Natalie is a principal solutions engineer at Chainguard serving the public sector market. She spent years designing, building, and leading complex systems in regulated environments at a major systems integrator, but has also taken her career in many other directions - including detours into project management, systems engineering, and teaching.

She’s passionate about diversity in technology and empowering engineers to build better.

🎤 Sessionize profile


Threat Modeling the GitHub Actions Ecosystem


BSides Boulder (23 June) - A tour through the four questions outlined in the Threat Modeling Manifesto to provide an enterprise-ready threat model for implementing GitHub Actions securely. GitHub Actions is one of the most popular CI tools in use today. If you need or want to use it for business, though, there are a lot of choices to make that have huge implications to the information security and compliance posture of your organization. These questions get harder with more users and projects, moving faster and not prioritizing security.

In this talk, we’ll dive deep into what an Action really is, what goes into an Action out of the marketplace, and how each of the three types of Action can be exploited with a demonstration. With each exploit, a few control strategies will be discussed to counter it.

Securing Self-Hosted GitHub Actions with Kubernetes and Actions-Runner-Controller


CNCF CloudNativeSecurityCon North America (1 Feb) - A deep dive into the security considerations of running self-hosted GitHub Actions compute with actions-runner-controller. We’ll review typical deployment architectures, then cover 3 distinct places where security risk and ease of use collide with insight and resources for navigating these design choices. First the cluster settings are examined to show methods to limit the “blast radius” of a potential bad actor and provide insight into the why and how of using privileged pods. Next, the controller settings are reviewed for how to scope runner deployments and grant permissions within GitHub to provide least-privilege. Lastly, the runner pod is taken apart to show how to build supply chain security into the image and the software it builds for you.


Containerized CI at an Enterprise Scale

Colorado Kubernetes & Cloud Native (21 Nov) - Let’s summarize what to think about as an enterprise moving continuous integration workloads into containers orchestrated with Kubernetes - everything from the benefits and drawbacks of nested virtualization to the how and why of privileged pods - from the perspective of having done the thing a few times over!

  • Slides, with writeup and links

Linux Software Packaging, maybe in a nutshell

Boulder Linux/Unix User Group (8 Sept) - A quick tour through the history of packaging software in Linux - moving from compiling it at each computer using it, to RPM and DEB packages, to snaps/flatpaks and containers on the desktop. This was a very interactive demo/talk at about an hour and the conclusion changes every time, but it’s sadly unrecorded.



… or building GitHub Actions compute on-premises without (many) tears (14 Oct) at the Boulder Linux/Unix User Group

The above source code repository isn’t maintained. Please look to kubernoodles for a newer take on the same problem.


Getting Started in DevSecOps in a Regulated Environment

DevSecOps Days Denver 2020