
Details

Hi Everyone!

We have a joint meeting with the Cloud Security Alliance! This month's meeting will focus on container security and microservices strategy. We will have speakers and discussions around how we secure this rapidly adopted paradigm and how it differs from traditional monolithic applications. Security needs to move to a DevSecOps model, incorporating the agile methods that microservices allow for. Join us this July with top security thought leaders from Motorola, Relativity, and Twistlock.

OWASP is always looking for great speakers. If you're interested in presenting at an upcoming event please submit your talk using the following link: https://docs.google.com/forms/d/e/1FAIpQLSc-9HFUENuZfDg1mC-xCRJf7JrmTRd24aqauSDHiCjeYf4xIw/viewform?usp=sf_link

Thanks!
Mike and Adam

Agenda:

Talk #1:

Title:
Docker Image Provenance with Notary

Abstract:
Docker registries represent the source of truth for Docker images, and an attractive target for attackers. An attacker who man-in-the-middles your registry, uploads their own images into your registry, or otherwise gains access to your registry essentially poisons the drinking water, enabling them to serve arbitrary code into your deployments at scale. You are owned.

Thankfully, work has been done within the community, with specifications such as The Update Framework (TUF), open source software like Notary, and container software like Kubernetes and Docker Content Trust (DCT) working together to mitigate such attacks.

This talk will provide an overview of TUF, Notary and DCT, including the relationships between them; discuss features of Notary including image signing, trust pinning and YubiKey support; show how it is possible to automate Docker image signing via integration with the CI/CD pipeline; and explore the challenges and pain points one can expect in deploying such solutions. Demo gods willing, a demo will be provided.

Bios:
Adam is the Chief Security Architect @ Motorola Solutions, which is currently innovating the future of public safety technology for first responders. He is an advocate of all things open standards and open source, and is a passionate supporter of the broader technology community, speaking at various conferences and local meetups (#chitown). He is co-leader of the OWASP Chicago Chapter, a BSides Chicago volunteer, and, importantly, is also a foodie, hopeless comic book geek, and obsessive about green tea & the outdoors. You can find him on Twitter @lewiada

Jerrin is an Application Security Engineer at Motorola Solutions. He is responsible for automating security tools into the DevOps pipeline and making sure developers have instant access to the tools required to develop secure software. He reviews source code for weaknesses and, besides his day job, also likes contributing to open source tools and watching anime (AoT and One Piece, anyone?). You can find him on Twitter @JerrinJacob26

Talk #2:

Title:
Adventures in New Technologies: The Kubernetes Story

Abstract:
In this talk, we discuss the trials and tribulations of the Relativity security department in dealing with containers in general, and Kubernetes in particular. Instead of focusing on the specific technology, we will focus on the process of kickstarting your security organization to become experts in a new area without becoming the roadblock in the release timeline, which sounds like high-quality fiction.

Speaker:
Jeffrey Stanford - Relativity

Talk #3:

Speaker:
James Jones - Principal Solutions Architect, Twistlock

A big thank you to Motorola for providing the meeting space and Twistlock for providing the food/drinks.
