A look at historical Kubernetes breaches, the high-level security primitives, and an overview of multi-tenancy models in Kubernetes.

I’ll show what Istio is, and how it does what it does. We’ll explore that from the point of view of one packet travelling in from the internet and back out again, to show us all the major data and control plane components.

An introduction to Istio security, looking at how Istio helps to keep your security team happy by satisfying Kubernetes security requirements for multi-tenancy, and your developers happy by reducing implementation effort. Istio is still an evolving technology, and outstanding issues and impending improvements will be discussed.


HOT TOPIC 2: After taking a decision to establish a DevSecOps mindset at an organisation, what key skills and experience (cultural as well as technical) should I look for in a first hire?


This is a continuation of Chris Rutter’s security talks (typically focused around Threat Modelling). In this talk Chris will explore real techniques, both technical and organisational, to introduce security into DevOps without hitting people with bricks [Not literally].


HOT TOPIC 3: Incorporating traditional Security Operations Centre (SOC) function into DevOps/DevSecOps?


The talk will be about …. Shifting left significantly reduces costs and diminishes release delays. Continuous security validation should be added at each step from development through production to help ensure the application is always secure. I’ll be focusing on work done with Pride in London (a project using Gatsby2, Contentful and Netlify) and showing you how to create a secure CI/CD pipeline. You’ll learn how GitHub Marketplace helped the team automate and improve our workflow with different tools for accessibility, code coverage, code review, code quality, security and other functionalities. You’ll also find out what OWASP is and how to improve the workflow for your own open source projects using GitHub Marketplace applications.


HOT TOPIC 4: Supply Chain Security: Should the approach be the same for COTS vs developed business applications … is one more “DevSecOps related” than the other?


There is no legal obligation to ship secure code, but is there an ethical obligation?

This talk will be about…whether we have an obligation to ship secure code. Customers, and even users of free products, share their data with companies on the assumption that those companies will make a good faith effort to protect them. But what about our obligations as individual developers? Can we rely on QA or pen testers, if we’re in a larger organisation? What if we’re individual indie devs, what then?


Session 1
1230 – Vendor (Sonatype)
1330 – Community Speaker 2 (Glenn Wilson)
1430 – Refreshments & Network
Session 2
1500 – Vendor (Checkmarx)
1600 – Vendor (Contrast)
Session 3
1730 – Food & Network
1800 – Community Speaker 1 (Dr. Helen Thackray)
1900 – Vendor (AquaSec)
2000 – Community Speaker 3 (Chris Rutter)


Modern Software Delivery: Supply Chain Security Critical
Software is no longer delivered on a CD-ROM with occasional updates. Software delivery has become a continuous process for SaaS, mobile and desktop apps with technology suppliers woven in. Open source, service provider APIs, and of course cloud are all woven in and changing continuously. What value is a point in time assessment to understand the risk accepted by the enterprise or software users? Software assessments must become continuous and process based. There is also a need to balance the transparency desired by software users with the needs of vendors to be effective in software delivery and maintenance. We need continuous assessment with the right level of transparency to keep up with our rapidly changing and deeply nested software supply chains.


This talk is about maturing a security programme in an organisation’s DevOps/DevSecOps transformation. We will discuss how maturity models can be used to help organisations achieve systematic improvements in any DevSecOps programme.