#197 March 3, 2023
Emily Fox is a security engineer @Apple Cloud Services, a CNCF Technical Oversight Committee member and co-chair for a bunch of CNCF events including recently the Cloud Native Security Conference in Seattle.
We had a chance to talk to Emily about the first edition of the CNSC 2023, her involvement with the CNCF community. Her role as a security engineer and some career discussions.
Do you have something cool to share? Some questions? Let us know:
Kubernetes Community Days (KCDs):
CNSC 2023 seattle guests
ABDEL SGHIOUAR: Hello, and welcome to the Kubernetes podcast from Google. I'm your host Abdel Sghiouar.
KASLIN FIELDS: And I'm Kaslin Fields.
ABDEL SGHIOUAR: In this episode, we interviewed Emily Fox. Emily is a security engineer at Apple Cloud Services and co-chair for the Cloud Native Security Con.
KASLIN FIELDS: We had a chance to sit down and talk with Emily about the first edition of the Cloud Native Security Con in 2023 in Seattle and her involvement with the CNCF in various security topics.
ABDEL SGHIOUAR: But before, let's get to the news.
KASLIN FIELDS: KubeEdge is a Kubernetes-based open-source system for extending native containerised application orchestration capabilities to hosts at the Edge. KubeEdge version 1.13, released on January 18, 2023, achieves SLSA 3 compliance. This makes it the first SLSA 3 compliant project in the CNCF.
SLSA stands for supply chain levels for software artifacts, SLSA, and is a security framework and checklist of standards and controls. This announcement shows exciting progress for security and cloud native style workloads at the Edge.
ABDEL SGHIOUAR: The CNCF Technical Oversight Committee, TOC, has voted to accept KubeVela as a CNCF incubating project. KubeVela is an application delivery engine built with the Kubernetes control plane that makes deploying and operating applications across hybrid and multi-cloud environments easier, faster, and more reliable.
KASLIN FIELDS: There are some new features in Google Kubernetes Engine, including balanced compute classes, now being offered in GK Autopilot. GK Autopilot also now supports exposing randomly-assigned host ports for pods. GKE has started offering ephemeral storage with local SSDs and has added support for Windows Server 2022 nodes.
ABDEL SGHIOUAR: AWS announced the availability of AKS, AWS Kubernetes services, anywhere on Snowball Edge devices. Snow, or Snowball, are computer platforms that can be used on the Edge in disconnected environments for running data analytics or ML workloads. AKS Anywhere is an AWS version of Kubernetes that can be deployed on-prem and now on Snow devices.
KASLIN FIELDS: Sysdig released their sixth annual cloud native security and usage report. Some of the key trends from this year's edition include 87% of monitored container images have a high or critical vulnerability in them. 71% of these vulnerabilities have an available fix, which have not been applied.
Over-permissioned access remains an issue, with about 90% of permissions not being used. Over-provisioned capacity of containerized environments is trending up with about 69% of requested CPU remaining unutilized. This report estimates organizations could save millions of dollars if they optimize their workloads. Be sure to check out the report in the show notes.
ABDEL SGHIOUAR: The CNCF Hamburg Community Group in Germany is starting back up after being out of commission for a while due to the pandemic. Our past guest Leonard is partially leading the effort to revive the group. This reflects a seeming trend of increased localized CNCF community activities alongside a number of regional Kubernetes community days. Some upcoming KCDs are taking place in Israel and LA in the US. The LA KCD is also co-located with the Southern California Linux Expo Scale.
KASLIN FIELDS: If you haven't seen it yet, the schedule is out for KubeCon EU. This is arguably the premier event in the Kubernetes and cloud native open-source ecosystem. So there's a lot to see. Just scrolling through the schedule can tell you a lot about ecosystem trends and popular technologies. Be sure to check it out in our show notes.
ABDEL SGHIOUAR: Katacoda, the popular learning platform that was acquired by O'Reilly and shut down in June 2022 announced that they are also shutting down Kubernetes tutorials at the end of March this year. This will impact Kubernetes project tutorial landing page, which references Katacoda tutorials and any links that point to the project. The project is looking for a replacement solution and is open to volunteers who would like to help.
KASLIN FIELDS: The Linux Foundation announced a set of paid internships to help shape the future of WASMEdge. If you're looking to learn some new developer skills and work on cutting-edge technologies, head to the website in the show notes.
ABDEL SGHIOUAR: And that's the news.
Emily is a security engineer at Apple Cloud Services, a CNCF technical oversight committee, and co-chair of a bunch of CNCF events, including the most recent one, the Cloud Native Security Con in Seattle. Welcome to the show, Emily.
EMILY FOX: Thanks so much for having me, Abdel. It's a pleasure to be here.
ABDEL SGHIOUAR: Thank you. It's a little bit bright and early, I guess, for you.
EMILY FOX: Kind of. It's about 10:00 AM, so it's not too bad. I've already had a cup of coffee, and I'm on to tea.
ABDEL SGHIOUAR: Good, and it's Friday. We are recording on Friday, and I'm going for vacation next week.
EMILY FOX: Congratulations.
ABDEL SGHIOUAR: Thank you. I'm going to record with you, and then I'm just going to turn off my computer.
EMILY FOX: That's the way to do it.
ABDEL SGHIOUAR: Yes, all right, so let's get going. Can we start with introducing yourself, Emily. Tell us who you are.
EMILY FOX: I am Emily Fox. I am a community member within the Cloud Native Computing Foundation. I started contributing to open source in 2018 after attending a talk from Justin Cormack at KubeCon Cloud Native Con Europe. And I'm a security engineer. I do a lot of stuff.
I've been a technical lead for the security technical advisory group within the CNCF. Then I became a co-chair and was selected to join the Technical Oversight Committee. I also participate, as I have time, in the open-source security foundation trying to connect the bridge between cloud native security and open-source security upstream.
So you'll see my name pop up in a lot of different places. But I'm the security Fox. I'm not the data scientist Fox.
ABDEL SGHIOUAR: Nice. Actually, I was reading your LinkedIn. And obviously, that's an impressive background, and there is a lot to unpack there. But there was one thing that jumped into my eyes when I was checking out your LinkedIn is you said, I am not a developer.
EMILY FOX: Yes.
ABDEL SGHIOUAR: You explicitly called that out. Is that because people just assume that you are a developer?
EMILY FOX: You would be surprised how many times I get questions about software engineering or whether or not I'm a programmer. I am not. I don't even pretend to play one on TV. But I know a lot about software engineering and software development and practices and how that works.
And I'm very passionate about ensuring our developers and software engineers understand security, their responsibilities, and trying to make that level of knowledge easier for them to process or at least make it such that they don't have to go get another college degree just to understand what it is that I'm asking them to do.
So I try very hard to understand their background, their frustrations, where their head's at and what they want to do and what they want to achieve, and try to enable them to be successful in that in the most secure way possible.
ABDEL SGHIOUAR: Cool. How does that go usually because, from my experience, security people are usually just perceived as disliked people that come in and just block everything because somebody made a mistake?
EMILY FOX: Yeah, that's extremely common. The best way to describe it is it's really a translation function. I basically translate between two different communities, security and software engineering, or even operations as well. It works really well when you have an interest in what it is that they're working on and trying to build something better, create a new feature that makes it easier for users, or even makes it better for other engineers to be able to access your services.
So having an interest in the domain is one area, helping them figure out how they solve some of the more complex problems, and then sprinkling in security along that process and walking them through, not necessarily going through a full-on threat model, but talking to them about translating threat modeling activities or security considerations into daily metaphors for them to use.
It's a lot easier now since the pandemic happened because everybody was their own risk management practice with whether or not they wanted to go out. But there's so much to do there, and as long as you're speaking the same language or you're asking the questions to show that you're interested, because you are, that people are more friendly and they're more willing to adopt the practices that you're recommending to them.
ABDEL SGHIOUAR: Cool. I actually can relate to that because I myself am not a developer. I did five years of software engineering. I never used that. I'm actually more on the infrastructure side, right? And I had my fair share of experiences working with developers and trying to explain what DNS is and how it works.
So it's quite interesting, right?
EMILY FOX: It's magic, and it's always wrong.
ABDEL SGHIOUAR: Exactly, and it's surprising the amount of people that just make an API call to DNS thing and not even log when DNS doesn't resolve properly. And then you're just there banging your head against the wall figuring out why your thing is broken. So you're also part of the Technical Oversight Committee, or the TOC of the CNCF. Can you tell us a little bit, what's that?
EMILY FOX: So the Technical Oversight Committee within the Cloud Native Computing Foundation is responsible for the technical oversight and technical direction of the projects and the communities within the foundation.
A lot of what it is that we do is evaluation of projects, whether or not they are meeting the expectations of the adopters and the end users within the cloud native ecosystem as well as guiding them along a path of higher levels of maturity.
So ensuring that they're aligned with our governance expectations for processes of an inclusive and welcoming community with clear paths for ascension to leadership positions within a particular project, within a tag or a SIG, special interest group, as well as whether or not they have all the security considerations in mind. What is their performance and scalability?
Like if you were an engineer and you were looking at an open-source project or even a commercial product, what kinds of concerns or considerations would you have in evaluating whether or not it's going to work with your particular use case or your posture or for your entire company? What are your compliance requirements?
We have to do all of that at various stages of maturity within projects, and as well as evaluating whether or not they have potential to be successful within the ecosystem. So you'll see us accept projects that are very experimental, or they're on the fringes of cloud native because we're trying to figure out whether or not that's something that the market or the community is looking to.
ABDEL SGHIOUAR: I see, yeah. Cool. So you are also involved with quite a lot of other things in CNCF, right?
EMILY FOX: Yes.
ABDEL SGHIOUAR: You have been chairing or co-chairing a bunch of conferences and stuff like that, and very recently, the Cloud Native Security Con, which took place 1st and 2nd of February in Seattle.
EMILY FOX: Yeah.
ABDEL SGHIOUAR: And I quote from the keynote, that's your baby project.
EMILY FOX: Yes, it is. It feels very strange to have the first thing I worked on and grow up and become its own standalone conference. I feel like a proud mom when they told me. I got all teary and emotional.
ABDEL SGHIOUAR: Nice. So you mentioned that the conference was standalone for the first time. So can you tell us a little bit about the history of Cloud Native Security Con and how it came to become a standalone conference?
EMILY FOX: Yeah, it was-- whoo. It started, again, a very long time ago with an idea from a community member. Michael Doocy was running Local DevOps Days. He had a lot of experience with unconference and open-space schedules. We had both recently attended KubeCon.
And one of the challenges that we had was there was a lot of vendor or very narrow topics in the security domain because it was still new at the time. People were still trying to figure stuff out. Like what does cloud native security mean? And how expansive is it?
We wanted a place for collaborators in the community to get together and talk about some of the gaps and some of the problems that they're experiencing or how they're solving some of these challenges or what are they thinking about next from a security perspective.
So he proposed a one-day conference, and there were 14 of us initially that jumped on board to start planning it. It was originally intended to be a small event, try to really drive more discussions through curated open-space conversations around particular topic areas, like supply chain security or machine learning, secure defaults, those kinds of things.
It was actually pretty popular for a one-day event set up by a bunch of volunteers. And then we kept doing it and turned it into a co-located event with KubeCon, which were growing in popularity at the time. And we kept selling out, or we kept hitting the room limits. That was actually very common.
People were interested in it. But one of the things that made it different than the security track at KubeCon was we were focusing on things beyond just Kubernetes. Kubernetes security and, in particular, the special interest group for security in the Kubernetes project were doing excellent work on furthering what gate security actually looks like and providing guides and documentation.
But the rest of the ecosystem outside of that didn't really have something equivalent, and they didn't really know how to take the existing standards bodies, like NIST 853 controls or PCI DSS compliance controls, all of those things, and translate into cloud native.
So there was a lot of unknowns and a lot of ambiguity at the time that we were able to deliver in content at the co-los and the attendees were very receptive to it. And that's how we became the co-lo for the conference.
ABDEL SGHIOUAR: Cool, cool, yeah. So I did attend a couple of co-located events at KubeCon. And from my experience, they have always been sold out, so the rooms have always been full. And also from my experience, these actually sometimes turns out to be better than KubeCon itself because you have a focus on a specific topic, right? KubeCon is just a lot of things happening at the same time and a lot of vendors trying to sell things.
And I like this idea of, OK, let's just get together and do our own little thing for people who are like-minded people, I would say.
EMILY FOX: Yeah.
ABDEL SGHIOUAR: So then how was it? How was the event like, now that you had time to cool off?
EMILY FOX: As a standalone, we weren't really sure how successful it was going to be because you're taking something that people are already going to, which is KubeCon. It's a huge event-- it attracts thousands every region that it's in-- and spinning this off into its own thing in North America.
We had about 700 to 800 attendees. It was really successful. I had my doubts initially. They were very small. But a lot of people really enjoyed it. They said-- a lot of the attendees that I talked to particularly liked the size of the conference. It was smaller. It felt more intimate that they were able to make stronger network connections with folks in areas that were relevant to them because security covers so many different things. But within security, there's all these interesting subdomains of expertise.
If you're talking about software supply chain security, that is a big domain in and of itself. And then you break that down into identity and access management more specifically, detection engineering and threat response. And you see those in the Cloud Native Security Con track. We tried to break some of these topics up for attendees in areas of interest. And I think, for the first time, we did a good job. Next time, I think we can do even better with the feedback from attendees to understand where are they looking to next.
A really good example is I had a lot of attendees tell me how much they enjoyed one talk in particular from an end user about how they are architecting their end-to-end software supply chain. It's an excellent talk. If you haven't seen it, go to the CNCF YouTube channel and watch the full day of talks. This one is from Yahoo.
They did a great job explaining what it is that they're doing. What are their trade-offs? What are their considerations? What kinds of environments do they have? What are their compliance checks and mechanisms?
And I think that one really stuck with people because they're trying to figure out how to connect all of these independent moving objects into their architecture for a particular problem space. And that's not something that you get quite as easily in the main conference. You do get end user talks that are excellent, but they're not focused on a particular problem domain space.
ABDEL SGHIOUAR: Yeah, I will definitely check out the talk. And we will have a link in the show notes for this episode. But I think something that you said that resonated with me is the actual use cases, how people are using the technology. So the software supply chain security topic that you said is a big domain. And all the things inside, like SBOM and sign-in and stuff, those are individual pieces. But seeing how they're put together to make a software supply chain security is definitely something that I do understand why it's interesting for people.
Cool, so I've been going to KubeCon very often. I think you mentioned that the first time when you talked about this Cloud Native Security Con was KubeCon Barcelona 2019 or something?
EMILY FOX: That was when I first got interested in, at the time, they were called the special interest group for security within the CNCF. But that was that first time. I had gone to KubeCon previously in Copenhagen, and I got really interested. I spent the entire day in the maintainer track and just absorbed all of this fantasticness that the community was putting together. And I was really excited to go back home and be like, yes, I'm going to build an awesome system with all of these things. And I know what a stack looks like now.
ABDEL SGHIOUAR: Nice.
EMILY FOX: Boy, was I very young.
ABDEL SGHIOUAR: Yeah, so we must have missed each other because I've been to all these KubeCons. But they are massive events, I think.
EMILY FOX: They are.
ABDEL SGHIOUAR: Barcelona was like 8,000 or 7,000 people. It was crazy.
EMILY FOX: It was a lot.
ABDEL SGHIOUAR: Yeah, I remember there was a lot of walking. The venue was huge, and you had to go walk a couple of kilometers a day to get from one part to another.
So since you have been going to KubeCon quite often, you see or you know that every single KubeCon has a trend, right? There is always something. Like last one, in Valencia last year was all about eBPF. There was at least 10 vendors doing eBPF, right? So I would ask you, what was the main trend from the Cloud Native Security Con, if there was any?
EMILY FOX: So eBPF is still going to be popular for a very long period of time. The technology itself is not brand new. However, we're figuring out different ways that we can leverage it to solve problems. The challenge comes in is that, when you have a few individuals that really understand the underlying technology, it makes it a little bit more difficult to be able to figure out how we can apply that technology across different problem areas.
But we've seen more people getting interested in the space, learning more about eBPF, how to leverage it both within detections but as well as within their service mesh and networking requirements. So eBPF definitely for sure.
I think the next thing is that people are looking to figure out how to adopt and make the most out of the technology that's there. It's that day-two operations problem space. We have all these great things. I had mentioned before, I had figured out what a stack looked like, and I wanted to run back and go start building all of these cool capabilities to solve my particular problem.
And I think a lot of people go to the conference, both KubeCon and Cloud Native Security Con, learn about all these great tools. But they struggle with how do we integrate that within our own enterprise environments, our own architectures? How do we take the information out of that and operationalize it for us? What are the problems beyond day two that we're not even thinking about yet? And what is the maturity of it?
You've got folks that have been doing these really awesome capabilities with cloud and with cloud native and Kubernetes and all sorts of really cool projects that are new in this space. But they don't know what does mature look like? What is the starting point, and what is the ending point because we talk about the end all the time?
Look at all these cool things I've built with my stuff, and here's how I can take advantage of it to answer all of these questions. Or here's all the really cool dashboards I built with it. But nobody actually talks about why that's meaningful or what we can do with that information.
And I think that's the trend that I saw is that people were craving that content, that detail that a lot of adopters and end users are very hesitant to provide because they're unique cases, meaning that it's potentially proprietary or is protected. Or maybe they don't think it really matters to everybody else because it's just solving their problem. But I think we have more problems in common than most people realize.
ABDEL SGHIOUAR: I definitely can plus one that. I did some consulting before my developer advocacy role I have right now. I did like four years of consulting on Kubernetes and Service Mesh. And I can assure you that like 80% or 90% of use cases that I came across are not unique.
EMILY FOX: Yeah.
ABDEL SGHIOUAR: People are always trying to solve the same problems probably using the same tools. What could be unique, as you said, is well, each company has their own IAM system or their own processes or stuff like that. So yeah, that basically doubles down on the idea of people like the use cases content. How do we put technology to be used, right? So this probably could be an advice for people listening to this episode. Submit your use cases. People might like them actually.
EMILY FOX: Yes, those talks almost always get scored higher if they're well written because they have that consideration that talk about their particular use case. And the attendees can go to those ones that where the problem space aligns, they're excited to go there and learn.
ABDEL SGHIOUAR: Yeah, yeah, cool, so continuing on the topic of the Cloud Native Security Con, what were the three, five main takeaways from the event for you this year?
EMILY FOX: People really needed that extra deep technical content that you couldn't get at KubeCon because we're trying to cater to a much larger audience. Usually, they're beginner or maybe midway through their cloud native journey. And Cloud Native Security Con provided them four levels deeper in content, probably more advanced topics that you don't get unless you're mid to later in your maturity from a cloud native security perspective.
So that was a key takeaway for me as a community member and leader running a bunch of conferences and assisting the community in figuring out how we bring that content in.
The next one I will say is that supply chain security is not young. It's been around for a really long time. We just happen to be paying more attention to it. And we find all of these problems, and now we have technology that is increasing in maturity, not quite fully robust yet. But people are rapidly starting to adopt it and trying to figure out what do I need to do with SBOMs? Where do they get integrated? The common questions that we're getting three years ago are still coming up because people are still onboarding into their journey.
So we have to be able to provide content both for newcomers as well as the more advanced folks, and we need to be able to balance that. So I would say that that was another main takeaway for me and for the program committee is figuring out how to span multiple levels of expertise in content without losing some of that technical depth that attendees are going to come to expect moving forward.
The last one I will say is we're starting to see more maturity in detections and what could be done about them. A lot of the conversation has been around ransomware and crypto mining. It's fairly common and makes a lot of sense. But we've not seen a lot of discussions around attack surface reduction. So we're focused more on detection engineering, and how do we detect anomalies and suspicious behavior within these environments?
So I think that will continue for a while until we get ahead of it some more and start getting more standard detections in place for cloud native architectures. This is what a crypto mining container looks like, and that is baked into every product and every project as a standard profile to keep an eye out for. And then we can start looking at attack service reduction.
ABDEL SGHIOUAR: Yeah, yeah, specifically the topic of software supply chain, as you said, these have been around for a while. And a lot of people have been hearing about it. But I think what's happened in recent years is we started seeing it's being used and impacting day-to-day life, beyond the intercontinental pipeline, for example, in the US.
Or for me, in Sweden, it was actually a supermarket chain that got impacted because they did not get hacked, or they did not use something vulnerable. One of their software provider had a backdoor in one of their dependencies. So somebody pulled in a dependency, used it to build a software, delivered it to their customers. And then their customers got impacted.
And they had to shut down the whole supermarket chain in Sweden, actually, for a few days until they could figure it out, yeah. Yeah, it was quite big. Not a major problem, but probably a few people got annoyed that they couldn't get their favorite ice cream or something.
EMILY FOX: But you take those problems and you start abstracting them to other industry verticals, you can talk about that with finance. You can even talk about that with education that's still--
ABDEL SGHIOUAR: Energy, yeah.
EMILY FOX: Yeah, all of those constantly under attack. And now it's becoming easier because we don't have-- actually, this goes back to another probable take away that I will mention is lack of security education is very apparent, not necessarily in attendees, but in our users and our adopters and even with software engineers-- we talked earlier about this-- trying to get them to reach the level of foundational security awareness and security literacy in a increasingly more online digital world, especially when everything is in the cloud. You can't touch it. You can't feel it. You don't have physical control over it.
ABDEL SGHIOUAR: Yeah.
KASLIN FIELDS: That, I think, is the next coming thing out of these conferences that people are slowly starting to realize.
ABDEL SGHIOUAR: Yeah, I think people are also starting to realize that the password on a post-it note under the keyboard is not only your grandmother problem. It's everybody's doing something like that.
EMILY FOX: It's funny you mention that. In a few security Slacks that I'm in I've heard lots of security folks say, I can't believe I'm saying this, but it might be safer for you to keep a password journal locked in a safe in your house than maybe using some of these password management systems that are constantly being attacked.
Now, that's probably not the best for everybody. And this is where we go back to that threat modeling in that risk management conversation about you're going to do what's going to work best for you, but make sure you consider all angles.
ABDEL SGHIOUAR: Yeah, I moved away from an online password manager early this year because one of these majorly known ones got hacked a couple of times. So I was like, I had enough. I'm going to run a local copy of my passwords.
EMILY FOX: That's pretty accurate. People are getting fed up with hearing about all the attacks all the time. So anything that we can do to make our software products and projects more secure for end users and adopters, whether or not they're consumers, or if there are other technology companies and organizations, that is how we're going to get ourselves out of this, oh, someone was hacked again.
ABDEL SGHIOUAR: Yeah, it's becoming something that happens and we hear about it every day. It's annoying.
EMILY FOX: Yes.
ABDEL SGHIOUAR: So I would like to go back a little bit to the cloud native security. What do you mean when you say cloud native security? How is that different than how we used to do security before when we had data centers and VMs?
EMILY FOX: It's not fundamentally different. The underlying foundations of security as a concept will remain the same. Protect things from exposure, ensuring that the integrity we expect to be there is still true, and then making sure that our systems are highly available and operating as intended. And the availability depends on what it is that your use case is and what your end state looks like. Some of that's streaming, so you're always up all the time. And some of it's you're only up when you need to be.
ABDEL SGHIOUAR: Yeah.
EMILY FOX: In the cloud native space, that means taking these concepts-- it's called the CIA triad, confidentiality, integrity, and availability, and applying them in a way where we have distributed, ephemeral, and immutable architectures, workloads, tooling, software, and applications. And that is what cloud native security is.
It's not necessarily just the containerization aspect of it and making sure your containers are secure. It's the configuration of the underlying worker nodes with operating systems that are on them, applying principles of least privilege to make sure that they're not running as root unless you absolutely need it, ensuring that your operations engineers have access to the appropriate tooling. That way they could sidecar into another workload and figure out why something isn't performing optimally.
Or even just nuke the entire pod and redeploy completely fresh because you don't have the allowable downtime to be able to troubleshoot something. You'll do it after the fact offline looking through logs and observability tooling.
There's just-- I don't know. There's so much to consider when it comes to cloud native, and it bleeds heavily into just general open-source security. You'll see this in a lot of the security technical advisory group's issues and discussions is we are starting to get to a good saturation of what is secure practices in the cloud or secure practices with open source and where that overlay with cloud native makes it for technical uniqueness.
Those are becoming more and more challenging as the lines get blurred because we're seeing more mature security guides from the cloud native ecosystem applied outside of our architectures.
So we've done really good. We've gotten ahead, and people are using the products and the deliverables that come out of that group. And now we're trying to figure out what's the next thing that hasn't already been covered? Or where do we point to existing material that is more refined and more use-case specific for adopters?
ABDEL SGHIOUAR: Yeah, so if I understand correctly, when we say cloud native security, it's more taking the same exact security principles and just applying them to a different way of doing things, which is cloud, right?
EMILY FOX: Correct, which is tricky when traditional security is all about checklists.
ABDEL SGHIOUAR: Yes.
EMILY FOX: Do you have dataflow diagrams that document which ports and protocols that you're using? Some of those things that people that have been in the community for a long time and familiar with waterfall development, they'll have this stuck in their conscience about this is how we do security. But breaking that apart into more movable and flexible components that we can continue to build on and iterate, that's the other part of this. It's the constant refinement. Start with one, and then figure out if one worked. And then go to two and keep building.
ABDEL SGHIOUAR: Yeah, it's funny that you mentioned the checklist thing. When I was in my consulting times, I actually came across a lot of use cases when you work with traditional companies that are trying to move to the cloud. But then they put the responsibility for security on their existing security people who are used to the checklist. And it makes it super hard to actually have a conversation, like what you said, a dataflow.
A dataflow diagram in Kubernetes is extremely hard to actually build.
EMILY FOX: Yes.
ABDEL SGHIOUAR: There's a lot of moving parts, and there is traffic that is not even application traffic that you have to also somehow cater for, right? So it's quite interesting. So I'll ask you one question, which was not actually planned initially to ask it. But this is more something I care about in terms of careers, right?
I have a podcast where I talk about careers in the cloud, and I think I want to have you there at some point. But my question to you, which I get asked all the time, is what would be your advice to people who are new to the security world and new to cloud native security? What would you advise them to focus on?
EMILY FOX: So it's funny you mention that because, again, one of the security slacks that I'm in, somebody had asked this particular question. If you're looking to get into security, where do you tell people to start? And just like a engineer would usually say, it depends.
I hate to use that term in this context, but it really does. Usually when people approach me about I'm interested in security or I'm starting my career in security-- what should I focus on? What should I learn? It depends on what they're interested in. Security has two primary areas of focus.
There's more of the offensive side, which is doing the penetration testing, doing detection engineering and response, threat intel, those kinds of things. And then there's more of the design and the architecture and the strategic thinking around how do you secure an entire enterprise using cloud native technologies or using whatever technologies work for your use case? You could still have a data center, and you can still do these.
From there, the next thing I will say is go read your history. You can learn so much about the security failings and successes of the past and how technology has matured and developed over time. And this is more of a nontraditional route, but as we continue to move forward in technology innovation and build layers of abstraction upon abstraction from previous innovation-- Kubernetes is a really good example of this.
We start to lose the fundamental understanding of everything under the covers. And that's where our attackers are getting more successful, moving further upstream, moving further down the stack because layer seven is getting really easy to attack but also really secure really quickly.
So they're going to start looking for those more archaic, more difficult-to-understand technologies. And if you as a security professional getting into the industry understand how well that stuff works, you are going to be wildly successful regardless if you become a penetration tester or if you become a security architect. Doesn't matter. That information is still useful.
ABDEL SGHIOUAR: Yeah, attackers are finding new interesting ways to actually hack you or get into your system. And to me, as somebody who's coming from the hardware background, I actually was quite surprised when I saw a lot of companies starting to react to what happens if your hardware is compromised, right, like by putting chips inside servers to establish trust and things like that because you get these things manufactured by third party, you cannot trust them. It's quite interesting the spectrum of security you can do because there is multiple things, right?
EMILY FOX: There's that, but it's a little bit more than that as well. So there's a lot of the most common attacks that are occurring are simple things that people just forget. They're commonplace configuration errors like how many S3 buckets are still unprotected on the internet? Oh, there's a lot. How many Kubernetes clusters are still unprotected on the internet? There's still a lot.
You can look at Rory McCune's tweets and some of his talks about how many clusters are still in the wild and susceptible to attacks. It's those things as well. So it's even more important as you get this innovation and as you get this abstraction, you have to understand everything from probably the '90s, even before then, about how technology actually built and was developed. And then all of the configuration options that have existed between 1999 and 2023, there's a lot.
And attackers basically have an entire catalog that they can go through and be like, hmm, I'm feeling-- let's attack an API today. Here's a bunch of different ways I can do that. I can go grab your credentials out of your GitHub repo because you inadvertently checked them in. All of that stuff, they have way more options. And we have a lot more things to consider. And there's far fewer of us than there are of them.
ABDEL SGHIOUAR: Yeah, yeah, so we mentioned through the interview quite a lot of time the software supply chain security or, as we commonly abbreviate as SDLC, and also there is this new trend since few years called the shift left movement, right?
EMILY FOX: Yeah.
ABDEL SGHIOUAR: Can you tell us what's that's a little bit, and what's your take into that?
EMILY FOX: I will say, early on in my career, I was all about shift left because it was integrating security further upstream. It was the bake it in not build it on, or don't frost your cake with security. Make sure it's actually mixed in well throughout, so you have a nice end project or product.
Shift left, as I've matured in my career, has become a little bit frustrating because I've seen organizations get confused with the concept thinking that they don't have to run security skins in their production environments anymore because they're running them in their source code, or they're running them as part of their build pipeline, or they're scanning their artifacts.
And conceptually, shift left makes sense, but you can't forget about the stuff that you currently have running. And we still have a lot of innovation that needs to be done in production environments from a security perspective, like being able to reach into a container and actually know what's in it and what's running versus if some software engineer decided to feel super fancy and put a sleep in there to start downloading a bunch of files off of the internet and installing them.
There's all sorts of weird, crazy things that engineers can do in those running environments that we still don't have a lot of visibility or clarity on what's actually happening. So if there's anyone out there working on that, that would be really cool to be able to solve that problem because right now we can't see anything that's actually going on.
But back to shift left, I think it works for a lot of people in a way that they can apply it conceptually. But they can't forget about the rest of what security is. And it's the stuff that's actually running. If you're really good at it, it's expand left. That's the trend I think that should be taking off is really start focusing on, not only the software engineering practices, the software development lifecycle, all the open source that you're pulling into your environment before your software engineers actually put hands on a keyboard to start development and integration.
You need to also continue to work those operational security problems and tie those loops back together. This is where DevOps principles come into play, using systems-level thinking, iterating on feedback loops and amplifying that content because if you can gather metadata out of your software development pipeline, whatever that looks like to you, whatever that looks like in your particular use cases.
And make that metadata operational to implement policies and productions and periodic checks and evaluation, that's where you're really going to start picking up that increased velocity and increased visibility and potentially heat maps of what your real risk is as an enterprise or even as an organization.
ABDEL SGHIOUAR: Yeah, I also think about shift left and talk about it to customers as more from a cultural perspective of how can you actually empower everybody involved in the software supply chain into doing the right thing. Like you mentioned, engineers can do crazy stuff. So how can we not stop them from doing crazy stuff but teach them they shouldn't be doing crazy stuff, right?
EMILY FOX: Correct.
ABDEL SGHIOUAR: So the cultural aspect of it is also quite interesting. I understand. It's a common problem in our world these days that there is buzzwords that people use but they don't really understand what they are, right? But yeah, I like your explanation. It's pretty cool.
EMILY FOX: Yeah, I used to lecture at the Naval Academy. I was a guest lecturer for a few times. And there was a talk I gave with some colleagues called Modern Software Development. And the subtitle of that was The Most Buzzwords You'll Probably Ever Hear In An Entire Presentation. And that's really what it was.
Our concepts of technology and security and cloud and cloud native, even just modern development practices, is so overloaded with buzzwords that we lose the underlying meaning of what it is that we're trying to accomplish because people spend more time trying to figure out what is this word in this context and how do I apply it than understanding the actual engineering principles behind those concepts.
ABDEL SGHIOUAR: Yeah, yeah, nice. Well, Emily, thank you very much for the time.
EMILY FOX: Yeah, not a problem. This has been fun.
ABDEL SGHIOUAR: That was a lovely interview. I learned a lot from you. I'm certainly going to follow you online to learn more.
EMILY FOX: Awesome.
ABDEL SGHIOUAR: And maybe we will cross paths at some point.
EMILY FOX: Definitely, next time you're at a KubeCon and I'm there, hit me up.
ABDEL SGHIOUAR: Yeah, I will. I'm going to Amsterdam, so I'm going to probably see you there.
EMILY FOX: Excellent. I will see you there.
ABDEL SGHIOUAR: Awesome, cool. Anything you want to add, anything you want to close on?
EMILY FOX: I would like to see the community take more effort, more conscientious effort in building succession within their projects because you'll probably hear me talk about this a little bit at KubeCon, so teaser for my keynote maybe. We'll see. I'm still writing it.
But we do a great job of capitalizing on the existing leaders within the community. But they're getting stretched really thin, both themselves and our maintainers. They're being asked to do a lot with very little resources. And I'm going to ask them to do a lot more by thinking about who's going come behind them, who's going to help them, and who's going to take over for them when they want to retire or move on to a new career prospect?
And I think that is the biggest shortcoming, and I'm guilty of that, moving from a co-chair position directly into a TOC without building a line of succession behind me. And I'm really pushing for that and advocating for that moving forward. People need to consider how do we bring our less experienced engineers up to a level that allows them to replace us when we want to move on to whatever the next green pasture looks like for ourselves.
ABDEL SGHIOUAR: Yeah, this is something that definitely echoes quite often when we talk to people involved in CNCF. Just very recently, Benjamin Elder, he talked specifically about this. Being across multiple committees is not sustainable on the long run, right?
EMILY FOX: Correct, and it isolates the knowledge in a few individuals. Our best factor becomes very catastrophic at that point.
ABDEL SGHIOUAR: Yes, yes. Having all the important people on the same flight towards KubeCon is not a good strategy, actually.
EMILY FOX: Yeah.
ABDEL SGHIOUAR: All right, well, thank you very much for joining us, Emily.
EMILY FOX: Thank you so much, Abdel, for having me. And thank you everyone for listening. I really appreciate your time.
ABDEL SGHIOUAR: Thank you. You can find Emily on Twitter @TheMoxieFox, or you can find her on the CNCF Slack channel.
EMILY FOX: Yeah.
KASLIN FIELDS: Thanks, Abdel, for that interview. Emily Fox is such an interesting person. She has so much cool experience, and there's so much I want to dig into there. But recently, I actually also attended Cloud Native Security Con.
ABDEL SGHIOUAR: Yes, and I'd like you to tell me how was it?
KASLIN FIELDS: I would love to tell you, but I'm always intimidated by that question. People are always like, oh, how was the conference? And you try to talk about all of the trends that you saw, and you're always worried that you won't really cover everything. So I'd rather let the folks who attended the conference tell you themselves. We've got a set of interviews of wonderful folks who attended Cloud Native Security Con and were willing to be on with us.
ABDEL SGHIOUAR: Sounds good.
KASLIN FIELDS: I'm Kaslin Fields with the Kubernetes podcast from Google here at Cloud Native Security Con 2023 in Seattle. And I'm here with--
DAVID WOLF: David Wolf, I'm a cybersecurity researcher at Devo Cloud Native SIEM Platform.
ERIC KNAUER: Eric Knauer.
JOSH KNARR: Josh Knarr.
LIZ RICE: My name is Liz Rice. I am chief open-source officer at Isovalent, and more relevantly, for today, I'm one of the program co-chairs for Cloud Native Security Con here.
MITCH CONNORS: Hey, Kaslin, Mitch Connor is happy to be here with you.
NICK YOUNG: Hi, my name is Nick Young. I am a software engineer with Isovalent, and working on ceiling service mesh. I'm also a maintainer on the gateway API.
TAYLOR DOLEZAL: Taylor Dolezal of the CNCF.
KASLIN FIELDS: Awesome, and what are you most looking forward to at the conference?
DAVID WOLF: I wanted to get a better sense of the Panoptic Cloud, AWS, and GCP, and Azure, infrastructure, and workspaces, a holistic unified cloud view.
ERIC KNAUER: Well, I wasn't sure what to expect. I've been to a few KubeCons. So I was curious, like, OK, it's not all about Kubernetes. But I wanted to know what the security aspects of it were. And just find out what in the security landscape I should be exploring.
JOSH KNARR: I'm hoping to get hands on experience with the products. I feel like there's a lot of YouTube out there. There's a lot of blogs. Everybody's got a stack exchange, that kind of a thing. But what I really appreciate is meeting people, being on podcasts, for sure.
KASLIN FIELDS: Love to hear it, love to hear it.
JOSH KNARR: And it's nice to also get that hands-on stuff. I went to a talk on SPIFFE Inspire that gave practical examples, and I'm like, oh, my gosh. That is the light bulb moment for me, yeah.
KASLIN FIELDS: Was that the one with Frederick Kautz He gave one on SPIFFE Inspire.
JOSH KNARR: I think so, yeah.
KASLIN FIELDS: Nice. It was a good one.
LIZ RICE: It was the first time we've done this stand-alone conference. So I really wanted to-- I had confidence that it would be a successful event. But really, seeing how focusing on something a bit narrower than the amazing breadth of topics that we covered at KubeCon, how if we go to a more focused set of topics, and the security is pretty big anyway.
Would we get back to this feel of a bit more of an intimate conference, a bit more human connections, a bit more serendipitous, bumping into the right person at the right time who happened to be talking about the right thing? And I think we did. I think it's been really successful from just hitting that sweet spot of enough people but not too many to have some really great conversations.
KASLIN FIELDS: I've definitely heard actually a few people say that specifically when I've talked to them about the conference.
LIZ RICE: Wonderful.
MITCH CONNORS: I'm really interested in hearing how everyone is solving for VPC and layer 3 networking problems within cloud native. Istio and other tools have very traditionally focused on L4 through L7. And it seems to me that there's some space to grow our cloud native footprint at the L3 layer. So I've been asking people how they're solving that.
NICK YOUNG: Look, I think, to be honest, because I live in Australia and I haven't got to travel much recently, a large part of it was getting to see people that I work with a lot in person. That's my biggest reason for traveling is to actually get to see people not just faces on Zoom screens. Yeah, and aside from the fact that most of the people who work in this area are pretty awesome people, I was just been really looking forward to catching up with a lot of people and meeting people that I knew of but hadn't met before.
TAYLOR DOLEZAL: So really, I've just been having a great time getting to connect with people. I think it's always great to see folks be able to come together and have that space. I feel like we're past Zooms and everything else and all these virtual calls anyway. So just really great to connect with folks and then see these impassioned presentations. It's been great.
KASLIN FIELDS: So what big trends are you seeing?
DAVID WOLF: Well, from our security research, what it is that we see is the increasing prevalence of cloud, that cloud detections and cloud controls in the SOC are increasingly important, increasingly vital. I'm at the point that 1 in 4 SOCs have a majority of cloud detections in their Sim detection stack. And we're seeing a steady growth in importance of defending cloud infrastructure and workspaces, and that multiple clouds are in scope for many enterprises.
ERIC KNAUER: Well, a lot of it is focused on Kubernetes. So that was good. They're definitely seeing different attack surfaces for containers and then VMs or other on-prem equipment. I was just interested in seeing a lot of like why big organizations still keep getting hacked. It seems like we should have solved this by now, and it still seems every other week somebody large is suffering from a vulnerability or a hack.
JOSH KNARR: Supply chain security, everybody's supply chain security. I'm also happy to see that the goose still lives. There's still plenty of goose jokes, right?
KASLIN FIELDS: Absolutely.
JOSH KNARR: And it's good stuff. The other nice thing that we're seeing is, hey, let's actually write code. I want to go to an event coming up that we're going to write a new mission controller, stuff like that. The hands-on trend is amazing.
KASLIN FIELDS: Cool.
LIZ RICE: So I think Chris Anyszczyk wrote a blog post that really nailed it, that interesting things are-- obviously, supply chain security and SBOMs is-- it's almost a joke how big of a topic that is. And eBPF, I'm really focused on eBPF, so I'm bound to be excited about it.
But I think it is genuinely enabling this whole new generation of tools, Cilium and Cilium's Tetragon security-oriented project, Falco, Pixi. There are a whole range of different eBPF-based projects in the CNCF, and I think they're really revolutionizing the way we're instrumenting applications.
MITCH CONNORS: Well, the hallway track trend, it's not exactly a technical trend. It may not be a direct answer to the question, but all of the vendor booths have stayed full no matter what's happening. There's always a big crowd going on in there. There's always somebody to talk to.
And for me, the thing that I love is that, even though I'm not at the same company that I was at a year ago, even though many of my peers in the hallway track are not at the same company they were at a year ago, we're all still part of the same community. So there's these relationships that form over years that span more than just a single career at a single company. And I love the community that that creates.
NICK YOUNG: I think that you really can't go past how much supply chain security, SBOMs are a thing. But I thought that it's really interesting to see more discussion in the supply chain thing about the importance of things like the attestation. And I've been working a lot with SPIFFE Inspire lately.
But it's good to see the discussion about how that part, how the identity of the things that are building your stuff is important as well as all the dependencies and stuff like that. You can't finish that supply chain without having that stuff sorted. I was a little surprised at how much bigger that was than I thought it would be.
TAYLOR DOLEZAL: Biggest trends I'm seeing right now that are really surprising me are the different ways in which people are exploiting different systems. Oh, my goodness. I didn't know you could do that. That's been the most fun for me. More generally, I think, SBOMs, supply chain security, those have been the biggest topics that I've seen. But yeah, just thinking outside of the box, I think that's the most fascinating to me personally.
KASLIN FIELDS: And what's the most interesting thing that you've learned at the conference so far?
DAVID WOLF: So far, for us, running Kubernetes is a core part of our infrastructure, of our development and deployment lifecycles. And I've learned about controlling Kubernetes, and I'm absolutely fascinated by the opportunity of eBPF and getting closer to application, cloud runtime defense. And coming from our Sim perspective, how can we unlock all the runtimes. There's infinite data, infinite logs coming at that level.
ERIC KNAUER: It was actually from a talk yesterday that Northwestern I think was the name of the company. They talked about standardization is not your enemy and actually makes things a lot better. And they had a nice diagram of how your pipeline has so many choices. But if you narrow it down to just a few things, you reduce complexity. Your developers and teams have less to choose from, which is actually better for them in a lot of cases.
And they mentioned they can always argue for something new getting included. It's not rigid, but by setting some standards, you avoid teams running off and doing their own thing. But they also highlighted you really have to be sure to reduce friction because that's what pushes people into doing their own solutions outside of your golden pipeline to rule them all, I think they called it. So that was interesting.
JOSH KNARR: SPIFFE Inspire, for sure. I think that that's a place where we haven't solved it yet. I know we're supposed to be like, hey, Google, Anthos is awesome. But I feel like that notion of portable, extensible hybrid in multicloud identity is a very important component that's just about ready to be ready for prime time.
LIZ RICE: So actually, it's a bit of a non-technical thing. I had a really great discussion. It was at the Empower Us lunch. And we were talking about inclusivity in discussions. And Emily Fox, who has the most incredible clarity of thought, and she really nails things really precisely.
And she was talking about just if you want to pull somebody into a conversation, pointing at them and asking them directly a question to bring them in and physically pointing at them to ensure that people are focusing on that person. That's just a really good tip.
MITCH CONNORS: I was able to listen to Matt Klein and Kelsey Hightower talk last night.
KASLIN FIELDS: Always amazing.
MITCH CONNORS: Yep, and they were talking about a lot of topics but particularly about zero trust. And it was helpful to hear each of them say that there's not actually any such thing. We've had so many arguments over the years between vendors about is this really zero trust, or is this true zero trust? Or are we just calling it zero trust?
And they pointed out that really what you need to look at is what is the next security step for your customer? If the next most important thing is identity-based networking, then what we call zero trust solutions-- we still have some trust involved in them-- are a great step. But if you're a customer who's struggling to keep your credentials from being posted to GitHub, zero trust isn't really going to help with that problem.
You could zero trust all the things and still have a huge vulnerability in your software. So they really brought it back to the user and to the customer and what their specific needs are rather than having a one-size solution for everyone. I thought that was great.
NICK YOUNG: I have been working a lot with Kubernetes networking for quite a long time, especially ingress. And so I know a lot about that. But it's been really nice to see a whole bunch of the new things that people are doing around networking, not only the stuff that I'm working closely with in Cilium, but a lot of the other stuff that other people are doing around new policy stuff and a bunch of other really cool stuff there was really neat, yeah.
TAYLOR DOLEZAL: I think favorite thing that I've learned was really just during the keynotes getting to see all of this data about who is secured, who is not, and what the overall focus is of organizations is on. We all agree that we have to work on security, but where to start or where to look to find the thing is, I think, what's been really helpful on that front.
KASLIN FIELDS: Nice, so have you learned anything so far at the conference that you're hoping to implement later?
DAVID WOLF: The answer is yes. For our product innovation strategy and detections engineering, I see new opportunities for cloud-specific applying the seven-layer model and providing a different view, bilayer specifically, in terms of implementing enterprise strategies for controls, so new control strategies that I want to map our detections too.
KASLIN FIELDS: Nice.
ERIC KNAUER: Yeah, definitely. Tiffany gave a good talk on RBAC yesterday that I would like to look into more, just get more familiar with it. There was also a talk today about digital forensics and incident response that I wanted to look into some more, just the ways that you can be prepared. And then when something does happen, you can actually get some useful information about it instead of just trying to shut everything down.
JOSH KNARR: SPIFFE Inspired.
KASLIN FIELDS: SPIFFE Inspired.
JOSH KNARR: I'm really a fanboy of SPIFFE Inspire, yeah.
KASLIN FIELDS: Have you been using it already? Or are you just going to start trying it out after this?
JOSH KNARR: No, I bumped into it talking to Brandon Mitchell with BoxBoat, and he's a cool dude. I talk to him a lot. And he introduced me to it, and then it was like, OK, this going to be a cool thing. You should go study the cool thing. And I never got my brain around it. I tried to do a reference implementation. I was like, I don't know what to do with this. So now that I have those practical examples, that's what I'm after.
LIZ RICE: Right now, the thing I'm most excited to explore would be some more sleep.
KASLIN FIELDS: I feel that.
MITCH CONNORS: Yeah, so Aviatrix works at layer 3 Networking, and I've had a lot of people asking me, you work at Aviatrix but you work on Istio. How do I use those together? And they do work together, but we haven't talked a lot about that in the past. So I'm looking at firing off some blog posts, putting out some reference architectures for how you can use these two technologies together.
Also, looking at maybe some of the rough spots. One of the big selling points of Aviatrix is network address translation. And that does not work at all with Istio today. So looking at how we might be able to bring those features together so that Istio users can take advantage of-- not just from Aviatrix but from other gateway providers as well.
NICK YOUNG: Yeah, actually, I hadn't heard of Keylime before. And the idea of doing attestation that's backed up by an ultimate trust route in a TPM or something like that is really neat. I really want to go and have a play with that. It sounds cool.
TAYLOR DOLEZAL: I think too much--
--if I'm being honest on that front. But yeah, it really just things-- thinking how to lock things down and really, with security, I see that being really similar to a lot of the good GitOps principles and practices, is just lock your things down. Have it be infrastructure-- or configuration as code. That's a great way to bootstrap yourself and keep things up to date so that you don't have a firewall rule that you shouldn't have in there or a person on that shouldn't be there, et cetera, et cetera. So really, really fascinated about that too.
KASLIN FIELDS: What would you like to see at the next Cloud Native Security Con?
DAVID WOLF: I'd like to see breakouts by infrastructure provider that provide more granular cohesiveness for AWS as compared to Azure as compared to GCP, if there were a way to sharpen skills with a given provider, and to have a sense of, for example, vendors and exhibitors and offerings that span across cloud and with the differentiation between cloud Infrastructure and workspaces.
ERIC KNAUER: Well, I was excited to see some hands on tutorials actually on the program. I didn't get to attend either of the two that I saw this year. But I'd like to see more of those and then participate in them.
JOSH KNARR: More labs, certainly. The YouTubes and the Stack exchanges and all the rest of it are fine. But somebody who's got a Git repo where I can pull it, I can clone it, fork it in my own thing and actually bang on it, I'm like, oh, that's cool. Sit down with those guys, get advice from the experts, those kind of things. That's super valuable to me.
LIZ RICE: Yeah, I think this has been fantastic. I want to see more. I want to hear about the CTF and how that's gone because I know a lot of people were really excited about it. I think having these interactive elements to a show can be really, really great. I hope we will see the same atmosphere that this event will-- I'm sure it will.
I don't know for sure. I don't think an official decision has been taken. But I'm sure we'll see more events like this. And also, whether or not there are some other elements of KubeCon that could be spun off into standalone events like this. Security is a very broad topic, and the security tag folks have done such a great job of building a community around the work that they do.
So I think it was a natural choice for the first one of these. But maybe there are other areas of discussion that could also stand alone. Be interesting to think about.
MITCH CONNORS: I love that this one is in Seattle. I imagine that future ones probably won't be, which will be sad. I'm a local to Seattle, so it's them great to have the conference here. In the future, I would love to see a little bit more maturity out of the supply chain side of things. It's very hot space right now. There's awesome work being done.
It's still not clear to me as a developer on the Istio project, what can I do for supply chain security? And what should I be telling my customers to do to validate my work on supply chain security because we're at completely different organizations. I can't tell them what to do. They can't tell me what to do. I think it's a little bit less clear for us how to implement software supply chain security.
And yet, as a security product, if anything needs supply chain security, Istio should be near the top of the list there. So seeing a little bit more of a model of what to do with SBOMs once they're created, how to build those best practices out and encourage your customers to adopt them so that we're not just writing attestations for no one to read.
NICK YOUNG: More of this sort of thing. I think this event feels a lot to me, what for me as a Kubernetes contributor is the best part of KubeCon, which is the contributor summit. And these smaller events where you get to hang out with people more directly and there's more serendipity really make a big difference. I think KubeCon absolutely is really important in that it gets everyone in the one place. But having smaller events like this where you get people-- you really get a chance to have more in-depth discussions and know that the people are interested in the same thing as you are because you're here for one thing is really, really useful.
TAYLOR DOLEZAL: In the future, I want to see more ways to break things, 100%.
KASLIN FIELDS: I'd like to see that.
TAYLOR DOLEZAL: Yeah, and just to keep being shocked, awed, and surprised.
KASLIN FIELDS: Awesome. Thank you.
TAYLOR DOLEZAL: Thank you.
ABDEL SGHIOUAR: Well, thank you, Kaslin, for all these interviews. That was a lot of interesting viewpoints, I guess, about the conference, especially it's the first edition.
KASLIN FIELDS: Yeah, it's always great to hear what other folks think. Having a collection of perspectives is, I think, much more useful.
ABDEL SGHIOUAR: Yeah, it actually resonates with me because one of the things that me and Emily discussed during the interview was how the Cloud Data Security Con was like a space for a community of security professionals. So it's, of course, her baby project, but it's like-minded people all together in the same room for a few days, right?
KASLIN FIELDS: Yeah, and you also mentioned that it is this new spin-off of the event that used to be part of KubeCon. And I will mention that a lot of the attendees were very confused by that.
A lot of folks were like, this is the first one, right? But they said in the keynote that they've done this a bunch of times before. So a lot of the folks who actually attended this one I ended up having conversations with them about that.
ABDEL SGHIOUAR: Yeah, it used to be a co-located event, as we discussed with Emily. But this is not going to be the last one because there is another version coming in the EU, in Valencia actually where we had KubeCon last year.
KASLIN FIELDS: And I expect it'll just grow from there. It was such a wonderful event.
ABDEL SGHIOUAR: Yeah.
KASLIN FIELDS: I heard a lot of really positive feedback.
ABDEL SGHIOUAR: Exactly, so we are going to put the website in the show notes. It's the 16th and 17th of May in Valencia. I hope it's not going to be in the same venue because the venue of KubeCon last year was interesting.
KASLIN FIELDS: It depends on the size of the event, how you use the space.
ABDEL SGHIOUAR: Yeah, it was far away from everything, to say just a little bit about--
KASLIN FIELDS: Yes, it was kind of far away from most of things in Valencia.
ABDEL SGHIOUAR: Exactly.
KASLIN FIELDS: Yeah, I'm looking forward to more of those events though. It was really, really good.
ABDEL SGHIOUAR: Well, I'll see you in KubeCon EMEA in Amsterdam.
KASLIN FIELDS: Yes, and I was really excited to hear from Emily about-- you all talked about so many wonderful topics. One thing that I was really excited about in there is hearing more about the Technical Oversight Committee. The Technical Oversight Committee, if you're involved in CNCF activities, is this mysterious body that decides if projects will become part of the CNCF and if they reach different statuses between incubating and graduated from Sandbox.
So they're this very important group that makes a lot of really important decisions. But I, at least personally, I think they have some public meetings, but I've never attended them. So it was really interesting to me to hear from a member of the Technical Oversight Committee a little bit about what they do. So I found that really interesting during the interview.
ABDEL SGHIOUAR: Yeah, and also, I think one other interesting thing from the interview for me was, as we have mentioned this many times in many episodes before, is a lot of people when they think about the CNCF and open-source, they think that only developers have to be or can be involved in open-source projects. And Emily makes it super clear on her LinkedIn that she's not a developer. It's actually one of the first things we discussed.
KASLIN FIELDS: I love that. I also have this conversation with people a lot. Like you mentioned, we're more in the infrastructure space. And I have never been an application developer. I've always been in the infrastructure space. So I appreciate that distinction.
ABDEL SGHIOUAR: Yeah, so it goes to show that the CNCF or all the open-source projects that CNCF is governing, requires more than just people who know how to write code because security is not everybody's specialty. I'm not really good with security myself. So I appreciate also that there are people who specialize on that and they can just let them do the stuff they're good at.
KASLIN FIELDS: I always feel really intimidated by security-focused events and activities and things like that. But especially attending Cloud Native Security Con made me feel like I can actually understand a surprising amount of these topics though because the core concepts of security are understandable for anyone. You want to keep your system secure.
So hearing people talk about how they achieve that, you can actually find ways to understand it even if you're not super familiar with security. So a lot of folks find it a very intimidating area, but I think it's actually a place where people should learn more. And it's a great place to learn and grow.
ABDEL SGHIOUAR: Yeah, and during the interview, we discussed with Emily about what makes cloud native security different than regular security. And basically, the overarching theme was it's based on the same concepts. It's the CIA triad but just applied in a different environment using different tools. The core concepts are the same.
KASLIN FIELDS: So thank you so much, Abdel, for doing that wonderful interview, and I hope folks enjoy this episode.
ABDEL SGHIOUAR: Thank you for listening to us.
KASLIN FIELDS: That brings us to the end of another episode. If you enjoyed this show, please, help us spread the word and tell a friend. If you have any feedback for us, you can find us on Twitter @KubernetesPod, or reach out to us by email at email@example.com.
You can also check out the website at Kubernetespodcast.com where you'll find transcripts and show notes and links to subscribe. Please, consider rating us in your podcast player so we can help more people find and enjoy the show. Thanks for listening, and we'll see you next time.