As organizations shift to agile development methodologies and the use of cloud-based platforms, they have the opportunity to leverage the cloud to improve their security practices. By adopting a DevSecOps approach, organizations can integrate security into the development lifecycle and take advantage of the scalability, flexibility, and automation capabilities of the cloud.
In this session, We will explore the benefits of leveraging the cloud for security in DevOps, and discuss the key principles of DevSecOps architecture, including collaboration, automation, and continuous integration and delivery. We will also examine the role of security tools and technologies, such as static code analysis, dynamic testing, and vulnerability management, in the DevSecOps process, and discuss how these tools can be effectively deployed in a cloud environment.
In addition, I will provide practical guidance and strategies on how organizations can implement the latest DevSecOps strategies in their cloud environments. This will include a discussion of best practices for integrating security into the development process, such as setting up security gates, implementing security testing early in the development process, and automating security checks.
Overall, this session will highlight the benefits of leveraging the cloud for improved security in DevOps, and provide practical guidance with the latest cloud technologies on how to implement DevSecOps effectively in a cloud environment.
People are under the impression that when you spin up the latest and greatest AKS, EKS, OpenShift or GKE instance, that you're secure. However with K8S, now more than ever the workload underneath matters. One privileged, neglected, container can compromise an entire setup. Rather than just talking about the risks or best practices, this talk is all about showing how easy it is to do.
The talk will first discuss possible attack paths in the Kubernetes cluster, and what differences exist in the attack techniques compared to classic infrastructures. For this purpose, a web application in a container will be compromised, then the Kubernetes cluster and the cloud account. Subsequently, 2 open-source tools will be discussed how such vulnerabilities and misconfigurations can be detected in the different infrastructure layers.
Serverless technology eliminates the need for development teams to provision servers, and it also results in some security threats being passed to the cloud provider. This frees up developers to concentrate on building logic and producing value quickly. But cloud functions still execute code. If the software is written poorly, it can lead to a cloud disaster.
How can developers ensure that their code is secure enough? They can scan for common vulnerabilities and exposures (CVEs) in open-source code. They can even scan their Infrastructure-as-Code (IaC) tool to identify insecure configurations. But what about custom code? At many organizations, the application security team struggles to keep up with the speed of development in a serverless environment. Traditional testing tools not only provide very limited coverage, but also slow development cycles unacceptably. Serverless code contains a mixture of cloud configurations and application programming interfaces (API) calls. As a result, legacy solutions lack the context that is necessary in a serverless environment, and the consequence is a lack of observability and slower response times.
Fortunately, it does not have to be this way. Organizations can leverage robust security during serverless development, automatically—if it is done properly. In this talk, we will discuss common risks in serverless environments. We will then cover existing testing methodologies and why they do not work well for serverless. Finally, we will present a new, completely frictionles