Open Source Summit Europe 2024

However good the tools and processes you use to catch CVEs and security problems pre-deployment, it's still possible that your code and the platform it's running on could be compromised. When a new CVE and its patches are announced, it's called a "zero day", and it's a race against time for security teams to understand whether their deployments are vulnerable, and to get updated versions of all affected components deployed. 

In this talk (with demos) you'll learn about strategies for using the open source runtime security tool, Cilium Tetragon, to detect components that are affected by a CVE. You'll see how eBPF allows Tetragon to generate rich forensic information to understand whether a vulnerability has been exploited in your system, and understand how the component was compromised.

Kubernetes does not provide a rich multi-tenant experience out-of-the-box outside of Namespaces. Third-party tools try to bridge the gap generically, but there is no targeted solution to deal with telemetry data (logs, metrics, and traces). Sandor - the founder of Logging Operator that helps deal with logging on Kubernetes - gathered the team once again to re-evaluate the solution. The three main objectives were: to introduce tenants as first-class citizens, use OpenTelemetry Collector, and make it as simple as possible. The result is a new open-source project called Telemetry Controller. In this talk, Sandor will guide you through challenges like noisy neighbors, invalid configurations, parsing errors of multi-tenant logging, and how to solve them.

Previous generations of networking made up of point solutions organized by Conway's law are inconsistent, incompatible, and slow down developers. Open source alternatives have emerged to provide compelling networking solutions for Platform Engineers but may overlap. In this talk, we introduce the concept of "the CAKES stack" for modern cloud networking based on OSS projects: (C)ilium, (A)mbient mesh, (K)ubernetes, (E)nvoy, and (S)PIFFE/SPIRE. A twist on the stack, BAKES, includes (B)ackstage.io for a platform's internal developer portal which ties everything together like frosting. Each layer in the "cake" was specifically chosen as it represents the "best of breed" for the role required. These technologies come together to provide a consistent solution for zero trust, observability, ingress/egress, traffic control and significantly improved developer experience and velocity.

Traefik is one of the most popular open source projects in the world, with over 3 billion downloads to date, and one of the top 15 most downloaded open source projects on DockerHub. Traefik is an Ingress Controller and API Gateway capable of exposing and securing services and APIs simply, dynamically and at scale. Designed specifically for cloud-native environments, Traefik is the solution of choice from the simplest to the most complex case. If you spend your time managing, exposing and securing your applications and microservices, then this is the session for you! During this session, Emile Vauge (Traefik Creator) will show you how the new features in Traefik version 3 will simplify your daily life: - Support for Open Telemetry to monitor your infrastructure - Support for GatewayAPI resources to expose your resources in Kubernetes - Integration of WASM plugins to create your own middleware And much more...

The distributed development effort across individual teams to build secure software in a constantly evolving security threat landscape results in massive duplication of CI/CD automation work and inconsistent security and compliance postures across teams. The solution is to standardize the CI/CD security & compliance automation for development teams and centralize platform operations and maintenance. Our centralized CI/CD platform prevents software security problems from reaching production systems and streamlines compliance audits using built-in DevSecOps practices. Tekton is used as the open source orchestrator to standardize CI/CD and contribute open source enhancements through our valued ecosystem partnerships to benefit all users. The platform includes open source scanning tools such as Clair for OSS threat intelligence, SonarQube for SAST, and OWASP ZAP for DAST. The platform also extends the traditional CI and CD pipelines with a Continuous Compliance (CC) pipeline which ensures that deployed applications are scanned for new vulnerabilities on a daily basis with unique capabilities to auto remediate identified vulnerabilities and auto close resolved incident issues.

Containers revolutionized the software development and deployment process. But there are still practical concerns, especially related to software supply chain integrity and security, that require further improvements. Software Composition Analysis (SCA) identifies components used in software applications and systems, often for software supply chain concerns like SBOMs, which is increasingly important for distributed, containerized systems. Many open source and proprietary SCA tools are marketed specifically for containers. After testing many open source and proprietary tools, we completed a project comparing the accuracy, depth, and breadth of these tools' detection capabilities. The results were not always good. In this talk, Arun from Siemens Healthineers and Philippe from AboutCode will share their experiences so you don't make the same mistakes.