Highlights from CloudNativeSecurityCon 2024

This year's Cloud Native Computing Foundation CloudNativeSecurityCon highlighted cloud-native security issues to its many attendees who don't hold security-focused roles.

Digital transformation efforts involve cloud adoption, cloud-native technology and the development and usage of community-built open source software. Successful digital transformation depends on a company's ability to secure its applications across these technologies. These efforts make Cloud Native Computing Foundation's CloudNativeSecurityCon, held this year in late June, an important conference.

While the work of CNCF is increasingly important, conference attendance was low, with just 500 attendees. In February 2023, the organization held the first CloudNativeSecurityCon, and though the timing last year wasn't ideal because it coincided with a COVID-19 resurgence, it had a slightly better turnout with 800 attendees.

I want to call attention to this event because it addresses top challenges and needs for application and cloud security today. Here are some highlights from the show.

The importance of groups outside security

New technologies and development processes challenge traditional application security methods. Continuous integration and continuous deployment pipelines and microservices-based applications empower developers to deploy infrastructure, build and release applications and continuously update them.

We talk about shifting left to shift security responsibilities to developers to enable them to secure their own code so security doesn't become a bottleneck. CloudNativeSecurityCon is focused on the CNCF community, so attendees included architects, developers, DevOps, site reliability engineers and sys admins. Notably, this is not an audience of application security or security professionals, but cloud-native security depends on education, training and security responsibilities for these nonsecurity roles.

These groups outside of security are doing important work. In his keynote, CNCF CTO Chris Aniszczyk welcomed the attendees as those who are security-minded and described their shared responsibility to improve security across the cloud-native ecosystem.

We've seen friction before -- security teams want to own application security and all that's involved, including testing, setting policies, monitoring for security issues and remediating issues, and developers need to focus on building applications. But for cloud-native security, security teams need to work with other groups. They need to collaborate with developers and operators to align on common goals and better incorporate security into development processes.

"All the stuff we've built is critical for the world's workloads," Aniszczyk said. "When there's an issue, it affects everyone."

CNCF and community efforts

Aniszczyk pointed out the CNCF efforts, including the vast CNCF ecosystem with 200 security and compliance projects. CNCF makes significant investments in security audits, training and resources. It also works on marketing and awareness to encourage use and community contributions to help projects progress along their maturity process, including incubating and graduating projects, such as Falco, Open Policy Agent and Cilium.

CNCF's cloud-native security Technical Advisory Group has a number of working groups on key topics, including software supply chain, controls, automated governance and reviews. The group's "About Us" states "We aim to significantly reduce the probability and impact of attacks, breaches and compromises. By empowering developers and operators to understand and manage the security posture of their systems, we strive to fulfill the promise of enhanced productivity and operational efficiency."

Improving software supply chain security

My recent research on the growing complexity of software supply chain security showed organizations increasingly use third-party and open source software in their applications. The top challenges and concerns of this include the following:

  • Having a high percentage of -- and becoming too dependent on -- open source code.
  • Difficulty identifying vulnerabilities in the code.
  • Increased chances of becoming victims of attackers who target popular and commonly used third-party software and open source code.
  • Understanding software dependencies for applications.
  • Understanding code composition.
  • Creating a software bill of materials.

The CNCF has made significant investments in open source security. Its sister organization, the Open Source Security Foundation (OpenSSF), which is also part of the Linux Foundation, drives community efforts across companies, government agencies and individuals to secure development, maintenance and use of open source software.

The conference included sessions applying many of the OpenSSF projects for secure open source software use. These included Supply-chain Levels for Software Artifacts (SLSA), Graph for Understanding Artifact Composition (GUAC), Open Vulnerability Exploitability eXchange (OpenVEX), Sigstore and OpenSSF Scorecard.

One session had updates on Sigstore, the free signing service for software developers to track modifications and verify the authenticity of open source components. Created by companies including Google, Chainguard, Red Hat and Stacklok, Sigstore has become the de facto approach to code signing for open source software. It has also been adopted by major cloud-native projects, including Kubernetes and Helm, and NPM, the node package manager for JavaScript. Today, Sigstore has more than 58 repositories spanning libraries in many languages, including Go, Rust and JavaScript.

A session with Trevor Rosen, staff engineering manager at GitHub, addressed capabilities to best source open source software. Another interesting session by Harry Toor, chief of staff at OpenSSF, covered AI's role in shaping the future of the secure open source software ecosystem, describing possible scenarios and optimizing its usage.

Techniques and methods for improving cloud-native security

Recent research on cloud detection and response from TechTarget's Enterprise Strategy Group showed the challenges security teams face with the dynamic nature of cloud-native applications and elastic cloud infrastructure. To address these, teams need full visibility to monitor, collect and process data and information from necessary telemetry sources.

The conference included sessions on observability, vulnerability management, security posture management, threat modeling, data harvesting and forensics investigations.

In a keynote address, Alexander Lawrence, field CISO at Sysdig, described the importance of enabling teams to "move at incredible speed" and challenged the audience to find ways to apply security programs to most effectively use time, people and processes.

Many other conference sessions echoed Lawrence's sentiment. For example, sessions focused on container security and vulnerability management efficiency with speakers from vendors including AWS, Aqua and Red Hat. An interesting session by Dakota Riley, vice president of cloud engineering at Aquia, looked at building detection on top of Kubernetes audit logs to detect attacks on Kubernetes clusters.
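Detection over Kubernetes audit log events, of the kind Riley's session described, as an added example that is not code from the session or from the conference: a small Python scanner that reads constructed JSON-lines audit events. The field names (stage, verb, user, objectRef, responseStatus) follow the Kubernetes audit.k8s.io event schema; the two rules and the sample events are assumptions of my own.

```python
import json

# Constructed sample Kubernetes audit events (JSON lines); not real cluster data.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"stage": "RequestReceived", "verb": "create",
     "user": {"username": "system:serviceaccount:default:web"},
     "objectRef": {"resource": "pods", "subresource": "exec", "namespace": "default", "name": "web-1"}},
    {"stage": "ResponseComplete", "verb": "create",
     "user": {"username": "system:serviceaccount:default:web"},
     "objectRef": {"resource": "pods", "subresource": "exec", "namespace": "default", "name": "web-1"},
     "responseStatus": {"code": 101}},
    {"stage": "ResponseComplete", "verb": "list",
     "user": {"username": "system:serviceaccount:default:web"},
     "objectRef": {"resource": "secrets"},
     "responseStatus": {"code": 403}},
    {"stage": "ResponseComplete", "verb": "get",
     "user": {"username": "alice"},
     "objectRef": {"resource": "pods", "namespace": "default", "name": "web-1"},
     "responseStatus": {"code": 200}},
])

def is_service_account(username):
    return username.startswith("system:serviceaccount:")

def classify(event):
    """Return a rule name if the audit event looks suspicious, else None (rules are assumptions)."""
    ref = event.get("objectRef", {})
    user = event.get("user", {}).get("username", "")
    verb = event.get("verb")
    # Rule 1: a workload's service account opening an exec/attach session into a pod.
    if (ref.get("resource") == "pods" and ref.get("subresource") in ("exec", "attach")
            and verb == "create" and is_service_account(user)):
        return "sa-pod-exec"
    # Rule 2: enumerating secrets across all namespaces (no namespace in objectRef).
    if ref.get("resource") == "secrets" and verb in ("list", "watch") and not ref.get("namespace"):
        return "cluster-wide-secret-enum"
    return None

def detect(audit_log):
    """Scan a JSON-lines audit log and return one finding per completed matching request."""
    findings = []
    for lineno, line in enumerate(audit_log.splitlines(), 1):
        if not line.strip():
            continue
        event = json.loads(line)
        # The API server logs each request at several stages; count it only once.
        if event.get("stage") != "ResponseComplete":
            continue
        rule = classify(event)
        if rule:
            code = event.get("responseStatus", {}).get("code")
            findings.append({"line": lineno, "rule": rule,
                             "user": event["user"]["username"], "code": code})
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_AUDIT_LOG):
        print(finding)
```

The 403 on the secrets listing is kept as a finding on purpose: a denied cluster-wide enumeration is still worth an alert, since it shows a workload identity probing beyond its namespace.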

The need to address AI and generative AI

A handful of the sessions covered how to ensure security with the increased use of AI. One session addressed implementing a risk management framework with policy-as-code automation, security controls for responsible AI use and compliance. Robert Ficcaglia, CTO at SunStone Secure, described the uniqueness of AI security and privacy, the need for threat modeling and red teaming, useful industry frameworks and ways to apply controls to mitigate risk.

Another interesting session by Frederick Kautz, director of research and development at TestifySec, was about how to apply CNCF and OpenSSF projects to secure the AI supply chain. He described using in-toto, which is a framework to secure the integrity of software supply chains, to create a layout defining a path to ensure security of AI and machine learning models. The tool helps ensure models are not tampered with and applies attestations to handle data inputs and outputs.

The importance of people and the community for security

CloudNativeSecurityCon and other CNCF events do a good job emphasizing the importance of people and the community sharing their experiences and ideas to improve security -- even as the excitement and hype around automation and AI abounds.

People who were unable to attend should check out this year's conference sessions, now available online. Doing so will enable you to catch up on the latest techniques for application security, security operations, identity and access management for machine workloads, and threat detection and response.

Melinda Marks is a practice director at TechTarget's Enterprise Strategy Group, where she covers cloud and application security.

Enterprise Strategy Group is a division of TechTarget. Its analysts have business relationships with technology vendors.
