tldr - powered by Generative AI

• Security is key for modern apps
• Application security needs to be approached across the entire stack and software supply chain
• Scanners are essential but need to be deployed and orchestrated at scale
• Good dashboards and UI are necessary to convey a clear and convincing picture of application security posture
• Open Clarity is an open source suite effort that aims at addressing the entire cloud security and application security stack
• VM Clarity is a new project that offers VM agentless scanning at scale
• More open source tools are needed to address the totality of the application security picture

tldr - powered by Generative AI

• Real-time monitoring is critical for detecting malicious activity using secrets
• Malicious images can be planted in public repositories and trusted sources should be used
• DDOS attacks are increasing and containers are being used to crowdsource participation
• Supply chain compromises and blind trust in dependencies can lead to major security issues
• Attackers are becoming more knowledgeable about cloud-native tools and services
• Crypto mining attacks are low effort and high reward, and their scale is expected to increase

tldr - powered by Generative AI

• The organization has multiple AWS accounts for different purposes and teams
• The Lambda function assumes a role into the organization management account and triggers a step function to orchestrate Lambda functions for each AWS account
• Each Lambda function queries Route 53 records and writes to a DynamoDB database and SNS topic for notifications
• The architecture is designed to be low cost, low operational overhead, and continuous
• The use of serverless services allows for scalability and ease of maintenance

tldr - powered by Generative AI

• Cube armor provides fine-grained access control on container entities
• Cube armor offers a declarative way to manage policies for access control
• Cube armor has inline policy enforcement
• Cube armor provides Telemetry data with context

tldr - powered by Generative AI

• Developer laptops are a high-value asset and a potential entry point for attackers to access cloud infrastructure and data.
• Real-time device integrity checks are necessary for zero-trust access.
• Auditing for vulnerable software packages and malicious Chrome extensions is crucial.
• Tying together identity and GitHub activity on the laptop with CI/CD actions can help detect and protect against malicious behavior.
• Correlating data across the CI/CD pipeline is essential to prevent security gaps and enable effective security measures.

tldr - powered by Generative AI

• Recent compromises of Codecov and Solar Winds have put a spotlight on software supply chain attacks.
• Lessons that Shopify has learned in protecting millions of businesses and demonstrate these techniques using open source software.
• Traditional defensive techniques can be applied in the cloud.
• Voucher and grafeas implementations can give you control over the software that runs in your clusters.
• The SLSA framework can guide you toward establishing trust in your software.
• Falco can be used to detect malicious behaviour or indicators that your supply chain has been compromised.
• Specific techniques for mitigating supply chain attacks include scanning or reviewing the code, using static analysis, and looking at the reputation and response to previous incidents of the maintainers.
• We can expect more from our suppliers by asking for receipts, an S-bomb, and what your software is made of.