Austin is home to a lot of natural beauty and some pretty welcoming weather in February. You might know this city for its bats and maybe for being the "Live Music Capital of the World." Or perhaps you might know it because it is one of North America's fastest-growing tech hubs. There is a real sense of community in Austin, evidenced by the vast number of active Meetup groups focused on technology. This spirit of community was felt by all the attendees who gathered for Civo Navigate North America 2024.
Hundreds of attendees came to see the many talks and attend workshops focused on Kubernetes and scaling applications at The University of Texas at Austin's picturesque campus. Sessions covered a wide range of topics, including cloud native technology, AI and machine learning, and emerging technologies. There was also a thought leadership track that featured Solomon Hykes, founder of Docker, as the keynote speaker for day one. He shared the advice to "stick to something long enough to see the results" and the truth that "it can take time to find your path."
Here are just a few of the many other highlights from Civo Navigate North America 2024.
The challenges of securing cloud native environments
The workshop from the co-founders of Initializ.ai, MK and Paras Arora, "Enhancing Security and Delivery in Cloud Native Environments," covered the fundamentals of securely building & packaging applications. Along the way, they also uncovered where the folks in the room, and likely most of the industry, are struggling with security. When polled about "What roadblocks are slowing you down?" the anonymous reactions in the room identified Complexity as the number one issue. The other most popular answers included:
- Security.
- Testing.
- Infrastructure challenges.
- Code Merge Issues.
- Too many alerts.
- Too many tools.
- Communication issues.
The next survey was very revealing as well. They asked the room: "What does Shift Left mean for you?" Here are the most popular answers in descending order:
- Secure code practices.
- Secure images/dependencies.
- CVE scanning during development.
- Early DAST.
- Validating supply chain provenance.
- Something else.
If you have been feeling a bit overwhelmed by the complexity of modern development and security, it turns out you are not alone. The biggest takeaway from the session, I think, was the fact we are all struggling with this together, all while building some really interesting projects and learning from each other.
Embracing dashboard security
One of the first things Marc Boorshtein, CTO at Tremolo Security, wanted us to know in his session "Securing Dashboards in a Command Line World" was that "Dashboards are good." While development seems to focus more on the CLI and API for an app, dashboards can help you visualize data in ways CLIs don't.
Historically, dashboards were installed within a closed ecosystem or secured perimeter, but this is no longer the case, and unfortunately, this means many dashboards are not adequately secured. Marc shared some of the major security missteps in securing dashboards, including:
- Using alternate ports, which you hope people don't discover, practicing 'security through obscurity.'
- Running with private Service Accounts.
- Allowing Unauthenticated ingress.
- Using long lived tokens for login.
- Lack of logout policy.
- No multifactor authentication.
Marc thinks we can "do it right" by addressing the basics, such as using MFA whenever possible. He also strongly encouraged leveraging reverse proxy servers to handle incoming traffic. At the very least, you should be embracing OIDC wherever possible and eliminating long-lived credentials.
What show biz can teach us about application availability
Not all the sessions at Civo Navigate were technical in nature, but all shared ways to better manage our deployments. Such as the case with "The Show Must Go On: High Availability & Zero Downtime in Kubernetes" from Joshua Cassin, Product Management Lead at Portainer.io.
Before he joined the tech world, Joshua worked behind the scenes in showbiz. He described it as spending two decades plugging in chords, but it taught him much about uptime and resiliency. He laid out multiple lessons he learned while running sound equipment at large entertainment venues but found they could also be applied directly to managing Kubernetes at scale.
Just like with live music, our applications need to work when people expect the show to go on; that is when they try to use the app. He said he learned that redundancy is key to ensuring your app is available. We must also practice for when things go wrong, so when we do need to troubleshoot in real-time, we can do so with less stress and better results. He also said we need to embrace mentorship and better training, as sharing our stories of going through issues can help us all prepare for the unexpected.
Better understanding SBOMs and PURLs
In his talk "The Problems with SBOMs — And How to Fix Them, "Cortez Frazier Jr., Sr. Product Manager at FOSSA, laid out the most important elements that comprise a Software Bill Of Materials and what most commonly goes wrong. He pointed to Log4J as a major motivator for the rapid evolution and adoption of this standard way to report on what your software contains. During that security incident, he painfully ran regex against hundreds of repos, trying to determine what needed to be patched. He said a properly maintained SBOM would have made his life a lot easier.
After walking us through the history of SBOMs and their importance from a software consumer and buyer perspective, he pointed out the most common issue he sees as he helps organizations adopt them. First among these issues was data normalization, as all the standards are for the report format, not the data fields within. For example, the Author and Supplier fields are ultimately defined by each organization and can mean different things between reports.
Cortez said one of the most important elements in any SBOM is the Package URL, commonly shortened to PURL. This needs to lead to a working repository or package at all times and employ a proper namespace. This is the only way an element can be independently verified, which is critical for SBOMs to be useful. He concluded by urging us all to think about how we share and store our SBOMs, as they should be secured, just like our code and other private information.
A wider community of communities
One of the best aspects of Civo Navigate is that it brought together a number of communities in the Austin area. On one slide from day two, opening remarks, they showed 8 different community logos represented as part of the event, including DevOpsDays Austin and Austin Women in Technology. I was able to speak about OWASP, giving an updated version of my introduction to the community and the many projects they offer.
Community is vital for us to improve our practices and security. It definitely can help us feel less isolated, sharing our experiences and voicing our frustrations together. No matter what community you belong to or where you are on your security journey, GitGuardian wants to work with you to help make 'shifting left' easier when it comes to secrets security. In the ever more complex world of evolving threats, we would love to help you get some peace of mind for your repos.
If you see anyone from GitGuardian at an event near you, stop by and say hello; we would love to hear from you. Maybe we will even see you at an upcoming Civo Navigate.