Ram Iyengar
Developer Advocate at the Cloud Foundry Foundation
Chennai, India
Ram Iyengar is an engineer by practice and an educator at heart. He was (cf) pushed into technology evangelism along his journey as a developer and hasn’t looked back since! He enjoys helping engineering teams around the world discover new and creative ways to work. He is a proponent of community-first product development.
What Should Cloud Native Devs Know About Security?
The topic of software supply chain security has become mainstream today. Everyone is talking about it, but not a lot of folks know what to do about it. In this talk, I aim to showcase some actionable tips, tools, and techniques towards improved security postures for those working on cloud native technologies.
Specifically, I aim to cover information about securing repos, improved build processes, CI/CD security, SBOM generation, and runtime protection for applications running on Kubernetes.
Use SBOMs to Avoid Those F-bombs
Every one of us has had to face a security incident. If not, I highly encourage you to face one. It changes your life!
For the less adventurous, I recommend using SBOMs as part of software builds and releases in order to really be on top of the security game. Modern build and deploy systems are making use of SBOMs for preventive security as well as in responding to active incidents.
Come learn how to put SBOMs to good use in this session.
The Basics Of Software Supply Chain Security For Cloud Native Workflows
The Cloud Native community has made many strides in improving the security of containers and Kubernetes. The aim of this talk is to showcase these efforts such as signing Kubernetes artefacts with sigstore, SBOMs for Kubernetes (sigs/bom), etc.
The second part of this talk will focus on how to secure basic cloud native workflows. There will be a demo component that will educate attendees about signing images, generating SBOMs, consuming them, creating deployment policies, and other ways to secure images and other artefacts.
Supply Chain Secure Your Distributed Applications
This session is designed to cover two questions: what are the security fundamentals for distributed applications, and how do you apply and automate them?
Part slides and part demo, the broad areas of signing builds, applying policy, SBOM generation, SLSA levels for builds, and security scorecards will all be explained in theory and demonstrated on sample infrastructure.
The talk will showcase several open source tools such as Sigstore, Cloud Native Buildpacks, Kyverno, Scorecards, and others. The aim is to introduce each of these tools and demonstrate how small steps can have a disproportionate impact on the security posture for applications in production.
Supple Supply Chain Security With kpack!
The software industry at large is abuzz with supply chain security! In this short talk, attendees will learn what this is and how to secure themselves in simple ways. The talk will introduce the concepts of hermetic and parameterless builds, SBOMs, and signing infrastructure ― three pieces which will improve the security posture. Attendees will walk away with a starting point for supply chain security in their container-based workflows.
Sum Of Parts: GitOps + Supply Chain Security
The Open Source Security Foundation stewards a Supply Chain Integrity Working Group. Using the directives published by this group, there is a prototype implementation of a secure pipeline known as FRSCA (Factory for Repeatable Secure Creation of Artifacts).
It follows the architecture laid out by the Cloud Native Computing Foundation (CNCF)'s Secure Software Factory Reference Architecture, as outlined in their Software Supply Chain Best Practices White Paper.
In this talk, I would like to demo a slight variation of FRSCA to use GitOps principles and corresponding GitOps tooling. The goal of my presentation is to demonstrate the viability of FRSCA/Supply Chain Security principles in a GitOps realm.
Three key principles are found at the core of FRSCA: (a) simple and fast, (b) SLSA ready, and (c) secure by default. I firmly believe that these can be realized using GitOps operators and tooling. This will extend the boundaries of the CNCF example implementation by including a GitOps-specific implementation of the same reference architecture.
Stronger Supply Chain Security Postures
Open Source Software is used by DevOps practitioners in a large number of organizations, big and small. Leadership teams within these organizations are being required to answer questions about the integrity of software artifacts and to establish provenance at each stage. For the engineering teams who report to them and who write, build, and maintain software, security and compliance are paramount.
Recent evidence of these changing requirements can be found here:
[1] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1.pdf
[2] https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
Secure Open Source Supply Chains are crucial to those involved in creating and distributing open source software.
Those engineers, engineering managers, and program managers who are responsible for delivering software that is or consumes open source software are under increasing scrutiny to establish provenance of their software artifacts.
This talk will demonstrate the impact of adopting various OpenSSF projects within software supply chains. It will cover tools and techniques that use open source projects to generate SBOMs, improve SLSA levels, and introduce signed builds.
The projects demonstrated will be Cloud Native Buildpacks, kpack, and cosign — all of which are fully open source.
Security: The Thing That Everyone Loves To Hate
Security often takes center stage—only after “something” goes wrong, when DevOps teams turn in a DevOops response! Teams scramble after breaches, misconfigurations, and compliance failures, only to realize too late that preventive measures had been missing all along.
For all the millions of marketing dollars poured into Shift-left and DevSecOps, security shouldn’t be an afterthought—it needs to be woven into every stage of the Software Development Lifecycle (SDLC).
In this panel, we will share real-world stories and discuss how to build a more security-conscious team culture. Security issues span a spectrum of causes, ranging from communication breakdowns and lack of training to plain old human error. We'll cut through the marketing noise and explore the tools and techniques that make a difference. No buzzwords. Just actionable advice you can take home and implement. Honest narratives, shot straight from the heart.
Secure Your Deployments: Projects, Assemble!
This talk will be a live demonstration of using various CNCF projects available currently to improve the security of applications deployed on Kubernetes. The typical flow for teams is to build, push to a container registry, and deploy. During the talk, we will modify each of these steps to become more secure.
First, use Cloud Native Buildpacks to generate a Software Bill of Materials for the app by default. This will allow users to know exactly what is inside the image.
Next, sign the build using cosign to provide attestation and provenance.
Third, use private registries (e.g. Harbor) and the ORAS project to store images and other OCI artifacts.
Finally, use Kyverno as a policy engine that will allow only compliant, secure, and verified images to be deployed on the Kubernetes cluster.
The four steps highlighted above will benefit users greatly by making their deployments secure and resilient to supply chain attacks.
Scorecard: Assessments Made Easy
Scorecard is a project of the OpenSSF, which makes it simple to assess the health of any repository. It is a fully open source project built with the aim of bringing transparency and standardization around security health metrics.
Scorecard is a cross-industry collaboration between big and small names in OSS/security. Scorecard checks for vulnerabilities affecting different parts of the software supply chain including source code, build, dependencies, testing, and project maintenance.
SBOMs With Cloud Native Buildpacks
In the past couple of years, the cloud native community has become greatly invested in security, and in particular, the idea of Software Supply Chain security. Through a collective impetus, amplified by government orders, the notion of a secure supply chain is gaining traction.
Thanks to the foresight of astute contributors, the Cloud Native Buildpacks team has been able to future-proof themselves by working on two major areas. First, the availability of lean images. The second is the inclusion of SBOMs as part of their base specification.
This talk will focus on SBOMs. Specifically, attendees will learn about the ways in which SBOMs are generated, how they can be put to use, different SBOM formats, and SBOMs in different language families. All while using Cloud Native Buildpacks.
SBOMs serve to enhance supply chain security postures greatly. This talk will demonstrate how to ingest SBOMs to identify vulnerabilities and gain transparency into containers. Attendees will also learn to apply the same principles across many workflows which use Buildpacks (such as kpack, knative, etc.)
SBOMs for All: Cloud Native Buildpacks
In this lightning talk, I will demonstrate how SBOMs can be generated for apps written in any language when using Cloud Native Buildpacks. It is part of the Buildpacks spec to create SBOMs and store them as metadata for the various artefacts created using Buildpacks.
Protobom: Converging SBOM Standards
Protobom is an open-source software supply chain tool designed to address the challenge of multiple Software Bill of Materials (SBOM) formats. This project presents a universal format and thereby has the potential to bridge the gap between different SBOM formats. This would simplify SBOM creation, consumption, and sharing across tools and vendors.
This talk is about introducing this technology to the larger community and helping adoption.
Open Source To Close The Container Security Gap
In this talk, the audience will be exposed to a number of open source projects that will help implement better security for their containers-based workflows.
Containers form the basis of a functional Kubernetes environment. Therefore the quality of your Kubernetes experience becomes a direct function of the quality of your containers. Learn to make use of open source tools to greatly improve the quality of your containers. The list of tools includes:
1. Cloud Native Buildpacks
2. Chainguard Base Images
3. Sigstore
4. Software Bill of Materials
Let's Shift Left And Not Swipe Left When It Comes To Kubernetes Security!
For years, the industry has been talking about shifting security left, but unfortunately there is still a phase shift in practice. Kubernetes security has been improving in leaps and bounds. In this talk, I will help make sense of the acronyms that abound in this space (CNAPP, CSPM, CNWPP, CASB), navigate your way through projects you can get started with (Sigstore, Falco, OPA, Trivy), and take the first steps towards making your CISO happy.
In-toto, in total
Come learn all the ways in-toto is used within the CNCF ecosystem. If you're actively building software using cloud native tools and meant for deployment on Kubernetes, there are many ways in which in-toto attestations can be useful.
In-toto is a framework that guarantees the security and integrity of the software supply chain. It verifies that each task within the chain is completed as intended, only by authorized individuals, and that the final product remains unaltered in transit.
Improved Containers With Buildpacks and Wolfi
The container ecosystem runs a large part of the web's workloads. Despite the large community of developers that it impacts, the container ecosystem has a lot of areas for improvement.
In this talk, attendees will be introduced to two areas which will improve the quality of their containers: container security and automation. By using Wolfi images as the base image for their containers, engineers can boast of near-zero CVEs in their runtime stacks. By taking advantage of Cloud Native Buildpacks, creating and maintaining containers becomes much easier.
The talk will demo how to make use of these two technologies for improved container experiences for app developers and platform operators alike.
Everything About Security For Cloud Native Engineers
This talk describes all the pieces of the cloud native ecosystem that have to do with security. Container scanning, attestation, minimal container images, runtime security, policy, and confidential containers will all be demonstrated with examples.
There is also a path to runtime security when using cloud native projects and running applications on Kubernetes. Similarly, traffic from CI/CD can be monitored and analyzed for outliers.
CD Threat Vectors: Examples and Mitigation Strategies
CD is the backbone of the software development, delivery, and deployment process. In recent times, vulnerabilities in the CD pipeline have been discovered, leading to alarming consequences for the industry as a whole. Securing the pipeline is therefore critical to every organization, alongside other forms of security.
In this talk I intend to demonstrate a couple of threat vectors along with strategies to discover, mitigate, and contain them. These threats are based on the OWASP, CISA, and NIST frameworks. The examples will include egress filtering and potential file tampering. I intend to demonstrate a combination of tools and techniques that will help improve the CD pipeline by making it more secure.
Becoming a Software Supply Chain Security Samurai
Recent years have really altered the landscape of security tooling. This has had a profound effect on DevOps culture, especially among cloud native adopters. Come watch this talk where I will introduce a bunch of security tools which will transform cloud native workloads into secure yet performant ones. The demo will include minimal base images, container scanning, attestation, tracing, policy, and confidential computing.
Baby Steps in Supply Chain Security
In this session, attendees will be exposed to the very basics of software supply chain security, especially for the cloud native ecosystem. The talk distills the work of the Supply Chain Security TAG.
The talk will cover the use of SBOMs, SLSA, signatures, and policy to gradually improve the security posture around creating and deploying containers.
A Supply Chain Security View of OpenSearch
Supply Chain Software Security is a hot-button topic in the security and compliance domain of the open source software world, especially for end-user companies that are large, risk-averse, and depend heavily on open source. OSS projects, and the communities that surround them, are now compelled to adopt security best practices in order to position these projects as viable ones for commercial adoption.
OpenSearch is a perfect example of a popular open source project, backed by heavyweights, and in use by a large number of companies. Therefore, securing this project is of paramount importance for the community.
In this talk I intend to walk users through some security basics, while showcasing how to adopt them for OpenSearch. Some of the information will include scanning the repository, container images, dependency management, and deploying attestations, among others.
Please note that Sessionize is not responsible for the accuracy or validity of the data provided by speakers. If you suspect this profile to be fake or spam, please let us know.