Natalie is a principal solutions engineer at Chainguard serving the public sector market. She spent years designing, building, and leading complex systems in regulated environments at a major systems integrator, but has also taken her career in many other directions - including detours into project management, systems engineering, and teaching.
She’s passionate about diversity in technology and empowering engineers to build better.
BSides Boulder (23 June) - A tour through the four questions outlined in the Threat Modeling Manifesto to produce an enterprise-ready threat model for implementing GitHub Actions securely. GitHub Actions is one of the most popular CI tools in use today. If you need or want to use it for business, though, there are many choices to make, and they have large implications for the information security and compliance posture of your organization. These questions only get harder as an organization adds users and projects, moves faster, and stops prioritizing security.
In this talk, we'll dive into what an Action really is, what goes into an Action from the marketplace, and demonstrate how each of the three types of Action can be exploited. For each exploit, we'll discuss a few control strategies to counter it.
CNCF CloudNativeSecurityCon North America (1 Feb) - A deep dive into the security considerations of running self-hosted GitHub Actions compute with actions-runner-controller. We'll review typical deployment architectures, then cover three distinct places where security risk and ease of use collide, with insight and resources for navigating each design choice. First, the cluster settings are examined to show methods for limiting the "blast radius" of a potential bad actor, along with the why and how of using privileged pods. Next, the controller settings are reviewed to show how to scope runner deployments and grant permissions within GitHub following least privilege. Lastly, the runner pod is taken apart to show how to build supply chain security into the runner image and into the software it builds for you.
Colorado Kubernetes & Cloud Native (21 Nov) - A summary of what an enterprise should think about when moving continuous integration workloads into containers orchestrated with Kubernetes - everything from the benefits and drawbacks of nested virtualization to the how and why of privileged pods - from the perspective of having done it a few times over.
- Slides, with writeup and links
Boulder Linux/Unix User Group (8 Sept) - A quick tour through the history of packaging software on Linux - from compiling it on each computer that uses it, to RPM and DEB packages, to snaps/flatpaks and containers on the desktop. This was a very interactive demo/talk running about an hour, and the conclusion changes every time, but it's sadly unrecorded.
- Makefile example walking through a modestly complex Makefile
- RPM example walking through the process of building RPMs from a source RPM
- DEB example walking through the contents of a DEB and the process of building one from a source tarball
Boulder Linux/Unix User Group (14 Oct) - … or building GitHub Actions compute on-premises without (many) tears
The source code repository for this talk isn't maintained. Please look to kubernoodles for a newer take on the same problem.