Dates
Conferences
Tags
Sort by:
Most recent
Conference: KubeCon + CloudNativeCon Europe 2022
Authors: Anais Urlichs, Rory McCune
2022-05-20
As time goes by, there are an increasing number of security standards which Kubernetes cluster operators may be asked to comply with or get audited against. This talk will look at how Kubernetes security standards like the CIS benchmarks, DISA STIG, Pod Security Standards and the NSA hardening guide compare, where they compare and where they don’t. Additionally, we will also cover the recently released PCI guidance on container orchestration security. Once a standard has been chosen, the remaining pain lies in compliance. Luckily, the cloud native ecosystem provides several open-source tools to make it easier. We will look at using open source tooling to assess Kubernetes clusters against these standards. At the end of the presentation, the audience will gain a clear understanding of the benefits of each standard and the processes that can be adopted to comply with common requirements.Click here to view captioning/translation in the MeetingPlay platform!
Conference: OWASP 20th Anniversary Event
Authors: Wendy Nather
2021-09-24
tldr - powered by Generative AI
The presentation discusses the limitations and challenges of using software bill of materials (S-BOMs) in cybersecurity and DevOps.
- Automating the matching of vulnerabilities and exploits with threat intelligence and blocking them is not feasible as customers may not trust the organization to do it.
- Not all customers know enough about their software to determine if it is safe to block something.
- Partial remediation and tracking the timeline of remediation can be challenging.
- Social graphs and tracing components may not be useful if customers do not know what to do with the information.
- Consumers in the middle of the supply chain need to decide the depth at which they can investigate something and owe answers to downstream customers and partners.
- The limits of S-BOMs and the knowledge that can be obtained from them should be considered.
- SAS providers may not provide S-BOMs for their products.