October 12, 2021
Los Angeles, California + Virtual



IMPORTANT NOTE: Timing of sessions and room locations are subject to change through Monday, September 13 due to schedule changes that will be made as speakers finalize whether speaking in person or virtually.


Tuesday, October 12

9:00am PDT

Opening Remarks - Dan Papandrea, Sysdig & Andres Vega, VMware, Cloud Native Security Conference Program Chairs

Andres Vega

Product Line Manager, VMware
Andres Vega is Product Line Manager for Security in VMware Tanzu. In his role, he helps organizations securely build large-scale distributed software solutions across multi-cloud environments. The focus of his career has been on the intersection of cloud infrastructure, cybersecurity...

Dan Papandrea

Field CTO, Sysdig
Dan "POP" Papandrea is the Field CTO for Sysdig, a cloud-native security and visibility platform. POP spends his days learning and contributing to the orchestration and container ecosystem. POP is the host of the hit podcast The POPCAST by Dan POP which explores the leaders and creators...

Tuesday October 12, 2021 9:00am - 9:10am PDT
Room 408 AB + Online

9:00am PDT

Capture the Flag Experience
The Capture The Flag experience runs concurrently with Cloud Native SecurityCon North America!
Note: Registration for Cloud Native SecurityCon North America is required.

Delve deeper into the dark and mysterious world of Kubernetes security! Exploit a supply chain attack and start your journey deep inside the target infrastructure, exploit your position to hunt and collect the flags, and hopefully learn something new and wryly amusing along the way!

Attendees can play six increasingly beguiling and demanding scenarios to bushwhack their way through the dense jungle of Kubernetes security. Everybody is welcome, from beginner to hardened veteran, as we venture amongst the low-hanging fruits of insecure configuration and scale the lofty peaks of cluster compromise!

Tuesday October 12, 2021 9:00am - 4:00pm PDT
Room 409 AB + Online

9:10am PDT

Keynote: Leave it to the Machine - How to Leverage AI to Effectively Shift Left Security - Yuval Shchory, Head of Product Management, Check Point
Containerization and the empowerment of developer and DevOps teams have been among the most productivity-driving factors in today’s cloud life. Building a new n-layered application has never been so easy, and pushing from staging to production has never been so swift. But – where does this leave the security of these environments? Where does this leave the different security teams in terms of their ability to be proactive and timely in responding to requirements from these newly established container-based applications?
This keynote will focus on how Machine Learning and Artificial Intelligence provide a means to “shift left” security capabilities as well as shorten the time between an n-layered application’s readiness for production and its actual production. See how, by employing AI/ML, security teams will no longer be regarded as the bottlenecks of the application world and will allow themselves to lead in the continuum of securing containerized application delivery.


Yuval Shchory

Head of Product Management, Cloud Security, Check Point
Yuval Shchory is the Head of Product Management for everything cloud security with Check Point. Security has run in Yuval’s blood for most of his career – a CISO for a large Service Provider, a co-entrepreneur and co-founder of an elite security system integrator, line of business...

Tuesday October 12, 2021 9:10am - 9:20am PDT
Room 408 AB + Online

9:20am PDT

Keynote: Like a Magic Eye Illusion: Seeing the Bigger Picture for Cloud-Native Security - Kirsten Newcomer, Director Cloud Security, Red Hat
In recent years, the cloud-native community has successfully built a shared understanding of what is needed to effectively secure cloud-native infrastructure and applications. Contributions from SIGs, working groups, individuals, and CNCF members to key initiatives such as the Kubernetes security audit, industry benchmarks, and open source projects provide a foundation for tackling the various layers of cloud-native security, including approaches such as “shift left.” At the same time, the work required to adopt “best practices” and create alignment across teams can seem daunting for even the most seasoned security and DevOps teams. This session aims to help the audience get a better sense of the state of cloud-native security today. It will highlight the latest developments in Kubernetes and container security as well as where organizations have been more and less successful in adjusting security practices to be cloud-native. It will also share results from a recent industry survey on Kubernetes security, some of the biggest open questions for the community, and where we can expect to go from here.


Kirsten A Newcomer

Director, Security Product Management, Hybrid Platforms at Red Hat, Red Hat
Kirsten works closely with Red Hat’s many security professionals across the Red Hat portfolio of enterprise-ready open source offerings. Kirsten is a diversified software management professional with 20+ years of experience in security, application development and infrastructure...

Tuesday October 12, 2021 9:20am - 9:30am PDT
Room 408 AB + Online

9:30am PDT

Keynote: Modern Least Privilege and DevSecOps - James Watters, CTO, VMware
Modern apps are more complicated than traditional apps—they have greater scale, change faster, and are more distributed (i.e., don’t have a traditional security perimeter). Although it may seem like this would make it more difficult to keep them secure in the long run, innovations in the cloud native space—such as automation—simplifies many aspects of security.
As the industry has increased the adoption of cloud native applications over the past decade, a clear set of best practices has emerged predicated on “least privilege.” Now, it’s time to dramatically improve enterprise application security by embracing a modern set of principles. 


James Watters

CTO, VMware Tanzu
James Watters is the CTO, Modern Application Platforms BU at VMware. James works with customers to integrate VMware Tanzu to accelerate their time to market by modernizing their applications and infrastructure. Prior to VMware, James was the SVP of Strategy at Pivotal. James worked...

Tuesday October 12, 2021 9:30am - 9:40am PDT
Room 408 AB + Online

9:40am PDT

Securing the Software Supply Chain with Open Source - Dan Lorenc, Google
The software industry is stepping up its response to securing the software supply chain but the challenges are still immense. A concerted effort is needed that spans companies, communities, and industries. Fortunately, many open source projects are emerging as part of the solution. Additionally, the Continuous Delivery Foundation hosts key CI/CD projects and has a mission to improve the world's capacity to deliver software with security and speed through communities of practice. This talk gives an overview of emerging open source projects & initiatives such as CDF and ways to get involved so we can all work together to accelerate securing the software supply chain.


Dan Lorenc

CEO, Chainguard
Dan has been working on and worrying about containers since 2015 as an engineer and manager. He started projects like Minikube, Skaffold, and Kaniko to make containers easy and fun, then got so worried about the state of OSS supply-chains he partnered up with Kim and others to f...

Tuesday October 12, 2021 9:40am - 9:50am PDT
Room 408 AB + Online

9:55am PDT

The State of Vulnerability in Cloud Native Security - Magno Logan, Trend Micro
This talk presents the results of research analyzing all the vulnerabilities reported in previous cloud native tool security audits and the publicly known vulnerabilities reported by third parties directly to the project maintainers. We’ve bundled and analyzed all these vulnerabilities from different projects such as Kubernetes, Helm, etcd, gRPC, CoreDNS, and many others, up to July 2021. The goal was to understand the most common issues and most critical risks found in those tools. Furthermore, we wanted to know why they happen, try to prevent them from happening in the future, and at the same time raise awareness among users and organizations using those projects about the risks associated with using these tools in their environment. A PDF report with all the data and findings will be released to the audience with this presentation.


Magno Logan

Information Security Specialist, Trend Micro
Magno Logan works as an Information Security Specialist for Trend Micro. He specializes in Cloud, Container, and Application Security Research, Threat Modelling, and Red Teaming. In addition, he has been tapped as a resource speaker for numerous security conferences around the globe...

Tuesday October 12, 2021 9:55am - 10:25am PDT
Room 408 AB + Online

10:25am PDT

Protecting the Omniverse: How NVIDIA is Securing Containers - Adam Wallis, NVIDIA
With growing use of Kubernetes, NVIDIA was increasingly delivering containerized software for external customers and internal applications. As a result, the NVIDIA Product Security team needed a scalable security process that would support diverse requirements across business units without slowing down development. They integrated security checks into their existing CI/CD pipelines to find and fix security issues early. Session attendees will learn how NVIDIA uses open source security tools to transition to continuous container security for their Kubernetes workloads, including:
  • Automating security checks across multiple CI/CD toolchains, registries, and Kubernetes platforms
  • Decentralizing security policies so that development teams own the responsibility for resolving security issues
  • Delivering centralized reporting for business unit accountability
  • Providing a centrally hosted solution that supports thousands of containerized apps and hundreds of thousands of containers


Adam Wallis

Senior Security Software Engineer, NVIDIA
As a senior software security engineer at NVIDIA, Adam works on platforms, tools and processes that improve the security of customer-facing and internal applications. Current projects include extending NVIDIA’s product security processes to containerized applications including NGC...

Tuesday October 12, 2021 10:25am - 10:55am PDT
Room 408 AB + Online

10:55am PDT

Coffee Break
Tuesday October 12, 2021 10:55am - 11:10am PDT
Los Angeles Convention Center + Online 1201 S Figueroa St, Los Angeles, CA 90015

11:10am PDT

Cloud Native Security Lexicon - Ragashree M C, Nokia
Identity, credentials, and secrets, oh my! Making sense of all these security terms in a cloud native world can be confusing, especially with a vast array of tooling as expansive as the cloud native landscape. You may have found yourself talking past colleagues as certain security terms are overused, catch-all umbrellas, or even incorrectly presented. How do you know what secrets actually mean? What about secret store? This talk will help define commonly used terms in the cloud native security landscape and provide details on the usage and understanding of how they fit into software development and the corresponding operational environment.


Ragashree M C

Cloud Security Specialist, Nokia
2021 Nokia Ada Lovelace Honoree, Ragashree M C is a Cloud Security enthusiast with 3+ years of industry experience in the domain. She is an active member of several open source security forums such as OWASP, CNCF, CSA, etc. She is currently serving Cloud Native Computing Foundation Security...

Tuesday October 12, 2021 11:10am - 11:30am PDT
Room 408 AB + Online

11:35am PDT

Replacing PSPs? Keep Bad Pods out of your cluster using Kyverno! - Shuting Zhao, Nirmata
Securing sensitive aspects of the Pod specification has always been difficult, but it has become more challenging now with the deprecation of PodSecurityPolicy (PSP). So how can you continue to ensure that “Bad Pods” stay out of your cluster and don’t compromise its security posture? Kyverno, an admission controller, provides a Kubernetes-native solution to set and validate the security context, not only for Pods but also for all the Pod controllers. In addition to admission review, Kyverno can be run in audit mode. In this mode, Kyverno does not impact existing clusters but audits the cluster and reports any security violations in policy reports. Kyverno also provides a command line tool (CLI) that supports “dry run”, so that you can easily execute policies in your CI/CD pipeline and generate reports without having to deploy Kyverno to your cluster. In this talk, Shuting Zhao will provide an overview of Kyverno and present a set of Kyverno policies for Pods based on the Pod Security Standards. She will demonstrate how to generate policy reports for existing clusters. She will also demonstrate how Kyverno can enforce best practices for Pod security. Lastly, she will show how Kyverno can help add a default security context to Pods and improve the security posture of your clusters.


Shuting Zhao

Senior Software Engineer, Nirmata
Shuting Zhao is a senior software engineer at Nirmata, working on Kyverno and several other projects that help automate the deployment and operation of Kubernetes workloads and clusters. Shuting has been a mentor for several LFX mentorship programs since March 2021; she enjoys...

Tuesday October 12, 2021 11:35am - 12:05pm PDT
Room 408 AB + Online

12:05pm PDT

Lunch Break
Tuesday October 12, 2021 12:05pm - 1:15pm PDT
Los Angeles Convention Center + Online 1201 S Figueroa St, Los Angeles, CA 90015

12:15pm PDT

Capture The Flag - Twitch Live Stream Part 1
Please make sure to follow us on Twitch at https://www.twitch.tv/cloudnativefdn for the live stream sessions we are having during Cloud Native SecurityCon. If you want to join the chat as soon as possible, please follow now, as there is a 15-minute delay after you follow before you are allowed to post messages in the Twitch chat. The sessions for today are:
  • 12:15pm to 1:15pm PST
  • 3pm to 4pm PST
We'll have many guest speakers to talk about their Cloud Native journey and provide tips regarding some of the Capture The Flag challenges! Stay tuned!

Tuesday October 12, 2021 12:15pm - 1:15pm PDT
Room 409 AB + Online

1:25pm PDT

Security Chaos Engineering for Fun and Profit - Kennedy Torkura, Firebolt Analytics
The dynamic nature of cloud-native infrastructure requires continuous security mechanisms to effectively tackle security threats. However, cloud native infrastructure is complex and still emerging, hence its security threats are barely understood, resulting in successful attacks due to unknown attack patterns and behavior. In this talk, the innovative notion of Security Chaos Engineering (SCE) is introduced as a viable approach for enabling proactive security mechanisms for cloud native infrastructure. Essentially, SCE applies chaos engineering principles to cyber security such that defended environments are not just secure but also resilient to cyber-attacks. A major benefit is the derivation and use of instant empirical feedback loops that aid in verifying security mechanisms (e.g. tools) and expected properties (confidentiality, integrity and availability). Through the injection of controlled security faults (crafted as security hypotheses), deployed security mechanisms are properly analyzed, and security blind spots are identified and remediated, resulting in increased security and resiliency. Building on previous presentations, this talk demonstrates SCE benefits including compliance monitoring, incident response and threat detection.


Kennedy Torkura

Co-Founder & CTO, Mitigant
Kennedy Torkura is a cybersecurity researcher and cloud security engineer. He has spent over 10 years in cybersecurity and is passionate about the intersection of security chaos engineering, incident response, risk analysis and threat detection in cloud security. He has published...

Tuesday October 12, 2021 1:25pm - 1:55pm PDT
Room 408 AB + Online

1:45pm PDT

Supply Chain Security Reference Architecture - Priya Wadhwa & Alex Marshall, Security TAG
Security TAG will provide a brief presentation of the supply chain security reference architecture. This reference architecture is for developers and operators to experiment on how to build and implement a secure, zero-trust supply chain for their organizations given the existing tooling available to the community.


Priya Wadhwa

Software Engineer, Chainguard
Priya Wadhwa is a software engineer at Chainguard, where she works on open source projects like Sigstore and Tekton. In her free time she enjoys playing the drums and eating desserts!

Alex Floyd Marshall

Cyber Security Engineer, Raft
Alex is a Cyber Security Engineer at Raft, a member of the CNCF TAG-Security, and a freelance writer. Alex enjoys hiking with his family, kayaking, and playing the guitar and dulcimer.

Tuesday October 12, 2021 1:45pm - 1:55pm PDT
411 Theatre + Online

1:55pm PDT

Change is Hard - Securing the Future Today - Andrew Clay Shafer, Red Hat
The future of security is here now, but isn't evenly distributed. Change is inevitable, but resistance to change may be even more inevitable. What can we do to help organizations overcome the resistance to improve? The social engineering to solve is at least as hard as the technical challenges. This presentation will mix research and anecdote to discuss security as a socio-technical system recognizing the agency of the humans involved in addition to the technology advances that are driving the state of the art to solve security problems more holistically from first principles.


Andrew Clay Shafer

VP Global Transformation Office, Red Hat
Building systems and communities, Andrew Clay Shafer contributed to improving DevOps tools and practices before DevOps was a word. They have a history of helping people deliver with a number of open source infrastructure projects including Puppet, OpenStack, Cloud Foundry and Kubernetes...

Tuesday October 12, 2021 1:55pm - 2:25pm PDT
411 Theatre + Online

1:55pm PDT

Data Security and Storage Hardening in Rook and Ceph - Federico Lucifredi, Red Hat
This talk will be presented by Federico Lucifredi, but features his collaborative work with Ana McTaggart (Red Hat) and Michael Hackett (Red Hat).

We explore the security model exposed by Rook with Ceph, the leading software-defined storage platform of the Open Source world. Digging increasingly deeper in the stack, we examine hardening options for Ceph storage appropriate for a variety of threat profiles. Options include defining a threat model, limiting the blast radius of an attack by implementing separate security zones, the use of encryption at rest and in-flight and FIPS 140-2 validated ciphers, hardened builds and default configuration, as well as user access controls and key management. Data retention and secure deletion are also addressed. The very process of containerization creates additional security benefits with lightweight separation of domains. Rook makes the process of applying hardening options easier, as this becomes a matter of simply modifying a .yaml file with the appropriate security context upon creation, making it a snap to apply the standard hardening options of Ceph to a container-based storage system.


Federico Lucifredi

Product Management Director, Red Hat
Federico Lucifredi is the Product Management Director for Ceph Storage at Red Hat, formerly the Ubuntu Server PM at Canonical, and the Linux "Systems Management Czar" at SUSE.

Tuesday October 12, 2021 1:55pm - 2:25pm PDT
Room 408 AB + Online

2:25pm PDT

Pinniped: A Unified Framework for User Authentication to Kubernetes Clusters - Mo Khan & Anjali Telang, VMware
If you are a Kubernetes Administrator, IT Administrator or Community User who manages user access to multiple Kubernetes clusters, you not only understand the pain of configuring user authentication to multiple clusters, but also the pain of managing and supporting multiple Identity Providers (IDPs). For user authentication, various cluster providers offer vertically integrated solutions, but there is still a need for a generic solution that works across Kubernetes clusters. Further, many IDPs offer web-based administration interfaces that are not command-line/kubectl friendly. In this talk, we introduce Pinniped, a one-size-fits-all, completely open source user-authentication solution for all Kubernetes clusters! Our architecture is designed to support not only Day 0 Ops for configuring clusters during deployment but also Day 2 Ops for managing user access after clusters are deployed. During our session we will elaborate on the various configurations supported by Pinniped, such as multiple Identity Providers, multiple Kubernetes platform providers and different deployment configurations (Edge, Core).


Mo Khan

Software Engineer, VMware
Mo Khan currently serves as a chair for Kubernetes SIG Auth and has made contributions to SIG API Machinery.

Anjali Telang

Senior Product Manager, VMware
Anjali Telang is a Senior Product Manager for Tanzu at VMware. She is a security and cloud enthusiast with over 15 years of experience in cloud, security and networking. Prior to joining VMware, she worked in various Product and Engineering roles at Red Hat and NetApp.

Tuesday October 12, 2021 2:25pm - 2:35pm PDT
Room 408 AB + Online

2:25pm PDT

Strengthening Supply Chain Security By Enforcing Policies Using OPA Gatekeeper on Kubernetes - Rita Zhang & Sertaç Özercan, Microsoft
Open Policy Agent (OPA) Gatekeeper is a general-purpose policy engine for Kubernetes that provides various means to validate and mutate Kubernetes resources to enforce policies. In many of these scenarios, the data a policy needs has to be either built-in, static or user-defined. However, to strengthen supply chain security this data needs to be dynamic, and it is usually stored in external services such as container registries. With Gatekeeper’s external data feature, Gatekeeper offers a provider-based model for enforcing policies that strengthen supply chain security by validating artifacts, for example by checking for image vulnerabilities, image signatures and software bills of materials (SBOMs). In this talk, we will discuss how OPA Gatekeeper can be used to enforce policies that validate container images and secure your Kubernetes cluster.


Rita Zhang

Principal Software Engineer, Microsoft
Rita Zhang is a software engineer at Microsoft, based in San Francisco. She leads the Azure Container Upstream team building features for Kubernetes upstream and various CNCF projects. Rita is a Kubernetes SIG Auth co-chair, a maintainer of the Secrets Store CSI Driver project, and...

Sertaç Özercan

Principal Software Engineer Lead, Microsoft
Sertaç Özercan is a Principal Software Engineering Lead at Microsoft. He is based in San Francisco and leads the security & compliance team in the Azure Core Container Upstream organization. Previously, he worked on Azure Kubernetes Service (AKS) and Azure Red Hat OpenShift (ARO). He...

Tuesday October 12, 2021 2:25pm - 2:35pm PDT
411 Theatre + Online

2:35pm PDT

Coffee Break
Tuesday October 12, 2021 2:35pm - 2:50pm PDT
Los Angeles Convention Center + Online 1201 S Figueroa St, Los Angeles, CA 90015

2:50pm PDT

As Strong As the Weakest Link: Securing the Software Supply Chain - Brendan O'Leary, GitLab
The Solarwinds breach is an event that we won't truly understand for some time - if ever. Several discussions we've been having in the abstract for years have become very concrete. The systems we use to develop, build and deploy our code are essential production systems. Securing the software supply chain is one of the most underrated security aspects today. All software today is built with dependencies. However, a discussion of these dependencies - both explicit and transient - as links in the software supply "chain" couldn't be more accurate. And the truth is, a chain is only as strong as its weakest link. In this talk, we'll examine the complexities and sophisticated tradecraft from the various supply chain attacks. We'll also explore securing the cloud native supply chain with CNCF tools from Helm & Distribution to Cloud Custodian & Porter. More importantly, we'll delve into the simple, practical security measures that can help prevent such attacks.


Brendan O'Leary

Staff Developer Evangelist, GitLab
Brendan O'Leary is a Staff Developer Evangelist at GitLab, the DevOps platform, and a governing board member at the Cloud Native Computing Foundation and advisor to various startups. He has a passion for software development and iterating processes just as quickly as we iterate on...

Tuesday October 12, 2021 2:50pm - 3:00pm PDT
411 Theatre + Online

2:50pm PDT

Service Authentication - Tokens or Certificates? - Marc Boorshtein, Tremolo Security, Inc.
The audience for this talk is anyone that is interested in rolling out a services infrastructure. Authentication is generally offloaded to the infrastructure, rather than handled by individual services (or at least it should be). In addition to the daunting number of decisions to be made at the service layer for configuration, authentication is often one of the hardest because it bridges both technology and business requirements, and control of decisions may fall outside of the implementer’s ownership path. Having a roadmap for how to choose the right mechanism can either free or hamper implementation and future expansion, because it is so foundational to the security of a service.


Marc Boorshtein

CTO, Tremolo Security, Inc.
Marc Boorshtein has been a software engineer and consultant for nearly twenty years and is currently the CTO of Tremolo Security, Inc. Marc has spent most of his career building identity management solutions for large enterprises, U.S. Government civilian agencies, and local government...

Tuesday October 12, 2021 2:50pm - 3:00pm PDT
Room 408 AB + Online

3:00pm PDT

It's Time We Start Securing Our CICD Pipelines - Shripad Nadgowda, IBM Research
Containers allowed breaking monolithic applications and business logic into modular components that can be developed independently and quickly. Such an accelerated development pattern then required a high-velocity path from code to container, which gave rise to innovation and automation in CICD pipelines. CICD pipelines aim to facilitate expedited DevSecOps functions like testing, security scanning and delivery of applications to the cloud through automation. At the same time there is a growing open-source ecosystem around CICD technologies, where a number of such functions are made available ready-to-use, for instance in the tektoncd-catalog and the GitHub Actions Marketplace. As a result, our pipelines are also subject to prevalent supply chain vulnerabilities, wherein some malicious open-source task could tamper with and compromise our whole pipeline. Thus, as we build CICD DevSecOps pipelines to secure our application builds and delivery, our pipelines as-is cannot be the root of trust. In other words, we need to make sure our CICD pipelines are “secure” at composition to begin with, and we need to address security at multiple layers.


Shripad Nadgowda

Senior Technical Staff Member, IBM Research
Shripad is a Senior Technical Staff Member & Master Inventor at the IBM TJ Watson Research Center, NY. He is the creator and chief architect of a number of container security projects that are part of IBM Cloud products and services. He is currently leading innovations around software supply...

Tuesday October 12, 2021 3:00pm - 3:10pm PDT
Room 408 AB + Online

3:00pm PDT

The Long and Windy Road that leads to Cloud Native Security - Frederick Kautz, Sharecare
Establishing and maintaining a Cloud Native Security policy is more than just installing tools and configuring Kubernetes. A solid security stance requires buy-in from the top leadership down to those implementing and using the system. Obtaining buy-in requires understanding the drivers that motivate Infosec's governance, risk management, and compliance. In this talk, Frederick will discuss how information security programs are structured and how to engage with the organization effectively to establish a scalable Cloud Native Security program. Frederick will discuss topics such as: What is Infosec? How does Infosec interact with the rest of the organization? How do these interactions translate to the procedures we use to defend our systems? Where do these procedures even come from? How do we collaborate with Infosec to help improve the company's security posture? How do we enlist Infosec as allies in our Cloud Native Journey? Finally, Frederick will discuss how to get involved with upstream communities which provide guidance, such as the CNCF Security TAG's Security Controls Catalog.


Frederick Kautz

Cloud Native Infra and Security Enterprise Architect
Frederick collaborates on security and networking. He is on the SPIFFE Steering Committee, focusing on providing Zero Trust Workload Identity to compute workloads and resources. Frederick co-authored Solving the Bottom Turtle. He is a co-founder of GitBOM and maintains the reference...

Tuesday October 12, 2021 3:00pm - 3:30pm PDT
411 Theatre + Online

3:00pm PDT

Capture The Flag - Twitch Live Stream Part 2
Please make sure to follow us on Twitch at https://www.twitch.tv/cloudnativefdn for the live stream sessions we are having during Cloud Native SecurityCon. If you want to join the chat as soon as possible, please follow now, as there is a 15-minute delay after you follow before you are allowed to post messages in the Twitch chat. The sessions for today are:
  • 12:15pm to 1:15pm PST
  • 3pm to 4pm PST
We'll have many guest speakers to talk about their Cloud Native journey and provide tips regarding some of the Capture The Flag challenges! Stay tuned!

Tuesday October 12, 2021 3:00pm - 4:00pm PDT
Room 409 AB + Online

3:10pm PDT

Not-So-Fantastic Leaks, and Where to Find Them In Containers - Alex Goodman, Anchore
Building images can be surprisingly difficult, particularly if you need to use packages or applications that are not open and publicly available. It’s all too easy to end up with access tokens, credentials, or build artifacts left behind in non-obvious parts of an image. Once you have an image, how certain are you that you’ve cleaned up properly and that it doesn’t contain any secrets? Does it have any vulnerable software packages? Is your base image hiding information or unexpected content from you? This talk will show you common pitfalls that lead to information being hidden within an image (either wittingly or unwittingly) and how you can be sure there are no lurking surprises in your image before you publish it. I’ll show how to automate these practices in a Tekton pipeline that both builds your image and acts as a quality gate for publication, because no one wants to be the person with access keys sitting out in a registry.

Alex Goodman

Senior Software Engineer, Anchore
I'm one of the core developers of Syft (an SBOM generator) and Grype (a vulnerability scanner) and am also the maintainer of Dive (a container image explorer TUI).

Tuesday October 12, 2021 3:10pm - 3:20pm PDT
Room 408 AB + Online

3:20pm PDT

Cryptographic Signatures: A Building Block Not A Panacea- Marina Moore, NYU
Cryptographic signatures are a key piece of securing the software supply chain. They allow developers to attest that a piece of software is valid, and an end user to ensure that the software was not tampered with. In this talk, Marina Moore will talk about what cryptographic signatures do and don’t provide for a security ecosystem with examples of their effective use as a building block for existing cloud native supply chain security applications. She will also address some common pitfalls in the implementation of cryptographic signature systems.

Marina Moore

PhD Student, NYU
Marina Moore is a PhD student at NYU Tandon’s Secure Systems Lab focusing on secure software updates and supply chain security. While at NYU she has worked primarily on research and development for The Update Framework (TUF), Uptane, and Notary. She has spoken at KubeCon + CloudNativeCon...

Tuesday October 12, 2021 3:20pm - 3:50pm PDT
Room 408 AB + Online

3:30pm PDT

SBOM: The Rest Of the Story- Moderated by Emily Fox, Apple; Nisha Kumar, VMware; Allan Friedman, CISA
In a world of compliance requirements, security compromises, and ridiculously long dependency chains, three unlikely travelers cross paths to clear the smoke and mirrors around SBOM: the rest of the story. Our champions of security, compliance, and open source embark on an epic quest to seek truth, actionable software content, and considerations for implementation. They cross the sea of noise in search of the signal by which all of industry can overcome the mighty blight of supply chain insecurity. They wrangle the SBOM misconceptions, they drudge forward through the swamp of Sharing Uncertainties, and confront the beast of Secure Builds. Will they succeed? Will you walk away enlightened, empowered, and ready to tackle the dragons of consumption, risk, and friendship in the face of SBOM publication?

Allan Friedman, PhD

Senior Advisor and Strategist, Cybersecurity and Infrastructure Security Agency
Allan Friedman is the guy who won’t shut up about SBOM at the Cybersecurity and Infrastructure Security Agency. He coordinates the global cross-sector community efforts around software bill of materials (SBOM), and works to advance its adoption inside the US government...
Nisha Kumar

Senior Open Source Engineer, VMware
Nisha is a Senior Open Source Engineer at VMware and the technical lead for container packaging and distribution. She has been a DevOps engineer for embedded systems and a Radio Frequency Engineer in semiconductor manufacturing. She has been involved in Open Source for more than 15...
Emily Fox

Security Engineer, Apple
Emily Fox is a DevOps enthusiast, security unicorn, and advocate for Women in Technology. She promotes the cross-pollination of development and security practices. She has worked in security for over 12 years to drive a cultural change where security is unobstructive, natural, and...

Tuesday October 12, 2021 3:30pm - 4:10pm PDT
411 Theatre + Online

3:50pm PDT

Coffee Break
Tuesday October 12, 2021 3:50pm - 4:10pm PDT
Los Angeles Convention Center + Online 1201 S Figueroa St, Los Angeles, CA 90015

4:10pm PDT

Data Security: Theoretical and Real World Approaches to Compartmentalization- Ana McTaggart & Michael Hackett, Red Hat; Sean Anderson, Portland State University
Using data on an untrusted cloud presents challenges to ensuring the security of computations, communication, and storage. Controlling the disclosure of information is a challenge, both in theory and in practice. In a theoretical model, the challenge is how to enforce and verify security mechanisms, particularly around disclosure of information. By applying formal methods from programming languages, security properties can be enforced on both storage systems and hardware. In a practical model, the challenge is how to ensure consistency and reliability across an untrusted cloud. The use of operators such as Rook allows container-based storage for Ceph, with uniform security policies and automation of ops efforts towards resilience. The discussion will cover how theory and practice meet, and state-of-the-art approaches to these problems. Collectively, this panel has worked on topics ranging from secure domain-specific languages to open source projects involving Ceph and Red Hat, SUSE, and Ubuntu.

Michael Hackett

Senior Principal Product Experience Engineer, Red Hat
Michael Hackett is a Principal Product Experience Engineer at Red Hat | IBM with excellent technical, analytical and communication skills demonstrated by certifications and over 13 years of experience. He has co-published two books...
Ana McTaggart

Security Analyst, Red Hat | IBM
Ana McTaggart is a computer security researcher and analyst at Red Hat. They are passionate about the intersection of formal language theory, systems, and security, with a particular focus on distributed and cloud storage. Ana has degrees from the University of Massachusetts, Amherst...
Sean Anderson

PhD Student, Portland State University
Theoretical security properties motivate enforcement mechanisms and, when stated formally, can be used to validate them through proof or testing. As a PhD student at Portland State University, Sean studies properties for compartmentalization and stack safety in low level or unsafe...

Tuesday October 12, 2021 4:10pm - 4:40pm PDT
Room 408 AB + Online

4:45pm PDT

Security TAG Closing - Dan Papandrea, Sysdig + STAG Leadership Team
We'll be wrapping up Cloud Native Security Con with a presentation from the Security TAG featuring highlights of their existing work, future work, and how to get involved.

Dan Papandrea

Field CTO, Sysdig
Dan "POP" Papandrea is the Field CTO for Sysdig, a cloud-native security and visibility platform. POP spends his days learning and contributing to the orchestration and container ecosystem. POP is the host of the hit podcast The POPCAST by Dan POP which explores the leaders and creators...

Tuesday October 12, 2021 4:45pm - 5:05pm PDT
Room 408 AB + Online

5:15pm PDT

CNCF-hosted Co-located Events Happy Hour
Join us onsite for drinks and appetizers with fellow co-located attendees from Tuesday's CNCF-hosted Co-located Events. Network with attendees from:
  • Cloud Native DevX Day North America hosted by CNCF
  • Cloud Native Security Conference North America hosted by CNCF
  • Cloud Native Wasm Day North America hosted by CNCF
  • FluentCon North America hosted by CNCF
  • GitOpsCon North America hosted by CNCF
  • Kubernetes AI Day North America hosted by CNCF + LFAI & Data
  • ServiceMeshCon North America hosted by CNCF

Tuesday October 12, 2021 5:15pm - 6:30pm PDT
Los Angeles Convention Center, Petree Plaza