I interviewed 57 security leaders and asked them “What sucks in security?” Their top pain points were inconsistent access management, vulnerability prioritization and remediation, and obtaining SaaS logs in case of an incident.
PulumiUP 2024 | Panel: Secrets and Policies — Automating Cybersecurity
- Infrastructure Security
- Panel
In an era where digital threats are becoming more sophisticated, the need for advanced cybersecurity strategies has never been more critical. Discover how to balance security with business agility, implement best practices for secrets management, and leverage automation to safeguard your operations. We’ll also delve into securing the software supply chain and predicting future trends in cybersecurity.
We’ll pitch five startups (that don’t exist) and share why they should: the problem they solve, a view of the market, who the target buyer is, and what skills you’d need to be successful. If you’ve ever thought of starting something, but are just waiting for the ‘right’ idea, this talk is for you.
Screaming in the Cloud | How Tailscale Builds for Users of All Tiers
- Product management
- Open source
Maya Kaczorowski, Chief Product Officer at Tailscale, joins Corey on Screaming in the Cloud to discuss what sets the Tailscale product approach apart, for users of their free tier all the way to enterprise.
Women of Silicon Roundabout 2023 | So what does a product manager do, exactly?
- Product management
You might have experience working on a product in some capacity, and with a product manager… but what do they do, exactly? Maya covers what the responsibilities of a product manager are.
Launching a product can be exhilarating and nerve-wracking at the same time. Learn how to strike a balance between speed and sustainability, enabling your team to deliver rapid launches without compromising quality.
The friction between developer and security teams is oftentimes tangible. While developers aim to work quickly, security teams are begging them to slow down. Leveraging technology that prioritizes both security & engineering teams is the key to creating synchronicity within your company.
Women Impact Tech | The Importance of Cutting-Edge Security and How To Combat Data Breaches
- Security programs
- Panel
Organizations that fail to effectively secure their valuable data expose themselves to significant risks such as reputational damage and operational interruptions. Remediation alone can cost a fortune because security personnel are typically hired to identify how the breach occurred, then how to close security gaps and determine the extent of the damage. In this panel, we will discuss cloud security and managing visibility, accessibility, and risk. We hope you take away some key pieces of advice that can protect you from having information stolen.
CloudNativeSecurityCon NA 2023 | Securing user to server access in Kubernetes with Maisem Ali
- Container security
- Remote access
How should your development team secure access to the internal services you’re running on Kubernetes? We’ll focus on the networking and security questions you should consider when exposing Kubernetes services to your users, including authentication and authorization, load balancing, traffic filtering, and encryption; and discuss the different options you have for managing access to these services.
Meetup | Cloud-Native Network Security Panel with Tailscale and ControlPlane
- Container Security
- Remote access
- Panel
Maya Kaczorowski of Tailscale’s Product Team moderated a panel discussion on cloud-native network security, with contributions from software developers Matt Turner of Tetrate, Tom D’Netto from Tailscale, and Security Architect Dr James Callaghan from ControlPlane.
Maya Kaczorowski (@MayaKaczorowski, Product @Tailscale) talks about the new world of remote systems access, zero-config VPNs, and why everyone loves using Tailscale.
Accel DX 2022 | Demystifying Risks for Dev-Focused Companies
- Supply chain security
- Infrastructure security
- DevOps
- Panel
With the movement towards CI/CD, new code written by developers is deployed continuously at sophisticated companies. However, security practices haven’t kept up. As leaders in the space, Chainguard’s Kim Lewandowski, Snyk’s Randall Degges, and Tailscale’s Maya Kaczorowski are no strangers to these challenges. In a panel moderated by Accel’s Casey Aylward, they will discuss security resources for developers, and how to understand and effectively apply them before it’s too late.
TFiR Let's Talk | Tailscale SSH Aims To Simplify And Secure Remote Connections
- Remote access
In this episode of TFiR Let’s Talk, Swapnil Bhartiya sits down with Maya Kaczorowski, Product Manager at Tailscale, to discuss Tailscale SSH in beta and how it simplifies remote connections, taking away the need for SSH keys. She explains the motivation behind creating Tailscale SSH and what sticking points it is tackling.
ACM Tech Talk | The Past, Present, and Future of Supply Chain Security
- Supply chain security
- Moderator
Supply chain security has become a massive talking point across the software industry over the last several years. This talk covers the state of software supply chain security over the last 40 years, and new techniques for mitigating and protecting against these threats, in both open source and proprietary software development environments.
BSidesSF 2022 | WireGuard from the ground up with David Crawshaw
- Remote access
- Encryption
What is WireGuard, how does it work, and when should you use it? Simply put, WireGuard offers end to end encryption of traffic between two endpoints. We’ll cover WireGuard’s implementation, protocol, and cryptography and compare it to IPsec, ngrok, and OpenVPN in terms of security and performance.
Panel discussion and Q&A on detection and response.
NorthSec 2022 | The road to BeyondCorp is paved with good intentions with Eric Chiang
- Remote access
- BeyondCorp
BeyondCorp is Google’s initial implementation of a zero trust architecture, which grants application access based on the user, device, and application. Despite all the excitement about zero trust architecture, there’s little concrete guidance (and a lot of vendor noise) on how to successfully implement one. In this talk, Maya and Eric will provide insight into BeyondCorp fundamentals, common misconceptions, and a roadmap for your organization to get to a zero trust architecture.
DevX Conf 2022 | Remote development can improve your developers’ remote work experience
- Remote access
- DevOps
Although many development teams have now adapted to working remotely, far fewer are developing remotely. In this talk, we’ll discuss a few ways that developing remotely can actually help address some of the hurdles your team might face working remotely.
The goal of DevOps has stayed the same, but our tools, infrastructure, and operating models have changed. To support modern software delivery, it’s critical for organizations to know and prepare for what’s coming next.
Software composition analysis is a term coined by the industry, and refers to identifying the dependencies and components used in a piece of software that is shipping, and their vulnerabilities, licenses, and other metadata. We’ll discuss the common components of software composition analysis.
How secure is your software? Carl and Richard talk to Maya Kaczorowski of GitHub about The State of the Octoverse Security Report — one of three annual reports coming from GitHub about how software is being built.
As a maintainer of your open-source project, what can, and should you be doing to improve your project’s security?
Sometimes, adding a single library to your manifest file can result in bringing in a massive dependency tree. How can we make sure that we stay on top of any known vulnerabilities, and update our dependency versions as needed?
Dependency Review is a new GitHub Advanced Security feature that allows you to view a “rich diff” of what has changed in your dependency manifest file while reviewing a pull request.
GitHub Universe 2020 | Catching vulnerabilities early with GitHub, with William Bartholomew
- Supply chain security
Shifting left allows development teams to implement security controls earlier, thus helping your team catch issues earlier, too. In this talk, we’ll dive into what GitHub can do to help you address vulnerabilities in these dependencies and alert you when new vulnerabilities arise using Dependency Graph and Dependabot, and new updates that will help you shift left.
A panel that doesn’t suck about security, from multiple perspectives. Categories, organisations and security practices are being reinvented, but what does it look like from the practitioner perspective?
GitHub Talk | How Mettle uses GitHub to secure their software supply chain, with Mikail Tunç
- Supply chain security
Following DevSecOps means approaching security as an ongoing part of software development — and staying up to date on the code your software depends on. Join Mikail Tunç, Principal AppSec Engineer at Mettle, and Maya Kaczorowski, GitHub Product Manager for an in-depth conversation into how Mettle uses GitHub’s application security capabilities to understand which dependencies they use, their vulnerabilities, how to patch them — and get back to work.
Electro Monkeys | La sécurité dans tous ses états — la chaine d’approvisionnement logicielle et l’open source
- Podcast
- Container security
- Supply chain security
- Open source security
- French
Security is a fundamental yet often neglected aspect of our information systems. Code and the codebase are now at the heart of every technology company. So what problems does this raise, what solutions can be applied, and with which tools?
GitHub Talk | How Nutanix uses GitHub to secure their software supply chain, with Jon Kohler
- Supply chain security
Following DevSecOps means approaching security as an ongoing part of software development — and staying up to date on the code your software depends on. Join Jon Kohler, Nutanix Technical Director, and GitHub Product Manager Maya Kaczorowski for an in-depth conversation into how Nutanix uses Dependabot and the GitHub dependency graph to understand which dependencies they use, their vulnerabilities, how to patch them — and get back to work.
The POPCAST with Dan POP | Software Supply Chain Security and Puzzles
- Software supply chain security
- Puzzles
- Podcast
Episode 23 - GitHub’s Maya Kaczorowski on Software Supply Chain Security and Puzzles!
DevSecCon 2020 | Hardening your soft software supply chain
- Supply chain security
- DevSecOps
Software supply chain threats are real! As more developers and companies rely on open-source code — that anyone can contribute to, including attackers — this opens the door to a new vector of attack. There are increasing supply chain compromises which successfully sneak in new backdoored packages, use typosquatting, or even compromise build tooling and signing keys. What’s actually happening in the wild, how do you determine your dependencies, and properly secure yourself?
Maya joins Cornelia’s keynote to share key ways in which GitOps can contribute to your security needs.
Writing secure code is hard in its own right, but understanding what vulnerabilities exist in your code — and how to keep up to date with the latest patches — is daunting for even the most sophisticated software teams. In this session, you’ll learn how GitHub is making it easier to secure your software supply chain, and how to get started in protecting your code and its dependencies.
AllTheTalks.online | The threat is real: software supply chain vulnerabilities
- Supply chain security
Software supply chain threats are real! What’s actually happening in the wild, how do you determine your dependencies, and properly secure yourself?
PancakesCon 2020: Quarantine Edition | Cryptic Dependencies & Cryptic Crosswords
- Supply chain security
- Puzzles
How do you determine your code’s cryptic dependencies, and what should you do when a new vulnerability is discovered? And how do you solve cryptic crosswords?
BSidesSF 2020 | Checking your --privileged container with Sam “Frenchie” Stewart
- Container security
Docker provides a convenient --privileged flag to create “privileged containers” but what does it actually do? In this talk, we will explain the internals of how docker provides isolation, and what happens when these security features are disabled. Spoiler alert: trivial container escapes.
Application Security Podcast | Container and orchestration security
- Podcast
- Container security
Maya joins us to discuss how containers improve security, a high-level threat model of containers and orchestration, and tips for enhancing security as you roll out containers and Kubernetes.
The New Stack Pancake Breakfast at KubeCon | Shifting Cloud Native Security All the Way Left
- Container security
- Panel
Many IT teams begin moving their applications to containers and Kubernetes after their managers mandate the switch. Then in the rush to deploy they may forget, or simply delay, some fundamentals. Only six to 12 months later does integrating security into their CI/CD pipeline become a priority. This gradual evolution toward cloud native security best practices is worrisome, but it’s the norm among organizations adopting Kubernetes today. This is what we learned from a panel of cloud native security experts at The New Stack’s pancake and podcast from KubeCon+CloudNativeCon North America this week.
KubeCon North America 2019 | How Kubernetes Components Communicate Securely in Your Cluster
- Container security
How do your cluster components talk to each other?
Open-source projects have a more nebulous operating model, and that also means it’s harder to figure out who’s on the hook when something goes wrong. We’ll discuss what a mature open-source project does for security, including dependencies, incident response, vulnerabilities, and bug bounties.
Does eating ice cream slower prevent a brain freeze?
O'Reilly Velocity 2019 | Containers can actually improve your security story
- Container security
Maya Kaczorowski covers how containers change your development pipeline and how this helps, rather than hurts, your overall security model.
Google Product Manager Dustin Kirkland interviews Google Product Manager Maya Kaczorowski to discuss interesting vulnerabilities in the Kubernetes space.
KubeCon Europe 2019 | Container Forensics: What to do when your cluster is a cluster, with Ann Wallace
- Container security
We’ll go over where to get information about what’s happening in your cluster, including logs and open source tools you can install, and how to tie this information together to get a better idea of what’s happening in your infrastructure. Armed with this info, we’ll review the common mitigation options such as to alert, isolate, pause, restart, or kill a container.
The New Stack at KubeCon | Exploring The Latest in Public Cloud Providers
- Container security
- Interview
We’re live from #CloudNativeSecDay for a conversation with TNS Founder & EiC Alex Williams & Google Product Manager Maya Kaczorowski to explore all the latest in public cloud providers today from #KubeCon Barcelona.
In today’s show we discuss the attack surface of a managed Kubernetes service.
Listen to this very insightful episode with special guest from Google, Maya Kaczorowski, as she discusses container security with BMC Solutions Architect, Ajoy Kumar.
Google Cloud Next '19 | Who Protects What? Shared Security in GKE, with Jesse Endahl
- Container security
On Google Kubernetes Engine, Google manages the control plane, whereas the user manages the nodes. From a security point of view, what does this mean? Who is responsible for managing security updates and responding to incidents?
Google Cloud Security Talks at RSA 2019 | What containers are and how they change your security model
- Container security
In this talk, we’ll cover what containers and Kubernetes are, basic security properties so you can start protecting them, and what features exist on Google Cloud to protect your containers.
BSidesSF 2019 | You might still need patches for your denim, but you no longer need them for prod, with Dan Lorenc
- Container security
In this talk, Maya and Dan will cover what changes in your patch management story if you use containers instead of virtual machines in production.
KubeCon North America 2018 | This Year, It’s About Security, with Brandon Baker
- Container security
Kubernetes has made giant strides in 2018 to improve security for end users. Here’s an overview of what’s happened in 2018.
Cloud OnAir | Learn how to use network security controls for your containers, with Manjot Pahwa
- Container security
Container infrastructure security is about ensuring that your developers have the tools they need to securely build containerized services. Container networking is a key element of it. Join us to understand the nuances of container network security and learn how you can segment containers in a network, which traffic flows you should allow, and how to maintain the security and privacy of your container network.
KubeCon China 2018 | The State of your Supply Chain, with Andy Martin
- Container security
- Supply chain security
Container security often focuses on runtime best-practices whilst neglecting the software shipped in the supply chain. In this talk we detail an ideal software supply chain, describe the current state of the ecosystem, and dig into specific tools. Grafeas, Kritis, in-toto, Clair, Micro Scanner, TUF, and Notary are covered, and we demo how to identify a vulnerable image then automatically rebuild and redeploy it.
KubeCon China 2018 | Turtles All the Way Down: Managing Kubernetes Secrets with Secrets, with Alexandr Tcherniakhovski
- Container security
Secrets are the cornerstones of Kubernetes’ security model; they are used both by Kubernetes itself (e.g., service accounts) and by users (e.g., API keys). In this talk, we will discuss users’ options for protecting secrets in Kubernetes.
Containers are making it easier for developers to build and deliver applications in the cloud. However, managing risk around container deployments remains a significant challenge for security teams. Join this session to learn about the security challenges around container deployments and best practices to follow while securing containers.
Cloud OnAir | Unravel the mystery of container security, with Sandra Guo and Juan Oviedo
- Container security
Containers are increasingly being used to deploy applications, and with good reason, given their portability, scalability and lower management burden. However, the security of containerized applications is still not well understood.
Let’s talk container security! This week, Melanie and Mark learn all about the three main pillars of container security and more with our guest, Maya Kaczorowski.
Video tour | Google Infrastructure Security
- Infrastructure security
- Encryption
- Interview
Did you know that Google has invested $30.9 billion to build out our global infrastructure over the past 3 years? Learn more about Google’s infrastructure security through a tour with product manager Maya Kaczorowski and developer advocate Cassie Kozyrkov.
Google Cloud Next '18 | How Google Protects Your Data at Rest and in Transit, with Il-Sung Lee
- Encryption
In this breakout, attendees will learn how their data is protected at rest and in transit on Google Cloud. We’ll discuss how data is protected from the user to Google and within Google’s infrastructure between services, at which network layers these protections are applied, and when these protections are in place. We’ll also cover options for additional protections on Google Cloud, including IPsec tunnels, Gmail S/MIME, and Istio; as well as efforts by Google to increase encryption in transit at large.
Google Cloud Next '18 Showcase | Google Infrastructure Tour
- Infrastructure security
- Encryption
- Interview
Follow our Showcase reporters as they tour the venue and get the inside scoop on #GoogleNext18 products.
Google Cloud Next '18 | Kubernetes for Enterprise Security Requirements, with Jesse Endahl
- Container security
An increasing number of enterprises see containers as the next step in their infrastructure’s evolution, but are blocked by security, compliance, and other regulatory requirements. At the same time, large corporations are already running workloads in production. So how are they doing it? In this talk, we’ll go through some of the most common enterprise security requirements, discuss how you can use native Kubernetes features and other tools to meet these needs, and look at what, specifically, a security-focused company like Fleetsmith is doing.
Threat Actions This Week | DevSecOps: Developers play security offense
- Podcast
- Panel
- DevSecOps
We look for the balance between developers’ security responsibility and the security team. Maya Kaczorowski from Google, Shannon Lietz from Intuit and Larry Maccherone from Comcast help weigh the options.
On this week’s Kubernetes Podcast, your hosts talk to Maya Kaczorowski from Google Cloud about Kubernetes security, and look at announcements from Microsoft, Docker, Cisco and Spotify.
Maya Kaczorowski works on container security at Google. In a recent talk at KubeCon, Maya discussed runtime security of containers on Kubernetes. Maya joins the show to discuss container security, and what it means to software developers and operators.
OpenStack Summit 2018 | Engineering Container Security: Addressing the Unique Security Challenges of Containers at Scale in a Multi-Cloud World
- Container security
- Panel
With container adoption on the rise, new security strategies are needed to address the unique challenges that containers represent. In this panel discussion, container experts will discuss the security risks of containers and briefly examine many of the multiple approaches that can be taken to achieve security in a container-based environment and a hybrid cloud world.
OpenStack Summit 2018 | Container infrastructure keynote: Containers Should Contain …Right?
- Container security
- Keynote
Containers are increasingly being used to deploy applications, and with good reason — given their portability, simple scalability and lower management burden. But there’s one myth worth clearing up — containers do not provide an impermeable security boundary, nor do they aim to.
As public cloud adoption continues to accelerate, security becomes a top priority for many organizations. Maya Kaczorowski, Product Manager at Google Container Security, explains what security consisted of in legacy systems. We then talked about the security panorama in the cloud, specifically in containerized applications. Maya explained various security risks in these applications as well as solutions. One of these is gVisor, a new open source sandbox that provides secure isolation for containers.
Using containers, enterprises now have strong, secure-by-default primitives available for deploying apps to their infrastructure. Containers are enabling organizations to adopt better engineering practices like immutable infrastructure — increasing deployment agility and reducing mean time to patch. Companies are thinking strategically about how to securely manage their software supply chains. Moderated by eWeek’s Senior Editor, Sean Michael Kerner, collaborators in the container ecosystem will share how containers are revolutionizing the way apps are secured and how we can expect container security to evolve in the future. The panel will also touch on open source projects Notary, TUF, SPIFFE, and OPA.
KubeCon Europe 2018 | Kubernetes Runtime Security: What Happens if a Container Goes Bad? with Jen Tong
- Container security
Runtime security is about mitigating damage done when part of your deployment is compromised.
Google Cloud at KubeCon | Cloud SCC container security partners
- Container security
- Interview
At KubeCon + CloudNativeCon Copenhagen we announced that five container security companies have integrated their tools with the Cloud Security Command Center to help you better secure the containers you’re running on Kubernetes Engine. Our PM in container security, Maya Kaczorowski, will meet them to discuss their technical integrations.
The New Stack Pancake Breakfast at KubeCon | Securing #Kubernetes
- Container security
- Panel
To do cloud-native computing, you need to identify all your workloads, and, more importantly, they need the ability to identify each other, so they can work together in automated chains. To aid in this task, the Cloud Native Computing Foundation has adopted the open source SPIFFE specification, and its associated SPIRE runtime. SPIFFE provides a standard for securely identifying software components in heterogeneous IT systems and SPIRE is the engine that can make it happen (and, in this setup, CNCF’s Open Policy Agent [OPA] can enforce the authorization duties).
Panel discussion with women working in Google Cloud infrastructure and containers.
Google Cloud at KubeCon | Exploring Container Security: detect and manage an attack
- Container security
- Interview
You’ll soon be able to manage security alerts for your clusters in Cloud Security Command Center (Cloud SCC), a central place on Google Cloud Platform (GCP) to unify, analyze and view security data across your organization. Further, even though we just announced Cloud SCC a few weeks ago, already five container security companies have integrated their tools with Cloud SCC to help you better secure the containers you’re running on Google Kubernetes Engine.
Google Cloud Security Talks at RSA 2018 | Securing your infrastructure using open-source tools
- Open source security
- Panel
This panel will discuss open-source security tools that have been developed across the industry. We’ll discuss what tools already exist, difficulties in developing tooling for common infrastructure, and best practices for starting new projects. We’ll also discuss what gaps we’d like to see addressed for new projects.
Google Cloud Security Talks at RSA 2018 | Securing containers in production
- Open source security
- Panel
This panel will debate the responsibility model and discuss best practices for the container lifecycle: secure deployment, infrastructure components, and runtime. We’ll discuss an ideal model, what’s provided by Docker and Kubernetes, and unsolved problems. We’ll end with practical tips for securing containers in production today, threats we’ve seen in the wild, and what we hope to see next.
BSidesSF 2018 | Managing secrets in your cloud environment, with Evan Johnson
- Secret management
- Encryption
Applications often require access to sensitive data at build or run time, known as secrets. As a cloud application developer, you have many options to store these secrets, such as in code, environment variables, or purpose built solutions.
Google Cloud Montreal region opening | Security overview
- Infrastructure security
- Encryption
- French
Maya Kaczorowski, Google Cloud Security & Privacy Product Manager, speaks at the opening of the Google Cloud region in Montréal.
At Google Cloud, customer data is encrypted at rest by default. Check out our video to learn all about the mechanisms used by Google to encrypt data at rest.
Watch this video to learn how Google Cloud encrypts data as it moves within and across Google Cloud datacenters.
Google Cloud Summit Paris | Les leçons apprises de la sécurisation de Google et Google Cloud, with Fenitra Ravelomanantsoa
- Infrastructure security
- Encryption
- French
Personal data protection, compliance, and GDPR are central topics in which Google invests to secure Google applications and their users. Learn in more detail what Google does in terms of security.
Les Assises de la sécurité | Protecting data in Google’s Cloud, with Julien Blanchez
- Infrastructure security
- Encryption
- French
Maya and Julien talk about how Google protects the security of data.
Learn more about Google’s infrastructure security, including encryption, network protections, and containers.
Mundo Hacker Day 2017 | How Google encrypts data at rest at scale, with Julien Blanchez
- Infrastructure security
- Encryption
Maya and Julien talk about how Google encrypts data at rest, and other data security protections.
Can management of encryption keys be easier in the cloud than on-premise? During this video, Maya Kaczorowski discusses the continuum of encryption options available, from encryption of data at rest by default, to Cloud Key Management System, to Customer Supplied Encryption Keys. You’ll learn how our encryption tools allow management of your own keys, including generation, rotation and destruction of those keys. She also shares best practices for managing and securing secrets.
Cloudflare Crypto Meetup | How data at rest is encrypted in Google’s Cloud, at scale
- Encryption
How does Google encrypt data at rest? This talk will cover how Google shards and encrypts data by default, Google’s key management system, root of trust, and Google’s cryptographic library. Google Cloud Platform encrypts customer content stored at rest, without any action from the customer, using one or more encryption mechanisms. We will also discuss best practices in implementing encryption for your storage system(s).
Maya talks about how Google encrypts data, Google’s key management system, root of trust, and Google’s cryptographic library.
Maya will talk about how Google shards and encrypts data, Google’s key management system, root of trust, and Google’s cryptographic library. Google Cloud Platform encrypts customer content stored at rest, without any action from the customer, using one or more encryption mechanisms. Maya will also talk about best practices in implementing encryption for your storage system(s).