
It's just a jump to the left: the Time Warp of DevSecOps.

We bought into the Emperor's New DevOps, so we're secure now, right? Well, maybe, maybe not. Let's talk about what security is and isn't in this new era of Cloud and Kubernetes-first, platform-engineered systems. How everyone seems to think "Shift left" means exactly one thing, and then they're done? What threats are actually likely, and how are they not the ones you're being sold on? Yes, marketing is still very effective in the security space! How to strike the balance between exact security "best practice" overhead and workable security.


Bea Hughes

June 17, 2026


Transcript

  1. It's just a jump to the left: the Time Warp of DevSecOps.

     • Chapter 1: Security vs. Compliance
     • Chapter 2: Containers for production
     • Chapter 3: Compartmentalisation
     • Conclusion

     DevOpsCon Berlin 2026 | infosec.exchange/@bea | [email protected]
  2. Who's this clown?

     • Staff Security Engineer at Color.
     • Various securities at PagerDuty, Stripe, Etsy.
     • Operations engineer at Puppet once upon a time.
     • Is in a book: Tribe of Hackers Blue Team: Tribal Knowledge from the Best in Defensive Cybersecurity
     https://xcancel.com/skullmandible/status/411281851131523072
  3. Firstly, a definition

     Supply Chain Attack: this is when some company/group/person you don't pay any money or support to for the software they've written and released is compromised, and your company eagerly downloads their software with some expectation of integrity or updates, in spite of the license saying exactly the opposite.
  4. Chapter 1: Security vs. Compliance

     This is a security talk, despite talking about CVEs.
  5. • Compliance tries to prevent what the most basic attacker would possibly do.
     • Security dreams up what the most advanced [hypothetical] attacker could possibly do.
  6. Security vs. Compliance

     Compliance is rooted in legal. When the bad thing happens, you have contracts and agreements to face; people can face real consequences, even go to jail/prison*.
  7. Security is hopefully not rooted. (jokes! I said there'd be jokes!)
  8. Security is trying to keep people out, and your data in.
  9. - Compliance is a sign saying "Trespassers will be prosecuted"
     - Security is a fence and some locks.
  10. "But we have to be compliant"

      So what do we do? We "Shift Left™"!
  11. Shift left!

      • Step 1: Buy an incredibly expensive vuln scanner.
      • Alternate step 1: get a cheap open source loss-leader vuln scanner.
      • Step 2: Annoy developers by making it block PRs with any vulns in.
  12. "But security was solved 5 years ago?" SBOMs!

      Media Type                              Format
      application/vnd.cyclonedx+xml           XML
      application/vnd.cyclonedx+json          JSON
      application/x.vnd.cyclonedx+protobuf    Protocol Buffer

      (From the thrilling bedtime reading of https://github.com/CycloneDX/specification)
  13. Shift left!

      • ❌ Step 1: Buy an incredibly expensive vuln scanner.
      • ✅ Alternate step 1: get a cheap open source loss-leader vuln scanner.
      • # Step 2: Annoy developers by making it block PRs with any vulns in.
  14. Chapter 2: Containers for production

      <it's 2026, you're not getting a stock image of a bunch of containers on a cargo ship>
  15. How do we... stop developers pushing more code to production?

      Just in case they accidentally fix a problem? (okay, or make it worse. Let's assume both are equal? sure)
  16. Container scanning on PR

      This works great...
      • so long as you don't have anything legacy
      • on new fresh repos with the latest packages
      • if developers know what to do with it?
  17. Make your scanner upload some SARIF files

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/[email protected]
        with:
          image-ref: 'bigevilcorp/myancientcontainer:Final (copy)-backup.docx'
          format: 'sarif'
          output: 'trivy-results.sarif'
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v4
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'
  18. So you think, throw it in the PR

      - name: Scan image with Trivy
        uses: aquasecurity/[email protected]
        with:
          image-ref: 'bigevilcorp/myancientcontainer:Final (copy)-backup.docx'
          format: "table"
          output: trivy-result.txt
      - name: Format Trivy Scan Result
        run: |
          out='formatted-trivy-result.md'
          echo -e "## Vulnerability Scan Results\nNo vulnerabilities were detected." > $out
          [ -s trivy-result.txt ] && \
            { echo -e "## Vulnerability Scan Results\n<details><summary>Details</summary>" ;
              echo -e "\n\n\`\`\`\n$( cat trivy-result.txt)\n\`\`\`\n</details>" ;} > $out
      - name: Comment PR with Trivy scan results
        uses: marocchino/sticky-pull-request-comment@v3
        with:
          path: formatted-trivy-result.md
  19. Shift left!

      1. So now we've shifted left!
      2. And pushed all the problems to the developer.
      3. With absolutely no indication of what to prioritise.
      4. Or how to go about fixing it!
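The PR comment on the previous slides dumps the whole Trivy table on the developer with no ordering. The script below is an added example (not from the talk, and not Trivy's or the action's own code) of what the "Format Trivy Scan Result" step could do instead: read the JSON that `trivy image --format json` writes, reproduce the per-severity "Total: N (...)" line, separate findings that have a fix from those that don't (the ones `--ignore-unfixed` hides), and group the fixable ones by package upgrade so the developer sees which single bump closes the most serious CVEs. The report is constructed for the example and its vulnerability IDs are placeholders; the field names (`Results[].Vulnerabilities[]` with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`) follow Trivy's JSON schema as I understand it, which is an assumption about the Trivy version in use.

```python
"""Triage a Trivy JSON report into an upgrade plan for a PR comment (added example)."""
import json
from collections import Counter, defaultdict

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]
SEVERITY_RANK = {s: i for i, s in enumerate(SEVERITY_ORDER)}

# Constructed sample in the shape of `trivy image --format json` output.
# IDs are placeholders, not real CVEs; versions are illustrative.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "bigevilcorp/myancientcontainer:Final (copy)-backup.docx",
    "Results": [
        {"Target": "bigevilcorp/myancientcontainer (debian 11.9)", "Type": "debian",
         "Vulnerabilities": [
             {"VulnerabilityID": "EXAMPLE-CVE-1", "PkgName": "libssl1.1",
              "InstalledVersion": "1.1.1d-0", "FixedVersion": "1.1.1n-0", "Severity": "CRITICAL"},
             {"VulnerabilityID": "EXAMPLE-CVE-2", "PkgName": "libssl1.1",
              "InstalledVersion": "1.1.1d-0", "FixedVersion": "1.1.1n-0", "Severity": "HIGH"},
             {"VulnerabilityID": "EXAMPLE-CVE-3", "PkgName": "bash",
              "InstalledVersion": "5.0-4", "FixedVersion": "", "Severity": "LOW"},
             {"VulnerabilityID": "EXAMPLE-CVE-4", "PkgName": "libc6",
              "InstalledVersion": "2.28-10", "FixedVersion": "2.28-10+deb10u2", "Severity": "MEDIUM"},
         ]},
        {"Target": "app/package-lock.json", "Type": "npm",
         "Vulnerabilities": [
             {"VulnerabilityID": "EXAMPLE-CVE-5", "PkgName": "lodash",
              "InstalledVersion": "4.17.15", "FixedVersion": "4.17.21", "Severity": "HIGH"},
         ]},
    ],
})


def load_findings(report_json):
    """Flatten Results[].Vulnerabilities[] into one list, tagging each finding with its Target."""
    findings = []
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:   # Trivy omits the key when a target is clean
            findings.append({
                "id": v["VulnerabilityID"],
                "pkg": v["PkgName"],
                "installed": v.get("InstalledVersion", ""),
                "fixed": v.get("FixedVersion") or "",
                "severity": v.get("Severity", "UNKNOWN"),
                "target": result.get("Target", ""),
            })
    return findings


def summary_line(findings):
    """Render the same one-line summary Trivy's table output prints."""
    counts = Counter(f["severity"] for f in findings)
    parts = ", ".join(f"{s}: {counts.get(s, 0)}" for s in SEVERITY_ORDER)
    return f"Total: {len(findings)} ({parts})"


def split_fixable(findings):
    """Findings with a FixedVersion are actionable now; the rest is what --ignore-unfixed drops."""
    fixable = [f for f in findings if f["fixed"]]
    unfixed = [f for f in findings if not f["fixed"]]
    return fixable, unfixed


def upgrade_plan(findings):
    """Group fixable findings by (target, pkg, from, to): one upgrade usually closes several CVEs.
    Ordered by the worst severity each upgrade closes, then by how many it closes."""
    groups = defaultdict(list)
    for f in findings:
        if f["fixed"]:
            groups[(f["target"], f["pkg"], f["installed"], f["fixed"])].append(f)
    plan = []
    for (target, pkg, installed, fixed), items in groups.items():
        worst = max(items, key=lambda f: SEVERITY_RANK[f["severity"]])["severity"]
        plan.append({"target": target, "pkg": pkg, "from": installed, "to": fixed,
                     "closes": sorted(f["id"] for f in items), "max_severity": worst})
    plan.sort(key=lambda p: (-SEVERITY_RANK[p["max_severity"]], -len(p["closes"]), p["pkg"]))
    return plan


def render_comment(report_json):
    """Markdown body for the sticky PR comment: totals first, then the ordered upgrade list."""
    findings = load_findings(report_json)
    fixable, unfixed = split_fixable(findings)
    lines = ["## Vulnerability Scan Results", summary_line(findings),
             f"Fixable now: {len(fixable)} | No fix yet (hidden by --ignore-unfixed): {len(unfixed)}", ""]
    for p in upgrade_plan(findings):
        lines.append(f"- [{p['max_severity']}] {p['pkg']} {p['from']} -> {p['to']} "
                     f"({p['target']}) closes {', '.join(p['closes'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_comment(SAMPLE_REPORT))
```

In the workflow this replaces the `format: "table"` step with `format: json` and pipes the file through `render_comment`; the sorting puts the one `libssl1.1` bump that closes a CRITICAL and a HIGH at the top, which is the prioritisation the slide says developers never get.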
  20. Shift the blame left!

      Let's look at the manual steps that literally no one but me should be going through to fix this. (Examples are all Docker containers with JavaScript, but it's all generic)
  21. FROM node:20.11.1-bullseye as build
      # WORKDIR added: Stage 2 copies from /app/build, so the build has to land there
      WORKDIR /app
      COPY . ./
      RUN npm install && npm run build

      #### Stage 2: Serve the JS application from nginx
      FROM nginx:1.17.2
      # Copy the react build from Stage 1
      COPY --from=build /app/build /var/www
      # Copy our custom nginx config
      COPY nginx.conf /etc/nginx/nginx.conf
  23. Keeping up with the Joneses

      FROM node:20-bullseye as build
      [snip]
      #### Stage 2: Serve the JS application from nginx
      FROM nginx:stable
      [snip]
  24. Keeping up with the Joneses

      "RepoTags": [
        "nginx:1.30.2",
        "nginx:stable"
      ],
      "RepoDigests": [
        "nginx@sha256:42ff6c6704359b80306f35a0c7bb0bbc9b65a058e63f0cc1e91a48fd22e3e1e5"
      ],
      "Created": "2026-05-22T18:25:59.231195374Z",
      "Config": {
        "Env": [
          "NGINX_VERSION=1.30.2",
  25. "But it will break!!!1"

      Right, so you test it? You are testing your containers, right? Not just the code you put in it? You are testing your containers before you deploy them...?
  26. BUT ZOMG SUPPLY CHAIN ATTACKS!!!!!!!!!11111

      Container registry tags aren't a real thing. They're merely a string.

      TeamPCP> docker tag malware_image nginx:1.17.837 \
        && docker push nginx:1.17.837
      TeamPCP> docker tag malware_image nginx:1.17.2 \
        && docker push nginx:1.17.2
  27. BUT ZOMG SUPPLY CHAIN ATTACKS!!!!!!!!!11111

      "We pin every container image to an immutable SHA256 to avoid supply chain attacks!"
      vs.
      "Every single thing in our entire image is out of date and vulnerable."
  28. BUT ZOMG SUPPLY CHAIN ATTACKS!!!!!!!!!11111 SHA256 "Versioning"

      FROM node@sha256:c0122351f25f04facee976f9db7214789eabadb489f4e4aea9cd00a0d6af77c4 as build
      [snip]
      #### Stage 2: Serve the JS application from nginx
      FROM nginx@sha256:42ff6c6704359b80306f35a0c7bb0bbc9b65a058e63f0cc1e91a48fd22e3e1e5
  29. BUT ZOMG SUPPLY CHAIN ATTACKS!!!!!!!!!11111 "German Versioning"

      FROM node@sha256:c0122351f25f04facee976f9db7214789eabadb489f4e4aea9cd00a0d6af77c4 as build
      [snip]
      #### Stage 2: Serve the JS application from nginx
      FROM nginx@sha256:42ff6c6704359b80306f35a0c7bb0bbc9b65a058e63f0cc1e91a48fd22e3e1e5
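The slides above show the two extremes: a bare tag (a mutable string anyone with push rights can repoint) and a bare digest (immutable, but unreadable and, without an updater, frozen forever). The script below is an added example, not the talk's own tooling, of the middle ground a repo linter can enforce: audit every `FROM` in a Dockerfile for tag-only or untagged references, and rewrite them as `name:tag@sha256:...` so the tag stays for humans and the digest is what the build actually resolves. The Dockerfile is constructed after the talk's two-stage build; the two digests are the ones the talk's `docker inspect` and digest-pinned slides show. The FROM parsing (`--platform`, `AS` stages, registry ports) is my own reading of the Dockerfile syntax.

```python
"""Audit and pin Dockerfile FROM lines to name:tag@digest (added example)."""
import re

# FROM [--platform=<p>] <ref> [AS <stage>]; Dockerfile instructions are case-insensitive.
FROM_RE = re.compile(
    r"^(?P<head>\s*FROM\s+(?:--platform=\S+\s+)?)(?P<ref>\S+)"
    r"(?P<tail>(?:\s+AS\s+(?P<stage>\S+))?\s*)$",
    re.IGNORECASE,
)

# Digests as shown on the talk's slides for these two tags at the time of the talk.
DIGESTS = {
    "node:20-bullseye": "sha256:c0122351f25f04facee976f9db7214789eabadb489f4e4aea9cd00a0d6af77c4",
    "nginx:stable": "sha256:42ff6c6704359b80306f35a0c7bb0bbc9b65a058e63f0cc1e91a48fd22e3e1e5",
}

# Constructed Dockerfile modelled on the talk's build-then-serve example.
SAMPLE_DOCKERFILE = """\
FROM node:20-bullseye as build
WORKDIR /app
COPY . ./
RUN npm install && npm run build

#### Stage 2: Serve the JS application from nginx
FROM nginx:stable
COPY --from=build /app/build /var/www
"""


def parse_ref(ref):
    """Split an image reference into (name, tag, digest).
    A ':' only counts as the tag separator if it comes after the last '/', so
    'localhost:5000/nginx' keeps its registry port and has no tag."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    slash, colon = ref.rfind("/"), ref.rfind(":")
    if colon > slash:
        return ref[:colon], ref[colon + 1:], digest
    return ref, None, digest


def audit_dockerfile(text):
    """Return (line_no, ref, status) for every FROM that names a registry image.
    status: 'pinned' (has a digest), 'untagged' (no tag or :latest), 'tag-only' (mutable string).
    A FROM that names an earlier build stage is skipped."""
    stages, findings = set(), []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        if ref in stages:          # e.g. "FROM build": refers to a stage, not an image
            continue
        if m.group("stage"):
            stages.add(m.group("stage"))
        name, tag, digest = parse_ref(ref)
        if digest:
            status = "pinned"
        elif tag is None or tag == "latest":
            status = "untagged"
        else:
            status = "tag-only"
        findings.append((line_no, ref, status))
    return findings


def pin_dockerfile(text, digests):
    """Rewrite each unpinned FROM whose name:tag is in `digests` as name:tag@digest.
    Everything else on the line (platform flag, AS stage, spacing) is preserved."""
    out = []
    for line in text.splitlines():
        m = FROM_RE.match(line)
        if m:
            name, tag, digest = parse_ref(m.group("ref"))
            key = f"{name}:{tag}" if tag else name
            if digest is None and key in digests:
                line = f"{m.group('head')}{key}@{digests[key]}{m.group('tail')}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for line_no, ref, status in audit_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {line_no}: {ref} [{status}]")
    print(pin_dockerfile(SAMPLE_DOCKERFILE, DIGESTS))
```

Run as a pre-commit check, `audit_dockerfile` fails the commit on anything other than `pinned`; `pin_dockerfile` is the fix step, fed from `docker inspect --format '{{index .RepoDigests 0}}'` or from whatever your updater (Renovate, in the talk's case) resolved, so the digest moves only when a human or a bot deliberately bumps it.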
  30. Dependabot, no, 'tis a silly place

      • Really opaque errors when it doesn't work.
      • Hard to get support for, unless you throw more money at GitHub.
      • Only works if you use GitHub, (hopefully obviously).
      • GitHub don't like monorepos. It has struggled in them in the past.
      • ( ! Relies on GitHub being online )
  31. Renovations!

      node@sha256:c0122351f25f04facee976f9db7214789eabadb489f4e4aea9cd00a0d6af77c4 node:20-bullseye:
      Total: 733 (UNKNOWN: 1, LOW: 35, MEDIUM: 546, HIGH: 148, CRITICAL: 3)
      Total: 15 (UNKNOWN: 0, LOW: 2, MEDIUM: 2, HIGH: 11, CRITICAL: 0)

      node@sha256:980c5420a7a2ddcb44037726977f2a349e5c7b64217516c7488dce4c74d71583 node:26.2.0:
      Total: 292 (UNKNOWN: 0, LOW: 2, MEDIUM: 242, HIGH: 46, CRITICAL: 2)
      Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)

      (Output courtesy of trivy image --ignore-unfixed --scanners vuln)
  32. What's better than 300 CVEs?

      node@sha256:980c5420a7a2ddcb44037726977f2a349e5c7b64217516c7488dce4c74d71583 node:26.2.0:
      Total: 292 (UNKNOWN: 0, LOW: 2, MEDIUM: 242, HIGH: 46, CRITICAL: 2)
      Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)
  33. What's better than 300 CVEs?

      Image: node:26.2.0-trixie
      Size: 1.16G
      Node version: v26.2.0
      Trivy vuln findings:
      Total: 292 (UNKNOWN: 0, LOW: 2, MEDIUM: 242, HIGH: 46, CRITICAL: 2)
      Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)

      Image: node:26.2.0-alpine
      Size: 168.60M
      Node version: v26.2.0
      Trivy vuln findings:
      Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)
  34. <Kylo Ren's "More, More!" but sadly copyrighted>

      Image: cgr.dev/chainguard/node:latest
      Size: 169.17M
      Node version: v26.2.0
      Trivy vuln findings:

      > trivy image --ignore-unfixed --skip-version-check --quiet --scanners vuln cgr.dev/chainguard/node:latest
      +-------------------------------------------------+-------+-----------------+
      | Target                                          | Type  | Vulnerabilities |
      +-------------------------------------------------+-------+-----------------+
      | cgr.dev/chainguard/node:latest (wolfi 20230201) | wolfi | 0               |
      +-------------------------------------------------+-------+-----------------+
      Legend: '0': Clean (no security findings detected)
  35. Meanwhile, back at stately Wayne Manor

      Of course, this doesn't apply to anyone here. You all work in Business™, and thus use Java. And all your images are 20GB. And full of Business Logic.
  36. But another world is possible

      > docker run -it --rm cgr.dev/chainguard/jre:latest --version
      openjdk 26.0.1 2026-04-21
      OpenJDK Runtime Environment openjdk-26-26.0.1-r2 (build 26.0.1+-wolfi-r2)
      OpenJDK 64-Bit Server VM openjdk-26-26.0.1-r2 (build 26.0.1+-wolfi-r2)
      > docker inspect --format "{{ .Size }}" cgr.dev/chainguard/jre:latest \
        | numfmt --to iec --format "%.2f"
      309.82M
  37. Renovate vs. Supply Chain Attacks

      https://docs.renovatebot.com/configuration-options/#minimumreleaseage

      {
        '$schema': 'https://docs.renovatebot.com/renovate-schema.json',
        extends: ['config:recommended'],
        dependencyDashboard: true,
        minimumReleaseAge: '1 day', // updates must be at least a day old!
      }
  38. pnpm vs. Supply Chain Attacks

      > cat pnpm-workspace.yaml
      # in minutes, also the default
      minimumReleaseAge: 1440
      # don't ignore the above setting, lmao
      minimumReleaseAgeStrict: true

      pnpm's docs on minimumReleaseAgeStrict
  39. rubby vs. Supply Chain Attacks

      > head -5 Gemfile | grep -m 1 ^source
      source "https://beta.gem.coop/cooldown"

      The gem.coop public cooldown server hides gems until they have been published for 48 hours.
      — gem.coop/docs/cooldowns
  40. Other ecosystems vs. Supply Chain Attacks

      The blog post on We should all be using dependency cooldowns
      • Python, Rust, .NET, yarn, Go, GitHub Actions are all mentioned in cooldowns-redux#ecosystem-updates
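The three previous slides configure the same control in three tools: a release has to be at least N minutes old before it is eligible, which is what turns a freshly published malicious version into a version nobody installs before it is pulled. To make the semantics concrete, here is an added example, my own code rather than pnpm's, Renovate's or gem.coop's, of a cooldown-aware resolver over a constructed registry: it picks the newest version that satisfies the range and is older than the cooldown, and the `strict` flag decides what happens when nothing qualifies. The assumed non-strict behaviour (fall back to the newest matching version and flag that the cooldown was bypassed) versus strict (refuse) is how I read the pnpm slide's "don't ignore the above setting"; treat it as the concept, not a claim about pnpm's exact implementation. The range matcher only understands exact, `^`, `~` and `*`.

```python
"""Dependency cooldown resolver: newest version that is old enough to trust (added example)."""
from datetime import datetime, timedelta, timezone


def parse_version(v):
    """'1.4.2' -> (1, 4, 2); enough for the sample registry, not a full semver parser."""
    return tuple(int(part) for part in v.split("."))


def satisfies(version, spec):
    """Tiny range matcher: exact '1.4.2', '^1.4.0' (same major), '~1.4.0' (same major.minor), '*'."""
    v = parse_version(version)
    if spec == "*":
        return True
    if spec[0] in "^~":
        base = parse_version(spec[1:])
        keep = 1 if spec[0] == "^" else 2          # how many leading components must match
        return v[:keep] == base[:keep] and v >= base
    return v == parse_version(spec)


def resolve(versions, spec, min_age, now, strict=False):
    """Choose a version from {version: published_at} honouring a minimum release age.

    Returns {"version", "held_back", "cooldown_bypassed"}:
      - version: newest matching version published at least `min_age` before `now`,
        or None if strict and nothing qualifies;
      - held_back: matching versions that are still inside the cooldown window;
      - cooldown_bypassed: True only in non-strict mode when no version was old enough
        and the newest matching one was taken anyway (the assumed non-strict fallback).
    """
    cutoff = now - min_age
    matching = sorted((v for v in versions if satisfies(v, spec)),
                      key=parse_version, reverse=True)
    eligible = [v for v in matching if versions[v] <= cutoff]
    held_back = [v for v in matching if versions[v] > cutoff]
    if eligible:
        return {"version": eligible[0], "held_back": held_back, "cooldown_bypassed": False}
    if held_back and not strict:
        return {"version": held_back[0], "held_back": held_back, "cooldown_bypassed": True}
    return {"version": None, "held_back": held_back, "cooldown_bypassed": False}


# Constructed registry metadata for a hypothetical package "example-lib".
NOW = datetime(2026, 6, 17, 12, 0, tzinfo=timezone.utc)
EXAMPLE_LIB = {
    "1.4.0": NOW - timedelta(days=30),
    "1.4.1": NOW - timedelta(days=10),
    "1.4.2": NOW - timedelta(hours=2),   # published two hours ago: inside the window
    "2.0.0": NOW - timedelta(hours=1),
}
COOLDOWN = timedelta(minutes=1440)      # the pnpm slide's default: one day


if __name__ == "__main__":
    for spec, strict in [("^1.4.0", True), ("1.4.2", False), ("1.4.2", True), ("^2.0.0", True)]:
        print(spec, "strict" if strict else "lenient", resolve(EXAMPLE_LIB, spec, COOLDOWN, NOW, strict))
```

The `"1.4.2"` exact-pin case is the one that matters: a lockfile bump to a two-hour-old release is exactly what a compromised maintainer account produces, and only the strict mode turns that into a failed install rather than a warning.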
  41. S3 "But it's encrypted"

      > aws s3api get-bucket-encryption --bucket bea-devopscon-berlin-2026-demo7 \
        --query 'ServerSideEncryptionConfiguration.Rules[0]'
      {
        "ApplyServerSideEncryptionByDefault": {
          "SSEAlgorithm": "AES256"
        },
        "BucketKeyEnabled": true,
        "BlockedEncryptionTypes": {
          "EncryptionType": [
            "SSE-C"
          ]
        }
      }
  42. So let me get this straight, you have to

      1. find out which AWS building your data is in.
      2. break in.
      3. find where the S3 arrays are.
      4. decode their aisle / rack / chassis encoding scheme.
      5. work out which drive it is.
      6. exfil that.

      Per blob you've uploaded to a bucket.
  43. S3 "But it's encrypted"

      "So are you saying don't encrypt?!" NO! Because you can't anyway.
  44. S3 "But Encrypt more!"

      • AWS KMS
      • GCP Cloud Key Management Service
      • Azure Key Vault for Clippy

      So that if you mess up bucket ACLs, or make it public, or leak a key, the data is still protected!
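The slide's `get-bucket-encryption` output says "AES256", which looks reassuring until you notice that it is SSE-S3: the key belongs to S3, so every principal that can `GetObject` gets plaintext and none of the failure modes on this slide (bad ACL, public bucket, leaked credential) is mitigated. The check below is an added example, not the talk's own tooling, that reads a rule in the shape the slide shows and says which threat it actually covers; the weak rule is the one from the slide, the corrected rule is constructed with a placeholder KMS key ARN. The interpretation of the modes is mine: SSE-S3 covers the at-rest case only, SSE-KMS with an AWS managed key adds CloudTrail visibility but no access control you can tighten, and SSE-KMS with a customer managed key is the one where the key policy still gates reads after the bucket policy has failed.

```python
"""Classify an S3 default-encryption rule by the threat it actually mitigates (added example)."""

# The rule from the talk's slide: SSE-S3, i.e. AES256 with an S3-managed key.
WEAK_RULE = {
    "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"},
    "BucketKeyEnabled": True,
    "BlockedEncryptionTypes": {"EncryptionType": ["SSE-C"]},
}

# Constructed corrected rule: SSE-KMS with a customer managed key (placeholder ARN).
STRONG_RULE = {
    "ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:eu-central-1:111122223333:key/00000000-0000-0000-0000-000000000000",
    },
    "BucketKeyEnabled": True,
}


def assess_rule(rule):
    """Return {"mode", "risks", "notes", "ok"} for one ServerSideEncryptionConfiguration rule.

    mode is one of NONE, SSE-S3, SSE-KMS-AWS-MANAGED, SSE-KMS-CMK; ok is True only for the
    customer managed key case, where a read needs kms:Decrypt on a key whose policy you control.
    """
    sse = rule.get("ApplyServerSideEncryptionByDefault") or {}
    algo = sse.get("SSEAlgorithm")
    key_id = sse.get("KMSMasterKeyID")
    risks, notes = [], []

    if algo == "AES256":
        mode = "SSE-S3"
        risks.append("S3 holds the key: any principal with s3:GetObject receives plaintext, "
                     "so a wrong ACL, a public bucket or a leaked credential is not mitigated.")
        risks.append("Covers only the at-rest threat (physical media), which is the one the talk "
                     "argues is not the realistic attack.")
    elif algo in ("aws:kms", "aws:kms:dsse"):
        if key_id:
            mode = "SSE-KMS-CMK"
            notes.append("Reads require kms:Decrypt on the named key; scope the key policy to the "
                         "roles that should read the bucket, and key use is logged in CloudTrail.")
        else:
            mode = "SSE-KMS-AWS-MANAGED"
            risks.append("Uses the AWS managed aws/s3 key, whose policy cannot be tightened: "
                         "S3 permissions alone still decide who can decrypt.")
    else:
        mode = "NONE"
        risks.append("No default encryption rule present.")

    if rule.get("BucketKeyEnabled"):
        notes.append("Bucket key enabled: fewer KMS calls, no change to who can decrypt.")
    blocked = (rule.get("BlockedEncryptionTypes") or {}).get("EncryptionType") or []
    if "SSE-C" in blocked:
        notes.append("SSE-C blocked: clients cannot upload with keys the bucket owner never sees.")

    return {"mode": mode, "risks": risks, "notes": notes, "ok": mode == "SSE-KMS-CMK"}


def report(rule):
    """Human-readable one-screen summary of assess_rule()."""
    r = assess_rule(rule)
    lines = [f"mode: {r['mode']}  ok: {r['ok']}"]
    lines += [f"  RISK: {x}" for x in r["risks"]]
    lines += [f"  note: {x}" for x in r["notes"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(WEAK_RULE))
    print(report(STRONG_RULE))
```

Wire `assess_rule` to the output of `aws s3api get-bucket-encryption` for every bucket in the account and the buckets worth a conversation are the ones where `ok` is false and the data is not public by design.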
  45. Concludé

      1. Compliance and security aren't the same team, nor interchangeable.
      2. Regulation probably isn't going to save us.
      3. Nor has giving Cisco/CloudStrike/Wiz/Palo Alto/Tenable/Rapid7 infinite money for CNAPPs.
  46. Concludé

      1. If your software is never getting updated, use tags like stable or lts.
      2. If it's getting updated too often, and getting "Mini Shai-Hulud"-ed, pin digests.
      3. Either way, test your containers, not just your code!
      4. Make your containers smaller & then have fewer things to update.
  47. Concludé

      1. Software needs updating, always, but we can use software to do that!
      2. And avoid "supply chain" attacks on the way.
      3. LLMs might help you, and it might also enthusiastically hinder you in that.
  48. Concludé

      1. Encryption at rest only matters if the thing rests.
      2. You can still encrypt it yourself, and it's easier than ever.
      3. I really need to cancel my credit card.
  49. Reading list of things mentioned but not explained (page 1)

      • Docker Docs - Immutable tags
      • Renovate Docs - Installing and onboarding
      • Cooldowns.dev more evolving Cooldowns talk
      • grype scanner by Anchore
      • trivy scanner by AquaSecurity
      • Chainguard images
  50. Reading list of things mentioned but not explained (page 2)

      • The Missing GitHub Status Page
      • Unsplash - Free use images used in this talk
      • Beautiful slides made by Deckset