Eddie Knight
CNCF TAG Security Co-Chair
Eddie Knight is a Software and Cloud Engineer with a background in banking technology. When he isn’t playing with his 2-year-old son, he combines his passion and job duties by working to improve the security of open source software.
Eddie helps lead CNCF's Security Technical Advisory Group, the FINOS Technical Oversight Committee, the OpenSSF Security Baseline, and the FINOS Common Cloud Controls project.
Improving security data with ORBIT
One of the big challenges in software security is identifying and communicating security-relevant information. Where is a project’s support lifecycle documented? Who are the security contacts? Does the development follow good security practices? OpenSSF’s new ORBIT Working Group provides a home for projects that develop and maintain interoperable resources for the identification and presentation of this type of security-relevant data.
ORBIT currently houses three projects: the Open Source Project Security Baseline, Security Insights, and Open Source Project Security Assessments. Together, this working group helps open source maintainers easily define security metadata and share it downstream in meaningful ways.
OSPS: All Your Base Are Belong to Us
Contributors and maintainers will benefit from increased visibility into changes across the ecosystem, especially as LFX Insights works to display Baseline results for all projects. The Baseline is already fully adopted as a project requirement by the OpenSSF TAC, and adoption is underway at the FINOS and CNCF technical oversight committees. Past or present chairs from each of the three bodies are leading contributors to the effort.
End-user members will benefit from a better understanding of the measures the Linux Foundation is taking to ensure that projects are held to robust security standards.
The Immediate and Lasting Benefits of TAG Security Assessments
The CNCF community has been doing security assessments through TAG security for years, and the value is clear.
Individual assessors are leveling up their skills, getting more connected with projects, and advancing their careers. Projects are reaching graduation faster, improving their development processes, and finding new ways to provide security features for end users.
This talk from a TAG leader and project maintainer will explore the inner workings of self- and joint-assessments, the value these bring to projects and assessors, as well as the difference between a security assessment and a threat model.
To the Left, to the Left: All your Security Shifted to the Left
Secure software development is one of the most in-demand skills in 2023: secure CI/CD pipelines, writing secure code, securing supply chains. In our “shift-left” world, it is more important than ever for developers to understand the myriad vulnerabilities that can live within a codebase. The OWASP Top 10 vulnerabilities haven’t changed in a long time, because none of us seem to get it right. In this workshop we will take a journey through the entire SDLC with a critical eye on security.
We’ll look at how to implement secure coding practices, and then move on to discuss the ins and outs of modern continuous integration. After we lock down our CI pipelines, we’ll look at how to find vulnerabilities in our dependencies. Armed with that information, we’ll learn how to properly triage the threats, exploits, and vulnerabilities that affect our software, and how to streamline code improvements. Before we’re done, we’ll investigate modern processes for continuous deployment, including secure infrastructure-as-code development and how to lock down our CD pipelines.
This workshop will get hands-on with a simple, streamlined approach to deploying code to the cloud while diving deep into essential concepts related to software security.
Keeping It SAST-y
SAST, SCA, DAST, IAST, RASP? What do all these security tool acronyms mean, and what do they mean for developers? With the threat to application security ever increasing, it is more important than ever to understand how to leverage tooling effectively as your trusty sidekick in the battle against cybercrime.
In this session, we’ll dive into static application security testing (SAST), static analysis concepts, and the strategies behind it. We’ll also discuss how to take advantage of tools to painlessly improve code security.
Cutting Through the Fog: Clarifying CRA Compliance in Cloud Native
With the final release of the European Union’s Cyber Resilience Act, it would be fair to have concerns about its implications for both the software you create and the resources you depend on. Much like London’s notorious fog, the hype and fear around the CRA have obscured the path our community is on.
In their role as leaders of CNCF’s Technical Advisory Group for Security and as maintainers of the OpenSSF Security Baseline, speakers Eddie Knight and Michael Lieberman are uniquely equipped to shed light on both the benefits and complexities of CRA.
This talk will be a light-hearted exploration of how cloud technology, open source projects, and end users can all benefit from the CRA, and how software creators can avoid falling on the wrong side of the law.