Full Stack Cloud Security
Tuesday, September 14, 2021
When you think of authorization control and policy enforcement, do you put together a scavenger hunt of resources needed to figure out what should have access, then what actually does have access? Is there one team or one person in your organization holding all the policy information needed to secure your cloud-native application in an excel spreadsheet or a wiki somewhere? Then is this information hard-coded into each layer between your microservices?
OPA (Open Policy Agent) is a graduated CNCF (Cloud Native Computing Foundation) project that exists to simplify and accelerate application development by decoupling policy decisions from enforcement. Already battle tested and proven by organizations such as Netflix, Goldman Sachs, Pinterest and Atlassian; who are using OPA for distributed policy enforcement across a range of languages, execution environments and protocols.
During this talk we will cover some common authorization use cases. Showing how to utilizes OPA's decoupled nature to write simple policies that can be easily enforced by your system.
Common Use Cases:
* Restrict API access during blackout periods
* Grant SSH and sudo access to on-call engineers
* Require test certification for workloads deployed to production environments
You should attend this talk if you have an interest in learning how to enforce complex policies at scale with OPA, and without introducing significant latency or impacting availability.
This session will include information about how popular open source has become and how it is driving innovation for enterprises in today's market. Open source allows enterprises to get value to market faster, and ensure the survival of many businesses. But open source software (OSS) has recently been an attack vector and focus for cybercrime syndicates. How can you protect yourself? What are you up against? We will also cover how the Struts2 vulnerability, a common java OSS component, led to the attack and breach of several financial institutions. In this workshop, we will set up the Struts2 application and walk through not only how to exploit it, but also how to protect yourself from this attack.
As cloud threats continue to rise, understanding an adversary's tactics, techniques and procedures (TTPs) is critical to strengthening cloud security. How can you pull together a unified and simple approach to speed up detection and response for your SOC team?
In this session, we will:
-Dive into a comprehensive view of the MITRE ATT&CK for Cloud Matrix
-Explore real attack scenarios and best practices to detect them
-Advise on how to establish a unified threat detection strategy for cloud and containers
-Share how open source tools like Falco provide IDS capabilities for containers
Wednesday, September 15, 2021
In 2021, your entire tech stack is likely in the Cloud - so why aren’t your software packages?
Whether you’re currently on-premise, have your own in-house solution or have a bit of a hybrid set up, join us in this session to explore why the future is cloud-native, what the benefits of this are over cloud-hosted, and how to easily set up a secure, cloud-native software pipeline in 60 seconds.
You can find talks demonstrating how some security tools work in isolation, but what about a closer to life scenario showing how to introduce security throughout development, deployment and runtime?
This is the demo that will finally fill that gap! Attendees will be able to take back knowledge and get a head start in introducing security everywhere in their SDLC.
We’ll see a hands on demonstration of how to use a variety of tools under the CNCF to dramatically enhance the security of any environment:
- In-Toto will help us ensure the integrity of our software from development to deployment
- Kyverno will allow us to define policies in our environment to guarantee compliance
- We’ll use Notary to sign our dockerimages and finally
- Falco we’ll notify us if any threats are identified in the runtime of our kubernetes cluster
OPEN TALK: Cybersecurity at a Global Scale: Addressing Next Generation Supply Chain Issues in Open Source EcosystemsJoin on Hopin
The landscape of cybersecurity is rapidly changing. Traditional, or “Legacy Attacks” used to target code downstream in open source code running in production, but the next generation of attacks is in manufacturing upstream Typo-squatting campaigns, Malicious Code Injection directly at source and Tool Tampering in development stream, all of which pose risks from the biggest corporations to the smallest hobbyist project as we all rely on the same open source ecosystems to do our work. The reality of the modern development landscape is that in a world of continuous integration and delivery, we have to start thinking about continuous security in open source security. This talk will describe the security taxonomy that offers the ability to detect, report and resolve vulnerability and malware attacks before they make their way into our applications, and to provide actionable recommendations when new vulnerabilities in distributions are surfaced in open source repositories.
Most CI/CD pipelines used by DevOps teams utilize integrations with services such as APIs, databases and other critical systems to complete their workflows. These integrations usually required the use of extremely sensitive secrets such as passwords, tokens or certificates and must be securely protected at all times. Unauthorized access of these pipeline secrets open these systems to threats from bad actors and illegal access of data.
In this talk Angel will discuss common pain points in properly securing applications, CI/CD pipelines and protecting sensitive access gates to integration targets. Attendees will learn strategies to secure their applications, sensitive data and pipeline integration points. Attendees will leave with a better understanding of how to implement security layers that can improve their pipeline security posture.