
Supply Chain Security Was A Hot Topic At KubeCon EU, Valencia: Stephen Giguere, Bridgecrew


In this series of interviews conducted at KubeCon + CloudNativeCon Europe 2022 (this one was recorded remotely due to flight changes), we sat down with Stephen Giguere, Developer Advocate at Bridgecrew, to talk about his experience at the event. It was clear that KubeCon is ‘back’. The audience was more focused, with actual practitioners, DevOps engineers and SREs among the crowd. Once again, supply chain security was one of the hottest topics, getting more attention than usual, which is what the industry needs today. In this episode, Giguere shares his experience at the event, the trends and patterns he saw, and how Bridgecrew (a Palo Alto Networks company) helps users solve many of the challenges discussed at KubeCon.

Key highlights from this video interview are:

  • Giguere discusses some of the keynotes that caught his attention and why. He explains why it is so beneficial to hear a keynote from an actual user of the cloud-native ecosystem, since for a practitioner and vendor it can be a reality check.
  • Giguere discusses how the introduction of Docker and Kubernetes meant that the security tools and methods used before no longer worked, and why people struggled to make the change.
  • Giguere explains how DevSecOps came about and the challenges this transition has presented. He discusses the role security has played in the DevOps initiative and some of the key considerations.
  • The move to adopting cloud-native technologies presents challenges due to the sheer velocity. Giguere explains how security is adapting to these needs, from making tools secure by default to enabling Ops to enforce checks in CI/CD.
  • Giguere discusses the impact of security on the developer experience and how to let developers keep focusing on creating applications that add business value. He explains how the idea of DevSecOps can make things easier for developers by providing them with tools that make sense in their workflow.
  • Kubernetes presents a number of unique challenges, both cultural and technological. Giguere explains the problems of securing Kubernetes and how a lack of education and best practices contributes to the situation.
  • Giguere feels that the supply chain is a big focus right now. He explains how treating everything as code can be used to find weaknesses and fix them earlier in the life cycle.
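As an added illustration of the "everything as code" idea from the last point (this is example code written for this page, not Bridgecrew's own tooling or anything shown in the interview): a small policy-as-code gate that inspects Kubernetes workload manifests in a repository for a few weak settings before they reach a cluster. The two manifests, the `EX_*` check identifiers and the image digest are constructed for the example; a real pipeline would load the YAML from the repo, but plain dictionaries are used here so it runs with no third-party dependency.

```python
"""Added example: a minimal policy-as-code check for Kubernetes manifests.

Not Bridgecrew code. Check identifiers (EX_*) and sample manifests are
hypothetical; they illustrate catching weak settings in the repo, before
deployment, instead of reacting at runtime.
"""

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    check_id: str   # hypothetical identifier for this example
    resource: str   # Kind/name/container that triggered the check
    message: str


# An image pinned to a content digest ends in "@sha256:<64 hex chars>".
# A tag such as ":latest" or ":1.25" can be re-pointed upstream; a digest cannot.
_DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def _pod_spec(manifest):
    """Return the pod spec for the workload kinds this example understands."""
    kind = manifest.get("kind")
    if kind == "Pod":
        return manifest["spec"]
    if kind in ("Deployment", "StatefulSet", "DaemonSet", "Job"):
        return manifest["spec"]["template"]["spec"]
    return None


def check_manifest(manifest):
    """Run every check against one manifest and return the list of findings."""
    findings = []
    name = f"{manifest.get('kind')}/{manifest.get('metadata', {}).get('name')}"
    spec = _pod_spec(manifest)
    if spec is None:
        return findings  # kind not covered by this example
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        cname = f"{name}/{c['name']}"
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(Finding("EX_PRIVILEGED", cname, "container runs privileged"))
        # Kubernetes defaults allowPrivilegeEscalation to true unless set.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(Finding("EX_PRIV_ESC", cname,
                                    "allowPrivilegeEscalation is not set to false"))
        # runAsNonRoot may be set at pod or container level.
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            findings.append(Finding("EX_ROOT", cname, "runAsNonRoot is not enforced"))
        image = c.get("image", "")
        if not _DIGEST_RE.search(image):
            findings.append(Finding("EX_UNPINNED_IMAGE", cname,
                                    f"image {image!r} is not pinned to a digest"))
    return findings


def scan(manifests):
    """Scan a list of manifests; an empty result means the gate passes."""
    out = []
    for m in manifests:
        out.extend(check_manifest(m))
    return out


# Constructed sample: a weak deployment beside a hardened one.
WEAK = {
    "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "nginx", "image": "nginx:latest",
         "securityContext": {"privileged": True}},
    ]}}},
}

HARDENED = {
    "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [
            {"name": "nginx",
             # placeholder digest, not a real image digest
             "image": "nginx@sha256:0123456789abcdef0123456789abcdef"
                      "0123456789abcdef0123456789abcdef",
             "securityContext": {"privileged": False,
                                 "allowPrivilegeEscalation": False}},
        ],
    }}},
}

if __name__ == "__main__":
    for f in scan([WEAK, HARDENED]):
        print(f"{f.check_id:18} {f.resource}: {f.message}")
```

Run as a pre-merge step, a non-empty result from `scan` fails the pipeline, so the unpinned image and privileged container in `WEAK` are caught in the pull request rather than in the cluster; `HARDENED` produces no findings and passes.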

Connect with Stephen Giguere (LinkedIn)

The summary of the show is written by Emily Nicholls.


Here is the automated and unedited transcript of the recording. Please note that the transcript has not been edited or reviewed. 

Swapnil Bhartiya: Hi, this is your host Swapnil Bhartiya and welcome to another episode of Let’s Talk. This was supposed to be recorded at KubeCon + CloudNativeCon EU in Valencia, Spain. But due to flight changes, we had to fly back early, and so we are doing it remotely, virtually. And today we have with us, once again, Stephen Giguere, developer advocate at Bridgecrew. Stephen, it’s great to have you on the show.

Stephen Giguere: Yeah, it’s great to be back. And I’m really sorry we didn’t get to do this live.

Swapnil Bhartiya: Maybe next time. There’s always a next time. As you were at the event, it was incredible to see, because if you compare with last year’s [inaudible 00:00:34] in LA, a lot of people were there. A lot of excitement was there. But I did not attend too many sessions or keynotes because I was stuck in the studio room regarding all those videos. But you were out there. So tell me, first of all, what kind of energy did you feel?

Stephen Giguere: Yeah. It was… I guess there’s just a really general vibe of excitement. I wasn’t able to go to the one in LA. So for me, this was my post-pandemic, coming-out-of-the-pandemic room. I felt like with the bright lights and so many people around, I guess it was just a kind of interesting sense of almost over-excitement. I think people were just happy to attend and go to anything. And there’s a great forgiving attitude, certainly. And obviously a little bit of safety first as well, probably. Yeah. Some of the talks felt like they were two years in the making, because there’s been so much talk. And I imagine there were so many submissions that the quality was high. That was my first impression.

Swapnil Bhartiya: I think the last KubeCon was in 2019 or ’18. It’s been so long. I don’t even remember when it was. Did you see any change in patterns or focus? What I do remember is that two or three years ago there was an increased focus on security, because in Cloud [inaudible 00:02:00] security was not… But people were talking about it. So there was a big gap, of suddenly you’re like, “Hey, we were at KubeCon X and now we’re at KubeCon Y.” And this is a cultural change or… So what did you feel, that, “Hey, you know what, certainly this is the focus there”?

Stephen Giguere: Well, certainly security was a hot topic again and supply chain, without any question, was on everybody’s lips. If you’re in the security community and you were looking to dive into anything that could help you in that domain, the co-located event, or what used to be called the Day Zero events, SecurityCon was unique in that it was two days. Most of the other events were only one day, and yet I went to that as well. And it was 80% super solid, and it was interesting all the way through. Rarely have I sat in the front row of a conference for two days rapidly making notes and learning things that just weren’t even sometimes on my radar. So I think the fact that you can fill two days and yet still have spillover content that was spotted throughout the regular KubeCon agenda was phenomenal. So if it looked like security was a focus a few years ago, it had its own solid place this time. It was incredible.

Swapnil Bhartiya: You said you were taking some notes and stuff like that. Of course, I will not ask you to share your notebook with us, but what were your key takeaways when you came back, sitting in the plane, flying back from there, when you were like, “Hey, this is what… This was incredible. This is…” So basically, key takeaways from the event, from your perspective.

Stephen Giguere: One of the best things I saw was Liz Rice, who did two talks. Liz Rice is somebody I know pretty well. And I feel like, generally, because I talk to her often enough, I know what’s coming. And yet I was still kind of bowled over by one of the new releases, an open source one from [inaudible 00:03:52], to do with prevention using eBPF at runtime. And I was, I don’t want to say excited, but I walked out of there thinking, “Okay, this is an actual…” This is the first time I’ve seen a game changer in a long time. And so that was one that I thought was, “Okay, this is pretty special.” Another one is, I’m maybe a sucker for, or a big fan of, war stories. So there was a keynote by Shopify talking about securing their supply chain. So anytime I hear an actual story, it doesn’t even matter if it’s just a short one. I think it was like 10, 15 minutes in the keynote speech, where it’s an actual user of the Cloud Native ecosystem explaining what they do.

I think, as a practitioner and also coming from a vendor, it’s sometimes a real reality check, because there’s sometimes a gap between what we think is happening and what’s actually happening. So I love stories like that. So that was one that I came away with, writing those things down: “Okay, this is the way we need to get or think about things.” And how they’re consuming the industry as opposed to the way we’re producing it. I think there’s a lot more scope, and I would really love in a future KubeCon to see more user group stories. That would be amazing.

Swapnil Bhartiya: We continue to see new terms, new jargon, depending on how you look at them, as an evolution or just… We were trying to break down old silos with the whole DevOps movement, but we do see [inaudible 00:05:19] they have their own focus. DevOps, DevSecOps, NetOps. So how have you seen the role of the developer or practitioner evolve? Is it really the same guy taking care of everything, or do you see different teams responsible for different responsibilities? And security is something which is not an easy thing to do.

Stephen Giguere: Yeah. It’s funny. As security, working in sort of the vendor space as I’ve been for, oh my goodness, eight years, I saw Docker and Kubernetes completely disrupt the security space when they first came out of what seemed like nowhere, and suddenly everything we were doing, our overarching philosophy, still worked, but the tools and the methods no longer did, and the people didn’t understand how to make the change. And then slowly over time we started saying words like DevSecOps. We started saying phrases like shift left. Now, we mostly said them to each other and we thought, “Yes, it’s working. We said shift left to each other. All right.” But the reality was that the message wasn’t getting to the developers, it wasn’t getting to Ops, it wasn’t getting there. And that was kind of our fault really, because we made sure our bubble was happy with it so that we felt assured enough to go out into the world and say, “Hi, we’re security. We really actually would like to be involved with you now, is that okay?” And I think the message is getting out there.

A lot of the tooling and a lot of the messaging that I see spoken about is talking about why we’re going to do this, and it’s a DevOps initiative, but here’s also how we’re going to secure it. And they say things back to us. Now we’re hearing the words shift left, but it’s not coming from the bubble, it’s coming from outside. They understand what it is. There isn’t too much eye rolling going on. And you saw that actually throughout KubeCon: even talks that weren’t about security sometimes had a mention of how security was going to be involved from the outset.

And I thought, “Have we done it? Have we passed the tipping point where we’re not saying it, but it’s actually a part of it?” And I hope that’s the case. And I certainly think a lot of the vendors out there are now saying the words developer first; they’re saying things like, we’re developing security tools not for the security team, we’re making them for developers so that they live in their ecosystem. And they’re just there. They’re easy. It’s as simple as safety is for us. We can make security simple for them. So I think we’re there, but we’re not there there; there’s a long way to go.

Swapnil Bhartiya: Right. This may be a kind of, it might sound like a stupid question, but the world that we are moving towards, the whole Cloud-centric or centralized, decentralized, distributed, whatever we look at it as. Things are not as isolated as they used to be in the older world. If you look at AI/ML, they play a very big role with scanning and all those things there. If you look at IoT, of course there are remote edge devices, but you also need your on-prem data centers. And you also have the hyperscalers as well.

So the same thing is there with security, that security is not going to be something separate. When you go buy a car, you don’t install airbags or brakes later on. When you buy or build a house, you don’t do all the fires to everything later on; it comes built in with a lot of things. So why should software be any different? Security should not be something separate. You know what? Yeah, we will install airbags and brakes later on. We don’t need them right now. So basically, it’s a cultural thing. Also, technology is also there. As I said, it might be a totally stupid question. Or do you think it makes some sense?

Stephen Giguere: No, it does make sense. And those comparisons are actually pretty accurate. But I think where we kind of sit when we’re talking about the move to Cloud Native technologies specifically, where we’re looking at how fast we’re moving in that space, and how the motivation for developers and Ops and just organizations is velocity, then we have to compare the software that we’re producing not to a car that I would go into the shop and buy, but to something more like an early F1 car or something. But I’m going to go back in time to the forties and fifties, where these things did not have safety features built in. They were designed for velocity first and it was quite dangerous. And that’s kind of where, if we do a timeline comparison as to where we sit, we’re way back there. Now, there will come a time when security seems easy and we feel like we’re crazy for not having done it, but we are still a little bit like we’re grabbing the new shiny, shiny. We’re slapping it all together and it’s going out the door.

But we are a little bit, coming back to what I said earlier, we are looking at where, if a new shiny, shiny shows up, there’s some security in it, which is fantastic. Because now we’re not troubling developers. We’re making the tools that they use and the new shiny, shiny pieces that we’re putting together secured by default when we can. And when we can’t, we’re enabling Ops and SecOps to do things in CI and do things in CD. That means that the imposition of security seems minor. I think we’re getting there.

Swapnil Bhartiya: When we look at security, and I was listening to you, that developers and folks… Not developers, everybody looks at the new shiny object, and security at times becomes a hindrance to progress. Does it become, that the focus shifts? Does it also lead to burnout? Because security is not a product, it’s a process. So talk about the impact of security on the whole developer experience. It could be performance. It could be efficiency. There can be so many things. We are also struggling with the whole talent crunch. There’s a huge supply and demand gap there, and this could not be… So let’s talk about the problem. And then also, of course, what Bridgecrew is doing to make it easier for them. So developers can still continue to focus on what their focus is, to create applications that add business value.

Stephen Giguere: Right. Yeah. Well, let’s kind of unpack that in reverse. You’re talking about business value. I think when the business is assessing the objectives of the software they’re trying to do, they are looking to… Let’s just face it, make money from whatever it is they’re doing, right? That’s generally the first thing. And sometimes security can fall by the wayside unless it’s built into the process from the beginning. If they look at what they have to do from a security perspective, many companies just go into the industry to see compliance. What is the compliance industry telling me I have to do? Is it PCI DSS? Is it HIPAA? Is it any number of new compliance directives? And it’s funny you should ask this, because I had a conversation earlier today and we were specifically speaking about how compliance, let’s say, call it directives.

They first come into play because people aren’t doing anything right. And usually some people who may or may not know the best practices create a compliance, and then people go, “Oh great. I don’t have to think for myself anymore. I’m just going to do this compliance thing.” And then away we go. So that actually, long after the industry has matured beyond the requirement for the compliance, the compliance just doesn’t go away. And that can actually get in the way of doing security better. Amazingly. It’s great at the start, but way down the line, it’s not always the best thing for us, because people rely on it and it’s not necessarily providing best practice. So that’s the first thing where security can get in the way. And it’s nothing to do with developers or vendors or anything. It’s just something that can be a problem from a business perspective.

The other alternative is, if I go back in time, and you mentioned older processes. I used to live in the world of AppSec and we thought we were making tools for security, and we would make shiny dashboards and pretty colors and graphs. And it was wonderful, right? Without considering at all that we were providing the developers with an epic amount of noise and tool fatigue, just straight out of the box. So security has a reputation. It needs a rewrite. I think a lot of what’s being done by security right now is really, really good. But we’re not the department of no anymore. We are something that is part of the ecosystem. The idea of DevSecOps is in fact real now, even though I, myself, made fun of it a lot about two years ago. And it is something that we need to overcome, which is simply only reputation, which is interesting.

So that is something that, just culturally, we need to get over. In terms of what we’re doing now, in terms of making things slower, I think we’re actually at the tipping point, where we are actually making things faster, and maybe I might get some people rolling their eyes or [inaudible 00:14:08] at me for saying that. But I think when a lot of us are doing it right, we’re not sending security reports back to developers. We’re not doing slow feedback loops anymore. We’re providing the tools in ways that make sense and are familiar, such that we are doing things in a way that is hopefully correct.

Swapnil Bhartiya: Let’s talk specifically about Cloud Native in the sense of Kubernetes; Kubernetes itself is quite complicated. What kind of unique challenges do you see that come with Kubernetes, which could be cultural or could be technological?

Stephen Giguere: Oh, well, you’re right. Just straight up, Kubernetes is complicated. You hit the nail on the head there. If you’re dealing with how to secure Kubernetes, if you just look at the certifications under CNCF, the CKS is the hardest one. Not even by a slight bit, by a large margin. CKAD and CKA, I think I kind of breezed through, but CKS, I stressed forever to try and get it. And I still got it in there and sweated; it was hard. And that was a real reality check and a wake-up call for me, who thought I kind of knew security in Kubernetes pretty well. And without question, that is something that, if it’s difficult, people just won’t do it. We also have an issue in Kubernetes where, if you try to find secure defaults or you try to find the way to implement Kubernetes securely, there’s not a lot of material out there.

We don’t have an education system for it. We don’t have… Really, we don’t have a lot of best practices around it. There are some great books. Andrew Martin and Michael [inaudible 00:15:45] just released Hacking Kubernetes. It’s huge, understandably. And I highly recommend that. That’s a great read and it’s a great story. But other than that, we’re still kind of flying by the seat of our pants in terms of making sure people understand it. But I think if we look forward, say five years, in Kubernetes we will start abstracting the security requirements away from that. Kubernetes will start to become ubiquitous, and secure Kubernetes implementations, or as-secure-as-you-can Kubernetes implementations, will start to become something where hopefully DevOps teams aren’t going to have to be so distracted by that. But it absolutely, technologically, is still very much a thing that we’re having to overcome. I don’t think so much culturally. I think people who love Kubernetes fully love to geek out on it, but it’s not an easy thing.

Swapnil Bhartiya: Right. No, once again, very well said. I think, I mean, to be honest with you, I could sit for hours to talk, I would. But if I look at my agenda today, yeah, I’m sure, I think we touched on some of those points. Is there anything that you feel [inaudible 00:16:48] in terms of, because we’re talking KubeCon specifically, something we should talk about, or do you think that we have covered the main topics here?

Stephen Giguere: I think there’s one more thing I tapped at the beginning, where I mentioned supply chain. I think there’s a really big focus that’s happening right now with that. And certainly, I mean, maybe it’s a bit of a self-serving subject, because within Bridgecrew it’s something that we’re looking at, so it’s something I’m involved with. And it’s the idea of combining all the different security silos. So combining InfoSec with AppSec such that we’re looking at not just vulnerabilities, but a vulnerability in a manifest, in a Cloud that has been provisioned by Terraform, combining all of the security postures of each of these to bring context to a vulnerability that a vulnerability previously did not have. So a vulnerability in isolation becomes noise, but in the context of the entire Cloud ecosystem, you can go code to Cloud and you can see, all right, well, this vulnerability actually touches this in this way. And I can see that as code.

I’m not looking at it. I’m not reacting at runtime. If I can see all of this infrastructure, or everything, as code, and I can map that to know where my weak points are, then I’ve got a really good look at my supply chain. And at the same time, if I’m using… Everything as code or infrastructure as code to configure my GitLab or my GitHub, and I’m using it to create my workflows, actually if everything’s code, we can kind of find all of our weaknesses really early and we can prioritize our vulnerabilities. And I think that’s something in its infancy. And I think not just us, a lot of people are working on that. And I hope by next KubeCon, we’ll see some more developments in that space.

Swapnil Bhartiya: Stephen, thank you so much for taking time out today. And first of all, I really wish I could have done that in person at KubeCon, but there are more KubeCons coming, so we’ll sit down and do that. But thanks for sharing those insights, and especially how it improves security posture there. And I would love to have you back on the show. Thank you.

Stephen Giguere: Amazing. Thank you very much. It’s been an absolute pleasure.
