Scientific research is the foundation of many innovative solutions in any field. Did you know that Dynatrace runs its own Research Lab on the campus of the Johannes Kepler University (JKU) in Linz, Austria, just 2 kilometers away from our global engineering headquarters? What started in 2020 has grown to 20 full-time researchers and many more students who do research on topics such as GenAI, Agentic AI, Log Analytics, Processing of Large Data Sets, Sampling Strategies, Cloud Native Security, and Memory and Storage Optimizations.
Tune in and hear from Otmar and Martin how they are researching the N+2 generation of Observability and AI, how they are contributing to open source projects such as OpenTelemetry, and what their predictions are for when AI finally takes control of us humans!
To learn more about their work, check out these links:
Martin's LinkedIn: https://www.linkedin.com/in/mflechl/
Otmar's LinkedIn: https://www.linkedin.com/in/otmar-ertl/
Dynatrace Research Lab: https://careers.dynatrace.com/locations/linz/#__researchLab
Sysdig's 2025 Cloud-Native and Security Usage Report is hot off the presses, and Corey has questions. On this episode, he's joined by Crystal Morin, a Cybersecurity Strategist at Sysdig, to break down the trends of the past year. They discuss Sysdig's approach to detecting and responding to security threats and the success the company has seen with the rollout of Sysdig Sage (an AI product that Corey thinks is actually useful). They also chat about what's driving a spike in machine identities, practical hygiene in cloud environments, and the crucial importance of automated responses to maintaining robust security in the face of increasingly sophisticated cyber threats.
Show Highlights
(0:00) Intro
(0:39) Sysdig sponsor read
(2:22) Explaining Sysdig's 5/5/5 Benchmark
(4:06) What does Sysdig's work entail?
(10:03) Cloud security trends that have changed over the last year
(14:30) Sysdig sponsor read
(15:16) How Sysdig is using AI in its security products
(19:09) How many users are adopting AI tools like Sysdig Sage
(25:51) The reality behind the recent spike of machine identities in security
(29:24) Handling the scaling of machine identities
(35:37) Where you can find Sysdig's 2025 Cloud-Native and Security Usage Report
About Crystal Morin
Crystal Morin is a Cybersecurity Strategist with more than 10 years of experience in threat analysis and research. Crystal started her career as both a Cryptologic Language Analyst and Intelligence Analyst in the United States Air Force and as a contractor for Booz Allen Hamilton, where she helped develop and evolve their cyber threat intelligence community and threat-hunting capabilities. In 2022, Crystal joined Sysdig as a Threat Research Engineer on the Sysdig Threat Research Team, where she worked to discover and analyze cyber threat actors taking advantage of the cloud. Today, Crystal bridges the gap between business and security through cloud-focused content for leaders and practitioners alike.
Crystal's thought leadership has been foundational for pieces such as the "2024 Cloud-Native Security and Usage Report" and "Cloud vs. On-Premises: Unraveling the Mystery of the Dwell Time Disparity," among others.
Links
Sysdig's 2025 Cloud-Native and Security Usage Report: https://sysdig.com/2025-cloud-native-security-and-usage-report/
Sysdig on LinkedIn: https://www.linkedin.com/company/sysdig/
Crystal's LinkedIn: https://www.linkedin.com/in/crystal-morin/
Sponsor
Sysdig: https://sysdig.com/
Is having a CSPM enough for Cloud Security? At RSA Conference 2024, Ashish sat down with returning guest Jimmy Mesta, Co-Founder and CTO of RAD Security, to talk about the complexities of Kubernetes security and why traditional Cloud Security Posture Management (CSPM) sometimes falls short in a Kubernetes-centric world. We speak about the significance of behavioural baselining, the limitations of signature-based detection, the role of tools like eBPF in enhancing real-time security measures, the importance of proactive security measures, and the need for a paradigm shift from reactive alert-based systems to a quieter and more efficient operational model.
Guest Socials: Jimmy's LinkedIn
Podcast Twitter - @CloudSecPod
If you want to watch videos of this LIVE STREAMED episode and past episodes, check out our other Cloud Security Social Channels:
- Cloud Security Podcast - YouTube
- Cloud Security Newsletter
- Cloud Security BootCamp
Questions asked:
(00:00) Introduction
(03:12) A bit about Jimmy Mesta
(03:48) What is Cloud Native Security?
(05:15) How is Cloud Native different to the traditional approach?
(07:37) What is eBPF?
(09:12) Why should we care about eBPF?
(11:51) Separating the signal from the noise
(13:48) Challenges on moving to Cloud Native
(15:58) Proactive Security in 2024
(17:02) Who's monitoring Cloud Native alerts?
(23:10) Getting visibility into the complexities of Kubernetes
(24:24) Skillsets and Resources for Kubernetes Security
(27:54) The Fun Section
Resources mentioned during the interview: OWASP Kubernetes Top Ten
How are modern cloud-native environments changing the way we handle security? Liz Rice, Chief Open Source Officer at Isovalent, explains why traditional IP-based network policies are becoming outdated and how game-changers like Cilium and eBPF, which leverage Kubernetes identities, offer more effective and readable policies. We also discuss the role of community-driven projects under the CNCF, and she shares tips for creating strong, future-proof solutions. What challenges should we expect next? Tune in to find out!
Liz Rice is Chief Open Source Officer with eBPF specialists Isovalent, creators of the Cilium cloud native networking, security and observability project. She is the author of Container Security and Learning eBPF, both published by O'Reilly, and she sits on the CNCF Governing Board and on the Board of OpenUK. She was Chair of the CNCF's Technical Oversight Committee in 2019-2022, and Co-Chair of KubeCon + CloudNativeCon in 2018.
She has a wealth of software development, team, and product management experience from working on network protocols and distributed systems, and in digital technology sectors such as VOD, music, and VoIP. When not writing code, or talking about it, Liz loves riding bikes in places with better weather than her native London, competing in virtual races on Zwift, and making music under the pseudonym Insider Nine.
In this episode, Jim and Jeff welcome back Sandy Bird, the CTO and Co-Founder of Sonrai Security, for a sequel to their first sponsor spotlight. Sandy returns to discuss the groundbreaking Cloud Permissions Firewall with Permissions on Demand. The trio dives into how this new solution revolutionizes the way organizations can clamp down on excessive cloud permissions, streamline operations, and secure their cloud environments with unprecedented speed and efficiency. The discussion illuminates the concept of "default deny," the exhilaration of zapping "zombie" identities, and the seamless integration with cloud native tools. Sandy also shares insights on how customers can measure success with Sonrai's solution and the significant security benefits provided. For a visual walkthrough of Sonrai's Cloud Permissions Firewall, visit http://sonrai.co/idac to see the demo in action and learn how you can try it out with a 14-day free trial. And if you're at RSA, AWS re:Inforce, or Gartner IAM, look for the Sonrai Security booth and experience the epiphany moment for yourself. Connect with Sandy on LinkedIn: https://www.linkedin.com/in/sandy-bird-835b5576 Learn more about Sonrai Security: https://sonrai.co/idac Introducing the Cloud Permissions Firewall (YouTube): https://www.youtube.com/watch?v=ffQbM6KGDbY Connect with us on LinkedIn: Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/ Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/ Visit the show on the web at idacpodcast.com and follow @IDACPodcast on Twitter. 
Episode Keywords: Identity and Access Management (IAM), Cloud Security, AWS, Azure, GCP (Google Cloud Platform), Least Privilege, Identity Risk, Cloud Permissions Firewall, Infrastructure as Code, Security Operations (SecOps), Cloud Operations (CloudOps), Permissions Management, Excessive Privileges, Zombie Identities, Identity Governance, Access Analyzer, Sensitive Permissions, Role-Based Access Control (RBAC), Service Control Policies (SCP), Cloud Native Security
A supply chain attack targets Python developers. Russia targets German political parties. Romanian and Spanish police dismantle a cyber-fraud gang. Pwn2Own prompts quick patches from Mozilla. President Biden nominates the first assistant secretary of defense for cyber policy at the Pentagon. An influential think tank calls for a dedicated cyber service in the US. Unit 42 tracks a StrelaStealer surge. GM reverses its data sharing practice. Our guest is Anna Belak, Director of the Office of Cybersecurity Strategy at Sysdig, who shares trends in cloud-native security. And a Fordham Law School professor suggests AI creators take a page from medical doctors. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
CyberWire Guest
Guest Anna Belak, Director of the Office of Cybersecurity Strategy at Sysdig, shares trends in cloud-native security. To learn more, you can check out Sysdig's 2024 Cloud-Native Security and Usage Report.
Selected Reading
Top Python Developers Hacked in Sophisticated Supply Chain Attack (SecurityWeek)
Russian hackers target German political parties with WineLoader malware (Bleeping Computer)
Police Bust Multimillion-Dollar Holiday Fraud Gang (Infosecurity Magazine)
Mozilla Patches Firefox Zero-Days Exploited at Pwn2Own (SecurityWeek)
Biden nominates first assistant defense secretary for cyber policy (Nextgov/FCW)
Pentagon, Congress have a 'limited window' to properly create a Cyber Force (The Record)
StrelaStealer targeted over 100 organizations across the EU and US (Security Affairs)
General Motors Quits Sharing Driving Behavior With Data Brokers (The New York Times)
AI's Hippocratic Oath by Chinmayi Sharma (SSRN)
Share your feedback. We want to ensure that you are getting the most out of the podcast.
Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc.
Madhav Jivrajani is an engineer at VMware, a tech lead in SIG Contributor Experience and a GitHub Admin for the Kubernetes project. He also contributes to the storage layer of Kubernetes, focusing on reliability and scalability. In this episode we talked with Madhav about a recent post on social media about a very interesting stale reads issue in Kubernetes, and what the community is doing about it.
Do you have something cool to share? Some questions? Let us know:
- web: kubernetespodcast.com
- mail: kubernetespodcast@google.com
- twitter: @kubernetespod
Chatter of the week
Mofi Rahman co-hosts this episode with Kaslin: Twitter/X, LinkedIn
Kubernetes Podcast episode 211
News of the week
Google announced a new partnership with Hugging Face
Red Hat self-managed offering of Ansible Automation Platform on Microsoft Azure
The schedule for KubeCon CloudNativeCon EU 2024 is out
CNCF Ambassador applications are open
The CNCF Hackathon at KubeCon CloudNativeCon EU 2024 CFP is open now
The annual Cloud Native Computing Foundation report for 2023
CNCF's certification expiration period will change to 24 months starting April 1st, 2024
Sysdig 2024 Cloud Native Security and Usage Report
Links from the interview
Madhav Jivrajani: Twitter/X, LinkedIn
Priyanka Saggu
Interview
Stale reads Twitter/X thread by Madhav
"Kubernetes is vulnerable to stale reads, violating critical pod safety guarantees" - GitHub Issue tracking the stale reads issue
CAP Theorem
CMU Wasm Research Center
"A CAP tradeoff in the wild" blog by Lindsey Kuper
"Reasoning about modern datacenter infrastructures using partial histories" research paper
The Kubernetes Storage Layer: Peeling the Onion Minus the Tears - Madhav Jivrajani, VMware
KEP-3157: allow informers for getting a stream of data instead of chunking
KEP-2340: Consistent Reads from Cache
Journey Through Time: Understanding Etcd Revisions and Resource Versions in Kubernetes - Priyanka Saggu, KubeCon NA 2023
Kubernetes API Resource Versions documentation
Cybersecurity leader Mike Isbitski explores the intricacies of cloud-native security and vulnerability management in today's technological landscape. With over 25 years of experience, he provides valuable insights into the challenges and complexities organizations face in securing ephemeral infrastructure and machine identities in the cloud. This episode also explores the cautious adoption of AI in cybersecurity, emphasizing the need for a balanced approach that maintains operational functionality while addressing evolving security concerns.
Key Points with Timestamp
Security through Obscurity (00:00:00) - Mike discusses common security practices.
Cloud-Native Technology Explained (00:01:30) - Unpacking the meaning of cloud-native tech.
Evolving Vulnerability Management (00:03:38) - Insights on how vulnerability management has improved.
AI in Cybersecurity (00:21:20) - Discussion on the slow but growing adoption of AI in cybersecurity.
Challenges of Permissions and Identity (00:29:29) - The complexities of permissions in the cloud environment.
Future Trends in Cybersecurity (00:34:11) - Predictions for changes and advancements in the cybersecurity landscape.
About Michael
Michael Isbitski is a former Gartner analyst, cybersecurity leader, and practitioner with more than 25 years of experience, specializing in application, cloud, and container security. Michael learned many hard lessons on the front lines of IT working on application security, vulnerability management, enterprise architecture, and systems engineering. He's guided countless organizations globally in their security initiatives as they support their businesses.
Links Referenced:
Sysdig: https://sysdig.com/
Sysdig 2024 Cloud-Native Security and Usage Report: www.sysdig.com/SITC
This is part two of a special edition of Day Two Cloud we're calling Security KubeConversations. I spent two days in the Windy City, attending KubeCon Cloud Native Con Chicago 2023. I had the opportunity to speak to a wide array of vendors and open source maintainers about what's happening on the security front in...
This is part two of a special edition of Day Two Cloud with conversations recorded at KubeCon 2023 in Chicago. These conversations cover the state of cloud-native security, getting a holistic view of your cloud-native environment, security challenges for Kubernetes, and the state of the software supply chain. The post D2C225: Security KubeConversations Part 2 – Cloud-Native Security Challenges appeared first on Packet Pushers.
- First off, tell us a bit about yourself, what you're up to and how you have gotten where you are career wise- What are some of the key differences with cloud-native security?- There's a lot of acronyms in the cloud-sec space, such as CWPP, CSPM, KSPM and so on. Can you unpack a few of these for the audience and what they mean?- This also infers there's a lot of different tools and capabilities to manage. Why do you think it is important to have a comprehensive platform to bring it together, to avoid tool sprawl and cognitive and alert fatigue?- There's a lot of focus of course on shifting security left, and CI/CD pipelines and so on, but I know you also focus on runtime security. What makes runtime security so crucial in the cloud context?- Can you tell us a bit about Aqua Security, what you all do and what makes you unique from some of the other platform providers and security companies out there?- What does the term "cyber resilience" mean to you?
In this episode, we address crucial questions about security in cloud native and Kubernetes environments. Why is there so much talk about cloud native security these days? What are the new challenges and attack vectors that we underestimate when adopting containers or Kubernetes?
Involta Enterprise Architect Scott Evers dives into how enterprises struggle to shift security strategies for rapid software release cycles and cloud native infrastructure. Tune in to This Week in Enterprise Tech for insights on securing the modern cloud-driven organization! Full episode at http://twit.tv/twiet564 Host: Louis Maresca Guest: Scott Evers You can find more about TWiT and subscribe to our podcasts at https://podcasts.twit.tv/ Sponsor: GO.ACILEARNING.COM/TWIT
Special guest Michael Isbitski joins us to talk about cloud native security and reviews the Sysdig 2023 Cloud-Native Security and Usage Report. Michael and Matty discuss some common security challenges and findings from the report, and how to address them.
We talk about getting PCI compliance into Kubernetes and other security thinking in the cloud native world, and about securing Tanzu Application Service and Tanzu Application Platform. David Zendzian talks with Cora and Coté about what exactly "security" means in the cloud native context. They use his upcoming paper on PCI compliance as an example throughout. Find David on LinkedIn, Twitter, and his charming home page. Watch the video of this interview if you prefer that format.
Cloud Security Podcast - we are continuing with our "Kubernetes Security & KubeCon EU 2023" series, and for the final episode in this series we have the Kubernetes Security Panel from KubeCon EU 2023. Kubernetes security has evolved since its inception, with many defaults now more secure and some still insecure; or has it not evolved at all? Andrew Martin (Control Plane), Matt Jarvis (Snyk) and Kerim Satirli (HashiCorp) were on the Kubernetes Security Panel organized by Cloud Security Podcast.
Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv
FREE CLOUD BOOTCAMPs on www.cloudsecuritybootcamp.com
Host Twitter: Ashish Rajan (@hashishrajan)
Guest Socials: Andrew Martin (Control Plane), Matt Jarvis (Snyk), Kerim Satirli (HashiCorp)
Podcast Twitter - @CloudSecPod @CloudSecureNews
If you want to watch videos of this LIVE STREAMED episode and past episodes, check out our other Cloud Security Social Channels:
- Cloud Security News
- Cloud Security BootCamp
Spotify TimeStamp for Interview Questions
(00:00) Introduction
(04:28) A bit about Kerim, Andy and Matt
(05:13) What is Kubernetes?
(06:49) How do you describe Cloud Native Security?
(10:21) How KubeCon and Kubernetes have changed over the years
(15:56) The growing presence of security at KubeCon
(22:10) Cloud Security and Cloud Native Security
(23:00) Maintenance of Kubernetes
(24:17) Shared Responsibility Model
(27:37) Single Cluster vs Multi Cluster
(34:34) Failure of Workload Identity
(36:11) Recommendations for learning
(42:06) Disaster Recovery for Kubernetes
(47:51) ChatGPT - Problem, Solution or Fad?
See you at the next episode!
Cloud Security Podcast - we are continuing with our "Kubernetes Security & KubeCon EU 2023" series, and for the fifth episode in this series we have Eve Ben Ezra from The New York Times. GitOps, OPA Conftest and Argo CD are some of the components that add security to a cloud native security pipeline. Eve Ben Ezra from The New York Times shared how we can use these tools to create a dev-friendly security pipeline.
Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv
FREE CLOUD BOOTCAMPs on www.cloudsecuritybootcamp.com
Host Twitter: Ashish Rajan (@hashishrajan)
Guest Socials: Eve Ben Ezra (Eve Ben Ezra's LinkedIn)
Podcast Twitter - @CloudSecPod @CloudSecureNews
If you want to watch videos of this LIVE STREAMED episode and past episodes, check out our other Cloud Security Social Channels:
- Cloud Security News
- Cloud Security BootCamp
Spotify TimeStamp for Interview Questions
(00:00) Introduction
(03:10) A bit about Eve
(04:05) Eve's 2nd KubeCon
(04:43) About Eve's talk at KubeCon
(05:29) What is GitOps?
(06:28) What is Argo CD?
(07:19) What is OPA?
(07:34) Why NYTimes has a development platform
(09:14) Challenges with implementing a shared infrastructure
(11:17) Feedback is one of the challenges
(12:19) Using OPA Gatekeeper
(13:30) When should developers get feedback in a GitOps operational framework?
(14:52) What does local feedback to developers look like?
(15:54) What is Conftest?
(16:24) How do people get started with OPA?
(18:32) Making security more accessible for developers
(23:02) Managed or self-hosted Kubernetes deployment
(24:09) How to get started with this
(25:08) Starting with OPA vs starting with CI/CD
(25:35) Where can you start learning about Kubernetes?
(28:10) The difference between CI and CD
See you at the next episode!
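As an added illustration of the Conftest-in-a-GitOps-pipeline approach this episode discusses (this is example code written for this page, not from the episode, from Eve Ben Ezra or from The New York Times), here is a small OPA policy of the kind Conftest evaluates against rendered Kubernetes manifests before Argo CD syncs them. The policy file path, the `conftest test -p policy` invocation and the specific checks are assumptions, and the Deployment in the comment block is constructed for illustration. It uses the `import rego.v1` syntax, so it needs a Conftest build on OPA 0.59 or newer.

```rego
# Added example for a Conftest/OPA gate in a GitOps pipeline (not code from the
# episode or The New York Times). Assumed layout: this file is policy/deployment.rego
# and the rendered manifest is checked with `conftest test -p policy deployment.yaml`
# in CI, before Argo CD is allowed to sync it.
#
# Constructed input (deployment.yaml) that this policy should reject:
#
#   apiVersion: apps/v1
#   kind: Deployment
#   metadata: {name: web}
#   spec:
#     template:
#       spec:
#         containers:
#         - name: web
#           image: nginx:latest
#           securityContext: {privileged: true}
#
# Expected result: three deny failures (privileged, runAsNonRoot, memory limit)
# and one warning (:latest tag). Conftest exits non-zero on any deny, which is
# what fails the pipeline stage.

package main

import rego.v1

# Every container in a Deployment manifest, init containers included, so that a
# privileged init container cannot slip past a check that only looks at containers.
containers contains c if {
    input.kind == "Deployment"
    some c in input.spec.template.spec.containers
}

containers contains c if {
    input.kind == "Deployment"
    some c in input.spec.template.spec.initContainers
}

# A privileged container gets every capability and all host devices.
deny contains msg if {
    some c in containers
    c.securityContext.privileged == true
    msg := sprintf("container %q must not set securityContext.privileged: true", [c.name])
}

# A missing securityContext also fails: `not` succeeds when the path is undefined.
deny contains msg if {
    some c in containers
    not c.securityContext.runAsNonRoot == true
    msg := sprintf("container %q must set securityContext.runAsNonRoot: true", [c.name])
}

# Without a memory limit one pod can starve its neighbours on a shared node.
deny contains msg if {
    some c in containers
    not c.resources.limits.memory
    msg := sprintf("container %q must declare resources.limits.memory", [c.name])
}

# A mutable tag defeats reproducible rollouts; warn rather than block.
warn contains msg if {
    some c in containers
    endswith(c.image, ":latest")
    msg := sprintf("container %q uses the mutable :latest tag", [c.name])
}
```

Developers can run the same `conftest test` command locally before pushing, which is the early feedback loop the episode is about; the same rules can later be loaded into OPA Gatekeeper for admission-time enforcement, but running them against the rendered manifests in CI catches the problem before the merge rather than at deploy time.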
On this episode, the Chief Security Officer of Cloud at Palo Alto Networks, Bob West, joins Matt to discuss Palo Alto Networks' latest State of Cloud Native Security Report. Bob joined Palo Alto Networks after more than 20 years in leadership roles with banks, product companies, and professional services organizations. Before joining Palo Alto Networks, Bob served as managing partner at West Strategy Group, managing director in Deloitte's cyber risk services practice, managing director and CISO for York Risk Services, Chief Trust Officer at CipherCloud, CEO at Echelon One, Chief Information Security Officer (CISO) at Fifth Third Bank, and Information Security Officer at Bank One.
Today, Bob talks about the latest installment of the State of Cloud Native Security Report, the severe shortcomings in cloud security, and the elevated cost of cloud security. Why is it essential to think about security upfront? Hear about the daily mindset shift required to deploy quality code, minimizing complexity to maximize efficiency, and the significant delay in threat management.
Timestamp Segments
· [01:46] Bob's career-changing experiences.
· [04:17] Bob's advice.
· [11:10] The 10,000-ft view.
· [16:23] The elevated costs of cloud security.
· [22:36] Increased deployment frequency.
· [24:54] How do security teams keep up?
· [30:44] Security tooling in the cloud.
· [35:46] Holistic cloud security.
· [41:18] There will always be issues.
Notable Quotes
· "Be nice to your vendors." - Bob
· "You never know who's going to be able to help you out at any point." - Bob
· "You've got to build bridges before you need them." - Matt
· "Common sense isn't necessarily common practice." - Bob
Relevant Links
Website: www.paloaltonetworks.com
LinkedIn: Bob West
Resources: Out of the Crisis
Secure applications from code to cloud. Prisma Cloud secures applications from code to cloud, enabling security and DevOps teams.
Cloud Security Podcast - This month we are talking about "Kubernetes Security & KubeCon EU 2023", and for the second episode in this series we spoke to Andrew Martin (Andrew's LinkedIn). Kubernetes security best practices built on the OWASP Top 10 for Kubernetes are not enough to deal with new and unknown attack vectors for your Kubernetes deployment. In this episode we have Andrew Martin on how you can deal with Kubernetes attack vectors, including supply chain issues.
Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv
FREE CLOUD BOOTCAMPs on www.cloudsecuritybootcamp.com
Host Twitter: Ashish Rajan (@hashishrajan)
Guest Socials: Andrew Martin (Andrew's LinkedIn)
Podcast Twitter - @CloudSecPod @CloudSecureNews
If you want to watch videos of this LIVE STREAMED episode and past episodes, check out our other Cloud Security Social Channels:
- Cloud Security News
- Cloud Security BootCamp
Spotify TimeStamp for Interview Questions
(00:00) Introduction
(00:15) A word from our sponsors - head over to snyk.io/csp to find out more
(02:50) A bit about Andrew Martin
(03:33) What is cloud native security?
(06:31) What is Kubernetes security?
(10:23) Kubernetes security vs cloud native security
(11:52) Why is Kubernetes so popular?
(16:20) What are the components of Kubernetes security?
(21:43) Container security in the Kubernetes landscape
(26:34) Common attack vectors for Kubernetes
(32:16) Impact of cloud on attack vectors
(35:38) Managed Kubernetes
(38:13) Rationale for using multi cluster
(41:11) Should everyone use Kubernetes?
(44:18) Is Serverless still relevant?
(47:38) Where can people learn about Kubernetes security?
(53:01) The fun questions
See you at the next episode!
A dashboard whose red-coloured alerts encourage you to ignore it? Security as a universal insurance policy against unlikely eventualities? What has changed in security over the past few years, and what possibilities do cloud native technologies offer? Thanks to automation and maturing technologies, so much more is possible today. Alongside these possibilities, our awareness has also developed toward using such technologies more deliberately. We met the security experts Tobias Gerhardt from Aqua and Stefan Trimborn from Sysdig at the Container Security Day and asked them what matters.
Palo Alto Networks released its State of Cloud-Native Security 2023 report, and it revealed disturbing trends. This episode goes through the report and what the main challenges are.
Source - https://www.paloaltonetworks.com/state-of-cloud-native-security
Be aware, be safe.
Support the show and get access to behind the scenes content as a patron - https://www.patreon.com/SecurityInFive
*** Support the podcast with a cup of coffee *** - Ko-Fi Security In Five
Mighty Mackenzie - https://www.facebook.com/mightymackie
Where you can find Security In Five - https://linktr.ee/binaryblogger
Email - bblogger@protonmail.com
Emily Fox is a security engineer at Apple Cloud Services, a CNCF Technical Oversight Committee member and co-chair for a number of CNCF events, most recently the Cloud Native Security Conference in Seattle. We had a chance to talk to Emily about the first edition of CNSC 2023, her involvement with the CNCF community, her role as a security engineer, and some career discussions.
Do you have something cool to share? Some questions? Let us know:
- web: kubernetespodcast.com
- mail: kubernetespodcast@google.com
- twitter: @kubernetespod
News of the week
KubeEdge v1.13.0, released on January 18, 2023, achieves SLSA 3 compliance
KubeVela brings software delivery control plane capabilities to CNCF Incubator
GKE Updates:
- Balanced compute classes are now offered in GKE Autopilot
- GKE Autopilot now supports exposing randomly assigned host ports for pods
- GKE has started offering ephemeral storage with local SSDs
- Added support for Windows Server 2022 nodes
AWS announced the availability of Amazon EKS Anywhere on Snowball Edge devices
Sysdig released their 6th annual Cloud Native Security and Usage Report
Rebooting the Cloud Native Hamburg community group
KubeCon EU Amsterdam schedule
Katacoda Kubernetes tutorials shutdown
LFX Internships for WasmEdge
Kubernetes Community Days (KCDs):
Upcoming CFP deadlines:
- KCD Italy CFP closes February 20, 2023 (in-person)
- KCD Czech + Slovak CFP closes March 1, 2023 (in-person)
- KCD Bengaluru CFP closes March 20, 2023 (in-person)
- KCD Zurich CFP closes March 31, 2023 (in-person)
- KCD Colombia CFP closes March 31, 2023 (in-person)
Check out upcoming KCDs that might be in your region (sponsorship opportunities are available; donation prospectus available for review):
- KCD Pakistan (Islamabad), February 20, 2023
- KCD Netherlands (Amsterdam), February 23-24, 2023
- KCD France (Paris), March 7, 2023
- KCD Los Angeles, March 9-10, 2023
- KCD Ukraine Virtual Fundraiser, March 16, 2023
- KCD Israel 2023, March 23, 2023
Links from the interview
Emily Fox: Twitter, LinkedIn
Cloud Native Security Con YouTube playlist
How to Secure Your Supply Chain at Scale - Hemil Kadakia & Yonghe Zhao, Yahoo
eBPF
CIA Triad
Waterfall development
Cloudcareers.dev podcast
Rory McCune on Twitter
Software Supply Chain Security
Emily Fox on SBOM
Emily Fox on SDLC
Shift Left Security: Best Practices for Getting Started
Episode 196 with Benjamin Elder
CNSC 2023 Seattle guests: David Wolf, Eric Knauer, Liz Rice, Mitch Connors, Josh Knarr, Nick Young, Taylor Dolezal
Frederick Kautz on SPIFFE/SPIRE
Chris Aniszczyk's blog
The Falco Project
Cilium Tetragon
Pixie
Aviatrix
Keylime
Google Anthos
Beyond Cluster-Admin: Getting Started with Kubernetes Users and Permissions - Tiffany Jernigan
Standardization & Security - A Perfect Match - Ravi Devineni & Vinny Carpenter, Northwestern Mutual
CSI Container: Can You DFIR It? - Alberto Pellitteri & Stefano Chierici, Sysdig
Links from the post-interview chat
Cloud Native Security Con EU 2023
CNCF TOC
The economics of the Internet are changing as the foundational ad-driven model is being disrupted. How will this impact the cost of things we've long enjoyed for free on the Internet?
SHOW: 697
CLOUD NEWS OF THE WEEK - http://bit.ly/cloudcast-cnotw
CHECK OUT OUR NEW PODCAST - "CLOUDCAST BASICS"
SHOW SPONSORS:
Did you know that 87% of container images in production include a high or critical vulnerability? No wonder prioritization is difficult. Download the Sysdig 2023 Cloud-Native Security and Usage Report to dig into the state of cloud and container usage.
CloudZero - Cloud Cost Visibility and Savings. CloudZero provides immediate and ongoing savings with 100% visibility into your total cloud spend.
Section is the fastest, easiest and most cost-effective way to run applications across multiple clouds. Cloudcast listeners can experience the benefits of unparalleled performance and uptime, plus the ability to scale as needed. There's no risk to try it out: run one project for free with no credit card required!
SHOW NOTES:
ChatGPT-style search will cost 10x more for Google, Microsoft
Stratechery on Apple ATT
Apple App Tracking Transparency
Apple ATT change in iOS will have $10B impact on Facebook (Spotify)
Is streaming really cheaper than the cable bundle?
Google eliminates free Gmail accounts
Twitter will start charging for SMS 2FA
BMW charging monthly for heated seats
THE EVOLUTION OF HOW THE INTERNET WAS PAID FOR
Original Internet - Funded by the US Gov't (ARPANET)
Walled Gardens - AOL, CompuServe
The Rise of Web Browsers, Search Engines and the Open Internet
The Rise of Consumer Broadband and Over-the-Top Services
Advertising as the dominant business model, and building moats
THE DISRUPTION OF THE AD-CENTRIC INTERNET AND ITS IMPACTS
Google moats for ads/search - Maps, Gmail, Android, Weather, Flights, Stocks, etc.
Google, Facebook, Amazon, Apple have built huge ad businesses
Apple is disrupting mobile advertising with ATT
Microsoft is disrupting search with ChatGPT (and OpenAI)
FEEDBACK?
Email: show at the cloudcast dot net
Twitter: @thecloudcastnet
Michael Isbitski (@michaelisbitski, Director Cybersecurity Strategy @sysdig) talks about Sysdig's 2023 Cloud Native Security and Usage Report: the latest trends, interesting findings and the latest on Cloud Native Security.

SHOW: 696
CLOUD NEWS OF THE WEEK - http://bit.ly/cloudcast-cnotw
NEW TO CLOUD? CHECK OUT - "CLOUDCAST BASICS"

SHOW SPONSORS:
- How to Fix the Internet (A new podcast from the EFF)
- Datadog Application Monitoring: Modern Application Performance Monitoring. Get started monitoring service dependencies to eliminate latency and errors and enhance your users' app experience with a free 14 day Datadog trial. Listeners of The Cloudcast will also receive a free Datadog T-shirt.
- Solve your IAM mess with Strata's Identity Orchestration platform. Have an identity challenge you thought was too big, too complicated, or too expensive to fix? Let us solve it for you! Visit strata.io/cloudcast to share your toughest IAM challenge and receive a set of AirPods Pro.

SHOW NOTES:
- Sysdig (homepage)
- Sysdig 2023 Cloud-Native Security and Usage Report

Topic 1 - Welcome to the show. Tell us a little bit about your background, and where you focus your efforts at Sysdig.

Topic 2 - Let's talk about the 2023 report. This is something that Sysdig has run for many years. What are some of the major Container Security and Usage trends you're seeing this year (2022 to 2023)?
- The report is unique as it looks at real-world data from more than a billion containers
- 6th report; each year we build on the data collected previously
- Beyond the speed of containers and usage data, we also looked at things people care about right now
- Where are there cost savings?
- How are we doing with implementing zero trust?
- Where can we save time and reduce risk?

Topic 3 - It seems like preparedness for attacks, via vulnerabilities, is on the rise? Why do you think we're seeing things getting worse, rather than better?

Topic 4 - Talk to us about some of the best practices for managing all the vulnerabilities, and how to think about prioritization - such as the Common Vulnerability Scoring System (CVSS).

Topic 5 - It appears that Zero Trust is a big buzzword, but maybe companies have zero trust in zero trust. Did this surprise you? What do you think is causing this?

Topic 6 - What are some of the operational best practices that you're seeing companies doing to help mitigate these ever-growing security threats?

FEEDBACK?
Email: show at the cloudcast dot net
Twitter: @thecloudcastnet
Public cloud usage. Cloud-native application development. Developer relations. In a down economy, everything gets questioned. Expect a lot of naysayers and doubters.

SHOW: 695
CLOUD NEWS OF THE WEEK - http://bit.ly/cloudcast-cnotw
CHECK OUT OUR NEW PODCAST - "CLOUDCAST BASICS"

SHOW SPONSORS:
- CloudZero – Cloud Cost Visibility and Savings. CloudZero provides immediate and ongoing savings with 100% visibility into your total cloud spend.
- Section is the fastest, easiest and most cost-effective way to run applications across multiple clouds. Cloudcast listeners can experience the benefits of unparalleled performance and uptime, plus the ability to scale as needed. There's no risk to try it out – run one project for free with no credit card required!
- Did you know that 87% of container images in production include a high or critical vulnerability? No wonder prioritization is difficult. Download the Sysdig 2023 Cloud-Native Security and Usage report to dig into the state of cloud and container usage.

SHOW NOTES:
- Kubernetes is great, but it's been a 7 year distraction (and this thread)
- Cloud players sound a cautious tone in 2023
- Is DevRel as an idea being abandoned?

THE CURVE IS BENDING DOWN, SO QUESTION EVERYTHING
- The public cloud is no longer economically viable
- Distributed systems are not practical
- Kubernetes is now too difficult to use
- Developer relations (DevRel) is no longer needed by vendors

THE DIFFERENCE BETWEEN EARLY ADOPTERS AND MAINSTREAM
- Early adopters typically have a specific problem they are trying to solve
- Near-term and long-term goals don't always align
- The ROI of technology doesn't always happen immediately
- Resume-driven-development is a real thing in good times
- Economic downturns shine a light on practicality and profitability
- Greed is a factor in good times and bad times

FEEDBACK?
Email: show at the cloudcast dot net
Twitter: @thecloudcastnet
Now that AWS, Azure, GCP earnings are slowing down across the board, let's look at what this could mean in the near-term and long-term.

SHOW: 693
CLOUD NEWS OF THE WEEK - http://bit.ly/cloudcast-cnotw
CHECK OUT OUR OTHER PODCAST - "CLOUDCAST BASICS"

SHOW SPONSORS:
- Section is the fastest, easiest and most cost-effective way to run applications across multiple clouds. Cloudcast listeners can experience the benefits of unparalleled performance and uptime, plus the ability to scale as needed. There's no risk to try it out – run one project for free with no credit card required!
- Did you know that 87% of container images in production include a high or critical vulnerability? No wonder prioritization is difficult. Download the Sysdig 2023 Cloud-Native Security and Usage report to dig into the state of cloud and container usage.
- CloudZero – Cloud Cost Visibility and Savings. CloudZero provides immediate and ongoing savings with 100% visibility into your total cloud spend.

SHOW NOTES:
- AWS earnings - $21.4B, up 20% (down from 27% QoQ)
- Microsoft Azure earnings - $21.5B, up 31% (down from 35% QoQ)
- Google Cloud earnings - $7.32B, up 32% (down from 38% QoQ)
- Google claims that Azure is losing money
- Cloud leaders AWS, Azure, Google show the market is cooling down
- 2022 CAPEX spend by the cloud providers
- Cloud players being cautious in 2023

THE GROWTH OF CLOUD PROVIDERS IS BEGINNING TO SLOW DOWN
- The cloud providers are still growing at a high rate
- But the rate of growth, and CAPEX investment, is slowing down
- Is this the new normal?

WHAT'S CAUSING THE SLOW DOWN?
- Increased interest rates, so slower overall spending across tech
- Cloud cost optimization tools and company-wide programs
- Enterprise companies managing post-COVID “new normals”
- SaaS companies cutting back, especially VC-funded companies
- Lots of tech layoffs
- Concern about Google (and Azure?) being profitable?
- Will the new AI wars disrupt the focus of the cloud companies?
- Will we see services cut back by the cloud providers?
- Companies now have an opportunity to renegotiate costs?

FEEDBACK?
Email: show at the cloudcast dot net
Twitter: @thecloudcastnet
The tech industry is going through an employment level downturn at the moment, so what should you do? What shouldn't you do?

SHOW: 691
CLOUD NEWS OF THE WEEK - http://bit.ly/cloudcast-cnotw
CHECK OUT OUR NEW PODCAST - "CLOUDCAST BASICS"

SHOW SPONSORS:
- Did you know that 87% of container images in production include a high or critical vulnerability? No wonder prioritization is difficult. Download the Sysdig 2023 Cloud-Native Security and Usage report to dig into the state of cloud and container usage.
- Solve your IAM mess with Strata's Identity Orchestration platform. Have an identity challenge you thought was too big, too complicated, or too expensive to fix? Let us solve it for you! Visit strata.io/cloudcast to share your toughest IAM challenge and receive a set of AirPods Pro.
- Section is the fastest, easiest and most cost-effective way to run applications across multiple clouds. Cloudcast listeners can experience the benefits of unparalleled performance and uptime, plus the ability to scale as needed. There's no risk to try it out – run one project for free with no credit card required!

SHOW NOTES:
- An Analysis of Recent Layoffs
- 2023 Tech Layoff Tracker
- From diversity and inclusion to adversity and expulsion
- The five stages of grief

LAYOFFS ARE NEVER FUN, AND THEY HAVE RIPPLE EFFECTS
- Hiring tends to happen in waves, and layoffs happen in blasts
- Sometimes layoffs happen for solid reasons, and sometimes for emotional reasons

HOW TO NAVIGATE A LAYOFF, OR BEING AROUND AFTER A LAYOFF
- Eventually, everybody gets fired - whether they should or not
- Try not to make it too emotional, which is initially difficult
- Companies never really take ownership, but they can be compassionate
- Allow yourself to go through the grieving process
- Decide if you still want to stay in the tech industry
- Stay active in life - get up, find a routine, stay healthy, make a plan each day
- Begin looking while you have financial buffers
- Find something creative - build things
- Stay active with your skills - volunteer, side projects, etc.
- Stay active with your networks
- At some point, be realistic - family needs, sunk costs, titles, etc.

FEEDBACK?
Email: show at the cloudcast dot net
Twitter: @thecloudcastnet
**SEASON 2** In this episode, Abhay shares his infosec journey and how he was introduced to it. He also talks about his current work, his experience of running an infosec company, the communities he is associated with, and advice for people starting out and already in the infosec industry. We have introduced rapid-round questions this season. Tune into the episode to learn more!

Speaker Intro - Abhay Bhargav is the Founder & Chief Research Officer of AppSecEngineer, an elite, hands-on online training platform for AppSec, Cloud-Native Security, Kubernetes Security and DevSecOps. AppSecEngineer delivers hands-on security skills that companies are actually looking for. Abhay started his career as a breaker of apps, in pentesting and red-teaming, but today is more involved in scaling AppSec with Cloud-Native Security and DevSecOps. He has created some pioneering works in the area of DevSecOps and AppSec Automation, including the world's first hands-on training program on DevSecOps, focused on Application Security Automation. In addition to this, he is active in his research of new technologies and their impact on Application Security, specifically Cloud-Native Security. He has contributed to pioneering work in the Vulnerability Management space, being the architect of a leading Vulnerability Management and Correlation Product, Orchestron. Abhay is also committed to Open-Source and has developed the first-ever Threat Modeling solution at the crossroads of Agile and DevSecOps, called ThreatPlaybook. Abhay is a speaker and trainer at major industry events including DEF CON, BlackHat, OWASP AppSecUSA, EU and AppSecCali. His trainings have been sold-out events at conferences like AppSecUSA, EU, AppSecDay Melbourne, CodeBlue (Japan), BlackHat USA, SHACK and so on. He has authored two international publications on Java Security and PCI Compliance as well.

You can reach out to him on:
Twitter - @abhaybhargav
LinkedIn - Abhay Bhargav
AppSecEngineer Website - https://www.appsecengineer.com/

Follow the "Stories of Infosec Journeys" podcast on:
LinkedIn - Stories of Infosec Journeys
Twitter - @InfosecJourneys
Instagram & Facebook - @storiesofinfosecjourneys

Kindly rate the podcast on Spotify and leave a review on Apple Podcasts.
In Episode S4E16, our guest is Abhay Bhargav, the Founder of we45 — a focused Application Security Company, and the Chief Research Officer of AppSecEngineer — an elite, hands-on online training platform for AppSec, Cloud-Native Security, Kubernetes Security, and DevSecOps. The topic Steve Bowcut and Abhay discuss is The Application Security Skills Gap. Abhay gives an informative view of the scope of the skills gap for application security and explains why he thinks the shortage of skilled security professionals is occurring. Steve and Abhay discuss the skills gap's impact on organizations and what they can do to solve this issue. About our Guest Abhay started his career as a breaker of apps in pen testing and red-teaming, but today is more involved in scaling AppSec with Cloud-Native Security and DevSecOps. He has created some pioneering works in the area of DevSecOps and AppSec Automation, including the world's first hands-on training program on DevSecOps, focused on Application Security Automation. Abhay is active in the research of new technologies and their impact on Application Security, specifically Cloud-Native Security. He is the architect of a leading Vulnerability Management and Correlation Product, Orchestron, from we45. He is a speaker and trainer at major industry events and has authored two international publications on Java Security and PCI Compliance. Don't miss this insightful look into the application security skills gap.
Aaron and Brian talk about all things KubeConNA (Detroit) 2022.

SHOW: 665
CLOUD NEWS OF THE WEEK - http://bit.ly/cloudcast-cnotw
CHECK OUT OUR NEW PODCAST - "CLOUDCAST BASICS"

SHOW SPONSORS:
- Datadog Kubernetes Solution: Maximum Visibility into Container Environments. Start monitoring the health and performance of your container environment with a free 14 day Datadog trial. Listeners of The Cloudcast will also receive a free Datadog T-shirt.
- CloudZero - Cloud Cost Intelligence for Engineering Teams
- CDN77 - CDN Focused on VOD and Security. CDN77 - ask for a free trial with no duration or traffic limits.

SHOW NOTES:
- CNCF Announcements - KubeConNA 2022 (Detroit)
- KubeCon Vendor List

Topic 1 - Let's start with what was good or bad at CloudNativeCon/KubeCon. Overall vibes at the conference?
- 7,000 attendees, 300 vendor-companies, good amount of end-users
- Good: Well-organized, live interactions
- Bad: City choice, keynotes, Day 1 & 2 pricing models
- Is this Big Tent 2.0? (Aaron - I don't think so…)

Topic 2 - Interesting technologies or technology trends?
- Kubernetes is no longer the center of this conference
- Service Mesh, WASM (WebAssembly), Cost-Mgmt, various forms of Security
- Starting to see fragmentation (e.g. Cloud-Native Security is its own conference)

Topic 3 - Are we in a bubble? Lots of companies in each technology category? Will we see consolidation, failures or buyers?
- What's the mission for CNCF - a place for projects to incubate with no “horse in the race”; will all areas eventually consolidate down to a few players over time?

Topic 4 - What's next for KubeCon? Can it survive as a big event without a central technology? Will it splinter into lots of little events?
- Did the CNCF turn this into too much of a marketing event?
- What's in it for the sponsors? Especially if it splits into different events?
- Why do they keep making bad location choices? (Amsterdam 4/20, Chicago - Nov ‘23)

FEEDBACK?
Email: show at the cloudcast dot net
Twitter: @thecloudcastnet
In this episode of the Virtual Coffee with Ashish edition, we spoke with Christophe Parisel (Christophe's Linkedin) about how to transition from being a technical architect on premise to a cloud security architect and then a cloud native security architect.

Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv
Host Twitter: Ashish Rajan (@hashishrajan)
Guest Twitter: Christophe Parisel (Christophe's Linkedin)
Podcast Twitter - @CloudSecPod @CloudSecureNews

If you want to watch videos of this LIVE STREAMED episode and past episodes - check out our other Cloud Security Social Channels:
- Cloud Security News
- Cloud Security Academy

Spotify TimeStamp for Interview Questions
(00:00) Ashish's Intro to the Episode
(02:21) https://snyk.io/csp
(03:18) A little bit about Christophe
(05:08) What is Cloud Native?
(07:27) Why is Cloud Native important?
(09:34) Responsibilities of a Cloud Native Architect
(13:15) Solution Architect vs Cloud Native Architect
(15:32) Culture to move into a Cloud Native Environment
(18:09) Designing an application in Cloud
(21:41) Designing an application using a Kubernetes Cluster
(24:39) Learning Kubernetes as an Architect
(28:09) Common services people should standardise
(31:50) Frameworks for Kubernetes Architecture
(34:06) Logging with Kubernetes at Scale
(38:24) Challenge with transitioning to Cloud Native Security Architect
(39:43) Should we trust the cloud?
(43:37) Bottlerocket in Kubernetes
(46:00) Certifications for Cloud Native Security Architect
At this year's KubeCon NA in Detroit we had the opportunity to talk with Christoph Hartmann (CTO of Mondoo). He gave us exciting insights into the various challenges of cloud and cloud-native security. You can find more information about Mondoo at mondoo.com. If you are at KubeCon yourself right now and want to talk with us about a topic, just contact us at podcast@sva.de.
In this episode of Kubernetes Bytes, Ryan and Bhavin talk about upcoming conferences and dig into the world of Kubernetes Security. Bhavin and Ryan dig into the various aspects of the 4C's of Cloud Native Security (Code, Container, Cluster and Cloud). They go a foot deep on everything from encryption at rest, network policies, Linux seccomp and software SBOMs to ransomware. This episode had so many good resources in the show notes that we decided to create a community resource for everyone. Please see the public Google doc below with all show notes, links and more. Feel free to comment and engage!

Cloud Native Security 101 Resource Community Document
Security is everyone's business. And as everyone seems to be moving to Cloud Native, it's important to understand what the security landscape in k8s, containerized apps, serverless, … looks like.

To learn more about this we invited Anais Urlichs (@urlichsanais), Developer Advocate at Aqua Security and CNCF Ambassador of the year 2021. Over the past years Anais has educated thousands of people on cloud native, devops and security on her YouTube Channel.

Tune in and learn more about the different approaches to security in cloud native, which open source projects are out there, and her advice on embedding security in your day-to-day work.

Some additional links we discussed can be found here:
Anais on Linkedin: https://www.linkedin.com/in/urlichsanais/
Anais on Twitter: https://twitter.com/urlichsanais
Trivy: https://github.com/aquasecurity/trivy
Weekly DevOps Newsletter: https://anaisurl.com/
WTFisSRE Talk: https://www.youtube.com/watch?v=0zL61AiOaK0
Anais's YouTube channel: https://www.youtube.com/c/AnaisUrlichs
Aqua Open Source YouTube Channel: https://www.youtube.com/channel/UCb4mfRT5UWpjoUQRcIE2qOQ
Developers want bug-free code -- it frees up their time and is easier to maintain. They want secure code for the same reasons. Matias Madou joins to talk about how the definition of secure coding varies among developers and appsec teams, why it's important to understand those perspectives, and how training is just one step towards building a security culture. This week in the AppSec News: OWASP Top 10 for Kubernetes, Firefox improves security with process isolation, CNCF releases guidance on Secure Software Factories and Cloud Native Security, & the DOJ clarifies its policy on CFAA! Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw198
This week in the AppSec News: OWASP Top 10 for Kubernetes, Firefox improves security with process isolation, CNCF releases guidance on Secure Software Factories and Cloud Native Security, & the DOJ clarifies its policy on CFAA! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw198
The move to cloud has great potential to improve security, but the required process and cultural changes can be daunting. A vast number of critical vulnerabilities make it to production and demand more effective mitigations. Although “shifting security left” should help, organizations are not able to achieve this quickly enough, and “shifting left” does not account for runtime threats. Organizations must strive to improve the prioritization of vulnerabilities to ensure the most dangerous flaws are fixed early. But even then, some risk will be accepted, and a threat detection and response program is required for full security coverage. On this episode of CyberWire-X, host Rick Howard, the CyberWire's CSO, Chief Analyst and Senior Fellow, explores how to secure your software development lifecycle, how to use a maturity model like BSIMM, where containers fit in that process, and the Sysdig 2022 Cloud-Native Security and Usage report. Joining Rick on this episode are Tom Quinn, CISO at T. Rowe Price and CyberWire Hash Table member, and, from episode sponsor Sysdig, their Director of Thought Leadership, Anna Belak, to discuss their experiences and real-world data, as well as practical approaches to managing cloud risk.
Tanya Janca joins Scott Hanselman to discuss the various security features within Azure that are cloud native and what that means for security professionals. Discussing the benefits of DDoS protection (and what DDoS is) will help you understand its value and when it's needed. We also discuss the added value of Azure Defender features such as JIT, FIM, and Application Adaptive Controls in preventing ransomware.

Chapters
00:00 - Introduction
00:20 - Distributed Denial of Service (DDoS) attacks
03:00 - DDoS Protection in Azure
05:55 - Microsoft Defender for Cloud
06:42 - Microsoft Defender for Cloud | Workload protections
10:53 - We Hack Purple Community
11:42 - Wrap-up

Recommended resources
- Azure DDoS Protection Standard overview
- What is Microsoft Defender for Cloud?
- We Hack Purple Community
- Top 5 security items to consider before pushing to production

Connect
Scott Hanselman | Twitter: @SHanselman
Tanya Janca | Twitter: @SheHacksPurple
We Hack Purple Academy & Community! | Twitter: @WeHackPurple
Azure Friday | Twitter: @AzureFriday
In this episode of the Virtual Coffee with Ashish edition, we spoke with Pushkar Joglekar, Sr. Security Engineer, VMware Tanzu.

Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv
Host Twitter: Ashish Rajan (@hashishrajan)
Guest Twitter: Pushkar Joglekar (@PuDiJoglekar)
Podcast Twitter - @CloudSecPod @CloudSecureNews

If you want to watch videos of this LIVE STREAMED episode and past episodes - check out our other Cloud Security Social Channels:
- Cloud Security News
- Cloud Security Academy
Is your enterprise just getting started on its cloud security monitoring journey? Hear from our guest and CEO of Panther Labs, Jack Naglieri, on some of the biggest challenges he sees in the data security space and even an example of a recent public data breach. Panther Labs provides a cloud native threat detection platform that uses services to scale up workloads as needed by customer demands. He shares with us how he got his start at some of the leading Silicon Valley tech companies and where the idea and need for Panther Labs came from. Finally, he provides his view on how to implement a threat detection platform on a cloud environment and the benefits of this compared to traditional, off-the-shelf software. Not sure where to get started? Jack provides advice on where to begin and precautions you can take today with your employees to ensure phishing, the easiest way to hack an environment, is prevented.
Snake Oilers isn't our regular weekly podcast; it's a wholly sponsored series we do at Risky.Biz where vendors come on to the show to pitch their products to you, the Risky Business listener. To be clear – everyone you hear in one of these editions paid to be here. We'll hear from three vendors in this edition of Snake Oilers:
- Upskill your testers and developers with PentesterLab for US$20 a month
- Manage penetration tests and reporting with AttackForge
- How Sysdig can help herd your container cats (vuln management and detection for container environments)

Show notes
- PentesterLab: Learn Web Penetration Testing: The Right Way
- AttackForge® - Penetration Testing Workflow Management, Productivity & Collaboration Tools
- Sysdig 2022 Cloud-Native Security and Usage Report: Stay on Top of Risks as You Scale – Sysdig
In this episode you will hear Rory's insights about cloud native security trends, threats and how to stay protected against potential attacks on organisations' supply chains and systems. Rory McCune is a Cloud Native Security Advocate at Aqua Security. His role involves helping to educate and inform around open source cloud native security and protect against potential vulnerabilities. If you want to be our guest, or you know someone who would be a great guest on our show, just send your email to info@globalriskconsult.com with the subject line “Global Risk Community Show” and give a brief explanation of what topic you would like to talk about, and we will be in touch with you asap.
About Anna
Anna has nearly ten years of experience researching and advising organizations on cloud adoption with a focus on security best practices. As a Gartner Analyst, Anna spent six years helping more than 500 enterprises with vulnerability management, security monitoring, and DevSecOps initiatives. Anna's research and talks have been used to transform organizations' IT strategies and her research agenda helped to shape markets. Anna is the Director of Thought Leadership at Sysdig, using her deep understanding of the security industry to help IT professionals succeed in their cloud-native journey.

Anna holds a PhD in Materials Engineering from the University of Michigan, where she developed computational methods to study solar cells and rechargeable batteries.

How do I adapt my security practices for the cloud-native world?
How do I select and deploy appropriate tools and processes to address business needs?
How do I make sense of new technology trends like threat deception, machine learning, and containers?

Links:
Sysdig: https://sysdig.com/
“2022 Cloud-Native Security and Usage Report”: https://sysdig.com/2022-cloud-native-security-and-usage-report/
Twitter: https://twitter.com/aabelak
LinkedIn: https://www.linkedin.com/in/aabelak/
Email: anna.belak@sysdig.com

Transcript
Announcer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize.
This is Screaming in the Cloud.

Corey: Today's episode is brought to you in part by our friends at MinIO, the high-performance Kubernetes native object store that's built for the multi-cloud, creating a consistent data storage layer for your public cloud instances, your private cloud instances, and even your edge instances, depending upon what the heck you're defining those as, which depends probably on where you work. Getting that unified is one of the greatest challenges facing developers and architects today. It requires S3 compatibility, enterprise-grade security and resiliency, the speed to run any workload, and the footprint to run anywhere, and that's exactly what MinIO offers. With superb read speeds in excess of 360 gigs and a 100 megabyte binary that doesn't eat all the data you've gotten on the system, it's exactly what you've been looking for. Check it out today at min.io/download, and see for yourself. That's min.io/download, and be sure to tell them that I sent you.

Corey: This episode is sponsored by our friends at Oracle. HeatWave is a new high-performance query accelerator for the Oracle MySQL Database Service, although I insist on calling it “my squirrel.” While MySQL has long been the world's most popular open source database, shifting from transacting to analytics required way too much overhead and, ya know, work. With HeatWave you can run your OLAP and OLTP—don't ask me to pronounce those acronyms again—workloads directly from your MySQL database and eliminate the time-consuming data movement and integration work, while also performing 1100X faster than Amazon Aurora and 2.5X faster than Amazon Redshift, at a third of the cost. My thanks again to Oracle Cloud for sponsoring this ridiculous nonsense.

Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. Once upon a time, I went to a conference talk at, basically, a user meetup.
This was in the before times, when that wasn't quite as much of a deadly risk because of a pandemic, and mostly a deadly risk due to me shooting my mouth off when it wasn't particularly appreciated. At that talk, I wound up seeing a new open-source project that was presented to me, and it was called Sysdig. I wasn't quite sure on what it did at the time and I didn't know what it would be turning into, but here we are now, what is it, five years later. Well, it's turned into something rather interesting. This is a promoted episode brought to us by our friends at Sysdig and my guest today is their Director of Thought Leadership, Anna Belak. Anna, thank you for joining me.

Anna: Hi, Corey. I'm very happy to be here. I'm a big fan.

Corey: Oh, dear. So, let's start at the beginning. Well, we'll start with the title: Director of Thought Leadership. That is a lofty title, it sounds like you sit on the council of the Lords of Thought somewhere. Where does your job start and stop?

Anna: I command the Council of the Lords of Thought, actually. [laugh].

Corey: Supply chain issues mean the robe wasn't available. I get it, I get it.

Anna: There is a robe. I'm just not wearing it right now. So, the shortest way to describe the role is probably something that reports into engineering, interestingly, and it deals with product and marketing in a way that is half evangelism and half product strategy. I just didn't feel like being called any of those other things, so they were like, “Director of Thought Leadership you are.” And I was like, “That sounds awesome.”

Corey: You know, it's one of those titles that people generally don't see a whole lot of, so if nothing else, I always liked those job titles that cause people to sit up and take notice as opposed to something that just people fall asleep by the time you get halfway through it because, in lieu of a promotion, people give you additional adjectives in your title. And we're going to go with it.
So, before you wound up at Sysdig, you were at Gartner for a number of years.
Anna: That's right, I spent about six years at Gartner, and there half the time I covered containers, Kubernetes, and DevOps from an infrastructure perspective, and half the time I spent covering security operations, actually, not specifically with respect to containers or cloud, but broadly. And so my favorite thing is security operations as it relates to containers and cloud-native workloads, which is kind of how I ended up here.
Corey: I wouldn't call that my favorite thing. It's certainly something that is near and dear to the top of mind, but that's not because I like it, let's put it [laugh] that way. It's one of those areas where getting it wrong is catastrophic. Back in 2017, when I went to that meetup in San Francisco, Sysdig seemed really interesting to me because it looked like it tied together a whole bunch of different diagnostic tools, lsof, strace, and the rest. Honestly—and I mean no slight to the folks who built out this particular tool—it felt like DTrace, only it understood the value of being accessible to its users without basically getting a doctorate in something. I like the idea, and it felt like it was very much aimed at an in-depth performance analysis story or an observability play. But today, it seems that you folks have instead gone in much more of a direction of DevSecOps, if the people listening to this, and you, will pardon the term. How did that happen? What was that product evolution like?
Anna: Yeah, I think that's a fair assessment, actually. And again, no disrespect to DTrace, of which I'm also a fan. So, we certainly started out in the container observability space, essentially because this whole Docker Kubernetes thing was exploding in popularity—I mean, before it was exploding, it was just kind of like, peeking out—and very quickly, our founder Loris, who is the co-founder of Wireshark, was like, “Hey, there's a visibility issue here.
We can't see inside these things with the tools that we have that are built for host instrumentation, so I'm going to make a thing.” And he made a thing, and it was an awesome thing that was open-sourced. And then ultimately, what happened is, the ecosystem of containers and communities evolved, and more and more people started to adopt it. And so more people needed kind of a more, let's say, hefty, serious tool for observability, and then what followed was another tool for security because what we actually discovered was the data that we're able to collect from the system with Sysdig is incredibly useful for noticing security problems. So, that caused us to kind of expand into that space. And today we are very much a tool that still has an observability component that is quite popular, has a security component which is fairly broad: We cover CSPM use cases, we cover [CIEM 00:05:04] use cases, and we are very, kind of let's say, very strong and very serious about our detection response and runtime security use cases, which come from that pedigree of the original Sysdig as well.
Corey: You can get a fairly accurate picture of what the future of technology looks like by taking a look at what my opinion of something is, and then doing the exact opposite of that. I was a big believer that virtualization, “Complete flash in the pan; who's going to use that?” Public cloud, “Are you out of your tree? No one's going to trust other companies with their holy of holies.” And I also spent a lot of time crapping on containers and not actually getting into them. Instead, I leapfrogged over into the serverless land, which I was a big fan of, which of course means that it's going to be doomed sooner or later.
My security position has also somewhat followed similar tracks where, back when you're running virtual machines that tend to be persistent, you really have to care about security because you are running full-on systems that are persistent, and they run all kinds of different services simultaneously. Looking at Lambda Functions, for example, in the modern serverless world, I always find a lot of the tooling and services and offerings around security for that are a little overblown. They have a defined narrow input, they have a defined output, there usually aren't omnibus functions shoved in here where they have all kinds of different code paths. And it just doesn't have the same attack surface, so it often feels like it's trying to sell me something I don't need. Security in the container world is one of those areas I never had to deal with in anger, as a direct result. So, I have to ask, how bad is it?
Anna: Well, I have some data to share with you, but I'll start by saying that I maybe was the opposite of you, so we'll see which one of us wins this one. I was an instant container fangirl from the minute I discovered them. But I crapped out—
Corey: The industry shows you were right on that one. I think the jury [laugh] is pretty much in on this one.
Anna: Oh, I will take it. But I did crap on Lambda Functions pretty hard. I was like, “Serverless? This is dumb. Like, how are we ever going to make that work?” So, it seems to be catching on a little bit, at least it. It does seem like serverless is playing the function of, like, the glue between bits, so that does actually make a lot of sense. In retrospect, I don't know that we're going to have—
Corey: Well, it feels like it started off with a whole bunch of constraints around it, and over time, they've continued to relax those constraints. It used to be, “How do I package this?” It's, “Oh, simple. You just spent four days learning about all the ins and outs of this,” and now it's, “Oh, yeah.
You just give it a Dockerfile?” “Oh. Well, that seems easier. I could have just been stubborn and waited.” Hindsight.
Anna: Yeah, exactly. So, containers as they are today, I think are definitely much more usable than they were five-plus years ago. There are—again, there's a lot of commercial support around these things, right? So, if you're, you know, like, a big enterprise client, then you don't really have time to fool around in open-source, you can go in, buy yourself a thing, and they'll come with support, and somebody will hold your hand as you figure it out, and it's actually quite, quite pleasant. Whether or not that has really gone mainstream or whether or not we've built out the entire operational ecosystem around it in a, let's say, safe and functional way remains to be seen. So, I'll share some data from our report, which is actually kind of the key thing I want to talk about.
Corey: Yeah, I wanted to get into that. You wound up publishing this somewhat recently, and I regret that as of the time of this recording, I have not yet had time to go into it in-depth, and of course eviscerate it in my typical style on Twitter—although that may have been rectified by the time that this show airs, to be very clear—but it's the Sysdig “2022 Cloud-Native Security and Usage Report”.
Anna: Please at me when you Twitter-shred it. [laugh].
Corey: Oh, when I read through and screenshot it, and I'd make what observations that I imagine are witty. But I'm looking forward to it; I've done that periodically with the Flexera “State of the Cloud” report for the last few years, and every once in a while, whenever there's a, “We've done a piece of thought leadership, and written a report,” it's, “Oh, great. Let's make fun of it.” That's basically my default position on things. I am not a popular man, as you might imagine.
But not having had the chance to go through it in-depth, what did this attempt to figure out when the study was built, and what did you learn that you found surprising?
Anna: Yeah, so the first thing I want to point out because it's actually quite important is that this report is not a survey. This is actual data from our actual back end. So, we're a SaaS provider, we collect data for our customers, we completely anonymize it, and then we show in aggregate what in fact we see them doing or not doing. Because we think this is a pretty good indicator of what's actually happening versus asking people for their opinion, which is, you know, their opinion.
Corey: Oh, I love that. My favorite lies that people tell are the lies they don't realize that they're telling. It's, I'll do an AWS bill analysis and, “Great. So, tell me about all these instances you have running over in Frankfurt.” “Oh, we don't have anything there.” I believe you're being sincere when you say this, however, the data does show otherwise, and yay, now we're in a security incident.
Anna: Exactly.
Corey: I'm a big believer of going to the actual source for things like this where it's possible.
Anna: Exactly. So, I'll tell you my biggest takeaway from the whole thing probably was that I was surprised by the lack of… surprise. And I work in cloud-native security, so I'm kind of hoping every single day that people will start adopting these modern patterns of, like, discarding images, and deploying new ones when they found a vulnerability, and making ephemeral systems that don't run for a long time like a virtual machine in disguise, and so on. And it appears that that's just not really happening.
Corey: Yeah, it's always been fun, more than a little entertaining, when I wind up taking a look at the aspirational plans that companies have.
“Great, so when are you going to do”—“Oh, we're going to get to that after the next sprint.” “Cool.” And then I just set a reminder and I go back a year later, and, “How's that coming?” “Oh, yeah. We're going to get to that next sprint.” It's the big lie that we always tell ourselves that right after we finish this current project, then we're going to suddenly start doing smart things, making the right decisions, and the rest. Security, cost, and a few other things all tend to fall on the side of, you can spend infinite money and infinite time on these things, but it doesn't advance what your business is doing, but if you do none of those things, you don't really have a business anymore. So, it's always a challenge to get it prioritized by the strategic folks.
Anna: Exactly. You're exactly right because what people ultimately do is they prioritize business needs, right? They are prioritizing whatever makes them money or creates the trinkets they're selling faster or whatever it is, right? The interesting thing, though, is if you think about who our customers would be, like, who the people in this dataset are, they are all companies who are probably more or less born in the cloud or at least have some arm that is born in the cloud, and they are building software, right? So, they're not really just your average enterprises you might see in a Gartner client base, which is more broad; they are software companies. And for software companies, delivering software faster is the most important thing, right, and then delivering secure software faster should be the most important thing, but it's kind of like the other thing that we talk about and don't do. And that's actually what we found. We found that people do deliver software faster because of containers and cloud, but they don't necessarily deliver secure software faster because, as is one of our data points, 75% of containers that run in production have critical or high vulnerabilities that have a patch available.
So, they could have been fixed but they weren't fixed. And people ask why, right? And why, well, because it's hard; because it takes time; because something else took priority; because I've accepted the risk. You know, lots of reasons why.
Corey: One of the big challenges, I think, is that I can walk up and down the expo hall at the RSA Conference, which until somewhat recently, you were not allowed to present at or exhibit at unless you had the word ‘firewall’ in your talk title, or wound up having certain amounts of FUD splattered across your banners on the show floor. It feels like there are 12 products—give or take—for sale there, but there are hundreds of booths because those products have different names, different messaging, and the rest, but it all feels like it distills down to basically the same general categories. And I can buy all of those things. And it costs an enormous pile of money, and at the end of it, it doesn't actually move the needle on what my business is doing. At least not in a positive direction, you know? We just set a giant pile of money on fire to make sure that we're secure. Well, great. Security is never an absolute, and on top of that, there's always the question of what are we trying to achieve as a business. As a goal—from a strategic perspective—security often looks a lot like, “Please let's not have a data breach that we have to report to people.” And ideally, if we have a lapse, we find out about it through a vector that is other than the front page of The New York Times. That feels like it's a challenging thing to get prioritized in a lot of these companies. And you have found in your report that there are significant challenges, of course, but also that some companies in some workloads are in fact getting it right.
Anna: Right, exactly.
So, I'm very much in line with your thinking about this RSA shopping spree, and the reality of that situation is that even if we were to assume that all of the products you bought at the RSA shopping center were the best of breed, the most amazing, fantastic, perfect in every way, you would still have to somehow build a program on top of them. You have to have a process, you have to have people who are bought into that process, who are skilled enough to execute on that process, and who are more or less in agreement with the people next door to them who are stuck using one of the 12 trinkets you bought, but not the one that you're using. So, I think that struggle persists into the cloud and may actually be worse in the cloud because now, not only are we having to create a process around all these tools so that we can actually do something useful with them, but the platform in which we're operating is fundamentally different than what a lot of us learned on, right? So, the priorities in cloud are different; the way that infrastructure is built is a little different, like, you have to program a YAML file to make yourself an instance, and that's kind of not how we are used to doing it necessarily, right? So, there are lots of challenges in terms of skills gap, and then there's just this eternal challenge of, like, how do we put the right steps into place so that everybody who's involved doesn't have to suffer, right, and that the thing that comes out at the end is not garbage. So, our approach to it is to try to give people all the pieces they need within a certain scope, so again, we're talking about people developing software in a cloud-native world, we're focused kind of on containers and cloud workloads even though it's not necessarily containers. So that's, like, our sandbox, right?
But whoever you are, right, the idea is that you need to look to the left—because we say ‘shift left’—but then you kind of have to follow that thread all the way to the right. And I actually think that the thing that people most often neglect is the thing on the right, right? They maybe check for compliance, you know, they check configurations, they check for vulnerabilities, they check, blah, blah, blah, all this checking and testing. They release their beautiful baby into the world, and they're like, okay, I wash my hands of it. It's fine. [laugh]. Right but—
Corey: It has successfully been hurled over the fence. It is the best kind of problem, now: Someone else's.
Anna: It's gone. Yeah. But it's someone else's—the attacker community, right, who are now, like, “Oh, delicious. A new target.” And like, that's the point at which the fun starts for a lot of those folks who are on the offensive side. So, if you don't have any way to manage that thing's security as it's running, you're kind of like missing the most important piece, right? [laugh].
Corey: One of the challenges that I tend to see with a lot of programmatic analysis of this is that it doesn't necessarily take into account any of the context because it can't. If I have, for example, a containerized workload whose entire job is to take an image from S3, run some analysis or transformation on it, then output the results of that to some data store, and that's all it's allowed to talk to, it can't ever talk to the internet, having a system that starts shrieking about, “Ah, there's a vulnerability in one of the libraries that was used to build that container; fix it, fix it, fix it,” doesn't feel like it's necessarily something that adds significant value to what I do. I mean, I see this all the time with very purpose-built Lambda Functions that I have doing one thing and one thing only.
“Ah, but one of the dependencies in the JSON processing library could turn into something horrifying.” “Yeah, except the only JSON it's dealing with is what DynamoDB returns. The only thing in there is what I've put in there.” That is not a realistic vector of things for me to defend against. The challenge then becomes when everything is screaming that it's an emergency when you know, due to context, that it's not, people just start ignoring everything, including the, “Oh, and by the way, the building is on fire,” as one of—like, on page five, that's just a small addendum there. How do you view that?
Anna: The noise-in-security problem, I think, is ancient and forever. So, it was always bad, right, but in cloud—at least some containers—you would think it should be less bad, right, because if we actually followed this sort of cloud-native philosophy, of creating very purp—actually it's called the Unix philosophy from, like, I don't know, before I was born—creating things that are fairly purposeful, like, they do one thing—like you're saying—and then they disappear, then it's much easier to know what they're able to do, right, because they're only able to do what we've told them they're able to do. So, if this thing is enabled to make one kind of network connection, like, I'm not really concerned about all the other network connections it could be making because it can't, right? So, that should make it easier for us to understand what the attack surface actually is. Unfortunately, it's fairly difficult to codify and productize the discovery of that, and the enrichment of the vulnerability information or the configuration information with that. That is something we are definitely focusing on as a vendor. There are other folks in the industry that are also working on this kind of thing. But you're exactly right, the prioritization of not just a vulnerability, but a vulnerability is a good example. Like, it's a vulnerability, right?
Maybe it's a critical or maybe it's not. First of all, is it exposed to the outside world somehow? Like, can we actually talk to this system? Is it mitigated, right? Maybe there's some other controls in place that are mitigating that vulnerability. So, if you look at all this context, at the end of the day, the question isn't really, like, how many of these things can I ignore? The question is, at the very least, which are the most important things that I actually can't ignore? So, like you're saying, like, the building's on fire, I need to know, and if it's just, like, a smoldering situation, maybe that's not so bad. But I really need to know about the fire.
Corey: This episode is sponsored in part by LaunchDarkly. Take a look at what it takes to get your code into production. I'm going to just guess that it's awful because it's always awful. No one loves their deployment process. What if launching new features didn't require you to do a full-on code and possibly infrastructure deploy? What if you could test on a small subset of users and then roll it back immediately if results aren't what you expect? LaunchDarkly does exactly this. To learn more, visit launchdarkly.com and tell them Corey sent you, and watch for the wince.
Corey: It always becomes a challenge of prioritization, and that has been one of those things that I think, on some level, might almost cut against a tool that works at the level that Sysdig does. I mean, something that you found in your report, but I feel like, on some level, is one of those broadly known, or at least unconsciously understood things is, you can look into a lot of these tools that give incredibly insightful depth and explore all kinds of neat, far-future, bleeding edge, absolute front of the world, deep-dive security posture defenses, but then you have a bunch of open S3 buckets that have all of your company's database backups living in them. It feels like there's a lot of walk before you can run.
And then that, on some level, leads to the wow, we can't even secure our S3 buckets; what's the point of doing anything beyond that? It's easy to, on some level, almost despair, want to give up, for some folks that I've spoken to. Do you find that is a common thing or am I just talking to people who are just sad all the time?
Anna: I think a lot of security people are sad all the time. So, the despair is real, but I do think that we all end up in the same solution, right? The solution is defense in depth, the solution is layered controls, so the reality is if you don't bother with the basic security hygiene of keeping your buckets closed, and like not giving admin access to every random person and thing, right? If you don't bother with those things, then, like, you're right, you could have all the tools in the world and you could have the most advanced tools in the world, and you're just kind of wasting your time and money. But the flipside of that is, people will always make mistakes, right? So, even if you are, quote-unquote, “Doing everything right,” we're all human, and things happen, and somebody will leave a bucket open on accident, or somebody will misconfigure some server somewhere, allowing it to make a connection it shouldn't, right? And so if you actually have built out a full pipeline that covers you from end-to-end, both pre-deployment, and at runtime, and for vulnerabilities, and misconfigurations, and for all of these things, then you kind of have checks along the way so that this problem doesn't make it too far. And if it does make it too far and somebody actually does try to exploit you, you will at least see that attack before they've ruined everything completely.
Corey: One thing I think Sysdig gets very right that I wish this was not worthy of commenting on, but of course, we live in the worst timeline, so of course it is, is that when I pull up the website, it does not market itself through the whole fear, uncertainty, and doubt nonsense.
It doesn't have the scary pictures of, “Do you know what's happening in your environment right now?” Or the terrifying statistics that show that we're all about to die and whatnot. Instead, it talks about the value that it offers its customers. For example, I believe its opening story is, “Run with confidence.” Like, great, you actually have some reassurance that it is not as bad as it could be. That is, on the one hand, a very uplifting message and two, super rare. Why is it that so much of the security industry resorts to just some of the absolute worst storytelling tactics in order to drive sales?
Anna: That is a huge compliment, Corey, and thank you. We try very hard to be kind of cool in our marketing.
Corey: It shows. I'm tired of the 1990s era story of, “Do you know where the hackers are?” And of course, someone's wearing, like, a ski mask and typing with gloves on—which is always how I break into things; I don't know about you—but all right, we have the scary clip art of the hacker person, and it just doesn't go anywhere positive.
Anna: Yeah. I mean, I think there certainly was a trend for a while of this FUD approach. And it's still prevalent in the industry, in some circles more than others. But at the end of the day, cloud is hard and security is hard, and we don't really want to add to the suffering; we would like to add to the solution, right? So, I don't think people don't know that security is hard and that hackers are out there. And you know, there's, like, ransomware on the news every single day. It's not exactly difficult to tell that there's a challenge there, so for us to have to go and, like, exacerbate this fear is almost condescending, I feel, which is kind of why we don't. Like, we know people have problems, and they know that they need to solve them. I think the challenge really is just making sure that A) can folks know where to start and how to build a sane roadmap for themselves?
Because there are many, many, many things to work on, right? We were talking about context before, right? Like, so we actually try to gather this context and help people. You made a comment about how having a lot of telemetry might actually be a little bit counterproductive because, like, there's too much data, what do I do well—
Corey: Here's the 8000 findings we found that you fail—great. Yeah. Congratulations, you're effectively the Nessus report as a company. Great. Here you go.
Anna: Everything is over.
Corey: Yeah.
Anna: Well, no shit, Nessus, you know. Nessus did its thing. All right. [laugh].
Corey: Oh, Nessus was fantastic. Nessus was—for those who are unaware, Nessus was an open-source scanner made by the folks at Tenable, and what was great about it was that you could run it against an environment, it would spit out all the things that it found. Now, one of the challenges, of course, is that you could white-label this and slap whatever logo you wanted on the top, and there were a lot of ‘security consultancies’ that use the term incredibly… lightly, that would just run a Nessus report, drop off the thick printout. “Here's the 800 things you need to fix. Pay me.” And wander on off into the sunset. And when you have 800 things you need to fix, you fix none of them. And they would just sit there and atrophy on the shelf. Not to say that all those things weren't valid findings, but you know, the whole, you're using an esoteric, slightly deprecated TLS algorithm on one of your back-end services, versus your Elasticsearch database does not have a password set. Like, there are different levels of concern here. And that is the problem.
Anna: Yeah. That is in fact one of the problems we're aggressively trying to solve, right? So, because we see so much of the data, we're actually able to piece together a lot of context to give you a sense of risk, right?
So, instead of showing all the data to the customer—the customer can see it if they want; like, it's all in there, you can look at it—one of the things we're really trying to do is collect enough information about the finding or the event or the vulnerability or whatever, so we can kind of tell you what to do. For example, one way you can do this is super basic, but if you're looking at a specific vulnerability, like, let's say it's like Log4j or whatever, you type it in, and you can see all your systems affected by this thing, right? Then you can, in the same tool, like, click to the other tab, and you can see events associated with this vulnerability. So, if you can see the systems that the vulnerability is on and you can see there's weird activity on those systems, right? So, if you're trying to triage some weird thing in your environment, during the Log4j disaster, it's very easy for you to be like, “Huh. Okay, these are the relevant systems. This is the vulnerability. Like, here's all that I know about this stuff.” So, we kind of try to simplify as much as possible—my design team uses the word ‘easify,’ which I love; it's a great word—to easify the experience of the end-user so that they can get to whatever it is they're trying to do today. Like, what can I do today to make my company more secure as quickly as possible? So, that is sort of our goal. And all this huge wealth of information we gather, we try to package for the users in a way that is, in fact, digestible. And not just like, “Here's a deluge of suffering,” like, “Look.” [laugh]. You know?
Corey: This is definitely complicated in the environment I tend to operate in, which is almost purely AWS. How much more complex does it get when people start looking into the multi-cloud story, or hybrid environments where they have data centers talking to things within AWS?
Because then it's not just the expanded footprint, but the entire security model works slightly differently in all of those different environments as well, and it feels like that is not a terrific strategy.
Anna: Yeah, this is tough. My feelings on multi-cloud are mostly negative, actually.
Corey: Oh, thank goodness. It's not just me.
Anna: I was going to say that, like, multi-cloud is not a strategy; it's just something that happens to you.
Corey: Same with hybrid. No one plans to do hybrid. They start doing a cloud migration, realize halfway through some things are really hard to move, give up, plant the flag, declare victory, and now it's called hybrid.
Anna: Basically. But my position—and again, as an analyst, you kind of, I think, end up in this position, you just have a lot of sympathy for the poor people who are just trying to get these stupid systems to run. And so I kind of understand that, like, nothing's ideal, and we're just going to have to work with it. So multi-cloud, I think, is one of those things where it's not really ideal, we just have to work with it. There's certainly advantages to it, like, there's presumably some level of mythical redundancy or whatever. I don't know. But the reality is that if you're trying to secure a pile of junk in Azure and a pile of junk in AWS, like, it'd be nice if you had, like, one tool that told you what to do with both piles of junk, and sometimes we do do that. And in fact, it's very difficult to do that if you're not a third-party tool because if you're AWS, you don't have much incentive to, like, tell people how to secure Azure, right? So, any tool in the category of, like, third-party CSPM—Gartner calls them CWPP—kind of, cloud security is attempting to span those clouds because they always have to be relevant, otherwise, like, what's the point, right?
Corey: Well, I would argue cynically there's also the VC model, where, “Oh, great.
If we cover multiple cloud providers, that doubles or triples our potential addressable market.” And, okay, great, I don't have those constraints, which is why I tend to focus on one cloud provider where I tend to see the problems I know how to solve as opposed to trying to conquer the world. I guess I have my bias on that one.
Anna: Fair. But there's—I think the barrier to entry is lower as a security vendor, right? Especially if you're doing things like CSPMs. Take an example. So, if you're looking at compliance requirements, right, if your team understands, like, what it means to be compliant with PCI, you know, like, [line three 00:28:14] or whatever, you can apply that to Azure and Amazon fairly trivially, and be like, “Okay, well, here's how I check in Azure, and here's how I check in Amazon,” right? So, it's not very difficult to, I think, engineer that once you understand the basic premise of what you're trying to accomplish. It does become complicated as you're trying to deal with more and more different cloud services. Again, if you're kind of trying to be a cloud security company, you almost have no choice. Like, you have to either say, “I'm only doing this for AWS,” which is kind of a weird thing to do because they're kind of doing their own half-baked thing already, or I have to do this for everybody. And so most default to doing it for everybody. Whether they do it equally well for everybody, I don't know. From our perspective, like, there's clearly a roadmap, so we have done one of them first and then one of them second and one of them third, and so I guarantee you that we're better in some than others. So, I think you're going to have pluses and minuses no matter what you do, but ultimately what you're looking for is coverage of the tool's capabilities, and whether or not you have a program that is going to leverage that tool, right? And then you can check the boxes of like, “Okay. Does it do the AWS thing? Does it do this other AWS thing?
Does it do this Azure thing?”Corey: I really appreciate your taking the time out of your day to speak with me. We're going to throw a link to the report itself in the [show notes 00:29:23], but other than that, if people want to learn more about how you view these things, where's the best place to find you?Anna: I am—rarely—but on Twitter at @aabelak. I am also on LinkedIn like everybody else, and in the worst case, you could find me by email, at anna.belak@sysdig.com.Corey: And we will of course put links to that in the [show notes 00:29:44]. Thank you so much for taking the time to speak with me today. I appreciate it.Anna: Thanks for having me, Corey. It's been fun.Corey: Anna Belak, Director of Thought Leadership at Sysdig. I'm Cloud Economist Corey Quinn and this is streaming on the cloud. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice, along with an angry comment telling me not only why this entire approach to security is awful and doomed to fail, but also what booth number I can find you at this year's RSA Conference.Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.Announcer: This has been a HumblePod production. Stay humble.
Anna Belak learned about containers and security as a Gartner industry analyst. She is now the Director of Thought Leadership at Sysdig, who have just published their latest annual Cloud Native Security and Usage Report. Anna joins Craig to discuss the report’s findings.

Do you have something cool to share? Some questions? Let us know:
web: kubernetespodcast.com
mail: kubernetespodcast@google.com
twitter: @kubernetespod

News of the week
Chaos Mesh moves to Incubation in CNCF
Episode 121, with Ed Huang
Google raises payouts for Kubernetes vulnerabilities
2021 VRP roundup
Sysdig teams up with Snyk, Snyk teams up with Sysdig
$25m investment in KubeCost
Episode 124, with Webb Brown

Links from the interview
Sysdig Cloud Native Security and Usage Report 2022
The last time we had a materials engineer on the show
Tricking a rock into thinking
Why Software is Eating The World
Can analysis be worthwhile? Is the theater really dead?
Industry analysts
Anna Belak at Gartner
Doge. Much wow
Sysdig $2.5 billion valuation
Beginnings
Source code
Episode 91, with Leonardo Di Donato
Tectonic Summit, 2015
Loris Degioanni
Episode 137, with Michael Gerstenhaber
Sysdig’s changing reports: 2017 2018 2019 2020 2021
GKE Autopilot
Are we human, or are we dancer?
Anna Belak on Twitter
If you've ever been curious about all things cloud native security, you're in luck because our host, Jeff DeVerter, and his guest, Mark Miller, from JupiterOne expand on the adventures of this exact subject. Special Guest: Mark Miller.
Salt Labs was created in 2021 to help the industry with tackling the increase in API threats. The research division of Salt Security focuses on not only finding API vulnerabilities, but also increasing awareness about API security and offering solutions to help mitigate such risks.
Links:
How to Bridge On-Premises and Cloud Identity: https://www.darkreading.com/vulnerabilities—threats/how-to-bridge-on-premises-and-cloud-identity-/a/d-id/1341512
How AWS is helping EU customers navigate the new normal for data protection: https://aws.amazon.com/blogs/security/how-aws-is-helping-eu-customers-navigate-the-new-normal-for-data-protection/
Cloud security should never be a developer issue: https://www.securitymagazine.com/articles/95641-cloud-security-should-never-be-a-developer-issue
Tool Sprawl & False Positives Hold Security Teams Back: https://www.darkreading.com/application-security/tool-sprawl-and-false-positives-hold-security-teams-back/d/d-id/1341517
The What and Why of Cloud-Native Security: https://containerjournal.com/editorial-calendar/cloud-native-security/the-what-and-why-of-cloud-native-security/
OSPAR 2021 report now available with 127 services in scope: https://aws.amazon.com/blogs/security/ospar-2021-report-now-available-with-127-services-in-scope/
Researchers Create New Approach to Detect Brand Impersonation: https://www.darkreading.com/endpoint/researchers-create-new-approach-to-detect-brand-impersonation/d/d-id/1341549
Privacy Law Update: Colorado Privacy Bill Becomes Law: How does it Stack Up Against California and Virginia?: https://www.adlawaccess.com/2021/07/articles/privacy-law-update-colorado-privacy-bill-becomes-law-how-does-it-stack-up-against-california-and-virginia/
CISA Launches New Website to Aid Ransomware Defenders: https://www.darkreading.com/threat-intelligence/cisa-launches-new-website-to-aid-ransomware-defenders/d/d-id/1341539
stopransomware.gov: https://stopransomware.gov

Transcript

Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guide you to better security in the cloud.

Announcer: If your mean time to WTF for a security alert is more than a minute, it's time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you're building a secure business on AWS with compliance requirements, you don't really have time to choose between antivirus or firewall companies to help you secure your stack. That's why Lacework is built from the ground up for the cloud: low effort, high visibility, and detection. To learn more, visit lacework.com. That's lacework.com.

Jesse: There are several larger topics within the realm of cybersecurity that come up constantly. Subscribers of MiS are likely seeing these emerge from topics I cover. Some of the most common themes lately are compliance, privacy, ransomware, and DevSecOps. So we are all working from common definitions, let's elaborate a bit on each.

Compliance is the process of meeting some list or lists of requirements, usually from an outside agency of some sort. Most people think about this in terms of laws like GDPR, SOC, HIPAA, FERPA, and others. These are great examples, but compliance includes meeting certification requirements like SOC 2, various ISO certifications, or PCI.

Privacy gets broad in terms of implementation, but at its core, it means the protection of information related to a person or organization. Basically, don't collect or disclose things you don't absolutely need to, and always ensure you have permission before any collection or disclosure of information.

Ransomware is the software that will destroy or disclose—or both—your data if you don't pay someone. DevSecOps is the methodology of writing software with secure practices and systems in mind from the start. It's that whole shift-left thing.

Meanwhile in the news.

How to Bridge On-Premises and Cloud Identity. Identity and access management, or IAM, is difficult without introducing wholly different environments. We have to pick an IAM solution, so we choose what works across all our environments and services. Of course, ultimately, this means implementing Single Sign-On, SSO, of some sort as well.

Sophisticated Malware is Being Used to Spy on Journalists, Politicians and Human Rights Activists. Not all horrible software sneaking into our devices and systems is from hidden criminal enterprises or nation-state-sponsored groups. Some of it sadly comes from for-profit companies. Just like a hammer can be used for horrible things, so can some security software.

A Complex Kind of Spiderweb: New Research Group Focuses on Overlooked API Security. APIs run our whole cloudy world. They're the glue and crossover communication mechanisms rolled into one conceptual framework. However, while we may introduce security flaws in our use of the billion APIs we have to use, the APIs themselves might have security vulnerabilities as well. I'm interested in the output from this practical research group to see if this bolsters API use and implementation in general.

How AWS is helping EU customers navigate the new normal for data protection. Managing regulatory compliance is a circus act on a good day. On a bad day, it's a complex web of sometimes conflicting and sometimes complementary solutions. Many organizations worldwide need to meet EU regulations, so be sure to know if you must as well.

Cloud security should never be a developer issue. I first thought this was the counterargument to the shift-left and DevSecOps movements, but this piece supports those movements. I like the view of supporting and protecting the developers to do better security. You don't need to hire a bunch of security experts and teach them to code; that wouldn't work so well. You can hire coders and teach them to code securely.

Announcer: If you have several PostgreSQL databases running behind NAT, check out Teleport, an open-source identity-aware access proxy. Teleport provides secure access to anything running behind NAT, such as SSH servers or Kubernetes clusters and—new in this release—PostgreSQL instances, including AWS RDS. Teleport gives users superpowers like authenticating via SSO with multi-factor, listing and seeing all database instances, getting instant access to them using popular CLI tools or web UIs. Teleport ensures best security practices like role-based access, preventing data exfiltration, providing visibility, and ensuring compliance. Download Teleport at goteleport.com. That's goteleport.com.

Jesse: Tool Sprawl & False Positives Hold Security Teams Back. Tool confusion and poorly tuned alerting systems plague IT and security alike. Think about how you can streamline this by consolidating both IT and security management monitoring and alerting tools into a set of tools spanning use cases. Also, you need to read this because a source of the article is one of the most forward-thinkers in security today: Kelly Shortridge.

The What and Why of Cloud-Native Security. Sometimes we humans struggle with the transition to a new paradigm. Well, most of the time. Despite rapid and drastic shifts in technology constantly since computers were a thing, we still struggle as professionals. Many of us had just gotten cybersecurity figured out when this cloud thing started raining on us. Let's get us all sorted out before we miss the rainy weather.

OSPAR 2021 report now available with 127 services in scope. If you think your compliance issues are complex, have you considered what a global cloud provider has to support? I've worked with compliance for over two decades and I still struggle to keep up with the pace of change. Thankfully, AWS breaks it down for you with the Outsource Service Provider Audit Report, or OSPAR.

Researchers Create New Approach to Detect Brand Impersonation. Brand impersonation is where someone puts up a site that looks just like yours, but it's a ruse to collect passwords and other information. Having a better way to find these and alert us is amazing. It used to be, this type of thing wasn't common because of the effort involved to do it. Now, it's far easier, even though the technology underpinning things has gotten much more complex.

Privacy Law Update: Colorado Privacy Bill Becomes Law: How does it Stack Up Against California and Virginia? If you aren't sure what privacy laws apply to your operations, you should consult legal advice and get on top of this quickly. There are laws being passed in many jurisdictions around the world tightening the requirements for storing, using, and reporting on people's information and activities in your environments.

CISA Launches New Website to Aid Ransomware Defenders. Many of us don't need to know the details about security things as long as they're monitored and managed by people who do know cybersecurity. However, we all need to better understand ransomware because it's a difficult-to-impossible problem to tackle without a concerted effort between multiple groups in our organizations. Check out the stopransomware.gov site for some help.

And now for the tip of the week. Compliance is often a messy thing. It shouldn't be the burden it ends up being for most of us. Use the AWS Artifact service to understand AWS compliance. This service saves you hours of trying to figure out what reports to give your auditors for security compliance. Get in there and look around; it's peace of mind, just one URL away. You can manage various compliance-related agreements in there as well, so it's a fantastic resource. And that's it for the week. Securely yours, Jesse Trucks.

Jesse: Thanks for listening. Please subscribe and rate us on Apple and Google Podcasts, Spotify, or wherever you listen to podcasts.

Announcer: This has been a HumblePod production. Stay humble.
Cloud native computing is bringing about such a sea change in how applications are developed, deployed and run that, not surprisingly, it is changing the rules for information security as well. Case in point: serverless computing.

In this latest edition of The New Stack Makers podcast, we speak with Check Point's Cloud Security Strategist Hillel Solow, who has been at the cutting edge of these changes. Solow co-founded Protego Labs, a pioneer in serverless security. Security vendor Check Point saw the writing on the security wall early on and gobbled up Protego in 2019. The New Stack Publisher Alex Williams and TNS Editor Joab Jackson hosted this episode.
Extended Berkeley Packet Filter (eBPF) allows us to tap into the kernel to implement monitoring, observability, networking, and security. In this episode, we invited Chris Kranz and Liz Rice to discuss the usage and adoption of eBPF within Cloud Native solutions.

References
http://www.brendangregg.com/
https://nathanleclaire.com/
https://github.com/iovisor/bpftrace
https://ebpf.io/what-is-ebpf
https://github.com/lizrice/ebpf-beginners
eBPF for Windows: https://www.youtube.com/watch?v=LrrV-eo6fug
Community: http://slack.cilium.io/
eBPF Summit 2021: https://ebpf.io/summit-2021/
Please visit our YouTube Channel to see Chris present in our June 2021 Gathering (monthly meet-up).

Guest Speakers

Chris Kranz
Chris supports the Sales Engineering team in EMEA at Sysdig, helping make cloud native easier and more secure for Sysdig customers. Before joining Sysdig, he spent time building microservices and cloud applications with various end users, and before that lived a life of cloud, virtualisation and storage!
https://www.linkedin.com/in/ckranz/
@ckranz

Liz Rice
Liz is focused on containers, cloud native technologies, security and distributed systems, and heavily involved in open source as the chair of the Technical Oversight Committee of the Cloud Native Computing Foundation (CNCF), and an ambassador for OpenUK.
https://www.linkedin.com/in/lizrice/
@lizrice

Your Hosts
Michael Man: https://www.linkedin.com/in/mman/
Glenn Wilson: https://www.linkedin.com/in/glennwilson/

DevSecOps - London Gathering
Keep in touch with our events associated with this podcast.
https://www.meetup.com/DevSecOps-London-Gathering/
https://twitter.com/DevSecOps_LG
https://www.youtube.com/c/DevSecOpsLondonGathering
Attendees
Guest: Gadi Naor
Guest Title: VP Software Engineering, Cloud Security @ Rapid7
Topic: Cloud Native Security Foundations

Abstract
Recently, the CNCF (Cloud Native Computing Foundation) released the cloud native security whitepaper: the first release of security guidelines for organizations that adopt cloud native approaches. In order to better understand the guidelines, we hosted Gadi Naor, VP Software Engineering, Cloud Security @ Rapid7, and co-author of the guidelines, for a conversation about what cloud native security is and why and how organizations should adopt this approach.
In Episode S3E4, we talk with Abhay Bhargav, founder of we45, an Application Security Company, and also the Chief Research Officer of AppSecEngineer, a hands-on online training platform for AppSec, Cloud-Native Security, Kubernetes Security, and DevSecOps. We talk about why it's important to foster a culture of collaboration between security and engineering teams, and what can happen if you don't collaborate. We discuss the role of automation in DevSecOps and how it can be implemented. Finally, we touch on Infrastructure as Code (IaC). Please join us for an interesting conversation.

Abhay Bhargav started his career as a breaker of apps, in pen testing and red-teaming, but today is more involved in scaling AppSec with Cloud-Native Security and DevSecOps. He is a pioneer in the area of DevSecOps and AppSec Automation, including the world's first hands-on training program on DevSecOps, focused on Application Security Automation. In addition to this, Abhay is active in his research of new technologies and their impact on Application Security, specifically Cloud-Native Security.

---

This episode is sponsored by · Anchor: The easiest way to make a podcast. https://anchor.fm/app
This edition of The New Stack Makers podcast features a number of guests who speak during Palo Alto Networks' Cloud Native Security Virtual Event. It kicks off with none other than Seth Meyers, an Emmy Award-winning comedian of “Late Night with Seth Meyers” and “Saturday Night Live (SNL)” fame. Meyers' interview with Palo Alto Networks founder and CTO Nir Zuk is followed by a customer roundtable hosted by Alex Williams, founder and publisher of The New Stack, with guests Brian Cababe, director of cyber security, architecture and governance, Cognizant; Tyler Warren, director of IoT security, Prologis; and Alex Jones, infosec manager, Cobalt.io. The event concludes with a talk on Prisma Cloud 2.0, given by Varun Badhwar, senior vice president, product, Palo Alto Networks.

Meyers began the session by declaring that “much like Nir Zuk, I am a cyber security luminary.” He also said he didn't want to “brag too much” about his accomplishments, but said using your mother's maiden name to recover passwords was his idea. Meyers then asked Zuk, while at least feigning to be serious, what cloud native means for organizations, as well as its impact on security management.
Federal agencies are increasingly viewing DevSecOps as an enabler of their migration to the cloud. DevSecOps brings rapid application development, more reliable applications, and increased security to their applications. Palo Alto Networks has continued to enable our customers to streamline their application development and shift security left. Listen to the podcast to hear Brian Wegner, Systems Engineer for Palo Alto Networks, discuss how these solutions have enabled our customers to achieve a Continuous Authority to Operate (cATO) and implement Zero Trust Architecture for their applications.
Attendees
Guest: Benjy Portnoy
Guest Title: Sr. Director, Solution Architects
Company: Aqua Security

Abstract
A cloud-native security strategy entails protecting the infrastructure, the build, and running workloads. In this episode, we spoke with Benjy Portnoy, Sr. Director of Solution Architects at Aqua Security, regarding cloud-native security fundamentals. We also delve into various attacks identified in the recently published Cloud Native Threat Report by Aqua's security research team, Nautilus.

Timing
0:00 Introducing our guest
2:50 What is cloud native security
5:11 Sorting out between CWPP, CSPM & DevSecOps
8:01 Protecting the build, the platform and workload
10:30 Understanding what is CASB
12:45 Diving into the Kinsing attack
29:11 Summary and last words
This conversation covers:
How Frame.io was faced with the decision to be cloud native or cloud-enabled — and the business and technical reasons why Frame.io chose to be cloud native.
How Abhinav successfully built a world class cloud-native security program from the ground up to protect Frame.io users' sensitive video content. Abhinav also talks about the special security considerations for truly cloud native applications.
Cloud native as a “journey without a destination.” In other words, there is no end point with cloud native transitions, because new technologies are always being developed.
Why Abhinav is a firm believer in both ISEs and GitOps, and why he thinks the industry should embrace both of these strategies.
The challenge of not only maintaining security in this type of environment, but also communicating security issues to various stakeholders with different priorities. Abhinav also talks about the role that specialists like AWS and machine learning experts can play in furthering security agendas.
Common misconceptions about cloud native security.
Frame.io's decision to roll out Kubernetes, and why they are also considering adding chaos engineering to fortify against unexpected issues.
Tool and vendor overload, and the importance of trying to find the right tools that fit your infrastructure.

Links:
Frame.io: https://frame.io/
Connect with Abhinav on LinkedIn: https://www.linkedin.com/in/absri/
The Business of Cloud Native: http://thebusinessofcloudnative.com

Transcript

Announcer: Welcome to The Business of Cloud Native podcast where we explore how end users talk and think about the transition to Kubernetes and cloud-native architectures.

Emily: Welcome to The Business of Cloud Native. I'm Emily Omier, your host, and today I am chatting with Abhinav Srivastava. Abhinav, can you go ahead and introduce yourself and tell us about where you work, and what you do.

Abhinav: Thanks for having me, Emily. Hello, everyone. My name is Abhinav Srivastava. I'm a VP and the head of information security and infrastructure at Frame.io. At Frame, I am building the security and infrastructure programs from ground up, making sure that we are secured and compliant, and our services are available and reliable. Before joining Frame.io, I spent a number of years in AT&T Research. There I worked on various cloud and security technologies, wrote numerous research papers, and filed patents. And before joining AT&T, I spent five great years in Georgia Tech on a Ph.D. in computer science. My dissertation was on cloud and virtualization security.

Emily: And what do you do? What does an average day look like?

Abhinav: Right. So, just to tell you where I—answer the question where I work: so I work at Frame.io, and Frame.io is a cloud-based video review and collaboration startup that allows users to securely upload their video contents to our platform, and then invite teams and clients to collaborate on those uploaded assets. We are essentially building the video cloud, so you can think of us as a GitHub for videos. What I do when I get to the office—apart from getting my morning coffee—as soon as I arrive at my desk, I check my calendar to see how's my day looking; I check my emails and Slack messages. We use Slack primarily within the company for communication. And then I do my daily standup with my teams. We follow a two-week sprint across all departments that I oversee. So, a standup gives me a good picture of the current priorities and any blockers.

Emily: Tell me a little bit about the cloud-native journey at Frame.io. How did the company get started with containers, and what are you using to orchestrate now? How have you moved along in the cloud-native journey?

Abhinav: We are a born-in-the-cloud, kind of, company. So, we are hosted in Amazon AWS since day one. So, we are in the cloud from the get-go. And once you are in the cloud, it is hard not to use tools and technologies that are offered, because our goal has always been to build secure, reliable, and available infrastructure. So, we were very, very mindful from the get-go that while we are in the cloud, we can choose to be cloud-native or just cloud-enabled. Means use tools, just virtual machines, or heavyweight virtual machines, and not to use container and just host our entire workload within that. But we chose to be cloud-native because, again, they wanted to boot up or spin up new containers very fast. As a platform we, as I mentioned, we allow users to upload videos, and once the videos are uploaded, we have to transcode those videos to generate different low-resolution videos. And that use case fits with the lightweight container model. So, from the get-go, we started using containerized microservices; orchestration layer; from AWS, their auto-scaling; automation, infrastructure as code; monitoring. So all those things were, kind of, no-brainers for us to use, given our use case and given the way we wanted to be a very fast uploader and transcoder for all of our customers.

Emily: This actually leads me to another question: have you guys seen a lot of scaling recently as a result of stay-at-home orders and work from home?

Abhinav: Right. So, we are seeing a lot more people moving towards remote collaboration tools who are actually working in the production house since they have to work from home now. So, they are now moving to these kinds of tools such as Frame.io. And we do see a lot more customers joining our platform because of that. From the traffic perspective, we did not see much increase in the web traffic or load on our infrastructure, because we have always set up the auto-scaling and our infrastructure can always meet these peak demands. So, we didn't see any adverse effect on our infrastructure from these remote situations.

Emily: What were some of the other advantages? Like you were talking about that you had the choice to be either cloud-enabled or truly cloud-native? What were the biggest, you know—and I'm interested, obviously in business rationale to the extent you can talk about it—for being truly cloud-native?

Abhinav: So, from a business perspective, again, a goal was to [basic] secure available and reliable production infrastructure to offer Frame.io services. But cloud-native actually helped us to faster time to market because our developers are just focusing on the business logic, deploying code. They were not worried about the infrastructure aspect, which is good. Then we're rolling out bug fixes very quickly through the CI/CD platform, so that, again, we offer the better [good] services to our customer. Cloud-native helped us to meet our SLA and uptime so that our customer can access their content whenever they would like to. It also helped us in securing our infrastructure and services, and our cost also went down because we were scaling up and down based on the peak demand, and we don't have to provide dedicated resources, so that's good there. And it also allowed us to faster onboard developers to our platform because we are using a lot of open source technologies, and so the developers can learn quickly—there are a lot more resources out there for them to learn. And it also helped us avoid vendor lock-in. We are relying on more and more open-source projects, CNCF [unintelligible] projects, so that has helped us. And more importantly, it is helping us stay competitive because in this industry—in this time—we would like to be available, we would like to be secure. So, for our customers to stay doing their job that they used to do in an office setting or in a non-remote setting, and we can continue providing help that they need.

Emily: How has this changed the security story?

Abhinav: So, obviously, the security story is the same as what we had before because, I mean, we allow people to upload their media content to our platform. So, that's very sensitive content. So, we always wanted to make sure that they stay secure. And for that, we have built a world-class security program from ground up, with emphasis on product security, cloud security, security data science, and also compliance and privacy program. So, we are doing what we used to do: making sure that content is still secure, our infrastructure follows the AWS security best practices, we can identify vulnerabilities within our application and fix them. So, again, as I said, it hasn't changed much from a security perspective, as far as Frame.io's daily operations are concerned.

Emily: How does having a truly cloud-native application, how is that different from a security perspective from something that isn't cloud-native?

Abhinav: So, security is very important whether you are cloud-enabled or cloud-native. So, security is very important for all the services. Being in the world of microservices and in the container, actually, it helped us to model the application behavior. For example, if you have one very big monolithic application, it does so many things, so it's really hard for you to know, to find out what's the normal execution pattern. And when this application is going to—if it's attacked, how it's going to behave, how does abnormal execution look like? But in the microservices world, since each application, each microservice is getting one job. So, you can create a good model of behavior of that container. Or even if you are monitoring their runtime behavior, you know what kind of processes are going to be invoked from that container? What kind of network connections are going to be made? What are the files that are going to be accessed by the services within the host, or within S3, or other resources? So, you know their interaction pattern—execution pattern, and that, you can qualify, both in terms of your security rules that you want to create on the infrastructure for those services, or you can create better anomaly detection or machine learning models for those behaviors. And we did both in our infrastructure to keep them secure.

Emily: And how do conversations about security go when you talk with different stakeholders? I'm curious to know if there's any sort of miscommunications, or things that are lost in translation when you're talking about security with, say, the development team; with the business stakeholders; with platform engineers. What are some of the things—anything that gets lost in translation?

Abhinav: So, there are two parts of this question. In general, having a discussion around cloud-native services and the security of cloud-native services. Because there are various ways you can deploy a service in the cloud, you can have a service deployed in the cloud just by running a bunch of VMs, or you can deploy it using cloud-native architecture where you have doing all those things. But the cloud-native architecture requires you to think of all the stages of the services. For example, how will SLAs, SLOs, SLIs look like for this service? Or, how do you monitor the service when it executes? How will you protect these services when you deploy them? What kind of resources are going to be accessed by this service? How will you create their identity and management rules there? How would you deploy it and how would you create network rules for that so that you can do it in a principle of least privilege fashion, you can execute these services?

So, you need to do proper planning of how a new service is going to interact with other services in the infrastructure. And these non-functional requirements are, many times, described poorly or not written at all because as a developer, you would like to create a service and deploy the service, so that the customer can use it. And these are the things behind the scenes we have to think about. And we, as a team, are working very actively to bridge this knowledge and semantic gap so that these things don't get lost in the translation when you're thinking about the service.

Emily: What about when you talk to, say, business stakeholders? Is there anything that gets lost in the translation?

Abhinav: So, I mean, in the business sense, we always have to keep the discussion at a very high level. That, what's the use of the service? Or, where should we deploy? Who are going to be the users? So, at that time, we don't want to talk about those underlying infrastructure-related issues because at the business level, we would like to know how the service is going to function, and mostly functional requirements. But at the low level, we would like to think about that when we are about to design these services, what are the things we have to worry about in order for that service to deploy securely and reliably?

Emily: How important is security to Frame.io? Not every company thinks the same about security, I should say.

Abhinav: And that's a great question. I think for us, security is very important. I know every company says that, but I think we truly mean that. So, we are close to 150 employees, but I was hired around when I was a [00:12:31 unintelligible] employee as a head of security. So, that shows that we care about security. And I have been building security from ground up. We got our SOC 2 Type II compliance when we were around 70 employees. And there are companies out there who are doing SOC 2, and they are a thousand employees. So, we are GDPR compliant; we are working towards our CCPA compliance, and we are TPN compliant as well. TPN stands for Trusted Partner Network, which is the [same world] media, and entertainment companies, and industry users. And we were among the first few companies who got that certification, also. So, we care about security very much because we allow users to upload their contents in our cloud and we make sure that those contents remain secure.

Emily: And so, is there any tension that you feel between talking about security or making things as secure as possible, and either business stakeholders or other parts of the IT team?

Abhinav: So, there is definitely a tension. [laughs]. If I say no, then I would be lying because our goal—engineers or developers or service creators, they want to deploy the service. They will get satisfaction once the customers start using those services. And our job is to make sure to—we put some guardrails in place—or barriers in place so that we can vet the application, we can vet the service, we can do the proper testing, we can make sure that by deploying the service, we don't increase our exploitable surface. So, that kind of tension will always be there because, by nature, security's job is to make sure that whatever is deployed is secure. Our infrastructure is secure and the service owner's job is to deploy the service. But I think what we are trying to do in the organization, we are trying to take a risk-based approach because security is just another business function. The way sales is important, the way engineering is important, the same way that security is important. And there's a risk in this environment of not meeting sales targets, same way there's a risk of getting breached. So, how do we provide a risk-based methodology so that when we talk about security, we talk in terms of risk; we talk in terms of probabilities versus possibilities? Because there is always a possibility of something going wrong, but what's the probability of something happening? And that basically gives us some way of talking to other business-holders saying that, “Okay, if you deploy the service the risk is high. But the risk is high because the likelihood of getting breached is high, but impact would be very low. So, since risk is the product of impact and likelihood, overall the risk is low.” But sometimes the risk is that the chance of getting attacked is very low, but the impact could be very high. Again, you will have risk low because the probability of that event actually happening is low. So, that basically gives us some common language we can use to talk to other business-holders because risk is being used as a language across other departments. We try to use the same language to convey cybersecurity risk as well.

Emily: Since starting with Frame.io and building this security program from the ground up, what surprises have you encountered?

Abhinav: I would say there were many surprises. First of all, I had those surprises because I come from a background of research and development. There, the goal was to develop services, the goal was to think about new security products, and the goal was to think of attacks and come up with defenses for them. Having the responsibility of building the security program from ground up, or having to adjust to this risk-based mentality was a big surprise because it's not that just because there is a bug, engineering is going to fix it. You have to show the impact of that bug. You should have a proper [unintelligible] associated with that. You have to show what are the ways that bug can be launched. So, it means, just because you care about security, doesn't mean that everybody else cares about security. So, you have to keep the communication on.
You have to always talking, you have to always adjusting, and you have to use the right language to the right person that you are talking to.Emily: What tips do you have about adjusting your language for different audiences and getting them to understand what you're talking about?Abhinav: So, one thing is to use risk-based methodology. That is saying that, “Oh, we have a bug, or we have a high priority bug.” I think saying that, “What is the impact of that bug? How would that bug be exploited in a real setting?” I think those things are important because people care about security, but then they have hundred other things to do, as well. So, how do you talk to their language? And also building the right team, as well. So, if you want to target product security, you have to have a product security specialist, who can understand these nuances; who can understand what are the different attacks. Some companies build a security team with many generalists. I took an approach where I'm building team with the specialists. So, for product security, I have two core product security engineers who have done this thing many times before. For cloud security, I have a specialist who knows about AWS Cloud and everything. For security data science, I have a machine learning expert. So, for each of those roles that you have mined, you try to fill the position with the right set of people. And coming back to this cloud-native security. I think one thing is very important in the cloud-native world, as I have realized lately, that infrastructure as a goal is very important piece for securing your cloud. It's not that I or the team don't know about it, but the temptation to do things quickly sometimes resorting to manual work instead of writing your Terraform or CloudFormation. So, you can do things quickly, but then the chances of you making error are also high. 
Because if you go to Terraform, you can follow the regular CI/CD process, you can have your pull request approved by somebody, and chances of finding a error quickly is high. And for security purposes, infrastructure code is a blessing. Because you can put proper guard rails in place to make sure that nobody does manual operation in the infrastructure, and everything goes through proper approval process, and that will—as a head of security if you know that if somebody wants to do anything or open any port in the infrastructure, two people are going to look at it and then they're going to have a dialogue with each other, and they're going to find out the real need for opening that port. Your life will be a lot simpler. Emily: What do you think are some misconceptions about cloud-native security, both inside the engineering department—so developers, for example—and then outside in the rest of the company?Abhinav: I think misconception that I view—and it's my opinion—is that the only thing that is important is deploying fast, or moving to production very fast. I think there are so many things has to be done behind the scene in order for you to move fast. And if you don't do those things, then it means that either you're going to break your application, or you're going to make your infrastructure insecure. So, for example, if you have a CI/CD set up and you want to deploy a business logic, and you think that, “Oh, I can code that thing in AWS Lambda functions.” AWS Lambda function is completely managed service. You went ahead and coded in Python, and your service is up and running. But now in doing so, what you did quickly that you forgot to follow the best practices that Lambda function has to be within the VPC; you need to generate an IAM role that has restricted permission; you have to make sure that proper security groups has to be attached to Lambda functions so that it is not open to www. 
And those things are part of misconception that, “Oh, if I have to do something, AWS allows that we can do it quickly.” That's what we are trying to do. We are trying to come up with a set of best practices for each of those resources as a team, writing documents, sharing with engineering that, “Okay, you want to do it? Sure, go ahead, do it, but just follow these best practices.” So, that even if you SAM or Terraform, whatever you want to use to deploy your application, make sure that best practices are always followed.Emily: Can you think of any misconceptions about cloud-native security that, say, somebody might have if they're coming from a legacy environment: managing security but in a very different type of environment.Abhinav: So, I mean, cloud-native security is all about making sure that your microservices are secure, the kind of access pattern they have, kind of network pattern they have. So, I think one misconception is that—you can think of misconception is, if you are coming from a monolithic world, where you have logged on your services, but just by assuming that you have a parameter between outside world and inside world, so your firewall rules are just like that between in and out. But that parameter is blurred now. There is no such thing as a “them versus us.” It's all blurred now. So, in the microservices world, instead of North/South traffic going up and down. You have to think about East/West traffic as well. So, making sure that your service communication are secure as well: you make sure you use proper cryptography, make sure your endpoints are authenticated so that your services are not compromised. Because if one service compromised, if you don't use proper control among those services, then your other services can be compromised very quickly. 
And that's the problem when we go from monolithic application to microservices.Emily: Do you think that people outside of the security team understand that distinction?Abhinav: I would say they do, to the extent that they know about it, but then when we have to actually implement it, there are always some concerns that it is going to slow down our application, it is going to introduce latency in the application. So, people do understand that okay parameter is going away, but to the extent that they know about it, but when you—again, when we start implementing it, there is always concern that how it's going to play out.Emily: Do you think Frame.io is fully cloud-native? Do you think there's anything that you could do to be more quote-unquote, “cloud native.”Abhinav: So, in my opinion, it is a journey without any destination. Just like security, you can never say, “I'm secure.” You will have to adjust your control based on the threats or attacks going on. In the same way, there is no end to transition to cloud-native because new technologies are coming, and we will have to evaluate new tools that can help us realize our business goals effectively. So, we are cloud-native, but still, we can do a lot more things, given time and resources. So, in some concrete world that we are doing right now, that we are creating more tools for developers to perform tasks themselves. So, creating more self-serve culture. As I said that moving towards more [IFC] model, and so on. And for that, we are setting up guardrails so that they can perform those operations within those boundaries without impacting security and reliability. We are also looking into ways to extend Kubernetes. Because Kubernetes is in itself a full cloud platform with a lot of possibilities. So, we are interested in making it more programmable for our environment. But these are ongoing things that we'll have to continue doing it.Emily: Do you have any other next steps that you could share? 
What's next in your journey?Abhinav: So, we rolled out Kubernetes in our infrastructure last December, and that move paid us off. So, we are building more tools on Kubernetes. As I said, that we are going towards more self-service style of architecture where developers can do a lot more things within those guardrails and we are also looking into ways to introduce chaos engineering in our environment because we do things fast, but we break things fast as well. [laughs]. So, one small configuration error can create severity zero alert. So, what we need is a good chaos engineering practices to simulate these areas, so that everybody can train on these events and know how to prevent and respond to such problems. That will reduce our incident resolution time as well.Emily: When—sort of last question: anything else that you would like to add?Abhinav: Two things, I think. One thing is we all should be going towards IFC and GitOps; infrastructure code and GitOps. If this is the one takeaway from this podcast, is that that's the way to go. I know manually doing work is tempting, but that creates problem down the road. So, life will be a lot simpler if we go with the IFC and GitOps. Second thing is that I feel this pain, and many other people are facing the same way, that there are too many tools and vendors out there. So, it's really hard to choose from what is going to work in your environment. CNCF is helping us by highlighting some of these projects by assigning proper maturity levels, like sandbox incubation, and graduated project, so on, but it still is very challenging to find the right tooling that fits your infrastructure. 
So, always make sure that when you choose a new technology, see how it's going to be working with your existing technologies because it's not that easy to throw away an existing thing because all these things that the tool that you try, it also complicates your security as well because you just do not know how it's going to play out when you deploy this new technology in your environment where the other tools and services are running. So, I think we have to evaluate all tools carefully to make sure that we understand its a security and reliability impact on our existing infrastructure.Emily: What is your can't live without engineering tool or security tool?Abhinav: Huh, that's a good question. Right now, one tool that I cannot live without is Falco. That is a runtime container monitoring solution. We invested a lot on it, and it is paying off in terms of the kind of alert it is generating, kind of visibility it is providing in our infrastructure. And one tool I can't leave off from both from security infrastructure perspective is Slack because we have done a lot of automation to bring all these alerts through Slack. So, all of our ops happen via Slack. So, I think these are the two tools I'm relying a lot in terms of visibility and in terms of response.Emily: Well, thank you so much for joining me.Announcer: Thank you for listening to The Business of Cloud Native podcast. Keep up with the latest on the podcast at thebusinessofcloudnative.com and subscribe on iTunes, Spotify, Google Podcasts, or wherever fine podcasts are distributed. We'll see you next time.This has been HumblePod production. Stay humble.
Prisma Cloud from Palo Alto Networks sponsored this podcast. Palo Alto Networks, Amazon Web Services, and Accenture, in March 2020, began to survey over 3,000 cloud architecture, InfoSec and DevOps professionals, on a quest to uncover the practices, tools and technologies companies are using to meet and deal with the challenges of securing cloud native architectures and methodologies — and to gain the benefits of moving to the cloud. This edition of The New Stack Makers features the keynote panel discussion with thought leaders from Palo Alto Networks, Amazon Web Services (AWS) and Accenture, who shared their own experiences and anecdotes within their organizations as they related to the findings. Moderated by Alex Williams, founder and publisher of The New Stack, the panel discussion was recorded for The State of Cloud Native Security virtual summit held on June 24. The panelists were: John Morello, vice president of product, Prisma Cloud; Mark Rauchwarter, multicloud security lead, Accenture; Daniel Swart, partner solutions architect, Amazon Web Services (AWS).
Prisma Cloud from Palo Alto Networks sponsored this podcast. In this edition of The New Stack Makers, recorded for The State of Cloud Native Security virtual summit held on June 24, thought leaders from Palo Alto Networks discuss why the shift left for security in the software production process is essential for DevOps today. The topics discussed include how the trend to shift left has its roots in DevOps, its integration with continuous delivery (CD), security's role not only in software development processes but for the enterprise as well and, ultimately, how the shift left helps to ensure software is safe and secure. Many, if not most, DevOps team leaders and CTOs are well aware of the importance of embedding security processes at the very beginning of the production pipeline. The guests from Palo Alto Networks are: Aqsa Taylor, a product manager for Prisma Cloud; Ashley Ward, solutions architect; Keith Mokris, head of product marketing, Prisma Cloud; Vinay Venkataraghavan, Cloud CTO, Prisma Cloud.
In this edition of The New Stack Makers podcast hosted by Alex Williams, founder and publisher of The New Stack, Wang spoke about these and other third-party security trends. The podcast was recorded in anticipation of The State of Cloud Native Security virtual summit to take place on June 24. Major exploits such as the Target and Equifax hacks made headlines a few years ago. But these infamous attacks have not necessarily served as a wakeup call for many, if not most, organizations. They lack the security tools, processes and culture required to properly protect their data, Chenxi Wang, Ph.D., managing general partner, Rain Capital, said. “Everybody read about those headlines but translating that into the work [organizations] do day to day, I think there's still a gap,” Wang said. “As security industry professionals — myself included — we need to reach out more to the adjacent community and especially with Dev these days. I mean software is eating the world and Dev is the one driving software, so we need to work with dev to make it happen.”
In this edition of The New Stack Makers podcast hosted by Alex Williams, founder and editor-in-chief of The New Stack, Keith Mokris, head of product marketing, Prisma Cloud, Palo Alto Networks, and Mark Rauchwarter, cloud and infrastructure security for Accenture Security, discuss the key talking points of the Prisma Cloud Native Security Summit and what the results of the survey mean for the DevOps community. Join Prisma Cloud by Palo Alto Networks June 24 at 9:00 AM PDT at The State of Cloud Native Security virtual summit for a full discussion of “The State of Cloud Native Security” report and other topics relevant to your organization's digital journey. The summit will feature a panel session hosted by The New Stack's Founder and Editor-in-Chief Alex Williams, with security thought leaders from AWS, Accenture, and Prisma Cloud by Palo Alto Networks.
Read more stories like this here! https://thenewstack.io/ Prisma, from Palo Alto Networks, sponsored this podcast, following its Cloud Native Security Live, 2020 Virtual Summit held Feb. 11, 2020. Agile development teams may be able to meet software release and update cadences at faster and faster rates — but ultimately, their deployments are only as good as the underlying code. Applications that lack robustness or have vulnerabilities that are not discovered until after it's too late can defeat the whole purpose of Agile DevOps. The hard truth is that policies and practices must involve testing and monitoring from the outset of code development while extending throughout the entire CI/CD lifecycle. The main theme of this edition of The New Stack Makers podcast, recorded live at Palo Alto Networks' studio in Santa Clara, CA, is how to protect software throughout the entire supply chain. The guests were: Dr. Chenxi Wang, a managing general partner for Rain Capital, a keynote speaker and a “Forbes” contributor; Rochelle Mattern, a Google Cloud customer engineer at Google; Gareth Rushgrove, a director of product management at Snyk. The New Stack Publisher Alex Williams hosted this episode.
Prisma, by Palo Alto Networks, sponsored this podcast, in advance of its Cloud Native Security Live, 2020 Virtual Summit, Feb. 11, 2020. For many organizations, becoming a software company hinges on making a successful shift to cloud native platforms. This makes sense, as a rapidly growing number of organizations, both in the private and public sectors, can achieve very tangible benefits by making the transition. The ultimate goal is typically being able to vastly improve the digital experience for the end-use customer. In this The New Stack Makers podcast, Morello and Aqsa Taylor, a product manager for Prisma Cloud Compute, discuss what organizations should know about security before making the cloud native shift. The themes covered include, among other things, what a cloud native security platform should offer and the evolution of security in the cloud native era.
Many IT teams begin moving their applications to containers and Kubernetes after their managers mandate the switch. Then, in the rush to deploy, they may forget, or simply delay, some fundamentals. Only six to 12 months later does integrating security into their CI/CD pipeline become a priority. This gradual evolution toward cloud native security best practices is worrisome, but it's the norm among organizations adopting Kubernetes today. This is what we learned from a panel of cloud native security experts at The New Stack's pancake and podcast from KubeCon+CloudNativeCon North America this week. The New Stack founder and publisher Alex Williams was joined on the panel by: Keith Mokris, product marketing manager, container security at Palo Alto Networks; Maya Kaczorowski, product manager at Google; Santiago Torres-Arias, Ph.D. student at New York University Center for Cyber Security; Sarah Allen, co-chair of the Cloud Native Computing Foundation's (CNCF) Security Special Interest Group (SIG); Sean M. Kerner, senior editor at InternetNews.com. Prisma by Palo Alto Networks sponsored this podcast.