In-person
1-4 April 2025


Please note: This schedule is displayed in British Summer Time (BST) (UTC +1). The schedule is subject to change and session seating is available on a first-come, first-served basis.
Type: Security
Wednesday, April 2
 

14:30 BST

Trust No One: Secure Storage With Confidential Containers - Aurélien Bombo, Microsoft
Wednesday April 2, 2025 14:30 - 15:00 BST
If you are processing and storing sensitive data in the cloud, can you really trust anyone (including the cloud)? The answer is no. Confidential Containers (CoCo) is a CNCF project that leverages Trusted Execution Environments (TEEs) to tackle this challenge. A critical aspect in this effort is providing secure and confidential storage solutions that can be seamlessly deployed across cloud providers.

This session explores the implementation of trusted storage in CoCo, highlighting key aspects such as Kubernetes storage drivers, device virtualization, and the role of attestation in secure key release and data encryption. We also demonstrate how we prevent attackers from injecting data into the TEE using the CNCF Rego policy language.

Overall, we aim to show how cloud providers and end users can securely store and protect sensitive data, enabling the adoption of confidential computing across numerous use cases.
Speakers
Aurélien Bombo
Software Engineer, Microsoft
Aurélien is a contributor to the Confidential Containers project and serves on the Architecture Committee of sister project Kata Containers. At Microsoft, he works on the Linux confidential platform.
Level 0 | ICC Auditorium
  Security

15:15 BST

The Security Challenges of Running Untrusted Code in Production on Kubernetes at Internet Scale - Christian Weichel & Alejandro de Brito Fontes, Gitpod
Wednesday April 2, 2025 15:15 - 15:45 BST
Running untrusted code from 1.5 million developers presents unique security challenges that push container isolation to its limits. At Gitpod, we spent six years building secure boundaries for development environments on Kubernetes, ultimately discovering fundamental security limitations that led us to rearchitect our platform. Our recent technical deep-dive blog ended up on Hacker News and sparked quite the intense debate (speakers are the OP).

This deep-dive examines our security evolution from standard container isolation to custom security implementations involving user namespaces, seccomp profiles, and network isolation. We'll explore how we handled privileged operations like Docker-in-Docker, FUSE filesystems, and root access requests while maintaining isolation. Whether you're dealing with multi-tenant workloads or running untrusted code, you'll gain practical insights about our learnings on real-world security boundaries in Kubernetes.
Speakers
Alejandro de Brito Fontes
Senior Engineer, Gitpod
Alejandro is a software entrepreneur and systems architect with more than 20 years of experience designing, building, and operating mission-critical IT infrastructure.

Christian Weichel
Chief Technology Officer, Gitpod
Chris Weichel is the Chief Technology Officer at Gitpod, where he leads the engineering team that builds and maintains the cloud-native platform for software development. With over 20 years of experience in software engineering and human-computer interaction, he has a comprehensive...
Level 0 | ICC Auditorium
  Security

16:15 BST

Signed, Sealed, Delivered - Sign and Verify All the Things - Jeremy Rickard, Microsoft
Wednesday April 2, 2025 16:15 - 16:45 BST
You're a cluster operator facing evolving supply chain threats. You're getting hit with rate-limits causing service availability issues. A configuration change made it into production and deployed unapproved images. Someone got access to your registry and tampered with an image. How do we handle these threat vectors? Digital signing and policy enforcement can help! In this talk, we'll look at how CNCF projects like ORAS, Notary, Flux, and Kyverno can be used together to ensure that everything in your production clusters, from images to configuration YAML, comes from a trusted source and has been digitally signed to ensure it hasn't been tampered with, and how to do this with a registry you control. You'll leave this session with knowledge of how these tools work together to enable you to protect your clusters, some of the gaps, and how you can address them. Jeremy will walk through a complete end-to-end experience and provide a GitHub repo with samples to take home.
Speakers
Jeremy Rickard
Principal Software Engineer, Microsoft
Jeremy Rickard is a principal software engineer at Microsoft where he works on the Azure Container Upstream team. He is currently a co-chair for SIG Release and serves on both the CNCF and the Kubernetes Code of Conduct Committees. He was also the Kubernetes 1.20 Release Lead.
Level 0 | ICC Auditorium
  Security
  • Content Experience Level Any

17:45 BST

Securing AI Workloads: Building Zero-Trust Architecture for LLM Applications - Rohit Ghumare, Taikun & Joinal Ahmed, NTG
Wednesday April 2, 2025 17:45 - 18:15 BST
As businesses increasingly rely on LLM applications for their important functions, it becomes important to implement strong security measures to protect sensitive information and guarantee smooth operations. This session shows how to build a zero-trust security architecture for AI workloads using cloud native patterns. We'll explore how to implement AI Gateways that have strong authentication and authorization and include audit logging. We'll also cover how to meet compliance and governance requirements while securing model artifacts, implementing runtime security, and protecting against prompt injection attacks.
Speakers
Joinal Ahmed
Head of AI, NTG
Joinal is an experienced Data Science professional with an interest in building solutions with quick prototypes, community engagements and influencing technology adoption.

Rohit Ghumare
DevRel As Service, Founder
As a Google Developer Expert specializing in Google Cloud, I am a passionate DevOps Advocate and a dedicated Community Evangelist. I lead and nurture multiple communities across diverse platforms, fostering DevOps and Developer Relations awareness. My commitment to the open-source...
Level 0 | ICC Auditorium
  Security
 
Thursday, April 3
 

11:00 BST

Identity-based Trust - Till Death Do We Part? - John Kjell, TestifySec & Kairo De Araujo, Independent
Thursday April 3, 2025 11:00 - 11:30 BST
With the rise in adoption of identity-based trust, it is increasingly important to understand the threats to such systems. PyPI, NPM, RubyGems, and Homebrew have all established models for “trusted publishing” attestation, based on OIDC. Many of these implementations rely on the Sigstore project's Fulcio and Rekor.

Sigstore’s Rekor is an append-only log. There’s no way to remove entries, even if they’re illegitimate. In the case of an identity compromise, most individuals would prefer to avoid a divorce from their identity, allowing for recovery and the re-establishment of future trust in their name.

In this session, we’ll examine a threat model and mechanisms for compromise in a Sigstore-based identity signing system. Once established, we’ll describe ways to mitigate and resolve the threats, leveraging the CNCF projects in-toto and The Update Framework (TUF). Beyond theoretical designs, we’ll look at how this system has been implemented in in-toto’s sub-project Archivista.
Speakers
John Kjell
Director of Open Source, TestifySec
John is responsible for open source at TestifySec, a software supply chain security startup. He is a maintainer for the Witness and Archivista sub-projects under in-toto. Additionally, John is an active contributor to CNCF's TAG Security and multiple projects within the OpenSSF. Before...

Kairo De Araujo
Open Source Engineer, Independent
Kairo is a Senior Open Source Engineer. Kairo maintains python-tuf and is the author of Repository Service for TUF (RSTUF). His past roles include Senior Open Source Software Engineer at TestifySec, VMware, Senior Software Engineer at IBM, ING, Forescout, and a former System Engineer...
Level 1 | Hall Entrance S10 | Room C
  Security

11:45 BST

IAM, Agent: Identity for Autonomous AI - Matthew Bates, Cofide
Thursday April 3, 2025 11:45 - 12:15 BST
First there were chatbots, then LLMs and now we're beginning to hear everyone talk about "agents", where multiple AI agents collaborate and execute tasks autonomously. As AI systems evolve toward multi-agent architectures, robust identity and access management (IAM) becomes critical for security. While these share similarities with microservices, AI agents introduce unique challenges around dynamic capabilities, trust and the interplay between human and agent identities.

This talk explores applying zero trust principles to AI agent workloads using CNCF projects like SPIFFE/SPIRE and emerging IETF standards (WIMSE). We'll explore dynamic identity provisioning, agent-to-agent authentication, and cryptographic attestation. Through hands-on demonstrations, you'll learn how to implement secure, standards-compliant identity management in your multi-agent AI systems, addressing both familiar distributed systems challenges and novel security considerations.
Speakers
Matthew Bates
Founder, Cofide
Matt is the founder of Cofide, a startup focused on workload identity and access management. He was previously co-founder and CTO of Jetstack, the company behind cert-manager. Since the launch, he has contributed widely to the Kubernetes project, both to the technology and to the...
Level 1 | Hall Entrance S10 | Room C
  Security

14:15 BST

Mind the Gap: Bridging Supply Chain Policy With Git-less GitOps and GUAC - Michael Lieberman, Kusari & Andrew Martin, ControlPlane
Thursday April 3, 2025 14:15 - 14:45 BST
In a live supply chain attack demo, we demonstrate the latest security features of Flux CD and OpenSSF GUAC together in a hardened, wide-scale production scenario. When the next XZ or Log4Shell vulnerability lands, see how to assess, respond, and prevent proliferation before or after an attacker gets a foothold in your systems.

See how to defend against an assault on your dependency tree, prevent hostile insiders from escalating their privilege, and lock down your production environment to harden it against future threats.

We:
  • Use OCI-first Flux CD to remove network routes to Git servers from production
  • Use GUAC to manage dependency inventory and bring signal to the noise of CVE updates
  • Use Timoni to reliably patch, customise, and verify deployments before release
  • Use Flux Autopilot to roll out multi-tenancy lockdown, horizontal and vertical scaling, and persistent storage across fleets of clusters
Speakers
Michael Lieberman
CTO, Kusari
Michael Lieberman is co-founder and CTO of Kusari where he helps build transparency and security in the software supply chain. Michael is an active member of the open-source community, co-creating the GUAC and FRSCA projects and co-leading the CNCF’s Secure Software Factory Reference...

Andrew Martin
CEO, ControlPlane
Andrew has an incisive security engineering ethos gained building and destroying high-traffic web applications. Proficient in systems development, testing, and operations, he is at his happiest profiling and securing every tier of a cloud native system, and has battle-hardened experience...
Level 1 | Hall Entrance S10 | Room C
  Security

15:00 BST

SPIFFE in Practice: Universal Identity for WebAssembly Workloads - Joonas Bergius, Cosmonic & Colin Murphy, Adobe
Thursday April 3, 2025 15:00 - 15:30 BST
Universal Identity (or Workload Identity) is a foundational concept that underpins every secure platform. When implemented well, it provides the platform and security teams the ability to reason about the entities running on their platform and the interactions between them.

SPIFFE has become the industry standard for establishing Identity that can be used to authenticate across all major cloud providers, on various workload platforms and even to an increasing number of third-party services. As SPIFFE adoption across various CNCF projects is growing, WebAssembly workloads present some unique challenges to simply lifting and shifting from what’s been done before.

This talk will cover the journey CNCF wasmCloud underwent in adopting SPIFFE as the foundation for providing Secure Production Identity for the WebAssembly Workloads running on the platform. We will share the lessons we learned from our journey, starting out with a concept to then bringing it all the way to production.
Speakers
Colin Murphy
Sr Software Engineer, Adobe
Colin Murphy is a senior software engineer on the Adobe Content Authenticity Initiative team. Previous roles include frontend engineer for Adobe Express, head of infrastructure of Adobe Document Cloud microservices, including Adobe Sign and Acrobat Web. He has been responsible for...

Joonas Bergius
Senior Software Engineer, Cosmonic
Joonas Bergius is a veteran of the Cloud Native community, having been part of the Kubernetes ecosystem as a contributor and end-user since the early days (circa 2015) of Kubernetes.
Level 1 | Hall Entrance S10 | Room C
  Security

16:00 BST

Open Source Malware or a Vulnerability? The Philosophical Debate and How To Mitigate - Brian Fox, Sonatype; Madelein van der Hout, Forrester Research Inc.; Santiago Torres-Arias, Purdue University
Thursday April 3, 2025 16:00 - 16:30 BST
As open source software is increasingly important in modern software development, the security challenges continue to evolve. Vulnerabilities are largely understood, but open source malware poses a uniquely hidden threat. But when does a planted vulnerability transform a package into malware? This talk will discuss and debate the nuances between open source vulnerabilities and malware before diving into what’s most important: how to stay secure with open source.

Traditional SCA and endpoint security tools do not detect open source malware, which increases the challenge. In this panel, key experts — from software engineering academia to influential analysts and open source security veterans — will dive into the different types of open source malware and why it’s so pervasive, outline practical strategies for mitigating threats and discuss the responsibility of enterprises and developers in safeguarding the software supply chain.
Speakers
Brian Fox
Co-founder and CTO, Sonatype
Co-founder and CTO, Brian Fox is a Governing Board member for the Open Source Security Foundation, a member of the Apache Software Foundation and former Chair of the Apache Maven project. As a direct contributor to the Maven ecosystem, including the maven-dependency-plugin and maven-enforcer-plugin...

Madelein van der Hout
Senior Analyst Cybersecurity & Risk, Forrester Research Inc.
Madelein is a senior analyst on the security and risk (S&R) team, focusing on European security consulting firms, European CISO strategy work, and security operating model and organizational research. She supports security executives and professionals in building and maturing their...

Santiago Torres-Arias
Assistant Professor of Electrical and Computer Engineering, Purdue University
Santiago Torres-Arias is an assistant professor at Purdue’s ECE department, where he researches Secure Systems, Applied Cryptography and Software Supply Chain security. Santiago is the team lead of in-toto, a framework to secure the SDLC, as well as PolyPasswordHasher, a password storage...
Level 1 | Hall Entrance S10 | Room C
  Security
  • Content Experience Level Any

16:45 BST

Redefining Access Control: Scaling Policy as Code for Humans and AI Agents - Raz Cohen, Permit.io
Thursday April 3, 2025 16:45 - 17:15 BST
As enterprises embrace AI, managing access for both human users and AI agents has become essential. Traditional access control methods can no longer meet the demands of AI-driven identities such as chatbots, AI agents, decision engines, and autonomous tools.

This talk explores how Policy as Code redefines fine-grained access control, enabling scalability for both humans and AI. Learn how to design flexible, auditable policies that support real-time decision-making and address AI-specific challenges. Tools like Open Policy Agent (OPA) and OpenFGA will be featured, along with strategies for integrating AI-driven access models into zero-trust environments.

Through real-world case studies, discover how enterprises secure billions of interactions while fostering seamless collaboration between humans and machines.

Join me to gain practical insights into implementing scalable access control for today’s AI-powered ecosystems!
Speakers
Raz Cohen
Head of Platform, Permit.io
I'm Raz Cohen, Head of Platform at Permit.io. With over eight years in Kubernetes, cloud-native solutions, open-source projects & Platform engineering, starting at IDF's 8200 unit, Logz.io and Doubleverify, I've become a specialist in Developer Tools. I've spoken at events like KubeCon...
Level 1 | Hall Entrance S10 | Room C
  Security

17:30 BST

Weaving a VEX Feed Through the Kubernetes Project - Adolfo García Veytia, Stacklok
Thursday April 3, 2025 17:30 - 18:00 BST
Vulnerability triaging is an expensive process, often plagued with false positives that cause organizations to waste thousands of dollars in engineering time handling and suppressing them to conform with compliance frameworks.

Here to the rescue comes VEX - the Vulnerability Exploitability eXchange - a new metadata format, designed as a companion to SBOMs that communicates the impact of a vulnerability on a piece of software.

False positives come in many forms: from vulnerabilities found in other platforms, non-exploitable code paths, to simple mitigations pre-applied to artifacts. Using VEX, software authors can communicate downstream that software is safe to use despite security scanners going brrrr.

In this talk, we dive into VEX, explore the new Kubernetes VEX feed instrumented through collaboration from SIG Release, the Security Response Committee and SIG Security to understand the source of the data, how to use it and do some cool demos with real vulnerability scanners!
Speakers
Adolfo García Veytia
Staff Software Engineer, Stacklok
Adolfo García Veytia (@puerco) is a software engineer with Stacklok. He is one of the Kubernetes SIG Release Technical Leads, actively working on the Release Engineering team to improve the software that drives the Kubernetes release process. He is also the creator of the OpenVEX and...
Level 1 | Hall Entrance S10 | Room C
  Security
 
Friday, April 4
 

11:00 BST

Container Runtimes... on Lockdown: The Hidden Costs of Multi-tenant Workloads - Lewis Denham-Parry, Edera & Caleb Woodbine, ii.nz
Friday April 4, 2025 11:00 - 11:30 BST
Container runtimes form the bedrock of Kubernetes, but running diverse workloads side-by-side introduces complex security challenges that many teams overlook. This talk peels back the layers of container isolation, starting with the fundamentals of how containers operate as Linux processes and evolving through today's runtime landscape.

We'll dive deep into the hidden costs and security implications of different container runtime choices in multi-tenant environments. Through real-world examples and performance benchmarks, we'll explore the delicate balance between isolation and efficiency. You'll learn about emerging solutions in the container runtime space and practical approaches to securing workloads without sacrificing performance.

Attendees will leave with critical security considerations for choosing container runtimes, strategies for workload isolation, and tools to evaluate isolation versus performance tradeoffs.
Speakers
Caleb
Software Engineer, calebwoodbine.nz
Open Source, software, cloud native community and distributed cloud enthusiast.

Lewis Denham-Parry
Staff Solutions Engineer, Edera
Lewis Denham-Parry orchestrates containers by day and puts them through rigorous security testing by night. As Staff Solutions Engineer at Edera, he leverages his diverse background to deliver the robust security and isolation that modern systems demand. A dynamic speaker at KubeCon...
Level 1 | Hall Entrance S10 | Room D
  Security

11:00 BST

Zero Trust at Shopify Scale: Automating MTLS Across Thousands of Services - Dani Santos & Michelle Mali, Shopify
Friday April 4, 2025 11:00 - 11:30 BST
Certificate management at scale presents critical challenges for securing service-to-service communication in zero trust architectures. We will demonstrate how Shopify automates mTLS across thousands of services, addressing certificate rotation without interruption, renewal failures, and cross-cluster distribution. Drawing from production experience, we'll explore our evolution from custom admission controllers to versatile patterns working across Kubernetes and non-Kubernetes environments, including mounting CA certificates at container startup with periodic CronJob renewals. We'll share code examples for resilient rotation mechanisms, graceful certificate rollover, and RBAC. Attendees will learn practical patterns for scaling mTLS, with examples of monitoring certificate lifecycles and troubleshooting common failure modes.
Speakers
Michelle Mali
Infrastructure Security Engineer, Shopify
Michelle Mali is an Infrastructure Security Engineer at Shopify, specializing in securing cloud-native environments. With experience in Kubernetes and container security, they hold the Certified Kubernetes Application Developer (CKAD) and Certified Kubernetes Administrator (CKA) certifications...

Dani Santos
Senior Infrastructure Security Engineer, Shopify
Dani Santos is a Senior InfraSec Engineer at Shopify, focusing on service identity and PKI infrastructure at scale in cloud-native environments. She's involved in certificate management initiatives across Shopify's internal services, developing solutions for automated mTLS flows...
Level 1 | Hall Entrance N10 | Room H
  Security

11:45 BST

Enhancing Software Composition Analysis Resilience Against Container Image Obfuscation - Agathe Blaise, Thales & Jacopo Bufalino, CNAM
Friday April 4, 2025 11:45 - 12:15 BST
Malicious compliance has been highlighted in previous KubeCon talks as a challenge for software composition analysis, as it conceals OS and package information in container images and hides vulnerabilities. In this talk, we analyze how the landscape evolved over the past two years and propose improvements for SBOM generation. We found that open-source and cloud providers' tools remain vulnerable, which is even more visible in compressed images from public container registries. We uncover another form of malicious compliance with no standardization of package identifier format, resulting in inconsistencies in detected vulnerabilities between SBOM tools. To address this, we introduce an open-source methodology for layer-by-layer container image analysis, reconstructing the complete history of file modifications and retrieving package metadata and package-related content, improving file coverage and SBOM accuracy. We finally outline concrete steps for advancing SBOM resilience and accuracy.
Speakers
Agathe Blaise
Research Engineer, Thales
Agathe Blaise is currently a research engineer at Thales (Gennevilliers, France). She received the Ph.D. degree in Computer Science from LIP6, Sorbonne University (Paris, France) in 2020. Her research interests focus on cloud computing security, studying various aspects (container...

Jacopo Bufalino
Security Researcher, CNAM
I've always enjoyed breaking things; that's why I work in security. After some years in industry working as DevOps, I moved to academia, focusing on cloud network security.
Level 1 | Hall Entrance S10 | Room D
  Security

13:45 BST

Do Your Containers Even Lift – A Hardening Guide for K8s Containers - Cailyn Edwards & Daniel Murphy, Okta
Friday April 4, 2025 13:45 - 14:15 BST
In a world where containers are centre stage it's important that they look and feel their best. In this talk we will go over the Kubernetes security checklist - identifying quick fixes that will yield huge gains. Together Cailyn and the audience will take a container from flimsy and squishy to rock solid in a Rocky worthy montage of a demo. Become the trainer your containers need, and ensure that your security routines are sustainable and maintainable! From slim images, to access control we will cover techniques and tools that will make your security dreams a reality. Attendees will leave this talk with a list of Cloud Native tools that will take their container security to the next level and help their containers get a PB on their next CIS BENCHmark!
Speakers
Daniel Murphy
Senior Security Engineer, Okta
Daniel Murphy (they/them/he/him) is a Senior Security Engineer at Okta, where their main focus is making managing vulnerabilities less tedious. Prior to joining Okta, Daniel also spent time in Quality and Software Engineering, and Application Security. Outside of work Daniel enjoys...

Cailyn Edwards
Senior Security Engineer, Okta
Cailyn Edwards (she/her) is a CNCF Ambassador and a Senior Security Engineer at Okta, where she spends her time paving roads, putting up guard rails and generally helping to secure the cloud. She is also an active contributor to SIG-Security and a 2022 Contributor Award recipient. Her...
Level 1 | Hall Entrance S10 | Room D
  Security

14:30 BST

Compliance at the Speed of Innovation: Leveraging AI-Driven Automation for Real-Time Regulatory Read - Larry Carvalho, RobustCloud LLC; Simon Metson, EnterpriseDB; Robert Ficcaglia, Sunstone Secure, LLC; Anca Sailer, Red Hat / IBM; Yuji Watanabe, IBM Japa
Friday April 4, 2025 14:30 - 15:00 BST
Due to upcoming regulations, the increased time organizations need to meet compliance requirements is slowing down their ability to innovate rapidly. Businesses are transitioning from periodic compliance assessments to continuous compliance monitoring, which offers constant, real-time visibility into an enterprise's ability to meet regulatory guidelines. With the rapid evolution of regulatory requirements and the surge in recent data breaches, it is evident that customers need a continuously updated and comprehensive understanding of their compliance status and risk exposure. In this session, attendees will learn how adopting a code-based approach to compliance—powered by agentic AI—can accelerate their go-to-market strategy by automating the creation of compliance artifacts. Catalog, controls, and automatic assessments will be discussed. As a use case, the new DORA regulations will be discussed along with the workflow this technology can enable to help organizations adhere to DORA.
Speakers
Larry Carvalho
Principal Consultant, RobustCloud LLC
Larry Carvalho of RobustCloud LLC provides strategy and insight into the adoption of Edge and Cloud Computing technologies. He provides advisory services and works closely with customers and vendors to help all parts of the ecosystem understand cloud computing, map business goals...

Anca Sailer
Distinguished Engineer, Red Hat / IBM
Dr. Anca Sailer is an IBM Distinguished Engineer at the T. J. Watson Research Center where she transforms clients' compliance processes into an engineering practice. Dr. Sailer received her Ph.D. in CS from Sorbonne Universités, France and applied her Ph.D. work to Bell Labs before...

Robert Ficcaglia
CTO and CISO, Sunstone Secure, LLC
Robert is leading the CNCF Compliance WG, helps Kubernetes Audit in SIG-Security, and is the emeritus chair of wg-policy and an active lead in the project assessments for CNCF Security TAG. He also participates in LF efforts related to AI security and safety. As CTO for SunStone...

Yuji Watanabe
Senior Technical Staff Member, IBM
Yuji Watanabe is a Senior Technical Staff Member at IBM Research who lives in Tokyo, Japan. He leads a research team on cloud native security and has been delivering new integrity monitoring and enforcement technology to the open-source community and products. His current focus is...

Simon Metson
SVP Engineering, EnterpriseDB
Simon Metson is SVP for EDB’s Hybrid Cloud products. Throughout his career he’s worked on data problems on distributed systems; whether hundreds of 1000+ node batch farms for physics experiments processing petabytes of data, first generation Cloud DBaaS products or bringing automation...
Level 1 | Hall Entrance N10 | Room G
  Security

14:30 BST

Fresh Secrets From the Docks: Lessons Learnt From Analyzing 180,000 Public DockerHub Images - Guillaume Valadon, GitGuardian
Friday April 4, 2025 14:30 - 15:00 BST
Hardcoded secrets remain a common practice in containerized environments, often used for convenience during testing or deployment, despite their significant, well-known security risks.

Docker images are not immune and can inadvertently leak secrets through Dockerfiles, configuration files, or image layers. Once pushed to registries such as DockerHub, these secrets become discoverable to attackers, putting environments at risk.

In this session, we will share insights from an extensive analysis of 180,000 public Docker images retrieved from DockerHub, uncovering a staggering number of 35,000 secrets from 18,000 images. More than 6,000 of these secrets were valid when the study was conducted in late 2024, including AWS keys, GCP keys, OpenAI tokens, and GitHub tokens belonging to Fortune 500 companies.

Finally, we will discuss common misuses and pitfalls in Dockerfile files that lead to secrets being leaked, and describe best practices for handling secrets in Docker images.
Speakers
avatar for Guillaume Valadon

Guillaume Valadon

Staff CyberSecurity Researcher, GitGuardian
Guillaume is a Cybersecurity Researcher at GitGuardian. He holds a PhD in networking. He likes looking at data and crafting packets. He co-maintains Scapy. And he still remembers what AT+MS=V34 means!
Level 1 | Hall Entrance S10 | Room D
  Security

15:15 BST

EVAPorating Kubernetes Security Risk: Adopting Validating Admission Policy at Scale - Kaitlyn Lee & Jordan Conard, Datadog
Friday April 4, 2025 15:15 - 15:45 BST
Is the cost and operational toil of security policy enforcement raining on your parade? Learn how Datadog is simplifying its internal security policies across its dozens of clusters using Validating Admission Policy. We’ll cover our motivations for adopting VAP, detailing its features and contrasts with webhook-based admission controllers, like OPA Gatekeeper.

We will dive into the design of our policy that restricts the use of additional capabilities on containers, sharing tips on Common Expression Language, the use of multiple types of VAP parameters, and how we provide helpful validation error messages to our engineers. Lastly, we will outline our migration from OPA and how we ensure the health and reliability of our API servers by monitoring metrics and validation cost budgets.

Discover VAP’s features, scalable policy design, and our migration insights to help enhance your security posture, streamline policy enforcement, and safeguard your environments against abuse and bypass.
Speakers

Kaitlyn Lee

Software Engineer, Datadog
Kaitlyn Lee is a software engineer at Datadog. She works in the Compute team which is responsible for running the company’s Kubernetes platform. She focuses on workload autoscaling and node lifecycle automation.

Jordan Conard

Security Engineer, Datadog
Jordan joined Datadog in 2022 as a Security Engineer and is currently focused on securing its Kubernetes infrastructure through admission policies and secure-by-default initiatives. Jordan’s decade of industry experience runs the gamut from managing hybrid cloud environments to...
Level 1 | Hall Entrance S10 | Room D
  Security

15:15 BST

From Chaos To Control: Migrating Access Control To OpenFGA in a Multi-Tenant World - Jo Guerreiro, Grafana Labs & Poovamraj Thanganadar Thiagarajan, Okta
Friday April 4, 2025 15:15 - 15:45 BST
Designing access control that works seamlessly for individuals and scales to millions of resources is a complex challenge.
From lackluster search performance to feature inconsistency and multi-tenant schema discrepancies, there’s no shortage of issues to face.
Join the Grafana Access squad’s journey through the ups and downs of how we’re tackling these issues using OpenFGA, a CNCF sandbox project, by porting our existing access control schema and rethinking our resource search strategy.
If you’ve ever wondered what it takes as a platform engineer to support access control on a multi-tenant system with millions of resources, this is your opportunity to learn how to orchestrate a migration from your current access control system and hear about the peculiar challenges of developing security critical systems.
Speakers

Jo Guerreiro

Engineering Manager, Grafana Labs
Jo Guerreiro is a Staff Engineer turned Engineering Manager at Grafana Labs. As part of the Identity and Access team at Grafana, Jo’s focus has been on developing Grafana’s access control system and making it accessible to both users wanting to configure their access rules and...

Poovamraj Thanganadar Thiagarajan

Senior Software Engineer, Okta
Poovamraj Thanganadar Thiagarajan is a Senior Software Engineer at Okta. As part of the FGA team, he focuses on developing resilient infrastructure for FGA projects, including setting up and scaling systems for high-traffic environments. Poovamraj also plays a key role in data-driven...
Level 1 | Hall Entrance N10 | Room G
  Security

15:15 BST

Why Don’t We Have Both? Track Build- and Run-time Information for Security With Kubescape and GUAC - Jeff Mendoza, Kusari & Ben Hirschberg, ARMO
Friday April 4, 2025 15:15 - 15:45 BST
The best way to secure your software is to know what’s in it. But do you use software bills of materials (SBOMs) at build time or do you scan what’s actually running? Build-time analysis lets you know what’s in your application before you deploy it. Run-time analysis tells you what’s actually in use right now. With GUAC’s Kubescape integration, you can have both.

GUAC, an OpenSSF incubating project, creates a graph database of your supply chain information from many sources and supports querying to derive insights. It now supports collecting cluster scan data from Kubescape, a CNCF sandbox project that provides comprehensive security coverage. Used together, they provide a powerful tool for consuming, storing, managing, and analyzing software supply chain information that reflects what software is used, not just what is compiled into the environment.
Speakers

Ben Hirschberg

Co-founder and CTO, ARMO
Ben is a veteran cybersecurity and DevOps professional, as well as a computer science lecturer. Today, he is the co-founder at ARMO, with a vision of making end-to-end Kubernetes security simple for everyone, and a core maintainer of the open source Kubescape project. He teaches advanced...

Jeff Mendoza

Software Engineer, Kusari
Jeff is a maintainer of GUAC, an OpenSSF incubating project. Also in the OpenSSF: Jeff is a maintainer of Allstar, on the Scorecard steering committee, and a Co-Chair of the Securing Critical Projects WG. As a software engineer at Kusari, he is focused on Open Source, Cloud Native...
Level 1 | Hall Entrance S10 | Room B
  Security