Global AppSec Amsterdam

Managing security within a cloud-native development pipeline requires reimagining traditional security rituals. With hybrid and multi-cloud deployments as well as different container runtimes, orchestration platforms, and technology stacks, getting it right requires more than tooling. We must understand how our teams build software and consume telemetry gleaned through operations. This talk will dive into building with isolation in mind and limiting the damage of a compromised service within an environment. It starts with development and extends through deploying software to the runtime environment. This presentation’s goal is to provide strategies on moving security both to the left and to the right in our software development lifecycle. This presentation will explain the distinct differences between shipping traditional software and how the cloud-native development pipeline changes things. We will focus on popular projects from the Continuous Delivery Foundation (CDF) including Jenkins X, Spinnaker, and Tekton and using them with Kubernetes. We'll examine the non-linear pipelines we're building, the additional steps we've introduced, and the consequences of how CI/CD works in cloud-native shops. At the end of this presentation, you'll be ready to tighten up your stack with new tricks to solidify your cloud-native CI/CD pipeline and the additional security dilemmas it presents.