This year the Cloud Native Computing Foundation (CNCF) hosted the first CloudNativeSecurityCon in Seattle. Spanning two days, the inaugural event saw approximately 1,000 attendees, both online and in-person. The event's mission statement was simple: bring together the cloud-native community to share knowledge.
Over the course of the conference there were 72 sessions that covered topics ranging from software bill of Materials (SBOM) to methods for static code analysis. In this post, we'll recap the biggest talks and presentations and look at some of the themes we saw.
Priyanka Sharma, executive director of the CNCF, opened the conference by sharing how the attack surface of Cloud Native technology is expanding. According to the CNCF “Cloud Native continues to grow with more than seven million developers worldwide”. Further, Sharma emphasized that the community is in a “position to teach one another.” In support of this sharing of knowledge, the CNCF’s security technology advisory group (STAG) has recently revised the Cloud Native Security Whitepaper to provide the community with the latest information for cloud-native development.
The small but mighty STAG has had a significant impact on the Cloud Native space. Since its founding, the STAG has fixed 132 security issues, reported 45 CVEs to critical projects, and built 51 security tools. Having up-to-date access to their expertise means the community can develop, deploy, and maintain more secure cloud-native applications.
The other conference keynotes hit a number of different topics and themes:
- Assumptions are made: In his keynote, Fighting The Next War - Future Threats to OSS and Software Supply Chain, Brian Behlendorf, general manager of the Open Source Security Foundation dissected the tradeoffs in building nearly anything, including software. In order to ship in a timely manner you always have to make assumptions about the things you’re building on top of. Our industry is only beginning to ask questions like, “Is the operating system I’m building on sufficiently secure?”
- Visualization is essential at any scale: Liz Rice, chief open source officer at Isolvalent, urged us to think more about the human element in the systems we’re building. In her session, Picture this! Solving Security Problems Visually with eBPF, she walked through several use cases where dataviz is a highly effective method for the human brain to find anomalies in network traffic flows at scale using tools like Cilium.
- SBOMs are everywhere: Directly relating to Behlendorf’s discussion around “building based on assumptions,” many of the speakers talked about the increasingly mature model for software bills of materials” (SBOMs). There has been an explosion in security tooling since Executive Order 14028, but in reality teams are drowning in potentially hundreds of thousands of software manifests without the right workflow automations to handle violations or grant exceptions.
- Securing the future: The old adage still holds true that defenders are often still working on patching the last security issue while new threats loom on the horizon. Matt Jarvis, director of developer relations at Snyk, gave a keynote, “Back to the Future: Next-Generation Cloud Native Security”, in which he looked further forward at quantum computing as a threat to asymmetric key cryptography, and threat models like ChatGPT executing attacks as sophisticated as an advanced red team. “Entire industries will be disrupted based on tests with limited human input,” said Jarvis.
- Increased complexity of CI/CD: Monitoring, maintaining, and scaling CI/CD controls can be challenging across your organization. As mentioned, SBOM is everywhere! Your CI/CD pipelines are no exception. Adopting a standard blue print like the one mentioned in the presentation given by Brandon Lum, open source security engineer at Google, "The Next Steps in Software Supply Chain Security".
At events like these, the most valuable content is often in the sessions themselves. The organizers of CloudNativeSecurityCon have an amazing process for evaluating and choosing session proposals that is both rigorous and inclusive. (For more information, check out the conference's open source CFP Scoring Guidelines.) Next, we'll look at a couple of our favorites from this year's conference.
According to Anchore’s Software Supply Chain Report, supply chain attacks are up 742 percent year over year. In this talk, the presenters discussed how Yahoo is using open source tools similar to the Secure Software Factory pattern to secure the company's massive codebase. SBOM tooling has learned a lot from the DevOps model; embracing automation as a means of scaling is a key takeaway from this presentation.
Securing Self-Hosted GitHub Actions with Kubernetes & Actions Runner Controller by Natalie Somersall, GitHub
This talk bridged the gap between the cloud-native” world and the data center. Often, researchers and security experts don’t acknowledge that some companies must and still do operate some systems on-prem. Running GitHub Actions is no exception. If you have “weird” use cases like proprietary hardware, need support for unsupported OSes, or frequently access huge datasets, these could all be reasons why you might consider using something called self-hosted runners. These self-hosted jobs run in Kubernetes in your data center via a GitHub-maintained project called Actions Runner Controller. With great flexibility comes great responsibility, and Somersall does a great job of walking through the gotchas, alternatives, and observability challenges in these environments. Even if you don’t anticipate using self-hosted runners this is a fascinating walkthrough of some use cases you may not have considered.
Securing the Superpowers: Who Loaded That EBPF Program? by John Fastabend and Natalia Reka Ivanko, Isovalent
The introduction of eBPF has been a massive win for security and observability. The ability to rapidly hot-load and instrument different parts of the operating system in real time has opened a lot of doors. In recent years attackers have also been poking at eBPF to see how the technology could be abused, which is often the classic struggle in implementing any privileged system. In this presentation Fastabend and Ivanko walk us through one model for auditing the loading of eBPF programs, providing attribution back to who loaded them, and recommended guardrails. If you use eBPF at all or are considering it, this talk is an essential watch for a deep dive.
This year’s CloudNativeSecurityCon can be considered a massive success. The participation, both in-person and virtual, led to some great knowledge sharing among experts and users in the cloud-native space. The full playlist of videos from the event is available online. If you want to get involved in the cloud-native community, consider joining the STAG by checking out their joining instructions. Emily Fox, CNCF cochair for CloudNativeSecurityCon chose to represent the work of the STAG with a quote from Margaret Mead, “Never doubt that a small group of thoughtful, committed citizens can change the world: indeed, it’s the only thing that ever has.”