Yesterday we wrapped up our inaugural Code to Cloud Summit featuring 25+ speakers, 15+ sessions, and 3 regional event blocks. Code to Cloud was our first major DevSecOps event, designed specifically for practitioners working at the intersection of cloud, DevOps, and security. We truly couldn't be happier with the attendee turnout and speaker sessions.
Over the course of 24 hours, hundreds of security architects, DevOps engineers, infrastructure developers, and everyone in between tuned in for panels, keynotes, breakout sessions, lightning talks, and hands-on workshops across the globe.
To reflect on the summit, we took a moment to recap the sessions and some of the themes that emerged throughout the event:
- Bridging the gap between dev, sec, and ops
- Shifting security left in practice
- Keeping up with cloud-native tech stacks
- Managing secrets and access in distributed systems
Catch 24 hours of Code to Cloud in 24 minutes, or keep reading for a play-by-play of the sessions by theme:
Shifting Security Left in Practice
"Shift-left" security and DevSecOps have been on the tips of everyone's tongues the past few years, and for good reason. With the rise of new cloud native technologies, developers have started to play a more significant part in security. DevSecOps ventures to embed security in developer workflows and empower developers to take more security ownership of the software they build. But as we know, that's easier said than done, which is why almost all the sessions at Code to Cloud touched on it in one way or another. A few sessions in particular, however, gave specific, practical, tactical advice on how to actually achieve shift-left security.
Who else better to talk about embedding security in developer workflows and bringing developers into the security fold than Nancy Gariché, Senior GitHub Security Lab, Developer Advocate, GitHub? In her breakout session, Security as Code: A DevSecOps Approach, Nancy gave us a primer on security-as-code and an awesome OSS code framework, CodeQL, and showed us how they can be used to implement a successful DevSecOps culture.
In her closing keynote, The Psychology of InfoSec Teams, Emily Freeman, Author, DevOps for Dummies, joined us to dive deep into in-groups and out-groups and how they relate to InfoSec. Don't let the title intimidate you because this talk is all about how to make security more inclusive without compromising standards.
Grounding us in the quantitative, Stefania Chaplin, Solutions Architect, GitLab, gave us a framework for Securing DevOps: Where to Start and What to Measure. Her breakout session explored the processes and metrics to break down preexisting development silos and empower developers to care about security with a common language.
To put that theory into practice, we also held a live workshop with our friends at HashiCorp and AWS in each region, which is now available to watch on demand. Since these are all about getting hands-on experience and guidance, I recommend registering for one of our upcoming DevSecOps Bootcamps to get hands-on experience automating and streamlining cloud security throughout existing developer tools and processes.
Bridging the Gap Between Dev and Sec
Shifting security left requires collaboration between all stakeholders across the development lifecycle and IT organization. Without that collaboration, DevSecOps can actually end up creating friction rather than alleviating it.
That is the very challenge we at Prisma Cloud and Bridgecrew aim to solve every day and a significant motivating factor for putting this summit together. We wanted to get different perspectives in one (virtual) room to share their opinions and ideas on making this transition mutually beneficial — or at least as painless as possible.
Kicking us off in this endeavor was Dr. Nicole Forsgren, Author of Accelerate: The Science of Lean Software and DevOps. In her opening keynote, Keynote: Security + DevOps = BFF4L, Nicole used a mix of data and years of experience to correlate strong security and reliability with good DevOps practices.
The discussion heated up for our opening panel, Working Together for Shift-Left Security Nirvana, featuring different perspectives across security and engineering: Bryan Ross, Head of Technology Products, Sky; Leif Dreizler, Engineering Manager, Security Features, Segment; and Shannon Lietz, VP, Security, Adobe. This panel ventured to answer the question "What does shift-left security look like (in theory and in reality)?" Moderated by John Furrier of siliconANGLE, our panelists shared their experiences managing expectations, balancing priorities, and aligning on shared goals on the way to DevSecOps nirvana.
Understanding where we are in the shift-left security journey requires looking back on how we got here. That's precisely what Edwin Kwan, Head of Application Security and Advisory, Tyro Payments walked through during his breakout session It's Not Your Developers' Fault.
From the front lines of security at a financial services company, Edwin showed us how software development has evolved and sped up over the past decades, while the number of security incidents and data breaches keeps increasing. Causation or correlation?
Balancing Performance and Security
A key component of our approach to DevSecOps is maintaining productivity. Of course, as one of the leading cybersecurity companies, our top priority is helping our customers secure their assets, but we know that comes at a price. Our speakers know that first-hand, and a few gave us tips for balancing security and efficiency.
In his breakout session, Container Scanning: Run Fast and Stay Safe, Rob Richardson, Developer Advocate, Cyral, argued that speed doesn't need to come at the expense of security. In his deep dive into container scanning, Rob demoed his approach to automating security within your development workflow, build pipeline, and production monitoring setup.
Rosemary Wang, Developer Advocate, HashiCorp followed that up by sharing through experience how to evolve systems while minimizing the erosion of security practices in her breakout session, Security vs. Delivery: Win with Dependency Inversion. Coming from the ops angle, Julie Gunderson, Sr. Reliability Advocate, Gremlin showed how resilience and reliability are correlated with security in her breakout session The Road to Reliability.
Managing Secrets and Access in Distributed Systems
In some ways, the balance between maintaining security best practices without hurting productivity is exemplified in the never-ending challenge of identity and access management and secrets management. Getting these topics right is key to keeping systems secure. But too stringent controls can lead to the friction and reduced efficiency we're trying to avoid with DevSecOps.
Or Weis, Co-Founder at Permit.io, walked us through one solution to this challenge — managing access control through authorization as code. His breakout session, Authorization as Code as a Business Enabler: OPA, OPAL, Zanzibar, covered the problem space, best practices, and the open-source tools you can use to bake in permissions and access control.
Along similar lines, Jeroen Willemsen, Principal Security Architect, Xebia, helped us Learn How to (Not) Use Secrets with OWASP WrongSecrets! And Cagri Cetin, Tech Lead - Identity and Access Management, Yelp, shared his experience Ensuring Continuous Least Privilege Across Different Systems.
Keeping up With Cloud Native Tech Stacks
This is the core theme of Code to Cloud Summit and what we really wanted to explore by getting speakers with different backgrounds and roles together. With the rise of new cloud native technologies, the way we build in the cloud has evolved and we know how easy it is for security to get left behind.
Infrastructure as Code (IaC) and Kubernetes are two such technologies that present both opportunities and challenges when it comes to security. First, Tim Davis, DevOps Advocate, env0, shared some of those in his lightning talk, Pitfalls of Infrastructure as Code (And How to Avoid Them!). Then, Madhu Akula, Product Security, Miro, showed off his "vulnerable-by-design" open source project, Kubernetes Goat: Interactive Kubernetes Security Playground, designed to help people learn how to spot and prevent Kubernetes security risks.
Alex Williams of The New Stack moderated an incredible global panel, Where Does AppSec End and CloudSec Begin? that dove into the clashing of age-old security norms and new ideals. Panelists included Ashish Rajan, Head of Security & Compliance, PageUP / Host, Cloud Security Podcast, Joylynn Kirui, Senior Cloud Security Advocate, Microsoft and Srinath Kuruvadi, Head of Cloud Infrastructure Security, Netflix. If you have any doubts about your current security tooling and want a peek into the future of cloud native security, this panel is a must-watch.
Last but not least, we were lucky to be joined by our very own Guy Eisenkot, Sr. Director Product, Palo Alto Networks, for his breakout session You Can't Secure What You Can't See: The Complexities of Supply Chain Security. On the heels of our recent Supply Chain Security launch, this dove into the weaknesses that cloud native applications face across components and delivery pipelines supported by research data.
If you want to watch any of these sessions, you can register for the on-demand Code to Cloud Summit here and watch them until Sunday, April 23.
We hope that by bringing together different perspectives to share information, we can work together to move the cloud native security space forward to make software more secure without sacrificing innovation.