Top takeaways from first CloudNativeSecurityCon
TechTarget's Enterprise Strategy Group offers the main takeaways from the first vendor-neutral, practitioner-driven conference for security.
The Cloud Native Computing Foundation (CNCF) hosted the first standalone CloudNativeSecurityCon (CNSCon) North America 2023 early this month in Seattle. The event drew more than 800 attendees and offered 70 sessions. In her keynote, CNCF Executive Director Priyanka Sharma described it as the first open source, vendor-neutral, practitioner-driven conference for security.
"Security within the cloud-native ecosystem is deeply complex," Sharma said. "All of us focus on rapid development and deployment, and that is why cloud-native is fast becoming ubiquitous. We're essential to organizations and businesses everywhere, but there are more exposed edges and nodes, greater attack surfaces and ultimately loss of control."
This conference is important for security teams and developers, Sharma said, because it helps organizations manage their security posture effectively as they digitally transform for better business results.
Check out the keynotes and sessions from the conference available on demand. Below are my highlights and key takeaways from the show.
Shift-left, developer-focused theme
CISOs and CIOs worry about security, and with the shift-left phenomenon brought on by containers and microservices, developers are the ones who end up mitigating those worries, Sharma said in her keynote.
I've written about the importance of shifting security left to developers. This is challenging for security teams, whose typical skill sets and tooling were not built around developer workflows. My research on shift left and GitOps security showed the top challenges for developers and security teams. Security teams want to help developers secure their code in the most efficient, nondisruptive way while gaining the visibility and control they need to manage risk. For their part, developers want to release secure code, but they don't want to become security experts or waste time on unnecessary security tasks. So the two groups need to work together.
There is also a misconception about shifting security left: the emphasis is usually placed on moving security earlier in the software development lifecycle (SDLC). That is needed to address coding issues early, ideally before applications are deployed, but shifting left is also about easier, faster remediation at runtime to minimize rework. Cloud-native computing is all about efficiency and collaboration, so security needs to be incorporated throughout the SDLC to give developers shorter feedback loops for remediating security issues.
For example, a number of vendors at the conference showed the benefits of monitoring applications and workloads at runtime to gain context and better understand security issues. Liz Rice, event co-chair and chief open source officer at Isovalent, gave a keynote showing how eBPF-based event monitoring tools can produce visualizations that help drive security actions and efficiently reduce risk.
Cloud-native security opportunities
On the second day of the conference, event co-chair and Apple security engineer Emily Fox gave a keynote about the event's history that clearly articulated the opportunity for cloud-native security. She described how the group evolved over the years, from gathering at KubeCon+CloudNativeCon events to evaluate the security posture of projects, to forming what is now the CNCF Security Technical Advisory Group (TAG).
The TAG's mission is to reduce the risk of unauthorized access to cloud-native applications and workloads in a way that makes sense for those who adopt and maintain the projects. It provides security guidance, instructions and tools to the community.
"Organizations were leveraging heritage and checklist security requirements, completely ignorant of all the possibilities that cloud-native could provide from a security perspective," Fox said.
She described the charter's three focus areas as follows:
- defining how to protect workloads without having security as a hindrance to users' or engineers' workflows;
- applying security controls in a way that helps developers meet security requirements; and
- applying common tooling for auditing.
"There are many domains with no security approach," Fox said. "We need to explore and drive content in these areas to inform adopters and maintainers how to do security in the cloud. It's more than just Kubernetes. It is a multi-objective, multi-constrained problem space with a lot of different domains. It spans the entire SDLC and whatever comes next. We have to be prepared for it."
Security teams and vendors need to participate in these shows and community efforts to ensure security can keep up with cloud-native development.
Software supply chain security and OpenSSF
The conference also highlighted the important work of the Open Source Security Foundation (OpenSSF) on software supply chain security. Like CNCF, OpenSSF is a cross-industry effort under the Linux Foundation. Its initiatives focus on bringing individuals and companies together to advance open source security.
Leveraging open source software (OSS) is a key part of cloud-native development because freely available third-party code lets developers build their applications more efficiently. My research showed that 89% of organizations are using open source software in their cloud-native applications, with an additional 19% planning to use it. It also showed that most applications were composed of more than 50% OSS. I expect this to grow further given economic pressures to use free tools and increase productivity.
OpenSSF General Manager Brian Behlendorf gave a keynote describing how the internet evolved around building and moving quickly without pervasive security in place. He also described the challenges of sourcing code, the often undocumented assumptions and biases about which sources of code are trusted, and the accumulation of technical debt. He highlighted key initiatives, including Sigstore, which handles digital signing, signature verification and provenance checks so code can be tracked and secured through the software supply chain.
Behlendorf also described the new attack surfaces that come with adopting new tools to scale, such as AI and ChatGPT, which bring new risk. OpenSSF has working groups that address software supply chain issues as well as future paths of attack, and it offers training and resources. As a cross-industry and cross-vendor organization, it has the potential to play a crucial role in securing the software supply chain and enabling greater technological innovation.
New Kubernetes and Cloud Native Security Associate certification
A key announcement at the show was the new Kubernetes and Cloud Native Security Associate (KCSA) certification, which will be available later this year. The certification helps fill the gap in cloud-native security expertise by giving practitioners, including beginners, the knowledge and skills to support their organizations' cloud-native adoption.
Smaller but promising security conference
I wrote about my excitement for CloudNativeSecurityCon when it was announced at KubeCon+CloudNativeCon 2022 because I believe these shows should become increasingly important for security teams and security vendors. CNSCon has an opportunity to become a top security conference that helps security teams support cloud-native development.
This conference was relatively small, however. With lingering COVID-19 and flu season concerns, along with the current economic climate pushing tech companies to conserve budget, it may have been difficult for vendors or attendees to justify participation in a new show. It was nice to have meaningful conversations with a smaller group of attendees, hundreds rather than thousands, but I hope future conferences attract bigger audiences and more vendors.