Security-specific tools are often overlooked until they become a requirement or a necessity, or until things have gone terribly wrong. While many organisations will build a security team to address related issues, smaller organisations and individual contributors do not have this option. This talk is divided into two sections. In the first one, Anais will share the similarities between climbing and the importance of establishing a security-centric mindset. What happens if we do not have security specialists supporting our team? Free-climbing might be an option for experts with years of experience but not for most cluster admins. The second part will go over security-specific tools in the cloud native ecosystem. A live demo will focus on Trivy, an open source tool with 11k+ stars on GitHub. Anais will showcase how we can get started and the benefits of integrating cloud native security tools, such as Trivy, into our existing processes and monitoring stack. The goal is to provide Kubernetes cluster admins and engineers with the tools and knowledge to take ownership of securing their resources without having to become security experts.
When we are talking about DevSecOps, we often focus on Security for Developers or Security for workload management and deployments. While the discussion between DevOps and SRE continues until the end of time, we can agree that SRE is more focused on the culture and the processes put in place to build reliable and efficient infrastructure for our deployments. If we just adapt security tools into our SRE workflows, we might risk introducing decoupled processes.
This talk will showcase how we can integrate open source security solutions and a security-centric mindset into the SRE culture. Anais Urlichs will first provide an overview of the top security risks that we face during our cloud native infrastructure management and deployments, and then highlight how we may adapt our workflows to become security-centric.
Too Much to Choose - Making Sense of a Smorgasbord of Security Standards -- Anaïs Urlichs & Rory McCune, Aqua Security
Implementing GitOps best practices with Crossplane and ArgoCD
DockerCon -- Do Not Ignore .dockerignore
Anais' Public Speaking (Specific to DevOps)