If the past couple of years taught us anything, it’s the importance of security in cloud native and open source environments. The fallout of vulnerabilities like Log4j even reached the U.S. Federal Government with the Executive Order on improving cybersecurity and the subsequent Securing Open Source Software Act and OpenSSF Open Source Software Mobility Plan.
Organizations are no longer questioning whether or not to move to the cloud but are looking for the quickest and most efficient way to do so. And security too often gets overlooked in these transitions and upgrades. Because of this and the rise of open source software usage everywhere, we will likely see another large open source security issue in 2023, it’s only a matter of when. Now is a great time to come together as a community to ensure we are prepared – so join us February 1-2 in Seattle, Washington, for CloudNativeSecurityCon North America 2023.
Here are a few topics that will be important in 2023 and beyond and some of the CloudNativeSecurityCon sessions where you can learn more.
eBPF allows organizations to write custom code to run in the kernel. By making the Linux kernel programmable, eBPF has introduced a new generation of cloud native tooling in areas such as networking, observability, and security. Many CNCF projects, including Cillium, Falco, and Pixie, have been designed to bring the advantages of eBPF to cloud native, while others, like Istio, are being redesigned to include eBPF tooling. eBPF can improve cloud native security in several ways. Cillium, for instance, can help provide more visibility into container workloads, while Falco provides a behavioral activity monitor designed to detect anomalous activity in container runtimes.
CloudNativeSecurityCon sessions on eBPF:
- Verifiable GitHub Actions with eBPF – Jose Donizetti & Itay Shakury, Aqua Security
- Finding the Needles in a Haystack: Identifying Suspicious Behaviors with eBPF – Jeremy Cowan & Wasiq Muhammad, Amazon Web Services
- Securing the Superpowers: Who Loaded That EBPF Program? – John Fastabend & Natalia Reka Ivanko, Isovalent
Software Bill of Materials (SBOM)
The concept of an SBOM is relatively straightforward – it provides a list of components in a piece of software and has long been used in traditional manufacturing as part of supply chain management. In practice, it offers a lot of benefits, including security alerts for dependencies and a more complete view of the origin of artifacts and the software supply chain.
SBOMs are becoming more common in cloud native in part due to the recent White House Executive Order, and they will continue to be an essential part of software supply chain security. Kubernetes has already adopted SBOMs and produces them as part of builds and releases. Most CNCF projects will soon do the same.
CloudNativeSecurityCon sessions on SBOMs:
- An Inner Look Into What SBOMs Really Tell Us – Adolfo García Veytia, Chainguard
- SBOMs, VEX, and Kubernetes – Kiran Kamity, Deepfactor; Jonathan Meadows, Citi; Dr Allan Friedman, Cybersecurity and Infrastructure Security Agency; Andrew Martin, Control Plane; Rose Judge, VMware
- Leveraging SBOMS to Automate Packaging, Transfer, and Reporting of Dependencies Between Secure Environments – Ian Dunbar-Hall & Jerod Heck, Lockheed Martin
Security Education and Training
Our 2022 Cloud Native Security Microsurvey found that organizations’ biggest security challenges in running cloud native environments are: a lack of technical expertise and trouble matching new methods and processes like DevOps and CI/CD with existing requirements, tools, and processes.
At CNCF, we’ve taken steps to address these gaps, including making our projects inherently more secure with third-party security audits and fuzzing and with education and training, including the Certified Kubernetes Security Specialist (CKS) and Kubernetes Security Essentials course. You can expect more to come in 2023.
There is a clear need for people to become more versed in security practices – and what better place to do so than CloudNativeSecurityCon? The event will feature a 101 track, talks on education and teaming, and hands-on tutorials.
CloudNativeSecurityCon sessions and tutorials on education, training, and teaming:
- Cloud Native Security Landscape: Myths, Dragons, and Real Talk – Edd Wilder-James & Loris Degioanni, Sysdig; Kim Lewandowski, Chainguard; Isaac Hepworth, Google; Randall Degges, Snyk
- More Than Just a Pretty Penny! Why You Need Cybersecurity in Your Culture – Callan Andreacchi & Michaela Flatau, Defense Unicorns
- Tutorial: How to Build a K8s Admission Controller from Scratch! – Stephen Giguere, Bridgecrew; Jessica Cregg, LaunchDarkly; Matt Johnson, Prisma Cloud by PANW
For the complete CloudNativeSecurityCon 2023 program, please visit the schedule.
Register now for CloudNativeSecurityCon North America. Those who cannot attend in person can register for the complimentary keynote livestream, which will take place 8:55-10:30 AM PST on February 1st and 2nd.