KubeCon + CloudNativeCon North America 2022 may have come and gone but the learning should never end! We had a great time at the show and appreciated everyone who stopped by our booth to say hello and learn more about Mondoo.
Security should be holistic, from end to end, which is why Mondoo applies policy to your entire SDLC, from the developer's laptop to source code to source repositories to clouds to Kubernetes nodes, workloads, and clusters and everything in between! We were excited to see a strong focus on security within the Cloud Native ecosystem, and so before we say goodbye to Detroit 2022 we wanted to share with you our Top 5 Security Themes from the event.
5. The rise of Sigstore
SigstoreCon NA was held on Tuesday the 25th, before the main event, to much fanfare. Of all the announcements during KubeCon NA 2022, none were more universally heralded than the announcement that Sigstore was going GA.
The Sigstore trio of Cosign, Fulcio and Rekor come together beautifully in Cosign 1.x and strongly align with Mondoo’s belief in validating everything. This is a project we will continue to watch, and we encourage anyone who hasn’t heard of the project to begin digging in.
Watch Luke Hinds's SigstoreCon NA keynote, The Meteoric Rise of Sigstore. All the other conference talks are also available in a playlist on YouTube.
4. SBOMs, SBOMs everywhere
Software Bills of Materials (SBOMs) have been a hot topic in supply chain security for the last year or so, but interest boiled over into mania when President Biden signed Executive Order 14028, “Improving the Nation’s Cybersecurity”, which mandates:
“providing a purchaser a Software Bill of Materials (SBOM) for each product directly or by publishing it on a public website”
Discussions of SBOMs were heard in many of the KubeCon talks, but a particularly great introduction to the topic was SBOM X-Ray Superpowers: Making Better SBOMs, Using SBOMs from our friends at Anchore, makers of Syft.
3. The future of supply chain security
SBOMs are frequently compared to food labels, providing useful details about what's in a package and all its ingredients (dependencies). But ingredients alone aren’t enough. Consider a drug manufacturer: they need to track not just the ingredients but every detail about the production of each of those ingredients, because the downstream impact of any defect is tremendous. This data is known as provenance, and its generation is the goal of Prof. Santiago Torres-Arias’s in-toto project.
Hear Santiago provide an introduction to and update on the project in his talk, Achieving End-To-End Software Supply Chain Security With in-toto.
With all this information now being produced from supply chains, a new problem appears: how do we make sense of all this data? Santiago’s second talk at KubeCon answers that question: It’s Dangerous To SLSA Alone Out There! Take This Artifact Knowledge Graph!
In this presentation, he and Michael Lieberman introduce GUAC, the Graph for Understanding Artifact Composition. While this technology is still very young, it points clearly to the future of supply chain security and the artifacts we expect from vendors in the future.
2. Hacking for fun and team building!
If you’ve seen Mondoo CISO Patrick Munch’s presentations on Hacking Kubernetes, you know that we love to break (into) things. Lewis Denham-Parry and Natalia Reka Ivanko gave a great talk about how you can implement Capture The Flag (CTF) security events within your own organization to share security knowledge in a fun and engaging way.
1. Fuzzing all the things
Fuzzing is the practice of feeding an application large volumes of malformed, random, or otherwise unexpected input and watching for unexpected outcomes such as crashes, hangs, or memory errors. We were excited to see two excellent talks on the topic to help everyone in the Cloud Native world take up the practice of fuzzing our software.
In Fuzzing Session: Finding Bugs and Vulnerabilities Automatically, David and Adam Korczynski provide an actionable path to fuzzing for any organization.
Follow that up with Teju Nareddy of Google’s Lightning Talk, Securing Envoy: Catching Vulnerabilities With Continuous Fuzz Testing, which provides an excellent case study on the practice. Teju also shares details about Google’s free service, OSS-Fuzz, that is being widely embraced by CNCF projects.
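The mutate-and-check loop behind fuzzing, as an added Go example (not code from the talks, OSS-Fuzz, or Mondoo): a constructed header-line parser that trusts its input, the corrected version, and a minimal mutation fuzzer with a fixed RNG seed that reports the first input making the parser panic. Go's native fuzzing (go test -fuzz) and OSS-Fuzz add coverage feedback and corpus management on top of this basic idea.

```go
package main
import (
	"fmt"
	"math/rand"
	"strings"
)

// parseHeaderBuggy splits an HTTP-style "Name: value" line but trusts its shape, so
// "host" or "host:" index out of range and panic: a constructed defect, not a talk's code.
func parseHeaderBuggy(line string) (string, string) {
	i := strings.Index(line, ":")
	return line[:i], line[i+2:]
}
// parseHeaderFixed handles the same lines without trusting their shape; no colon, no value.
func parseHeaderFixed(line string) (string, string) {
	name, value, _ := strings.Cut(line, ":")
	return strings.TrimSpace(name), strings.TrimSpace(value)
}
// mutate derives one new input from a seed: truncate it or corrupt a single byte.
func mutate(rng *rand.Rand, s string) string {
	b := []byte(s)
	if rng.Intn(2) == 0 || len(b) == 0 {
		return string(b[:rng.Intn(len(b)+1)])
	}
	b[rng.Intn(len(b))] = byte(rng.Intn(256))
	return string(b)
}

// crashed reports whether parse panics on in; the panic is the "unexpected outcome".
func crashed(parse func(string) (string, string), in string) (panicked bool) {
	defer func() { panicked = recover() != nil }()
	parse(in)
	return false
}

// fuzz runs the mutate-and-check loop (fixed RNG seed, so reproducible) and returns the first crashing input, or "".
func fuzz(parse func(string) (string, string), seeds []string, iterations int) string {
	rng := rand.New(rand.NewSource(1))
	for n := 0; n < iterations; n++ {
		if in := mutate(rng, seeds[rng.Intn(len(seeds))]); crashed(parse, in) {
			return in
		}
	}
	return ""
}

func main() {
	seeds := []string{"host: example.com", "content-length: 42"} // constructed seed corpus
	fmt.Printf("buggy parser crashed on %q\n", fuzz(parseHeaderBuggy, seeds, 500))
}
```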
In the immortal words of Q from the final episode of TNG, “The trial never ends.” Hackers are getting more sophisticated every day and new vulnerabilities are appearing faster than organizations can address them. But, thanks to cnquery and cnspec, you’re armed with tools to level the playing field, being ever vigilant about your security posture and readiness. We hope that some of the talks above encourage you to expand your knowledge and empower your security programs to tackle the new challenges on the horizon.
Lots of events are coming up soon. We’re particularly excited about CloudNativeSecurityCon 2023 taking place in Seattle. We hope to see you there!