Learning is Easier When You Are Well Hydrated: Why I Joined Aqua
Having just joined Aqua Security feels a lot like reaching a destination on a journey I started back in 2014. I was doing a security architecture review for a company, and where I would usually have expected to see some virtual machines or even physical servers (remember those!), some of their supporting applications were instead running in Docker.
Having never heard of it, I did what anyone would do, and went to install the software. In the documentation I found a notice:
"Please note this project is currently under heavy development. It should not be used in production."
Beyond being a free finding for my review, it left me curious about why this software was so useful that people would be using it in production at such an early stage...
In the years that followed, I kept exploring Docker and then Kubernetes, and as they became more popular, the amount of time I spent with them increased. One of the ways I like to try and improve my knowledge of topics is to give talks about them, as I have to make sure I know what I'm about to say!
That led me to speaking about Docker and Kubernetes security at several UK BSides conferences, including BSides London, and then in 2018 I got the opportunity to speak at KubeCon EU, which was a great chance to start talking more to the wider open source cloud native community.
Doing talks also led to developing a training course around container security. Starting off as an internal course, it was developed to the level that it was delivered successfully at four Black Hat conferences. Training turned out to be another way to develop your understanding of a topic, as when you've got to be able to spend four days talking about something, it's a good motivation to learn!
One of the interesting things about working in the cloud native security space is that there are a lot of people with different backgrounds who have come together to work on it. Last year I did an "AMA" with the other members of SIG-Honk. The AMA provided a good example of four people all in the cloud native security space, but all coming at it from very different backgrounds.
So Why Aqua?
When Aqua got in touch about this role, it was quite an easy conversation to have, as I already knew quite a bit about the company and their contributions to open source and the general container and cloud native security scene.
I got the opportunity to speak at the KubeSec Enterprise summits in 2019 in Barcelona and then online in 2020, so I’d had the chance to get to know people in the company there, and also through working with Liz Rice on the CIS Benchmark for Kubernetes.
Then, of course, there’s Aqua’s open source security tooling which I’ve been using for years now, both in delivering security reviews for customers and also as part of the training course work I’ve done.
It’s fair to say that tools like kube-bench, kubectl-who-can, kube-hunter and trivy are core parts of the toolbags of most container security reviewers, and I’ll be looking forward to working more with other Aqua open source tools like Starboard.
I can safely say that these tools have saved me hundreds of hours of manually parsing JSON and YAML files!
The other area I knew Aqua from, and one that’s key to my role going forward, is advocacy and education. Trying to help people with security problems is something I’ve been working on for over 10 years on Security Stack Exchange, and even longer on my blog, so working with a company that I know is interested and active in that area, as Aqua are, is important to me.
For all of these reasons and more, working with Aqua seems like a natural progression for me.
What will I be doing now?
Of course, it’s early days yet and, like everything in the cloud native world, I’m sure changes will come thick and fast, but we’ve got some great ideas for where I can help already.
The high-level goal is to help educate and inform about cloud native security. There are a load of good venues to help out in these days, so I’ll be seeing where I can best chip in.
CFP gods permitting, I’ll be speaking at events (maybe even back in person one day!), and I’ll also be carrying on with things like blogging on container and Kubernetes security topics that are interesting, helping out with industry efforts like the CIS benchmarks, and participating in forums like Kubernetes SIG-Security.
I’m very fortunate to be able to work in a dynamic field like cloud native security, and one where there are always lots of interesting challenges to take on. One thing you can be sure of is that it’s not likely to be boring, and I’m sure that’ll be as true in the future as it has been since I started my cloud native journey back in 2014!