Speaker

Abhimanyu Dhamija

Co-Founder, KoalaLab

Bengaluru, India


Founder & CEO, KoalaLab: software supply chain security and open-source security

Previously:
Head of Data Sciences @ Housing.com
Quant @ Citigroup


Area of Expertise

  • Information & Communications Technology

Topics

  • Containers
  • Cloud Containers and Infrastructure
  • cybersecurity
  • Kubernetes

Debian inspired container-first Linux distro

Kubernetes drove the transition from VMs to containers, but Linux distro tooling (package managers and package archives) remained focused on a full-blown OS. Distros did not adapt to serve the needs of a containerised SDLC.

Containers are meant to run a single process in isolation, but package management is built for VMs. The result is bloated containers that enlarge the attack surface of applications and add patching overhead for developers.

Minimal containers are becoming the standard for modern application development.

This talk explores an approach to creating a Debian-inspired distro with a container-first design.

Debian container bloat stems from:
1. Essential packages needed for VMs but not for containers, such as bash and libc6
2. The APT package manager's own footprint: it installs 59 packages
3. Maintainer script dependencies in Debian packages: the scripts can require runtimes such as perl or python

Proposing a new approach:
1. A portable APT replacement implemented in Go
2. Reimplementing maintainer scripts with minimal dependencies
3. Bootstrapping the distro so that only the required packages are installed, with no "essentials"
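The following Go program is an added illustration of point 3 of the proposal; it is not code from the talk or from KoalaLab. It parses a small, constructed Packages-index text (the stanzas are made up, only the package names are familiar) and computes the install set for an application twice: once with every `Essential: yes` package treated as an implicit root, as a VM-oriented bootstrap does, and once with only the application's own dependency closure. The difference is the bloat the talk describes: bash and its maintainer-script dependencies, and libc6 pulled in through them, appear only in the VM-style set.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed sample of a Debian-style Packages index (not copied from any archive).
const sampleIndex = `Package: bash
Essential: yes
Depends: base-files, debianutils (>= 2.15)

Package: base-files
Essential: yes

Package: debianutils
Essential: yes
Depends: libc6

Package: perl-base
Essential: yes
Depends: libc6 (>= 2.36)

Package: libc6
Depends: libgcc-s1

Package: libgcc-s1

Package: ca-certificates

Package: myapp
Depends: ca-certificates (>= 20230311) | ssl-cert
`

// Package holds the three fields of a stanza that a bootstrapper needs.
type Package struct {
	Name      string
	Essential bool
	Depends   []string
}

// parsePackages splits the index into stanzas and reads "Field: value" lines.
func parsePackages(index string) map[string]Package {
	pkgs := map[string]Package{}
	for _, stanza := range strings.Split(strings.TrimSpace(index), "\n\n") {
		var p Package
		for _, line := range strings.Split(stanza, "\n") {
			field, value, ok := strings.Cut(line, ":")
			if !ok {
				continue
			}
			value = strings.TrimSpace(value)
			switch field {
			case "Package":
				p.Name = value
			case "Essential":
				p.Essential = value == "yes"
			case "Depends":
				for _, dep := range strings.Split(value, ",") {
					// Keep the first alternative of "a | b" and drop "(>= x)" constraints.
					dep = strings.TrimSpace(dep)
					if first, _, hasAlt := strings.Cut(dep, "|"); hasAlt {
						dep = strings.TrimSpace(first)
					}
					if name, _, hasVer := strings.Cut(dep, " "); hasVer {
						dep = name
					}
					if dep != "" {
						p.Depends = append(p.Depends, dep)
					}
				}
			}
		}
		if p.Name != "" {
			pkgs[p.Name] = p
		}
	}
	return pkgs
}

// installSet returns the sorted transitive dependency closure of roots.
// withEssentials=true adds every Essential: yes package as an implicit root
// (VM-style bootstrap); false installs only what the roots actually need.
func installSet(pkgs map[string]Package, roots []string, withEssentials bool) []string {
	seen := map[string]bool{}
	var visit func(name string)
	visit = func(name string) {
		if seen[name] {
			return
		}
		seen[name] = true
		for _, dep := range pkgs[name].Depends {
			visit(dep)
		}
	}
	for _, r := range roots {
		visit(r)
	}
	if withEssentials {
		for name, p := range pkgs {
			if p.Essential {
				visit(name)
			}
		}
	}
	out := make([]string, 0, len(seen))
	for name := range seen {
		out = append(out, name)
	}
	sort.Strings(out)
	return out
}

func main() {
	pkgs := parsePackages(sampleIndex)
	fmt.Println("VM-style bootstrap:       ", installSet(pkgs, []string{"myapp"}, true))
	fmt.Println("container-first bootstrap:", installSet(pkgs, []string{"myapp"}, false))
}
```

With this sample the container-first set is just `ca-certificates` and `myapp`, while the VM-style set is eight packages. A real index also carries `Pre-Depends` and the maintainer scripts themselves, which is where points 2 and 3 of the proposal come in; the parser here deliberately stops at `Depends`.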

Securing CI/CD: Complexity & Inspiration from runtime security

The growth of software supply chain attacks has prompted a deeper look at the security of CI/CD. Build environments are prone to exfiltration of secrets and other sensitive data.

Covering here the learnings from building BOLT (https://github.com/koalalab-inc/bolt), an open-source tool that secures the CI runtime (for GitHub Actions).

Taking inspiration from runtime security, enabling a firewall on the build-time/CI runtime (an egress filter, since CI is a source of outbound traffic) should be a good start.

Complexity 1: IP-based rules won't work. A lot of internet traffic sits behind CDNs/WAFs, so the egress filter needs domain-name-based filtering.

Complexity 2: The CI runtime has outbound traffic to multi-tenant systems such as GitHub, Docker Hub, JFrog, etc. Distinguishing tenants demands deep SSL-based inspection capabilities in the egress control.

Solution: TLS interception + eBPF
The Linux kernel supports eBPF, which provides a way to tap into SSL traffic without having to decrypt it on the wire (the probes observe the plaintext at the SSL library boundary). Such a solution adds no overhead for developers and is efficient.

Covering the implementation complexity of eBPF probing for the various kinds of SSL libraries, so that the solution is comprehensive for all kinds of CI pipelines.
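The Go program below is an added example of the policy side of what this abstract describes; it is not BOLT's code and makes no claim about BOLT's internals. It assumes the eBPF layer emits one event per outbound connection carrying the destination IP, the TLS SNI (visible in the ClientHello without decryption), and, where a uprobe on the TLS library's write function fired, the plaintext HTTP request line. Over a handful of constructed events it shows both complexities: a domain rule separates two hostnames that share one CDN edge IP (where an IP rule cannot), and a path-prefix rule confines traffic to a multi-tenant host to one tenant's URL space, which only works when the plaintext request was captured. The IPs are from the documentation range 203.0.113.0/24 and the non-GitHub hostnames are made up.

```go
package main

import (
	"fmt"
	"strings"
)

// EgressEvent is one outbound connection as the egress filter sees it.
// Request is the HTTP request line captured from the process's TLS write
// (plaintext handed to the SSL library); "" means nothing was captured.
type EgressEvent struct {
	DstIP   string
	SNI     string
	Request string
}

// Rule allows a domain ("host" or "*.suffix"). A non-empty PathPrefix limits a
// multi-tenant host to one tenant's URL space and requires plaintext to decide.
type Rule struct {
	Domain     string
	PathPrefix string
}

func matchDomain(pattern, host string) bool {
	if strings.HasPrefix(pattern, "*.") {
		return strings.HasSuffix(host, pattern[1:]) // "*.example" matches "a.example"
	}
	return pattern == host
}

func requestPath(requestLine string) string {
	fields := strings.Fields(requestLine)
	if len(fields) < 2 {
		return ""
	}
	return fields[1]
}

// evaluate returns "allow", "block", or "needs-inspection" (a path rule applies
// to the host but no plaintext request was captured, so SNI alone cannot decide).
func evaluate(rules []Rule, ev EgressEvent) string {
	for _, r := range rules {
		if !matchDomain(r.Domain, ev.SNI) {
			continue
		}
		if r.PathPrefix == "" {
			return "allow"
		}
		if ev.Request == "" {
			return "needs-inspection"
		}
		if strings.HasPrefix(requestPath(ev.Request), r.PathPrefix) {
			return "allow"
		}
	}
	return "block"
}

// ipRuleIsAmbiguous reports whether an allow-by-IP rule for ip would cover
// connections that the domain policy decides differently: the CDN case, where
// one edge IP fronts both an allowed and a disallowed hostname.
func ipRuleIsAmbiguous(rules []Rule, events []EgressEvent, ip string) bool {
	decisions := map[string]bool{}
	for _, ev := range events {
		if ev.DstIP == ip {
			decisions[evaluate(rules, ev)] = true
		}
	}
	return len(decisions) > 1
}

// Constructed policy: one multi-tenant host restricted by path, one package mirror.
var policy = []Rule{
	{Domain: "github.com", PathPrefix: "/my-org/"},
	{Domain: "*.pkgs.example", PathPrefix: ""},
}

// Constructed events (documentation-range IPs, made-up hostnames).
var sampleEvents = []EgressEvent{
	{"203.0.113.10", "deb.pkgs.example", "GET /pool/main/libz.deb HTTP/1.1"},
	{"203.0.113.10", "paste.example", "POST /upload HTTP/1.1"},
	{"203.0.113.20", "github.com", "GET /my-org/app/info/refs HTTP/1.1"},
	{"203.0.113.20", "github.com", "POST /other-org/drop/git-receive-pack HTTP/1.1"},
	{"203.0.113.20", "github.com", ""},
}

func main() {
	for _, ev := range sampleEvents {
		fmt.Printf("%-14s %-18s %-48q -> %s\n", ev.DstIP, ev.SNI, ev.Request, evaluate(policy, ev))
	}
	fmt.Println("IP-only rule for 203.0.113.10 ambiguous:",
		ipRuleIsAmbiguous(policy, sampleEvents, "203.0.113.10"))
}
```

The "needs-inspection" outcome is the practical reason the abstract's Complexity 2 matters: for a host like github.com the policy cannot be enforced from SNI or IP alone, so a connection without captured plaintext (for example a process using a TLS library the probes do not yet cover) has to be surfaced rather than silently allowed.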

OpenSSF Community Day India 2025 Sessionize Event

August 2025 Hyderābād, India

SOSS Community Day India 2024 Sessionize Event

December 2024 Delhi, India
