Speaker

José Carlos Chávez

Security Software Engineer at Okta | OWASP Coraza co-leader

Barcelona, Spain

José Carlos Chávez is a Security Software Engineer at Okta, an OWASP Coraza co-leader and a Mathematics student at the University of Barcelona. He enjoys working in Security, compiling to WASM, designing APIs and building distributed systems. While not working with code, you can find him sipping on kombuchas or enjoying his children.

Area of Expertise

  • Information & Communications Technology

Topics

  • Security
  • Software Engineering
  • distributed systems
  • Software Development
  • Cloud Security

Managing Open Source Software Security in your organization

Widespread in the software industry, open source software (OSS) facilitates rapid solution development by incorporating pre-built components built and maintained by external developers. Although the use of OSS has undeniable advantages, security vulnerabilities discovered in these components can have severe consequences. The expanding scale and intricacy of the OSS ecosystem pose specific challenges: How can one ensure the reliability of the OSS employed for critical operations? How can security risks be mitigated in a DevOps environment that prioritizes speed? When should I reinvent the wheel?

In this talk, we will describe lessons learned from using OSS at the core of an organization and explore best practices to make sure we can reliably use open source software without compromising our security.

Fine-grained policies RBAC with OpenFGA

The fine-grained nature of cloud native deployments requires fine-grained authorization at each component. However, this may require security policies to be centrally defined and the configurations reflecting them to be defined in each microservice to enable uniform, consistent enforcement across the entire system, which is hard to model and maintain.

OpenFGA is an open source solution for Fine-Grained Authorization that applies the concept of Relationship-based access control (ReBAC), in which a subject's permission to access a resource is defined by the presence of relationships between those subjects and resources. It was designed for reliability and low latency at high scale.

This talk will offer an overview of OpenFGA, ReBAC and its advantages when used along with Istio to achieve a true zero-trust architecture.

Web Application Firewalls Revisited

Security has been a concern since the dawn of the internet, and today's threats are more prevalent and sophisticated than ever. Success in security today means protecting not just the edge of your network but every component from attacks. In this talk we go through the Zero-Trust principles and how they play a fundamental role in the design of secure modern systems. Then, we'll review how the Web Application Firewall concept has evolved to the point where no user, device, or network traffic is trusted by default. We'll also meet Coraza, a modern WAF library that embraces the OWASP CoreRuleSet, and see how together they protect web applications from a wide range of attacks.

Use Wasm to Deploy WAF Deeper in the Service Mesh for Zero Trust and Compliance

In today's complex cybersecurity landscape, it is increasingly challenging to protect against sophisticated attacks. A WAF is already critical to application security when deployed at the edge, including as a fast patch mechanism for zero-day exploits. But it is now possible, using Wasm plugins in the Service Mesh data plane, to inject a WAF transparently as part of a Zero Trust Architecture where security policy is enforced at every hop.

Deploying a WAF close to workloads can help organizations improve their overall security posture and reduce the likelihood of successful cyberattacks. In this talk, we will explore how Wasm can be used to deploy a WAF deeper in the network, not just at the application edge.

We'll also discuss compliance requirements for sensitive applications, such as PCI DSS, which will demand WAF deployment by 2025. We'll explain how open-source WAFs can help meet these requirements and provide peace of mind for organizations handling sensitive data.

The Top 10 List of Istio Security Risks and Mitigation Strategies

CNCF is developing its first-ever Top 10 list of security risks facing Istio deployments. As a community-driven effort, it draws on the expertise of a wide range of security professionals and cloud native computing experts to ensure the list reflects the most current and relevant security risks facing cloud native applications.

The Top 10 will help organizations prioritize their security efforts and focus on the most significant security risks that they may face. By understanding and addressing these risks, organizations can better protect against malicious attacks, data breaches, and other security incidents.

In this talk we'll cover what's in the list and the selection criteria behind it, and discuss the strategies organizations should adopt to mitigate these critical risks to cloud native computing security.

Distributed Tracing: understanding how all your components work together

Understanding system failures traditionally starts with looking at a single component in isolation. However, this approach does not provide sufficient information in distributed service architectures. In these systems, end-user requests traverse dozens of components, and therefore a new approach is needed.

In this talk we'll look at distributed tracing, which summarizes and contextualizes all sides of the story into a well-scoped, causal timeline. We'll also look at distributed tracing tools, like Zipkin, which highlight the relationships between components, from the very top of the stack to the deepest aspects of the system.

NDC Security 2024 Sessionize Event

January 2024, Oslo, Norway

microXchg 2018 Sessionize Event

April 2019
