By Jennifer Bly, OpenSSF
Next week we’re heading to the first-ever standalone CloudNativeSecurityCon North America, put on by the Cloud Native Computing Foundation (CNCF) in Seattle, WA. This event brings together application developers and security experts to propose solutions to security challenges, to explore cutting-edge projects, and to discuss advances in modern security approaches. It is designed to foster collaboration, discussion, and knowledge sharing of developer-first cloud native security practices, and to cover topics like architecture and policy, secure software development, supply chain security, identity and access, forensics, and more.
CloudNativeSecurityCon takes place on February 1-2, 2023 in Seattle, WA. The agenda is packed with lots of great content, and here are a few sessions you won’t want to miss.
- Fighting The Next War – Future Threats to OSS and Software Supply Chain Security – Brian Behlendorf, General Manager, Open Source Security Foundation (OpenSSF)
- Wednesday, February 1 • 9:15am – 9:30am
- Buffer overflows, typo-squatting, leaked credentials – many of the biggest problems in securing software today are the same greatest hits since the 1990s. More or less once a year we see a novel kind of security attack, taking advantage of some new centralized service, a weakness we incorrectly assumed could not be exploited, or a new IT advancement that changes everything. As a keynote speech given at a 2023 Q1 conference, we are now legally required to mention ChatGPT, but ignoring the hype, the prospect of AI enabling uncanny spearphishing or automating mass pull requests with backdoors seems much less sci-fi today than it would have a year ago. What other new kinds of attacks could emerge, and what should OSS projects do to prepare?
- Cloud Native Security Landscape: Myths, Dragons, and Real Talk – Edd Wilder-James & Loris Degioanni, Sysdig; Kim Lewandowski, Chainguard; Isaac Hepworth, Google; Randall Degges, Snyk
- Wednesday, February 1 • 1:55pm – 2:30pm
- The open source security landscape is moving fast, and affects you at all parts of the software lifecycle, from creating open source, to consuming it, to remedying vulnerabilities and detecting threats at runtime. The sheer number of moving parts represents great progress, but is challenging when it comes to knowing what to prioritize. Do you like GUAC with your SLSA? Are you equipped to handle the latest OSS vulnerabilities? This panel will discuss where you should pay attention, what’s real now, and what’s coming in the future. Topics will include:
- From design-time to run-time: security is a multi-layer concern. Progress is being made in securing cloud native all along the software development lifecycle; what are the most important projects to know about?
- It’s about the people, naturally: we’re being told to “shift left” security focus to the developer, but are we ready for it? What are the challenges of connecting the security teams to developers and architects, and what really works?
- What is real, what is myth? The field is full of hot takes, from grand ideas that won’t take off, to draconian policies that throw the baby out with the bathwater. Where are the real risks, and how do you deal with the myths and the scares?
- 🦝 Let’s Talk Software Supply Chains with TAG Security – Michael Lieberman, Kusari
- Wednesday, February 1 • 2:45pm – 3:20pm
- The supply chain security working group has been working to provide guidance and resources for projects looking to improve their supply chain security. In this talk, we will discuss the outputs of this working group, including the Software Supply Chain Security Whitepaper, catalog of supply chain compromises, and our reference architecture for a secure supply chain. We will also discuss our recent survey about supply chain security, and have interactive discussions about next steps for this working group. Bring your questions and ideas about supply chain security!
- How Do You Trust Your Open Source Software? – Naveen Srinivasan, Endor Labs & Brian Russell, Google
- Wednesday, February 1 • 3:50pm – 4:25pm
- Open source demand continues to explode, and the processes used to run, test, and maintain these projects are largely opaque. This lack of transparency makes it challenging for project consumers, including large companies, to assess the risk and make informed decisions about using and maintaining open-source components. In this talk, we will introduce a tool developed by the OpenSSF: Scorecards. Most software is built with hundreds if not thousands of dependencies and transitive dependencies. Knowing the health of these dependencies in your software is a daunting task. How do you know which dependencies are maintained? When a new dependency is included, wouldn’t it be nice to get a score of the dependency’s health? Enter OpenSSF Scorecard. By attending this session, you will learn how to trust an open source project based on Scorecard results. Additionally, you will learn how to automate Scorecards by incorporating them into your development toolchain (just add an API call!). Using this knowledge, you’ll be able to build a simple dependency policy for your open-source dependencies. What has changed since our last presentation is Scorecard’s new API capabilities, which can be used to apply this at scale.
- It Takes a Community to Raise a Conference: From Security Day to CloudNativeSecurityCon – Emily Fox, Security Engineer, Apple
- Thursday, February 2 • 9:25am – 9:40am
- Our baby colo has grown up and ventured out on its own! How did this happen? They grow up so fast! In less than 4 years we’ve held 7 events in Europe and North America — reaching thousands of practitioners online and in person. All from a community member’s idea and the passionate volunteers that pulled together to make it real. Emily will share her experience coordinating Security Day – now grown into CloudNativeSecurityCon – and her aspirations for the future of this conference and cloud native security.
- SBOMs, VEX, and Kubernetes – Kiran Kamity, Deepfactor; Jonathan Meadows, Citi; Dr. Allan Friedman, Cybersecurity and Infrastructure Security Agency; Andrew Martin, Control Plane; Rose Judge, VMware
- Thursday, February 2 • 11:00am – 11:35am
- Software supply chain security is rapidly becoming critical to overall security. Software Bill of Materials (SBOM) formats are standardizing around CycloneDX, SPDX, and others. VEX (Vulnerability Exploitability eXchange) is emerging as a standardized companion to SBOMs to help determine whether a vulnerability is exploitable. For Kubernetes app developers, how do we address the supply chain problem? This panel discusses the practical and operational aspects of gathering, using, and handling SBOMs for containers: both those running on Kubernetes and the underlying images that comprise Kubernetes itself. We will cover use cases from open source projects, through vendors and cloud providers, to the use of SBOMs in highly regulated environments including financial services and critical national infrastructure. Panelists include experts and practitioners with deep expertise in SBOMs, VEX, supply chain security, and cloud native application security.
- Not All That’s Signed Is Secure: Verify the Right Way with TUF and Sigstore – Zachary Newman, Chainguard, Inc. & Marina Moore, New York University
- Thursday, February 2 • 3:50pm – 4:25pm
- It’s easy to think that because more developers are signing software, the consumers of that software are necessarily more secure. However, a signature is only useful if verified correctly. One common failure mode is to verify that some software was signed, but not check who signed it. This means that you’ll treat a signature from firstname.lastname@example.org the same as a signature from yourself! We want to check that software came from the right person, but how do we know who that is? In this talk, Marina Moore and Zachary Newman will show how you can answer that question, securely. First, use Sigstore to make signing easy. Then, use CNCF projects The Update Framework (TUF) and in-toto to concretely improve security of open source package repositories, internal container registries, and everything in between. Cut through the hype and see how to sign software in order to increase security. Learn what signing can do—and what it can’t. With this knowledge, you can design appropriate verification policies for your project or organization. You’ll also learn how the open source software repositories you depend on are adopting these techniques to ensure that the code you download comes from the authors you expect.
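The Scorecard session above mentions building a simple dependency policy on top of Scorecard results. The following Go program is an added example written for this post, not code from the Scorecard project: it decodes a Scorecard result document (the JSON shape, with an aggregate `score` and per-check `checks[].score`, is the one the `scorecard` CLI and its public API emit), then applies a consumer-chosen policy of an aggregate floor plus minimum scores on selected checks. The repository names, scores and thresholds are constructed for the example; in practice you would feed in the result fetched for each dependency.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// ScorecardResult is the subset of a Scorecard result document this policy
// needs: the aggregate score and the per-check scores.
type ScorecardResult struct {
	Repo struct {
		Name string `json:"name"`
	} `json:"repo"`
	Score  float64 `json:"score"`
	Checks []struct {
		Name  string `json:"name"`
		Score int    `json:"score"` // 0-10, or -1 when the check was inconclusive
	} `json:"checks"`
}

// DependencyPolicy holds the thresholds a consumer chooses: a minimum
// aggregate score and minimum scores for the checks it cares about most.
type DependencyPolicy struct {
	MinScore  float64
	MinChecks map[string]int
}

// ParseResult decodes one Scorecard result document.
func ParseResult(data []byte) (ScorecardResult, error) {
	var r ScorecardResult
	if err := json.Unmarshal(data, &r); err != nil {
		return r, fmt.Errorf("decoding scorecard result: %w", err)
	}
	return r, nil
}

// Evaluate applies the policy and returns whether the dependency is accepted,
// plus a sorted list of reasons when it is not. A check that is missing or
// inconclusive counts as a failure rather than being silently skipped.
func Evaluate(p DependencyPolicy, r ScorecardResult) (bool, []string) {
	var failures []string
	if r.Score < p.MinScore {
		failures = append(failures, fmt.Sprintf("aggregate score %.1f below minimum %.1f", r.Score, p.MinScore))
	}
	got := make(map[string]int, len(r.Checks))
	for _, c := range r.Checks {
		got[c.Name] = c.Score
	}
	for name, min := range p.MinChecks {
		score, ok := got[name]
		switch {
		case !ok:
			failures = append(failures, fmt.Sprintf("%s: check absent from result", name))
		case score < 0:
			failures = append(failures, fmt.Sprintf("%s: inconclusive", name))
		case score < min:
			failures = append(failures, fmt.Sprintf("%s: score %d below minimum %d", name, score, min))
		}
	}
	sort.Strings(failures)
	return len(failures) == 0, failures
}

// Constructed sample results in the shape of a Scorecard result document; the
// repository names and scores are made up for this example.
var (
	healthyResult = []byte(`{"repo":{"name":"github.com/example-org/healthy-lib"},"score":8.4,
	  "checks":[{"name":"Branch-Protection","score":8},{"name":"Pinned-Dependencies","score":9},
	            {"name":"Signed-Releases","score":10},{"name":"Maintained","score":10}]}`)
	riskyResult = []byte(`{"repo":{"name":"github.com/example-org/risky-lib"},"score":4.1,
	  "checks":[{"name":"Branch-Protection","score":2},{"name":"Pinned-Dependencies","score":-1},
	            {"name":"Maintained","score":0}]}`)
)

// ExamplePolicy is a constructed starting point: a modest aggregate floor and
// firmer minimums on the checks most tied to supply chain tampering.
var ExamplePolicy = DependencyPolicy{
	MinScore: 6.0,
	MinChecks: map[string]int{
		"Branch-Protection":   5,
		"Pinned-Dependencies": 7,
		"Signed-Releases":     8,
	},
}

func main() {
	for _, raw := range [][]byte{healthyResult, riskyResult} {
		r, err := ParseResult(raw)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		ok, reasons := Evaluate(ExamplePolicy, r)
		fmt.Printf("%s: accepted=%v\n", r.Repo.Name, ok)
		for _, reason := range reasons {
			fmt.Println("  -", reason)
		}
	}
}
```

The policy deliberately treats an absent or inconclusive check as a failure: a dependency that cannot be assessed should be reviewed by a person, not waved through because a number happened to be missing.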
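The TUF and Sigstore session above describes the failure mode of checking that software was signed without checking who signed it. The following Go program is an added example for this post, not code from Sigstore, TUF or in-toto: it contrasts a verifier that trusts whatever public key ships alongside the artifact with one that verifies against the key a local trust policy binds to the identity the consumer expects. Keys, identities and payloads are generated or constructed in the program; `maintainer@example.org` is an assumed identity used only for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedArtifact is what a consumer downloads: the payload, a signature, and
// the public key the distributor claims produced it. Because the key travels
// with the artifact, whoever replaces the payload can replace the key too.
type SignedArtifact struct {
	Payload   []byte
	Signature []byte
	SignerKey ed25519.PublicKey
}

// TrustPolicy binds the identities a consumer expects (for example a release
// maintainer) to the keys it has decided, out of band, to trust for them.
type TrustPolicy map[string]ed25519.PublicKey

// Sign produces an artifact that carries the signer's own public key.
func Sign(priv ed25519.PrivateKey, payload []byte) SignedArtifact {
	return SignedArtifact{
		Payload:   payload,
		Signature: ed25519.Sign(priv, payload),
		SignerKey: priv.Public().(ed25519.PublicKey),
	}
}

// VerifyAnySigner is the failure mode from the session abstract: it confirms
// the artifact was signed by the key it carries, but never asks whose key it is.
func VerifyAnySigner(a SignedArtifact) bool {
	return ed25519.Verify(a.SignerKey, a.Payload, a.Signature)
}

// VerifyExpectedSigner ignores the key shipped with the artifact and verifies
// against the key the policy binds to the identity the consumer expects.
func VerifyExpectedSigner(p TrustPolicy, expected string, a SignedArtifact) bool {
	key, ok := p[expected]
	if !ok {
		return false // unknown identity: nothing trustworthy to verify against
	}
	return ed25519.Verify(key, a.Payload, a.Signature)
}

// DemoResult records what each verifier accepts for a genuine release and for
// an impostor release signed with an unrelated key.
type DemoResult struct {
	NaiveAcceptsGenuine, NaiveAcceptsImpostor   bool
	PolicyAcceptsGenuine, PolicyAcceptsImpostor bool
}

// Demo builds both artifacts (constructed payloads, freshly generated keys)
// and runs them through the two verifiers.
func Demo() (DemoResult, error) {
	maintPub, maintPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return DemoResult{}, err
	}
	_, impostorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return DemoResult{}, err
	}
	policy := TrustPolicy{"maintainer@example.org": maintPub} // assumed identity

	genuine := Sign(maintPriv, []byte("release-1.2.3.tar.gz contents"))
	impostor := Sign(impostorPriv, []byte("release-1.2.3.tar.gz tampered contents"))

	return DemoResult{
		NaiveAcceptsGenuine:   VerifyAnySigner(genuine),
		NaiveAcceptsImpostor:  VerifyAnySigner(impostor),
		PolicyAcceptsGenuine:  VerifyExpectedSigner(policy, "maintainer@example.org", genuine),
		PolicyAcceptsImpostor: VerifyExpectedSigner(policy, "maintainer@example.org", impostor),
	}, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		fmt.Println("key generation failed:", err)
		return
	}
	fmt.Printf("%+v\n", r)
}
```

The naive verifier accepts both artifacts because each is a valid signature under the key it brought with it; only the policy-driven verifier rejects the impostor. Sigstore, TUF and in-toto generalize the `TrustPolicy` map here into signed, revocable metadata about who is allowed to sign what, which is the part the talk covers.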
Plus a few Lightning Talks to put a little zip in your step on the afternoon of February 1st:
- Software Dark Matter is the Enemy of Software Transparency – Santiago Torres-Arias, Purdue University
- My First Supply Chain Security Pull Request as a 13-Year-Old – Neil Naveen, Middle School
- Securing Your Source Repositories – 5 Tips to Get Started! – Billy Lynch, Chainguard
Stop by the OpenSSF Booth
If you’ll be at CloudNativeSecurityCon, visit our booth P5 in the sponsor showcase to discuss what the OpenSSF is up to and how you can get involved in securing the open source supply chain. We’ll have community members available to discuss what they’re working on, recent accomplishments, and future plans. Come chat with us about your interests and we’ll help you find a place to contribute or propose new ideas. See you in Seattle!