2025-08-06 –, Florentine E
Syscall filtering with seccomp is one of the most effective defenses for containerized workloads, but despite its power, it's underused, misunderstood, or plain painful to deploy at scale.
This talk goes beyond theory: we'll get hands-on with practical seccomp profile generation, live demos of defending real vulnerable apps, and show how syscall filtering can contain actual exploits — using an Apache Druid vulnerability as a live case study.
You'll leave knowing not just why seccomp matters but also how to build, tune, and deploy real-world profiles with open-source tools like Kubescape and how to avoid the common traps that derail seccomp adoption in production.
Containers have transformed how we build and deploy applications, but the attack surface at runtime remains dangerously exposed in many environments. Seccomp, Linux’s built-in syscall filtering mechanism, offers a powerful way to reduce that surface, but it’s often seen as too painful or risky to apply in production. This talk takes a practical, hands-on approach to solving that.
We'll start by grounding the audience in what seccomp is, why it's critical for modern container security, and where profiles and the ecosystem fall short. From there, we'll dive into live demonstrations: showing how to monitor actual container behavior, generate tailored seccomp profiles using open-source tools like Kubescape, and deploy these profiles effectively within Kubernetes environments.
We'll walk through a real-world vulnerable application (Apache Druid) and demonstrate a remote code execution exploit inside a container. Then, using a generated seccomp profile, we'll block the attacker’s execution path live, without changing the application code.
Along the way, we’ll tackle real operational pitfalls: handling noisy apps, evolving profiles with your software lifecycle, and keeping the dev team moving without constant breakages.
Attendees will leave with precise, repeatable techniques for using syscall filtering to harden their workloads against real-world attacks and a realistic sense of the strengths and limitations of seccomp as a defense-in-depth strategy.
Ben is a cloud security researcher, open-source contributor, and co-founder of ARMO, the creators of Kubescape. With over 15 years of experience in cybersecurity, Ben specializes in Cloud and Kubernetes security, runtime hardening, and cloud-native defense strategies. His work bridges the gap between theory and practical security, helping organizations protect their workloads against real-world threats.
Ben frequently speaks at security and open-source conferences, bringing a hands-on, honest perspective rooted in real operational experience. When he's not building tools to defend containers, he usually tries to break them and then writes about what he learned.