Session Name: Container Images, Sign Em Like It’s Hot
In an ever-changing IT landscape where containerized applications running in a Kubernetes cluster are now the de facto standard, securing them properly is key to keeping attackers out. But can we keep the agility of DevOps without losing security controls in the SDLC? Can we prevent vulnerable images from being deployed to production? With the adoption of an S-SDLC culture, and with container signing combined with Binary Authorization, this is not a utopia. In this talk we'll cover the security controls needed in a CI/CD pipeline to ensure that no vulnerable application enters the production environment. The confidentiality, integrity, and availability of our applications and our business are closely linked, so we had better get it right!
• Make use of SAST, DAST, and SCA tooling in your pipeline
• Scan your container images for known vulnerabilities
• Use up-to-date and lightweight images
• Adapt security controls/enforcement in the CI/CD pipeline
• Use container image hardening frameworks like Google SLSA
I’m a cloud engineer with a passion for application security. My key motivation is to help make the world a more secure place. I do that by contributing to the OWASP project. My key specialization areas are Cloud/Kubernetes security and SDLC.