DevSecOps Forum

DevOps Forum will focus on development and operations integration, emphasizing the security development lifecycle. It introduces the DevSecOps concept, assisting enterprises in ensuring the security of code and applications in a continuous delivery environment.

AGENDA
5 / 16
09:30 - 10:00
Augustin Lu / CEO CPHT Department of Computer Science/Associate Professor NCCU

In this presentation, you will:

1. Understand the six pillars of DevSecOps proposed by the authoritative organization on cloud security, Cloud Security Alliance (CSA).

2. Get acquainted with Kubescape, the latest CNCF sandbox project, and how it enhances security and scalability for Kubernetes (K8s) clusters.

3. Learn which key elements of the six pillars Kubescape implements for better security and scalability.

  • DevSecOps
  • Kubernetes Security
  • Compliance
5 / 16
10:15 - 10:45
游照臨 (Steven Meow) / Threat Researcher Trend Micro

The most important iron rule when using cloud platforms, SaaS platforms, and CI/CD platforms is the Principle of Least Privilege (PoLP). We always believe that by setting the minimal amount of privileges possible, we can ensure the security of the system. But is this really the case? This session will present an intriguing case study where the misuse of the GitHub Actions API led to privilege escalation and the hijacking of the CI/CD process, as well as tampering with the repository. In this instance, despite the developers adhering strictly to the official documentation's recommended settings for all permissions, in line with the Principle of Least Privilege, it still resulted in the exploitation of vulnerabilities that compromised the website.

  • API Security
  • DevSecOps
  • Red Team
5 / 16
11:00 - 11:30
Cori Lin / DevOps Trainer & Project Manager Institute for Information Industry
Amalia / Machine Learning Engineer Institute for Information Industry
  • DevSecOps
  • AI
5 / 16
11:45 - 12:15
Shih Yu Yang / System Analyst Ministry of Health and Welfare

This session shares a traditional web application system in the public sector, from the integration of container tool applications in CI, to the establishment of pipelines such as CI/CD, information security detection, and SBOM listing, through to automatic deployment to the formal environment container platform. It shows that it can be achieved after converting the container platform. Achieving the DevSecOps process that combines security and agility will result in amazing savings in resources, time, manpower, and maintenance operations. I hope to share it with the participants for reference.

  • DevSecOps
  • Supply Chain Security
  • Container Security
5 / 16
14:00 - 14:30
Tommy Tseng / Security Architect, Presentation Group ViewSonic

In my upcoming presentation, I'll highlight how our company, a cloud SaaS and application development provider, has effectively integrated Infrastructure as Code (IaC) with DevSecOps to enhance our development and operational efficiency. This integration leverages IaC's automation and minimal manual intervention to strengthen the DevSecOps framework, boosting our performance and security.

Integrating IaC with DevSecOps has not only accelerated infrastructure deployment and improved consistency but also minimized human errors, enhancing security and reliability. This is vital for our cloud SaaS services and cross-platform application development. I'll share our practical experiences in automating various stages, such as code submission, security review, and infrastructure deployment, demonstrating how combining IaC and DevSecOps enhances technical efficiency and revolutionizes business processes and security management.

My goal is to showcase the substantial value of this integration and offer practical strategies to help attendees replicate our success in their projects.

  • Software Security
  • DevSecOps
  • Cloud Security
5 / 16
14:45 - 15:15
Kai Kao / Deloitte & Touche Risk Advisory Senior Manager Deloitte

As enterprises mature in their usage of containers, container security is increasingly gaining attention. Container security is a multifaceted issue involving various potential threats and complex technical challenges. In this sharing session, common security reminders and recommendations in development and operational usage will be discussed to assist teams in leveraging container technology more intelligently, securely, and effectively, thereby managing and mitigating risks efficiently.

  • Content Security
  • DevSecOps
  • Software Security
5 / 16
15:45 - 16:15
Alvin Lin / PwC Taiwan
  • SecDevOps
  • Risk Management
  • Security Development Lifecycle