BSides London 2025

Cloud & Containers: The Security Puzzle That Locks Tight
2025-12-13 , Rookie Track 1

Cloud and container security feels like a scattered puzzle: development standards, CI/CD pipelines, guardrails, runtime security, logging, monitoring, and assurance. Together, they form a resilient system. This 15-minute talk assembles these pieces and shows the critical connections between them. Development standards catch vulnerabilities early. CI/CD pipelines enforce automated checks. Guardrails secure cloud environments and maintain compliance. Runtime security hardens containers against drift. Logging and monitoring spot threats, such as API enumeration, and route alerts for rapid response. Assurance binds it all together with attestations and revocation certificates: a test of pipeline risks showed that unverified flows fail. Banking deployments showed that stage gates save chaotic pipelines. Developers thrive with sandboxes, with controls tightening towards production. For beginners and experts alike, this talk highlights the pitfalls that trip teams up and offers a visual cheat sheet mapping the components for audits. Attendees will gain a framework to align security and operations seamlessly and strengthen their stacks.


Cloud and container security seems fragmented: development standards, CI/CD pipelines, guardrails, runtime security, logging, monitoring, and assurance. Together, they form a robust framework. This 15-minute talk assembles this puzzle for BSides London, highlighting why each piece matters and the pitfalls that derail teams. For beginners and experts alike, it draws on OWASP and NIST 800-53 to deliver its insights.

Development standards embed OWASP guidelines, catching flaws such as injection with linters. CI/CD pipelines enforce checks; skipping gates invites errors. Guardrails, aligned with NIST 800-53, use policy-as-code to prevent drift, a step that is often neglected. Runtime security uses immutable images and monitoring to stop pod escapes; a build-only focus fails. Logging and monitoring, via OpenTelemetry, catch threats such as rate-limited tokens, with alerts delivered to Slack. Out-of-the-box tools suit fast-moving teams better than complex Prometheus setups, though open-source users should contribute back. Assurance, with attestations, avoids pitfalls such as unverified pipelines, as shown by a "signed" malware test. Banking stage gates proved critical. The talk ends with a cheat sheet slide, mapping:
* Development Standards: OWASP-based checks.
* CI/CD Pipelines: Automated gates.
* Guardrails: Cloud compliance.
* Runtime Security: Container protection.
* Logging/Monitoring: Threat detection.
* Assurance: Pipeline trust.

This transforms fragmented components into a unified strategy.


Please confirm that I am a first-time speaker and have not spoken in public and will not be before the BSides London event date (14th December 2024).: Yes

Ashley Barker is a technical leader who bridges the worlds of security and technology, with over 10 years in cybersecurity and deep experience in digital delivery, products, and user-focused solutions. A passionate advocate for NIST CSF, OWASP, and SANS, he simplifies complex security challenges, building robust cloud and DevSecOps systems for global organisations. Staying hands-on, Ashley crafts practical solutions that secure critical systems while driving innovation, making him a go-to for turning chaotic projects into clear, effective outcomes.