The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for KubeCon + CloudNativeCon Europe 2023 to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.
To graduate, a CNCF project must complete a third-party security audit and publish the results publicly. Because of the nature of the work, much of it happens behind closed doors. In this talk, Adam and David present their experiences auditing CNCF projects: how a security audit progresses, what the projects should expect, and what the outcomes have been so far. They also examine which vulnerabilities have been found and what is required of a CNCF project to complete a third-party security audit. Over the last year and a half, Ada Logics has carried out security audits of six CNCF projects and worked with each project on mitigating the issues found and publishing the results. The projects audited were Flux, CRI-O, KubeEdge, Argo, Istio and Cilium. The talk also goes over the audit reports and how they are useful to contributors, adopters and other security researchers looking to contribute security work. It covers both high-level problems and results and a technical look at the security issues that CNCF projects face.
David Korczynski is a security researcher at Ada Logics whose focus is building tools that automate software security analysis. In the open source community, David is a top contributor to OSS-Fuzz and has worked on fuzzing several CNCF projects, e.g. Fluent Bit, Envoy and Linkerd2-proxy.
Adam is a security engineer at Ada Logics where his work mainly focuses on security automation. He is heavily involved in open source projects and is a top contributor to OSS-Fuzz.