04-01, 13:20–13:50 (UTC), Track 1 (UTC)
How do we safely introduce Cloud Native software without opening unexpected security holes? By understanding risk, modelling threats, and attacking our own systems.
“Simulation” (i.e. playing hacking games on production-like infrastructure) is rising to prominence as a comprehensive training method for penetration testers, Red Teams, and infrastructure engineers. It safely demonstrates the risks an organisation or platform may face by using a controlled environment that looks and feels like production — but is only a clone.
In this highly technical talk we:
- cover the challenges faced introducing Cloud Native to financial organisations
- show the steps taken to threat model Kubernetes
- build and automate attack trees and kill chains for likely (and perversely difficult) compromise scenarios
- demonstrate an open-source Kubernetes CTF platform
Andrew has an incisive security engineering ethos gained building and destroying high-traffic web applications. Proficient in systems development, testing, and operations, he is comfortable profiling and securing every tier of a bare metal or cloud native system, and has battle-hardened experience delivering containerised solutions to enterprise and government. He is a co-founder at https://control-plane.io