Hello everyone. Good afternoon to everyone over here. Welcome to CloudNativeSecurityCon. I've been, you know, a moderator for this session. And today we are talking about securing the golden path: adding guardrails for the developers without getting in their way. Is it possible to increase both agility and security? We all know that organizations are driven to deliver faster, and security often gets overlooked. So how do organizations adopting cloud-native best practices balance the growing complexity of securing modern applications against that? It is something we have been discussing for a long time, but now the industry is feeling the need to, you know, show the way how security and operations teams can collaborate in providing developers with a secure golden path. So in today's session, we will definitely cover, you know, some of those guardrails and policies in the golden paths with the great panelists we have on the call today. And quickly I want everyone to introduce yourself. Maybe we can start with Aradhna.

Good afternoon all. My name is Aradhna Chetal. I'm managing director for cloud security at TIAA. I'm also co-chair for TAG Security at CNCF and co-chair of the serverless working group at CSA, and have been participating in a number of other industry initiatives around cloud and cloud-native initiatives.

Thank you. Thank you, Aradhna. Jim.

Hi, everyone. Thanks for joining. I'm Jim Bugwadia, co-founder and CEO at Nirmata. Nirmata provides Kubernetes policy and governance. And within the CNCF communities, I'm a co-chair of the policy working group. I also am a co-chair of the multi-tenancy working group. And I am a maintainer of Kyverno, which is the Kubernetes-native policy engine.

Great. Thank you, Jim. Anil.

Good afternoon, everyone. I'm Anil Karmel, co-founder and CEO of RegScale. RegScale helps organizations shift left compliance via an API-centric continuous compliance automation platform.
By way of background, I'm very active in the Cloud Security Alliance; I lead the Washington, DC metro area chapter, as well as co-chairing the application containers and microservices working group and the DevSecOps working group, and I'm active in those groups as well. I'm honored to be here and look forward to the conversation.

Absolutely. Thank you, Anil. And Liz.

Hi. My name is Liz Vasquez. I have been working with cloud security for at least the last six years, and most recently at Barclays, as director of security, working with their cloud security program. Before that, at HSBC, helping to really build up their cloud security as they were just entering the cloud on multiple platforms: AWS, Google, Microsoft. And before that, at JP Morgan. So yeah, I've kind of been around the financials, helping them either develop the policies or understand what the new security controls and concepts were on cloud versus what the traditional security paths were. So that's what I've been doing for the last few years.

Thank you, Liz. Thanks. It was a great introduction. And I'll quickly introduce myself as well. I'm a global technical leader, working as a salient. I'm a co-chair with the Cloud Security Alliance and have also been working with CNCF. I've been in the industry for 18 years, and have been thoroughly, you know, working on cloud security, identity and, you know, different disciplines of information security. So I am looking forward to having a great conversation today with our fellow panelists. And to start the questions, you know, we know everyone talks about developer experience. So what does that mean and why does it matter? So, Liz, why don't you start that? And we can have a, you know, good conversation on that topic.

Definitely. So from what I've seen in terms of, you know, being on the security side: before that, I used to be a developer, a technical architect myself, right. So the beginning of my journey was really, how do I secure my own application?
How do I integrate all of the various policies in terms of code scans, pen testing, you know, running my own pen tests and then setting up, you know, the environment for pen tests against it? You know, so I saw the way it was done previously, when it was a lot of ad hoc and manual, doing your security code scans on your machine yourself, to, as we were moving to cloud, and as not just the developers but, you know, the technology started to allow more of the, you know, ability to bolt on, right, ability to automate, ability to build into pipelines. So it's kind of been a journey that I've seen on both ends, where the developers obviously have taken to, you know, building pipelines because it facilitates everything on that developer end. I can build and run my environment so much faster. You know, now, as Kubernetes started coming into the picture, and cloud, the same thing; that mentality to me was very developer friendly. It was a mentality where, this is great, I can push out features without having to rebuild a whole application. I can isolate and easily identify which parts of my components, which aspects of my changes, what was going out. The part that was lagging behind was the security side, because security still was requiring you to scan your whole application, even though maybe I was only updating, you know, a few components here and there. Those are the aspects where, being on the security side, I have seen we have really been focusing on, right? How do we as security now support the fact that, yes, you know, developers can build now; now that things are automated, they can build their application four times, five times, 10 times, right? For each of those times, are you going to require a full security scan, right?
The parts that I've seen where, you know, the developer experience and, let's say, the security requirements are colliding: it's, is security enabling, or are we creating, you know, roadblocks, time blocks? You know, I'm scanning thousands of lines of code. I'm telling you now that you have thousands of non-compliant lines of code. What are all those requirements? So I'll kind of just, you know, lead it up to that. Like, where is it at? Where are those challenges at? What's security? And then obviously the security teams are working now with the products that are out there saying, guys, this is where we need your help, right? Because this is what's happening, where we can't continue creating these blocks or these slowdowns for the developers. However, we need to ensure that the security is compliant. We need to ensure that the developers have a way to easily remediate those bugs, to easily remediate, you know, SEV-1 issues, and to still be able to push out all of their features, right? So in the last few years, I know a lot of people talk about that. It really is a partnership: security doesn't want to block you, but security is, I think, more recently being enabled by products in the industry and so on to help developers rather than hinder them, right?

Absolutely. I totally agree. Anil, you're shaking your head. I think you have something to share, please.

Yeah. Yeah. I mean, you know, ultimately developers, you know, need the ability to have security, right, be transparent, and compliance be transparent, to enable them to do what they do so effectively and do so well, which is develop applications that solve real-world business problems, right? So, you know, by using golden paths and having an internal development framework, right?
Where you now have: this is the way that we develop applications, and you make security and compliance transparent to the developers so that they can focus on building those applications that add value, to deliver and address those issues that do arise in a quick, agile manner, and speed the time from development to deployment, right? That really is kind of the thesis underpinning golden paths. But, you know, the piece that should not be ignored, which I think is kind of, you know, the topic of conversation today, is the security of those golden paths, right? And ensuring that we have secured the golden paths, that we've baked in security and compliance and made it real time, made it continuous and made it complete.

Yeah. Thank you, Anil. I think you're absolutely right. This is something... It's a continuous delivery process, and keeping developer experiences, you know, motivational for the companies, for, you know, developers to have, developing a good user experience, and then, you know, feedback is one of the greatest things constantly shaking around in an organization. Aradhna, what do you think about your experience on, you know, developers, and specifically how does it impact, you know, the customers you're working with from the end-user perspective?

So my perspective is that all this technology, cloud or cloud native, everything, is to optimally support business, and business changes very quickly. Developers have to be able to respond to the changing market needs very quickly. Imagine a payment app, right? There are new features; your competition, they're coming up with new features; as a developer, I want to provide those features as quickly as possible to my customer base. How do I do it? Then there are regulatory changes. There are new regulations coming in all areas, not just security or compliance. There are other regulations that they have to meet. They have to meet visibility needs for the regulators. So the whole concept is that the developers are key.
I mean, in 2007, you can go to YouTube and look at Steve Ballmer's presentation on developers, developers, developers, right? Developer experience is everything. And how to facilitate that? Obviously, there is a lot of evolution that has happened in the industry, and evolution is still continuing. Basically, we want to leverage economies of scale. The common security controls need to be built into the platforms, right? And then the individual application developers should not have to worry about infrastructure, or what server or what host or what VM do I need to deploy on. Hence the serverless architectures in the market today, right? So that they can just develop application functionality and deploy it. Yeah, security still has to be built in as part of that. So we will talk a little more about what the tutorials and papers and golden paths mean after that.

Absolutely. Jim, why don't you share your thoughts about developer experience?

Sure. Yeah, and being a developer myself, it's interesting to see the evolution just over the last few decades, right? Because, like Aradhna mentioned, we went from a time where you would have to submit a build in the evening and wait until the next day to get that build back, right? And that was the developer experience. But today, within seconds, we're expecting things to be pushed into production in a secure and compliant manner. So, like Aradhna was also mentioning, today, of course, every business is a digital business. Businesses that can deliver faster will win. It's that simple, right? And how do you deliver faster? Well, you need to create the right developer experiences with the right security guardrails in place, policies, compliance, et cetera, but in a manner that's completely transparent to developers and empowers them to deliver faster. The other interesting trend we're seeing, along with things like golden paths, is also the rise of platform teams, right? Their sole purpose is to serve developers within an enterprise.

Absolutely.
I think you're right. This is something, as Aradhna mentioned, and I concur with you, Jim, as well. Understanding what customers want and need is crucial. That's the way to provide experience and ensure that whatever we are writing, specifically, is of high quality. That's the way we are improving our experience. The productivity also increases at a time when the team realizes that this is necessary for the project or for the innovation that they need to do in developing software. So yeah, good point. Let's move to my second question for the panel over here: what are the golden paths, and how can they help in securing, how we can improve that specifically, or what we're talking about over here? Jim, why don't we start with you first?

Sure. To me, quite simply, a golden path is how do you get from zero to production as quickly as possible in a secure, compliant manner, right? And this, of course, is not an easy task or easy feat. So whether you want to deploy an application or maybe a database service or something else, just having the recipes for this, which can be followed and which take care of the proper guardrails but at the same time allow that flexibility where required, is what a golden path would be.

Awesome. So in order for the golden path, what, can I say that this could be a series of questions and answers, or could be an offering at what customers are looking to solve over here? So Aradhna, what do you think from your viewpoint, or how does that golden path help in the overall direction that the industry is right now going in?

So think of the threat landscape today and an application developer. It is practically impossible for a developer to know all the threats and vulnerabilities in every possible language, operating system and all the stuff, right? There are so many security standards, compliance standards. I will not be able to focus on my code if I have to worry about all that, right?
So as platform engineers or security engineers, our job is to build these controls and paved paths in the platform itself: the tooling in the CI/CD pipeline, the integration and policy enforcement. So when I'm trying to push my code, I can automatically be stopped if I'm not meeting certain policies. That is in addition to providing guidance to the developers, you know, training on threats and vulnerabilities. So if we build these controls, I will not be able to deviate from those pathways, and my code will still be delivered and will be secure and compliant. So the whole point is providing developers those paved paths so that they cannot deviate from them. There's a paved path, right? You know where you're going, how you're going to reach your summit, right? Similarly, developers need those paved paths in the platform itself so that they can deploy code securely, and if they are not meeting certain policies, they're stopped. They need to go fix the vulnerabilities, or whatever policies they are not meeting. And this has evolved quite a bit over time, right? How security integration, security tools integration, and the whole Kubernetes aspect of it, right? Admission controllers. And there's progress being made in the industry on supply chain security, right? Where you're going further into getting the information about the metadata of the third-party software components that you're integrating in your software code. Everything is connected these days, and you're leveraging a lot of open-source and third-party libraries. So how do you make sure your code is still secure? So all these are components added together: the secure platform, the secure CI/CD pipeline, and all the policy enforcement in the pipeline shifts to the left and also provides a golden path for developers, and developer experience improvements and efficiencies.

Thank you. I think this is... It looks like an interesting discussion right now.
Anil, what trends are you seeing in your area specifically on the golden path, and how does it impact the overall experience over here?

Yeah, I mean, there's been a lot of conversation that Jim and Aradhna have raised in their points on this particular topic around shift left and the complexity of environments and the need to enable developers to be able to deliver code quickly, right? Instead of waiting for a build to happen overnight, instead of worrying about the security and compliance requirements of the code, being able to ship code in minutes, not days and weeks, is absolutely mission critical to meet the needs of the business. Now, with that said, following golden paths helps you make that happen quickly in large, complex organizations, because you have a recipe for how it should be done, leveraging, for example, an IDP, an internal development platform, right? Or different paths for different organizations. With that said, those paths need to be extensible; technology and tooling change at a rapid pace. There are new technologies coming in and out of organizations daily, right? So as the shift-left movement takes hold to enable and empower developers to build great software, make sure that those golden paths have the right guardrails to employ and enforce security and compliance, yet be extensible to allow new technologies to be brought in to help enable and secure the enterprise.

Absolutely. You made a right point about, you know, how we basically get onboarding or the create-and-process, something which requires minimal integration. Suppose, you know, we're doing a CI/CD pipeline integration or a version control system or any kind of static code analysis. That way, getting the right set of offerings specifically for what the customer intends to be done over there is to get an observability capability for what is being done over there. So, yeah, thank you so much for sharing your views. Liz, what about yourself?
Like what trends are you seeing in your area specifically, and how do you manifest or allow those, you know, specifically while deploying the applications?

Yeah. In terms of a golden path, what we're seeing more and more of, and what the request to various vendors has really been, even especially in the last couple of years, is: well, this is great that you can help me automate the policies, but even, let's say, running these security code scans, let's say, every time you push a build to dev or test, even at that point it gets burdensome, right? Which is why the request now has been, can you help us scan the code within the IDE environments, right? Can we plug in those policies so that it's visible to the developer, so that as a developer is building the code, building those module changes, they can start seeing and be notified of, you know, this code right here that you've just written is, you know, potentially going to violate the following policy, and even sometimes having those, you know, code fixes, right, the recommendations, right? This is how you can fix this. Because the challenge that I would see was, as a security team, do you run, let's say, these particular scans once daily, right? Because sometimes when it gets plugged in, like I said, it gets run, you know, oh, we're going to scan it every build. Well, again, that gets burdensome on the business, because now you're potentially adding, you know, minutes and then potentially stopping, right, a push to an environment depending on the errors every single time. And like I said, developer teams want to be able to build and push to dev, let's say, multiple times in a day, right? And maybe some of those fixes are actually fixes for, you know, security requirements. So they're pushing multiple times a day.
So sometimes even myself, I was like, you know, is it more efficient to be able to leverage and say, okay, these scans will run, let's say, once every day? So let's say the first build to that environment; that's one way to approach it, depending on which scan it is. But I see, you know, if it's a scan, let's say, for the infrastructure, for the environment, then, you know, let's say that makes sense, or that might be every time, because you don't change the infrastructure so much. But when it comes to the code itself, I am seeing that the way we can help developers the most is really integrating it during that development cycle, during that design cycle, right? As we can apply policies to their design, as we can apply policies to their development. So it's not a surprise to them later on: now they've designed this application, now they've built all this code, and now you're telling me, oh, you have a problem in all of these areas, right, in all of these lines of code. I think that's why the burden on development teams has been so great, because security has come in further down. And I know that security teams have been saying, we're gonna shift left, we're gonna shift left. The challenges have been how, right? Where's the tooling capability, you know, how do we integrate these policies, and so on? And that has really been the challenge for security, because a lot of the tooling, you know, previously has been the, oh, you can scan it once you get to this environment, right? You can require it at this step. It was still at later steps.

Yeah, thank you so much, Liz. I think you made a very good point about, you know, how we're taking a shift left, and developers normally don't shift left. They have the experiences; security is talking more from the shift-left perspective. So thanks for sharing your views on that.
So Anil, I'll come to you about, you know, some of the design principles, and what common templates are unique to each organization, specifically for RegScale. What do you think are some common templates that you are building for your organization, and how are your customers helping and taking care of that?

Yeah, I mean, you know, in the vein of, you know, kind of templates and guardrails, you know, there are, you know, definitely... it comes back to the type of data that you're trying to protect and the type of organization and its security and compliance requirements. Different organizations have different requirements. Financial institutions, for example, are beholden to some very stringent regulatory requirements. Healthcare institutions, completely different regulatory requirements, right? But somewhat analogous, right? And then you've got some organizations that have very few regulatory requirements. So understanding kind of two things. A, before you pick a template and say, okay, we're going to go and put the same thing on everything and just assume it's all going to work and everything's going to be great: that's not necessarily true, right? Because every organization is just a little bit different, and it should be. So first, understand what type of data you are entrusted to protect within that application, right? Who are you serving? What kind of data are you trying to protect, right? Whether it's internally or externally? Secondly, what are the security and regulatory requirements that that organization is beholden to, right? Once you have answers to those questions, you can then select from a lexicon of templates that meet those requirements and establish those guardrails for that organization, whether it be NIST 800-53, whether it be CSA CCM, whether it be HIPAA, whether it be GDPR, whatever regulatory requirements I'm using, right? But whatever they might be, establishing those: what kind of data are we trying to protect?
What are the requirements of the organization? And then deciding what templates I need to go apply helps you then develop applications that are secure and compliant as you move through the pipeline, right? Pushing those ideas into the IDE where it makes sense, right? But then having the right tools in the pipeline to do those scans, to do both those security and compliance checks. So when the code exits the pipeline into the environment, you can validate, yeah, we've shifted left on security and compliance. This code is good to go.

Great. Absolutely. I think you made the right remark on specifically how those common templates can be unique and benchmarked against different security requirements and data coming out from the regulations, from, you know, the industry specifically. Jim, what do you think about how your organization is specifically taking care of, you know, designing those common templates, and how it's unique to your organization?

Yeah, one interesting trend, you know, of course, with Kubernetes becoming the most popular container orchestration system today: it itself, you know, provides a layer of standardization across, you know, any infrastructure, any cloud provider, and gives developers a set of standard interfaces to deploy and manage their applications, right? Kubernetes also has been designed to be extensible. So I mean, even discussing golden paths, it's a great example of how a set of complex orchestration and scheduling behaviors can be codified, can be offered as a standard, but with the right extensibility through its declarative configuration management. And what we see there is, because of that extensibility, Kubernetes policy engines like Kyverno: we have over, like, 200, you know, sample policies in our community library for best practices, for security, for automation, and for other things, right? So this itself creates a good library of these standard templates, which really enables developers.
So now if, you know, a developer wants to create a Kubernetes deployment, and perhaps they're new to Kubernetes, they don't have to think about all the details. They're told right away in native tools that maybe the pod requires some health checks or probes or other configurations which are best practices in Kubernetes. So that, you know, is now made possible by these types of digital platforms and systems, which even five years ago we didn't have those advantages or capabilities.

Absolutely. So moving into the next question about, you know, specifically, maybe right now you can take that question. How should organizations go about securing the golden paths? What top security concerns, you know, should they address specifically? I just want to get your point from, you know, from any other perspective.

Yeah. So obviously, like I've mentioned, it's really important to have the platforms secured first, right? Every enterprise is a multi-cloud enterprise today, by choice or because they've been forced into it, because, you know, SaaS usage has increased over time as well. And so it's a complex ecosystem of cloud, cloud native, SaaS, and PaaS services. And some of it is managed platforms, some of them you have to manage yourself. So based on the risk tolerance of the organization, it's really important to define what those baseline controls are going to be in all platforms, regardless of who's using what application. And considering cloud and cloud-native platforms already provide you capabilities to micro-segment, right? Making sure you're isolating all your applications and you have controls in the platform itself, infrastructure as code when you're deploying, you know, a VPC or something, and appropriate security codes. The next is the common security controls: identity and access management. Every application, every component, every service, every API is going to need identity and access management, right? Then obviously asset management.
How are you going to manage all your assets? There are cloud platform assets, as well as the application workloads that are going to utilize the platform. Detection and response, right? How are you going to detect? There are some cloud-native tools available from the cloud providers, but they may be insufficient in some cases. You want to layer on additional detection tools, right? Cloud security posture management tools, you know, which are context aware, that can provide you, you know, the pulse of the platform itself. So that is giving you economies of scale, right? All application services will use common platforms. You can have tools to scan: CIS benchmarks, your image management flows, et cetera, everything; your repos, you know, making sure your repos are scanned, your appropriate segregation of duties in the repos and all that. And then comes the CI/CD pipeline. That is common to multiple applications. So whatever controls you want to build, common controls, you know, obviously there may be some unique applications which have unique policies, but still you can have your policy depot, and scanning tools can be integrated. Then you have bug bars, right? You enforce those bug bars through the CI/CD pipeline. There are some pain points still that need to be mitigated in the pipeline for the developers. For example, good scanning tools come up with a lot of vulnerabilities, right? How do you prioritize them? And based on the risk tolerance of your organization, you might need a mapping of, you know, what may be considered high in the industry, or what may be considered moderate in the industry but in your organization's risk tolerance is high. So that mapping, and then providing developers guidance as to which are the highest-criticality vulnerabilities they need to address before they can migrate forward. So these are the common controls that can be built into the platform and CI/CD pipeline, enforcing all the policies and controls as a baseline.
So we can continue to enhance, you know, other controls and policies.

Great. Thanks, Aradhna. I think you're right. So, Anil, just quickly, you know, to be mindful about the time over here, what are some of the guardrails, you know, specifically, that can be applied over here to bridge security and compliance? What do you think over there?

I'm going to double-click on what Aradhna said around controls, around APIs, having that standard baseline and the mappings, right? So, and then we've gone all in with a new standard that came out from NIST called Open Security Controls Assessment Language. There's this big movement of compliance as code, and trying to establish compliance as code leveraging a common standard or lexicon. So NIST has kind of taken the lead there, in collaboration with FedRAMP, and created this new machine-readable language that allows you to express those common controls across multiple catalogs in a standardized schema, and the associated assessments of those controls and the results of those controls and the issues and whatnot, right? All in one standard XML or JSON file, right? As opposed to 600-page Word docs that you have to do stare-and-compare exercises against, right? Not helpful for anyone. So, you know, from that standpoint, you know, really the rise of the API economy, being able to exchange information between systems, right? Allowing security tools to now talk to compliance tools, right? Leveraging an API-centric platform, leveraging a CI/CD pipeline. So as code goes through this pipeline, you can establish: here's the controls that matter to me, right? Here's the standard baseline. Here's the mapping of those controls to other standard catalogs and frameworks. Here's the security scans that come in. Take those scans, feed them to your compliance tool, right? In our case, RegScale, but, you know, whatever tool you might use, right? And output your documentation as code, OSCAL, right? That allows you to truly shift left security and compliance.
Leveraging standards like NIST OSCAL, push a button and you can make compliance as code real.

Absolutely. Jim, what do you think, from the policy perspective, are the security concerns, and how specifically can organizations, you know, secure those?

Yes, so every survey that's out there about security talks about, you know, misconfigurations being the number one problem, right? So starting with that, addressing that right up front, is a big win. And policies, digital policies, of course, codified in Kubernetes and enforced at admission time as well as runtime, can help dramatically with that. Then tying in other processes, you know, like vulnerability management, other things, into a Kubernetes and cloud-native way of doing things. So, you know, making sure GitOps tooling is available; Git becomes the new system of record and Kubernetes becomes the new system of engagement for developers, operators and security teams.

Great. Thank you so much, everyone, for, you know, discussing a very crucial aspect on securing the golden paths, and what concerns and challenges organizations are facing, what can be done, what guardrails can be applied. Thanks, everyone, for participating. In the last 10 minutes, I will have a quick Q&A and, you know, a follow-up final remark from each of the panelists. So, I will start with Liz, you know, a quick question about, you know, what a golden path means for the hybrid and multi-cloud environment. What do you think could be those pathways?

In terms of what I think, so for me, what a golden path truly means, what we're trying to build across organizations, is, you know, golden means that it's golden for everyone, right? Golden means that, like we said, we can enable developers to do their job. We can enable compliance teams to have the visibility of those standards, of how they're being met, of providing metrics.
So one thing that we didn't bring up, and I would say needs to be included in that golden path, is that observability. So as we're automating and building everything in, I believe we're also then able to build that observability of, you know, I can now prove that this application that's internet facing, or this application that I need to prove is NIST compliant, HIPAA compliant, PCI compliant and so on; I can easily identify those rather than relying on applications to self-identify: yes, I'm an internet application; yes, I have data that's impacted by GDPR; yes, I have data that's impacted by PCI. I think that's also one of the benefits of automating, of building templates, of building policies, is that you can then build that observability and see how the policies are being met. See, you know, maybe which policies are failing more across the board, and so then security teams can say, you know, why are these failing more? How can we enable developers more? How do we, you know, do we need to provide more templates, right? I know that that's one of the things that Aradhna has worked on in the past, is, you know, we've said we need to put those templates out there, because then developers say, okay, I know how to build a secure, you know, environment, you know, that's going to be a Kubernetes environment, that's going to be a serverless environment, that's going to go to this cloud environment and use this cloud product. So yes, I think observability really helps us across the board.

Thank you so much, Liz. So I know we have been just slow on time, so I will have each one of you take 30 seconds to conclude and, you know, provide your guidance and, you know, what cloud-native leaders can look at, what the organization can look into. Aradhna, why don't you start with the concluding remark?

So everything Anil, Liz and Jim said is important.
In addition, I would like to say automation, automation, automation: all security policies, all controls, all observability have to be automated through manual pathways. Thank you.

Yes, so, you know, I think what we're starting to see emerge here is, again, you know, leveraging systems like Kubernetes, cloud-native processes like GitOps, and really rethinking every IT process that we've had in the past around security and compliance, and moving to the as-code model, right? So leveraging best practices of version control, automation, some of these other items.

Perfect. Thank you.

So I'll end with an adage. If you don't know where you're going, any path will get you there. So, you know, really leveraging a golden path in an organization to say this is where we're going, bringing shift left into your environment and making that real, leveraging automation, leveraging technologies and capabilities and best practices to enable developers to solve real-world problems at the speed of business. That's the future. And if you haven't started, you better take that step today.