내 정보 수정










내 정보 수정





Build Security Expertise from Code to Cloud

The ways we build in the cloud have evolved, and the ways we secure it should too. Code to Cloud by Bridgecrew and Prisma® Cloud takes the next leap forward. Made for practitioners by practitioners, Code to Cloud features 15+ keynotes, technical breakout sessions, panel discussions and a hands-on lab on all things security – from code to cloud and everything in between.

Watch the summit on demand to learn from 25+ experts on security best practices across cloud native tech stacks and the development lifecycle—from IaC and open source packages to containers and workloads. This summit is for anyone at any skill level that’s interested in the intersection of cloud, DevOps, and security.


Dr. Nicole Forsgren

Author, Accelerate: The Science of Lean Software and DevOps

Ashish Rajan

Head of Security & Compliance
Host, Cloud Security Podcast

Joylynn Kirui

Senior Cloud Security Advocate

Emily Freeman

DevOps For Dummies

Srinath Kuruvadi

Head of Cloud Infrastructure Security

Rosemary Wang

Developer Advocate

Nancy Gariché

Developer Advocate, GitHub Security Lab

Shannon Lietz

VP, Security, Adobe

Rob Richardson

Developer Advocate, Cyral

Madhu Akula

Product Security, Miro

Tim Davis

DevOps Advocate, env0

Cagri Cetin

Tech Lead - Identity and Access Management, Yelp

Bryan Ross

Head of Technology Products, Sky

Leif Dreizler

Engineering Manager, Security Features, Segment

Julie Gunderson

Sr. Reliability Advocate, Gremlin

Edwin Kwan

Head of Application Security and Advisory, Tyro Payments

Guy Eisenkot

Bridgecrew Senior Director, Product Management,
Palo Alto Networks

Jeroen Willemsen

Principal Security Architect, Xebia

Stefania Chaplin

Solutions Architect, GitLab

Or Weis

Co-Founder, Permit.io


Panel: Working Together for Shift-Left Security Nirvana 

Bryan Ross, Head of Technology Products, Sky
Leif Dreizler, Engineering Manager, Security Features, Segment
Shannon Lietz, VP, Security, Adobe
Moderated by John Furrier, siliconANGLE

On one end of the shift-left security spectrum, your developers have learned to tune out noisy alerts caused by security tooling you thought had buy-in. On the opposite end, you have DevSecOps nirvana: your roadmap is dotted with security features and developers have willingly baked security checks into their individual workflows. In reality, most shift-left efforts land somewhere in between.

In this panel discussion we’re bringing together different perspectives across security and engineering orgs to start to unpack what “shifting security left” really means and what it takes to get there in terms of people, processes, and technology.

Keynote: Security + DevOps = BFF4L

Dr. Nicole Forsgren, Author, Accelerate: The Science of Lean Software and DevOps

Most folks think about dev, test, and ops when they hear “DevOps,” but the methods apply to so much more. In this talk, Dr. Nicole Forsgren talks about why DevOps is important for security and reliability, and why the methods are still relevant today. She will cover some key tips for integrating DevOps and security practices, as well as some of the latest research on the state of software security, showing why it’s so important to make security efficient and collaborative.

Security vs. Delivery: Win with Dependency Inversion

Rosemary Wang, Developer Advocate, HashiCorp

Security tools, separate policies everywhere and not one place to audit! How do you solve the multi-platform management problem for security? After all, we’ve solved some multi-cloud management problems with infrastructure as code. In this talk, I’ll outline how you can apply dependency inversion to maintain the security of your system as it quickly evolves.

You’ll learn about patterns, technologies, and approaches to evolve your systems while minimizing the erosion of your security practices. We’ll explore one solution with HashiCorp Terraform, Consul, Vault, and Boundary, but you’ll find the patterns broadly apply to your system architecture. This talk will be useful to platform, infrastructure, or security architects, and anyone designing or engineering infrastructure systems.

You Can’t Secure What You Can’t See: The Complexities of Supply Chain Security

Guy Eisenkot, Sr. Director Product, Palo Alto Networks

For cloud-native applications, getting visibility across complete software supply chains is easier said than done. Without that visibility, it’s almost impossible to prioritize known risks and threat model the blast radius of potential tampering attacks, vulnerabilities, or misconfigurations. In this talk, I’ll address how supply chain attacks can happen with real-world, headline-making examples as the backdrop. From there, we’ll walk through the individual pieces of supply chain security and how to prevent chained attacks with complete visibility into both software components as well as version control systems and CI pipelines.

Authorization as Code as a Business Enabler: OPA, OPAL, Zanzibar

Or Weis, Co-Founder at Permit.io

With the growing complexity of modern applications and microservices based architectures getting access-control right has become a huge ongoing pain-point, as companies find themselves reimplementing access-control multiple times. Solutions are found in the new tool sets of policy and authorization as code.

The talk covers the problem space, how it changed in recent years, as well as the 5 best practices and the open-source tools (e.g. OPA, OPAL, Zanzibar) we can use to face the challenge.

Ensuring Continuous Least Privilege Across Different Systems

Cagri Cetin, Tech Lead - Identity and Access Management, Yelp

Yelp has been implementing modern and least-privilege compliant authorization mechanisms for its systems including Linux, Kubernetes, and AWS. During the implementation of each authorization mechanism, Yelp spent a significant amount of time to come up with least-privileged access groups. However, in a dynamic environment, manual one-time least-privileging efforts will not be sufficient as the access groups will quickly become overly provisioned or users will retain access more than they need. To ensure the principle of least privilege, Yelp has implemented an automated privilege revocation mechanism that periodically checks the unused privileges and revokes them from users if they are not used.

This talk covers common problems with least-privilege in a dynamic environment and potential solutions to ensure continuous least-privilege. It will discuss:

  • Yelp’s journey from manually provisioning access in different systems to discovering common least-privilege problem space with manual one-time least-privileging efforts across different systems
  • Processes to ensure continuous least privilege across different systems
  • Issues encountered along the way and lessons learned
  • The tradeoffs between security and usability while ensuring continuous least-privilege

Securing DevOps: Where to Start and What to Measure

Stefania Chaplin, Solutions Architect, GitLab

How do we secure our DevOps processes? Why is shifting left important? How do we get developers to care about security and empower them to make a difference?

Often in software development we operate in silos. Different tribes have different priorities and lexicons. How do we break down these preexisting silos and continue innovating and optimising our software development process?

Join this session to find out the answers to all these questions and importantly, when it comes to securing DevOps: where to start and what to measure.

Security as Code: A DevSecOps Approach

Nancy Gariché, Senior GitHub Security Lab, Developer Advocate, GitHub

Security as Code (SaC) is the methodology of codifying security tests, scans, and policies. Security is implemented directly into the CI/CD pipeline to automatically and continuously detect security vulnerabilities. Adopting SaC tightly couples application development with security and vulnerability management, while simultaneously enabling developers to focus on core features and functionality. More importantly, it improves the collaboration between Development and Security teams and helps nurture a culture of security across the organization.

In this session, we will review lessons learned from DevOps to implement a successful DevSecOps culture, in particular how we can make developers contribute security checks with the SaC approach. We will introduce CodeQL, a language that allows us to implement security checks with code, and will demo how we can code queries for vulnerabilities and misconfigurations so they can be identified as soon as they hit your CI/CD pipeline.

The Road to Reliability

Julie Gunderson, Sr. Reliability Advocate, Gremlin

Over the years a lot of research has been conducted and many books have been written on how to improve the resilience of our software. This talk will dive deep into the three keep practices identified by the authors of Accelerate to improve reliability: Chaos Engineering, GameDays, and Disaster Recovery. We will discuss the key measures of tempo and stability, and how practicing Chaos Engineering will increase both.

We will be walking through the Google Cloud open source Bank of Anthos application to illustrate why teams should focus on the customer experience and how to test for failures and why reliability is important to the security of your systems.

Attendees will learn practical tips that you can put into action focused on resource consumption, capacity planning, region failover, decoupling services and deployment pain.

Learn How to (Not) Use Secrets with OWASP WrongSecrets!

Jeroen Willemsen, Principal Security Architect, Xebia

If you want to bring an app to production, you need to know where to put your secrets and how to access them safely. In this session, we'll go into how to not use secrets with a purposefully vulnerable application. We hope you'll take this knowledge and not make the same mistakes in your own app. Of course, you'll also learn a thing or two on how to do secrets management, IaC, and IAM in the cloud properly!

It's Not Your Developers’ Fault

Edwin Kwan, Head of Application Security and Advisory, Tyro Payments

The number of security incidents and data breaches are increasing. It feels like not a week goes by without hearing of another breach or compromise. Are we getting worse at doing security? In this talk I'll provide my opinion on this, from an application security perspective, by taking a look at how software development has changed over the years. As we move towards Cloud Native workloads, staying secure is harder; and it's not always your developers' fault.

Pitfalls of Infrastructure as Code (And How to Avoid Them!)

Tim Davis, DevOps Advocate, env0

Are you looking to start your journey into Infrastructure as Code? Or have you already jumped in head-first? Either way, this session is for you! We'll talk about many of the common pitfalls of IaC, and how you can avoid them. From infrastructure pitfalls to coding pitfalls, we'll go over all kinds of things that you may not have thought of yet. Get your questions ready, because I'm here to help you be successful in your IaC journey!

Container Scanning: Run Fast and Stay Safe

Rob Richardson, Developer Advocate, Cyral

Have you struggled to get security baked into your DevOps process or have your security needs taken a back seat to "run fast and break things"? Just because we’re moving fast doesn't mean we can’t be secure. Join us for this deep dive into adding container scanning to a DevOps pipeline. We'll enumerate the security tool categories, and give you tips for adding these tools to your development workflow, build pipeline, and production monitoring setup. You can achieve a robust security posture and still release continuously.

Kubernetes Goat: Interactive Kubernetes Security Playground

Madhu Akula, Product Security, Miro

Kubernetes Cluster environment to practice and learn about Kubernetes Security.

In this session, Madhu Akula will present the latest version of the Kubernetes Goat by exploring different vulnerabilities in Kubernetes Cluster and Containerised environments. Also, he demonstrates the real-world vulnerabilities and maps the Kubernetes Goat scenarios with them. As a defender you will see how we can learn these attacks, misconfigurations to understand and improve your cloud native infrastructure security posture.

We see a ton of newly added vulnerabilities, CVEs and mapping with some opensource security tools to perform from writing developer code to deploying into production security using different layers like Infrastructure security, Supply chain security, Runtime security.

Panel: Where Does AppSec End and CloudSec Begin?

Ashish Rajan, Head of Security & Compliance, PageUP / Host, Cloud Security Podcast
Joylynn Kirui, Senior Cloud Security Advocate, Microsoft
Srinath Kuruvadi, Head of Cloud Infrastructure Security, Netflix
Moderated by Alex Williams, The New Stack

With the rise of cloud-native technologies such as containers and infrastructure as code (IaC), the way we build applications is changing rapidly. As the lines between application components and infrastructure components are blurred, we need to rethink how we approach security—from the way we structure our teams to the tools we invest in.

Cloud-native security requires broader coverage across technologies, sophisticated access control management, and more contextual awareness across the entire software supply chain. In this panel, we’ll discuss the challenges of traditional approaches to AppSec and cloud security and their nuances for cloud-native applications.

The Psychology of InfoSec Teams

Emily Freeman, Author, DevOps For Dummies

When security is perceived as keeping people out, what’s the best approach to letting people in? The truth is security can’t exist in a silo, at least not successfully. This talk focuses on how the psychology of crowds impacts your system’s security. And what you can do to make your security practice more inclusive without compromising your standards.