Cloud Superstream: Cloud Security
Published by O'Reilly Media, Inc.
More and more organizations are building their applications on top of the cloud. But unfortunately, not all cloud services provide airtight security—some have vulnerabilities in their authentication protocols or data encryption, which can endanger an enterprise’s infrastructure. That's why it’s crucial to keep up with the latest security standards.
These sessions will get you up to speed on key techniques and best practices for securing your cloud. You'll discover how to better assess threats and develop a security-aware mindset, learn how to utilize tools and design models to properly secure your cloud environment, and more.
About the Cloud Superstream Series: This two-part series gets you up and running with two key areas of cloud computing. The first event covers techniques and best practices for securing your cloud. The second takes a look at the leading cloud platform, Amazon Web Services, offering an overview of best practices with data, working with Kubernetes, protecting identity and privacy, operating AWS with a multicloud or hybrid cloud, and more.
What you’ll learn and how you can apply it
- Learn how to better assess threats and develop a security-aware mindset
- Understand key techniques and best practices for securing your cloud
- Understand supply chain vulnerabilities and how to anticipate and address them
This live event is for you because...
- You’re a developer or engineer who wants to understand the challenges of cloud security and find out how to address them.
- You want to learn how to secure your microservices and reduce vulnerability traversal.
- You need to assess and secure your CI/CD pipeline and protect it from supply chain attacks.
Prerequisites
- Come with your questions
- Have a pen and paper handy to capture notes, insights, and inspiration
Recommended follow-up:
- Read Building Microservices, second edition (book)
- Read Serverless Security (report)
- Read Practical Cloud Security (book)
- Attend Infrastructure & Ops Hour: Cloud Native and Open Source Security with Guy Podjarny (live event on June 13)
- Read Cloud Native Application Security (report)
- Read Cloud Native Security Cookbook (book)
- Watch Learning Path: Cloud Security Fundamentals (video)
Schedule
The time frames are only estimates and may vary according to how the class is progressing.
Sam Newman: Introduction (5 minutes) - 8:00am PT | 11:00am ET | 3:00pm UTC/GMT
- Sam Newman welcomes you to the Cloud Superstream.
Rosemary Wang: Let’s Secure a CI/CD Pipeline (45 minutes) - 8:05am PT | 11:05am ET | 3:05pm UTC/GMT
- Your team uses a CI/CD pipeline to deploy infrastructure and applications to production. However, your security team warns you that your pipeline might be vulnerable. Can you improve it? Join Rosemary Wang to discover how to assess and secure your CI/CD pipeline and protect it from supply chain attacks. You’ll learn some patterns and tools that can help and find out how to scale the practices across your system.
- Rosemary Wang works to bridge the technical and cultural barriers between infrastructure, security, and application development. She has a fascination for solving intractable problems as a contributor, public speaker, writer, and advocate of open source infrastructure tools. Recently, Rosemary has been writing a book, Patterns and Practices for Infrastructure as Code. When she isn’t drawing on whiteboards, Rosemary debugs stacks of various infrastructure systems on her laptop while watering her houseplants.
- Break (5 minutes)
Stefania Chaplin: Securing Microservices—Preventing Vulnerability Traversal (45 minutes) - 8:55am PT | 11:55am ET | 3:55pm UTC/GMT
- When developing and deploying your microservices, preventing vulnerability traversal is a must. Systems need to be designed securely, and security as an afterthought doesn’t scale. Platform engineers and SREs need to quickly identify owners and fix deployment vulnerabilities from inception to production. If Log4j taught us anything, it’s that teams must have ownership, accountability, and the power to make changes fast to keep their systems secure. Join Stefania Chaplin to explore OWASP recommendations and Kubernetes best practices that will help you secure your microservices and reduce vulnerability traversal.
- As a solutions architect within cybersecurity, DevSecOps, and OSS governance, Stefania Chaplin has helped countless organizations understand and implement security throughout their SDLC. A Python developer at heart, Stefania enjoys optimizing and improving operational efficiency by scripting and automating processes and creating integrations. She’s an active member of OWASP DevSlop, hosting its technical shows. When not at a computer, Stefania enjoys surfing, doing yoga, and looking after all her tropical plants.
- Break (5 minutes)
Nathen Harvey: The State of DevOps—Security Enables Velocity (45 minutes) - 9:45am PT | 12:45pm ET | 4:45pm UTC/GMT
- As technology teams continue to accelerate and evolve, so do the quantity and sophistication of security threats. It's easy to emphasize the importance of security and suggest that teams need to prioritize it, but doing so requires several changes. Can we rise to security challenges without slowing our software delivery velocity? Nathen Harvey shares his own lived experience as well as that of a multiyear research program led by Google Cloud’s DevOps Research and Assessment (DORA) team to help you understand how security and software delivery work together to drive organizational performance, and how to measure that software delivery and operations performance. Join in to learn why elite performers that met or exceeded their reliability targets were twice as likely to have security integrated into their software development process—and how they did it. Spoiler alert: The best teams focus on getting better at getting better. You can do this too!
- Nathen Harvey is a developer relations engineer at Google and is part of the Google Cloud DORA research team. He’s built a career on helping teams realize their potential while aligning technology to business outcomes and has had the privilege of helping some of the best teams and open source communities apply the principles and practices of DevOps and SRE. Nathen’s a coauthor of Google Cloud’s 2021 Accelerate State of DevOps report and helped edit 97 Things Every Cloud Engineer Should Know from O’Reilly.
- Break (5 minutes)
Shaun McCullough: Cloud Attacks, Mitigations, and Detections—A Code Spaces Case Study (45 minutes) - 10:35am PT | 1:35pm ET | 5:35pm UTC/GMT
- The Code Spaces security breach is a tragic example of a few mistakes leading to devastating consequences. Shaun McCullough takes you through the Code Spaces attack and explains how to detect or mitigate similar actions in AWS and Azure. Join in to see why API calls are your best sources of data in an investigation and learn how to best take advantage of them.
- Shaun McCullough (a.k.a. @cybergoof) is a cloud security architect at GitHub, focusing on security, automation, and threat detection. Shaun has nearly 30 years of experience as a hands-on security engineering, operations, and software development practitioner with a gift for architecture design. He spent more than 20 of those years at the National Security Agency (NSA), where he was a security researcher and the technical director of the Red, Blue, and Hunt operations, and also built an open source platform based on MITRE ATT&CK. Shaun is a SANS instructor and coauthor of the SEC541: Cloud Security Attacker Techniques, Monitoring, and Threat Detection course.
Sam Newman: Closing Remarks (5 minutes) - 11:20am PT | 2:20pm ET | 6:20pm UTC/GMT
- Sam Newman closes out today’s event.
Upcoming Cloud Superstream events:
- AWS - October 19, 2022
Your Host
Sam Newman
Sam Newman is a technologist focusing on the areas of cloud, microservices, and continuous delivery—three topics which seem to overlap frequently. He provides consulting, training, and advisory services to startups and large multinational enterprises alike, drawing on his more than 20 years in IT as a developer, sysadmin, and architect. Sam is the author of the best-selling Building Microservices and Monolith To Microservices, both from O’Reilly, and is also an experienced conference speaker.