Continuous Security - Building Security into your Pipelines | Matt Jarvis | Conf42 Cloud Native 2021

Conference: Conf42 Cloud Native 2021

Year: 2021

Matt Jarvis, Senior Developer Advocate @ Snyk

In the world of continuous delivery and cloud native, the boundaries between what is our application and what constitutes infrastructure are becoming increasingly blurred. Our workloads, the containers they ship in, and our platform configuration are now often developed and deployed by the same teams, and development velocity is the key metric of success. This presents us with a challenge that the previous model of security as a final, external gatekeeper step cannot keep up with. To ensure our apps and platforms are secure, we need to integrate security at all stages of our pipelines and ensure that our developers and engineering teams have tools and data that enable them to make decisions about security on an ongoing basis. In this session I will talk through the problem space, look at the kinds of security issues we need to consider, and look at where the integration points are to build security into our CI/CD process.

00:00 Intro
00:40 $whoami
00:50 What is an application?
01:38 Shifting security
03:50 New vulnerabilities each year by ecosystem
04:20 The direct and indirect dependency split across ecosystems
05:32 Developers own the security of container images
06:02 Number of OS vulnerabilities by docker image
06:44 Linux OS vulnerabilities steadily increasing
08:02 Configuration is increasing in code
08:20 Configuration is everywhere
09:01 Configuration is a security risk
09:45 Insecure by default
11:15 Container Security Spectrum
11:44 Developer First...
12:11 Remediation guidance to minimize exposure and reduce time-to-fix
12:54 Make sure our repos are secure!
14:20 Pull request scanning and repository monitoring
15:04 Scan images in registries ...
15:34 CI Pipelines
15:57 Protect your application
17:00 It is critical for developers to secure containers from the start
17:37 Detect vulnerabilities
17:51 Thank you!