Welcome to KubeCon. Oh, wait, this is not KubeCon anymore. Welcome to Cloud Native SecurityCon, the first of its kind, in Seattle, North America. It is so great to be here with you all today. We have gathered here because security, the topic of this conference, is the most important and pressing issue we face as an industry and as an open source cloud-native community. Much has been said on the topic in many forums, but this conference is different. CIOs and CISOs, they worry about security. In the shift-left phenomenon necessitated by containers and microservices, which are our jam here in cloud native, developers mitigate those worries. This conference is for those developers. You are at the first open source, vendor-neutral, practitioner-driven conference for security. Great choice. This is where you can learn how to build and deploy software securely and teach others what you know. This is, after all, a collective sport that goes across organizations. What I'm hearing is that cloud native is the now and the future. Would you folks agree? I want to hear that louder, because this is not convincing. Yes, I agree with you. Everyone is becoming a cloud-native developer. According to independent research by SlashData, there are over 7.1 million cloud-native devs and counting. Given the changes that our paradigm brings, it's going to need a paradigm shift to level up the cloud-native security posture. And level up, we really must. Security within the cloud-native ecosystem is deeply complex. You know this better than anyone. That's why you showed up here. All of us, we focus on rapid development and deployment. And that is why cloud native is fast becoming ubiquitous. We're essential to organizations and businesses everywhere. That also means more exposed edges and nodes, greater attack surfaces, and ultimately less control. I mean, who here lost countless evenings and weekends fixing the Log4j vulnerabilities over the past year? Anyone? Anyone involved in Log4j?
Raise your hand. Yep, yep, exactly. Some of us are still dealing with that today. The experience we've had should remind us that security is not a one-and-done task. And no person is an island when it comes to security in modern times. At CNCF, the focus on security goes beyond directives and reports. This community realizes that it's an ongoing conversation. And a conversation is a must, because things are looking pretty dire right now. The cost of us not doing anything is very high. The 2022 Cost of a Data Breach report from IBM Security and the Ponemon Institute revealed that 83% of organizations had experienced more than one breach. And the impact was that the customers suffered, because 60% of organizations' breaches led to increased prices being passed on to customers. And then, talking about how this is a cross-organizational team sport, 79% of organizations are not deploying a zero trust environment. That is really not good, because ultimately what that's leading to, if you see here, is that almost 20% of breaches are occurring because of a compromise at a business partner. And keep in mind, by the way, that almost half the breaches that occur are cloud-based. That's our world in cloud native. The same study broke out the costs of breaches. When you look at a hybrid cloud environment, the average cost of a breach to an organization is $3.8 million. When you look into the private cloud world, that number goes up to $4.2 million. And when it's public clouds, it's over $5 million. And this is just the average cost. Not a good thing, especially in the times we face today. It doesn't mean no one's doing anything. Our CIOs and CISOs, they're doing their part. Gartner predicts that organizations will spend over $188.3 billion on infosec and risk management in 2023. They also flag cloud security as the fastest-growing area, with a 27% increase this year. So that's wonderful. But the problem is that top-down solutions will not fix what truly needs to be a bottom-up, community-led movement.
Proof is, in the State of Cloud Security 2022 report from Snyk, 77% of organizations said that poor training and lack of collaboration were their major challenges. There are siloed teams, often working in separate countries and time zones, using different tools and policy frameworks. And this is just within one organization. In the cloud-native environment, we are interacting with so many other entities. Throw in a lack of security policy, and there's the recipe for your security breach right there. At CNCF, in the cloud-native ecosystem, we have a perspective. We believe that security is people-powered. We all benefit when we collaborate together as a knowledgeable, vendor-neutral community to develop the tools and processes that are going to up-level our posture, whether it's creating use cases, defining security scenarios, or developing best practices and anti-patterns. A key point to remember is that the conversations we have and the assets we create together are publicly accessible, and they endure between roles, jobs, and life changes. So the lessons in cloud-native security have staying power. That is why I believe that cloud native presents the best place for industry collaboration on security. Practitioners and developers, folks like you, gather here and share their development and deployment expertise, and that's why we're in a position to teach each other. We're all a global team of doers, and when we work together, we cover far more ground than any single organization alone. Going back to the conversations that we need to continually have, they cannot happen without each and every one of you, the humans behind cloud native. Who here has heard of TAG Security? Yep, many of you. Raise your hand higher. I can't see. I have these lights. This is really hard. OK, awesome. Most of you do.
This wonderful 165-person-strong group of contributors develops and evolves cloud-native security through education, partnership, and engaging projects and communities. I have directly heard from projects about the game-changing impact they've had on their security posture with the super useful feedback given. An example of that is their Security Pals program, where someone from TAG Security will work hand in hand with a CNCF project to integrate security from the get-go. Keep in mind, any project applying to be an incubated CNCF project has to go through a TAG Security audit. This group is also famous for their numerous well-researched pieces of content, such as the Cloud Native Security Whitepaper that I quote over here. I suggest it as a must-read. As they say in this paper, the cloud-native paradigm dictates the need for new security mechanisms; our belief is that the answer is industry collaboration. A wonderful example of this multi-vendor open source industry collaboration is the project Sigstore, which Kubernetes adopted last May. This helps users easily verify that the distribution they are using is exactly what it claims to be. Sigstore has been a collaboration between multiple organizations, starting with Red Hat and Google Open Source Security, and it has now developed with the OpenSSF and other organizations such as academia, for-profit entities, et cetera. As one of the founders of the project says, security truly is a multi-dimensional problem today. And Sigstore's success is a direct result of open multi-vendor collaboration, because ultimately today you need modular, interoperable solutions, and that's only possible when you bring in diverse perspectives. The CNCF itself is supporting the community efforts and industry collaboration by maintaining a very careful security posture for our projects. We've partnered up with the Open Source Technology Improvement Fund, OSTIF, to conduct security audits for our projects.
We also do fuzzing audits, and ultimately that's resulted in hundreds of bugs being found. We're also adopting SBOMs, software bills of materials, all over. If you want to learn more about how we did it, I highly recommend catching up with our CTO, Chris Aniszczyk, at this conference, whose mantra is "SBOMs everywhere." The team's really passionate about them. So coming back to this conference, we are here at Cloud Native SecurityCon. It's the first ever of its kind, and we're a global community of developers and security experts. We will tackle issues of security together here and further on. We'll share our experiences, successes, and, perhaps more importantly, failures, and help build a collective understanding. We'll create solutions. That's right. The practitioners are leading the way, having the conversations they need to have. That's all of you. This conference, today and tomorrow, is packed with 72 sessions for all levels of technologists. To reflect the bottom-up, developer-first nature of the conference, the co-chairs have selected these sessions, and they are true-blue practitioners. Let me tell you a little bit about them. First up, Emily Fox. She is a cloud security services and compliance engineer at Apple, and has spent more than 12 years working in security. She also has an academic background in cybersecurity. She's a member of the TOC, the CNCF Technical Oversight Committee, and you should definitely catch her keynote tomorrow at 9:25 AM, "It Takes a Community to Raise a Conference." It'll tell you more about how Cloud Native SecurityCon, this place you're at, came to be. Second, Liz Rice. I mean, who doesn't know Liz Rice? She needs no introduction as the chief open source officer at Isovalent, who created the Cilium project and are heavily involved in eBPF. She also chaired the CNCF TOC and has vast experience within cloud native.
And thirdly, we have Brandon Lum, who is an open source security software engineer at Google and a co-chair of our beloved CNCF TAG Security. And he works to improve the security of the open source ecosystem day in, day out. They have selected some amazing talks which go into depth and share people's perspectives and experiences. As I looked through the agenda, it was really hard to pick my favorites. Two things stood out. First was an end user journey by Yahoo about how to secure your supply chain at scale. That's happening today, 11:00 to 11:35. And then the other, going back to that stat we looked at about how over 70% of organizations are not deploying a zero trust architecture, is a talk by Frederick Cotts on establishing a production zero trust architecture. I highly recommend you attend it, because we've got to fix that stat. That's also happening today at 11:50, and the room is listed on the slides. Learning and developing our security posture is a multi-track activity. There are so many things we can do. And if you want to get your hands dirty, I highly recommend joining the Capture the Flag experience today. It's, well, tomorrow. You go to room 615 or 616. Or you can also send a message on Slack to the channel that's listed on the slides. I'm going to let you take a picture if you want it. Participants can play three increasingly treacherous and demanding scenarios to bushwhack their way through the dense jungle of cloud-native security. Everybody is welcome, from beginner to seasoned. Other activities that I encourage: I'm hosting an EmpowerUs lunch for women and non-binary folks today from 12:25 to 1:55 in the lunch hall. We'll have some tables. It'll be obvious. You'll see us. Come join in and let's have a good time. Tomorrow, TAG Security is hosting a similar lunch. So if you want to spend time with them, ask questions, and share your insights, that's the place to go. Same time and lunch place as today with me.
And in the spirit of learning together, we're going to start here today at Cloud Native SecurityCon and then continue way beyond this conference. At CNCF, we are developing a new certification called Kubernetes and Cloud Native Security Associate, which is an entry-level exam geared towards people who want to learn about cloud-native security and get started. So if you have team members who you wish would come along for the security ride, whether it's product teams, other edge teams, marketing teams, or strategy folks, this is a great exam for them. And right now, we're looking for beta testers. So if you can help out, please use this QR code or go to cncf.io slash kcsa-beta-testing to support bringing this exam out to the public, which should happen sometime later this year. With that said, attendees, you are here because you recognize that security is a cross-organizational team sport. Kudos to you. I hope you will learn from each other, find interesting solutions, and have a wonderful time. I'd also like to thank our sponsors, who have invested in bringing all of us together. This collective group is ahead of the curve and will be the future of security. Let this conference be the beginning of that. And now, folks, I will hand over to our wonderful co-chairs. Thank you and enjoy the show.