Hello, everyone. My name is Swarabh Wadhwa. I'm a Senior Solutions Engineer at Uptycs. And the agenda for my talk today is DevSecOps for your developer ecosystem. I've been a developer in my past life, and security never crossed my mind. But it's the harsh reality. You have developers, you have security, and you have operations working together to give you a secure working app running in the cloud.
And the second piece would be security at the developer laptop. We never focus on developer laptop security. That's where the crown jewels lie. You have your code being built. You have your access keys lying there. They have admin access to different systems for building the app. But we never focus on security. On the right-hand side, you see something that caught my mind, the LastPass attack. But this is not just the only one, the most recent one being Dropbox. And the trend is that a lot of developer environments are being targeted. And it's not like these are just random attacks. The attackers are becoming really sophisticated when they are attacking the CI/CD ecosystem.
So on this slide, I'll pause for a moment to just take a moment to digest what exactly is going on. You have your pre-production phase where the development is happening. The developers are developing code, committing it to a repository. And then you have the building and testing phase. And then you have the post-production phase, which is the control plane and the data plane. Now, if we focus on the control plane and the data plane, this is where the different services are running. You have your orchestration services like Kubernetes, OpenShift. And then you have your runtime, such as Docker. And then you have the data plane where you have the worker nodes running the actual container workloads. From a security perspective, this is pretty siloed. You can't connect the data between what's going on at the control plane with what's actually happening inside the containers.
So take, for example, the container escape attack. So containers, when they're deployed in production, they widen the attack surface. And containers share the same IP space. They share the host kernel space. So what happens is if an attacker does perform container escape, he will get access to the underlying hosts as well as the other containers. And it's the same thing for the pre-production pipeline where the development is taking place. We often silo the testing and the registry stage from the code development and the developer laptop monitoring. So these days, a lot of attacks are targeting the developer laptops, the latest being Dropbox. And what's the reason? The reason being the groundwork is done by the developers. They build the software. They have admin privileges to different systems. Maybe GitHub, for example. And once the attackers enter your CI/CD pipeline, they can exploit this to move laterally around the network and gain access to the end goal.
So there are a few different ways how we can enable security at the developer laptop. So this is the shift-left approach. Why not focus on security right when the production starts rather than focusing on security when the software is actually running in production? So we can start with auditing for vulnerable packages. A lot of developers use third-party libraries. And also look for any malicious Chrome extensions because there have been cases where there was a spear-phishing attack because some developer installed a malicious Chrome extension. Then you have the zero trust access with the BYOD, remote working from home, BYOD policies. We need to have something in place which gives access to developers to those critical systems that are needed to perform their job. And zero trust is a great way because every request is authenticated and then authorized. And on the laptops themselves, we should have a mechanism which is detecting something malicious and taking probably like remediative actions.
So just to wrap up, I would say the attackers don't think in silos. When they see your CI/CD pipeline or the innovation pipeline, it's an ecosystem. And neither should security practitioners like us think in silos. We should not do like that. And for a good security, developers don't need a security program that hampers innovation. So a good security program enables them to build a secure running product in the cloud. Thank you. If you would like to talk more about this, have more discussions, please join us at the Uptycs booth. And we would be happy to chat with you.