June 26-27, 2024 | Seattle, WA

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for CloudNativeSecurityCon North America 2024 to participate in these sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

Please note: This schedule is displayed in Pacific Daylight Time (PDT), UTC -7.

The schedule is subject to change.
Tuesday, June 25
 

8:00am PDT

Registration + Badge Pick-Up
Tuesday June 25, 2024 8:00am - 5:00pm PDT
Ballroom Lobby

9:00am PDT

OTel Community Day (Additional Registration Required)
Tuesday June 25, 2024 9:00am - 5:00pm PDT
TBA
OpenTelemetry Community Day is a time and a place for maintainers, contributors, and users of OpenTelemetry to come together and celebrate both our open source work and our successes with Observability.


9:00am PDT

Secure AI Summit (Powered by Cloud Native) (Additional Registration Required)
Tuesday June 25, 2024 9:00am - 5:00pm PDT
TBA
Join us at Secure AI Summit (powered by cloud native), a premier gathering for security professionals, AI experts, and cloud-native enthusiasts. This groundbreaking event delves into the intersection of artificial intelligence and cloud-native security, offering invaluable insights, strategies, and best practices. Explore cutting-edge advancements in threat detection, incident response automation, and privacy-preserving AI techniques. Don’t miss this opportunity to network with industry leaders, exchange ideas, and stay ahead of the curve in safeguarding cloud-native environments.

 
Wednesday, June 26
 

7:30am PDT

Registration + Badge Pick-Up
Wednesday June 26, 2024 7:30am - 6:00pm PDT
Ballroom Lobby

9:00am PDT

Keynote: Welcome + Opening Remarks - Chris Aniszczyk, CTO, Cloud Native Computing Foundation
Wednesday June 26, 2024 9:00am - 9:15am PDT
Speakers
Chris Aniszczyk
CTO, Linux Foundation (CNCF)
Chris Aniszczyk is an open source executive and engineer with a passion for building a better world through open collaboration. He's currently a CTO at the Linux Foundation focused on developer relations and running the Open Container Initiative (OCI) / Cloud Native Computing Foundation... Read More →
Ballroom 2-3

9:15am PDT

Keynote: Demystifying Secure Application Communication with Zero Trust: Identity, Integrity, Confidentiality - Lin Sun, Head of Open Source, solo.io
Wednesday June 26, 2024 9:15am - 9:30am PDT
Modern cloud-native applications are frequently distributed across multiple Kubernetes clusters or virtual machines. But what exactly are the requirements for securing communication among these cloud native applications? Is encryption alone sufficient? Do applications require unique identities? How can we ensure the integrity of our applications' data? Do we need to control who can access what? And what are the considerations when dealing with multi-cluster environments? This presentation will explore the essentials of securing application communications within a zero-trust architecture framework. Lin will explain how mutual TLS (mTLS) meets these requirements through its handshake and record protocols. Moreover, she’ll demonstrate live how you can implement mTLS for applications by simply labeling their namespaces, without any restart of applications using Istio's ambient mesh.
Speakers
Lin Sun
CNCF TOC member and Head of Open-Source at solo, solo.io
Lin is the Head of Open Source at Solo.io, and a CNCF TOC member and ambassador. She has worked on the Istio service mesh since the beginning of the project in 2017 and serves on the Istio Steering Committee and Technical Oversight Committee. Previously, she was a Senior Technical... Read More →
Ballroom 2-3

9:30am PDT

Sponsored Keynote: What Can You Do in 5 Minutes? - Alexander Lawrence, Field CISO, Sysdig
Wednesday June 26, 2024 9:30am - 9:35am PDT
Organizations embracing Cloud Native architectures require rapid and effective security measures. This keynote underscores the shift to open source in security operations and the importance of meeting the 555 Benchmark: 5 seconds to detect, 5 minutes to triage, and 5 minutes to respond to cloud threats. It highlights redefining processes and harnessing human intelligence and automation within an open source ecosystem for cloud security.
Speakers
Alexander Lawrence
Field CISO, Sysdig
Alex Lawrence is Field CISO at Sysdig. Alex has an extensive history working in the datacenter as well as with the world of DevOps. Prior to moving into a solutions role, Alex spent a majority of his time working in the world of OSS on identity, authentication, user management and... Read More →
Ballroom 2-3

9:35am PDT

Keynote: Security in the Open - How Industry and Community Benefit When Security Thrives in the OSS Landscape - Cailyn Edwards, Senior Security Engineer, Okta & Jonathan Whitaker, Staff Software Engineer, Okta
Wednesday June 26, 2024 9:35am - 9:50am PDT
To continue fostering and growing the cloud-native security community we need more companies to support employees spending time on open source projects. To do this, we need to continue to build a symbiotic relationship between the cloud-native community and industry. The Okta FGA team has seen first hand the value of creating and supporting open source projects since launching OpenFGA and joining the CNCF. Private and open source communities working together have the opportunity to boost product discovery, increase developer growth and velocity, and engage and become integral leaders in the security space by establishing security standards and guidelines across the industry.

In this presentation, Jonathan and Cailyn will talk about some of the biggest wins, and why they think all companies should be giving back to the open source community more and how it can mutually benefit the security footprint of the software industry in general.
Speakers
Cailyn Edwards
Senior Security Engineer, Okta
Cailyn Edwards (she/her) is a Senior Security Engineer at Auth0 by Okta, where she spends her time paving roads, putting up guard rails and generally helping to secure the cloud. She is also an active contributor to SIG-Security and 2022 Contributor Award recipient. Her current focus... Read More →

Jonathan Whitaker
Staff Software Engineer, Okta
Jonathan has spent 7+ years in the Identity and Access Management (IAM) domain. His work is focused on building authorization integrations and frameworks for small, medium, and large platforms. He has helped build IAM platforms for companies as big as Adobe and for small startups... Read More →
Ballroom 2-3
  Keynote Sessions

9:50am PDT

Keynote: K8s Security Safari: Hunting Threats in the Wild Wild Cloud - Stav Ochakovski, DevOps Tech Lead, Mitiga & Ariel Szarf, Senior Cloud Security Researcher, Mitiga
Wednesday June 26, 2024 9:50am - 10:05am PDT
Kubernetes is spreading through the world faster than a viral dance challenge on social media. As the K8S ecosystem on the cloud gains more attention and spotlight, hackers actively seek ways to bounce between clusters and clouds, aiming for unauthorized access.

Join us to delve deep into the K8S security fundamentals on the different cloud providers and their logging system. Explore K8S TTPs, K8S to cloud environment attack vectors and IAM role abuse. Gain a comprehensive understanding of conducting threat hunting on K8S, utilizing your cloud provider and K8S logs to identify threat actors, particularly related to lateral movement and privilege escalation methods within the K8S environment.

You’ll come away with practical knowledge about the relevant logs and how to use them to investigate potential attacks on K8S. Cool, huh?
Speakers
Stav Ochakovski
DevOps Tech Lead, Mitiga
Stav Ochakovski is the DevOps Team Lead at Mitiga, where she manages highly scalable multi cloud environments. With a background in DevOps engineering and instruction, Stav seamlessly transitioned into the dynamic cybersecurity start-up scene. She is also a key manager of the IL AWS... Read More →

Ariel Szarf
Senior Cloud Security Researcher, Mitiga
Researcher of the old and new. Ariel Szarf works as a Senior Cloud Security Researcher at Mitiga. As part of that, Ariel researches potential attacks on cloud providers and SaaS, and investigates incidents. Besides that, Ariel likes to research ancient manuscripts and bake in his... Read More →
Ballroom 2-3
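The hunting this keynote describes starts from the API server audit log. The Python below is an added illustration for this schedule entry, not code from the speakers or from Mitiga: it runs a handful of rules over a constructed set of audit events (shaped like audit.k8s.io/v1 Event records, trimmed to the fields used) for the three TTPs the abstract names: lateral movement via pods/exec from a workload identity, privilege escalation through a cluster-admin binding, and credential access by enumerating secrets. The rule names, the two-namespace threshold and the sample records are assumptions for the example; it reads only Kubernetes audit events, not the cloud provider logs the talk also covers.

```python
import json
from collections import defaultdict

# Constructed sample of Kubernetes audit events (audit.k8s.io/v1 Event objects trimmed to
# the fields the rules use). Made up for this example, not taken from any real cluster.
SA = "system:serviceaccount:default:app-sa"
SAMPLE_EVENTS = [
    {"stage": "ResponseComplete", "verb": "get", "user": {"username": "system:node:worker-1"},
     "sourceIPs": ["10.0.1.5"], "objectRef": {"resource": "nodes", "name": "worker-1"},
     "responseStatus": {"code": 200}, "stageTimestamp": "2024-06-26T18:00:01Z"},
    # kubectl exec is audited as verb "create" on the pods/exec subresource, and every
    # request appears once per stage, so the same exec shows up twice here
    {"stage": "RequestReceived", "verb": "create", "user": {"username": SA},
     "sourceIPs": ["10.244.2.17"], "objectRef": {"resource": "pods", "subresource": "exec",
     "namespace": "payments", "name": "api-0"}, "stageTimestamp": "2024-06-26T18:02:10Z"},
    {"stage": "ResponseComplete", "verb": "create", "user": {"username": SA},
     "sourceIPs": ["10.244.2.17"], "objectRef": {"resource": "pods", "subresource": "exec",
     "namespace": "payments", "name": "api-0"}, "responseStatus": {"code": 101},
     "stageTimestamp": "2024-06-26T18:02:10Z"},
    {"stage": "ResponseComplete", "verb": "list", "user": {"username": SA},
     "sourceIPs": ["10.244.2.17"], "objectRef": {"resource": "secrets", "namespace": "default"},
     "responseStatus": {"code": 200}, "stageTimestamp": "2024-06-26T18:03:00Z"},
    {"stage": "ResponseComplete", "verb": "list", "user": {"username": SA},
     "sourceIPs": ["10.244.2.17"], "objectRef": {"resource": "secrets", "namespace": "kube-system"},
     "responseStatus": {"code": 200}, "stageTimestamp": "2024-06-26T18:03:05Z"},
    {"stage": "ResponseComplete", "verb": "create", "user": {"username": SA},
     "sourceIPs": ["10.244.2.17"], "objectRef": {"resource": "clusterrolebindings", "name": "debug-admin"},
     "requestObject": {"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
                       "subjects": [{"kind": "ServiceAccount", "name": "app-sa", "namespace": "default"}]},
     "responseStatus": {"code": 201}, "stageTimestamp": "2024-06-26T18:04:30Z"},
    {"stage": "ResponseComplete", "verb": "list", "user": {"username": "system:anonymous"},
     "sourceIPs": ["203.0.113.9"], "objectRef": {"resource": "pods", "namespace": "default"},
     "responseStatus": {"code": 403}, "stageTimestamp": "2024-06-26T18:05:00Z"},
    {"stage": "ResponseComplete", "verb": "list", "user": {"username": "system:anonymous"},
     "sourceIPs": ["203.0.113.9"], "objectRef": {"resource": "pods", "namespace": "default"},
     "responseStatus": {"code": 200}, "stageTimestamp": "2024-06-26T18:05:02Z"},
]
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)


def is_service_account(username: str) -> bool:
    return username.startswith("system:serviceaccount:")


def allowed(ev: dict) -> bool:
    """True when the API server let the request through (exec/attach finish with 101)."""
    return ev.get("responseStatus", {}).get("code", 0) < 400


def hunt(audit_jsonl: str) -> list[dict]:
    """Run the detection rules over newline-delimited audit events; return the findings."""
    findings = []
    secret_namespaces = defaultdict(set)  # username -> namespaces whose secrets it read

    def flag(ev, rule, detail):
        findings.append({"rule": rule, "user": ev["user"]["username"], "time": ev["stageTimestamp"],
                         "source_ip": ev.get("sourceIPs", ["?"])[0], "detail": detail})

    for line in audit_jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("stage") != "ResponseComplete":  # count each request once, with its outcome
            continue
        user, verb = ev["user"]["username"], ev["verb"]
        ref = ev.get("objectRef", {})
        resource, sub, ns = ref.get("resource"), ref.get("subresource"), ref.get("namespace")

        # lateral movement: a workload identity opening a shell in another pod
        if resource == "pods" and sub in ("exec", "attach") and is_service_account(user) and allowed(ev):
            flag(ev, "sa-pod-exec", f"{sub} into {ns}/{ref.get('name')} from a service account")

        # privilege escalation: binding cluster-admin, checked on the request body
        if verb == "create" and resource == "clusterrolebindings" and allowed(ev):
            if ev.get("requestObject", {}).get("roleRef", {}).get("name") == "cluster-admin":
                flag(ev, "cluster-admin-binding", f"ClusterRoleBinding {ref.get('name')} grants cluster-admin")

        # credential access: one service account reading secrets in several namespaces
        if resource == "secrets" and verb in ("list", "get") and is_service_account(user) and allowed(ev):
            secret_namespaces[user].add(ns)
            if len(secret_namespaces[user]) == 2:  # assumed threshold; flagged once per user
                flag(ev, "sa-secret-enumeration", f"secrets read in {sorted(secret_namespaces[user])}")

        # misconfiguration: unauthenticated requests should be denied, not answered
        if user == "system:anonymous" and allowed(ev):
            flag(ev, "anonymous-success", f"unauthenticated {verb} on {resource} returned {ev['responseStatus']['code']}")

    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_AUDIT_LOG):
        print(f"{f['time']} {f['rule']:24} {f['user']} from {f['source_ip']}: {f['detail']}")
```

Filtering on the ResponseComplete stage matters in practice: the same exec request is logged at RequestReceived as well, without a response code, and counting both stages doubles every hit. The anonymous rule fires only on a successful response; a 403 from system:anonymous is the API server doing its job, while a 200 means something is bound to system:unauthenticated and deserves a look.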

10:05am PDT

Keynote: TAG Security, You're It! - Moderated by Eddie Knight, Sonatype
Wednesday June 26, 2024 10:05am - 10:20am PDT
Have you ever wanted to contribute to the security of cloud native technologies? Do you have questions about security best practices? Learn how TAG security can help! Join a panel of leaders in TAG Security to learn about what the TAG does and how you can get involved.
Speakers
Marina Moore
Researcher, Independent
Marina Moore is a PhD candidate at NYU Tandon’s Secure Systems Lab researching secure software updates and software supply chain security. She is a maintainer of The Update Framework (TUF), a CNCF graduated project, as well as in-toto, an incubating project. She contributed to the... Read More →

Brandt Keller
OSS Maintainer, Defense Unicorns
Brandt is a Software Engineer with a passion for Open Source. As a Maintainer and Contributor to multiple Open Source projects, he finds distinct pleasure in solving difficult problems and being a voice for Critical - Regulated - and Air-Gapped environments (most often all of the... Read More →

Michael Lieberman
CTO, Kusari
Michael Lieberman is a technologist focused on IT transformations. Most recently he has been focused on work within the software supply chain security space. He is an OpenSSF SLSA steering committee member, and tech lead for the CNCF Security Technical Advisory Group (STAG). He... Read More →

Eddie Knight
OSPO Technical Program Manager, Sonatype
Eddie leads the Open Source Program Office at Sonatype. He serves as a Co-Chair for the CNCF Security Technical Advisory Group, and is a member of the FINOS Technical Oversight Committee.

John Kjell
Director of Open Source, TestifySec
John is responsible for open source at TestifySec, a software supply chain security startup. He is a maintainer for the Witness and Archivista sub-projects under in-toto. Additionally, John is an active contributor to CNCF's TAG Security and multiple projects within the OpenSSF. Before... Read More →
Ballroom 2-3

10:20am PDT

Keynote: Closing Remarks
Wednesday June 26, 2024 10:20am - 10:30am PDT
Ballroom 2-3

10:30am PDT

Coffee Break ☕
Wednesday June 26, 2024 10:30am - 11:00am PDT
Ballroom 1

10:30am PDT

Solutions Showcase
Wednesday June 26, 2024 10:30am - 6:45pm PDT
Ballroom 1

11:00am PDT

Shadow Vulnerabilities in AI/ML Data Stacks - What You Don’t Know CAN Hurt You - Avi Lumelsky & Nitzan Mousseri, Oligo Security
Wednesday June 26, 2024 11:00am - 11:35am PDT
Open-source AI software introduces a new family of vulnerabilities to organizations. Some components in AI, like model serving, include Remote Code Execution (RCE) by design, for example when loading pre-trained models from external sources. This talk will examine some of the common security anti-patterns prevalent in AI engineering, such as security issues that by design are not classified as CVEs, or patched security issues that introduce breaking changes and therefore are not practically adopted. We’ll review the methods introduced for better security hygiene, such as new checkpoint formats (model files on disk) like SavedModel and SafeTensors. Since SCA, SAST, and traditional approaches don't analyze model checkpoints, leaving these silent vulnerabilities in your stacks, we’ll demo through real code examples why the runtime context is crucial to detect these security issues, and how this can be achieved by leveraging eBPF and open source tooling.
Speakers
Avi Lumelsky
AI Security Researcher @ CTO Office, Oligo Security
Avi has a relentless curiosity about business, AI, security—and the places where all three connect. An experienced Software Engineer and Architect. His work focuses on AI engineering and security research.

Nitzan Mousseri
Threat and Data Researcher, Oligo Security
Nitzan Mousseri is an experienced Software Developer and Security Researcher, with a passion for exploring complex topics. Her work focuses on advancing security research and innovative solutions.
Ballroom 2-3
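The "RCE by design" in this abstract is the pickle-based checkpoint: unpickling a model file imports and calls whatever globals the file names, so a tampered file runs code as soon as it is loaded. The Python below is an added example for this entry, not code from the speakers or from Oligo. It builds a clean and a tampered checkpoint (the PoisonedWeights class and the allowlist entries are constructed for the demonstration), shows that a plain pickle.loads executes the callable the tampered file references, and walks the opcode stream with the standard library's pickletools to list every global a file would import before deciding whether to load it. This is the static half of the picture; the abstract's point is that runtime context still matters, and formats such as SafeTensors sidestep the problem by not using pickle at all.

```python
import os
import pickle
import pickletools

# Globals a checkpoint may legitimately reference. The torch entries are an assumption
# about what a PyTorch state_dict needs; maintain this list per framework. The plain
# dict checkpoint built below needs none of them.
SAFE_GLOBALS = {
    "collections.OrderedDict",
    "torch._utils._rebuild_tensor_v2",
    "torch.FloatStorage",
}
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
GET_OPS = {"GET", "BINGET", "LONG_BINGET"}
PUT_OPS = {"PUT", "BINPUT", "LONG_BINPUT"}


class PoisonedWeights:
    """Constructed stand-in for a tampered checkpoint entry. Unpickling it calls
    os.getenv("HOME"); a real payload would name any importable callable instead."""

    def __reduce__(self):
        return (os.getenv, ("HOME",))


def build_checkpoints():
    """Return (benign, malicious) pickle bytes standing in for two model files on disk."""
    weights = {"layer.weight": [0.1, 0.2, 0.3], "epoch": 3}
    benign = pickle.dumps(weights, protocol=4)
    malicious = pickle.dumps({**weights, "hook": PoisonedWeights()}, protocol=4)
    return benign, malicious


def referenced_globals(data: bytes) -> set[str]:
    """Every module.name the pickle would import, found by walking the opcode stream
    with pickletools instead of executing it. GLOBAL carries "module name" inline;
    STACK_GLOBAL (protocol 4+) consumes the two strings pushed before it, which may
    come from the memo, so memoised strings are tracked as well."""
    found, strings, memo, last_str = set(), [], {}, None
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.add(f"{module}.{name}")
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2:
            found.add(f"{strings[-2]}.{strings[-1]}")
        elif op.name in STRING_OPS:
            strings.append(arg)
        elif op.name in GET_OPS and isinstance(memo.get(arg), str):
            strings.append(memo[arg])
        # memo bookkeeping: MEMOIZE stores the object pushed by the previous opcode at the
        # next free index, PUT at an explicit index; only string values matter here
        if op.name == "MEMOIZE":
            memo[len(memo)] = last_str
        elif op.name in PUT_OPS:
            memo[arg] = last_str
        last_str = arg if op.name in STRING_OPS else None
    return found


def naive_load(data: bytes):
    """What most loaders do: pickle.loads runs whatever callables the file names."""
    return pickle.loads(data)


def load_checkpoint(data: bytes):
    """Refuse to unpickle anything that references a global outside SAFE_GLOBALS."""
    unexpected = referenced_globals(data) - SAFE_GLOBALS
    if unexpected:
        raise ValueError(f"refusing to load checkpoint: unexpected globals {sorted(unexpected)}")
    return pickle.loads(data)


if __name__ == "__main__":
    benign, malicious = build_checkpoints()
    print("globals named by the tampered file:", referenced_globals(malicious))
    print("naive load executed os.getenv and stored:", naive_load(malicious)["hook"])
    print("guarded load of the clean file, epoch:", load_checkpoint(benign)["epoch"])
    try:
        load_checkpoint(malicious)
    except ValueError as exc:
        print("guarded load of the tampered file:", exc)
```

The scan never calls pickle.loads on an untrusted file, which is the whole point: genops only parses opcodes. An allowlist is still a policy decision, and a file that references only allowed globals can still be built to misbehave through them, so the guard reduces the attack surface rather than proving a file safe.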

11:00am PDT

SaaC – Security as a Culture, the Distributed Advocacy - Deep Patel, Cisco
Wednesday June 26, 2024 11:00am - 11:35am PDT
443
The concept of "Security Advocacy" highlights a crucial point: security is not inherently part of development processes and requires promotion to achieve completeness. This suggests the existence of two distinct groups, the 'committed,' who are dedicated to security, and the 'others,' who do not share the same level of motivation. The expectation here is that both eventually converge, though such convergence is not a certainty. This talk promotes the concept of distributed advocacy, wherein security advocates and developers are part of a unified community. Here, every member is a champion of the cause. According to this framework, security requirements and compliance are foundational aspects of the system's core functional specifications and are incorporated into the final products. By blending the roles of advocates and developers, this approach fosters ongoing collaboration and encourages all participants to be more actively involved.
Speakers
Deep Patel
Senior Technical Leader, Cisco Systems Inc.
Deep Patel is a multifaceted Security Architect at Cisco Systems' Data Center Group, with roles spanning architecture, development, testing, vulnerability assessment, customer engagement, and education. An advocate for security with over 20 years of experience, he specializes in software... Read More →
  Security Advocacy + Collaboration

11:00am PDT

Accelerating AI Securely with GVisor - Lucas Manning, Google
Wednesday June 26, 2024 11:00am - 11:35am PDT
445
Container sandboxing is one of the best approaches we have to securing high-risk or untrusted container workloads. In the AI-first world, demand for these types of workloads, whether it be running untrusted LLM-generated code or training on proprietary datasets, is growing fast. In this talk you will learn about the different approaches to sandboxing containers and tradeoffs associated with them. Then Lucas will dive deep into the implementation of the open source gVisor sandbox and container runtime. Lucas will discuss new sandboxed hardware accelerator support in gVisor, implementation trade-offs, the ways gVisor is being used to mitigate AI/ML security risks, and the work the gVisor team has done to reduce the performance costs of sandboxing.
Speakers
Lucas Manning
Software Engineer, Google
Lucas is a software engineer at Google, working on the gVisor project since 2021. His work spans across the entire gVisor ecosystem, including hardware accelerator support, virtual filesystem compatibility, and networking performance.
  Supply Chains + Containers + Application Security

11:00am PDT

Leveraging the Linux Kernel for Building a Zero-Trust Environment Without a Service Mesh - Marton Sereg & Zsolt Varga, Cisco
Wednesday June 26, 2024 11:00am - 11:35am PDT
447
Faced with the need to establish a zero-trust network, our team sought an alternative to complex and resource-heavy service meshes. In this session, we share our journey toward a unique solution: a kernel module that enables mTLS and access control directly from the Linux Kernel by relying on proven technologies like WebAssembly, kTLS, or OPA. This approach allowed us to assign strong identities to workloads and encrypt traffic without modifying application code or interfering with the network layer, overcoming the typical complexities associated with traditional methods. We will discuss the challenges we faced, our thought process, and the practical steps taken in developing and deploying this solution. Importantly, we made our kernel module open-source, contributing a simpler, more efficient method for achieving zero-trust security to the wider community.
Speakers
Zsolt Varga
Engineering Technical Lead, Cisco
Zsolt Varga is a senior software engineer with Cisco Outshift. He is an early-adopter of new technologies and has more than 20 years of experience in software development and infrastructure engineering. His focus in the past several years was around cloud native technologies and service... Read More →

Marton Sereg
Product Manager, Cisco
  Supply Chains + Containers + Application Security

11:00am PDT

Tutorial: Sailing the Security Seas with Tetragon - Duffie Cooley, Isovalent
Wednesday June 26, 2024 11:00am - 12:25pm PDT
435
In this tutorial we will cover how to get started with tetragon. Show how to use the tetra cli to filter and examine interesting events at runtime and shore up our ship against boarders! Come prepared to this tutorial with a laptop. We will be using instruqt to explore!
Speakers
Duffie Cooley
Field CTO, Isovalent

11:05am PDT

⚡ Lightning Talk: Security Down to the Kernel - Justin Garrison, Sidero Labs
Wednesday June 26, 2024 11:05am - 11:10am PDT
433
Everyone knows security is best done in layers. Usually that means adding more layers. This requires more to manage, more resources to pay for, and more overhead. But what if you could gain security by taking away some of the layers? We'll show examples of how we took away layers in Talos Linux to strip and harden the OS with a total of only 12 binaries and a strict focus on Kubernetes.
Speakers
Justin Garrison
Director of DevRel, Sidero Labs
Justin is a developer advocate at AWS where he helps improve container services for everyone. In the past he has helped make Oscar winning movies, built infrastructure for Disney+, and has been active in open source for a long time. In his spare time he enjoys tinkering with hardware... Read More →

11:10am PDT

⚡ Lightning Talk: Speak Egress and Exit: A Look at Securing Traffic Out of the Mesh with Istio - Nina Polshakova & Ariana Weinstock, Solo.io
Wednesday June 26, 2024 11:10am - 11:15am PDT
433
Your service mesh is up and running, but now your request must venture securely beyond the mesh! On top of defining multiple CRs (ServiceEntries, Gateways, VirtualServices, DestinationRules, oh my!), you’ll need to consider the routing and security configurations for egress traffic that Istio supports: sidecar TLS origination, egress gateway TLS origination, TLS passthrough, ExternalName Services, and more! Though Istio can send traffic to an external IP address, hostname, or internal DNS entry directly, this doesn’t limit which services can access external endpoints. Egress gateways enforce policies across an organization and provide a centralized point for monitoring, controlling, and shaping outbound traffic. In a live demo, we’ll build up Istio configuration piece by piece for setups simple to complex and peek behind the scenes at the underlying Envoy configuration. Together we’ll deliver a request out of the cozy, hobbit hole mesh and into the fiery chasm of the outside world.
Speakers
Nina Polshakova
Principal Software Engineer, Solo.io
Nina is a software engineer working on multi-cluster Istio solutions on the Gloo Platform team at Solo.io. She has also been on several Kubernetes release teams, most recently as the Enhancements team lead for the 1.29 release. Previously Nina worked at Shape Security preventing malicious... Read More →

Ariana Weinstock
Software Engineer, Solo.io
Ariana has been a software engineer at Solo.io for 4 years, gaining experience with Kubernetes, Envoy, and Istio through her work on various Gloo products and development teams. She previously worked for GoDaddy out of their office in Cambridge, MA after studying computer science... Read More →
  ⚡ Lightning Talks, IAM + Multi-tenancy + Network Security
  • Content Experience Level Any

11:15am PDT

⚡ Lightning Talk: Securing Your Systems with Service Mesh - Tyler Schade, Solo.io
Wednesday June 26, 2024 11:15am - 11:20am PDT
433
Service mesh can be a very intimidating topic for cloud-native practitioners. A proxy in front of everything? Sounds too complicated. In this talk, I will provide a five minute introduction to service mesh and the security benefits it can bring to your systems. We will talk about easy mTLS everywhere, all at once, and provide a conceptual framework for attendees to learn more about service mesh after the talk.
Speakers
Tyler Schade
Senior Software Engineer, Solo.io
Tyler Schade is a software engineer at solo.io, working on simplifying complex cloud architectures with Gloo Platform (https://www.solo.io/products/gloo-platform/). Tyler lives in Miami, Florida and enjoys lifting weights, reading, snowboarding and mountain biking.
  ⚡ Lightning Talks, Cloud Native Security Novice
  • Content Experience Level Beginner

11:20am PDT

⚡ Lightning Talk: Don’t Make Me Impersonate My Identity - Cynthia Thomas, Google
Wednesday June 26, 2024 11:20am - 11:25am PDT
433
Identities are a crucial part of running workloads on Kubernetes. How do you ensure Pods can securely access Cloud resources? In this lightning talk, you will learn how large Cloud providers work together to share Identity Provider responsibilities in order to federate identities in multi-cloud environments.
Speakers
Cynthia Thomas
Product Manager, Google
Cynthia Thomas is a Product Manager for Google Kubernetes Engine (GKE) at Google Cloud. She has spent 17+ years in the tech industry, the last 10 of which she was an advocate for open source and cloud-native technologies. She enjoys solving problems with experience in Service Provider... Read More →

11:50am PDT

Leveraging Cryptographic Lineage for Context and ConnectedTrust - Yogi Porla, Deep Lineage
Wednesday June 26, 2024 11:50am - 12:25pm PDT
Security is the sum of all parts. However, vendors take a siloed and reactive approach towards cybersecurity, and that approach also lacks context. Moreover, the distributed nature of generative AI adoption in the real world is fraught with numerous issues such as copyright infringement, data protection, data poisoning, prompt injection, etc. In this presentation we look at building cryptographic lineage and how it can be used to create attested claims with a chain of custody. The approach starts with point-to-point zero trust using SPIFFE and on top of it builds attested claims to incorporate the context of every step of a transaction. This chain of custody incorporates zero trust at every point of communication and adds traceability, auditability and watermarkability with deep-rooted trust at every step of the way. Our work is based on the open-source Attested Claims effort.
Speakers
Yogi Porla
Founder, Deep Lineage inc
Yogi Porla is an avid tinkerer with multifaceted experience working in the roles of AI Strategist, Cybersecurity Engineer, DevOps Engineer, Engineering Leader etc in the domains of AI, Cloud , Cybersecurity, Networking. Yogi has unique experience working at different firms such as... Read More →
Ballroom 2-3
  Leveraging + Preparing for AI In Cloud Security
  • Content Experience Level Advanced

11:50am PDT

CSI Forensics: Unraveling Kubernetes Crime Scenes - Alberto Pellitteri & Stefano Chierici, Sysdig
Wednesday June 26, 2024 11:50am - 12:25pm PDT
433
In the event of a security breach, employing well-defined DFIR techniques becomes imperative to mitigate the incident's impact effectively. However, with the spreading adoption of containers, the employment of DFIR processes and capabilities is becoming increasingly complex. Join us in an insightful session that will cover cutting-edge DFIR practices on container environments. After a short overview of the essence of DFIR, we'll direct our focus towards various advanced DFIR techniques within a Kubernetes environment, which can prove highly beneficial in the event of a compromise. Starting from how to checkpoint compromised apps and restore them in a sandboxed environment for further analysis, we will move to how to conduct memory forensics on container evidence using old-style open-source DFIR tools. At the end of the presentation, the audience will be familiar with the advantages and disadvantages of the latest DFIR capabilities and will have the basics to understand how to use them.
Speakers
Stefano Chierici
Threat Research Lead Manager, Sysdig
Stefano Chierici is a Threat Research Lead Manager at Sysdig, where his research focuses on defending containerized and cloud environments from attacks ranging from web to kernel. Stefano is one of the Falco contributors, an incubation level CNCF project. He studied cyber security... Read More →

Alberto Pellitteri
Threat Research Engineer, Sysdig
Alberto Pellitteri is a security researcher with a speciality in Kubernetes and Docker technologies. Currently a security researcher at Sysdig, Alberto researches malware and attacks that target cloud infrastructure and vulnerable environments. As a contributor to open source projects... Read More →
  Observability + Detections + Response

11:50am PDT

Security Champions LeaderBoard - Building and Gamifying the Security Culture at Your Organisation - Aseem Shrey, SecureMyOrg
Wednesday June 26, 2024 11:50am - 12:25pm PDT
443
At most companies, security teams are quite lean, with as few as one security engineer for every 30 to 50 developers. So having a larger set of people looking out for the security of the organisation would definitely help. The idea was to make people proactively get involved in security and be more ‘security-savvy’. A lot of people love and play games in some form or the other, especially multiplayer games. We tried to gamify the 'security experience' to improve the security-savviness at our organisation. This would help us to recognise more 'security champions' from different teams and help to find early adopters for our security initiatives. In this talk I go through the process of ideation to creation of the security champions leaderboard, and how it’s improved the overall developer and security culture at the organisation while easing the security team’s work.
Speakers
Aseem Shrey
Founder, SecureMyOrg
Hello everyone 👋 This is Aseem. I teach people through my YouTube channel HackingSimplified. I've reported a few critical issues to the Government of India, specifically its Digilocker initiative, and to a lot of other private organisations throughout the world, including IBM... Read More →
  Security Advocacy + Collaboration
  • Content Experience Level Any

11:50am PDT

Navigating the Quantum Readiness Journey: Securing Kubernetes with Quantum-Resistant Cryptography - Tomas Gustavsson, Keyfactor
Wednesday June 26, 2024 11:50am - 12:25pm PDT
447
Join us in exploring the Quantum Readiness journey, focusing on cybersecurity preparations. Dive into securing Kubernetes, containers, and software supply chains with demos using open-source FIPS-certified cryptographic APIs: bouncycastle.org and the open-source Public Key Infrastructure software: ejbca.org. Cryptography is a cornerstone in cybersecurity and is essential for developers. We aim to empower you with hands-on insights into quantum-resistant cryptography, covering mTLS, x.509 certs, container signing, and more. Get equipped to navigate this tech and conduct your own tailored experiments. Learn about standardization progress in Europe and the US. Security is a collective effort; community collaboration is vital for high-quality, interoperable cryptographic solutions.
Speakers
Tomas Gustavsson
Chief PKI Officer, Keyfactor
Tomas Gustavsson pioneered the open-source PKI with EJBCA, now embraced by over 3000 downloads per month. With a background in Computer Science, Tomas established EJBCA to fortify trusted digital identities globally. He advocates for cybersecurity through innovation, collaboration... Read More →
  Supply Chains + Containers + Application Security
  • Content Experience Level Any

11:50am PDT

Sigstore: Past, Present and Future Directions - Luke Hinds, Stacklok & Bob Callaway, Google
Wednesday June 26, 2024 11:50am - 12:25pm PDT
445
Sigstore was founded in 2021 to make it easier for developers to sign and verify their software artifacts. Since then, the project has become the de facto approach to code signing for OSS, and has been adopted by major cloud native projects including Kubernetes and Helm, and by npm to sign SLSA provenance statements. Today, Sigstore has over 58 repos spanning many libraries (including Go, Rust, and JavaScript), and provides a public good service staffed by community SREs.

During this talk, Sigstore founders Luke Hinds (Stacklok) and Bob Callaway (Google) will discuss the origins of Sigstore and their experience growing a large community. They'll discuss ongoing work to integrate Sigstore into Homebrew, PyPI, and Maven Central, as well as Sigstore roadmap priorities and where they see the project heading in the future.
Speakers
avatar for Bob Callaway

Bob Callaway

Engineer, Google
Bob is the tech lead & manager of the supply chain integrity group in Google's Open Source Security Team. He and his team directly contribute to critical OSS secure software supply chain projects (including Sigstore that he co-founded), as well as help drive adoption of best practices... Read More →
avatar for Luke Hinds

Luke Hinds

CTO, Stacklok, Stacklok, Inc
Luke Hinds is a software engineer living in the UK. Luke is focused on building the next generation of software supply chain security solutions at Stacklok, Inc, where he is the CTO. He is a member of the OpenSSF Board and founded the sigstore project. He has held numerous community... Read More →

11:50am PDT

An Introduction to Capture The Flag - Iain Smart, ControlPlane
Wednesday June 26, 2024 11:50am - 12:25pm PDT
420
The Cloud Native Capture The Flag (CTF) is available to all in-person CloudNativeSecurityCon attendees. In preparation for getting started with the activity, you are invited to attend an introductory session.

This session aims to introduce how to participate in CTF competitions to those who are new to them. We will share our tips and tricks for completing these challenges and work through a practice scenario together.
Learn more about how to participate in Capture The Flag.

Speakers
Iain Smart

Principal Consultant, ControlPlane
Iain Smart is a Principal Consultant at ControlPlane, where he reviews cloud-native deployments and performs offensive security engagements. He enjoys playing with new technologies, and if he's not hacking a Kubernetes cluster or attacking a build pipeline he can probably be found...

12:25pm PDT

Lunch 🍲
Wednesday June 26, 2024 12:25pm - 1:55pm PDT
Ballroom 1

12:25pm PDT

EmpowerUs
Wednesday June 26, 2024 12:25pm - 1:55pm PDT
Attendees who identify as women, trans, non-binary individuals, or allies are invited to join this casual networking lunch to have open discussions with fellow attendees about challenges, changes, leadership innovation, and empowerment in our fast-growing ecosystem. Grab your lunch, then meet at the reserved EmpowerUs table. 

Ballroom 1

1:55pm PDT

One Project, Different Angles: How to Secure and Observe with Cilium - Christine Kim, Isovalent
Wednesday June 26, 2024 1:55pm - 2:30pm PDT
447
Cilium has evolved into a multi-faceted project. Once thought of as “just a CNI”, Cilium now also offers a Service Mesh, Hubble, and Tetragon. You may be confused about the differences between these projects, so let’s break down the projects in the Cilium family from a security perspective. We'll go through common use cases that show how to secure your applications from different points of view. Let's explore the Cilium family, go over the basics, and see how they can enable you to run your workloads safely.
Speakers
Christine Kim

OS @ Isovalent, Isovalent
Christine Kim focuses on developer experience at Isovalent, where she dabbles in the world of Kubernetes and Service Meshes.
  Cloud Native Security Novice
  • Content Experience Level Beginner
  • Presentation Slides Attached Yes

1:55pm PDT

Brave New World: Welcoming New AI Identity Challenges - Gabriel L. Manor, Permit.io
Wednesday June 26, 2024 1:55pm - 2:30pm PDT
For many years, digital identity was primarily associated with human personalities, with only minimal effort dedicated to programmable interfaces. The result is a system designed for human behavior, from security to usability. Over the past year, LLMs, vector DBs, and GPTs have introduced a new type of non-human personality that has permeated the applications around us. The side effect is an exponential increase in programmable identities in our applications. In this talk, I'll discuss the differences between a programmable AI identity and a real human, what we need to rethink, and what could simply be improved. Then, I'll demonstrate a fully functional auth system built for the AI identity era using only open-source software.
Speakers
Gabriel Manor

Engineering Director, Permit.io
Gabriel is a senior full-stack developer who blends his passion for technical leadership, security, authorization, and devtools into his current role as the Head of Growth and DevRel at Permit.io. Before joining Permit.io, Gabriel worked as a technical leader and principal engineer...
talk pdf
Ballroom 2-3
  Leveraging + Preparing for AI In Cloud Security

1:55pm PDT

Building Bridges in Open Source: Connecting Academic Talent with Industry Innovation - Ben Smith-Foley & Sam Begin, Rensselaer Center for Open Source
Wednesday June 26, 2024 1:55pm - 2:30pm PDT
443
The industry often experiences a number of roadblocks while working on emerging technologies, whether they be related to a knowledge gap, resource constraints, community engagement, or innovation stagnation. Companies frequently struggle to find new hires who are skilled in the latest tools and technologies. Despite the existence of student internship programs, this problem still persists. This talk explores the untapped potential of engaging university students in open-source projects and how it can offer fresh perspectives on collaboration and skill development outside of traditional internship programs. Drawing from my experience as a student involved in open-source, I will share the transformative impact these opportunities can have on a student’s career and the edge they bring to the companies they engage with. Through a showcase of successful university open-source centers, attendees will discover how they can benefit from partnerships with educational institutions.
Speakers
Ben Smith-Foley

University Student, Rensselaer Center for Open Source
Ben is a senior at Rensselaer Polytechnic Institute studying Computer Science with a concentration in Systems and Software. He is currently conducting undergraduate research in "Anomaly Detection in High-Volume Encrypted Network Traffic", helps lead the Rensselaer Center for Open...
Sam Begin

University Student, Rensselaer Center for Open Source
Sam is a rising junior at Rensselaer Polytechnic Institute, pursuing a degree in Computer Science with a concentration in Systems and Software. He mentors at the Rensselaer Center for Open Source (RCOS), where he leads a project focused on Cloud Native technology.
  Security Advocacy + Collaboration
  • Content Experience Level Any
  • Presentation Slides Attached Yes

1:55pm PDT

Avengers Assemble: Threat Modeling Kubernetes Clusters at a Massive Scale - Sai Charan Teja Gopaluni & Jamal Arif, Amazon Web Services
Wednesday June 26, 2024 1:55pm - 2:30pm PDT
445
Microservices architectural patterns are complex, and are becoming increasingly more complex and capable over time, delivering more business value and increased customer satisfaction and engagement. This means that design decisions need to account for an ever-increasing number of use cases, and be made in a way that mitigates potential security threats that may lead to business-impacting outcomes, including unauthorized access to data, denial of service, and resource misuse. During the design phase, Information Security teams within an organization employ threat modeling as a process to identify potential threats, such as structural vulnerabilities or the absence of appropriate safeguards, and to prioritize countermeasures. In this talk, we will see how threat modeling can be applied at the Kubernetes service level by identifying access points and exfiltration points, and discuss the controls applicable at each level.
Speakers
Sai Charan Teja Gopaluni

Sr. Specialist Solutions Architect, Containers, Amazon Web Services
Sai Charan Teja Gopaluni is a Sr. Containers Specialist Solutions Architect at Amazon Web Services. In his role as a subject matter expert, he enjoys helping customers design modern, scalable and secure container based applications.
Jamal Arif

Sr. Solutions Architect, Amazon Web Services
Jamal is a Senior Solutions Architect at Amazon Web Services, specializing in AWS artificial intelligence/Machine Learning and container services. He has extensive experience in designing innovative, resilient, and enterprise-scale solutions using AWS technologies. In his spare time...
  Supply Chains + Containers + Application Security
  • Content Experience Level Any
  • Presentation Slides Attached Yes

1:55pm PDT

Malicious Compliance Automated: Building Secure Containers and Obfuscating What's Inside - Kyle Quest, AutonomousPlane & Duffie Cooley, Isovalent
Wednesday June 26, 2024 1:55pm - 2:30pm PDT
433
What if you compress a container image? What will happen? Is it even possible?

Let's explore the good, the bad and the fun of minifying container images and the side effects of it.

You will learn what it takes to build secure container images and how to make sure you have only the components you need to reduce the attack surface of your containers. You will learn about what's truly necessary for your containers to function. You will also learn how it's possible to automate container image compression leveraging low level Linux kernel interfaces and application analysis.

We'll also explore the side effects of image compression on the vulnerability scanners and exploits and how they will be disrupted and broken.

As a bonus you will see a number of additional container obfuscation techniques that will make vulnerability scanners completely blind.
Speakers
Duffie Cooley

Field CTO, Isovalent
Kyle Quest

Founder, AutonomousPlane
Kyle is the creator of DockerSlim (aka SlimToolkit, aka MinToolkit), a popular tool to inspect, optimize and debug containers. He's the founder/CEO of AutonomousPlane and he's also the founder/CTO of Slim.AI. He's building a supply chain security solution for the cloud native applications...

1:55pm PDT

Tutorial: Demystifying and Enabling Workload Identity Across the Cloud Native Ecosystem - Andrew Block, Anjali Telang, Trilok Geer, Red Hat; Mariusz Sabath & Maia Iyer, IBM
Wednesday June 26, 2024 1:55pm - 3:20pm PDT
435
Zero Trust principles represent a departure from how systems traditionally communicate with each other. Instead of long-lived credentials, access is granted based on caller identity to enable elevated security controls. Most public cloud providers and hosted solutions support assigning identities to workloads, and this has been enabled in many applications and frameworks. However, many end users are unaware of the baseline fundamental concepts. In this interactive tutorial, attendees will dive into the world of workload identity management: its components, how identities are generated, and where they can be used. By leveraging SPIFFE and SPIRE, CNCF projects providing tools for establishing trust between systems, we'll showcase how workload identities can be used beyond the public cloud to secure applications and systems in any environment. Upon completion, participants will have the knowledge, skills, and real-world examples to implement these patterns in their own environments.
Speakers
Andrew Block

Distinguished Architect, Red Hat
Andrew Block is a Distinguished Architect at Red Hat who works with organizations to design and implement solutions leveraging cloud native technologies. He specializes in Continuous Integration and Continuous Delivery methodologies with a focus on security to reduce the overall...
Mariusz Sabath

Senior Technical Staff Member, IBM Research
Mr. Sabath is a Senior Technical Staff Member at the IBM T. J. Watson Research Center, with extensive experience in system management and distributed environments. He has led numerous development projects, authored technical papers, and holds numerous patents. His current research...
Maia Iyer

Research Software Developer, IBM
Maia is a Research Software Developer at IBM. During her two-year tenure, she has become a dedicated contributor and maintainer of the open-source project Tornjak under the SPIFFE/SPIRE Community, and is actively involved in developing Tornjak as an easy-to-use control plane for SPIRE...
Anjali Telang

Principal Product Manager, OpenShift Security and Identity, RedHat
Anjali Telang is a Principal Product Manager for Security and Identity in OpenShift at RedHat. She is a security and cloud enthusiast with over 16 years of experience in cloud, security and networking. Prior to joining RedHat, she worked in various product and engineering roles at...
Trilok Geer

Principal Software Engineer, Red Hat

2:45pm PDT

Threat Modelling: How to Improve Your Kubernetes Security Posture with Threat Model? - Maxime Coquerel, Royal Bank of Canada (RBC)
Wednesday June 26, 2024 2:45pm - 3:20pm PDT
447
Kubernetes environments are complex due to the number of potential third-party integrations, such as mesh solutions, secrets management, governance solutions and more. This complexity is increased especially for regulated entities like financial companies. Conducting an efficient threat model is a key element in identifying emerging threats and risks in dynamic environments such as a Kubernetes platform. In this presentation, I will introduce a non-conventional methodology for performing Kubernetes threat modelling and identifying threats, emphasizing its adoption by your development and SRE teams. At the end of this presentation, you will have a comprehensive understanding of how a threat model can help you increase your overall Kubernetes security posture.
Speakers
Maxime Coquerel

Principal Kubernetes Cloud Security, RBC - Royal Bank of Canada
In my current role at RBC - Royal Bank of Canada, I lead the worldwide strategy and product vision of the Kubernetes Security program across RBC in Canada, USA, and UK, overseeing security architecture, cloud threat research, threat modeling, and risk assessment of cloud designs and...
  Cloud Native Security Novice

2:45pm PDT

Threat Modeling for AI Apps with Attacks as Code - Priyanka Tembey, Operant & Glenn McDonald, Operant AI
Wednesday June 26, 2024 2:45pm - 3:20pm PDT
While AI presents an opportunity to innovate across domains, we are learning that it also presents unknown threat vectors that are constantly evolving. So what does threat modeling look like for today's AI apps? Frameworks such as the OWASP LLM risks or MITRE ATLAS are emerging that list attack TTPs for AI apps. However, these are baseline frameworks that need to be customized to each organization's needs. Furthermore, the secure behavior of AI apps needs continuous verification, as they're built on top of 3rd-party models which are untrusted black boxes, yet are deeply plugged into organizational data, IP, and internal APIs, highlighting the need to make threat modeling part of an AI app’s CI/CD rather than doing it infrequently. This talk will describe how to automate threat modeling for AI apps using Secops-Chaos, an open source framework that helps encode TTPs as security-focused experiments, with hands-on demos of how to map some of the MITRE ATLAS TTPs to AI apps running within Kubernetes environments.
Speakers
Priyanka Tembey

Co-founder and CTO, Operant
A technologist with a PhD in distributed systems and optimization from Georgia Tech, Priyanka has spent over 10 years as a software engineer at the forefront of cloud-native technologies. Priyanka was one of the foundational engineers to build out VMware's hybrid cloud product architecting...
Glenn McDonald

Software Engineer, Operant
Glenn McDonald is a Software Engineer at Operant, bringing a broad industry experience from Cloud Providers to Financial Services. Specializing in Cloud Native architecture and Application Security, with a keen interest in exploring emerging technologies.
Ballroom 2-3
  Leveraging + Preparing for AI In Cloud Security

2:45pm PDT

CVE Context Matters, but Do All Vulnerabilities Really Matter? - Shubha Badve & Ross Tannenbaum, Red Hat
Wednesday June 26, 2024 2:45pm - 3:20pm PDT
433
Anyone can run a vulnerability scanner, but understanding the context and relevance of a vulnerability in the context of cloud-native projects is challenging, especially when the quality of scanners varies. What vulnerability feeds are helpful? What tools can you use? Do all vulnerabilities really matter?

In this presentation, we'll break down what you should prioritize in your vulnerability scanners and where the actual value lies. We'll also discuss the best practices for implementing and evaluating the success of a vulnerability scanner. By the end of the talk, you'll understand the vulnerability scanner ecosystem, how to accurately assess your vulnerabilities, and how to effectively implement a vulnerability scanner in your daily workflows.
Speakers
Shubha Badve

Principal Product Manager - Technical, Red Hat
Shubha Badve, a Technical Product Manager at Red Hat, collaborates with open source security experts, focusing on Red Hat's security products. She manages Red Hat Advanced Cluster Security for Kubernetes, integrating software supply chain security practices and open-source tech to...
Ross Tannenbaum

Principal Software Engineer, Red Hat

2:45pm PDT

Championing Security: Scaling Security at Every Level - Dwayne McDaniel, GitGuardian
Wednesday June 26, 2024 2:45pm - 3:20pm PDT
443
Security teams, at best, are outnumbered 100 to 1. Securing every door, window, network, endpoint, device, API, and system is an overwhelmingly endless task. How can we hope to keep the enterprise secure while the threat landscape keeps evolving ever faster? It is time for an age of champions. Security Champions. Security champions are individual team members on teams outside of security who volunteer to stay up to date with security updates and help spread the word. They look for places where security best practices can be applied and help the security team know where people are struggling and have questions. This session will explore the guidelines put forth by some open-source communities, such as OWASP's Security Champions Guide, and learn some best practices for starting a program and getting your teams on board.
Speakers
Dwayne McDaniel

Sr. Security Developer Advocate, GitGuardian
Dwayne has been working as a Developer Relations professional since 2015 and has been involved in tech communities since 2005. He loves sharing his knowledge, and he has done so by giving talks at over a hundred events worldwide. Dwayne currently lives in Chicago. Outside of tech...
  Security Advocacy + Collaboration
  • Content Experience Level Any

2:45pm PDT

Below the Radar: Identifying Hidden Threats Within the Development Ecosystem - Yakir Kadkoda, Aqua Security
Wednesday June 26, 2024 2:45pm - 3:20pm PDT
445
In this session, attendees will explore new critical threats in the Development Ecosystem, posing security challenges for cloud-native environments. We will focus on how exposed secrets can be hidden in code due to vulnerabilities in source code management platforms, and how to find these exposed secrets before attackers do. Attendees will discover that they know little about secret scanning. The session will delve into discovered flaws, examining Kubernetes secrets and their elusive nature and discussing Shadow IT and how it can expose secrets. Examples will illustrate how attack vectors have led to major supply chain attacks on popular platforms. Attendees will acquire mitigation strategies and tools, with detailed explanations.
Speakers
Yakir Kadkoda

Lead Security Researcher, Aqua Security
Yakir Kadkoda is a Lead Security Researcher at Aqua's research team, Team Nautilus. He combines his expertise in vulnerability research with a focus on discovering and analyzing new security threats and attack vectors in cloud native environments, supply chain security, and CI/CD...
  Supply Chains + Containers + Application Security

2:45pm PDT

An Introduction to Capture The Flag - Iain Smart, ControlPlane
Wednesday June 26, 2024 2:45pm - 3:20pm PDT
420
The Cloud Native Capture The Flag (CTF) is available to all in-person CloudNativeSecurityCon attendees. In preparation for getting started with the activity, you are invited to attend an introductory session.

This session aims to introduce how to participate in CTF competitions to those who are new to them. We will share our tips and tricks for completing these challenges and work through a practice scenario together.
Learn more about how to participate in Capture The Flag.

Speakers
Iain Smart

Principal Consultant, ControlPlane
Iain Smart is a Principal Consultant at ControlPlane, where he reviews cloud-native deployments and performs offensive security engagements. He enjoys playing with new technologies, and if he's not hacking a Kubernetes cluster or attacking a build pipeline he can probably be found...

3:20pm PDT

Coffee Break ☕
Wednesday June 26, 2024 3:20pm - 3:50pm PDT
Ballroom 1

3:50pm PDT

Everyone’s Starting to Look SPIFFE: MTLS and Identity with Linkerd and Teleport - Dave Sudia, Teleport
Wednesday June 26, 2024 3:50pm - 4:25pm PDT
The SPIFFE ecosystem is starting to grow as more projects implement the standard to verify workload identities. In this presentation we will demonstrate two of the most recent projects to adopt SPIFFE working together, showing what can be accomplished when projects build on a common standard. Linkerd, a Kubernetes-native service mesh, recently launched a feature for using SPIFFE SVIDs to verify workload identities outside of the mesh and cluster. Teleport provides access control for infrastructure, and has recently adopted SPIFFE to provide workload identity for applications by making SVIDs available over the Workload API. We’ll show a practical example of how to use these projects together to secure a Kubernetes cluster and workloads running outside of the cluster. We will also discuss why the two projects chose to implement SPIFFE, and the benefits of building to this new standard.
Speakers
Dave Sudia

Senior Product Engineer, Teleport
Dave Sudia went from Platform Engineering to Product Engineering; in both roles he has had to stand up infrastructure in repeatable but constantly evolving structures, and is the world's biggest fan of Infra-as-Code. By day you'll find him enabling developers to do their best work...
Ballroom 2-3
  IAM + Multi-tenancy + Network Security

3:50pm PDT

API Security: Code-to-Cloud Context for Complete Protection - Idan Plotnik, Apiiro & Patrick Sullivan, Akamai
Wednesday June 26, 2024 3:50pm - 4:25pm PDT
433
Attackers are taking advantage of the fact that APIs give access to large amounts of data and are often improperly secured. But the complexity and scale of enterprise API estates make identifying and fixing API security weaknesses easier said than done. An integrated Code-to-runtime approach provides defenders the best chance at outpacing attackers. This session will demonstrate how you can take a comprehensive approach to API security with code-level inventorying and runtime protection. Learn about the challenges of one-dimensional API security approaches and what it takes to automate API security across the development lifecycle. Discover how to mitigate API issues faster and improve your organization’s API security posture more efficiently.
Speakers
Idan Plotnik

Co-Founder and CEO, Apiiro
Idan is a serial entrepreneur and product strategist, bringing to Apiiro nearly 20 years of experience in cybersecurity. Previously, Idan was Director of Engineering at Microsoft following the acquisition of Aorato where he served as the founder and CEO.
Patrick Sullivan

Patrick Sullivan is VP, CTO of Security Strategy for Akamai. He joined the Security Team in 2005 and has been a leader working on shifting to Edge-Based Security architectures. Patrick is a frequent speaker at Security Conferences including RSAC, Blackhat, Gartner, IANS, and others...

3:50pm PDT

Metrics That Matter: How to Choose Cloud Security KPIs for Your Business - Emma Yuan Fang, EPAM Systems
Wednesday June 26, 2024 3:50pm - 4:25pm PDT
443
As cloud security operations mature within organizations, implementing effective metrics is vital for measuring cloud security posture and operational readiness. Organizations often face challenges in tracking security metrics without incurring resource overheads. This talk discusses examples of both potentially effective and ineffective metrics based on real-life experiences, tailored to various business scenarios and risk appetites. We will explore how to prioritize metrics that inform leadership and drive continuous improvement in cloud security posture. The session also introduces concepts like the Exploit Prediction Scoring System (EPSS) for prioritizing vulnerability remediation and Protection Level Agreements (PLAs) for building effective KPIs. The goal is to not only measure but enhance cloud security operations, empowering teams to identify the cloud security metrics that truly matter to their business.
Speakers
Emma Fang

Senior Manager, Senior Cloud Security Architect, EPAM Systems
Emma is a Senior Manager, Cloud Security Architect at EPAM Systems, who provides strategic and technical advisory for enterprise cloud projects. Previously working at Microsoft, she delivered cybersecurity projects and workshops to clients ranging from startups to FTSE 100 firms. A dedicated advocate...
  Security Advocacy + Collaboration
  • Content Experience Level Beginner
  • Presentation Slides Attached Yes

3:50pm PDT

Evasive Maneuvers: Strategies to Overcome Runtime Detection Tools - Amit Schendel, ARMO
Wednesday June 26, 2024 3:50pm - 4:25pm PDT
445
The race between cyberattackers and defenders is intense and ongoing. As the capabilities of these runtime detection tools evolve, so too do the techniques employed by adversaries to get around them. In this talk, we uncover the intricate landscape of evasion strategies, presenting innovative methods to outmaneuver runtime detection mechanisms. From obfuscation and polymorphism to sandbox evasion and behavioral camouflage, each tactic represents a nuanced approach aimed at subverting detection and infiltrating systems undetected. By dissecting real-world case studies and exploring the underlying principles of detection avoidance, this presentation equips defenders with invaluable insights into the evolving tactics of threat actors and underscores the critical importance of adaptive security measures in safeguarding against emerging threats.
Speakers
Amit Schendel

Senior Security Researcher, ARMO
Passionate about security research and low-level programming with a focus on OS internals (Windows & Linux). Proficient in C++, Python, and Go. Excited about tackling complex challenges at the intersection of cybersecurity, system-level development and cloud technologies.

3:50pm PDT

Tutorial: Automating Configuration and Management of your GitHub Repositories with Minder - Dania Valladares & Evan Anderson, Stacklok
Wednesday June 26, 2024 3:50pm - 5:15pm PDT
435
Everyone likes consistent security rules, as long as they are your own rules. But keeping dozens or hundreds of repos consistent is no easy task. Minder, an open source supply chain security platform, allows you to write your own rules for what “good” looks like, and then apply them consistently to your GitHub configuration, source code, Actions, and Images. In this tutorial, you’ll learn how to write your own Rego rules for Minder, and apply them across multiple repositories. No more spreadsheets and shell scripts for keeping your supply chain secure.
Speakers
Evan Anderson

Software Engineer, Stacklok
Co-founder and maintainer on Knative project. Member of sigstore-oncall. Previously worked on Google Compute Engine and Serverless (App Engine, Functions) and in SRE. Principal engineer at Stacklok. Ex-Google, ex-VMware. Author of Building Serverless Applications on Knative by O'Reilly...
Dania Valladares

Software Engineering Manager, Stacklok
Dania, as a Software Engineering Manager at Stacklok, is deeply committed to fostering an inclusive workplace environment where every team member can thrive through continuous learning, growth and personal fulfillment. With a strong foundation in engineering full-stack enterprise-level...

4:40pm PDT

Learn to Navigate the Perils and Pitfalls of Multi-Tenant Identity Infrastructure - Fabienne Bühler & Livio Spring, ZITADEL
Wednesday June 26, 2024 4:40pm - 5:15pm PDT
In this talk, we'll dive into the complexities and frustrations of implementing multi-tenant identity and access management (IAM) systems, a significant headache for anyone juggling the diverse needs of B2B, B2C, and M2M environments. An important part of the discussion is on the decision-making process around multi-tenancy configurations: should we push for a unified system that makes resource sharing a breeze, or should we double down on tenant isolation for the sake of security? This conversation goes beyond; we'll address the intense effort needed to rally devs, ops, and security into a single platform approach, moving away from those isolated IAM solutions that barely scratch the surface of broader IAM challenges. Expect a candid look at the hurdles of tenant isolation, ensuring a smooth user experience, handling policy enforcement, auditing, and finding the right balance between self-hosting and leveraging cloud services—highlighting their impact on a multi-tenanted IAM approach.
Speakers
Fabienne Bühler

Co-Founder & Head of Product, ZITADEL
I started my career as a software engineer and transitioned into product management at ZITADEL, driven by a passion for both technology and customer needs. In my role, I work to connect development, customers, and business goals to ensure our products meet user expectations and drive...
Livio Spring

Co-Founder & Software Engineer, ZITADEL
Livio is a software engineer with more than 7 years of experience in identity and access management. At ZITADEL, I have focused on developing solutions for OAuth, OpenID Connect (OIDC), and other industry-standard protocols for the past five years and was the main contributor of ZITADEL's...
Ballroom 2-3
  IAM + Multi-tenancy + Network Security
  • Content Experience Level Any
  • Presentation Slides Attached Yes

4:40pm PDT

Detection Engineering in Kubernetes Environments: Wrangling Security Data Out of Your Clusters! - Dakota Riley, Aquia
Wednesday June 26, 2024 4:40pm - 5:15pm PDT
433
As Kubernetes (K8s) usage becomes more common, security teams are often tasked with securing K8s usage within their organization. K8s Clusters contain a variety of different logs and data sources. Feeding these data sources with appropriate detective controls can give Security teams deep insight into the activity of their clusters, and help identify both malicious activity and risky configurations. In this talk, we will explore:

- The different types of logs and data available within K8s environments
- What you should care about (and why) from a security perspective
- The differences between self-managed and CSP managed-K8s offerings, and how each affects detection
- Engineering aspects of plumbing these logs to a SIEM or Data Lake
- How to get started on generating your own detection cases, including real-world attack scenarios!

Throughout the presentation, we will layer our guidance alongside input from industry frameworks like MITRE ATT&CK for Containers and real world experience.
Speakers
Dakota Riley
Principal Security Engineer, Aquia
Dakota Riley is a Principal Security Engineer with Aquia. Dakota handles a mix of application security, cloud security, and automation/development in his day-to-day. When not building with the CDK, he enjoys hiking, grappling, and video games.

4:40pm PDT

Navigating the Intersection: AI’s Role in Shaping the Secure Open Source Software Ecosystem - Harry Toor, Open Source Security Foundation (OpenSSF)
Wednesday June 26, 2024 4:40pm - 5:15pm PDT
443
The intersection of AI, cybersecurity, and open-source software (OSS) is pivotal for the growth and development of companies and society. We discuss the four apparent corners of this intersection to help inform a growing ecosystem:
(1) OSS underpins AI systems, and routinely faces security risks. Tools like Scorecard help consumers understand risks in the supply chain of OSS used in AI systems.
(2) Furthermore, open-sourcing AI components accelerates OSS growth, requiring secure practices. Tools like sigstore can help secure these newly released open-sourced AI components entering the OSS supply chain.
(3) AI also revolutionizes OSS security by automating vulnerability management, enhancing development lifecycles.
(4) Lastly, AI's role is evolving; it now contributes to OSS, influencing both upstream creation and downstream use, marking a significant shift in open-source development.
These four corners and the challenges within are crucial in shaping the future of technology.
Speakers
Harry Toor
Chief of Staff, OpenSSF
Harry is the Chief of Staff for the OpenSSF and comes to the Linux Foundation with over a decade of experience helping clients understand how they can harness technology to innovate, adapt, and evolve their enterprises. He has worked across industries including the Public Sector...

5:15pm PDT

Sponsor Booth Crawl
Wednesday June 26, 2024 5:15pm - 6:45pm PDT
Join us onsite for drinks and appetizers, fun, and conversations with old and new friends in the Solutions Showcase. Explore exhibit booths to learn more about the latest technologies, browse special offers and job posts, and much more.

In order to facilitate networking and business relationships at the event, you may choose to visit a third party’s booth. You are never required to visit third party booths. When visiting a booth or by participating in sponsored activities, the third party will receive some of your registration data. This data includes your first name, last name, title, company, address, email, standard demographics questions (i.e. job function, industry), and details about the sponsored content or resources you interacted with. If you choose to interact with a booth or access sponsored content, you are explicitly consenting to receipt and use of such data by the third-party recipients, which will be subject to their own privacy policies.
Ballroom 1
 
Thursday, June 27
 

8:00am PDT

Registration + Badge Pick-Up
Thursday June 27, 2024 8:00am - 4:30pm PDT
Ballroom Lobby

9:00am PDT

Keynote: Opening Remarks
Thursday June 27, 2024 9:00am - 9:05am PDT
Ballroom 2-3

9:05am PDT

Keynote: Securing Kubernetes, the Upstream Way - Rey Lejano, Solutions Architect, Red Hat
Thursday June 27, 2024 9:05am - 9:20am PDT
There are countless tools, projects, and products to secure your cloud native workloads on Kubernetes. With millions of Kubernetes container image pulls a day and over 120 downstream Kubernetes distributions, the most effective approach to securing Kubernetes is to focus upstream -- this is where the geese of Kubernetes SIG Security honk and improve Kubernetes' security posture.

This talk will highlight some of the work and successful consequences of third-party security audits of Kubernetes managed by a SIG Security subproject. Hopefully this talk will inspire contributors to improve the security posture of an open source project.
Speakers
Rey Lejano
Solutions Architect, CNCF Ambassador, DevOps Institute Ambassador, K8s SIG Docs co-chair, Red Hat
Rey Lejano is a Solutions Architect at Red Hat and is the co-chair of Kubernetes SIG Docs. He contributes to Kubernetes SIG Security, Release, & Contributor Experience. He is a member of seven Kubernetes Release Teams including serving as the 1.23 Release Lead and 1.25 Emeritus Adviser...
Ballroom 2-3

9:20am PDT

Keynote: Security Education Through the Art of Storytelling - Ann Wallace, Director of Product Security Education, Okta
Thursday June 27, 2024 9:20am - 9:35am PDT
Yearly compliance and security training often feels like a chore – tedious and disconnected from the real challenges we face. What if there was a way to captivate folks and excite them to learn more about security? The simple answer is storytelling. In this presentation, Ann will explore the role of storytelling in teaching security principles and concepts to an audience that might have little interest in the topic. She will delve into the core concepts of storytelling, highlighting what works and what doesn’t. She will share her stories of success and failures, providing a candid look at the impact of storytelling on the effectiveness of security education. Lastly, she will share how these storytelling techniques have been instrumental in shaping the Security Education program at Okta. Attendees will leave this session with innovative strategies to make security education more accessible, engaging, and enjoyable through the power of storytelling.
Speakers
Ann Wallace
Director, Product Security Education, Okta
Ann Wallace is currently the Director of Security Education at Okta. Prior to Okta, Ann has held various security and cloud leadership & architecture roles at Shopify, Google and Nike. Ann has spoken at numerous conferences on Compliance and Container Security. Ann can also be found...
Ballroom 2-3

9:35am PDT

Keynote: Sugar Ray.io on K8s: Shut the Door, Baby! - Greg Castle, GKE Security Tech Lead, Google & Cynthia Thomas, Product Manager, Google
Thursday June 27, 2024 9:35am - 9:50am PDT
As a distributed compute framework for AI applications, Ray.io shares several similarities with Kubernetes, but takes a different approach to security. Ray has grown in popularity in recent years, and deploying it on Kubernetes with KubeRay is a popular choice that provides flexibility and configurable orchestration. In this talk, we’ll discuss recent security research that found misconfigured Ray clusters exposed to the Internet, and we’ll cover what options you have for hardening Ray deployments with Kubernetes. Can Kubernetes shore up security where Ray expects it to be configured by the user?
Speakers
Cynthia Thomas
Product Manager, Google
Cynthia Thomas is a Product Manager for Google Kubernetes Engine (GKE) at Google Cloud. She has spent 17+ years in the tech industry, the last 10 of which she was an advocate for open source and cloud-native technologies. She enjoys solving problems with experience in Service Provider...
Greg Castle
GKE Security Tech Lead, Google
Greg is the tech lead for the Google Kubernetes Engine (GKE) security team and has been contributing to K8s security since 2017. He founded the K8s Container Identity Working Group and led GKE team members who built K8s OIDC support, Secrets Encryption, RuntimeClass, and more. Greg...
Ballroom 2-3

9:50am PDT

Keynote: A Vision for a Secure Software Supply Chain - Marina Moore, PhD Candidate, New York University
Thursday June 27, 2024 9:50am - 10:05am PDT
Supply chain attacks have been in the news a lot the past few years, but luckily there are a lot of great solutions being built in this space. This talk will discuss some of the emerging technologies in this space, and present a vision of a future with secure supply chains. It will address how various software supply chain security technologies can fit together, and how we can achieve this future.
Speakers
Marina Moore
Researcher, Independent
Marina Moore is a PhD candidate at NYU Tandon’s Secure Systems Lab researching secure software updates and software supply chain security. She is a maintainer of The Update Framework (TUF), a CNCF graduated project, as well as in-toto, an incubating project. She contributed to the...
Ballroom 2-3

10:05am PDT

Keynote: We’re VEXing the Cloud Native Landscape. Bring Your Code! - Adolfo García Veytia, Staff Software Engineer, Stacklok
Thursday June 27, 2024 10:05am - 10:20am PDT
Notorious events such as the xz backdoor often lead to a surge in user inquiries, with repetitive questions becoming a common occurrence. What's more, when a vulnerability doesn't affect your software, scanners may generate false positives. It's a recurring challenge for any application security team. Enter VEX, the Vulnerability Exploitability eXchange, a complementary format to SBOM allowing developers to communicate the impact of vulnerabilities on their software. VEX also provides insights into the triage status and facilitates automation to address false positives in security scanners. In this presentation, we'll delve into how the Kubernetes ReleEng Team, in collaboration with TAG Security, bootstrapped OpenVEX feeds throughout the CNCF ecosystem. Using these initiatives as a roadmap, we'll show how to effortlessly build a new feed and showcase the automation of VEX data, and illustrate through hands-on demos, how consumers and security tools can leverage it effectively.
Speakers
Adolfo García Veytia
Staff Software Engineer, Stacklok
Adolfo García Veytia (@puerco) is a staff software engineer with Stacklok. He is one of the Kubernetes SIG Release Technical Leads, actively working on the Release Engineering team. He specializes in improving the software that drives the K8s release process. He is also the creator...
Ballroom 2-3

10:20am PDT

Keynote: Closing Remarks
Thursday June 27, 2024 10:20am - 10:30am PDT
Ballroom 2-3

10:30am PDT

Coffee Break ☕
Thursday June 27, 2024 10:30am - 11:00am PDT
Ballroom 1

10:30am PDT

Solutions Showcase
Thursday June 27, 2024 10:30am - 4:00pm PDT
Ballroom 1

11:00am PDT

Container Images & Security 101: 5 Need to Know Facts - Phil Estes, AWS
Thursday June 27, 2024 11:00am - 11:35am PDT
A newbie to our cloud native community can easily be overwhelmed: OCI specifications, SBOMs, build pipelines, image scanning, secure supply chain! The terminology, tools, and practices are moving quickly and new developers can find themselves lost amidst the information overload! This talk will provide an easily understandable guide to the container image format as it relates to the tools and practices that are critical to using containers securely and confidently in application deployments in the cloud, on Kubernetes, or in a myriad of other ways they are used today. We'll boil all this down to five critical facts that developers should understand about how images work and how the world of security tools and practices interact with these fundamental principles. Hopefully new (and old) developers alike will find this space demystified and approachable in a way they haven't before!
Speakers
Phil Estes
Principal Engineer, AWS
Phil is a Principal Engineer for Amazon Web Services (AWS), focused on core container technologies that power AWS container offerings like Fargate, EKS, and ECS. Phil is an active contributor and maintainer for the CNCF containerd runtime project, and participates in the Open Container...
Ballroom 2-3
  Cloud Native Security Novice

11:00am PDT

Scan, Patch, VEX - Using Open Source Tools to Manage Vulnerabilities in Containers - Toddy Mladenov & Sertaç Özercan, Microsoft; Itay Shakury, Aqua Security
Thursday June 27, 2024 11:00am - 11:35am PDT
433
Do you feel overwhelmed managing vulnerabilities at cloud-native scale? Keeping track of patches and exceptions can be daunting. There must be a better way to automate the process and reduce the noise. In this talk you will learn how you can manage vulnerabilities with open source tools like Trivy and Copacetic as well as open standards like VEX. The speakers will explain the roles of the tools and the standards in your vulnerability management process and demonstrate their use in various scenarios. You will see how you can improve the vulnerability posture of your cloud native workloads in development, test and production settings. Attendees will leave the session with practical knowledge that will help them improve the security of their organizations.
Speakers
Sertaç Özercan
Principal Software Engineering Manager, Microsoft
Sertaç Özercan is a Principal Software Engineering Manager for the open-source cloud-native containers security team in Microsoft Azure. Previously, he worked in the Azure Kubernetes Service (AKS) and Azure Red Hat OpenShift (ARO) teams.
Itay Shakury
VP Open Source, Aqua Security
Itay Shakury is the VP of Open Source at Aqua Security, where he leads engineering for open source, cloud native security solutions. Itay has some 20 years of professional experience in various software development, architecture and product management roles. Itay is also a CNCF Cloud...
Toddy Mladenov
Principal Product Manager, Microsoft
Toddy has over 25 years of experience in software engineering and design, consulting, and product management for companies like Microsoft, T-Mobile, and SAP. He started his cloud journey 14 years ago as part of the Azure team. Since then, Toddy worked on large-scale cloud implementations...
CNSC24 pdf

11:00am PDT

Shift Down Security! How Platform Teams Can Help Break the Logjam - Jim Bugwadia, Nirmata & Poonam Lamba, Google
Thursday June 27, 2024 11:00am - 11:35am PDT
443
Let's face it, the current approaches to security are not working. Centralized security teams are not the domain experts, and yet are tasked with securing highly dynamic cloud native environments. And, “Shift Left” just adds more burden to already busy developers, who may not have context or proper training in security best practices. The emergence of platform engineering, along with cloud native best practices of codification and automation, offers a new way: automating security and compliance using cloud native policy as code! In this session, Poonam and Jim will present both the security and operations teams' perspectives on adopting policy as code combined with cloud native best practices, to implement guardrails in the platform layer, so both developers and security teams can focus on what they do best.
Speakers
Jim Bugwadia
Founder and CEO, Nirmata
Jim Bugwadia is a co-founder and the CEO of Nirmata, the Kubernetes policy and governance company. Jim is an active contributor in the cloud native community and currently serves as co-chair of the Kubernetes Policy and Multi-Tenancy Working Groups. Jim is also a co-creator and maintainer...
Poonam Lamba
Product Manager, Google
Poonam is a Product Manager at Google, where she leads Policy, Governance, and Compliance for GKE. An active contributor to the Kubernetes Policy Working Group and Gatekeeper project, she is passionate about open-source solutions. Outside of work, Poonam enjoys hiking, paddle boarding...

11:00am PDT

Amplifying Impact: Documentation and Supply Chain Security - Michelle Irvine, Google Cloud
Thursday June 27, 2024 11:00am - 11:35am PDT
447
Teams with high-quality documentation are 3.8 times more likely to implement security practices compared to teams with low-quality documentation. This is just one of a set of findings about security practices from Google Cloud’s DORA research program (dora.dev). Our research is industry-wide, and documentation and security are two of many constructs that we study and measure. This talk focuses on these two elements, and there are many more findings about security (including evaluating SLSA and SSDF in 2022) in the DORA reports. In this talk, I will:
- Describe how we measure security practices and documentation quality.
- Present our findings about security practices, including why documentation is like sunshine.
- Give some insight into the creation of quality documentation to support your security efforts.
This talk is valuable for anyone in technical roles, and for leaders looking to improve the quality of their organization’s security practices and other performance metrics.
Speakers
Michelle Irvine
Technical Writer, Google Cloud
Michelle Irvine is a technical writer at Google. She has been part of the DORA project since 2020, and leads research into the impact and production of technical documentation. Before Google, Michelle worked in educational publishing and as a technical writer for physics simulation...
  Supply Chains + Containers + Application Security
  • Content Experience Level Any
  • Presentation Slides Attached Yes

11:00am PDT

Embracing the Future: The Effortless Mutual TLS and Rich Layer 7 Authz Policy Without Sidecars - Lin Sun, solo.io
Thursday June 27, 2024 11:00am - 11:35am PDT
445
In today's production environments, sidecars have become the dominant choice for implementing mutual TLS, rich Layer 7 authorization policies and traffic management. However, sidecars require applications to restart after being added to the mesh, causing unnecessary overprovisioning of resources for L7 processing when only mutual TLS is required. This presentation will delve into the reasons behind the rise of sidecar-less service mesh in Istio with the innovative two-layer design. Lin will explain the key advantages of sidecar-less architecture and demonstrate live how both developers and operators can enforce mTLS and rich L7 authorization policies without any effort or sidecars!
Speakers
Lin Sun
CNCF TOC member and Head of Open-Source at solo, solo.io
Lin is the Head of Open Source at Solo.io, and a CNCF TOC member and ambassador. She has worked on the Istio service mesh since the beginning of the project in 2017 and serves on the Istio Steering Committee and Technical Oversight Committee. Previously, she was a Senior Technical...

11:00am PDT

Tutorial: Hacking Istio: The Good, the Bad, and the Misconfigured - Nina Polshakova & Peter Jausovec, Solo.io
Thursday June 27, 2024 11:00am - 12:25pm PDT
435
Istio provides out-of-the-box network security tools, from mutual TLS (mTLS) encryption to powerful AuthorizationPolicies for access control. However, misconfigurations can expose vulnerabilities, compromising the security of the entire mesh. The new Ambient mode in Istio removes the need for sidecars but requires new considerations when configuring access control at different network layers. The tutorial will provide Kubernetes clusters with Istio installed and some vulnerabilities ready for you to exploit and learn from. After an introduction to Istio, we will provide time for participants to find and exploit the Istio misconfigurations (with hints if you get stuck!). We will wrap up the tutorial by walking through the steps to find the flag hidden on the cluster. This is a beginner-friendly, hands-on, collaborative tutorial to learn the importance of correctly configuring Istio security policies and what can go wrong if a misconfiguration slips through the cracks.
Speakers
Peter Jausovec
Principal Platform Advocate, Solo.io
Peter Jausovec is a platform advocate at Solo.io. He has over 15 years of experience in software development and tech in various roles such as QA (test), software engineering, and leading tech teams. He's been working in the cloud-native space for the past couple of years and delivering...
Nina Polshakova
Principal Software Engineer, Solo.io
Nina is a software engineer working on multi-cluster Istio solutions on the Gloo Platform team at Solo.io. She has also been on several Kubernetes release teams, most recently as the Enhancements team lead for the 1.29 release. Previously Nina worked at Shape Security preventing malicious...

11:00am PDT

🚩 Capture the Flag Experience
Thursday June 27, 2024 11:00am - 12:25pm PDT
420
Delve deeper into the dark and mysterious world of Cloud Native security! Exploit developer permissions, perform incident response, dance through developer environments, utilize your position to hunt and collect the flags, and hopefully learn something new and wryly amusing along the way!

Everybody is welcome, from beginner to seasoned veterans, as we venture amongst the low-hanging fruits of insecure configuration and scale the lofty peaks of cluster compromise!
Learn more about how to participate in Capture The Flag.

Speakers
Andrew Martin
CEO, ControlPlane
Andrew has an incisive security engineering ethos gained building and destroying high-traffic web applications. Proficient in systems development, testing, and operations, he is at his happiest profiling and securing every tier of a cloud native system, and has battle-hardened experience...
Iain Smart
Principal Consultant, ControlPlane
Iain Smart is a Principal Consultant at ControlPlane, where he reviews cloud-native deployments and performs offensive security engagements. He enjoys playing with new technologies, and if he's not hacking a Kubernetes cluster or attacking a build pipeline he can probably be found...

11:50am PDT

Demystify Modern Signing: Keys, Certs, and Envelopes - John Kjell, TestifySec
Thursday June 27, 2024 11:50am - 12:25pm PDT
Have you heard of projects like Sigstore’s Cosign, Notation, The Update Framework (TUF), or in-toto before? What’s one thing they all have in common? They cryptographically sign things. In this talk there will be no explanations of elliptic curves, discussion about what prime numbers have to do with cryptography, or modular exponentiation. Instead, we’ll talk about how the above tools work from a practical perspective covering key algorithms, signing envelopes, certificates, and verification. First, we’ll take a brief look at the differences between signing and verification versus encryption and decryption. Building on this, we’ll look at the different design decisions made by Cosign, Notation, TUF, and in-toto’s Witness project. Finally, we’ll walk through the emerging trend of identity-based signing using short-lived keys and certificates, including verification of a signature using nothing besides the openssl and shasum CLI commands.
Speakers
John Kjell
Director of Open Source, TestifySec
John is responsible for open source at TestifySec, a software supply chain security startup. He is a maintainer for the Witness and Archivista sub-projects under in-toto. Additionally, John is an active contributor to CNCF's TAG Security and multiple projects within the OpenSSF. Before...
Ballroom 2-3
  Cloud Native Security Novice

11:50am PDT

Network ACLs Made Easy: Establishing Zero Trust Network Policies in a Few Clicks - Juno Im & Yonghwi Jin, Theori
Thursday June 27, 2024 11:50am - 12:25pm PDT
443
Achieving comprehensive Zero Trust through user/RBAC authentication alone is challenging. Realizing full zero trust often requires network-level access controls, complicating access management across authentication and network ACLs while adhering to least privilege principles. Manually managing numerous ACLs is extremely daunting for security teams, especially in high-traffic environments where network activity makes maintaining proper access controls difficult. We will share a case study on leveraging AWS VPC Flow Logs and Terraform to automate security group configuration without third-party solutions. We demonstrate how to analyze historical network traffic data using a few lines of Rust code to establish and maintain network ACLs. Furthermore, we showcase optimizations to AWS-related Terraform workflows for much faster application of security groups. All tools and scripts developed for this workflow will be released as open-source software.
Speakers
Juno Im
Mr., Theori
Juno is a staff researcher at XINT. He has 6 years of experience in the cyber security field and brings expertise in Cloud Security Consulting, Penetration Testing, and Security Assessment. Having discovered vulnerabilities for major tech companies like Samsung, Google, Apple, and AWS...
Yonghwi Jin
Staff Researcher, Theori
Yonghwi Jin is a staff researcher at Theori. He is mainly interested in static analysis and DevSecOps automation.
  IAM + Multi-tenancy + Network Security
  • Content Experience Level Advanced
  • Presentation Slides Attached Yes

11:50am PDT

Securing CI/CD Runners Through eBPF Agent - Mert Coskuner, Yahoo & Cenk Kalpakoglu, Kondukto
Thursday June 27, 2024 11:50am - 12:25pm PDT
433
CI/CD pipelines are complex environments. This complexity requires methodical, comprehensive reviews to secure the entire stack. Often a company may lack the time, specialist security knowledge, and people needed to secure their CI/CD pipelines. Realising these facts, cyberattacks targeting CI/CD pipelines have been gaining momentum, and attackers increasingly understand that build pipelines are highly privileged targets with a substantial attack surface. In this presentation, we will share some of our observations by showing different flavours of attack on possible development pipelines, and introduce a tool to detect them.
Speakers
Mert Coskuner
Principal Product Security Engineer, Yahoo
Mert Coskuner is an experienced security engineer who has worked for numerous well known tech companies. He is a veteran pentester, red teamer, security researcher and malware & cryptography nerd.
Cenk Kalpakoglu
Co-Founder & CEO, Kondukto
Cenk is the Co-founder & CEO of Kondukto Inc. He is an experienced system developer and application security professional with over 15 years of experience. Cenk is a longtime Linux aficionado. He is an active speaker at events and enjoys speaking about appsec automation, fuzzing, the...
  Observability + Detections + Response
  • Content Experience Level Advanced
  • Presentation Slides Attached Yes

11:50am PDT

How to Generate VEX Automatically for Your Project - Shlomo Heigh, CyberArk & Ben Hirschberg, ARMO
Thursday June 27, 2024 11:50am - 12:25pm PDT
447
CNCF Projects to spearhead vulnerability management revolution
The presentation will start with an overview of VEX, what problem it solves, and how you can use it to improve vulnerability management. Producing VEX for container image deliverables of open-source projects greatly reduces false positives in security scans. It helps users to focus on real security issues rather than managing unexploitable vulnerabilities. Next, we’ll cover how to automate VEX generation on your Kubernetes workloads using Kubescape, a CNCF project that helps you identify misconfigurations and vulnerabilities. Lastly, we’ll discuss a new GitHub Action we’ve developed that streamlines the generation of VEX files in release processes, making it easier for you and the users of your project to manage your vulnerabilities.
Speakers
Shlomo Zalman Heigh
Senior Software Engineer, CyberArk
Shlomo is a senior software engineer at CyberArk. He's a maintainer of the Conjur open source project, a DevSecOps secrets manager that aims to solve the problem of secret leakage in production applications and workloads running on-prem or in the cloud. He's also a member of the CNCF's...
Ben Hirschberg
CTO, ARMO
Ben is a veteran cybersecurity and DevOps professional, as well as computer science lecturer. Today, he is the co-founder at ARMO, with a vision of making end-to-end Kubernetes security simple for everyone, and a core maintainer of the open source Kubescape project. He teaches advanced...
  Supply Chains + Containers + Application Security
  • Content Experience Level Any
  • Presentation Slides Attached Yes

11:50am PDT

The Runtime Rodeo; Where Open Source Image Behavior Is Tamed - Jimmy Mesta, RAD Security
Thursday June 27, 2024 11:50am - 12:25pm PDT
445
In this talk, we will discuss a new proposed standard for creating behavioral fingerprints of open source images' behavior at runtime. In cloud native security, software supply chain security has been focused almost exclusively on what happens before a container's deployment, focusing on SBOMs, SCA, CVEs, image signing and more. But the most well-known software supply chain attack, Solar Winds, was not a CVE. Their software was tampered with in the CI/CD process, and then released to customers. What if a company could create a cryptographically verified runtime behavioral fingerprint? It would be the ultimate software supply chain verification, and would have stopped the Solar Winds attack. In this talk, we will discuss the decision points for the new standard, in terms of what should be included in or excluded from the fingerprint and why, using different open source images like nginx or apache as examples.
Speakers
Jimmy Mesta
CTO and Co-Founder, RAD Security
Jimmy Mesta is the founder and Chief Technology Officer at RAD Security. He is responsible for the technological vision for the RAD Security platform. A veteran security engineering leader focused on building cloud-native security solutions; Jimmy has held various leadership positions...
  Supply Chains + Containers + Application Security
  • Content Experience Level Beginner
  • Presentation Slides Attached Yes

12:25pm PDT

Lunch 🍲
Thursday June 27, 2024 12:25pm - 1:55pm PDT
Ballroom 1

1:55pm PDT

Level up Your Security Career with the TAG Security Community - Andrew Martin, ControlPlane
Thursday June 27, 2024 1:55pm - 2:30pm PDT
Have you ever wondered how the CNCF secures its projects? Or how security whitepapers get written? Or how threat modelling works? Then this is the talk for you! Long-time TAG Security collaborator and co-chair emeritus Andy Martin will take you through his journey into the Technical Advisory Group for Security that supports the Cloud Native Computing Foundation with projects like Flux, Flatcar, and Kubeflow. From how to get started, through current initiatives, and future industry directions and trends — this talk introduces it all, and shows you how collaboration with a kind community of other experts can take your career to the next level.
Speakers
Andrew Martin

CEO, ControlPlane
Andrew has an incisive security engineering ethos gained building and destroying high-traffic web applications. Proficient in systems development, testing, and operations, he is at his happiest profiling and securing every tier of a cloud native system, and has battle-hardened experience...
Ballroom 2-3
  Cloud Native Security Novice

1:55pm PDT

Implementing a Multi-Tenant, Relationship-Based Authorization Model with OpenFGA - Evan Anderson, Stacklok & María Inés Parnisari, Okta
Thursday June 27, 2024 1:55pm - 2:30pm PDT
435
When we built the open source supply chain security platform, Minder, we initially wrote our own database-backed authorization implementation, with the concepts of users, roles, organizations, and groups. This was a lot of code that distracted from our core mission of securing software repositories, but it was critical to get right in a multi-tenant service. In this talk, we’ll explain how we replaced that code with OpenFGA, an open source authorization solution, to implement hierarchical permissions and project relationships. We’ll show how we used OpenFGA’s modeling language to write and test our permissions model, how we use middleware to perform the authorization check, and what additional work you may need to do outside of OpenFGA to better connect with your own identity providers. At the end of this talk, you’ll know enough to decide if OpenFGA is right for you.
Speakers
Evan Anderson

Software Engineer, Stacklok
Co-founder and maintainer on the Knative project. Member of sigstore-oncall. Previously worked on Google Compute Engine and Serverless (App Engine, Functions) and in SRE. Principal engineer at Stacklok. Ex-Google, ex-VMware. Author of Building Serverless Applications on Knative by O'Reilly...
María Inés Parnisari

Senior Software Engineer, Okta
Maria is a software engineer specializing in backends running in the cloud. She is based in Canada.

1:55pm PDT

A Needle in a Haystack: How to Find a Threat Hidden in Over 6 Billion Logs Per Day - Brian Davis, Red Canary
Thursday June 27, 2024 1:55pm - 2:30pm PDT
443
All cloud platforms offer audit logs of their cloud control planes (e.g., AWS CloudTrail, Google Cloud Platform Audit Logs, Azure Activity Logs) but these generate such a high volume of logs that wading through them to find indications of a threat is a huge challenge. In this talk, I’ll explain how you can take this massive stream of data and break it down into manageable chunks using basic cloud building blocks like S3 buckets and SQS queues, or more sophisticated tools like OpenSearch and Kubernetes, to create your own detection platform and build custom analytics to search for whatever needle you want to find in the haystack. This will reduce the flood of data down into a trickle of actionable alerts, in the same way that Red Canary sifts through more than 6 billion cloud log records a day.
Speakers
Brian Davis

Principal Software Engineer, Red Canary
Principal Software Engineer and Architect at Red Canary, Brian Davis has been building complex systems for over two decades, ranging from signal-processing algorithms to complex data-processing applications, deploying these on Solaris servers, on-prem virtual machines, and the cloud...
  Observability + Detections + Response
  • Presentation Slides Attached Yes

1:55pm PDT

Proactive Kubernetes Security: Anomaly Detection and Runtime Alerting in Kubernetes Workloads - Amit Schendel, ARMO & Remi Minnebo, Alter Domus
Thursday June 27, 2024 1:55pm - 2:30pm PDT
433
What happens when a project maintainer and an end-user walk into a bar? Sounds like the beginning of a bad joke, but in this case, it triggered a new idea: implementing anomaly detection for security purposes for Kubernetes workloads. Traditional runtime security approaches often struggle to keep pace with the dynamic and ephemeral nature of Kubernetes environments. This presentation introduces KubeCop, a proof-of-concept tool within the Kubescape project, designed to add a new direction to Cloud Native security approaches. The heart of the presentation will focus on anomaly detection, explaining ApplicationProfile baselines and their role in identifying deviations from normal workload behavior using Kubescape and Inspektor-Gadget. Get ready for a hands-on exploration as we demonstrate KubeCop's deployment and the end-user experience, with feedback from real systems. We will show real-world attack scenarios and how the concept handles them.
Speakers
Amit Schendel

Senior Security Researcher, ARMO
Passionate about security research and low-level programming with a focus on OS internals (Windows & Linux). Proficient in C++, Python, and Go. Excited about tackling complex challenges at the intersection of cybersecurity, system-level development and cloud technologies.
Remi Minnebo

Head of Cloud Platform Engineering, Alter Domus
Proven track record in designing resilient, automated & highly scalable enterprise-level cloud (native) environments with a high emphasis on security.

1:55pm PDT

A Mouthful of Mayhem: Taste Test and Gut Response to SLSA, GUAC, and Supply Chain’s Plat Du Jour - Shane Lawrence, Shopify
Thursday June 27, 2024 1:55pm - 2:30pm PDT
447
Major chains, celebrity chefs, and cozy independents have prepared a buffet of supply chain entrees, and there has never been such a focus on how the sausage is made. So why does it feel overdone while we’re still hungry for more? In this talk, Shane will review some of the most popular ingredients in today’s supply chain ecosystem and show how they can be combined into a recipe that satisfies the appetite of organizations responding to supply chain threats.
Speakers
Shane Lawrence

Sr Staff Developer, Shopify
Shane is a Senior Staff Infrastructure Security Engineer at Shopify, where he's working on a multi-tenant platform that allows developers to securely build scalable apps and services for crafters, entrepreneurs, and businesses of all sizes.

1:55pm PDT

Where Does Your Software (Really) Come from? - Trevor Rosen, GitHub
Thursday June 27, 2024 1:55pm - 2:30pm PDT
445
For decades, we’ve been building things with open source library dependencies, but most of the time, we’re not 100% certain where those components actually originate or how they were built. Over the past two years, GitHub has been working hand-in-hand with the open source community to attack this problem. In this talk, we’ll take you inside the effort to build a brand-new capability that is now in public beta for all repos on GitHub: Artifact Attestations. Thanks to hard work from Hubbers and contributors to projects like Sigstore, SLSA, and in-toto, creators of open source software can create an unforgeable paper trail for anything they build on GitHub, verifiable anywhere via the gh CLI tool. Learn all about the work that GitHub has done to create a new signing authority for the OSS world and the impact that we intend to have in bringing about a much-needed cultural shift towards always knowing where your software comes from.
Speakers
Trevor Rosen

Engineering Director, GitHub
Trevor Rosen is the founder of the Package Security team at GitHub, focused on improving supply chain integrity. He has extensive experience in practical information security with a particular focus on CI/CD systems. A veteran of the SolarWinds attack and subsequent response, Trevor...

1:55pm PDT

🚩 Capture the Flag Experience
Thursday June 27, 2024 1:55pm - 4:25pm PDT
420
Delve deeper into the dark and mysterious world of Cloud Native security! Exploit developer permissions, perform incident response, dance through developer environments, utilize your position to hunt and collect the flags, and hopefully learn something new and wryly amusing along the way!

Everybody is welcome, from beginner to seasoned veterans, as we venture amongst the low-hanging fruits of insecure configuration and scale the lofty peaks of cluster compromise!
Learn more about how to participate in Capture The Flag.

Speakers
Andrew Martin

CEO, ControlPlane
Andrew has an incisive security engineering ethos gained building and destroying high-traffic web applications. Proficient in systems development, testing, and operations, he is at his happiest profiling and securing every tier of a cloud native system, and has battle-hardened experience...
Iain Smart

Principal Consultant, ControlPlane
Iain Smart is a Principal Consultant at ControlPlane, where he reviews cloud-native deployments and performs offensive security engagements. He enjoys playing with new technologies, and if he's not hacking a Kubernetes cluster or attacking a build pipeline he can probably be found...

2:45pm PDT

Guardians of the Dataverse: Securing the AI Supply and Data Chain - Frederick Kautz, TestifySec Inc.
Thursday June 27, 2024 2:45pm - 3:20pm PDT
Embark on a journey with Frederick as we chart a course beyond the familiar territories of Software Supply Chains (SSC) into the vast, uncharted realms of AI/ML and Big Data pipelines. Drawing from the pioneering insights of NIST SP 800-204D, crafted under Frederick’s stewardship to fortify the SSC, we'll explore how these strategies are not just applicable but crucial to the advanced landscapes of AI/ML. Also discover how existing and mature CNCF and OpenSSF projects can be harnessed to shield critical AI workflows. Frederick will draw from his experience of architecting Cloud Native AI/ML pipelines and platforms that operated on some of the most sensitive data in the industry and describe some of the open source controls he found most effective. Join the call to arms to begin defending your AI/ML pipelines and the data that powers them!
Speakers
Frederick Kautz

Cloud Native Security Unicorn, TestifySec Inc.
Frederick has an extensive background in Cloud Native and Security. Some relevant highlights include previously co-chairing KubeCon, authoring NIST SP 800-204D, and co-chairing the CTA/ANSI working group on securing AI/ML pipelines. Frederick also has an extensive history in Cloud Native...
Ballroom 2-3
  Cloud Native Security Novice

2:45pm PDT

How Does a Workload Authenticate an API Request?: Implementing Transaction Tokens with Keycloak - Yoshiyuki Tabata, Hitachi, Ltd.
Thursday June 27, 2024 2:45pm - 3:20pm PDT
435
Using OAuth2 access tokens is the best practice for authenticating an API request by a resource server. As stated in the draft CNCF Zero Trust White Paper, it is recommended to verify the "audience" of the access token to prevent access tokens from being consumed by other recipients ("Token Redirect" attack). Especially in cloud-native architectures, there are many internal workloads, so it's hard for the resource owner to identify all audiences and consent for each consumption. In this case, we can adopt the OAuth WG's draft called "Transaction Tokens" (Txn-Tokens), which utilizes OAuth2 Token Exchange (RFC8693) to issue Txn-Tokens that allow downstream workloads to identify call chains. Keycloak, an IAM OSS, supports Token Exchange. Therefore, Keycloak can potentially support the Txn-Token service which issues Txn-Tokens. In this presentation, Yoshiyuki Tabata provides an overview of Txn-Tokens and introduces how to implement Txn-Tokens with Keycloak.
Speakers
Yoshiyuki Tabata

Senior OSS Consultant, Hitachi, Ltd.
He's a Senior OSS Consultant at Hitachi, Ltd, responsible for IAM and API-related solutions. As an authentication and authorization expert, he has provided numerous consultations, for example designing and building API/SSO systems in various fields such as finance and the public sector. As a...
  IAM + Multi-tenancy + Network Security

2:45pm PDT

Kubernetes Node Firewalling from the Inside Out - Jef Spaleta, Isovalent & Justin Garrison, Sidero Labs
Thursday June 27, 2024 2:45pm - 3:20pm PDT
443
The Kubernetes API manages network policies for application traffic in a declarative way. Some network interfaces—like Cilium—take this further by introducing additional policy resources that are more expressive than the default resources. Kubernetes intentionally leaves host networking policy out of the equation. As a result, admins typically fall back to familiar tools and write fragile bash scripts for iptables and firewalld when defining host network firewall policy, but that's not the only option. The host network in your Kubernetes node is just another network namespace, albeit a somewhat special one, and it is possible to use declarative resources to secure node host networks, but not with the default Kubernetes API resources. This talk will cover a couple of contemporary implementations that provide in-cluster host network firewalling. Both Talos, as a Kubernetes distribution, and Cilium, as an advanced CNI, offer host firewalling declared as resources inside the cluster.
Speakers
Justin Garrison

Director of DevRel, Sidero Labs
Justin is a developer advocate at AWS where he helps improve container services for everyone. In the past he has helped make Oscar winning movies, built infrastructure for Disney+, and has been active in open source for a long time. In his spare time he enjoys tinkering with hardware...
Jef Spaleta

Technical Community Advocate, Isovalent
Jef Spaleta has more than a decade of experience in the technology industry: as a software engineer, open source contributor, IoT hardware developer, in operations, and most recently as a community advocate at Isovalent.

2:45pm PDT

Kubernetes Deep Dive: Elevating ML Workload Monitoring to Art - Ziwen Ning & Geeta Gharpure, Amazon Web Services
Thursday June 27, 2024 2:45pm - 3:20pm PDT
433
Operating Kubernetes well on AI/ML accelerator hardware requires both operational resilience and comprehensive workload monitoring. This session focuses on empowering Kubernetes practitioners with the strategies and insights needed to optimize AI/ML workloads effectively. We will explore a cohesive approach that combines node health assurance with advanced monitoring techniques, illustrated through practical applications such as AWS Neuron's integration for problem detection and the deployment of Neuron Monitor for enhanced observability. By diagnosing and resolving examples of real-world issues in an AI/ML cluster, the presentation underscores the tangible benefits of our methodologies. Attendees will learn to implement robust detection and recovery mechanisms, alongside leveraging tools like the K8s node problem detector, Prometheus, Grafana, and AWS CloudWatch for in-depth performance analytics, thus ensuring their Kubernetes environments are both resilient and transparent.
Speakers
Geeta Gharpure

Senior Software Engineer, Amazon
Geeta works on Kubernetes integration for AWS Annapurna ML team. She is focussed on usability and scalability of distributed training on Kubernetes. She has a Masters degree in Computer Science.
Ziwen Ning

Software Development Engineer, Amazon Web Services, Inc.
Ziwen is an energetic and experienced software engineer at AWS. He is currently dedicated to enhancing the AI/ML experience through the integration of AWS Neuron with containerized environments and Kubernetes. In his free time, he enjoys challenging himself with badminton, swimming...
  Observability + Detections + Response

2:45pm PDT

End-to-End Encryption for Container Checkpointing in Kubernetes - Radostin Stoyanov, University of Oxford
Thursday June 27, 2024 2:45pm - 3:20pm PDT
447
Container checkpointing is an important feature that has been enabled in many container engines (e.g., Docker, Podman, CRI-O, containerd), and more recently in orchestration systems like Kubernetes. Checkpointing is particularly useful from a security perspective as it makes it possible to transparently save important information about the runtime state of containers. This state, for example, can be used for analyzing security incidents and examining the processes, open files, and network connections within a container at a particular point in time. However, checkpoint data can also lead to serious information leakage. Container checkpoints include a snapshot of the raw application memory, which might contain confidential or sensitive data that should not be exposed to unauthorized users. In this talk, we are going to discuss the security risks, best practices, and how to enable end-to-end encryption for container checkpoints in Kubernetes.
Speakers
Radostin Stoyanov

PhD student, University of Oxford
Radostin Stoyanov is a PhD student at the Scientific Computing research group at the University of Oxford, and a Software Engineer at the Core Kernel Team at Red Hat. His research focuses on improving the resilience and performance of HPC and cloud computing systems.
  Supply Chains + Containers + Application Security

2:45pm PDT

User Namespaces in Kubernetes: Security and Flexibility - Pick Both - David Leadbeater, G-Research
Thursday June 27, 2024 2:45pm - 3:20pm PDT
445
Kubernetes has not made use of user namespaces, despite the fact that Linux has supported them for around 10 years. This is changing, and in Kubernetes 1.30 user namespaces will become a beta feature. Users will begin to benefit from the increased security and flexibility they offer if they adopt several simple practices. This presentation will introduce the concepts, such as Linux namespaces, that make containers possible on Linux. It will explain what user namespaces are, and demonstrate how they can help mitigate a recently discovered vulnerability in the container ecosystem. Finally, it will demonstrate the flexibility of user namespaces through running Docker inside a container without using "privileged" mode, as some common "Docker-in-Docker" approaches do.
Speakers
David Leadbeater

Open Source Engineer, G-Research
David is a contributor to Prometheus and Kubernetes. He is a software engineer at G-Research, where he focuses on security and reliability of open source tools. He has a strong background in Site Reliability Engineering having worked as an SRE at Google before joining G-Research...

3:20pm PDT

Coffee Break ☕
Thursday June 27, 2024 3:20pm - 3:50pm PDT
Ballroom 1

3:50pm PDT

From Risks to Resilience: Leveraging CNCF Projects Against Kubernetes' OWASP Top 10 - Alireza Rahmani & Hilliary Lipsig, Red Hat
Thursday June 27, 2024 3:50pm - 4:25pm PDT
This talk aims to explore the critical security risks identified in the OWASP Kubernetes Top Ten list and propose a comprehensive strategy for effectively mitigating these risks by leveraging CNCF (Cloud Native Computing Foundation) projects. Kubernetes has emerged as a leading platform for container orchestration, but its widespread adoption has also brought forth numerous security challenges. The OWASP Kubernetes Top Ten list highlights vital vulnerabilities and risks faced by organizations deploying Kubernetes environments. To address these challenges, this presentation advocates implementing CNCF projects that offer specialized capabilities to enhance Kubernetes’ security. By aligning specific CNCF projects with each risk outlined in the OWASP Kubernetes Top Ten list, this talk seeks to provide actionable insights for organizations aiming to bolster the security posture of their Kubernetes deployments.
Speakers
Hilliary Lipsig

Principal Site Reliability Engineer, Red Hat inc
Hilliary is an autodidact and start-up veteran who has frequently learned and applied technologies to get a job done. She’s had her hand in every part of the application delivery process, honing in her skills originally as a QE engineer. Hilliary is an IT polyglot able to talk the...
Alireza Rahmani

Senior Cloud Success Architect, Red Hat
Alireza Rahmani, Red Hat Senior Cloud Success Architect, merges cloud computing with academic skills. With software engineering and business degrees, he excels in both spheres. An active educator, he develops curricula and teaches, highlighting open-source innovation. Alireza commits...
Ballroom 2-3
  Cloud Native Security Novice

3:50pm PDT

Implementing AI RMF with Policy-as-Code Automation - Robert Ficcaglia, SunStone Secure; Anca Sailer & Vikas Agarwal, IBM
Thursday June 27, 2024 3:50pm - 4:25pm PDT
447
This session will focus on AI Risk Assessment, Compliance Assurance, and Red Teaming for AI models and AI pipelines deployed on Kubernetes cloud native platforms. We will map the Linux Foundation Trusted AI Principles of Reproducibility, Robustness, Equitability, Privacy, Explainability, Accountability, Transparency, and Security to the NIST AI RMF, and define a reusable framework for designing controls to implement these principles and requirements. We will show policy-as-code templates that enforce controls throughout the AI life cycle, discuss how to report risks, and show examples of compliance artifacts for Privacy and Bias validation. The session will be led by experienced AI and compliance practitioners who are implementing red teaming and AI safety assurance using Kubernetes and CNCF open source tools. This session will work through specific examples, and AI SMEs will provide feedback and suggestions regarding attendees’ questions and scenarios.
Speakers
Anca Sailer

Distinguished Engineer, IBM / RedHat
Dr. Anca Sailer is an IBM Distinguished Engineer at the T. J. Watson Research Center where she transforms the clients compliance processes into an engineering practice. Dr. Sailer received her Ph.D. in CS from Sorbonne Universités, France and applied her Ph.D. work to Bell Labs before...
Robert Ficcaglia

CTO, SunStone Secure, LLC
Robert is the co-chair of the Policy Workgroup and contributor to SIG-Security. He helped lead the 2023 Kubernetes Audit effort and is leading the update of the K8s threat model.
Vikas Agarwal

Senior Research Scientist, IBM
Dr. Vikas Agarwal is a Senior Research Scientist at IBM Research, India. He has more than 20 years of experience in diverse areas such as Cloud Computing, Cognitive and AI, Mobile Computing, Web Services and Semantic Web, etc. His current interests are in the area of Cloud Security...
  GRC + Privacy

3:50pm PDT

Bridging Mesh Enclaves: Securing and Maintaining Mesh Heterogeneity - Lukonde Mwila, Amazon Web Services (AWS)
Thursday June 27, 2024 3:50pm - 4:25pm PDT
443
Today, many teams rely on a service mesh implementation to provide a secure identity model for their environments. But adopting service meshes is a challenging feat, and so many teams are given autonomy to choose their own mesh and, in some cases, completely forgo one. This is great for technical heterogeneity, but it can contribute further to convolution and complexity in the larger software architecture. As the size of this "web of complexity" grows, organizations become increasingly dependent on the network for service to service communication and have to figure out an optimal model for securing workload interactions across the board. But how do you build a standard mechanism of trust between different service mesh technologies? How do you maintain technical heterogeneity with a universal approach to workload security? In this session, Lukonde will walk through and demonstrate how you can use SPIFFE and SPIRE to securely connect workloads in Istio and custom Envoy meshes.
Speakers
Lukonde Mwila

Sr Product Manager, Amazon Web Services (AWS)
Lukonde is a Senior Product Manager for Kubernetes at AWS. He has years of experience in application development, solution architecture, cloud engineering, and DevOps workflows. He is a life-long learner and is passionate about sharing knowledge through various mediums. Nowadays...

3:50pm PDT

IAM Confused: Decoding 8 Real World Cloud Identity Breaches - Maya Levine, Sysdig
Thursday June 27, 2024 3:50pm - 4:25pm PDT
435
Almost every cloud breach in recent years has taken advantage of mismanaged permissions, secrets, and identities. This session will dissect 8 real cloud breaches where attackers exploited insecure identities, each scenario unveiling unique insights, intriguing facets, and advice to mitigate similar risks. Themes include:
- Ownership of identity posture b/w Dev, Ops, & Sec is often unclear, leading to mistakes that stem from going fast
- Automation tech, serverless functions, & cloud-native activities require authentication. Often this is poorly managed, e.g. leaving secrets/credentials exposed in S3 state files (Human/machine identity management)
- MFA abuse through social engineering still works well
- SaaS apps are huge attack surface, with credentials being left everywhere: repos, Github, AD, Slack
We will specifically highlight something interesting in each scenario and provide a key takeaway that is more useful than “lock your stuff down.”
Speakers
Maya Levine

Product Manager, Sysdig
Maya Levine is a Product Manager for Sysdig. Previously she worked at Check Point Software Technologies as a Security Engineer and later a Technical Marketing Engineer, focusing on cloud security. Her earnest and concise communication style connects to both technical and business...
  IAM + Multi-tenancy + Network Security
  • Content Experience Level Any
  • Presentation Slides Attached Yes

3:50pm PDT

Is the Internet on Fire? Strategies for Mitigating Open Source Software Vulnerabilities - Andrew Martin, ControlPlane & Michael Lieberman, Kusari
Thursday June 27, 2024 3:50pm - 4:25pm PDT
433
Open source is deployed everywhere, but is no longer trusted by default. Supply chain attacks via package registries, GitHub, and various accidental and entirely understandable vulnerabilities have proven that nothing is entirely secure. What tools do we have at our disposal to defend ourselves? From examining SBOMs and source code, open source ingestion techniques and signing, to assured open source programs, traditional defence in depth measures, and the emerging next generation of security controls — this talk examines the open source security landscape and the tools, patterns, and practices we have available to defend ourselves. We dive deep into:
- The safety and sanctity of open source software ingested from GitHub and package managers
- The value of SBOMs and assured software throughout the build, ingestion, and runtime phases
- Incident response with open source security tools
- Designing systems beyond zero trust for compromise resilience and assumed breach
Speakers
Andrew Martin

CEO, ControlPlane
Andrew has an incisive security engineering ethos gained building and destroying high-traffic web applications. Proficient in systems development, testing, and operations, he is at his happiest profiling and securing every tier of a cloud native system, and has battle-hardened experience...
Michael Lieberman

CTO, Kusari
Michael Lieberman is a technologist focused on IT transformations. Most recently he has been focused on work within the software supply chain security space. He is an OpenSSF SLSA steering committee member, and tech lead for the CNCF Security Technical Advisory Group (STAG). He...

3:50pm PDT

Teach Your SBOM New Tricks with Bomshell - Adolfo García Veytia, Stacklok
Thursday June 27, 2024 3:50pm - 4:25pm PDT
445
One of the widest gaps hindering Software Bill of Materials (SBOM) adoption is the diverse structure and content in the documents exchanged today. SBOM ingestion is tough: Is your SBOM in SPDX or CycloneDX? Which version? Is it encoded in JSON or tag-value? Do you have a single document or many? Is that SBOM complete, or do you need to enrich it? Is it flat or a full dependency tree? It seems that every supplier, every tool, and every ecosystem produces a different document which, in turn, isn't compatible with your SBOM systems. Meet bomshell! bomshell, a project originally funded by DHS, is a scripting language for SBOMs based on CEL. It lets you create programs to work with their contents, regardless of format. bomshell can query SBOMs for data and extract the parts you need. It can combine documents and reshape them into new ones that look exactly the way you need them, again in any format. This talk will be rich in demos showing all of bomshell's capabilities.
Speakers
Adolfo García Veytia

Staff Software Engineer, Stacklok
Adolfo García Veytia (@puerco) is a staff software engineer with Stacklok. He is one of the Kubernetes SIG Release Technical Leads, actively working on the Release Engineering team. He specializes in improving the software that drives the K8s release process. He is also the creator...

4:40pm PDT

All I Know About Cybersecurity I Learned from Fungus - Alex Lawrence, Sysdig
Thursday June 27, 2024 4:40pm - 5:15pm PDT
Have you ever woken up at night wondering why a parasitic fungal infection looks so much like cryptojacking? What about that time you were looking at hyphae under a microscope and you just couldn’t stop thinking about the implications that had on your defense in depth strategy? Let's not forget about the time you fed your pet slime mold and realized the analog it posed to your zero-trust cloud-access project. If, like me, these questions are on your mind 24/7, then this is the talk for you! We will explore the many lessons cybersecurity professionals can learn from our spore-bearing cousins from across the planet. Attendees will come away with newfound knowledge from the world of fungi as well as best practices in cybersecurity across the spectrum of cloud-native applications.
Speakers
Alexander Lawrence

Field CISO, Sysdig
Alex Lawrence is Field CISO at Sysdig. Alex has an extensive history working in the datacenter as well as with the world of DevOps. Prior to moving into a solutions role, Alex spent a majority of his time working in the world of OSS on identity, authentication, user management and...
Ballroom 2-3
  Cloud Native Security Novice

4:40pm PDT

Cloud Native GRC - Brandt Keller, Defense Unicorns & Jon Zeolla, Zenable
Thursday June 27, 2024 4:40pm - 5:15pm PDT
447
Policy-as-Code is a pivotal tool for security across various domains, particularly in its role as an enabler of admission control. By managing access and evaluation, it fortifies the security posture by facilitating scrutiny and decisive actions. Expanding beyond its role in admission control, Policy-as-Code extends its reach to compliance and security auditing functions. Through automation, it streamlines traditionally cumbersome tasks, benefiting system owners and ensuring continuous reporting on compliance status against established thresholds. This presentation delves into the versatile application of both governance and policy for conducting seamless, ongoing audits across diverse environments. From infrastructure to applications, it underscores the potential of policy-driven approaches in achieving comprehensive compliance. Furthermore, it advocates for collaborative efforts in shaping reference architectures that support automated Governance, Risk, and Compliance frameworks.
Speakers
Jon Zeolla

Founder, Zenable
Jon Zeolla is the founder of Zenable, where they are reinventing how Enterprises write and use Governance. Previously he co-founded Seiso, where he was responsible for cloud native security and compliance innovation. He is also a CNCF Ambassador, SANS Instructor for SEC540: Cloud Security...
Brandt Keller

OSS Maintainer, Defense Unicorns
Brandt is a Software Engineer with a passion for Open Source. As a Maintainer and Contributor to multiple Open Source projects, he finds distinct pleasure in solving difficult problems and being a voice for Critical, Regulated, and Air-Gapped environments (most often all of the...
  GRC + Privacy

4:40pm PDT

The Story of Crush: The Microservice That Navigated the Cloud Native Ocean with a SPIFFE Identity - Mattias Gees, Venafi & Tom Meadows, Testifysec
Thursday June 27, 2024 4:40pm - 5:15pm PDT
435
Deep in the vast Cloud Native ocean lived a turtle-shaped microservice called Crush. Crush was a happy API server written in Go, but always struggled with security. Speaking with databases, message queues and cloud services all required secrets, and Crush messed up every time. Sharing them, losing them from memory, failing to rotate, you name it. Crush felt hopeless. One day, Crush was provided with a document that changed everything. This is the story of how a microservice (Crush the turtle) was provided with a SPIFFE ID, allowing it to encrypt its traffic to other services (other sea animals) with mTLS and even gain access to other platforms and services (different reefs of the ocean), all in a standard, globally accepted manner without compromising security. Expect many twists and turns as Crush finds success (illustrated in live demos) using his new-found identity, but in other scenarios is not understood, leading to stormy situations in the great big Cloud Native ocean.
Speakers
Tom Meadows

Open Source Engineer, Testifysec
Tom is an engineer who works for TestifySec as an Open Source Engineer. After becoming intrigued by the space, he decided to dive into the world of supply-chain security (mostly software, but also some strange food analogies). Enabled by initiatives like the OpenSSF, in-toto...
Mattias Gees

Director of Tech, Venafi
Mattias is working as Director of Tech at Venafi, specializing in helping companies with their Cloud Native strategy. A strong open-source enthusiast, Mattias has been active in the Cloud Native ecosystem since the early days when Kubernetes was first established. More recently, he...

4:40pm PDT

Drawing Lines in the Sand, or Running Unprivileged eBPF in Kubernetes - Nikola Grcevski, Grafana Labs
Thursday June 27, 2024 4:40pm - 5:15pm PDT
433
You can do so much with eBPF, with so little code. You can easily and cheaply get insights on connectivity, networking, security and performance. One drawback is that these eBPF probes require elevated permissions in order to be loaded and to perform their job. But which permissions exactly? Can we avoid `privileged: true` in the Kubernetes securityContext, and in what situations? This talk focuses on exploring the mapping between the Linux capabilities, which can be configured in the Kubernetes securityContext, and eBPF capabilities. We discuss some of the learnings on when even CAP_SYS_ADMIN is not enough and how to avoid the dreaded `privileged: true`. We go into detail on the fine boundaries of what capabilities some common eBPF features require and where the lines are drawn. We explore when the CAP_BPF capability is enough, and what additional privileges are required for which types of instrumentation to avoid CAP_SYS_ADMIN.
Speakers
Nikola Grcevski

Principal Software Engineer, Grafana Labs
Nikola Grcevski has worked as a software engineer for more than 20 years, mostly in the field of compilers, managed runtimes and performance optimization. Most recently he's working on low level application instrumentation with eBPF at Grafana Labs.
  Observability + Detections + Response