October 24 - 25, 2022 | Detroit, Michigan

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for KubeCon + CloudNativeCon North America 2022 - Detroit, MI + Virtual and add this Co-Located event to your registration to participate in these sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

Please note: This schedule is automatically displayed in Eastern Daylight Time (EDT), UTC -4. To see the schedule in your preferred timezone, please select from the drop-down menu to the right, above "Filter by Date."

The schedule is subject to change.
Monday, October 24
 

7:30am EDT

Badge Pick-Up + Vaccine or Negative COVID-19 Test Verification
Monday October 24, 2022 7:30am - 6:00pm EDT
Fort Pontchartrain Hotel | Lobby Level, Fort Pontchartrain Room Fort Pontchartrain Hotel: 2 Washington Blvd, Detroit, MI 48226

7:30am EDT

Badge Pick-Up + Vaccine or Negative COVID-19 Test Verification
Monday October 24, 2022 7:30am - 6:00pm EDT
Detroit Marriott at the Renaissance | Level 3, Ontario Foyer Detroit Marriott: Renaissance Center, 400 Renaissance Dr W, Detroit, MI 48243

7:30am EDT

Badge Pick-Up + Vaccine or Negative COVID-19 Test Verification
There are two locations at Huntington Place where you can go through Health + Safety to show proof of vaccination or negative COVID-19 test and pick up your badge:
  • Corner entrance on the cityside @ the corner of W Congress St. and Washington Blvd.
  • Riverside entrance @ Atwater St. (along the Riverwalk)

Monday October 24, 2022 7:30am - 6:00pm EDT
Huntington Place Detroit

7:30am EDT

On-site COVID-19 Test Kit Pick-Up
CNCF will provide free eMed testing kits on-site from Sunday, October 23 – Friday, October 28 for those who need to provide a negative COVID-19 test prior to entering the event. There will not be space to take the test where you pick it up, so please plan to test in an alternate location (e.g., your hotel room) with reliable internet. You must test within 1 day of picking up your KubeCon + CloudNativeCon North America name badge.

In addition, antigen COVID-19 tests will be available for any attendee that would like to test throughout the week.

eMed Test Kit Pickup Location
  • Fort Pontchartrain Wyndham Hotel | Lobby Level, Pontchartrain Room, located directly across the street from Huntington Place.
  • Tests will not be available at Huntington Place Convention Center
eMed Test Kit 
  • The eMed test kit includes (1) BinaxNow COVID-19 antigen test 
  • The test is administered by a virtual proctor via the eMed app
Prepare for Your Test in Advance
1. Create an eMed Account or Use an Existing eMed Account https://core.emed.com/procedure/begin?client_id=dsA1oAynCVLjz7o2S239g&scope=emed-binaxnow
*Save time on-site and complete this step ahead of time.
2. Give yourself plenty of time to pick up and take the test. From start to finish, the testing process takes 20-30 minutes.
3. A step by step process to take the virtually proctored eMed test will be provided when you pick up your test on-site. 
4. Once you’ve taken the test you will receive digital results (shared via email and in the eMed app) to share upon entry to KubeCon + CloudNativeCon North America. 
5. The following data will be shared with the Linux Foundation: date of birth, name, email address, testing result. Your information will be kept confidential. If you do not want to share this data with the Linux Foundation, please unselect this box in the eMed app.

Monday October 24, 2022 7:30am - 6:00pm EDT
Fort Pontchartrain Hotel | Lobby Level, Fort Pontchartrain Room Fort Pontchartrain Hotel: 2 Washington Blvd, Detroit, MI 48226

9:00am EDT

Opening Remarks + CTF Overview - Andrew Martin, ControlPlane


Capture The Flag is available to in-person Cloud Native SecurityCon attendees. To get started, either visit Meeting Room 333 or send a message to the CTF team via the #3-cnsecuritycon-ctf channel.

Want to know more about the CTF? Review the details here.

Speakers

Andrew Martin

CEO, ControlPlane
Andrew has an incisive security engineering ethos gained building and destroying high-traffic web applications. Proficient in systems development, testing, and operations, he is at his happiest profiling and securing every tier of a cloud native system, and has battle-hardened experience... Read More →


Monday October 24, 2022 9:00am - 9:15am EDT
Room 330 AB Huntington Place: 1 Washington Blvd, Detroit, MI 48226
  Opening/Closing Remarks

9:20am EDT

Keynote: Crossing the Kubernetes Network Policy Chasm - Michael Foster, Red Hat, Community Lead - StackRox
Isolating pods with Kubernetes network policies is a vital activity in securing the Kubernetes cluster. The technology has been around since 2017, and yet organizations often make very limited use of it, leaving workloads with over-privileged ingress and egress rights. Why is that? Well, identifying the right networking requirements of individual workloads is challenging to begin with, and operationalizing the task across Dev, Sec and Ops is not trivial. In this talk we will explain how open source technology helps development and security teams automate the process using machine-generated Kubernetes network policies, along with human-authored policies to govern them. The resulting Kubernetes network policies become part of the GitOps process to provision Kubernetes clusters, helping organizations cross this chasm.

Speakers

Michael Foster

Community Lead - StackRox, Red Hat
Michael Foster is the Community Lead for the open source StackRox project and Principal Product Marketing Manager for Red Hat based out of Toronto. In addition to his open source project responsibilities, he utilizes his applied Kubernetes and container experience with Red Hat Advanced... Read More →



Monday October 24, 2022 9:20am - 9:25am EDT
Room 330 AB Huntington Place: 1 Washington Blvd, Detroit, MI 48226
  Keynotes

9:30am EDT

Keynote: Why Developer Laptop Security is Key to Securing Your CI/CD Pipeline - Jeremy Colvin, Technical PMM, Uptycs
Your developer’s laptop is only one hop away from cloud infrastructure and crown-jewel data and services. 
 
When it comes to securing cloud applications, security teams need to consider how they can secure the arc of application development. It often begins when a developer signs into an identity provider using their laptop, then pulls open-source code from a Git repository. Developers use Chrome extensions for development tasks, then push code through their build, test, and deploy processes using automation servers, Kubernetes, and public cloud services like AWS. At each stage, there are multiple points an attacker can target. 
 
This 5-minute lightning session will cover the requirements for visibility into the entire development supply chain, from laptop to cloud, including:
  • Why developer laptops are often an entry point for attackers—now more than ever
  • How to gather real-time "device integrity" or security hygiene checks for zero-trust access
  • How to audit for malicious Chrome extensions or vulnerable software packages
  • How to tie together identity and GitHub activity on the laptop with CI/CD actions
 

Speakers

Jeremy Colvin

Technical PMM, Uptycs
Jeremy is a Technical Product Marketing Manager at Uptycs and enjoys the bits and bytes of what makes good security. Before Uptycs, Jeremy worked at Deloitte as a security engineer architecting, configuring, and implementing secure systems. He graduated from Princeton, focusing on... Read More →



Monday October 24, 2022 9:30am - 9:35am EDT
Room 330 AB Huntington Place: 1 Washington Blvd, Detroit, MI 48226
  Keynotes

9:40am EDT

Securing Access to Kubernetes Infrastructure with Kubernetes Zero Trust Principles - Mohan Atreya, Rafay Systems
As a Kubernetes footprint expands through a number of development and production clusters – spread across on-premises data centers, multiple public cloud providers, and edge locations – it shouldn’t be a surprise that complexity leads to challenges. When it comes to ensuring Kubernetes security and controlling access to clusters, limited standards and shared practices are creating a “wild west” scenario. Many organizations have multiple clusters in multiple locations—often running different distributions with different management interfaces—and teams of developers, operators, contractors, and partners who need varying levels of access. If your team is deploying Kubernetes in production, you have to do everything possible to ensure access security. In this presentation, we’ll review how to apply Kubernetes zero trust principles to enable controlled, audited cluster access for developers, SREs and automation systems to a Kubernetes infrastructure.

Speakers

Mohan Atreya

SVP Product and Solutions, Rafay Systems
Mohan is the SVP of Products & Solutions at Rafay systems, a leading platform provider for Kubernetes operations. An avid human psychology practitioner and astronomy enthusiast who has spent serious money chasing stardust. Unlike many B2B Product Managers, Mohan's path to product... Read More →



Monday October 24, 2022 9:40am - 10:10am EDT
Room 330 AB Huntington Place: 1 Washington Blvd, Detroit, MI 48226
  Sessions

10:10am EDT

☕ Coffee Break + Networking
Monday October 24, 2022 10:10am - 10:25am EDT
Level 3 Foyer

10:25am EDT

Cloud Native Security for the Rest of Us - Tiffany Jernigan, VMware
Your mission is to secure the vast tracts of land of the Cloud Native security landscape. Where do you even start?!? It would be preposterous to cover that whole topic in a single session, but we can at least map it out. The plan is to break it down into three key areas and review each in turn.
  • Platform - securing and upgrading our control planes and nodes; isolating compute, storage, and network resources; managing privileges and secrets.
  • User management and permissions - various ways to authenticate and authorize user access; leveraging tools like RBAC and Namespaces, and some common "gotchas".
  • Software supply chain - what that means; what some actual threat models are; how to mitigate them.
You will leave this session with a stronger understanding of the breadth and depth of Cloud Native security and resources to further develop your knowledge.

Speakers

Tiffany Jernigan

Developer Advocate, VMware
Tiffany is a senior developer advocate at VMware and is focused on Kubernetes. She previously worked as a software developer and developer advocate (nerd whisperer) for containers at Amazon. She also formerly worked at Docker and Intel. Prior to that, she graduated from Georgia Tech... Read More →


Monday October 24, 2022 10:25am - 10:55am EDT
Room 330 AB Huntington Place: 1 Washington Blvd, Detroit, MI 48226
  Sessions, Track 1

11:00am EDT

Day in the Life of a Base Image: The Evolution of Vulnerabilities in the Most Popular Containers - Ayse Kaya, Slim.AI
While container scanning & security is becoming more widely adopted, it's still not well understood how these containers evolve over time from a security perspective. This includes understanding the long-term security posture of these containers, and whether it is improving or declining as new vulnerabilities are discovered.

This talk will take a first-time look at why handling vulnerabilities in containers is a really sticky problem to begin with: known vulnerabilities require patching, new vulnerabilities arise constantly, and many other vulnerabilities simply fall into a catch-all bucket of "won't fix". We'll show data visualizations of how the attack surface of two mega-popular public container images (Python, NodeJS) has changed over the past year, highlighting the problem developers and DevSecOps teams are facing. We'll demonstrate how some of the most popular vulnerability scanners show different results, sometimes to extreme degrees. But stick around to the very end, because on the upside, we'll wrap up with practical steps developers can take to stay on top of vulnerabilities and prevent their dev process from grinding to a halt.

Speakers

Ayse Kaya

Senior Director of Strategy and Analytics, Slim.AI
Ayse Kaya is the Senior Director of Strategy and Analytics at Slim.AI. She is an accredited data scientist and container enthusiast. A graduate of the MIT Sloan School of Management's Operations Research Center, Kaya was previously a strategy and analytics lead at CloudLock and Cisco... Read More →


Monday October 24, 2022 11:00am - 11:30am EDT
Room 330 AB Huntington Place: 1 Washington Blvd, Detroit, MI 48226
  Sessions

11:35am EDT

Panel Discussion: Securing the Golden Path: Adding Guardrails for Developers Without Getting in Their Way! - Moderated by Aradhna Chetal, TIAA; Elizabeth Vasquez Alban, Barclays; Kapil Bareja, Saviynt; Jim Bugwadia, Nirmata & Anil Karmel, RegScale
Is it possible to increase both agility and security? We all know that as organizations are increasingly driven to deliver faster, security often gets overlooked. So, how can organizations adopting cloud native best practices balance the growing complexity of securing modern applications against the ever increasing organizational drivers for speed? In this session, the panelists will discuss how security and operations teams can collaborate to provide developers with a “secure golden path” that promotes security best practices without compromising agility. The panel discussion will cover how the adoption of cloud native systems impacts security, the cloud native lifecycle, and highlight organizational best practices for adopting cloud native systems. The panelists will also provide practical tips and guidance on how cloud native systems can offer composable and programmable options for policy as code and continuous compliance across the software delivery pipeline to create automated guardrails for developers.

Speakers

Aradhna Chetal

Managing Director - Cloud Security; Co-Chair CNCF, CNCF Security TAG
Visionary & Dynamic CISO with demonstrated success in driving Cyber & digital transformation strategies. Implementing Security at speed of Cloud, Conveying complex security topics to a variety of audiences from CEO to security engineers & developers. Transformational management style... Read More →

Kapil Bareja

Saviynt, Global Technical Leader
Kapil is a Global Technical Leader with Saviynt with over 18+ years of experience while working for companies from the Fortune 500, Public sector to a startup firm. His strengths include strategic leadership in various disciplines of Information Security specializing in Cloud security... Read More →

Jim Bugwadia

Co-founder and CEO, Nirmata
Jim Bugwadia is a co-founder and the CEO of Nirmata, the Kubernetes policy and governance company. Jim is an active contributor in the cloud native community and currently serves as co-chair of the Kubernetes Policy and Multi-Tenancy Working Groups. Jim is also a co-creator and maintainer... Read More →

Anil Karmel

Co-Founder and CEO, RegScale
Anil Karmel is the Co-Founder and CEO of RegScale, which delivers freedom from paper by helping organizations shift both security and compliance left via our RegScale continuous compliance software. Formerly, Anil served as the National Nuclear Security Administration (NNSA) Deputy... Read More →


Monday October 24, 2022 11:35am - 12:15pm EDT
Room 330 AB Huntington Place: 1 Washington Blvd, Detroit, MI 48226
  Sessions

12:15pm EDT

🍲 Lunch + Networking
Monday October 24, 2022 12:15pm - 1:25pm EDT
Hall E

1:25pm EDT

Building Images for the Secure Supply Chain - Adrian Mouat, Chainguard
Security scans getting you down? Users complaining they can't verify your images? Have no idea if your systems are vulnerable to the latest exploit? Want to improve your SLSA level but don't know where to start? You're not alone -- all organisations face these issues. This talk will walk through techniques and tooling that you can use today to address these concerns. In particular it will cover:
  • The distroless philosophy; why minimal images can save you from scan report purgatory
  • The importance of updating images and dependencies
  • Using apko to build container images with SBOMs and complete reproducibility
  • Signing images with Sigstore
The best bit? These tools and techniques will make your systems simpler and faster. Adding security doesn't have to mean hurting usability or productivity.

Speakers

Adrian Mouat

Technical Community Advocate, Chainguard
Adrian has been involved with containers from the early days of Docker and authored the O’Reilly book “Using Docker”. He works at Chainguard whose mission is to make the software lifecycle secure by default. His current focus is on improving the standard of security and provenance... Read More →



Monday October 24, 2022 1:25pm - 1:55pm EDT
Room 330 AB Huntington Place: 1 Washington Blvd, Detroit, MI 48226
  Sessions

1:25pm EDT

An Introduction to Capture the Flag - James Cleverley-Prance, ControlPlane
This session is NOT live-streamed or recorded. This session repeats again at 3:20 PM.

Capture The Flag is available to in-person Cloud Native SecurityCon attendees. To get started with the Introductory session, visit Meeting Room 333 (Level 3).

This session aims to introduce CTF competitions to those who are new to them. We will discuss a methodology for completing these challenges at a high level and work through a practice scenario together.

Want to know more about the main CTF event? Details for the full CTF event on Tuesday are here.

Speakers

James Cleverley-Prance

Security Engineer, Wiz


Monday October 24, 2022 1:25pm - 2:55pm EDT
Room 333 Huntington Place: 1 Washington Blvd, Detroit, MI 48226
  Capture the Flag

2:00pm EDT

How’s Your Supply Chain with Your Insecure OSS Ingestion? - James Holland, Citi
OSS libraries can be used by anyone, but how does an enterprise secure what should, or more importantly, should not be used? The package/artifact managers are at best simple proxies, so security checking is mostly beyond them. Moreover, within enterprises, these tasks end up being manual. This talk will outline the additional checks that should/could be performed at ingestion and subsequently; continuous automated grooming of OSS artifacts. James will demonstrate the Continuous Secure Software Ingestion (CSSI) application, a policy driven system built on Tekton & Open Policy Agent (OPA), to perform continuous secure ingestion from any source, including Google AOS. He will also show the additional constraints that are placed on the downstream enterprise Software Composition Analysis (SCA) tooling to handle the data graph that this generates.

Speakers

James Holland

CISO Director of AppSec, Citi
James leads the AppSec space at Citi; he has contributed to OWASP standards, such as Top 10 and ASVS, as well as mentoring on OIDC/OAuth2 standards based on PSD2/OpenBanking as part of his role with the UK's OBIE working groups.



Monday October 24, 2022 2:00pm - 2:30pm EDT
Room 330 AB Huntington Place: 1 Washington Blvd, Detroit, MI 48226
  Sessions

2:35pm EDT

Uncovering the History of Your Software Artifacts - Mikhail Swift, TestifySec
Discovering who, how, and where a software artifact was created is a daunting task. Archivist is an open source in-toto attestation index and store, allowing you to uncover the history and establish trust of a software artifact. Archivist allows you to discover the attestations you need to satisfy your in-toto policies and ensure only trusted artifacts make it to production. In this talk we'll use Witness (an in-toto implementation) to create attestations about a build process and store them in Archivist. Then we will create a Witness policy and enforce it while querying Archivist to discover relevant attestations to satisfy the policy.

Speakers

Mikhail Swift

CTO, TestifySec
Mikhail is the co-founder and CTO of TestifySec, a company focusing on software supply chain security solutions. Mikhail has contributed to the in-toto project and has a passion for open source software.



Monday October 24, 2022 2:35pm - 3:05pm EDT
Room 330 AB Huntington Place: 1 Washington Blvd, Detroit, MI 48226
  Sessions

3:05pm EDT

☕ Coffee Break + Networking
Monday October 24, 2022 3:05pm - 3:20pm EDT
Level 3 Foyer

3:20pm EDT

Conan.Io – Lessons Learned from Securing 40,000 C++ Packages - Diego Rodriguez-Losada Gonzalez, JFrog
Supply chain security needs are at an all-time peak, since attackers are now massively targeting developers through their use of package repositories such as npm and PyPI. Conan.io, the open-source package manager for C and C++, currently houses more than 11 million binaries built by user-submitted recipes, but has had 0 security incidents since its inception, despite its extremely wide reception (15TB of monthly transfers). In this session, Diego (Conan's co-creator) will share how he and his team have managed this incredible feat by utilizing automated quality checks, compiler security mitigations, package signing, a secure build pipeline and an extremely strict and efficient review process, even when faced with more than 9000 pull requests in the last two years.

Speakers

Diego Rodriguez-Losada Gonzalez

Lead Architect, JFrog
Diego Rodriguez-Losada‘s passions are robotics and SW engineering and development. He has developed many years in C and C++ in the Industrial, Robotics and AI fields. Diego was also a University (tenure track) professor and robotics researcher for 8 years, till 2012, when he quit... Read More →



Monday October 24, 2022 3:20pm - 3:50pm EDT
Room 330 AB Huntington Place: 1 Washington Blvd, Detroit, MI 48226
  Sessions

3:20pm EDT

An Introduction to Capture the Flag - James Cleverley-Prance, ControlPlane
This session is NOT live-streamed or recorded. This session is a repeat of the one at 1:25 PM.

Capture The Flag is available to in-person Cloud Native SecurityCon attendees. To get started with the Introductory session, visit Meeting Room 333 (Level 3).

This session aims to introduce CTF competitions to those who are new to them. We will discuss a methodology for completing these challenges at a high level and work through a practice scenario together.

Want to know more about the main CTF event? Details for the full CTF event on Tuesday are here.


Speakers

James Cleverley-Prance

Security Engineer, Wiz


Monday October 24, 2022 3:20pm - 4:50pm EDT
Room 333 Huntington Place: 1 Washington Blvd, Detroit, MI 48226
  Capture the Flag

3:55pm EDT

Why Machines Deserve Rights: Rethinking Automated Infrastructure Access with OSS Teleport Machine ID - Kenneth DuMez, Teleport
This talk will focus on the problems of credentials for machines in modern infrastructure and why it's imperative you treat your bots the same way you treat your humans. Typically when using automation for CI/CD or microservices, teams will have vaulted credentials shared between worker nodes. This introduces challenges as these credentials are often long-lived, requiring frequent rotation, introducing both toil and security threats. Open-source Teleport Machine ID mitigates these problems by assigning a unique identity with attached RBAC roles baked into unique, short-lived certificates, enabling bot users to connect to remote hosts while centrally audit-logging all of the machine's activity. This identity-based access control plane works seamlessly with all your cloud infrastructure including K8s clusters, databases, and any other remote compute resource. The talk will include an assessment of current legacy automated access solutions, an overview of Teleport, a Machine ID demo, and an in-depth discussion of the technology behind it. With open-source Teleport, managing and rotating shared credentials is a thing of the past. Give the machines rights! Secure your infrastructure.

Speakers

Kenneth DuMez

Developer Relations, Teleport
Kenneth DuMez joined Teleport in April 2022, after having worked at Pivotal and VMware developing Kubernetes build solutions. Currently he is focused on garnering developer adoption of Teleport, an open-source secure access control plane. He primarily spends his time producing written... Read More →



Monday October 24, 2022 3:55pm - 4:25pm EDT
Room 330 AB Huntington Place: 1 Washington Blvd, Detroit, MI 48226
  Sessions

4:30pm EDT

Verifiable eBPF Traces for Supply Chain Artifacts with Witness and Tetragon - Cole Kennedy, TestifySec
Until now, validating the build environment and detecting tampered tooling in a build has been very difficult. This talk will show how the Cilium Tetragon and Witness integration simplifies this process for developers and security engineers. Witness is a framework for supply chain security that implements the in-toto specification. It has a modular design, easily extendable for various attestors, backends, and key providers (including SPIFFE/SPIRE). This talk will show an attestation plugin that programs Cilium Tetragon to provide detailed eBPF traces of a build step. Additionally, we will create a build policy that verifies the trace and blocks the execution of a workload compiled by a malicious compiler when the compiled workload is executed.

Speakers

Cole Kennedy

CEO, TestifySec
Cole Kennedy is the founder and CEO of TestifySec. TestifySec serves clients in high compliance and high assurance environments. His technical passion is simplifying and securing complex systems through strong identity management of workloads, environments, and users.


Monday October 24, 2022 4:30pm - 5:00pm EDT
Room 330 AB Huntington Place: 1 Washington Blvd, Detroit, MI 48226

5:00pm EDT

Closing Remarks - Eric Smalling, Cloud Native Security TAG
Speakers

Eric Smalling

Senior Developer Advocate, Snyk
Eric is a 30+ year enterprise software developer, architect, and consultant with a focus on CI/CD, DevOps, and container-based solutions over the last decade. He is a Docker Captain, is certified in Kubernetes (CKA, CKAD, CKS), and has been a Docker user since 2013. As a Senior Developer... Read More →


Monday October 24, 2022 5:00pm - 5:10pm EDT
Room 330 AB Huntington Place: 1 Washington Blvd, Detroit, MI 48226

5:00pm EDT

CNCF-Hosted Co-Located Events Reception - Sponsored by OpenSSF & Veritas
Join us onsite for drinks and appetizers with fellow co-located attendees from Monday's CNCF-hosted Co-located Events.

Network with attendees from:
BackstageCon North America hosted by CNCF
Cloud Native SecurityCon North America hosted by CNCF
Cloud Native Telco Day North America hosted by CNCF
Cloud Native Wasm Day North America hosted by CNCF
eBPF Day North America hosted by CNCF
KnativeCon North America hosted by CNCF
EnvoyCon North America hosted by CNCF
Kubernetes Batch + HPC Day North America hosted by CNCF
Open Observability Day North America hosted by CNCF

Monday October 24, 2022 5:00pm - 6:30pm EDT
Huntington Place Square, Level 2 (outside)
 
Tuesday, October 25
 

7:30am EDT

Badge Pick-Up + Vaccine or Negative COVID-19 Test Verification
Tuesday October 25, 2022 7:30am - 6:00pm EDT
Detroit Marriott at the Renaissance | Level 3, Ontario Foyer Detroit Marriott: Renaissance Center, 400 Renaissance Dr W, Detroit, MI 48243

7:30am EDT

Badge Pick-Up + Vaccine or Negative COVID-19 Test Verification
There are two locations at Huntington Place where you can go through Health + Safety to show proof of vaccination or negative COVID-19 test and pick up your badge:
  • Corner entrance on the cityside @ the corner of W Congress St. and Washington Blvd.
  • Riverside entrance @ Atwater St. (along the Riverwalk)

Tuesday October 25, 2022 7:30am - 6:00pm EDT
Huntington Place Detroit

7:30am EDT

Badge Pick-Up + Vaccine or Negative COVID-19 Test Verification
Tuesday October 25, 2022 7:30am - 6:00pm EDT
Fort Pontchartrain Hotel | Lobby Level, Fort Pontchartrain Room Fort Pontchartrain Hotel: 2 Washington Blvd, Detroit, MI 48226

7:30am EDT

On-site COVID-19 Test Kit Pick-Up
CNCF will provide free eMed testing kits on-site from Sunday, October 23 – Friday, October 28 for those who need to provide a negative COVID-19 test prior to entering the event. There will not be space to take the test where you pick it up, so please plan to test in an alternate location (e.g., your hotel room) with reliable internet. You must test within 1 day of picking up your KubeCon + CloudNativeCon North America name badge.

In addition, antigen COVID-19 tests will be available for any attendee that would like to test throughout the week.

eMed Test Kit Pickup Location
  • Fort Pontchartrain Wyndham Hotel | Lobby Level, Pontchartrain Room, located directly across the street from Huntington Place.
  • Tests will not be available at Huntington Place Convention Center
eMed Test Kit 
  • The eMed test kit includes (1) BinaxNow COVID-19 antigen test 
  • The test is administered by a virtual proctor via the eMed app
Prepare for Your Test in Advance
1. Create an eMed Account or Use an Existing eMed Account https://core.emed.com/procedure/begin?client_id=dsA1oAynCVLjz7o2S239g&scope=emed-binaxnow
*Save time on-site and complete this step ahead of time.
2. Give yourself plenty of time to pick up and take the test. From start to finish, the testing process takes 20-30 minutes.
3. A step by step process to take the virtually proctored eMed test will be provided when you pick up your test on-site. 
4. Once you’ve taken the test you will receive digital results (shared via email and in the eMed app) to share upon entry to KubeCon + CloudNativeCon North America. 
5. The following data will be shared with the Linux Foundation: date of birth, name, email address, testing result. Your information will be kept confidential. If you do not want to share this data with the Linux Foundation, please unselect this box in the eMed app.


Tuesday October 25, 2022 7:30am - 6:00pm EDT
Fort Pontchartrain Hotel | Lobby Level, Fort Pontchartrain Room Fort Pontchartrain Hotel: 2 Washington Blvd, Detroit, MI 48226

9:00am EDT

Welcome + Opening Remarks - Pratik Lotia, Cloud Native Security TAG
Speakers

Pratik Lotia

Senior Security Engineer, Reddit
Pratik Lotia is a cloud security engineer at Reddit, where he is responsible for building tools and processes for implementing security best practices for cloud native environments; and contributing to open source projects. He actively contributes to open source projects (including... Read More →


Tuesday October 25, 2022 9:00am - 9:10am EDT
Room 330 AB Huntington Place: 1 Washington Blvd, Detroit, MI 48226
  Opening/Closing Remarks

9:15am EDT

Keynote: Detecting Threats in GitHub with Falco - Loris Degioanni, Chief Technology Officer & Founder, Sysdig
Are your code repositories secure? Misconfigurations and attacks that target GitHub repositories are a serious source of risk, which many people underestimate. Learn what the most common issues with GitHub security are, and how to detect and prevent them with CNCF's Falco.

Speakers

Loris Degioanni

Founder and CTO, Sysdig
Loris (he/him) is the Chief Technology Officer & Founder of Sysdig. He is also the creator of the popular open source troubleshooting tool, sysdig, and the open source container security tool Falco. He is the co-author of a new book, Practical Cloud Native Security with Falco. Prior... Read More →


Tuesday October 25, 2022 9:15am - 9:20am EDT
Room 330 AB Huntington Place: 1 Washington Blvd, Detroit, MI 48226
  Keynotes

9:25am EDT

Keynote: Vulnerability Data is Not Enough: The Case for an Actionable UI - Kara Yimoyines, Sr. Engineering Manager, VMware Tanzu
Data without the ability to act on CVEs adds little value to platform hygiene and productivity. As we work out what we need to secure our software supply chain, we come to understand that vulnerability data alone is not enough. Vulnerability data combined with inventory data, in the form of a software bill of materials, is also not enough. Without the ability to automate remediation and understand the blast radius of your CVEs while maintaining uptime and a golden path to production, the data is not helpful. Security analysts and platform engineers need a complete view tailored to their concerns so they can make sure remediation is done at the right level.

In this talk we’ll discuss considerations for a user interface that presents the right data to the right teams, empowers them to address any bugs or CVEs quickly, and includes a software bill of materials so they can make sure all the affected components and dependencies are remediated.

Speakers
Kara Yimoyines

Senior Engineering Manager, VMware
Kara is a Senior Engineering Manager leading multiple teams devoted to VMware’s Tanzu Application Platform. Kara’s journey began by surfing the waves of the early internet, spending her first dozen years building web applications for startups. For VMware she’s been both an engineer...



Tuesday October 25, 2022 9:25am - 9:30am EDT
Room 330 AB Huntington Place: 1 Washington Blvd, Detroit, MI 48226
  Keynotes

9:30am EDT

Capture the Flag Experience
The Capture The Flag experience runs concurrently to Cloud Native SecurityCon North America!  
Note: Registration for Cloud Native SecurityCon North America is required.

To get started, either visit Meeting Room 333 or send a message to the CTF team via the #3-cnsecuritycon-ctf channel.  Want to know more about the CTF? Review the details here.

Delve deeper into the dark and mysterious world of Kubernetes security! Exploit a supply chain attack and start your journey deep inside the target infrastructure, exploit your position to hunt and collect the flags, and hopefully learn something new and wryly amusing along the way!

Attendees can play six increasingly beguiling and demanding scenarios to bushwhack their way through the dense jungle of Kubernetes security. Everybody is welcome, from beginner to hardened veteran, as we venture amongst the low-hanging fruits of insecure configuration and scale the lofty peaks of cluster compromise!

Tuesday October 25, 2022 9:30am - 4:00pm EDT
Room 333 Huntington Place: 1 Washington Blvd, Detroit, MI 48226
  Capture the Flag

9:35am EDT

Introducing the OWASP Top Ten for Kubernetes - Jimmy Mesta, KSOC Labs, Inc.
The Open Web Application Security Project (OWASP) is a nonprofit organization focused on improving software security through community, open source, events, and more. Given the growth and adoption of Kubernetes, a number of projects have been published in the OWASP community to help practitioners assess and improve the security of their containerized infrastructure, including the recently released Top Ten for Kubernetes (https://owasp.org/www-project-kubernetes-top-ten/). This OSS project is a community-curated list of the most common Kubernetes risks, backed by data collected from organizations varying in maturity and complexity. This session will discuss the project in detail, give examples for each of the risks in the list, and explain how to get involved.

Speakers
Jimmy Mesta

Co-Founder, KSOC
Jimmy Mesta is the Co-Founder and CTO at KSOC. He is a veteran security engineering leader focusing on building cloud-native security products. Prior to KSOC, Jimmy held senior leadership positions at a number of enterprises including Signal Sciences (acquired by Fastly) where he...


Tuesday October 25, 2022 9:35am - 10:05am EDT
Room 330 AB Huntington Place: 1 Washington Blvd, Detroit, MI 48226
  Sessions, Track 2

10:05am EDT

☕ Coffee Break + Networking
Tuesday October 25, 2022 10:05am - 10:20am EDT
Level 3 Foyer

10:20am EDT

Pwning the CI (with GitHub Action Workflows) - Stephen Giguere, Bridgecrew
Our journey to open source and GitOps heaven has exposed new security challenges as our CI platforms are exposed to the outside world. The soft underbelly of our development pipeline is visible as much to willing contributors as it is to malicious subversives looking for the keys to the backdoor. In this talk we'll start with basic social engineering and progress to demonstrating live some known potential abuses of GitHub Actions workflows in combination with an insecure GitHub configuration, to show how alluring defaults and straight-up bad practices can leave our supply chain wide open to attackers.

Speakers
Stephen Giguere

Developer Advocate, Bridgecrew
Steve started his cybersecurity life by being kicked out of his high school computing class for privilege escalation on the school linux system and changing all passwords to "peaches" (his dog's name). But that was a long time ago. Since then he has experienced a wide breadth of technologies...



Tuesday October 25, 2022 10:20am - 10:50am EDT
Room 321 Huntington Place: 1 Washington Blvd, Detroit, MI 48226

10:20am EDT

Hands-on Workshop: Batten Down the Hatches! A Cluster Security Journey - Steve Wade, KSOC Labs, Inc.
Your career is really taking off and you’ve finally landed that security engineer role at the company of your dreams. At your first daily standup meeting, the Chief Security Officer welcomes you aboard and gives you your first major project to lead, aptly named “Operation: Cluster Lockdown”. In this hands-on workshop, the instructors will dive into the methods used to perform a successful real-world Kubernetes security audit. Attendees will learn through instructor-led scenarios how to perform cluster / workload inventory, rapidly assess the security posture of workloads, enforce least privilege for end-users and service accounts, and meet established compliance standards. Each workshop attendee will be provided with a pre-configured public cloud environment running real-world Kubernetes workloads. The tools and methodologies covered in this workshop will give attendees the real-world experience to perform a rapid Kubernetes security posture audit in their own organization’s clusters.

Speakers
Steve Wade

KSOC Labs, Inc.
Steve Wade is currently one of the founding engineers at KSOC, a Kubernetes security startup. Before his current role, Steve held Platform leadership roles at UnderWrite Me and Mettle. During these roles, he leveraged the concept of GitOps to provide self-service platforms to developers...


Tuesday October 25, 2022 10:20am - 11:30am EDT
Room 330 AB Huntington Place: 1 Washington Blvd, Detroit, MI 48226

10:55am EDT

Policy-Based Governance for End-to-End Integrity Control of Policies - Yuji Watanabe, IBM Research & Jayashree Ramanathan, Red Hat
Open Cluster Management (OCM) is a CNCF sandbox project aimed at simplifying and streamlining multi-cluster and multi-cloud management of Kubernetes environments. The OCM policy framework simplifies complex and time-consuming processes to meet enterprise standards for security and regulatory compliance requirements. The integrity of policies is critical because any modification, whether malicious or accidental, can negatively impact your cluster. This talk describes how you can manage the integrity of policy resources using the OCM policy framework. We will use manifest signing to protect the integrity of policies. To enable signing, secret values such as the signing key or access credentials managed in Vault are securely delivered to the signing pipeline by using the policy with a new function called templated secret. The secret values are embedded into the policy and delivered from the hub to the cluster in encrypted form, and decrypted at the clusters. Admission control to enforce signature verification of policy resources at the cluster is also enabled by using the policy.

Speakers
Yuji Watanabe

Senior Technical Staff Member, IBM Research
Yuji Watanabe is a Senior Technical Staff member at IBM Research that lives in Tokyo, Japan. He leads a research team on cloud native security and has been delivering new integrity monitoring and enforcement technology to the open-source community and products. His current focus is...

Jayashree Ramanathan

Distinguished Engineer, Red Hat
Dr. Jaya Ramanathan is a Distinguished Engineer within Red Hat. She has held Chief Architect roles for identity and access management, audit logging and reporting, data loss prevention, and cloud security, compliance, and governance. Her current focus is autonomous policy based governance...



Tuesday October 25, 2022 10:55am - 11:25am EDT
Room 321 Huntington Place: 1 Washington Blvd, Detroit, MI 48226
  Sessions, Track 2

11:30am EDT

⚡ Lightning Talk: Assessing Environments Against Cloud Native Security Best Practices - Pratik Lotia, Reddit & Jon Zeolla, Seiso
Organizations need a standard, sane way to assess their cloud native environments. This talk provides insight on how security professionals as well as auditors can identify whether they are following the controls and practices suggested in CNCF published white papers, and thereby adhering to NIST 800-53v5 controls. We will also provide examples of how we plan to develop open source automation (such as OSCAL) to reduce the toil of audits, and cross-mapping to various frameworks and standards to enable builders to focus on making their environments safer.

Speakers
Pratik Lotia

Senior Security Engineer, Reddit
Pratik Lotia is a cloud security engineer at Reddit, where he is responsible for building tools and processes for implementing security best practices for cloud native environments; and contributing to open source projects. He actively contributes to open source projects (including...

Jon Zeolla

CTO, Seiso, LLC
Jon Zeolla is the co-founder and CTO of Seiso, an information security company, where he is responsible for the research and refinement of cloud native security solutions, including contributing to open source projects and industry standards focused on Zero Trust, DevSecOps, and Cloud...



Tuesday October 25, 2022 11:30am - 11:40am EDT
Room 321 Huntington Place: 1 Washington Blvd, Detroit, MI 48226
  Lightning Talks, Track 2

11:35am EDT

Source Attestations with Gitsign - Billy Lynch, Chainguard
Attestations are a useful tool for attaching supply chain metadata to artifacts and images, but how can we attach attestations to source code itself? In this talk, we'll go into some of the ways you can attach attestations to source code with Git. Learn how data can be stored verifiably alongside commits, how attestations can be modeled to describe SLSA source requirements, and how tools like Gitsign can make this easy to add to your CI/CD pipelines.

Speakers

Billy Lynch

Staff Software Engineer, Chainguard
Billy is a staff software engineer at Chainguard, working on developer tools and securing software supply chains for everyone! He is an active contributor and maintainer to the Sigstore, Tekton, and gittuf projects, and is the creator of Sigstore Gitsign.


Tuesday October 25, 2022 11:35am - 11:45am EDT
Room 330 AB Huntington Place: 1 Washington Blvd, Detroit, MI 48226

11:45am EDT

⚡ Lightning Talk: Securing K8s Pods from Within: A Runtime Approach - Rahul Arvind Jadhav, Accuknox Inc
For Kubernetes, the basic unit of execution is a pod. All the binaries in all the containers have equal access to the volume mount points and thus have direct access to the service account tokens and k8s secrets that the pod mounts. Almost all Kubernetes attacks exploit/leverage this fact. The only thing an attacker has to do is inject a binary into the pod using a known/unknown vulnerability in any of the binaries within any of the containers. Once the attacker injects a malicious binary, it has unrestricted access to the secrets in predefined volume mount points (we are making it so easy for the attacker!). Typically only a few binaries within the pod need access to the tokens/secrets. Access should be restricted to such a list of processes/binaries, and an automated framework should derive this list. This is easier said than done, considering that the app is updated every few weeks, i.e., the security posture changes with the app updates. The session aims to highlight runtime security risks that are inherent to k8s design and possible solutions to alleviate some of these concerns. Rahul is a dev/maintainer of KubeArmor (runtime security engine).



Tuesday October 25, 2022 11:45am - 11:55am EDT
Room 321 Huntington Place: 1 Washington Blvd, Detroit, MI 48226
  Lightning Talks, Track 2

11:45am EDT

🍲 Lunch + Networking
Tuesday October 25, 2022 11:45am - 12:55pm EDT
Hall E

12:55pm EDT

⚡ Lightning Talk: OPAL: The Open Source GitOps Enabled Platform for Building Authorization - Asaf Cohen, Permit.io
Broken Access Control is the top vulnerability in the OWASP Top 10 security risk list. Proper configuration and enforcement of access control are critical to modern organizations, as privacy and compliance awareness are at their peak. Yet, building authorization or permissions management is a painful process for developers, due to complex and ever-evolving requirements and lack of knowledge for avoiding common pitfalls. OPAL (Open Policy Administration Layer) is an open-source administration layer for OPA (Open-Policy Agent). OPAL detects changes to both policy and policy data in real-time and pushes live updates to policy engines, making them real-time and event-driven. OPAL uses Git as the source-of-truth for policy, enabling GitOps workflows for policy delivery and versioning. OPAL is used by thousands of engineers, from Tesla, Zapier, Cisco, Accenture and others. In his talk, Asaf Cohen, co-maintainer and author of OPAL, will explain the challenges of managing modern authorization and access control and how these challenges can be solved by using open source tools like OPAL. In the end, he will provide use cases and tips for implementing simple and scalable authorization.

Speakers
Asaf Cohen

Co-founder and CTO, Permit.io
Asaf is the CTO and co-founder of Permit.io, and co-author of open source OPAL.ac. Before he started Permit, Asaf worked on internal developer tools at Facebook. He also worked at Claroty, and at Microsoft, where he worked on the Xbox recommendation system. Prior to that Asaf served...



Tuesday October 25, 2022 12:55pm - 1:05pm EDT
Room 321 Huntington Place: 1 Washington Blvd, Detroit, MI 48226

12:55pm EDT

Hands-on Workshop: Network Policies - The Not-So-Hard Way - Raymond de Jong & Tracy Holmes, Isovalent
Many people avoid networking wherever possible because they think it is too complex, and don’t even get them started on policy. In this session, we will help overcome these fears for both app developers and operations teams with network policies the not-so-hard way. In four easy steps we will:
  • Introduce the fundamentals of Cilium Network Policies and the basics of application-aware and identity-based security
  • Discuss the default-allow and default-deny approaches and visualize the corresponding ingress and egress connections
  • Use the Network Policy Editor to show how a Cilium Network Policy looks and what it does on a given Kubernetes cluster
  • Walk through examples and demonstrate how application traffic can be observed with Hubble

The audience will walk away with the ability to create network policies for their workloads so they can stop worrying and love the secure connections, and will see how to use the Network Policy Editor to apply new Cilium Network Policies to their workloads.

Speakers
Tracy P Holmes

Technical Community Advocate, Isovalent
A "jackie of all trades" (and mistress of being herself), Tracy is a Technical Community Advocate at Isovalent focusing on all things Cilium, security, observability, and Anxiety Driven Development. When she isn't leveling up her programming skills, hanging with her pup, or learning...

Raymond de Jong

Field CTO EMEA, Isovalent
Raymond de Jong is Field CTO for EMEA at Isovalent, the originators of the Cilium project, providing networking, observability, and security for cloud-native applications using eBPF. In this role, he is supporting and enabling customers and partners to be successful with Cilium in...



Tuesday October 25, 2022 12:55pm - 2:05pm EDT
Room 330 AB Huntington Place: 1 Washington Blvd, Detroit, MI 48226

1:10pm EDT

Beyond Proof of Concept: Keys to a Successful SPIRE Rollout in Production - Eli Nesterov, N/A
You might have heard about SPIFFE and SPIRE, or you've already read the specifications and run your first proof-of-concept SPIRE deployment to provide your workloads with X.509 or JWT SVIDs. Maybe you are planning to use SPIRE for advanced use cases like federating with a cloud service provider's IAM or a third-party service, or for your hybrid deployment. Wherever you are on your journey, you have most likely asked yourself: How do I run SPIRE in production? In this presentation, Eli Nesterov will discuss what it means to run SPIRE in production and how it differs from a POC. We'll go through the different stages, from the most common architecture patterns, deployment models, logging, and monitoring to security, availability, and performance topics. The talk is based on lessons learned from multiple successful production deployments, the most commonly asked questions in the SPIFFE/SPIRE Slack channels, and hours of video conference talks.

Speakers
Eli Nesterov

co-founder, SPIRL
Eli Nesterov is a co-founder at SPIRL. He spent years in security research and engineering, building and scaling security products at TikTok, Facebook, ShapeSecurity, and F5 Networks. He built the world's largest SPIFFE/SPIRE deployment with over 1M nodes. Eli shares his knowledge...



Tuesday October 25, 2022 1:10pm - 1:40pm EDT
Room 321 Huntington Place: 1 Washington Blvd, Detroit, MI 48226

1:45pm EDT

Secure CI/CD Using JSON Web Token (JWT) - Dov Hershkovitch, GitLab
DevSecOps extends the DevOps ecosystem with the security aspect. Sensitive information is everywhere, be it passwords, secret tokens or exchanged IDs used to gain access to tools and platforms. The problem has been addressed by many secret management solutions and frameworks, yet this creates another problem: which to choose, and how best to integrate it into your DevOps processes? Engineers start to work around the security protocols, and often sensitive information is stored in insecure ways. In the worst case, a plaintext token can lead to security leaks and business incidents. JSON Web Token (JWT) aims to build the integration bridge as an open standard for exchanging security claims. Join this session to learn how GitLab leverages JWT tokens to access different secret management solutions, including those of the major cloud providers. Hear best practices on the challenges of retrieving sensitive data and how to enhance the DevSecOps security processes in your organization.

Speakers
Dov Hershkovitch

Senior Product Manager, GitLab
My name is Dov Hershkovitch. I am a Senior Product Manager at GitLab; previously I worked at Elastic and HP. I spend many hours speaking with our community to better understand their challenges and processes, and to build solutions that would solve their pains. In my current role I am responsible...



Tuesday October 25, 2022 1:45pm - 2:15pm EDT
Room 321 Huntington Place: 1 Washington Blvd, Detroit, MI 48226

2:05pm EDT

☕ Coffee Break + Networking
Tuesday October 25, 2022 2:05pm - 2:30pm EDT
Level 3 Foyer

2:20pm EDT

Panel Discussion: Say Hi to the New Couple in the Town – DockerSlim and Kyverno – Making Your Kubernetes Workloads More Secure! - Moderated by Mritunjay Sharma, Slim.AI; Shuting Zhao , Nirmata; Ruhika Bulani, D.Y. Patil College of Engineering, Aku
Want to minify your container image? Or let's go ahead; ever thought of automating the creation of your container's AppArmor and SecComp profiles? Okay, wait, let us surprise you even more; what if you get all the above and a way to administer their control in the K8s cluster! Yes, you heard it right, Unveiling to you the intersection of Kyverno and DockerSlim! This panel by Shuting, Ruhika, and Mritunjay will demonstrate how these two projects are making the lifecycle of the software supply chain more secure. Kyverno's policies leveraged with DockerSlim's combo of minified image and the auto-generated Seccomp profile will make your cluster security management just another YAML chore without you being a Linux syscalls expert!

Speakers
Mritunjay Sharma

Software Engineer, Chainguard
Mritunjay is a software engineer with Chainguard, with active involvement in various open-source communities for almost three years now. A speaker for multiple talks at KubeCons and Open Source Summits, Mritunjay has contributed as two-time Google Summer of Code scholar and as an...

Shuting Zhao

Staff Engineer, Nirmata
Shuting Zhao is a Kyverno maintainer and a Staff Engineer at Nirmata. Her passion for open source extends beyond her professional role, as she has also taken on the role of mentor for several LXF mentorship programs since March 2021, she enjoys helping others contribute to open source...

Ruhika Bulani

Student, D.Y. Patil College of Engineering, Akurdi, Pune.
Ruhika Bulani is a final-year Bachelors of Engineering undergrad from India. She has been an LFX Mentee to CNCF - Crossplane Project for Summer’22 where she’s contributed to report-breaking changes in CRD schemas. Ruhika and her team are also the finalists for Smart India Hackathon...



Tuesday October 25, 2022 2:20pm - 3:00pm EDT
Room 321 Huntington Place: 1 Washington Blvd, Detroit, MI 48226

2:25pm EDT

Hands-on Workshop: Confidential Containers: Bringing Confidential Compute to Kubernetes - Mikko Ylinen, Intel & Tobin Feldman-Fitzthum, T.J. Watson IBM Research Center
Typical data protection ensures data is encrypted while in transit and at rest. Confidential computing (CC) adds data protection while data is in use, in memory, enabling end-to-end protection. Highly regulated industries such as finance and health care are driving the market for CC. Cloud service providers are adding CC capabilities in their offerings. In parallel the open-source cloud native ecosystem is seeing more new projects and start-ups building upon CC. For instance, the CNCF recently accepted the sandbox project Confidential Containers with active participation from different hardware and software vendors and CSPs. In this workshop we will talk about CC in cloud native. We will start by giving an overview of CC and a detailed introduction to the Confidential Containers project and its building blocks. Next, we walk the audience through detailed steps to get the Confidential Containers environment set up. Finally, we want to leave some time for interactive discussion with the audience about cloud native use cases and CC.

Speakers
Tobin Feldman-Fitzthum

Software Engineer, T.J. Watson IBM Research Center
Tobin Feldman-Fitzthum is a Software Engineer at the T.J. Watson IBM Research Center. He works on secure virtualization and confidential computing. Tobin was a founding maintainer of the Confidential Containers CNCF Sandbox Project. He has also worked on encrypted disks and fast live...



Tuesday October 25, 2022 2:25pm - 3:35pm EDT
Room 330 AB Huntington Place: 1 Washington Blvd, Detroit, MI 48226

3:05pm EDT

Know Your Dependencies: A Guide to Automating Dependency Assurance - Steve Judd, Jetstack
It is a truth universally acknowledged that almost every modern software component contains a selection of external dependencies whose provenance is unknown. Another truth is that no dependency should be trusted until proven trustworthy. This second truth, though, is often ignored by organisations and their engineering teams, who argue that assuring the trustworthiness of dependencies is too complex, too time-consuming and has a detrimental impact on development velocity. This talk will describe how Jetstack has worked with several clients in the financial services and defence sectors to help them develop dependency assurance mechanisms and processes that allow greater visibility and insight into the dependencies used and their impact on the clients’ risk and security postures. The audience will learn how modern tooling and practices can be used to create efficient, automated pipelines that audit dependencies for vulnerabilities and licence obligations, assess them against the organisation’s security policies and ultimately provide the ability to control which dependencies can be used and deployed within the organisation.

Speakers
Steve Judd

Senior Solutions Architect, Jetstack
Steve Judd, a Solutions Architect at Jetstack and Certified Kubernetes Administrator, has spent the last 6 years helping organisations successfully transition to Kubernetes. He has a wealth of experience in dealing with the challenges of developing distributed applications and improving...



Tuesday October 25, 2022 3:05pm - 3:35pm EDT
Room 321 Huntington Place: 1 Washington Blvd, Detroit, MI 48226

3:40pm EDT

See It to Believe It: Bringing Observability to Otherwise Opaque Container Builds - Parth Patel, Kusari & Shripad Nadgowda, Intel
Container build is arguably one of the most security-sensitive operations in the whole application supply chain, yet it has largely remained opaque to date. It is typically implemented as a multi-stage process in the Continuous Integration (CI) pipeline that includes cloning the source code, resolving and downloading dependencies, compiling and packaging applications and finally publishing the built artifacts. To establish trust in the final built artifact, it is not sufficient to ensure security guarantees around just the built artifact; it is critical to provide provenance and integrity assurance for every action in the pipeline that went into building that artifact. While tools such as Tekton Chains provide visibility into the steps that were performed and the components that were used during the build process, we are still missing the lower-level syscalls that were made. In this presentation, Parth and Shripad will present an open framework using Tetragon to bring out-of-band runtime visibility and provide automated attestation for Tekton-based CI pipelines.

Speakers
Parth Patel

Co-Founder, Kusari
Solutions Architect with 15+ years of CyberSecurity, DevOps, Software Development and Automation experience. He is an active member in the open source community contributing/path-finding on various projects. Maintainer on the OpenSSF project GUAC (Graph for Understanding Artifact...

Shripad Nadgowda

Software Architect, Intel
Shripad is a Cloud Software Architect at Intel. He is currently leading multiple initiatives around software supply chain security, especially in the area of operationalization and management of SBOM, CICD pipeline security and provenance readiness. He is also actively engaged in...



Tuesday October 25, 2022 3:40pm - 4:10pm EDT
Room 321 Huntington Place: 1 Washington Blvd, Detroit, MI 48226

3:40pm EDT

The Eye of Falco: You Can Escape but Not Hide - Stefano Chierici & Lorenzo Susini, Sysdig
Container technologies rely on features like namespaces, cgroups, seccomp filters, and capabilities to isolate different services running on the same host. However, SPOILER ALERT: container isolation isn’t bulletproof. As in other security environments, isolation is followed by red-teamer questions such as, “How can I de-isolate from this?” Designed with the principle of least privilege in mind, capabilities provide a way to isolate containers by splitting the power of the root user into multiple units. However, having lots of capabilities introduces complexity and a consequent increase in excessively permissive misconfigurations and container escape exploits, as we have seen in recently discovered CVEs. Fortunately, using Falco, a CNCF container runtime security tool, it’s possible to monitor Linux capabilities, detect misconfigured containers, and proactively respond to secure environments. In this talk, we explain how you can use Falco to detect and monitor container escape techniques based on capabilities. We walk through real-world scenarios based on recent CVEs to show where Falco can help detect and automatically respond to those behaviors.

Speakers
Stefano Chierici

Threat Research Lead Manager, Sysdig
Stefano Chierici is a security researcher at Sysdig, where his research focuses on defending containerized and cloud environments from attacks ranging from web to kernel. Stefano is one of the Falco contributors, an incubation level CNCF project. He studied cyber security in Italy...

Lorenzo Susini

Open Source Engineer, Sysdig
Lorenzo Susini has a passion for runtime security. As an open source engineer at Sysdig, he spends his time working on the libraries for Falco, a CNCF project, implementing features to detect attacks in modern infrastructures. He has a Masters Degree in Computer Engineering, with...



Tuesday October 25, 2022 3:40pm - 4:10pm EDT
Room 330 AB Huntington Place: 1 Washington Blvd, Detroit, MI 48226
  Sessions, Track 1

4:15pm EDT

Fileless Attack - Detecting the Undetectable - Carolina Valencia, Aqua Security
A fileless attack is a technique that takes incremental steps toward gaining control of your environment while remaining undetected. In a fileless attack, the malware is loaded directly into memory and executed, evading common defenses and static scanning. Often, attackers also use compression or encryption to cloak the malware file and avoid detection. Fileless attacks are most commonly used against Windows, but we have recently seen a growing trend in their use against Linux and, more specifically, within containers. In this guide, we will break down a fileless attack by creating a fileless demo and detecting the unexpected activity with eBPF tools in the cloud native runtime security space: Falco, Tracee, and Tetragon.


Tuesday October 25, 2022 4:15pm - 4:45pm EDT
Room 321 Huntington Place: 1 Washington Blvd, Detroit, MI 48226

4:15pm EDT

Getting More Confident with Your Security Helper Libraries Thanks to Go Fuzzing - Jeremy Matos, Grafana Labs
Security helper libraries are often hard to unit test because they should make sure “bad” inputs are not considered valid, but how can we know we are not forgetting one kind of “bad” input? In cases where we don’t have an explicit definition of a good input, Go Fuzzing can be really helpful to gain confidence we are not missing some corner cases. Using a real-life example of a path traversal vulnerability in Grafana OSS, this talk will show how Go Fuzzing can be used to improve the test coverage of the corresponding security fix. Additionally, it will cover how this technique helped validate more complex security helpers and enabled us to detect some bypasses.

Speakers
Jeremy Matos

Principal Security Engineer, Grafana Labs
Jeremy Matos is a Principal Security Engineer at Grafana Labs. Rather than breaking things, the former backend developer has shifted his main focus to helping produce secure enough software. He used to work at GitLab and has 15 years of experience in the software security industry...
Tuesday October 25, 2022 4:15pm - 4:45pm EDT
Room 330 AB Huntington Place: 1 Washington Blvd, Detroit, MI 48226

4:50pm EDT

Closing: "And, That's a wrap!" - Marina Moore + Ragashree M C, Event Program Chairs & Andrew Martin + James Cleverley-Prance, CTF
Speakers
James Cleverley-Prance

Security Engineer, Wiz
Ragashree M C

Security Engineer, N/A
Ragashree M C is a Security professional and open source enthusiast. She is a contributor to open source security communities in CNCF, OWASP and is currently serving the Cloud Native Computing Foundation Security Technical Advisory Group (TAG) as a technical lead.
Marina Moore

PhD Candidate, New York University
Marina Moore is a PhD candidate at NYU Tandon’s Secure Systems Lab researching secure software updates and software supply chain security. She is a maintainer of The Update Framework (TUF), a CNCF graduated project, as well as in-toto, an incubating project. She contributed to the...
Andrew Martin

CEO, ControlPlane
Andrew has an incisive security engineering ethos gained building and destroying high-traffic web applications. Proficient in systems development, testing, and operations, he is at his happiest profiling and securing every tier of a cloud native system, and has battle-hardened experience...


Tuesday October 25, 2022 4:50pm - 5:05pm EDT
Room 330 AB Huntington Place: 1 Washington Blvd, Detroit, MI 48226
  Opening/Closing Remarks

5:00pm EDT

CNCF-Hosted Co-Located Events Reception
Join us onsite for drinks and appetizers with fellow co-located attendees from Tuesday's CNCF-hosted Co-located Events.

Network with attendees from:
Cloud Native Security Conference Europe hosted by CNCF
EnvoyCon North America hosted by CNCF
GitOpsCon North America hosted by CNCF
Kubernetes AI Day North America hosted by CNCF
Kubernetes on Edge Day North America hosted by CNCF
Prometheus Day North America hosted by CNCF
ServiceMeshCon North America hosted by CNCF
SigstoreCon North America hosted by CNCF

Tuesday October 25, 2022 5:00pm - 6:30pm EDT
Huntington Place Square, Level 2 (outside)