Security-specific tools are often overlooked until they become a requirement or a necessity, or until things have gone terribly wrong. While many organisations will build a security team to address related issues, smaller organisations and individual contributors do not have this option. This talk is divided into two sections. In the first, Anais will draw on the similarities between climbing and security to show the importance of establishing a security-centric mindset. What happens if we do not have security specialists supporting our team? Free climbing might be an option for experts with years of experience, but not for most cluster admins. The second part will go over security-specific tools in the cloud native ecosystem. A live demo will focus on Trivy, an open source scanner with 11k+ stars on GitHub. Anais will showcase how to get started, and the benefits of integrating cloud native security tools such as Trivy into existing processes and the monitoring stack. The goal is to give Kubernetes cluster admins and engineers the tools and knowledge to take ownership of securing their resources without having to become security experts.
When we talk about DevSecOps, we often focus on security for developers or security for workload management and deployments. While the DevOps-versus-SRE debate will continue until the end of time, we can agree that SRE is more focused on the culture and the processes put in place to build reliable and efficient infrastructure for our deployments. If we simply bolt security tools onto our SRE workflows, we risk introducing decoupled processes.
This talk will showcase how we can integrate open source security solutions and a security-centric mindset into the SRE culture. Anais Urlichs will first provide an overview of the top security risks we face when managing and deploying cloud native infrastructure, and then highlight how we can adapt our workflows to become security-centric.
A key element of successfully integrating security into the DevOps lifecycle is embedding it right from the start. Helping developers and operators build security controls in from day one with easy-to-use open source tooling can make that a reality. This workshop will take a hands-on approach to demonstrate how to install, configure and customize open source security tools for use throughout the DevOps process. The workshop will focus on two core tools. First, how Trivy can be used to help secure container images, Dockerfiles, Kubernetes manifests and infrastructure-as-code (IaC) such as Terraform. Then the workshop will move on to operationalizing security controls using Starboard to automate the operation of Trivy and other security tools, providing continuous security assurance of workloads and Kubernetes clusters.
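To make concrete what "securing Kubernetes manifests with Trivy" means in the workshop above, here is an added example that is not part of the talk abstract or of the Trivy project: the same Deployment twice, once with the settings Trivy's built-in Kubernetes misconfiguration checks report on, and once hardened so the scan comes back clean. The image reference, the workload name and the UID are illustrative assumptions; the `trivy config` and `trivy image` invocations in the comments are real subcommands and flags. Starboard, which the workshop uses to run these scans continuously in-cluster, has since been superseded by Trivy Operator, but the checks themselves are the same.

```yaml
# Added example (not from the talk or the Trivy project). Put both documents in a
# directory and scan it for misconfigurations:
#   trivy config ./manifests
# The same CLI scans the image the manifest references for vulnerabilities and
# fails the pipeline on unfixed HIGH/CRITICAL findings:
#   trivy image --severity HIGH,CRITICAL --ignore-unfixed --exit-code 1 registry.example.com/web:1.4.2
# registry.example.com/web, the "web" name and UID 10001 are assumptions for illustration.
---
# BEFORE: every commented line is something Trivy's Kubernetes checks flag
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
spec:
  replicas: 1
  selector:
    matchLabels: {app: web}
  template:
    metadata:
      labels: {app: web}
    spec:
      # service account token mounted by default although the app never calls the API
      containers:
        - name: web
          image: registry.example.com/web:latest   # mutable tag: what you scanned is not what you run
          securityContext:
            privileged: true                        # container gets full host access
          # no runAsNonRoot, so the process runs as root inside the container
          # allowPrivilegeEscalation left unset (defaults to true)
          # root filesystem writable, all default capabilities kept, no seccomp profile
          # no CPU/memory limits, so one pod can starve the node
---
# AFTER: same workload, hardened so `trivy config` reports no misconfigurations
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
spec:
  replicas: 1
  selector:
    matchLabels: {app: web}
  template:
    metadata:
      labels: {app: web}
    spec:
      automountServiceAccountToken: false          # no API credentials in the pod
      containers:
        - name: web
          image: registry.example.com/web:1.4.2    # pinned tag (pin by digest once you have a registry you trust)
          securityContext:
            privileged: false
            allowPrivilegeEscalation: false
            runAsNonRoot: true
            runAsUser: 10001                        # unprivileged UID; must exist in the image or be set here
            readOnlyRootFilesystem: true           # anything the app writes needs an emptyDir mount
            capabilities:
              drop: ["ALL"]
            seccompProfile:
              type: RuntimeDefault
          resources:
            requests: {cpu: 100m, memory: 128Mi}
            limits: {cpu: 500m, memory: 256Mi}
          volumeMounts:
            - name: tmp
              mountPath: /tmp
      volumes:
        - name: tmp
          emptyDir: {}
```

The "before" document is the shape most hand-written manifests start out in, which is why running `trivy config` on the repository in CI, before anything reaches a cluster, is the cheapest point at which to catch these. The "after" settings are what the checks expect; the one that most often needs per-application work is `readOnlyRootFilesystem`, since any path the process writes to has to become an explicit volume.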