December 10, 2024

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for SOSS Community Day India 2024 to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

Please note: all times on this schedule are India Standard Time (UTC+5:30).

Sessions shown: Mid Level

Tuesday, December 10

9:25am IST

Cooking up Secure OCI Artifacts with SLSA - Harsh Thakur, Civo & Saiyam Pathak, Loft Labs
Tuesday December 10, 2024 9:25am - 9:45am IST
Achieving SLSA (Supply-chain Levels for Software Artifacts) compliance is essential in today's world of increasing cyber threats. This talk provides a hands-on approach to implementing SLSA for your OCI artifacts, starting from your existing build pipelines. We will delve into the practical steps involved, including:
* Generating high-quality Software Bills of Materials (SBOMs) and provenance: learn how to create accurate and comprehensive metadata for your artifacts.
* Leveraging cosign for keyless attestations: discover how to sign attestations without managing long-lived keys, using short-lived certificates bound to the build's OIDC identity.
* Integrating with BuildKit providers for hermetic builds: ensure the integrity and reproducibility of your builds by isolating them from the surrounding environment, so that no unpinned or network-fetched input can enter the build.
* Best practices for dependency pinning, automated patching, attestation sharing, and collaboration with compliance teams: gain insights into effective strategies for maintaining compliance and security.
By the end of this talk, you will have a clear understanding of how to apply SLSA principles in your build processes and produce secure, trustworthy OCI artifacts.
Speakers
Saiyam Pathak (Principal Developer Advocate, Loft Labs)
Saiyam is working as Principal Developer Advocate at Loft Labs. He is the founder of Kubesimplify and BuildSafe. Previously at Civo, Walmart Labs, Oracle, and HP, Saiyam has worked on many facets of Kubernetes. When not coding, Saiyam contributes to the community by writing blogs and...
Harsh Thakur (Infrastructure Engineer, Civo)
Harsh's tech journey began in software development, leading to open-source contributions in the CNCF. His passion for complex systems propelled him into infrastructure engineering, gaining expertise in building control planes and designing APIs, and architecting cost-effective solutions...
Room 201 (Level 2) - Breakout Sessions

10:15am IST

Towards a Quantum Proof Software Supply Chain with Post Quantum Cryptographic Algorithms - Anitha Natarajan & Savita Ashture, Red Hat
Tuesday December 10, 2024 10:15am - 10:35am IST
We depend on cryptography to secure our software supply chain. But what if that cryptography stopped working? What if an adversary could casually break your signing keys? This session details one possible approach to converting a quantum-vulnerable stack into a quantum-resistant one, using Tekton, a powerful open-source framework for creating CI/CD pipelines, as the sample. Tekton Chains is a component of Tekton that integrates with Sigstore to offer a secure CI/CD solution. We will explore the steps to make Tekton quantum-safe in the following sequence:
- What are the quantum threats to existing cryptographic algorithms?
- How to identify the quantum vulnerabilities in Tekton
- What are Post-Quantum Cryptographic (PQC) algorithms?
- Walkthrough of NIST standards and guidelines for migrating to PQC (NIST published FIPS 204 for ML-DSA and FIPS 205 for SLH-DSA, the first standardized post-quantum signature schemes, in August 2024)
- The importance of a hybrid approach that combines classical and quantum-resistant signing algorithms while transitioning, so that a break of either scheme alone does not forge a signature
Key takeaways for the audience: an understanding of quantum vulnerabilities and PQC, reliable guidelines for transitioning to a quantum-safe state, and a deep dive into how we made Tekton quantum-safe as a reference implementation.
Speakers
Savita Ashture (Software Engineer, Red Hat)
Savita Ashture works at Red Hat as a Senior Software Engineer in Bangalore, India. She is an open-source enthusiast who contributes to open source in every possible way. She has working experience on public and private cloud, Kubernetes, Knative, Tekton, Service Mesh etc. around cloud native...
Anitha Natarajan (Principal Software Engineer, Red Hat)
An open-source enthusiast and an aspiring enterprise architect adept at technology requirements analysis, application design and development. Hands-on in leveraging multicloud services and DevOps solutions to meet technology requirements.
Room 201 (Level 2) - Breakout Sessions

10:40am IST

How Have We Adopted Secure Software Delivery Practices for Fission OSS Serverless Platform? - Sanket Sudake, InfraCloud Technologies
Tuesday December 10, 2024 10:40am - 10:55am IST
In an era of rising software supply chain attacks, this talk explores how we implemented robust security practices in Fission, an open-source serverless framework for Kubernetes used by thousands globally. We will detail our implementation of the SLSA (Supply-chain Levels for Software Artifacts) specification, addressing critical threats like compromised builds and unauthorized modifications through reproducible builds, signed artifacts, and secure dependency management. We will demonstrate how we addressed these challenges through:
- Implementing reproducible builds to ensure build integrity
- Adopting signed artifacts and attestations for authenticity verification
- Securing our base images and dependency chain
- Establishing automated security scanning and verification pipelines
Through practical code examples, we'll show how organizations can implement these security practices in their CI/CD pipelines. We'll share our experiences, the challenges faced during implementation, and the lessons learned while securing a widely-used open-source platform.
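Both this talk and the earlier "Cooking up Secure OCI Artifacts with SLSA" session rely on a consumer actually checking the provenance attestation before an artifact is admitted. The following is an added example of that verification step; it is not code from either talk, from Fission, or from the cosign project. It assumes the DSSE envelope's signature has already been verified (for keyless cosign signatures, `cosign verify-attestation` with `--certificate-identity` and `--certificate-oidc-issuer` does that and prints the envelope) and only inspects the payload; the statement, image name, digests, builder id and policy values are constructed placeholders.

```python
import base64
import json

# Added example: policy checks on a SLSA v1 provenance attestation. All names,
# digests and URLs below are constructed placeholders; the DSSE signature is a
# dummy because this code assumes cosign already verified it.

IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"
SLSA_V1_PREDICATE = "https://slsa.dev/provenance/v1"

SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "ghcr.io/example/app", "digest": {"sha256": "a" * 64}}],
    "predicateType": SLSA_V1_PREDICATE,
    "predicate": {
        "buildDefinition": {
            "buildType": "https://example.com/buildkit-provenance/v1",
            "externalParameters": {"source": "https://github.com/example/app",
                                   "ref": "refs/tags/v1.2.3"},
            "resolvedDependencies": [
                {"uri": "git+https://github.com/example/app@refs/tags/v1.2.3",
                 "digest": {"gitCommit": "b" * 40}},
                {"uri": "pkg:docker/alpine@3.20", "digest": {"sha256": "c" * 64}},
            ],
        },
        "runDetails": {"builder": {
            "id": "https://github.com/example/app/.github/workflows/release.yml@refs/tags/v1.2.3"}},
    },
}

# What a deploy-time verifier is willing to accept for this image (constructed).
POLICY = {
    "allowed_builder_prefixes": ["https://github.com/example/app/.github/workflows/"],
    "expected_build_type": "https://example.com/buildkit-provenance/v1",
    "expected_source": "https://github.com/example/app",
}


def make_envelope(statement):
    """Wrap a statement the way cosign stores attestations: a DSSE envelope whose
    payload is the base64 of the statement JSON. The signature is a placeholder."""
    return {
        "payloadType": IN_TOTO_PAYLOAD_TYPE,
        "payload": base64.b64encode(json.dumps(statement).encode()).decode(),
        "signatures": [{"keyid": "", "sig": "placeholder-not-a-real-signature"}],
    }


SAMPLE_ENVELOPE = make_envelope(SAMPLE_STATEMENT)


def unwrap_envelope(envelope):
    """Return the in-toto statement carried by a DSSE envelope (signature assumed
    already verified: for keyless signing, certificate identity and OIDC issuer)."""
    if envelope.get("payloadType") != IN_TOTO_PAYLOAD_TYPE:
        raise ValueError(f"unexpected payloadType {envelope.get('payloadType')!r}")
    return json.loads(base64.b64decode(envelope["payload"]))


def verify_provenance(envelope, expected_digest, policy):
    """Check the provenance against the artifact digest and the policy.
    Returns a list of failure reasons; an empty list means the artifact may be admitted."""
    failures = []
    stmt = unwrap_envelope(envelope)
    if stmt.get("predicateType") != SLSA_V1_PREDICATE:
        return [f"predicateType is {stmt.get('predicateType')!r}, want {SLSA_V1_PREDICATE}"]
    # 1. The attestation must be about exactly the artifact being deployed; a valid
    #    signature on provenance for some other image proves nothing about this one.
    subject_digests = {s.get("digest", {}).get("sha256") for s in stmt.get("subject", [])}
    if expected_digest not in subject_digests:
        failures.append("subject digest does not match the artifact being verified")
    pred = stmt.get("predicate", {})
    build_def = pred.get("buildDefinition", {})
    # 2. Only a trusted builder (here: a specific workflow in our repo) may vouch for it.
    builder_id = pred.get("runDetails", {}).get("builder", {}).get("id", "")
    if not any(builder_id.startswith(p) for p in policy["allowed_builder_prefixes"]):
        failures.append(f"untrusted builder {builder_id!r}")
    # 3. buildType pins which build platform and parameter schema produced the artifact.
    if build_def.get("buildType") != policy["expected_build_type"]:
        failures.append(f"unexpected buildType {build_def.get('buildType')!r}")
    # 4. The source must be our repository, not a fork pushed through the same builder.
    source = build_def.get("externalParameters", {}).get("source", "")
    if source != policy["expected_source"]:
        failures.append(f"unexpected source {source!r}")
    # 5. Hermetic builds pin every input; an unpinned dependency is a hole in provenance.
    for dep in build_def.get("resolvedDependencies", []):
        if not dep.get("digest"):
            failures.append(f"unpinned dependency {dep.get('uri')!r}")
    return failures


if __name__ == "__main__":
    print(verify_provenance(SAMPLE_ENVELOPE, "a" * 64, POLICY) or "provenance OK")
```

The digest check comes first on purpose: the most common mistake is to verify that some attestation from the right builder exists, rather than that the attestation names the exact digest about to run. The builder check uses a prefix so a tag-pinned workflow ref still matches, but it still rejects the same workflow file living in another repository.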
Speakers
Sanket Sudake (Principal Engineer, InfraCloud Technologies)
I am a Principal Engineer at InfraCloud with 10+ years of experience. My interest areas are containers, cloud and distributed systems. I am an open-source contributor and maintainer for the Fission serverless platform on Kubernetes. I am a tech enthusiast and like to explore different...
Room 201 (Level 2) - Breakout Sessions

11:15am IST

Who Guards the Guards? - Arnab Chatterjee, Nomura
Tuesday December 10, 2024 11:15am - 11:35am IST
The question "Who guards the guards?" relates to the challenge of securing even those tasked with providing security. In the context of open-source software, this means asking: how do we secure the very tools, libraries, and frameworks that we rely on to protect our systems? In open-source ecosystems, the "guards" are the developers, maintainers, and security tools that manage code integrity, vulnerabilities, and trustworthiness. The talk covers five ways the open-source community addresses this:
1. Transparency as defense
2. Automated security tools
3. Supply chain security initiatives
4. Maintainer oversight
5. Community and bug bounty programs
The ultimate goal is an ecosystem where multiple layers of checks and balances (human, automated, and cryptographic) watch each other.
Speakers
Arnab Chatterjee (Vice President, Nomura)
Arnab Chatterjee is a seasoned technologist with nearly two decades of industry experience in data platforms, tools and best practices. He is currently the Global Head of Container Platform and a Kubernetes expert responsible for setting container orchestration strategy in...
Room 201 (Level 2) - Breakout Sessions

11:40am IST

Patch It Up: Real-Time Vulnerability Management with Kyverno and KubeArmor - Barun Acharya & Ramakant Sharma, Accuknox Inc.
Tuesday December 10, 2024 11:40am - 12:00pm IST
Organizations rely on admission controllers like Kyverno and on static analysis tools to enforce a wide range of security best practices, but these measures alone do not protect against vulnerabilities discovered after a workload is already running. When a new vulnerability lands, application upgrades often take time, and it can be more effective to sandbox the vulnerable behaviour than to wait for upstream fixes. Virtual patching contains and prevents exploitation at runtime without changing application behaviour or deployment processes, and so avoids downtime; it is a stopgap that buys time for the real upgrade, not a replacement for it. In this talk, we will explore live examples using well-known vulnerabilities such as Log4Shell (CVE-2021-44228), PwnKit (CVE-2021-4034), the xz backdoor (CVE-2024-3094), and Leaky Vessels (CVE-2024-21626). We will demonstrate how to use Kyverno to identify vulnerable workloads, consume results from image vulnerability scanners, and generate KubeArmor policies that apply virtual patches to specific deployments, securing them without disrupting operations.
Speakers
Barun Acharya (Software Engineer, AccuKnox)
Barun likes hacking on low-level stuff and fiddling around with developer tooling. He is currently a maintainer and leads the development efforts for KubeArmor, a CNCF Sandbox project, and works as a Software Engineer at AccuKnox. He loves to speak at conferences talking about open source...
Ramakant Sharma (Software Engineer, AccuKnox; Maintainer, KubeArmor)
Passionate software engineer, actively contributing to open source and serving as a maintainer of a CNCF project, focused on collaborative development.
Room 201 (Level 2) - Breakout Sessions

12:05pm IST

AI-Driven Policy Automation with Kyverno - Sonali Srivastava & Pavan N G, Infracloud
Tuesday December 10, 2024 12:05pm - 12:20pm IST
Finalizing the right policies to secure a Kubernetes cluster involves tedious manual effort, from selecting relevant policies to running them in Audit mode and reviewing compliance reports. Addressing non-compliant configurations and handling exceptions further complicates the workflow, for example Istio's init container, which needs to run as root and therefore conflicts with a `runAsNonRoot` policy. Managing policies at scale is a significant challenge and often leads to misconfigurations, delays, and security risks. In this talk, we'll explore tools like k8sGPT and GPTScript to simplify Kyverno policy management by scanning a Kubernetes cluster and suggesting policies based on best practices. Policies the cluster already satisfies can be switched to Enforce automatically, while the violations reported for the rest are analyzed with AI-driven checks that propose fixes to your infrastructure. Integrated into platform engineering, this reduces human intervention and keeps the cluster compliant and secure with zero downtime.
Speakers
Sonali Srivastava (Developer Advocate, InfraCloud Technologies)
Sonali is an experienced IT professional with a diverse background. She began her career as a Linux System Administrator. Sonali's passion for open source and Linux led her to Outreachy, where she contributed to the systemd project. Recently, she created LFS255, Mastering Kubernetes...
Pavan N G (Site Reliability Engineer, InfraCloud)
I'm an SRE with a decade of IT experience and certifications in AWS and Azure. I specialize in cloud technologies, Kubernetes, and Argo CD. My expertise includes infrastructure automation, container orchestration, and platform engineering. I enhance system reliability and scalability...
Room 201 (Level 2) - Breakout Sessions

12:45pm IST

From CVE Chaos to Control: Building a "0 CVE" Strategy - Rakshit Gondwal, BuildSafe & Harsh Thakur, Civo
Tuesday December 10, 2024 12:45pm - 1:05pm IST
Overwhelmed by the constant flood of CVEs? With vulnerabilities expected to rise by 25% this year, many security teams are experiencing "CVE fatigue"—the exhausting cycle of identifying, prioritizing, and remediating vulnerabilities. This talk will guide you toward a "Zero CVE" strategy, where vulnerabilities are minimized, and management is streamlined. We’ll explore actionable strategies to combat CVE fatigue, including reducing software dependencies, automating OS package updates, and simplifying vulnerability management with a single package manager. We’ll also discuss prioritizing remediation using runtime analysis and VEX (Vulnerability Exploitability eXchange) documents. By integrating security into the software development lifecycle, attendees will gain practical knowledge to build a strategy that not only minimizes CVEs but also strengthens the overall security posture.
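To make the VEX and runtime-analysis prioritization concrete, here is an added example (not code from the talk or from BuildSafe) that applies an OpenVEX document to a scanner's findings and orders what remains. The scanner rows, image purl, CVE ids, package versions and the set of runtime-loaded packages are all constructed for the example; the OpenVEX field names, statuses and justifications follow the OpenVEX v0.2.0 specification.

```python
# Added example: apply an OpenVEX document to scanner findings and prioritize the
# rest. All identifiers below (image purl, CVE ids, package versions, the
# runtime-loaded set) are constructed sample data, not real findings.

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

PRODUCT = "pkg:oci/app@sha256:" + "d" * 64  # constructed image purl

# Constructed scanner output, one row per (CVE, package) pair.
SCAN_FINDINGS = [
    {"id": "CVE-2024-0001", "pkg": "pkg:apk/alpine/openssl@3.1.4", "severity": "critical", "fixed_in": "3.1.5"},
    {"id": "CVE-2024-0002", "pkg": "pkg:apk/alpine/busybox@1.36.1", "severity": "high", "fixed_in": None},
    {"id": "CVE-2024-0003", "pkg": "pkg:golang/github.com/example/lib@1.0.0", "severity": "high", "fixed_in": "1.0.1"},
    {"id": "CVE-2024-0004", "pkg": "pkg:apk/alpine/zlib@1.3", "severity": "medium", "fixed_in": "1.3.1"},
    {"id": "CVE-2024-0005", "pkg": "pkg:apk/alpine/curl@8.4.0", "severity": "critical", "fixed_in": "8.5.0"},
]

# Constructed OpenVEX v0.2.0 document issued by the image's owners.
VEX_DOC = {
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.com/vex/app-2024-12-10",
    "author": "app security team",
    "timestamp": "2024-12-10T09:25:00+05:30",
    "version": 1,
    "statements": [
        {   # vulnerable busybox applet is present but never invoked by this image
            "vulnerability": {"name": "CVE-2024-0002"},
            "products": [{"@id": PRODUCT, "subcomponents": [{"@id": "pkg:apk/alpine/busybox@1.36.1"}]}],
            "status": "not_affected",
            "justification": "vulnerable_code_not_in_execute_path",
        },
        {   # distro backported the zlib fix without bumping the version string
            "vulnerability": {"name": "CVE-2024-0004"},
            "products": [{"@id": PRODUCT, "subcomponents": [{"@id": "pkg:apk/alpine/zlib@1.3"}]}],
            "status": "not_affected",
            "justification": "vulnerable_code_not_present",
        },
        {   # still being triaged: must NOT suppress the finding
            "vulnerability": {"name": "CVE-2024-0003"},
            "products": [{"@id": PRODUCT}],
            "status": "under_investigation",
        },
    ],
}

# Constructed result of runtime analysis: packages actually loaded by the running
# workload. Findings in these rank above everything else, whatever the CVSS score.
RUNTIME_LOADED = {"pkg:apk/alpine/openssl@3.1.4", "pkg:golang/github.com/example/lib@1.0.0"}


def vex_status(vex, product, finding):
    """Return (status, justification) the VEX document asserts for this finding on
    this product, or None if the document is silent. A statement matches on CVE
    name and product @id; if it lists subcomponents, the finding's package purl
    must be among them. When several statements match, the last one in the
    document wins (simplifying assumption for this example)."""
    match = None
    for stmt in vex.get("statements", []):
        if stmt.get("vulnerability", {}).get("name") != finding["id"]:
            continue
        for prod in stmt.get("products", []):
            if prod.get("@id") != product:
                continue
            subs = {s.get("@id") for s in prod.get("subcomponents", [])}
            if subs and finding["pkg"] not in subs:
                continue
            match = (stmt.get("status"), stmt.get("justification"))
    return match


def triage(findings, vex, product, runtime_loaded):
    """Split findings into 'suppressed' (VEX says not_affected with a justification,
    or fixed) and 'actionable', ordered runtime-reachable first, then by severity,
    then fixable before unfixable."""
    suppressed, actionable = [], []
    for f in findings:
        item = dict(f)
        status = vex_status(vex, product, f)
        item["vex_status"] = status[0] if status else None
        if status and status[0] == "not_affected" and status[1]:
            item["reason"] = status[1]  # OpenVEX requires a justification for not_affected
            suppressed.append(item)
        elif status and status[0] == "fixed":
            item["reason"] = "fixed"
            suppressed.append(item)
        else:
            # affected, under_investigation, not_affected without a justification
            # (invalid, so ignored), or no statement at all: stays in the queue
            actionable.append(item)
    actionable.sort(key=lambda f: (0 if f["pkg"] in runtime_loaded else 1,
                                   SEVERITY_RANK.get(f["severity"], len(SEVERITY_RANK)),
                                   0 if f["fixed_in"] else 1))
    return {"suppressed": suppressed, "actionable": actionable}


if __name__ == "__main__":
    result = triage(SCAN_FINDINGS, VEX_DOC, PRODUCT, RUNTIME_LOADED)
    for f in result["suppressed"]:
        print(f"suppressed {f['id']} ({f['pkg']}): {f['reason']}")
    for f in result["actionable"]:
        print(f"fix {f['id']} ({f['pkg']}): {f['severity']}, fixed_in={f['fixed_in']}")
```

Two deliberate choices: a `not_affected` statement without a justification is treated as if it did not exist, because an unjustified exception is exactly the kind of entry that silently ages into a real exposure, and `under_investigation` never suppresses anything. The runtime-loaded set is what turns a flat CVE list into a work queue; a critical in a package the workload never loads (the curl row here) drops below a high in one it does.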
Speakers
Rakshit Gondwal (Developer, BuildSafe)
Rakshit is currently a contributor at BuildSafe, which is an open source supply chain security project. He is also an Approver of the CNCF Incubating project, Keptn, and a Reviewer for the Hydrophone (Kubernetes SIG) project. He has earlier worked as a CNCF'23 Fall Intern for the...
Harsh Thakur (Infrastructure Engineer, Civo)
Room 201 (Level 2) - Breakout Sessions

2:45pm IST

Case Study on Adversarial Emulation Using MITRE Caldera for Kubernetes - Rudraksh Pareek, AccuKnox
Tuesday December 10, 2024 2:45pm - 3:05pm IST
This session showcases how to use MITRE Caldera for adversary emulation, with HashiCorp Vault as the target ("scapegoat") application, demonstrating attacks such as a cryptominer deployment, privilege escalation and, most importantly, a real-time ransomware attack pwning the Vault secrets store. The audience will learn first-hand how to use open-source adversary emulation tooling to validate the security tooling they may already have in their organization. The attacks are mapped back to the MITRE ATT&CK framework to show how an attacker gains a foothold in their assets.
Speakers
Rudraksh Pareek (Software Engineer, AccuKnox)
Room 201 (Level 2) - Breakout Sessions

3:25pm IST

How to Resolve Top 3 Security and Risk Challenges for Enterprises Consuming Open Source - Nitish Tyagi, Gartner
Tuesday December 10, 2024 3:25pm - 3:35pm IST
Gartner believes that more than 95% of IT organizations are using open source whether they are aware of it or not. With the inclusion of GenAI, this consumption is only increasing. This session will enable organizations to tackle the top three challenges of open source: legal implications, software supply chain and community viability by bringing the right collaborations and processes in place.
Speakers
Nitish Tyagi (Principal Analyst, Gartner)
Nitish Tyagi is a Gartner Analyst, serving software engineering leaders with insights on open source software, programming languages and frameworks, super apps and technical skills assessment platforms. Under the open-source coverage, Nitish Tyagi has published multiple Gartner research...
Room 201 (Level 2) - Breakout Sessions

3:40pm IST

Automating Container Security: Docker Scout in CI/CD for Safer Software Supply Chains - Pradumna V Saraf, Independent
Tuesday December 10, 2024 3:40pm - 4:00pm IST
As containerized applications dominate the software development landscape, securing these environments has become essential. Vulnerabilities within container images can expose your applications to significant risks and potential attacks. Docker Scout provides an effective solution to detect and fix these vulnerabilities, enhancing the overall security of your software supply chain. This talk will help you understand the process of integrating Docker Scout into Continuous Integration and Continuous Deployment (CI/CD) pipelines using GitHub Actions. We will walk through the process of setting up automated vulnerability scans for incoming Pull Requests, comparing the current image with the base image to ensure continuous security checks are embedded within your development workflow. The session will include practical insights and real-world examples.
Speakers
Pradumna V Saraf (Open Source Developer, Independent)
Pradumna is a Developer Advocate, Docker Captain, and a DevOps and Go Developer. He is passionate about Open Source and has mentored hundreds of people to break into the ecosystem. He also creates content on X (formerly Twitter) and LinkedIn, educating others about Open Source and...
Room 201 (Level 2) - Breakout Sessions

4:50pm IST

Quarantining and Locking Down Your Cloud Infrastructure - Prerit Munjal, KubeCloud
Tuesday December 10, 2024 4:50pm - 5:05pm IST
Security can be a daunting task when managing hundreds of applications running simultaneously in a hybrid+multi-cloud architecture. Starting from choosing the right base image to implementing run-time security, not to forget about the Day 2 exploits that can arise post-release. But what if your underlying clusters are compromised? Join the session as Prerit takes you on a safari ride to streamline and sanitize your Cloud Infrastructure. We’ll explore how Popeye, an open-source cluster sanitizer tool can help cleanse and optimize your underlying infrastructure. We will explore a diverse range of 20 sanitizers, each offering a unique security flavour to identify potential issues with deployed resources and configurations. These sanitizers effectively identify potential over/under allocations, RBAC misconfigurations, and other issues related to various Kubernetes objects. Don't miss this session for valuable insights on strengthening the security posture of your Kubernetes environment, ensuring resilience and optimized performance.
Speakers
Prerit Munjal (CTO, KubeCloud)
Prerit is working as a Software Architect, directing his expertise towards harnessing Cloud Native Technologies to design resilient architectures that can seamlessly scale in the future, all while prioritizing technical cost, security, availability and end-user experience. As the...
Room 201 (Level 2) - Breakout Sessions