AppSec California 2020

Everybody is talking about Kubernetes these days. Whether you are in DevOps, Development Security, you’re thinking about containers, micro-services and orchestrators. Kubernetes has become the standard orchestrator to manage containerized applications. Kubernetes is accelerating the move from monolithic applications to distributed, containerized applications. This technology shift is also forcing companies and people to adapt to organizational changes, for example adopting DevOps and CI/CD workflows, and the ever increasing decentralization of IT and development teams.

Security has to evolve along with these technology and process changes. Security requirements for monolithic applications must be translated to distributed micro-applications, it has to “shift left” to the developer teams to allow for continuous deployments, and new threats models have to be created. Unfortunately, most companies transitioning to Kubernetes are rightly concerned that their Security Teams are not ready to help them maintain the same level of security they had before.

In the past year, I have been working directly with many developers, DevOps, and Security teams to understand their security concerns and the new security issues they have faced. This talk explains the state of Security in Kubernetes, how to secure the different layers of this new infrastructure, what are the common threats and how to respond. I will share real-world examples of security issues and best practices that companies are putting in place, how Security Teams are changing to adapt, and how the responsibility for security is being split between different teams in the organization.