Ben Rockwood, November 24, 2022, 4 min read

Top 5 Security Themes from Kubecon North America 2022


KubeCon + CloudNativeCon North America 2022 may have come and gone but the learning should never end! We had a great time at the show and appreciated everyone who stopped by our booth to say hello and learn more about Mondoo.


Mondoo came to Kubecon with a host of big announcements and features, but none more exciting than the release of our open source projects, cnquery and cnspec!

Get started with cnspec today.


Security should be holistic, end to end, which is why Mondoo applies policy across your entire SDLC: from the developer's laptop, to source code and source repositories, to clouds, to Kubernetes nodes, workloads, and clusters, and everything in between! We were excited to see a strong focus on security within the Cloud Native ecosystem, so before we say goodbye to Detroit 2022 we wanted to share with you our Top 5 Security Themes from the event.

5. The rise of SigStore

SigStoreCon NA was held on Tuesday the 25th, before the main event, to much fanfare. Of all the announcements during Kubecon NA 2022, none was more universally heralded than the announcement that SigStore was going GA.

The Sigstore trio of Cosign, Fulcio and Rekor come together beautifully in Cosign 1.x and strongly align with Mondoo’s belief in validating everything. This is a project we will continue to watch, and we encourage anyone who hasn’t heard of the project to begin digging in.  

Watch Luke Hinds's SigStoreCon NA Keynote, The Meteoric Rise of Sigstore. All the other conference talks are also available in a playlist on YouTube.


4. SBOMs, SBOMs everywhere

Software Bills of Materials (SBOMs) have been a hot topic in supply chain security for the last year or so, but interest boiled over into mania when President Biden signed Executive Order 14028, “Improving the Nation’s Cybersecurity”, which mandates:

“providing a purchaser a Software Bill of Materials (SBOM) for each product directly or by publishing it on a public website”

Discussions of SBOMs were heard in many of the Kubecon talks but a particularly great introduction to the topic was SBOM X-Ray Superpowers: Making Better SBOMs, Using SBOMs from our friends at Anchore, makers of Syft:


3. The future of supply chain security 

SBOMs are frequently compared to food labels, providing useful details about what's in a package and all its ingredients (dependencies). But ingredients alone aren’t enough. Consider a drug manufacturer: they need to track not just the ingredients but every detail about the production of each of those ingredients, because the downstream impact of any defect is tremendous. This data is known as provenance, and generating it is the goal of Prof. Santiago Torres-Arias’s in-toto project.

Hear Santiago provide an introduction and update to the project in his talk, Achieving End-To-End Software Supply Chain Security With in-toto.


With all this information now being produced from supply chains, a new problem appears: How do we make sense of all this data? Santiago’s second talk at Kubecon answers that question: It’s Dangerous To SLSA Alone Out There! Take This Artifact Knowledge Graph!

In this presentation, he and Michael Lieberman introduce GUAC, the Graph for Understanding Artifact Composition. While this technology is still very young, it points clearly to the future of supply chain security and to the artifacts we will come to expect from vendors.


2. Hacking for fun and team building!

If you’ve seen Mondoo CISO Patrick Munch’s presentations on Hacking Kubernetes, you know that we love to break (into) things. Lewis Denham-Parry and Natalia Reka Ivanko gave a great talk about how you can implement Capture The Flag (CTF) security events within your own organization to share security knowledge in a fun and engaging way. 


1. Fuzzing all the things 

Fuzzing is the process of feeding applications unexpected, malformed, or random input to surface crashes and other unexpected behavior. We were excited to see two excellent talks on the topic to help everyone in the Cloud Native world take up the practice of fuzzing our software.

In Fuzzing Session: Finding Bugs and Vulnerabilities Automatically, David and Adam Korczynski provide an actionable path to fuzzing for any organization.

Follow that up with Teju Nareddy of Google’s Lightning Talk, Securing Envoy: Catching Vulnerabilities With Continuous Fuzz Testing, which provides an excellent case study on the practice. Teju also shares details about Google’s free service, OSS-Fuzz, that is being widely embraced by CNCF projects.


What's next?

In the immortal words of Q from the final episode of TNG, “The trial never ends.” Hackers are getting more sophisticated every day and new vulnerabilities are appearing faster than organizations can address them. But, thanks to cnquery and cnspec, you’re armed with tools to level the playing field, being ever vigilant about your security posture and readiness. We hope that some of the talks above encourage you to expand your knowledge and empower your security programs to tackle the new challenges on the horizon.

Lots of events are coming up soon. We’re particularly excited about CloudNativeSecurityCon 2023 taking place in Seattle. We hope to see you there!

Get started with cnspec today.


Ben Rockwood

Ben Rockwood is the VP of Engineering & Operations at Mondoo. He helped build the first Infrastructure as a Service cloud at Joyent in 2005 and became an influential voice in the DevOps movement since it began in 2009. He’s also helped advance operations, security, and compliance at Chef, Packet, and Equinix. He lives on Bainbridge Island near Seattle.