2024

The Cloud-Native Club | Project Spotlight: Edera

  • Type: Podcast
  • Youtube
  • Date: 26 Sept 2024

OSS North America - The Overconfident Operator Vs the Nefarious Ne’er-Do-Well

Ozzie the Overconfident Operator has secured their cluster! They have done it all: role-based access control, encryption at rest, TLS…and as they congratulate themself on a job well done, Nova the Nefarious Ne’er-do-well watches from around the corner, drooling with anticipation. Spoiler alert⎯Ozzie is about to get HACKED. In this talk, the speakers play the characters of Ozzie and Nova and playfully demo cluster security as Nefarious Nova exploits each of Ozzie’s security decisions. What can Overconfident Ozzie do when Nova gets the upper hand? How can Ozzie proactively keep Nova’s threats at bay? Take security beyond the firewall and discover cloud native security concepts such as identity management, container image scanning and signing, creating and implementing policies, runtime security, and secrets management. Learn security basics alongside Overconfident Ozzie, who is sure the cluster is COMPLETELY secure this time. There is nothing Nova can do to break… uh-oh. Not again!

KCD Guadalajara 2024 - The Overconfident Operator Vs the Nefarious Ne’er-Do-Well

2023

KubeCon NA 2023 - The Overconfident Operator Vs the Nefarious Ne’er-Do-Well

  • Type: Talk
  • Where: YouTube
  • Date: 08th November 2023

Lighting Talk 2 aka WTF is the Journey

  • Type: Lighting Talk
  • Where: YouTube
  • Date: 17th October 2023

As per X:

I gave a lightning talk at KCD UK 2023, it was impromptu, sleep deprived, anxiety ridden, but described as a good rant. This is me sharing the advice I wish I had when I got started in my career

⚡️ Enlightning - Signed, Sealed, Delivered, I’m Yours! An Introduction to Sigstore

  • Type: Discussion
  • Where: YouTube
  • Date: 23rd March 2023

How do you know that the software you’re running on your laptop or in production is actually the software you think you’re running? Attackers may try to modify source code or compiled binaries/containers as they move about the internet and your network. We can check the authenticity of software and other digital artefacts with digital signatures. But, in practice, almost nobody does! Today, we’ll see why not, and what the Sigstore project is doing to fix that. We’ll explore digital signatures, losing your Yubikey on the street, why the price of security for OSS projects should be zero, how you achieve more security by promising less, and why software signatures need “sunshine laws,” all in the context of the Sigstore project and its constituent components Fulcio, Rekor, and Cosign. You’ll learn how the OSS ecosystem is getting more secure every day and how you can apply the same tools and principles.

Cloud Native Manchester - Some like it hot (SLSA)

Public Cloud Kubernetes London - Some like it hot (SLSA)

Fosdem - What Does Rugby Have To Do With Sigstore?

Cosign, fulcio, rekor are all components in keyless signing with Sigstore.

Each piece has its responsibility to provide a smooth developer experience for container signing.

How does it all work together to complete that complicated dance to tie identity to cryptographic signatures?

And what’s more cryptic than rugby?

In this talk, James and Lewis will educate attendees about sigstore and container signing using examples from the best sport in the world, rugby.

If you’re interested in learning more about sigstore and what a hooker does, this talk is for you.

2022

KubeCon NA 2022 - Hack Back; Let’s Learn Security With CTFs

Threat actors have always been looking to attack clusters. Do you have the right security in place to detect and defeat if they are targeting yours? Or they are already in?

Kubernetes has become the de facto cloud operating system and production environments have increased in maturity. So have the threats.

Security Teams don’t necessarily have the expertise to detect state-of-art attack scenarios specific to cloud-native environments, like Kubernetes.

So, where do they get started? Capture-The-Flag (CTF) events are a great way to learn about the techniques of both attack (Red Team) and defence (Blue Team).

This talk will give you a framework for your own internal CTF events, with Red and Blue Team assessments, as a best practice for improving security in your organisation.

We’ll give a hands-on, live walkthrough of the top 3 state-of-art attack scenarios as CTF exercises using common open source projects like Simulator and Tetragon.

Remember, the best way to learn how to detect is to first know how to attack!

KCDC 2022 - The Hand That Feeds - How to Misuse Kubernetes

We usually trust the hand that feeds, but what happens when we can’t trust the hand that feeds us? How do we run applications when there is little to no trust?

In this session, we’re going to start by taking a look at attack paths in and around Kubernetes, acting as a Red Team. We’ll take advantage of an OWASP vulnerability within a Supply Chain attack giving us an entry point. From there, together we’ll explore how an attacker can take further control of the cluster via lateral and vertical movements.

Once we have your attention from seeing how this could be someone’s worst day, we’ll look at how we can patch this up as a Blue Team. What do we have available from Kubernetes that can mitigate some of this disaster, and what practices should we put in place to further strengthen and defend our compute.

From attending this session, you’ll leave with a Purple Team understanding of core concepts within Kubernetes, that defence is strengthened with depth, and how we can defend from Script Kiddies to Nation States.

KCDC 2022 - The Lost Art Of Keeping A Secret

One thing that L**** has noticed recently is that with all the advances that we have in technology, we still appear to have problems in keeping secrets to ourselves.

In this talk, *E*** will introduce the core concepts of secrets. We look at an overview as to how best we can manage secrets, from creating them to using them in our applications.

**W** will then look at the actors involved, the role of a developer consuming a secret, an engineer providing and defending them to an attacker on the lookout for some more data.

***I* will then look at ways that we can manage secrets over many environments, from development to production. Finally, we check what to do when our secrets aren’t so secret anymore.

Finally, ****S will finish with case studies of where security first has won and the instances where the secrets have been given away.

This talk will focus on the implementation of secrets based on cloud technologies, but the core concepts can be used within any system and the best practices that should be followed to give you a fighting chance to keep it to yourself.

DevSecCon24 - Threat Modelling Kubernetes: A Lightspeed Introduction

  • Type: Talk
  • Where: Online
  • Date: 14th June 2022

Cloud native container and Kubernetes systems bring new threats and risks to our precious workloads. As cloud technologies undergo rapid innovation and new tools and techniques emerge, security can get left behind. The answer to this conveyor-belt of potential insecurity? Threat modelling! Join us for a primer on threat modelling cloud native systems, understanding adversarial techniques and preventative measures, and helping security and engineering teams increase the security and velocity of system delivery.

OWASP AppSec EU - The Hand That Feeds - How to Misuse Kubernetes

  • Type: Talk
  • Link: Online
  • Where: Online
  • Date: 09th June 2022

We usually trust the hand that feeds, but what happens when we can’t? How do we run applications when there is little to no trust?

In this session, we’re going to start by taking a look at attack paths in and around Kubernetes, acting as a Red Team. We’ll take advantage of an OWASP vulnerability within a Supply Chain attack to give us an entry point. From there, together we’ll explore how an attacker can take further control of the cluster via lateral and vertical movements.

Once we have your attention from seeing how this could be someone’s worst day, we’ll look at how we can patch this attack up as a Blue Team. We’ll see how Kubernetes can mitigate some of this disaster, and what practices we should put in place to further strengthen and defend our compute.

From attending this session, you’ll leave with a Purple Team understanding of core concepts within Kubernetes, that defence is strengthened with depth, and how we can defend from Script Kiddies to Nation States.

KubeCon EU 2022 - Threat Modelling Kubernetes: A Lightspeed Introduction

  • Type: Talk
  • Video: YouTube
  • Where: Feria Valencia, Valencia, Spain
  • Date: 19th May 2022

Cloud native container and Kubernetes systems bring new threats and risks to our precious workloads. As cloud technologies undergo rapid innovation and new tools and techniques emerge, security can get left behind. The answer to this conveyor-belt of potential insecurity? Threat modelling! Join us for a primer on threat modelling cloud native systems, understanding adversarial techniques and preventative measures, and helping security and engineering teams increase the security and velocity of system delivery.

Cloud Native Security Days EU 2022 - CTF Overview and Experience

Prepare yourself for tomorrow’s CTF event with a warm-up session based on introductory SecurityCon CTF events. All experience levels are welcome!

Learn how to engage with confounding container breakouts, confusing Kubernetes misconfigurations, and the art of engaging with CTF events to prepare yourself for the high-flying no-holds-barred super-inverted gravity-defying capture the flag event at SecurityCon tomorrow!

NDC London 2022 - An Introduction to Kubernetes

  • Type: Workshop
  • Link: London, UK
  • Where: Queen Elizabeth II Centre, London
  • Date: 09th May 2022

In this workshop, we’re going to introduce you to the orchestrator formally known as Kubernetes. This isn’t about why or if you should be using it, more of I need to work with a Kubernetes cluster and how do I connect to it and get it to work for me.

In this workshop, you will:

  • have your very own cluster already setup and show you how to connect to it from your own machine
  • understand how we run our workloads and how to update them
  • how do we load balancer our workloads and make them available to others on the internet
  • some common mistakes that you can avoid

By the end of the workshop, you will be able to hold your head high and say that you can work with a Kubernetes cluster and be ready for your next Cloud Native adventure!

DevSecCon Wales - HackTheBox-athon Workshop 2022

CNW / AI Wales - The One When We Went To Newport

KernelCon - The Hand That Feeds: How to Misuse Kubernetes

We usually trust the hand that feeds, but what happens when we can’t? How do we run applications when there is little to no trust? In this session, we’re going to start by taking a look at attack paths in and around Kubernetes, acting as a Red Team. We’ll take advantage of an OWASP vulnerability within a Supply Chain attack to give us an entry point. From there, together we’ll explore how an attacker can take further control of the cluster via lateral and vertical movements. Once we have your attention from seeing how this could be someone’s worst day, we’ll look at how we can patch this attack up as a Blue Team. We’ll see how Kubernetes can mitigate some of this disaster, and what practices we should put in place to further strengthen and defend our compute. From attending this session, you’ll leave with a Purple Team understanding of core concepts within Kubernetes, that defence is strengthened with depth, and how we can defend from Script Kiddies to Nation States.

.NET Beyond - The Hand That Feeds: How to Misuse Kubernetes

  • Type: Talk
  • Where: Online
  • Date: 31st March 2022

We usually trust the hand that feeds, but what happens when we can’t trust the hand that feeds us? How do we run applications when there is little to no trust?

In this session, we’re going to start by taking a look at attack paths in and around Kubernetes, acting as a Red Team. We’ll take advantage of an OWASP vulnerability within a supply chain attack giving us an entry point. From there, together we’ll explore how an attacker can take further control of the cluster via lateral and vertical movements.

Once we have your attention from seeing how this could be someone’s worst day, we’ll look at how we can patch this up as a Blue Team. We’ll see what we have available from Kubernetes that can mitigate some of this disaster, and what practices we should put in place to further strengthen and defend our compute.

From attending this session, you’ll leave with a Purple Team understanding of core concepts within Kubernetes, that defence is strengthened with depth, and how we can defend from Script Kiddies to Nation States.

KernelCon - Kubernetes Security: Learn By Hacking

  • Type: Workshop
  • Where: Omaha, USA
  • Date: 30th - 31st March 2022

Understand why many cloud native services have evolved quickly, and often miss vital security considerations, with Hacking Kubernetes, GKE CIS Benchmark, and SANS authors:

  • Secure containerized applications and defend orchestration workloads.
  • Use real-world exploits to target key application deployment components.
  • Understand the risks involved in running cloud native infrastructure.
  • Explore vulnerabilities to cloud native deployments through authentication, pipeline, and supply chain exploits.
  • Exploit and then secure application deployments via Docker and Kubernetes.
  • Determine how vulnerabilities are exploited and how defences are designed.

CNW / AI Wales - Spring Awakening

Private Kubernetes Training February 2/2

  • Type: Training
  • Where: Online
  • Date: 08th - 09th February 2022

Private Kubernetes Training February 1/2

  • Type: Training
  • Where: Online
  • Date: 02nd - 03rd February 2022

Private Kubernetes Training January 2022 2/2

  • Type: Training
  • Where: Online
  • Date: 26th - 27th January 2022

Private Kubernetes Training January 2022 1/2

  • Type: Training
  • Where: Online
  • Date: 20th - 21st January 2022

Tanzu Tuesdays - Kubernetes Capture the Flag - Again

  • Type: Talk
  • Where: Online
  • Date: 11th January 2022

Podcast - The KubeCon CTF

In this episode Steve speaks with the Control Plane Kubernetes security training gurus, Lewis Denham-Parry and Andy Martin about their brain-child, the KubeCon Capture the Flag!

We get into how it began, the community the enables it and the inspiration for some of the concepts within its structure and scenes.

Recorded back in June 2021 and long overdue thanks to some editing nightmares, this is one to listen to before we meet up for KubeCon 2022.

2021

Private Kubernetes Training December 2021 2/2

  • Type: Training
  • Where: Online
  • Date: 08th - 09th December 2021

Private Kubernetes Training December 2021 1/2

  • Type: Training
  • Where: Online
  • Date: 01st - 02nd December 2021

Tanzu Tuesdays November 2021 - Kubernetes CTF

  • Type: Talk
  • Where: Online
  • Date: 30th November 2021

BSides London November 2021 - Kubernetes CTF

  • Type: CTF
  • Where: London, UK
  • Date: 12th November 2021

Delve deeper into the dark and mysterious world of Kubernetes security! Exploit a supply chain attack and start your journey deep inside the target infrastructure, exploit your position to hunt and collect the flags, and hopefully learn something new and wryly amusing along the way!

Attendees can play six increasingly beguiling and demanding scenarios to bushwhack their way through the dense jungle of Kubernetes security. Everybody is welcome, from beginner to hardened veteran, as we venture amongst the low-hanging fruits of insecure configuration and scale the lofty peaks of cluster compromise!

KubeCon Cloud Native Security Conference Day - Capture The Flag NA 2021

Review of the Capture the Flag event hosted at Cloud Native Security Conference NA that was part of KubeCon NA 2021.

Private Kubernetes Security Training October 2021

  • Type: Training
  • Where: Online
  • Date: 04th - 06th October 2021

Private Kubernetes Training September 2021 2/2

  • Type: Training
  • Where: Online
  • Date: 22nd - 23rd September 2021

Klustered

  • Type: Debugging
  • Where: Online
  • Date: 16th September 2021

KCD UK

  • Type: Conference
  • Where: Online
  • Date: 16th September 2021

Private Kubernetes Training September 2021 1/2

  • Type: Training
  • Where: Online
  • Date: 15th - 16th September 2021

KCD UK - Kubernetes Threat Modelling Workshop

  • Type: Workshop
  • Where: Online
  • Date: 13th September 2021

Private Kubernetes Security Training August 2021

  • Type: Training
  • Where: Online
  • Date: 23rd - 25th August 2021

Cloud Natives UK - with special guest Liz Rice and Andrew Martin

  • Type: Meetup
  • Where: Online
  • Date: 12th August 2021

O’Reilly - Kubernetes Threat Modelling August 2021

  • Type: Workshop
  • Where: Online
  • Date: 10th August 2021

Private Kubernetes Talk August 2021

  • Type: Talk
  • Where: Online
  • Date: 03rd August 2021

Private Kubernetes Training July 2021

  • Type: Training
  • Where: Online
  • Date: 21st - 22nd July 2021

Private Kubernetes Security Training July 2021

  • Type: Training
  • Where: Online
  • Date: 12th - 14th July 2021

Private Kubernetes Talk June 2021

  • Type: Talk
  • Where: Online
  • Date: 29th June 2021

Private Kubernetes Training June 2021 2/2

  • Type: Training
  • Where: Online
  • Date: 16th - 17th June 2021

Private Kubernetes Training June 2021 1/2

  • Type: Training
  • Where: Online
  • Date: 09th - 10th June 2021

Private Kubernetes Training May 2021

  • Type: Training
  • Where: Online
  • Date: 10th - 11th May 2021

Cloud Natives UK - with special guest Justin Garrison

  • Type: Training
  • Where: Online
  • Date: 06th May 2021

KubeCon Cloud Native Security Day - Capture The Flag EU 2021

Review of the Capture the Flag event hosted at Cloud Native Security Day EU that was part of KubeCon EU 2021.

Cloud Natives UK - with special guest Dan “Pop” Papandrea

  • Type: Training
  • Where: Online
  • Date: 25th March 2021

2020

Cloud Native Wales Meetup v2.0.2

  • Type: Meetup
  • Where: Online
  • Date: 16 Nov 2020

Cloud Native Wales Meetup v2.0.1

  • Type: Meetup
  • Where: Online
  • Date: 29th Sept 2020

Cloud Native Wales Meetup v2.0.0-alpha

  • Type: Meetup
  • Where: Online
  • Date: 09th Apr 2020

Cloud Native Wales Meetup v1.8.0

  • Type: Meetup
  • Where: Online
  • Date: 12th Mar 2020

Cloud Native Wales Meetup v1.7.0

  • Type: Meetup
  • Where: Online
  • Date: 13th Feb 2020

PubConf London 2020 - You’ve Just Lost The Game

  • Type: Talk
  • Where: London, UK
  • Date: 31st January 2020

2019

CNW / AI Wales: Christmas Social

Cloud Native Wales Meetup v1.6.0

Cloud Native Wales Meetup v1.5.0

Cloud Native Wales Meetup v1.4.0

KCDC - What vulnerabilities? Live hacking of Containers and Orchestrators

Cloud Native Wales Meetup v1.2.0

NDC Oslo - What vulnerabilities? Live hacking of Containers and Orchestrators

We often see alerts about vulnerabilities being found in frameworks that we use today, but should we really care about them? What’s the worst that can happen? Can someone own a container? Could they run a bitcoin miner on my servers? Are they able to own the cluster?

In this talk, we look at one of the worst-case scenarios from a real-world perspective. We have a red team member attempting to hack a cluster we own with a live hack on stage whilst the blue team member tries to stop it from happening.

We’ll discuss developing best practices, implement security policies and how best to monitor your services to put preventative measures in place.

Cloud Native Wales Meetup v1.1.0

  • Type: Meetup
  • Where: Meetup
  • Date: 13th Jun 2019

BlueConf - Contributing With No Code

  • Type: Lightning Talks
  • Where: BlueConf
  • Date 08th Jun 2019

BlueConf - WTF is Cloud Native

µCon London 2019 - How do we become Cloud Native?

KubeCon EU - How we contributed to the community with no code

This time last year, two people from Wales, United Kingdom decried to bring the CNCF to their doorstep.

Previously, they were attending international conferences and national meetups to meet and be a part of the community.

Knowing that they were in a privileged position, they wanted to share it with others that, for whatever reason, were unable to make these events.

Cloud Native Wales will be soon celebrating a year of meetups, and best of all, we get to share this with the 100’s of people within our meetup community.

This talk will inspire you to take the chance to branch the CNCF and build a community closer to home, help others learn, share and contribute to the world wide community.

Cloud Native Wales Meetup v1.0.0

PubConf Minnesota 2019 - Captain Planet: Not the Hero We Want or Need

NDC Minnesota 2019 - Scaling Microservices with Message Queues, DotNet Core

and Kubernetes

Cloud Native Wales Meetup v0.12.0

Docker London: State of the Union Address

Cloud Native Wales Meetup v0.11.0

Podcast - CTO and Co-Founder Talk with Dave Albert

  • Type: Podcast
  • Where: player.fm
  • Date: 12th March 2019.

Find out the parallels of mental health to monoliths versus microservices!

Cloud Native Wales Meetup v0.10.0

PubConf London 2019 - Shaun of the Dev

Rapid-fire funny talks, musical acts, and comedy stunts from amazing developers.

NDC London 2019 - Scaling Microservices with Message queues, .NET and

Kubernetes

When you design and build applications at scale, you deal with two significant challenges: scalability & robustness. You should design your service so that even if it is subject to intermittent heavy loads, it continues to operate reliably. But how do you build such applications? And how do you deploy an application that scales dynamically? Kubernetes has a feature called autoscaler where instances of your applications are increased or decreased automatically based on metrics that you define.

In this talk, you’ll learn how to design, package & deploy reliable .NET applications to Kubernetes & decouple several components using a message broker. You will also learn how to set autoscaling rules to cope with an increasing influx of messages in the queue.

Cloud Native Wales Meetup v0.9.0

2018

Cloud Native Wales Meetup v0.8.0

Cloud Native Wales Meetup v0.7.0

µCon London 2018 - One Monolith / One Macroservice / Many Microservices

  • Type: Talk
  • Where: London, UK
  • Date: 05th November 2018

From working with a number of companies, the only constant is seeing that each company has their own way of migrating from a monolith to a microservice architecture, and it never working out as planned. In this talk Lewis will share with you the idea of embracing your monolith and making it a macroservice. He’ll explore the benefits of this approach from both a technical and business perspective, and plan how to convert this macroserivce into microservices.

Cloud Native Wales Meetup v0.6.0

Cloud Native Wales Meetup v0.5.0

  • Type: Meetup
  • Where: Meetup
  • Date: 13th Sept 2018

ProgNet London 2018 - Use Kubernetes to Deploy .NET Applications

  • Type: Workshop
  • Where: London, UK.
  • Date: 12th September 2018.

With the explosive momentum of Docker, Kubernetes has become the de-facto standard for orchestrating and managing containerised apps in production.

Cloud Native Wales Meetup v0.4.0

Cloud Native Wales Meetup v0.3.0

Cloud Native Wales Meetup v0.2.0

Cloud Native Wales Meetup v0.1.0