Virtual Event
November 17, 2020

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for KubeCon + CloudNativeCon North America 2020 - Virtual and add this Co-Located event to your registration to participate in these sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

Please note: This schedule is displayed in Eastern Standard Time (UTC–05:00). The schedule is subject to change.

Tuesday, November 17

10:00am EST

Welcome and Introductions - Emily Fox, National Security Agency

Emily Fox

Security Engineer, Apple
Emily Fox is a DevOps enthusiast, security unicorn, and advocate for Women in Technology. She promotes the cross-pollination of development and security practices. She has worked in security for over 12 years to drive a cultural change where security is unobstructive, natural, and...

Tuesday November 17, 2020 10:00am - 10:10am EST

10:15am EST

Dynamic Image Scanning Through System Tracing - Itay Shakury, Aqua Security
As security practices and tools for application scanning are becoming increasingly popular, malicious actors are introducing sophisticated techniques to obfuscate their intent and evade those scanning tools. The malware they create cannot be detected using static analysis or signatures, but dynamic analysis that runs the application and observes its activity can trace the entire chain of events and help you detect those threats.  In this talk we introduce Dynamic scanning and discuss how it relates to two other security approaches: Static scanning and Runtime security. We will then show how operating system tracing is key to implementing dynamic scanning as we explore common behavioral patterns of malware, and discuss how these threats can be uncovered using open source tools.

Itay Shakury

Director of Open Source, Aqua Security
Itay Shakury is Director of Open Source at Aqua Security, where he leads the development of industry leading, open source, cloud native security solutions. Itay has almost 20 years of experience in various development, architecture and product roles. Itay is also a CNCF Cloud Native...

Tuesday November 17, 2020 10:15am - 11:00am EST

11:05am EST

Building Effective Attack Detection in the Cloud - Alfie Champion & Nick Jones, F-Secure Consulting
The cloud has significantly altered the nature of attack detection, and many of the common data sources and attacker TTPs that security teams have been looking for on premise have changed or are no longer relevant. A lack of public threat intelligence has hindered development of industry knowledge bases, such as the MITRE ATT&CK framework, and the nature of many cloud-native attacker TTPs makes it challenging to separate the malicious from the benign. Based on first-hand experience attacking and defending large enterprises, this talk will share what Alfie and Nick have learned about detecting attacks against cloud-native environments. They will cover how the cloud has changed the detection landscape, the key data sources to leverage, and how to plan and prioritise your cloud detection use cases. They'll also discuss how to validate your detection, including a demonstration of Leonidas, an open source framework for automatically validating detection capability in the cloud.

Nick Jones

Senior Consultant, Global Cloud Lead, F-Secure Consulting
Nick Jones is the cloud security lead and a senior security consultant at F-Secure Consulting (formerly MWR InfoSecurity), where he has focused on AWS security in mature, cloud-native organisations and large enterprises for a number of years. When he's not delivering offensively-focused...

Alfie Champion

F-Secure Consulting
I lead F-Secure's consulting services for all things attack detection, from traditional objective-based adversary simulations through to 'purple teaming' exercises in cloud. Outside of helping bolster client's detective capabilities, I love building new tools for simulating offensive...

Tuesday November 17, 2020 11:05am - 11:50am EST

11:55am EST

Tuesday November 17, 2020 11:55am - 12:20pm EST

12:25pm EST

Exit Stage Left: Replacing Theater with Chaos - Kelly Shortridge, Capsule8
Kelly will explore how security theater leads to increased organizational friction, especially in the realm of software delivery, rather than promoting safety. She'll contrast these dramatics with a security chaos engineering approach – one which embraces the importance of convenience, alignment with organizational goals, and the wisdom derived from failure.

Kelly Shortridge

VP of Product Management and Product Strategy, Capsule8

Tuesday November 17, 2020 12:25pm - 12:45pm EST

12:50pm EST

Designing Secure Applications in the Cloud - Adora Nwodo, Microsoft
When building cloud applications, we should always bear in mind that our services are exposed on the Internet and can be accessed by anyone and may have untrusted users. Because of this, we need to be proactive and aware of these possible security threats so that we can design our cloud applications to be able to handle them properly. Apart from preventing malicious attacks, cloud applications must also be designed to protect sensitive data and grant access for certain resources to only authorized users. In this session, I will be talking about 3 security patterns that can be used to prevent malicious or accidental actions outside of the application's designed usage, and to prevent disclosure or loss of information when building for the cloud.

Adora Nwodo

Software Engineer, Microsoft
Adora is a Software Engineer currently building Mixed Reality on the Cloud at Microsoft. She is also the Author of the popular book "Cloud Engineering for Beginners". This book is currently helping a lot of people start their career as Cloud Engineers. Adora is also a Digital Creator...

Tuesday November 17, 2020 12:50pm - 1:35pm EST

1:40pm EST

A Tale of a Meshi Kafka: Securing Kafka Deployment When Istio Is Used - Ariel Shuper, Portshift & Nikolas Mousouros, Marlow Navigation
Kafka is a commonly used message broker for microservices' real-time data feeds. A standard setup allows any microservice to read or write any messages to/from any topic. The need for security typically starts when multiple applications use the same Kafka broker in a cluster, or when confidential information is shared in the Kafka topics. Common security practices are authenticating subscribers and publishers, authorization policies for access control, and data encryption. When Istio is used with microservices that access Kafka topics, the Envoy proxies are expected to offload these security elements. However, creating sustainable and consistent authorization policies when Istio is deployed isn't feasible, and tracking the microservices based on their IPs isn't feasible because of their replacement. The session will present how to build an external authorization mechanism and simplify policy management for Kafka topics by using open source tools, like OPA and others.

Ariel Shuper

VP Product, Portshift

Nikolas Mousouros

Marlow Navigation

Tuesday November 17, 2020 1:40pm - 2:25pm EST

2:50pm EST

Cartography: using graphs to improve and scale security decision-making - Alex Chantavy, Lyft & Marco Lancini, Thought Machine
This talk highlights using Cartography (https://github.com/lyft/cartography) to improve and scale security decision-making in cloud-native environments. Attendees of this session will be introduced to the platform and shown a broad set of compelling scenarios including understanding complex permissions relationships, tracking and alerting on infrastructure changes, and enabling teams to see and better understand their security risk regardless of the platforms they use.  Cartography is a free open-source tool that consolidates your technical assets and the relationships between them in an intuitive graph database.  The presenters hope that sharing their approaches to these problems will help you better understand, categorize, and secure all the assets deployed in your cloud-native organization. They are thrilled to grow the Cartography community in the first couple years as an open source project and look forward to hearing your feedback!

Alex Chantavy

Software Engineer, Lyft
Alex Chantavy is a software engineer on Lyft's security team. He maintains an open source security graph tool called Cartography, and is particularly interested in understanding cloud permissions relationships and finding opportunities for lateral movement. In previous roles, Alex...

Marco Lancini

Thought Machine
Marco Lancini is a Cloud Security Engineer at Thought Machine, where he focuses on the security of the containerisation technologies used (i.e., Docker and Kubernetes), as well as of the deployments on the different cloud providers (AWS, GCP, Azure). He also curates CloudSecList...

Tuesday November 17, 2020 2:50pm - 3:35pm EST

3:40pm EST

Cloud Security and how to leverage the shared responsibility model to your advantage - Eshrak Assaf & David Lebutsch, IBM
Adopting Cloud Computing models could be a blessing or a curse. When done with security and compliance in mind, it could save you lots of time, effort and operational costs. When done without regard to security and compliance, it could result in exposing your company to financial and reputational risks. In this session, we will talk about some basic security and compliance concepts that developers need to know before they consider adopting Cloud Computing models. We will talk about how to leverage the Cloud shared responsibility model to your advantage, and why Cloud security and compliance is not optional.

Eshrak Assaf

Senior Manager, IBM
Senior manager for the Virtual Private Cloud Gen2, IBM Cloud Telemetry and Analytics teams. MSc & MBA graduate complemented by 13+ years of experience in Development, Security, DevOps and Operations with a primary focus on virtualization and cloud computing.

David Lebutsch

CTO / Distinguished Engineer SaaS and Hybrid Cloud, IBM Data and AI, IBM
IBM Distinguished Engineer and CTO for Data & AI SaaS on IBM Cloud. Hands on architect and technical leader with 20+ years of experience.

Tuesday November 17, 2020 3:40pm - 3:50pm EST

3:50pm EST

Why OpenID Connect is More Secure than Certificates - Marc Boorshtein, Tremolo Security, Inc.
Most users' first experience accessing a cluster usually involves a certificate. It's one of the most secure ways to authenticate a user, when done properly. It's not nearly as secure as OpenID Connect for your clusters. In this session you will learn why certificate authentication is a bad idea for your users accessing your clusters and why you should be using OpenID Connect. In addition to showing why OpenID Connect is the more secure method for accessing your clusters, the session will detail the OpenID Connect threat model and how to mitigate it. The session will also contrast this model with certificates and show how it's nearly impossible to create an authentication system with certificates as secure as one protected with OpenID Connect. There will also be a chance for those attending to try to take over an OpenID Connect protected cluster!

Marc Boorshtein

CTO, Tremolo Security, Inc.
Marc Boorshtein has been a software engineer and consultant for nearly twenty years and is currently the CTO of Tremolo Security, Inc. Marc has spent most of his career building identity management solutions for large enterprises, U.S. Government civilian agencies, and local government...

Tuesday November 17, 2020 3:50pm - 4:00pm EST

4:00pm EST

Hardware Backed Security For Multitenancy at the Edge with SPIFFE & PARSEC - Paul Howard, Arm & Andres Vega, VMware
Three powerful CNCF projects come together in this session, which focuses on how cloud-native workloads can access the best hardware security facilities of any platform in a way that is portable, convenient to consume, and which scales to multiple workloads.  SPIFFE, the Secure Production Identity Framework for Everyone, alongside its production-grade implementation project SPIRE, are both now incubation projects within CNCF.  Parsec (CNCF sandbox) is the Platform Abstraction for Security: a simple and portable way to access platform facilities for key management and cryptography on any hardware in any programming language. But Parsec is so much more than just an API shim. It also provides key management and access control based on the identities of workloads, keeping their secure assets separate.  This session will show how Parsec can be combined with SPIFFE and SPIRE to provide a key management service based on attested workload identities,

Andres Vega

VP of Operations, North America, ControlPlane
Andrés Vega is VP of Operations, North America at ControlPlane focused on helping global banks develop new online capabilities while meeting compliance objectives with a zero trust, continuous security approach. Previously, Andres was the Head of Product Management for Security...

Paul Howard

Principal System Solutions Architect, Arm
Paul has been a solutions architect at Arm since November 2018, having previously held software engineering positions at companies including Citrix and Global Graphics. He is a graduate of Aston University and is currently based in Cambridge, UK. Paul is a maintainer of the Parsec...

Tuesday November 17, 2020 4:00pm - 4:10pm EST

4:15pm EST

Enabling Autonomous Teams With Policy Enforcement at Yubico - James Alseth & John Reese, Yubico
In this talk, we will discuss the tools and processes created by Yubico to enable autonomous teams through policy.  Initially, Kubernetes RBAC and peer reviews from our Platform team allowed teams to adopt Kubernetes for their services. However, we knew that a dependency on a single team was not a scalable solution.  To give teams more autonomy over their services, and rely less on manual reviews, we began to enforce policies in our pipelines and clusters by leveraging the Open Policy Agent. The Open Policy Agent and its surrounding projects were the perfect fit for us; they are open source, flexible, performant, and have seen widespread adoption throughout the ecosystem.  We'll also discuss the tooling that was built that enabled us to test policies, automatically generate supporting documentation and audit how each policy is being used so that they can be safely promoted through our environments. Best of all? They are all open source!

James Alseth

Security Engineer, Yubico
James Alseth is a Security Engineer at Yubico, currently focused on cloud infrastructure security. He works on building self-service security solutions that enable engineers to be more confident in their design, implementation, and deployment decisions and strategies.

John Reese

Software Engineer, Yubico
John Reese is a Software Engineer at Yubico, who specializes in Kubernetes and Go. He is an active open source contributor and a core maintainer for Conftest, a tool that helps you write tests against structured configuration data. In his free time, he enjoys playing hockey and video...

Tuesday November 17, 2020 4:15pm - 5:00pm EST

5:05pm EST

Tuesday November 17, 2020 5:05pm - 5:20pm EST

5:25pm EST

Capture the Flag Wrap Up & Summary, Andrew Martin, Control Plane & Magno Logan, Trend Micro

Andrew Martin

CEO, ControlPlane
Andrew has an incisive security engineering ethos gained building and destroying high-traffic web applications. Proficient in systems development, testing, and operations, he is at his happiest profiling and securing every tier of a cloud native system, and has battle-hardened experience...

Magno Logan

Information Security Specialist, Trend Micro
Magno Logan works as an Information Security Specialist for Trend Micro. He specializes in Cloud, Container, and Application Security Research, Threat Modelling, and DevSecOps. In addition, he has been tapped as a resource speaker for numerous security conferences around the glob...

Tuesday November 17, 2020 5:25pm - 6:10pm EST

6:15pm EST

Event Closing Talk

Andrew Martin

CEO, ControlPlane
Andrew has an incisive security engineering ethos gained building and destroying high-traffic web applications. Proficient in systems development, testing, and operations, he is at his happiest profiling and securing every tier of a cloud native system, and has battle-hardened experience...

Emily Fox

Security Engineer, Apple
Emily Fox is a DevOps enthusiast, security unicorn, and advocate for Women in Technology. She promotes the cross-pollination of development and security practices. She has worked in security for over 12 years to drive a cultural change where security is unobstructive, natural, and...

Brandon Lum

Senior Software Engineer, IBM
Brandon loves designing and implementing computer systems (with a focus on Security, Operating Systems, and Distributed/Parallel Systems). He enjoys tackling both technical and business challenges and has a side interest in organizational behavior and leadership. At IBM Research...

Jeyappragash Jeyakeerthi

Co-chair, Tetrate

Tuesday November 17, 2020 6:15pm - 6:45pm EST