Hello everyone. I hope you guys had an excellent Cloud Native Security Day. I know I did. Unfortunately, I didn't get a chance to participate in the CTF because I was so busy reading through all the chats, listening to all the amazing talks from our fabulous speakers, and helping out everybody that reached out for assistance, either through the Slack channels or through direct messages. So we're going to go ahead and wrap up the event. I'm Emily Fox. I'm the SIG Security Co-Chair and the Security Day Lead for the event. And we've got JJ, who's one of my other co-chairs, and Brandon Lum, who is a technical lead for SIG Security. So we're going to talk a little bit more about SIG Security and how you can get involved with this awesome group of people, as well as do a full day event recap and open everything up for Q&A in case you're curious about anything else going on with SIG Security or if you've got questions about anything associated with cloud native security. We've got some great stuff coming up for you. So, Brandon.

Thank you, Emily. Awesome. So I'm just going to go through a couple of slides. We're going to tell you a little bit more about SIG Security on top of what Emily has already shared this morning, and then we're going to go into the discussions. So, awesome. What do we have for SIG Security? So Emily covered in the morning a little bit about presentations and discussions. This is something that's ongoing. As you can see, some of the topics here are things that we've seen today, for example Parsec. There are a lot of topics that we have coming from the other working groups that we work with, for example the Policy Working Group. We work closely with the SIG Data working group and so on. And as Emily mentioned, whenever there's a chance for community collaboration, for example, Ava dropped by from the Confidential Computing Consortium and then we talked about the ways we could engage as a cloud native community.
So if you're in a community that would like to be involved with cloud native security, or if you have a project that you think would be interesting to share about, come create an issue; everything that we have is managed through our GitHub. So another big thing that we have is the supply chain catalog. This was something that was created a while back by Santiago and a couple of others, and there was a lot of interest in the supply chain problems and security today. We even had a breakout hallway track session on that, and I think there were a lot of interesting links that we'll put in there. I think there was even a paper; it was called "The Backstabber's Knife Collection" or something. That paper is definitely something to read. It's a cool title. So this catalog is community maintained. So based on the number of resources that were posted in the channel, if you see that there is something that is missing from the catalog or we can make improvements to it, please don't hesitate to create a PR against it.

All right. So usually we have in-person meetups. This is something that hopefully next year we'll start resuming once things get back to normal. I know Europe will be virtual, but maybe at the next KubeCon we'll see each other again. And we also have security assessments. This is one of the core activities that we engage in. Today we have five security assessments already done. These security assessments are a way to really assess the security posture of a CNCF project. There's a lot of interaction with the TOC, helping them by providing recommendations on what a project's security posture is, as well as, if it's a security project, for example, how does it really fit into the CNCF ecosystem?
And the output of this process is a security document. For the projects that we've already done, it is a document where, if you're interested in a project or you have been looking at one of these projects, for example OPA, and you're not sure where to start in terms of security considerations, the security assessment document is something that you should definitely take a look at. It really is a good introductory document. Security assessments are also a good way to engage in the community. Usually assessments are scoped at about four weeks total, where two weeks of it is the main review and assessment, and the rest is putting everything together at the end and writing up a summary of what the recommendations are. So it's very nicely scoped. Usually we have four to five reviewers per assessment, and this is open to everyone. If you are someone that is new to this or would like to learn, we have opportunities to shadow, to join the channel and see what's happening with the security assessments. And if you're someone that's experienced with this, definitely come take a look; it'll be great to have more people on board. So just a shout out to all the security reviewers we've had since we started security assessments. Thank you so much. We wouldn't have been able to do the first five assessments without you, which was our first security assessment master.

So how do I get involved with SIG Security? SIG Security is mainly based on our GitHub repository. So if you go there, there's meeting information, Slack information; everything is governed in the GitHub repository. And so there is a new members page that you can take a look at; it tells you a little bit more about SIG Security, what we do, as well as how to add yourself as a member to the group. We have weekly meetings that you can join in our Zoom session every Wednesday. If not, what usually happens in the repo is that everything is well documented in issues or pull requests.
So if you actually go to the GitHub repo and you go into issues, if you've seen anything in the previous slides that you're interested in, for example you want to present something about your project to the group or talk about the security practices within your organization, you can create an issue for a presentation and then we will start figuring out the logistics for you to present that. Or if you have a security idea that you think the group could benefit from, you could add a proposal or a suggestion. And if you're a project that would like to start a security assessment process, you can go ahead and create a security assessment issue. So with that, I'm going to wrap up this part of the closing. Like I mentioned multiple times before, everything is on the GitHub. So if you remember one thing, just go to the GitHub: CNCF SIG Security. Our meeting times are Wednesday, and we have a Slack link over here, which is part of the CNCF Slack. And don't forget to sign up for the mailing list. All right. So Emily, back to you.

That was awesome. Thank you so much, Brandon. JJ, what was one of your favorite talks for today? I know I have a list and I know Brandon's got at least one, if not two. But JJ, how about you? What was your favorite talk?

Oh, JJ, I can hear you.

Sorry, I'll first go to Brandon before I actually go for it. I'll have to digest my...

Yeah. I think for me, I had a couple of favorite talks. I really liked the dynamic analysis using system calls. We were talking about eBPF and how it's really evolved how people do analysis and dynamic, even just the runtime security stuff. I'm also a big fan of any hardware security related things, so the Parsec presentation and also even the certificates one. I think we were talking about how we actually bootstrap the chain of trust to an HSM. I thought that was cool.

Yeah, definitely. Those ones were all really good ones. I think...
So it's hard for me to just pick one, but I have to admit the Yubico talk at the end of the day, right before the CTF wrap-up, I thought was really cool because it highlighted a huge problem space that occurs in the community when we're trying to go cloud native, because the cloud native landscape is so large and security is like three miles long and leagues deep. But the nice little shopping list that they put together for how to get some of these tools to work together... We heard about that earlier in some of the other talks: you can't just pick one solution and just roll with it and you're automatically secure. You have to work on them a little bit. You have to build that defense in depth mentality across your organization, because it's not just going to be runtime security that's a concern. It's going to be all along your supply chain. It's going to be through your build. It's going to be through your pipeline, all of that. JJ, what about you?

I mean, the eBPF talk was the most fascinating one. I'd love to... There's so much about eBPF that's actually a mystery for most people in terms of, is it secure? Is it not secure? Is it kernel mode? Is it not kernel mode? I mean, as an industry, I think there's a lot of clarification needed. It's super powerful as a tool to be used and super relevant for modern day compute and modern day networking overall, especially modern day observability that actually provides much more security at scale. I hope there are more of these kinds of discussions and talks that happen to ease and comfort users. There are also a lot of doubts in terms of the versions of the kernel where it's applicable. There is a tremendous amount of trepidation in terms of adopting eBPF. I think more of those talks will actually help ease that. I think it is much more relevant for security at scale for a lot of things. That was my most favorite talk. Yeah.
I think also JJ talked about the modern cloud deployments, and also Emily talked about just having to juggle different aspects of security, but then even in the shared governance lightning talk, where you talked about: it's not even just different components of your security ecosystem, but when you have multiple parties involved, like your cloud provider, how do you make sure that you have proper governance of that? As a company or as a cloud user, how do I ensure that even my implementation of security meets the standards? How do I do compliance and auditability if I don't own certain services?

Yeah. Policy distribution at scale, computed with performance, is going to be a challenge. Then the more the computers are not under your control, the faster you want to evaluate the security policies, and it needs to happen closer to the edge. So that is something that was still fascinating, and I think we should pay attention to that as a whole. I mean, overall, all the talks were phenomenal and fantastic, especially some that actually overlaid the industry, but this one was probably my favorite talk.

So we actually got our first question. One of our SIG Security members decided to ask it. So Pushkar wants to know, what are our recommendations for security-related talks to attend for the rest of KubeCon? And I can only assume that he's asking that because he's so in love with all the security talks that we had today at Cloud Native Security Day and he can't quite get enough of it, as we've seen in some of the other Slack channels talking about Security Day. So Brandon, what talk are you looking forward to, or would you recommend in the KubeCon schedule?

I'll be honest, I was going to look through this tonight. I actually haven't had the time to look through it. I'm actually looking through it right now.

All right, JJ, how about you?

Yeah, give me a second. Yeah, I'm in the same camp with Brandon.
I think, yeah, I'm just looking through it quickly. I think there are a few things that could be interesting. I like anything which is kind of like bypassing security mechanisms. I think the one that the Google team did a couple of KubeCons back on jumping between nodes, that one was cool. So there's another one called Bypassing Falco. I think this could be cool. It's going to touch on a lot of the stuff that we just talked about, like eBPF. It's a mystery; it's something cool, but I think this will be a good insight and a nice exercise to see how the threat model of that fits into applications as well.

Yeah, for me, I spent most of yesterday furiously combing through the schedule looking at all of the talks. The Bypassing Falco one definitely stood out for sure. There were a couple of other ones, though, that I thought were really interesting. Let me find that one. I mean, pretty much any talk with Liz Rice is going to be good. Yeah, man, there's just so many. And that's one of the nice things, is that we're starting to see more security focused talks, or even just regular technical talks with a security bent to them, which is fabulous. And that's something that we want to see from the community. But yeah, I actually have my schedule viewable. So if you are friends with me in Sched, you can check out and see which sessions I'm going to, if you're interested.

Yeah, I think the Starboard one. Starboard is something that I looked at for a bit. It's definitely cool observability, as well as a way to get a good idea of what's happening within your cluster. I'm also looking forward to "PKI the Wrong Way," because that is something that, although it has been around, is misunderstood a lot. And I think this is going to help solidify some of the mindsets and also hopefully give me another way to see it, and to see how we can make sure we cover those grounds when we're doing PKI.
I feel like no matter how many times you do it, you're bound to make mistakes.

Yeah, we got another question. For compliance automation, do we have any recommendations for a specific session? I would like to point out that we had some excellent compliance check coverage today with OPA. I think there were at least three talks today that mentioned OPA or talked about policy enforcement and automation of policy rules. So JJ, do you know of a particular talk, or maybe even a specific technology, that we can point folks to to learn more in that space?

I mean, OPA is a pretty good first step. And I think there is also a bunch around that's published closer to the Cloud Security Alliance that actually is somewhat of the intersection point of where we are. If you're looking purely for compliance, I think there is a bunch of standards-based stuff that's available that's probably worth looking at. We do a lot of cross-pollination between a bunch of other security consortiums and ours. And I think if you were to listen to some of the security talks in the previous four to five blocks, a bunch of times compliance has come up in the conversation, and there are a few good recommendations there too. But in general, there's a good amount of resources in the Cloud Security Alliance that are going to go around, and then attending the SIG Security meeting for more in-depth conversation would be a useful thing. Compliance is one of those things where, when your infrastructure is moving dynamically, anything that's been defined yesterday doesn't actually apply today. And it's good to have a scriptable compliance story to go with. But what you want to know is how do you verify, validate, and then how do you basically assert that what you've said is what's happening in the system, when the infrastructure itself is changing and the computes are not the thing that you actually own. To a large extent, it's an open problem.
So participating in the community is probably what I would say to keep ahead of what your compliance story should look like.

Yeah, I think there are like two or more talks in the security track. But while we're on this, I think a couple of other sessions or topics outside KubeCon: OSCAL is one of them. And also just my personal way to look into compliance: one of the things that I like doing is, a lot of these products have this compliance mapping where they'll say, okay, here's a NIST standard, here's where the specific controls will map onto it. We did some work as part of the SIG with the DoD. There was a spreadsheet somewhere; I think we can link it in the Slack channel later. But they talked about some of the controls that Kubernetes or some kind of scanning tools are going to be. But I think compliance is something that's very specific to implementation as well. It's very specific to the type of compliance that you want to end up doing, whether it's FISMA or FedRAMP or HIPAA. But usually it boils down to NIST. So if you can map it onto some control in NIST 800-53, you should be fine.

Yeah, you actually brought up a good point. And this is something that we've talked about quite a bit in the SIG, is that security and compliance are often lumped together and they don't always mean the same thing. You can be more secure in some cases through implementing compliance controls. But you're not always going to be compliant when you're just implementing security out of the gate. So it's important to note that compliance rulesets and policy rulesets can help make your organization more secure when you're doing them correctly, but one does not always necessarily mean the other. And we've talked about this in a couple of previous meetings within the SIG, and it's actually going to be discussed briefly in the Cloud Native Security White Paper, which is going to go live tomorrow.
So shout out to CNCF, the awesome folks there that have helped us work through the logistics of getting that document published. And it will become live in our repo after KubeCon + CloudNativeCon is complete.

The white paper also has a lot of pointers. It doesn't have a full story on compliance, but it has a fair amount of indications to think through in terms of compliance. So I'd highly recommend taking a look at that as well. Yeah, I think also the Policy Working Group that is part of the CNCF as well has some discussions. I looked at a couple of recordings for some of the sessions, and they're talking about compliance in terms of the policy framework as well. So that could be a good place to go to as well.

Definitely, for sure. What else did you guys like the most about Security Day? Overall, mostly because I've been so close to the Cloud Native Security White Paper and getting that wrapped up, it was really nice to see that almost every single one of the talks was entirely about cloud native security end to end, or at least how you manage or deal with a particular problem area in cloud native security. There was a talk specifically about dynamic image security scanning and how that fits into your lifecycle, which we talk about in the paper as well. Alfie and Nick talked about the importance of your data source and the benefits of understanding what the data gives you for cloud native security. Kelly talked about security theater, which I think a lot of us are very familiar with, and the list just goes on and on. A lot of these topics are huge problems in the area where we're trying to move security forward. There was a lot of that progression in many of the talks. What did you all think was the most important theme or the biggest takeaway from today?

For me, actually, I feel like the cool thing was that we see the talks evolving to be targeted towards a more mutual security posture of running compute.
It's no longer "I'm just going to put some scanning stuff in and then have the CI and have my cluster," and I think we're going to be seeing a lot more advanced problems. That's why we have Cartographer. We're looking at service mesh. We look at, how do I, having service mesh sidecars and authorization in Kafka, right? How do I bring it all together in a place that makes sense? We're not just talking about simple basic controls, but how do we tie the entire security picture together? I think that's what I got excited about, especially with a lot of the hardware stuff. But I'm curious to hear from everyone as well: what are future topics that we can really go into? What's interesting? What are the new requirements that we're seeing as we are getting more and more folks moving to the community?

I mean, one of the talks related to that that it reminded me of is "defenders think in lists, attackers think in graphs." There were multiple people that talked about that as well. This isn't the first thing, but it's just fascinating: as the services get more distributed, as the services are running everywhere, the defense mechanism of the early days of making it perimeter based security doesn't actually really work. We have to look through the defense mechanism in a completely different way to think through it. I would highly recommend any talk, any directional application, either compliance verification or even application of authorization policies, that thinks about it in a graph-based way. It's probably a directionally right thing to do. Might be too early, to be honest; I think there's still a lot to be desired in terms of performance when you're evaluating in that zone, but directionally, I think that's probably a good way to think through security.

Yeah, I think one of the interesting things that we got a lot of is: just because you're doing containers, it doesn't necessarily mean you're secure.
We saw that through the CTF, and it's unfortunate that Andrew had to drop offline, but if you were online before, he did a wrap-up of the CTF and he went through all the challenges and the flags. This was our first time doing the CTF as part of Cloud Native Security Day. We wanted to do one of these for a while, and it's really awesome to see so many people, especially first-timers in security, or folks just dipping their toes into the water, be so successful in their first container escape. Did either of you have a chance to participate in the CTF? I know I didn't.

No, I didn't get to, unfortunately. Maybe next year, when we can take a break from running the event.

Well, we should get Andrew to give us all the access.

That's right, but exactly right. Container security is super important, but container security isn't the only thing that's going on in the cloud native space. We had a presentation at one of the SIG meetings recently about serverless security from the Cloud Native Security Alliance. As of late, I've been getting a lot of newsletters from various sources about things that are going on in the security landscape. Serverless security has pretty much come up in the last 10 emails that I've gotten. I'm curious, do you guys think we're going to get some serverless security talks next year, maybe? That could be cool.

It is a fascinating topic, serverless security, because it is the ephemerality that makes it harder to enforce security that's actually consistent. I think it's harder, but at the same time it's easier, because the good thing is, really, it decomposes your entire application, your entire enterprise, into the smallest components. So you could technically, theoretically, have the best authorization policies ever. But then you also introduce the other side of it, which is that level of fraction of compute and multi-tenancy. It's the difference between the container. Containers will be more secure. Container security is assumed.
The nice thing about that, and with a lot of the other talks that we got, especially from the end user stories, like with Yubico and one of the other presentations that we had earlier, is that it builds on the previous layer, or the previous activities, or the previous part of the lifecycle, to ensure that we're getting to that more and more secure state as compute gets more and more finite and smaller. So I'm curious to see what kind of talk submissions we're going to get next year. I'm very excited about it. Do we have any other questions from folks? I know that we had a bunch of people drop off. At one point, we had like 60 plus people in the viewing area.

Yeah, I think we're over time a little bit. I'm not sure whether we're going to get kicked off.

All right. Well, I will go ahead and wrap things up. I want to thank everybody for joining us for Cloud Native Security Day North America 2020. Thank you, Brandon. Thank you, JJ. Thank you, all of the CNCF staff that helped make this possible, as well as the Cloud Native Security Day program committee. Without all of you here attending the event and volunteering and helping out, we could not make this possible. So thank you all so much. I hope you had a wonderful day.

Yeah, I have to say big kudos to the CTF team. This is one of the smoothest CTFs I've seen run. I want to give a big shout out to Emily for pulling the whole thing together and then keeping it on track and getting the whole thing organized. So shout out to Emily, and shout out to Brandon for closing and keeping it in sync.

All right. Thanks, you all.

All right. Thank you. Take care.