logo
ArticlesConferencesPresentations
Dates
Author
Conferences
Tags

Sort by:  

⚡ Lightning Talk: Assessing Environments Against Cloud Native Security Best Practices

Conference:  Cloud Native SecurityCon North America 2022
Authors: Pratik Lotia, Jon Zeolla
2022-10-25
Organizations are in need for a standard, sane way to perform an assessment of their cloud native environments. This talk provides insight on how security professionals as well as auditors can identify whether they are following the controls and practices suggested in CNCF published white papers and thereby adhering to NIST 800-53v5 controls.. We will also provide examples on how we plan to develop open source automation (such as OSCAL) to reduce the toil of audits; and cross mapping to various frameworks and standards to enable builders focus on making their environments safer.
Tags:
CNCF
NIST 800-53v5
OSCAL
Cloud Native

Panel Discussion: Securing the Golden Path: Adding Guardrails for Developers Without Getting in Their Way!

Conference:  Cloud Native SecurityCon North America 2022
Authors: Aradhna Chetal, Kapil Bareja, Jim Bugwadia, Anil Karmel, Elizabeth Vasquez Alban
2022-10-24

tldr - powered by Generative AI

The conference presentation discusses the importance of building a golden path for Cloud Native organizations to ensure security and compliance. The path should be unique to each organization and based on the type of data they are trying to protect and their regulatory requirements. Automation and observability are key components of the golden path.
  • Building a golden path is crucial for Cloud Native organizations to ensure security and compliance
  • The path should be unique to each organization and based on their data and regulatory requirements
  • Automation and observability are key components of the golden path
Tags:
Cloud Native
agility
Golden Path
Panel

Road to SLSA3: Non-falsifiable Provenance in Tekton with SPIFFE/SPIRE

Conference:  SupplyChainSecurityCon 2022
Authors: Brandon Lum, Parth Patel
2022-06-21

tldr - powered by Generative AI

The presentation discusses the challenges of locking down Providence metadata fields in Tecton and proposes a solution using Spiffy Inspire for strong attestation and verification.
  • Tecton users have direct access to objects and metadata fields, making it difficult to lock down Providence metadata fields
  • Kubernetes cluster classes are managed by different entities, making it challenging to restrict access to metadata fields
  • The Task Run object becomes a main attack point for malicious actors
  • The proposed solution involves creating a trusted computing base and restricting access to metadata fields
  • Spiffy Inspire provides strong attestation and verification for the trusted computing base
  • Future work includes extending the solution to other custom resources and validating artifacts passed between tasks
Tags:
Tekton
Cloud Native
CI/CD
SLSA
unsigned provenance

It's Not Your Developers' Fault

Conference:  OWASP 20th Anniversary Event
Authors: Edwin Kwan
2021-09-24
The number of security incidents and data breaches are increasing. It feels like not a week goes by without hearing of another breach or compromise. Are we getting worse at doing security? In this talk I'll provide my opinion on this, from an application security perspective, by taking a look at how software development has changed over the years. As we move towards Cloud Native workloads, staying secure is harder; and it's not always your developers' fault.
Tags:
incidents
data breaches
Cloud Native
Application Security