Natalie is a principal solutions engineer at Chainguard serving the public sector market. She spent years designing, building, and leading complex systems in regulated environments at a major systems integrator, but has also taken her career in many other directions - including detours into project management, systems engineering, and teaching.

She’s passionate about diversity in technology and empowering engineers to build better.

🎤 Sessionize profile


Whodunnit? A Git Repository Mystery

BSides Boulder (14 June) - With all the recent focus on software supply chain security, let’s look at the very far left of this process - how does git know who did what, when, where, and why?

It seems straightforward to assume that you have all of this information in a git repository, but that’s probably not the case. In this talk, we’ll walk through how to determine the answers to each of these questions, the edge cases and technical gotchas to watch out for, and why each is important to your company’s security posture.

  • Abstract on Sessionize
  • 🌻 Slides and writeup to be posted soon after the talk!
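
The core gotcha behind the “who” and “when” questions can be shown in a few lines of shell. The following is an added example, not code from the talk or its slides: it builds a throwaway repository, commits under a spoofed author name, e-mail and date (all constructed for this example), and then shows that `git log` faithfully reports whatever text it was given, while the signature status field is the only part that could actually be verified. It assumes `git` is on the path and that no global config forces commit signing.

```shell
#!/bin/sh
# Added example (not from the talk): git's author, committer and date fields are
# free text filled in by the committing machine. Nothing below needs a network.
set -eu

# Create a throwaway repository with one commit whose author field is spoofed.
# Every name, address and date here is constructed for this example.
make_spoofed_repo() {
  repo=$(mktemp -d)
  git -C "$repo" -c init.defaultBranch=main init -q
  # The committer identity comes from config; the author is overridden per commit.
  # Neither value is checked against anything, and the date is whatever we pass.
  git -C "$repo" \
      -c user.name="Actual Committer" -c user.email="committer@example.com" \
      -c commit.gpgsign=false \
      commit -q --allow-empty -m "harmless-looking change" \
      --author="Trusted Maintainer <maintainer@example.com>" \
      --date="2001-01-01T00:00:00+00:00"
  printf '%s\n' "$repo"
}

# Self-asserted author of HEAD: name and e-mail exactly as recorded.
claimed_author() {
  git -C "$1" log -1 --format='%an <%ae>'
}

# Self-asserted author date of HEAD in strict ISO 8601.
claimed_author_date() {
  git -C "$1" log -1 --format='%aI'
}

# Committer recorded on HEAD, which may differ from the author (rebases,
# cherry-picks, or simply a spoofed --author as above).
recorded_committer() {
  git -C "$1" log -1 --format='%cn <%ce>'
}

# Signature status of HEAD: G = good, B = bad, U = good but untrusted key,
# E = cannot be checked, N = no signature. Only a G ties the commit to a key;
# everything printed by the functions above is just text.
signature_status() {
  git -C "$1" log -1 --format='%G?'
}

# Audit helper: succeeds only when the commit carries a good signature.
author_is_verified() {
  [ "$(signature_status "$1")" = "G" ]
}

# Usage: build the spoofed repo and show what a reviewer of `git log` would see.
repo=$(make_spoofed_repo)
echo "author:    $(claimed_author "$repo") at $(claimed_author_date "$repo")"
echo "committer: $(recorded_committer "$repo")"
echo "signature: $(signature_status "$repo")"
if author_is_verified "$repo"; then
  echo "author identity is backed by a good signature"
else
  echo "author identity is unverified: treat the name and date as claims, not facts"
fi
```

The same check generalizes to a whole history with `git log --format='%H %G? %an <%ae>'`, which makes unsigned or badly signed commits stand out; a branch-protection rule that requires signed commits is the usual way to turn that audit into a gate.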

A Gentle Intro to Container Escapes and No-Clump Gravy

PancakesCon 5 (24 March) - Lots of security and sysadmin courses talk about a “container escape”, but what is that really? We’ll go over what a container is, demonstrate how to escape from it, and why that’s not a good thing. Then we’ll talk about common ways to prevent this exploit.

Next, stop ruining your gravy, pan sauces, etc. with clumpy flour or by adding so much that it becomes solid. Learn how to balance fat and flour for perfect pan gravy, then a couple of techniques for recovering just in case it wasn’t right the first time. 👩🏻‍🍳

  • Slides, with writeup and links
  • Video coming soon!


Threat Modeling the GitHub Actions Ecosystem


BSides Boulder (23 June) - A tour through the four questions outlined in the Threat Modeling Manifesto to provide an enterprise-ready threat model for implementing GitHub Actions securely. GitHub Actions is one of the most popular CI tools in use today. If you need or want to use it for business, though, there are a lot of choices to make that have huge implications for the information security and compliance posture of your organization. These questions get harder as users and projects multiply, teams move faster, and security slips down the priority list.

In this talk, we’ll dive deep into what an Action really is, what goes into an Action out of the marketplace, and how each of the three types of Action can be exploited with a demonstration. With each exploit, a few control strategies will be discussed to counter it.

Securing Self-Hosted GitHub Actions with Kubernetes and Actions-Runner-Controller


CNCF CloudNativeSecurityCon North America (1 Feb) - A deep dive into the security considerations of running self-hosted GitHub Actions compute with actions-runner-controller. We’ll review typical deployment architectures, then cover three distinct places where security risk and ease of use collide, with insight and resources for navigating these design choices. First, the cluster settings are examined to show methods for limiting the “blast radius” of a potential bad actor and to explain the why and how of using privileged pods. Next, the controller settings are reviewed for how to scope runner deployments and grant permissions within GitHub to achieve least privilege. Lastly, the runner pod is taken apart to show how to build supply chain security into the image and into the software it builds for you.


Containerized CI at an Enterprise Scale

Colorado Kubernetes & Cloud Native (21 Nov) - Let’s summarize what to think about as an enterprise moving continuous integration workloads into containers orchestrated with Kubernetes - everything from the benefits and drawbacks of nested virtualization to the how and why of privileged pods - from the perspective of having done the thing a few times over!

  • Slides, with writeup and links

Linux Software Packaging, maybe in a nutshell

Boulder Linux/Unix User Group (8 Sept) - A quick tour through the history of packaging software in Linux - moving from compiling it on each computer that uses it, to RPM and DEB packages, to snaps/flatpaks and containers on the desktop. This was a very interactive demo/talk of about an hour, and the conclusion changes every time, but it’s sadly unrecorded.



… or building GitHub Actions compute on-premises without (many) tears (14 Oct) at the Boulder Linux/Unix User Group

The above source code repository isn’t maintained. Please look to kubernoodles for a newer take on the same problem.


Getting Started in DevSecOps in a Regulated Environment

DevSecOps Days Denver 2020

This post is licensed under CC BY 4.0 by the author.