From 41bf4346b4e3ef7e7e6fb98599e5f933eadb6043 Mon Sep 17 00:00:00 2001 From: Shlomo Zalman Heigh Date: Wed, 10 Jul 2024 15:29:40 -0400 Subject: [PATCH] [Blog] CNSC 2024 Takeaways (#1315) * Blog post: CNSC 2024 takeaways Signed-off-by: Shlomo Heigh * Schedule blog post for Monday July 15th Signed-off-by: Eddie Knight * Update blog post datetime Signed-off-by: Eddie Knight * Update blog post datetime Signed-off-by: Eddie Knight --------- Signed-off-by: Shlomo Heigh Signed-off-by: Eddie Knight Co-authored-by: Eddie Knight --- ci/link-config.json | 2 +- ci/spelling-config.json | 8 ++ website/content/blog/cnsc-2024-takeaways.md | 105 ++++++++++++++++++++ 3 files changed, 114 insertions(+), 1 deletion(-) create mode 100644 website/content/blog/cnsc-2024-takeaways.md diff --git a/ci/link-config.json b/ci/link-config.json index 0e43c9de4..95daf4d03 100644 --- a/ci/link-config.json +++ b/ci/link-config.json @@ -1,5 +1,5 @@ { - "aliveStatusCodes": [200,206,402], + "aliveStatusCodes": [200,206,402,999], "fallbackRetryDelay": "10s", "replacementPatterns": [ { diff --git a/ci/spelling-config.json b/ci/spelling-config.json index ca98eb92f..eabc7a458 100644 --- a/ci/spelling-config.json +++ b/ci/spelling-config.json @@ -12,6 +12,7 @@ "antifragile", "APAC", "archives", + "ARMO", "ATT&CK", "backdoors", "Benedictis", @@ -33,6 +34,7 @@ "CODEOWNERS", "Configu", "conftest", + "Conjur", "coreutils", "CrowdStrike", "cryptomining", @@ -50,6 +52,7 @@ "exfiltrate", "exfiltration", "explainability", + "exploitability", "Expressibility", "Fianu", "FIPS", @@ -57,9 +60,11 @@ "frontmatter", "Gamal", "gconv", + "GUAC", "helm", "HIPAA", "HITRUST", + "Hirschberg", "hotspots", "hyperconverged", "Inclusivity", @@ -75,6 +80,7 @@ "Kube", "kubecon", "Kubernetes", + "Kubescape", "Kyverno", "libc", "libgcrypt", @@ -115,7 +121,9 @@ "Ragashree", "Razzak", "RBAC", + "RCOS", "Rego", + "Rensselaer", "Roadmap", "runtimes", "sandboxed", diff --git a/website/content/blog/cnsc-2024-takeaways.md b/website/content/blog/cnsc-2024-takeaways.md new file mode 100644 index 000000000..8c2bee9c0 --- /dev/null +++ b/website/content/blog/cnsc-2024-takeaways.md @@ -0,0 +1,105 @@ +--- +title: "Securing the Cloud: Insights from CloudNativeSecurityCon 2024" +date: 2024-07-10T13:30:00-04:00 +author: Shlomo Zalman Heigh +--- + +I recently had the pleasure of attending and speaking at the CNCF's +[CloudNativeSecurityCon 2024](https://events.linuxfoundation.org/cloudnativesecuritycon-north-america/) +in Seattle, WA. The conference brought together security professionals, +developers, and industry experts to discuss the latest trends and advancements +in cloud native security. The keynotes, breakout sessions, and networking +opportunities provided valuable insights into the evolving landscape of security +practices. Here are some key takeaways I gathered from the event: + +## Industry Progress in Supply Chain Security + +At the conference, we witnessed significant advancements in supply chain +security. Three notable projects stood out to me: SLSA, GUAC, and VEX. + +- **SLSA and GUAC**: Both SLSA and GUAC aim to improve transparency and trust in +software supply chains. By defining different maturity levels of supply chain +security (SLSA), and providing a graph to visualize and reason about it (GUAC), +they helps organizations make informed decisions about the components they use. +It was clear to me that both SLSA and GUAC are gaining tremendous traction in +the industry, and their adoption will surely enhance visibility into security +posture across the software supply chain. + +- **VEX (Vulnerability Exploitability eXchange)**: VEX addresses the +overwhelming number of vulnerabilities detected during container scans. It aims +to allow teams to prioritize and handle vulnerabilities more effectively by +knowing which ones are more likely to be exploited and which should be treated +as false positives. There are a few implementations of the VEX standard, and +there were several talks at the conference discussing how to integrate VEX into +existing security workflows. We'll cover this more a bit later in this post. + +## Trends in Identity and Workload Security + +The industry is shifting away from long-lived credentials toward workload +identity. SPIFFE (Secure Production Identity Framework For Everyone) has gained +prominence as a standard for workload identity. This approach enhances security +by ensuring that services can only access resources they are explicitly +authorized to use, without the need for long-lived credentials which are +prone to leakage. + +[Session link](https://sched.co/1dCWN) + +## Lighter Systems: Operators Over Sidecars + +Traditionally, sidecars have been used to enhance container functionality, and +provide authentication between services. However, the trend is moving toward +lighter systems like operators, which don't require additional resources for +each pod and therefore scale more efficiently. In particular, we saw Istio's new +Ambient Mode demoed in the keynote by Lin Sun. This feature is still in beta, +and you can learn more on the +[Istio blog](https://istio.io/latest/blog/2024/ambient-reaches-beta/). + +[Keynote link](https://sched.co/1dCVF) + +## University Open Source Centers and Student Involvement + +One of my favorite breakout sessions was given by two students from Rensselaer +Polytechnic Institute, Ben Smith-Foley and Sam Begin. They discussed how +University Open Source Centers, such as RCOS (Rensselaer Center for Open +Source), provide students with valuable opportunities to learn and gain +real-world experience. These centers bridge the gap between classroom learning +and practical skills. Students can contribute to open-source projects, document +their processes, and tackle "good-first-issue" tasks. I always enjoy hearing +about initiatives that encourage student involvement in open source, and I was +inspired by the work these students are doing and hope to see more universities +adopt similar programs which are beneficial for both students and the +open-source community. + +[Session link](https://sched.co/1dCUW) + +## VEX: Automated Vulnerability Prioritization + +As mentioned earlier, VEX has been gaining traction as a way to prioritize +vulnerabilities detected during container scans. I had the privilege of +delivering a presentation on automated generation of VEX documents using +Kubescape along with Ben Hirschberg, CTO of [Armo](https://www.armosec.io/). We +discussed how [Kubescape](https://kubescape.io/) can be used to generate VEX +documents through runtime analysis of containers in Kubernetes, and how we +developed a new +[GitHub Action](https://github.com/kubescape/generate-vex-action) to automate +this process. + +[Session link](https://sched.co/1dCWE) + +## Conclusion + +There were many more valuable insights and takeaways from +CloudNativeSecurityCon, and I encourage you to explore the conference schedule +and watch the recorded sessions once they are available on the +[CNCF YouTube channel](https://www.youtube.com/@cncf). I'm excited to see +the continued progress in cloud native security and look forward to attending +future events to learn more about the latest trends and advancements in the +industry. + +## About the Author + +Shlomo Heigh is a Senior Software Engineer at CyberArk, where he maintains the +[Conjur](https://www.conjur.org/) open source secrets manager. He is a +contributor to the CNCF's TAG Security and an OWASP chapter leader. You can find +him on [LinkedIn](https://www.linkedin.com/in/szheigh) and +[GitHub](https://github.com/szh).