KubeCon + CloudNativeCon + Open Source Summit + AI_dev China 2024

Navigating the complexities of supply chain security might seem intimidating, especially with evolving frameworks like SLSA (Supply-chain Levels for Software Artifacts). This talk introduces beginners to the foundational practices required to secure software from build to runtime using CNCF tools. We'll explore how GitHub Actions can automate build processes, integrate with Cosign for keyless artifact signing, and use Kyverno for runtime policy enforcement. Additionally, we'll discuss how tools like in-toto and Kubescape help manage and verify artifact integrity, providing a holistic view of SLSA compliance in the Kubernetes ecosystem. To enhance security further, we will also briefly discuss the potential integration of Hardware Security Modules (HSMs) into the supply chain. HSMs can offer an added layer of security for key management operations critical to signing processes, ensuring that cryptographic keys are managed securely and are resilient against attack.

在KubeCon的一个会话描述： 供应链安全的复杂性可能看起来令人望而却步，尤其是随着像SLSA（软件构件供应链级别）这样不断发展的框架。 本次演讲将向初学者介绍使用CNCF工具来确保软件从构建到运行时的基本实践。 我们将探讨GitHub Actions如何自动化构建流程，与Cosign集成进行无密钥构件签名，以及使用Kyverno进行运行时策略执行。此外，我们还将讨论像in-toto和Kubescape这样的工具如何帮助管理和验证构件完整性，为Kubernetes生态系统中的SLSA合规性提供全面视角。 为了进一步增强安全性，我们还将简要讨论将硬件安全模块（HSMs）集成到供应链中的潜在可能性。HSMs可以为关键管理操作提供额外的安全层，这对签名过程至关重要，确保加密密钥得到安全管理，并且具有抵御攻击的弹性。

Cyber-attacks against cloud-native infrastructure are increasing in frequency and sophistication. The complexity of modern cloud-native systems and the speed at which technology is developing have outpaced cloud security solutions. On the flip side, cyber-criminals are taking advantage of these developments to launch successful cloud attacks. This session delves into the paradigm of Zero Trust Chaos Experiments, exploring how intentional disruptions and simulated cyber threats can uncover vulnerabilities and enhance cyber resilience. Through practical insights, we will illustrate the transformative impact of Zero Trust Chaos Experiments on organizations' ability to detect and mitigate cyber incidents. By the end of the session, participants will be equipped with actionable strategies and a better understanding of how Zero Trust Chaos Experiments can elevate cyber resilience in cloud-native environments

针对云原生基础设施的网络攻击频率和复杂性正在增加。现代云原生系统的复杂性和技术发展速度已经超过了云安全解决方案。与此同时，网络犯罪分子正在利用这些发展来发动成功的云攻击。 本场演讲将深入探讨零信任混沌实验的范式，探讨有意的干扰和模拟网络威胁如何揭示漏洞并增强网络安全弹性。通过实用的见解，我们将阐明零信任混沌实验对组织检测和缓解网络事件能力的转变影响。在会议结束时，参与者将掌握可操作的策略，并更好地了解零信任混沌实验如何提升云原生环境中的网络安全弹性。

Ensuring the integrity and authenticity of container images is critical in securing the container supply chain. As developers are increasingly using images from external sources, questions arise: How can we verify these images originate from trusted vendors? How do we guarantee they are not altered since their creation? In this session, you will learn from the real-world experience of VMware Bitnami, who partnered with the Notary Project community to implement image signing and verification. Bitnami will show you how they use Notary Project signatures to ensure the integrity and authenticity of images from Docker Hub. Don't miss this opportunity to gain practical insights into container security with Notary Project within your CI/CD pipelines and during Kubernetes deployments! Additionally, we’ll explore future enhancements, including attestation support, empowering users to verify images from various perspectives such as provenance, vulnerability assessment, and software compliance.

确保容器镜像的完整性和真实性对于保护容器供应链至关重要。随着开发人员越来越多地使用来自外部来源的镜像，一些问题浮出水面：我们如何验证这些镜像来自可信赖的供应商？我们如何确保它们自创建以来没有被篡改？在这场演讲中，您将从VMware Bitnami的实际经验中学习，他们与Notary项目社区合作实施了镜像签名和验证。Bitnami将向您展示他们如何使用Notary项目签名来确保来自Docker Hub的镜像的完整性和真实性。不要错过这个机会，在您的CI/CD流水线和Kubernetes部署中通过Notary项目获得容器安全的实用见解！此外，我们将探讨未来的增强功能，包括证明支持，使用户能够从各种角度验证镜像，如来源、漏洞评估和软件合规性。

How to find the right balance between convenience, operational efficiency, and a strong security policy in a world of ephemeral containers? And how can we ensure security at a time when Advanced Persistent Threats (APTs) are more prevalent? In this talk we will present the latest Cloud Native Security & Usage Report findings on critical vulnerabilities inherent in today’s container security practices. We will also demonstrate how a compromised, short-lived container can be an insidious security risk, and what we can do to detect and mitigate those risks in real time using cloud native open source tools.

在一个短暂容器世界中，如何在便利性、运营效率和强大安全政策之间找到合适的平衡？在APT（高级持续性威胁）更加普遍的时代，我们如何确保安全？ 在这次演讲中，我们将介绍最新的云原生安全和使用报告发现，揭示当今容器安全实践中存在的关键漏洞。 我们还将演示一个被 compromise 的短暂容器如何成为一个隐蔽的安全风险，以及我们如何使用云原生开源工具实时检测和减轻这些风险。

As more folks deploy cloud-native architectures and technologies, store ever larger amounts of data, and build ever more complex software suites, the complexity required to correctly and securely authorize requests only becomes exponentially more difficult. Broken authorization now tops OWASP's Top 10 Security Risks for Web Apps. Their recommendation? Adopt an ABAC or ReBAC authorization model. This talk establishes the problems with the status quo, explains the core concepts behind ReBAC, and introduces SpiceDB, a widely adopted open source system inspired by the system internally powering Google: Zanzibar.

随着越来越多的人部署云原生架构和技术，存储越来越多的数据，并构建越来越复杂的软件套件，正确和安全地授权请求所需的复杂性变得指数级增加。 破解授权现在已经成为OWASP Web应用程序安全风险前十名之首。他们的建议是采用ABAC或ReBAC授权模型。本次演讲将阐明现状存在的问题，解释ReBAC背后的核心概念，并介绍SpiceDB，这是一个广泛采用的开源系统，受到Google内部系统Zanzibar的启发。