GCP's Secure Supply Chain in practical terms: securing your containers
Typically, when we talk about security in containerised workloads, we mostly mean runtime security. Occasionally, in-registry scanning of images for components and libraries with known vulnerabilities is brought into the discussion. But what about build time? What if a malicious actor compromised your CI? What if a rogue image is deployed, bypassing every step of your CD pipeline? And wouldn't it be better if developers didn't pull in vulnerable libraries in the first place?
All of these questions prompted Google Cloud to develop a set of tools known under the umbrella term "Secure Supply Chain": scanning, verification and cryptographic assurance services integrated into GCP's CI/CD patterns for GKE (Google Kubernetes Engine) and Cloud Run. It all looks great, but a) it is a lot, and b) it assumes that you use GCP tools to manage your entire software lifecycle.
But what does it mean in practical terms? In this talk, we look at specific services and their implementation "in the wild". You will learn how to set up Binary Authorization in an enterprise environment, how to enable and make use of the built-in scanning capabilities of GKE and Artifact Registry, and how to manage the security posture of your Kubernetes and Cloud Run deployments.
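To make the Binary Authorization part concrete, here is an added illustration (not material from the talk or from Google's documentation) of the single setting that decides whether the control does anything at all. A Binary Authorization project policy is exported and imported as YAML with `gcloud container binauthz policy export` and `gcloud container binauthz policy import policy.yaml`; the project ID, attestor name and cluster name below are placeholders.

```yaml
# Added example, not the speaker's own configuration. Two versions of a
# Binary Authorization project policy for the hypothetical project
# "my-project" with the hypothetical attestor "build-attestor".

# --- Weak: the default policy a new project gets. Everything is admitted,
# so enabling Binary Authorization on the cluster changes nothing.
globalPolicyEvaluationMode: ENABLE
defaultAdmissionRule:
  evaluationMode: ALWAYS_ALLOW
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG

---
# --- Enforcing: images must carry a signed attestation from the
# organisation's attestor before GKE admits them. Anything that bypasses
# the CD pipeline (and therefore was never attested) is blocked and logged.
globalPolicyEvaluationMode: ENABLE            # still admit Google system images
admissionWhitelistPatterns:
- namePattern: gcr.io/google_containers/*    # exempt list; keep it short and reviewed
defaultAdmissionRule:
  evaluationMode: REQUIRE_ATTESTATION
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
  requireAttestationsBy:
  - projects/my-project/attestors/build-attestor
clusterAdmissionRules:
  # Per-cluster override, keyed as location.cluster-name. Dry-run mode lets a
  # dev cluster log what would have been blocked before enforcement is turned on.
  europe-west2.dev-cluster:
    evaluationMode: REQUIRE_ATTESTATION
    enforcementMode: DRYRUN_AUDIT_LOG_ONLY
    requireAttestationsBy:
    - projects/my-project/attestors/build-attestor
```

The policy only takes effect on clusters that have enforcement enabled (for example `gcloud container clusters create CLUSTER --binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE`), so a practitioner should check both the cluster setting and the policy's `evaluationMode`: a cluster with enforcement on but an `ALWAYS_ALLOW` policy gives the appearance of a control without the substance.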
You can find some of my recorded talks here: https://www.youtube.com/playlist?list=PLS3g1K3mnmajt5Eu3nNaAiMK3hXjVRRNL This is a new talk. It will be purely technical and go through the details of configuration for parts of the Secure Supply Chain and their integration with CI/CD (probably GitHub Actions), the GKE Security Posture dashboard, and real-life applications of these security tools.
Natalie Godec
Cloud Architect | Google Dev Expert in Cloud | GCP Champion Innovator
London, United Kingdom