As HSBC continues to migrate workloads to AWS, there is a need to support a security-compliant mechanism for storing and scanning container images. Learn how HSBC leveraged AWS serverless technologies to build an automated container scanning platform integrated with Vulnerability Management processes.
Securing microservices/APIs must be done at multiple levels, and one of them is the application level. In this talk, using recent breaches as examples, we give you immediately actionable tips to protect your APIs at design and development time.
Over 600 developers in more than 100 teams work at bol.com, which is one of the most popular retailers in the Netherlands and Belgium. They are responsible for the entire DevOps process of their applications. Using an in-house developed infrastructure as code and configuration management solution (“R2D2”), they deploy and manage their own services without interference. How does the 19-person-strong security team of bol.com keep control of security in our Google Kubernetes Engine (GKE) environment, while embracing the "You build it, you run it, you love it" culture in bol.com?
What does DevOps adoption look like at enterprises, and what is the impact of that on cloud-native security? 451 Research presents results from its quantitative and qualitative research into cloud native security, particularly the relationship between current security practices and DevOps.
Until now, Kubernetes has had no standard for requesting and approving x509 certificates. Jetstack has been working with the upstream Kubernetes community to create standard extensibility points that will allow the community to request and manage certificates for kubelets and user applications.
Once you get past the basics of Kubernetes security, locking down your APIs and implementing RBAC, you might think you’ve got most of your security issues sorted. However, like any complex system, Kubernetes has some sharp security edges. This is a talk about avoiding getting cut by them.
Secrets (SQL/LDAP passwords, SSH keys and API tokens) are usually kept by applications in configuration files or as source code constants. Kubernetes offers a great feature to store your application's Secrets where your containers can access them on demand. In our talk, we’ll share several use cases and flaws where using Kubernetes built-in Secrets Storage is insufficient, and review several future features of K8s and other concepts available to better manage and secure your secrets.
How would you react if your laptop was stolen? Are you worried about attackers performing a cold boot attack to extract your Kubernetes credentials? Do you already use a YubiKey for SSH and GPG, and wonder why you cannot use it with kubectl? If yes, then this talk is for you!
This session will present a Kubernetes security checklist based on Kubernetes workflows and attack vectors. This talk will also include best practices for each attack vector.
Lightning Talk "Meet the Experts"
Kubernetes has an OIDC endpoint on the roadmap for release 1.18 and EKS provided their own OIDC endpoint. This talk will cover the power this will bring with Projected Service Account tokens. We will walk through how you can have secure intercluster RBAC and how to talk to external services.
The talk gives the audience a chance to learn about Kubernetes security in a real-world setting. There is nothing sexy about security but it is damn important. Saurya and Erik (architect at Finastra) will share their real-life experiences having worked in the field for 5 years.
Threat modeling is a very powerful tool within application security. This session explains how we can optimize threat modeling and improve the process outcome, and how we can handle a new dimension in the model, since container usage requires attention to additional aspects that are easily overlooked.
Networking Drinks