CH
Uploaded byCheryl Hung
PPTX, PDF51 views

Top Trends in Kubernetes Security: TalosCon 2025

In this talk I discuss some of the fundamental challenges of security in a Kubernetes, cloud native environment, and how Shift-Down Security can help. Reading: https://github.com/kubernetes/sig-security/blob/main/sig-security-docs/papers/shift-down/shift-down-security.md#shift-down-security

Download to read offline
SideroLabs 2025 | All rights reserved. Top Trends in K8s Security Space Cheryl Hung, 17 Oct 2025, Amsterdam
2 oicheryl.com Independent Previously Sr Director, Ecosystem at Arm Cheryl Hung
3
4 What are your challenges when using/deploying containers?
5 What % said security? What are your challenges when using/deploying containers?
6 % say security is a challenge when using containers
7 % say security is a challenge when using containers
8 % say security is a challenge when using containers
9 % say security is a challenge when using containers
10 % say security is a challenge when using containers
11 % say security is a challenge when using containers
12 Why is security so tricky?!
13 1. Shared responsibility leads to gaps
14 1. Shared responsibility leads to gaps 2. Misconfiguration is the killer
15 1. Shared responsibility leads to gaps 2. Misconfiguration is the killer 3. Identity is the new perimeter
16 1. Shared responsibility leads to gaps 2. Misconfiguration is the killer 3. Identity is the new perimeter 4. Speed vs security tensions
17 So what now?
18 “Shift Down” Kubernetes Security Paper Published Feb 2025
19 ✨ Application team ● Develop features ● Fix defects
20 ✨ Application teams ● Develop features ● Fix defects ✨ Application teams ● Develop features ● Fix defects ✨ Application teams ● Develop features ● Fix defects
21 ✨ Application teams ● Develop features ● Fix defects ✨ Application teams ● Develop features ● Fix defects ✨ Application teams ● Develop features ● Fix defects 🔒 Security team ● Runtime security ● Compliance ● Vulnerabilities ● Misconfigurations ● SW supply chain
22 ✨ Application teams ● Develop features ● Fix defects ✨ Application teams ● Develop features ● Fix defects ✨ Application teams ● Develop features ● Fix defects 🤖 Platform team ● Self-service / Automation 🔒 Security team ● Runtime security ● Compliance ● Vulnerabilities ● Misconfigurations ● SW supply chain
23 ✨ Application teams ● Develop features ● Fix defects ✨ Application teams ● Develop features ● Fix defects ✨ Application teams ● Develop features ● Fix defects 🤖 Platform team ● Self-service / Automation ● Vulnerabilities ● Misconfigurations ● Supply chain 🔒 Security team ● Runtime security ● Compliance ● Vulnerabilities ● Misconfigurations ● SW supply chain
24 ✨ Application teams ● Develop features ● Fix defects ✨ Application teams ● Develop features ● Fix defects ✨ Application teams ● Develop features ● Fix defects 🔒 Security team ● Runtime security ● Compliance ● Vulnerabilities ● Misconfigurations ● SW supply chain 🤖 Platform team ● Self-service / Automation ● Vulnerabilities: Manage base images ● Misconfigurations ● Supply chain
25 ✨ Application teams ● Develop features ● Fix defects ✨ Application teams ● Develop features ● Fix defects ✨ Application teams ● Develop features ● Fix defects 🔒 Security team ● Runtime security ● Compliance ● Vulnerabilities ● Misconfigurations ● SW supply chain 🤖 Platform team ● Self-service / Automation ● Vulnerabilities: Manage base images ● Misconfigurations: Manage policies ● Supply chain
✨ Application teams ● Develop features ● Fix defects ✨ Application teams ● Develop features ● Fix defects 26 ✨ Application teams ● Develop features ● Fix defects 🔒 Security team ● Runtime security ● Compliance ● Vulnerabilities ● Misconfigurations ● SW supply chain 🤖 Platform team ● Self-service / Automation ● Vulnerabilities: Manage base images ● Misconfigurations: Manage policies ● Supply chain: Secure, attest, verify
✨ Application teams ● Develop features ● Fix defects ✨ Application teams ● Develop features ● Fix defects 27 ✨ Application teams ● Develop features ● Fix defects 🤖 Platform team ● Self-service / Automation ● Vulnerabilities: Manage base images ● Misconfigurations: Manage policies ● Supply chain: Secure, attest, verify 🔒 Security team ● Runtime security ● Compliance ● Vulnerabilities ● Misconfigurations ● SW supply chain
28 1. Embrace the chaos - platform team manages common concerns
29 1. Embrace the chaos - platform team manages common concerns 2. Automate trust - Policy as Code
30 1. Embrace the chaos - platform team manages common concerns 2. Automate trust - Policy as Code 3. Less is more - complements Shift Left, but reduces developer overhead
31 github.com/kubernetes/sig-se curity/blob/main/sig-security-d ocs/papers/shift-down/shift-do wn-security.md
Thank you 32 oicheryl.com

More Related Content

PPTX
Kubernetes Security Act Now Before It’s Too Late
byMichael Furman
 
PDF
Stanislav Kolenkin & Igor Khoroshchenko - Knock Knock: Security threats with ...
byNoNameCon
 
PDF
The Hacker's Guide to Kubernetes
byPatrycja Wegrzynowicz
 
PPTX
KubeSecOps
byKarthik Gaekwad
 
PPTX
10 tips for Cloud Native Security
byKarthik Gaekwad
 
PPTX
Kubernetes Security
byKarthik Gaekwad
 
PPTX
Application security meetup k8_s security with zero trust_29072021
bylior mazor
 
PDF
Why Should Developers Care About Container Security?
byAll Things Open
 
Kubernetes Security Act Now Before It’s Too Late
byMichael Furman
 
Stanislav Kolenkin & Igor Khoroshchenko - Knock Knock: Security threats with ...
byNoNameCon
 
The Hacker's Guide to Kubernetes
byPatrycja Wegrzynowicz
 
KubeSecOps
byKarthik Gaekwad
 
10 tips for Cloud Native Security
byKarthik Gaekwad
 
Kubernetes Security
byKarthik Gaekwad
 
Application security meetup k8_s security with zero trust_29072021
bylior mazor
 
Why Should Developers Care About Container Security?
byAll Things Open
 

Similar to Top Trends in Kubernetes Security: TalosCon 2025

PDF
ATO 2022 - Why should devs care about container security.pdf
byEric Smalling
 
PDF
Container Stranger Danger - Why should devs care about container security
byEric Smalling
 
PDF
Why should developers care about container security?
byEric Smalling
 
PDF
Hacking into your containers, and how to stop it!
byEric Smalling
 
PPTX
DevSecOps in a cloudnative world
byKarthik Gaekwad
 
PDF
KubeHuddle NA 2023 - Why should devs care about container security - Eric Sma...
byEric Smalling
 
PDF
DevSecCon Lightning 2021- Container defaults are a hackers best friend
byEric Smalling
 
PDF
Keeping your Kubernetes Cluster Secure
byGene Gotimer
 
PDF
GDG SLK - Why should devs care about container security.pdf
byJames Anderson
 
PDF
Embedding security into your Terraform code
byBarak Schoster Goihman
 
PDF
GDG Cloud Southlake 29 Jimmy Mesta OWASP Top 10 for Kubernetes
byJames Anderson
 
PDF
The Art of Cloud Native Defense on Kubernetes
byJacopo Nardiello
 
PPTX
Practical Approaches to Cloud Native Security
byKarthik Gaekwad
 
PDF
Python Web Conference 2022 - Why should devs care about container security.pdf
byEric Smalling
 
PPTX
Security Practices in Kubernetes
byFibonalabs
 
PDF
Santander DevopsandCloudDays 2021 - Hardening containers.pdf
byJuan Vicente Herrera Ruiz de Alejo
 
PDF
Containers At-Risk A Review of 21,000 Cloud Environments
byLacework
 
PDF
Containers at risk a review of 21,000 cloud environments
bydhubbard858
 
PPTX
"Building Trust: Strengthening Your Software Supply Chain Security", Serhii V...
byFwdays
 
PPTX
Keeping Your Kubernetes Cluster Secure
byGene Gotimer
 
ATO 2022 - Why should devs care about container security.pdf
byEric Smalling
 
Container Stranger Danger - Why should devs care about container security
byEric Smalling
 
Why should developers care about container security?
byEric Smalling
 
Hacking into your containers, and how to stop it!
byEric Smalling
 
DevSecOps in a cloudnative world
byKarthik Gaekwad
 
KubeHuddle NA 2023 - Why should devs care about container security - Eric Sma...
byEric Smalling
 
DevSecCon Lightning 2021- Container defaults are a hackers best friend
byEric Smalling
 
Keeping your Kubernetes Cluster Secure
byGene Gotimer
 
GDG SLK - Why should devs care about container security.pdf
byJames Anderson
 
Embedding security into your Terraform code
byBarak Schoster Goihman
 
GDG Cloud Southlake 29 Jimmy Mesta OWASP Top 10 for Kubernetes
byJames Anderson
 
The Art of Cloud Native Defense on Kubernetes
byJacopo Nardiello
 
Practical Approaches to Cloud Native Security
byKarthik Gaekwad
 
Python Web Conference 2022 - Why should devs care about container security.pdf
byEric Smalling
 
Security Practices in Kubernetes
byFibonalabs
 
Santander DevopsandCloudDays 2021 - Hardening containers.pdf
byJuan Vicente Herrera Ruiz de Alejo
 
Containers At-Risk A Review of 21,000 Cloud Environments
byLacework
 
Containers at risk a review of 21,000 cloud environments
bydhubbard858
 
"Building Trust: Strengthening Your Software Supply Chain Security", Serhii V...
byFwdays
 
Keeping Your Kubernetes Cluster Secure
byGene Gotimer
 

More from Cheryl Hung

PDF
10k and counting 0 Insights and Trends from Cloud Native London.pdf
byCheryl Hung
 
PDF
Building the Customer Identity Community, Together.pdf
byCheryl Hung
 
PDF
SlideShare a Scribd company logo Search Submit Search Upload Download free...
byCheryl Hung
 
PDF
Building AI platforms together, for everyone @ SOOCon25.pdf
byCheryl Hung
 
PDF
Building the Future, Together - Kubernetes Community Days, 2024
byCheryl Hung
 
PDF
Key Trends Shaping Cloud Infrastructure and Edge Infrastructure
byCheryl Hung
 
PDF
Key Trends Shaping the Future of Infrastructure.pdf
byCheryl Hung
 
PDF
Key Trends Shaping the Future of Infrastructure.pdf
byCheryl Hung
 
PPTX
Multi-Arch Infra From the Ground Up.pptx
byCheryl Hung
 
PDF
Multi-arch from the ground up
byCheryl Hung
 
PDF
Crossing the chasm with multi-arch
byCheryl Hung
 
PDF
Lessons Learned from 3 years inside CNCF
byCheryl Hung
 
PDF
Infrastructure matters - The DevOps Conference, Copenhagen
byCheryl Hung
 
PDF
Infrastructure matters.pdf
byCheryl Hung
 
PDF
Cloud Native Trends and 2022 Predictions - Cheryl Hung, 16 June 2022 - Cloud ...
byCheryl Hung
 
PDF
Lessons learned from 3 years inside cncf - WTF is Cloud Native, 4 September 2021
byCheryl Hung
 
PDF
Lessons learned from 3 years inside CNCF - Swiss Cloud Native Day
byCheryl Hung
 
PDF
10 predictions for cloud native in 2021 - Fidelity Cloud Cast
byCheryl Hung
 
PDF
10 predictions for cloud native in 2021 - Cheryl Hung GIFEE day
byCheryl Hung
 
PPTX
Data and Storage Ecosystem Opportunities and Need - Cheryl Hung Sodacon2020 k...
byCheryl Hung
 
10k and counting 0 Insights and Trends from Cloud Native London.pdf
byCheryl Hung
 
Building the Customer Identity Community, Together.pdf
byCheryl Hung
 
SlideShare a Scribd company logo Search Submit Search Upload Download free...
byCheryl Hung
 
Building AI platforms together, for everyone @ SOOCon25.pdf
byCheryl Hung
 
Building the Future, Together - Kubernetes Community Days, 2024
byCheryl Hung
 
Key Trends Shaping Cloud Infrastructure and Edge Infrastructure
byCheryl Hung
 
Key Trends Shaping the Future of Infrastructure.pdf
byCheryl Hung
 
Key Trends Shaping the Future of Infrastructure.pdf
byCheryl Hung
 
Multi-Arch Infra From the Ground Up.pptx
byCheryl Hung
 
Multi-arch from the ground up
byCheryl Hung
 
Crossing the chasm with multi-arch
byCheryl Hung
 
Lessons Learned from 3 years inside CNCF
byCheryl Hung
 
Infrastructure matters - The DevOps Conference, Copenhagen
byCheryl Hung
 
Infrastructure matters.pdf
byCheryl Hung
 
Cloud Native Trends and 2022 Predictions - Cheryl Hung, 16 June 2022 - Cloud ...
byCheryl Hung
 
Lessons learned from 3 years inside cncf - WTF is Cloud Native, 4 September 2021
byCheryl Hung
 
Lessons learned from 3 years inside CNCF - Swiss Cloud Native Day
byCheryl Hung
 
10 predictions for cloud native in 2021 - Fidelity Cloud Cast
byCheryl Hung
 
10 predictions for cloud native in 2021 - Cheryl Hung GIFEE day
byCheryl Hung
 
Data and Storage Ecosystem Opportunities and Need - Cheryl Hung Sodacon2020 k...
byCheryl Hung
 

Recently uploaded

PPTX
UiPath Automation Suite Installation (Hands-On) [2/3]
bysuhanisingh58689
 
PDF
How to Measure Microsoft 365 Copilot Success and Manage AI Risk: Advanced Str...
byNikki Chapple
 
PDF
Combining AI with Red Teaming and Bug Bounty
byRamin Farajpour Cami
 
PPTX
Momentum Developer Con 2025 - How To Better Developer Estimates
byBrian McKeiver
 
PDF
Cassandra vs. ScyllaDB: Evolutionary Differences
byScyllaDB
 
PDF
Ask Me Anything About AI Assist: Practical Answers for Real Workflows
bySafe Software
 
PDF
“Lessons Learned Building and Deploying a Weed-killing Robot,” a Presentation...
byEdge AI and Vision Alliance
 
PDF
Agentic AI Guide for Enterprise Use-cases
byDebmalya Biswas
 
PDF
Session 3 - Specialized AI Associate Series: AI Powered Automation through sp...
byDianaGray10
 
PPTX
Cloud Metrics: The Cost-Value Equation (All Things Open 2025)
byEric D. Schabell
 
PDF
Session 2 - Agentic Orchestration with UiPath Maestro
byDianaGray10
 
PDF
AI assisted software — Cathedral or Bazaar?.pdf
byMindtrek
 
PDF
UiPath DevConnect 2025: Introduction to Agentic Automation
byDianaGray10
 
PDF
NSSHOEU-J 4x35mm² Cable Specification.pdf
byAnhui Feichun Special Cable Co., Ltd.
 
PDF
Optimizing a Global Training Strategy: An LKQ Corporation Case Study
byRustici Software
 
PDF
2025 October Patch Tuesday
byIvanti
 
PDF
Meta and Apple close to settling EU cases.pdf
byLUMINATIVE MEDIA/PROJECT COUNSEL MEDIA GROUP
 
PDF
A fool with a tool is still a fool - Plone Conference 2025
byAndreas Jung
 
PDF
Artificial Intelligence and YOU - Thinking Thoughtfully about AI
byMicah Melling
 
PPTX
"The Art of Web Scraping: Tree Algorithms and JS Magic", Dmytro Tarasenko
byFwdays
 
UiPath Automation Suite Installation (Hands-On) [2/3]
bysuhanisingh58689
 
How to Measure Microsoft 365 Copilot Success and Manage AI Risk: Advanced Str...
byNikki Chapple
 
Combining AI with Red Teaming and Bug Bounty
byRamin Farajpour Cami
 
Momentum Developer Con 2025 - How To Better Developer Estimates
byBrian McKeiver
 
Cassandra vs. ScyllaDB: Evolutionary Differences
byScyllaDB
 
Ask Me Anything About AI Assist: Practical Answers for Real Workflows
bySafe Software
 
“Lessons Learned Building and Deploying a Weed-killing Robot,” a Presentation...
byEdge AI and Vision Alliance
 
Agentic AI Guide for Enterprise Use-cases
byDebmalya Biswas
 
Session 3 - Specialized AI Associate Series: AI Powered Automation through sp...
byDianaGray10
 
Cloud Metrics: The Cost-Value Equation (All Things Open 2025)
byEric D. Schabell
 
Session 2 - Agentic Orchestration with UiPath Maestro
byDianaGray10
 
AI assisted software — Cathedral or Bazaar?.pdf
byMindtrek
 
UiPath DevConnect 2025: Introduction to Agentic Automation
byDianaGray10
 
NSSHOEU-J 4x35mm² Cable Specification.pdf
byAnhui Feichun Special Cable Co., Ltd.
 
Optimizing a Global Training Strategy: An LKQ Corporation Case Study
byRustici Software
 
2025 October Patch Tuesday
byIvanti
 
Meta and Apple close to settling EU cases.pdf
byLUMINATIVE MEDIA/PROJECT COUNSEL MEDIA GROUP
 
A fool with a tool is still a fool - Plone Conference 2025
byAndreas Jung
 
Artificial Intelligence and YOU - Thinking Thoughtfully about AI
byMicah Melling
 
"The Art of Web Scraping: Tree Algorithms and JS Magic", Dmytro Tarasenko
byFwdays
 

Top Trends in Kubernetes Security: TalosCon 2025

  • 1.
    SideroLabs 2025 |All rights reserved. Top Trends in K8s Security Space Cheryl Hung, 17 Oct 2025, Amsterdam
  • 2.
  • 3.
  • 4.
    4 What are yourchallenges when using/deploying containers?
  • 5.
    5 What % saidsecurity? What are your challenges when using/deploying containers?
  • 6.
    6 % say security is achallenge when using containers
  • 7.
    7 % say security is achallenge when using containers
  • 8.
    8 % say security is achallenge when using containers
  • 9.
    9 % say security is achallenge when using containers
  • 10.
    10 % say security is achallenge when using containers
  • 11.
    11 % say security is achallenge when using containers
  • 12.
  • 13.
  • 14.
    14 1. Shared responsibilityleads to gaps 2. Misconfiguration is the killer
  • 15.
    15 1. Shared responsibilityleads to gaps 2. Misconfiguration is the killer 3. Identity is the new perimeter
  • 16.
    16 1. Shared responsibilityleads to gaps 2. Misconfiguration is the killer 3. Identity is the new perimeter 4. Speed vs security tensions
  • 17.
  • 18.
  • 19.
    19 ✨ Application team ●Develop features ● Fix defects
  • 20.
    20 ✨ Application teams ●Develop features ● Fix defects ✨ Application teams ● Develop features ● Fix defects ✨ Application teams ● Develop features ● Fix defects
  • 21.
    21 ✨ Application teams ●Develop features ● Fix defects ✨ Application teams ● Develop features ● Fix defects ✨ Application teams ● Develop features ● Fix defects 🔒 Security team ● Runtime security ● Compliance ● Vulnerabilities ● Misconfigurations ● SW supply chain
  • 22.
    22 ✨ Application teams ●Develop features ● Fix defects ✨ Application teams ● Develop features ● Fix defects ✨ Application teams ● Develop features ● Fix defects 🤖 Platform team ● Self-service / Automation 🔒 Security team ● Runtime security ● Compliance ● Vulnerabilities ● Misconfigurations ● SW supply chain
  • 23.
    23 ✨ Application teams ●Develop features ● Fix defects ✨ Application teams ● Develop features ● Fix defects ✨ Application teams ● Develop features ● Fix defects 🤖 Platform team ● Self-service / Automation ● Vulnerabilities ● Misconfigurations ● Supply chain 🔒 Security team ● Runtime security ● Compliance ● Vulnerabilities ● Misconfigurations ● SW supply chain
  • 24.
    24 ✨ Application teams ●Develop features ● Fix defects ✨ Application teams ● Develop features ● Fix defects ✨ Application teams ● Develop features ● Fix defects 🔒 Security team ● Runtime security ● Compliance ● Vulnerabilities ● Misconfigurations ● SW supply chain 🤖 Platform team ● Self-service / Automation ● Vulnerabilities: Manage base images ● Misconfigurations ● Supply chain
  • 25.
    25 ✨ Application teams ●Develop features ● Fix defects ✨ Application teams ● Develop features ● Fix defects ✨ Application teams ● Develop features ● Fix defects 🔒 Security team ● Runtime security ● Compliance ● Vulnerabilities ● Misconfigurations ● SW supply chain 🤖 Platform team ● Self-service / Automation ● Vulnerabilities: Manage base images ● Misconfigurations: Manage policies ● Supply chain
  • 26.
    ✨ Application teams ●Develop features ● Fix defects ✨ Application teams ● Develop features ● Fix defects 26 ✨ Application teams ● Develop features ● Fix defects 🔒 Security team ● Runtime security ● Compliance ● Vulnerabilities ● Misconfigurations ● SW supply chain 🤖 Platform team ● Self-service / Automation ● Vulnerabilities: Manage base images ● Misconfigurations: Manage policies ● Supply chain: Secure, attest, verify
  • 27.
    ✨ Application teams ●Develop features ● Fix defects ✨ Application teams ● Develop features ● Fix defects 27 ✨ Application teams ● Develop features ● Fix defects 🤖 Platform team ● Self-service / Automation ● Vulnerabilities: Manage base images ● Misconfigurations: Manage policies ● Supply chain: Secure, attest, verify 🔒 Security team ● Runtime security ● Compliance ● Vulnerabilities ● Misconfigurations ● SW supply chain
  • 28.
    28 1. Embrace thechaos - platform team manages common concerns
  • 29.
    29 1. Embrace thechaos - platform team manages common concerns 2. Automate trust - Policy as Code
  • 30.
    30 1. Embrace thechaos - platform team manages common concerns 2. Automate trust - Policy as Code 3. Less is more - complements Shift Left, but reduces developer overhead
  • 31.
  • 32.

Editor's Notes

  • #13 Shared responsibility leads to complexity and visibility gaps The biggest source of trouble is that cloud providers secure the infrastructure, but you're responsible for what you put on it. Many organizations don't realize they still own securing their data, applications, access controls, and configurations. This blurred line leads to dangerous assumptions about what's actually protected. Traditional security tools were built for networks you control. In the cloud, your resources are abstracted away, spread across regions, and constantly changing. You often can't see what's running, who has access, or where your data actually lives. Shadow IT makes this worse—teams spin up services without security's knowledge.
  • #14 Cloud platforms are incredibly flexible, which means there are countless ways to configure them incorrectly. An S3 bucket left publicly readable, overly permissive IAM roles, unencrypted databases—these mistakes are easy to make and hard to detect at scale. Most major breaches involve misconfiguration rather than sophisticated attacks.
  • #15 Your network boundary dissolved when you moved to the cloud. Now security hinges entirely on identity and access management, which is notoriously difficult to get right across multiple platforms, services, and user types. Credential compromise becomes catastrophic.
  • #16 Cloud enables rapid deployment, but security reviews can't always keep pace. DevOps teams prioritize velocity, and security is often an afterthought or a blocker to be worked around. Shift left = Too much expectations on developers, overload
  • #18 How many people have heard of Shift Down vs Shift Left?
  • #24 Deliver minimal and hardened images to application teams, removing unnecessary packages and dependencies that could introduce vulnerabilities.. Plus scanning can be done during the CI/CD pipeline
  • #25 Cloud native Policy as Code (PaC) solution, that provides flexibility, reporting and visibility. version control and two-person code reviews.
  • #26 Sign container images, and verify provenance and integrity of these images prior to deployment, using Policy as Code solutions that integrate with admission controls.
  • #27 Development can focus on their core tasks. Security establish organizational standards and SLAs, monitor for compliance, approve exceptions
  • #31 Who does some of these? All?