Certified Software Supply Chain Security Expert (CSSE)™
The Certified Software Supply Chain Expert Course offers a deep dive into the security risks associated with software supply chains, providing you with the knowledge and skills to identify, validate, and mitigate these risks. We will begin the course with an overview of the risks of using commercial, open-source, and proprietary third-party code. You will then explore security threats involving container and orchestration systems like Kubernetes and attack scenarios involving the cloud and its managed services. Finally, you will learn how to manage a Secure Software Supply Chain Program.
After the Software Supply Chain Expert course, you will be able to:
- Understand the role of supply chain security in protecting organizations from attacks.
- Identify various supply chain attacks and how they can be exploited via code, container, clusters, and cloud.
- Develop strategies for assessing and mitigating supply chain risks.
- Develop an understanding of best practices for supply chain management and security, including guidance from the SDF, CIS, SLSA, and SCVS frameworks.
- Self-paced Learning Mode
- Browser-based Lab Access
- 24/7 Instructor Support via Mattermost
Prerequisites
- Course participants should have knowledge of running basic Linux commands like ls, cd, mkdir, etc.
- Basic knowledge of Git, CI/CD pipelines, containers, and Cloud Platforms.
- A good understanding of OWASP Top 10 vulnerabilities.
- Familiarity with any scripting language like Python, Golang, or Ruby helps. However, it's not a necessity.
Chapter 1: Introduction to Supply Chain Security
- Course Introduction (About the course, syllabus, and how to approach it)
- About Certification and how to approach it
- Course Lab Environment
- Lifetime course support (Mattermost)
- An overview of the Supply Chain Security
- Supply Chain Security Building Blocks
- Code Creation
- Source Code Management (SCM)
- Internal and external (third-party) software inventory
- Build system (CI/CD)
- Application
- Containers
- Clusters
- Cloud
- Threat Model of Software Supply Chain
- Overview of Code Creation (SCM, CI/CD and Application)
- Overview of Containers
- Overview of Clusters
- Overview of Cloud
- Evolution of Software Supply Chain Security
- Hands-on Exercise:
- Learn how to use our browser-based lab environment
- How CI/CD Works
- Working with Gitlab CI/CD
- Understanding Stages in CI/CD Pipelines
- Continuous Deployment
- How the Equifax Hack Happened
Chapter 2: Attacking Code and Application Supply Chain
- Introduction to code supply chain
- Code creation process and systems involved
- Source code management (git, svn)
- Package managers
- Build and CI/CD systems
- Attacks on SCM systems
- Breaking out of restricted Git shells
- Git servers leaking confidential information
- Exploiting pre-commit hooks
- Repo Jacking
- Executing Arbitrary Code With Git Commands
- Risks of unencrypted Git traffic
- Insufficient Authentication In Git Servers
- Supply Chain Attacks on package managers
- Magecart attack in an Airways
- Supply Chain Attacks on CDNs
- Bypassing security mechanisms like CSP
- Typo-squatting techniques
- Combosquatting
- Brandjacking
- Dependency confusion
- Abusing IDE behaviors through dependency confusion
- Package Masquerading
- Abusing Generative AI for package masquerading
- Attacks on Build and CI/CD Systems
- Poisoning build pipelines for complete pwnage
- Manual code reviews and sneaking PR/MR
- Abusing webhooks to compromise CI/CD systems
- Cross Build Injection (XBI) Attacks
- Misconfigured Github Actions
- Attacks on Application Side
- Injection attacks
- Cross Site Scripting (XSS)
- Server Side Request Forgery
- Real-World case studies of code supply chain attack
- Stealing environment variables from build servers
- Exposing private source code on GitHub
- Leaking source code of patented technologies
- Stolen code-sign certificates or signed malicious apps
- Best practices for securing application supply chain
- SBOMs
- Code Signing and Commit Signing
- Artifact Signing
- Dependency Hashing
- Dependency Pinning
- Defending GitHub Actions With Pinning
- Technologies and solutions for securing applications
- SCA
- SAST
- DAST
- Fuzz Testing
- Hands-on Exercises:
- Dependency confusion
- GitLab privilege escalation
- Git commit spoofing
- Git commit signing
- Typosquatting dependency
- How the Codecov attack happened
- Working with pre-commit hooks
- Exploiting pre-commit hooks
- Software Component Analysis (SCA)
- Static Application Security Testing (SAST)
- SCA/SAST using pre-commit hooks
- Dynamic Analysis
Chapter 3: Attacking Container Supply Chain
- Introduction to container technology
- What is a container
- Basics of container
- Ways to interact with the container ecosystem
- Attack surface of containers and supply chain risks
- Overview of container security
- Attack surface of the container ecosystem
- Attack surface analysis using native and third party tools
- Attack surface analysis with native tools
- Kernel features: Namespaces, Cgroups, Capabilities
- Attacking Container Supply Chain ecosystem
- Malicious images
- Insecure container registry
- Attacking through container misconfigurations
- Best practices for securing container applications
- Container Image Security
- Distroless and scratch image
- Multi-stage builds
- Securing Docker daemon
- Technologies and solutions for securing containerized applications
- Docker host security configurations
- Seccomp
- AppArmor
- Image signing and Content Trust
- Hands-on Exercises:
- Working with docker command
- Creating container snapshots
- Malicious container image
- Backdooring docker image
- Attacking docker registry
- Exploiting containerized apps
- Unsecured docker daemon
- Minimize docker security misconfigurations
- Build a secure, miniature image to minimize attack footprint
- Typosquatting attack in docker image
Chapter 4: Attacking Kubernetes/Cluster Supply Chain
- Microservices and Kubernetes
- Introduction to Microservices Architecture
- Introduction to Kubernetes Architecture
- Core Components of Kubernetes
- Supply Chain Threats for a cluster
- Kubernetes Package Manager
- Helm and its security
- Understanding Helm charts workflow
- Creating Helm Charts
- Abusing Kubernetes Request Pipeline
- Authentication, Authorization, and Admission Controllers
- Attacks on Admission Controllers and webhooks
- Insecure RBAC rules
- Common Attack Vectors in Kubernetes Clusters
- Technologies and solutions for securing container orchestration
- Static analysis of Kubernetes clusters
- Dynamic analysis and runtime security of Kubernetes clusters
- Hands-on Exercises:
- Kubernetes basic commands
- Working with Kubernetes
- Kubernetes secrets
- Kubernetes service accounts
- Kubernetes networking using Calico
- Reconnaissance using Kube-hunter
- Stealing Kubernetes secrets
- Exploiting Kubelet API
- Privileged pods in Kubernetes
- Sniffing Kubernetes network traffic
- Kubernetes image scanning
- Static analysis of Kubernetes manifests
Chapter 5: Attacking Cloud Supply Chain
- Introduction to Cloud Ecosystem (Public, On-Premise)
- Cloud Attack Surface and Threat Matrix
- Shared Security Model of the Cloud
- Attack Vectors in AWS
- Misconfigurations (exposed secrets, metadata service, etc.)
- Attacking Managed Services Like S3, CloudFront CDN
- Attacking Serverless Computing
- Attacking Application Deployment Services
- Attack Vectors in Azure
- Misconfigurations (exposed secrets, metadata services, etc.)
- Attacking Azure Blob storage, Azure Application Gateway
- Attacking Azure Functions
- Attacking Web Apps
- Attack Vectors in GCP
- Misconfigurations (exposed secrets, metadata services, etc.)
- Attacking Google Cloud Storage GCS, Cloud CDN
- Attacking Google Cloud Functions
- Attacking Google Kubernetes Engine
- Best Practices for Securing the Cloud
Chapter 6: Common Defenses Against Supply Chain Attacks
- Prove the sanity of the software components using Cryptography
- Code Signing
- Component Signing
- Artifact signing
- The Update Framework
- Evaluate dependencies before use
- Analyze the security and compliance of dependencies
- Implement integrity checks or policies
- Implement Change Control
- Protected Branches
- Licensed Code
- Configuration management and change control
- Create asset Inventory
- Generate a Software Bill Of Materials
- Application SBOM
- Container SBOM
- Hosts SBOM
- Code Isolation and Sandboxing
- Automation of Common Controls in CI/CD
- Software Component Analysis of Code and Containers
- Static Security Analysis of Application Code, Infrastructure as Code
- Dynamic Security Analysis of Applications, APIs, Containers, and Clusters
- Detecting Unexpected Behaviors Through Fuzz Testing
- Compliance and Governance of Supply Chain Risk
- Hands-on Exercises:
- Generate the SBOM for Application using Syft
- Generate the SBOM for Docker Image using Syft
- Create an SBOM with Tern
- Identify malicious Package using guarddog
- Finding Risky Packages using packj
- Secrets Scanning using Trivy
- Secrets Scanning using TruffleHog
- False Positive Analysis (FPA)
- Container Registry using Harbor
- Container Vulnerability Scanning using Snyk
- Scanning Docker for Vulnerabilities with Trivy
- Signing Container Images for Trust
- Container Malware Scanning using YaraHunter
- Find Misconfigured RBAC Using KubiScan
- Finding Misconfigurations Using Kubescape
- Finding Helm Charts Misconfigurations using Kubescape
- How to Embed Syft into CI/CD pipeline
- Scan SBOM for Vulnerabilities using bomber
- Implement SAST as part of DevOps pipelines
- Implement DAST as part of DevOps pipelines
Chapter 7: Managing a Secure Software Supply Chain Program
- Problems with current Supply Chain Attack Visibility
- Detection of only known vulnerabilities
- Detection of unknown vulnerabilities
- Creating a vetting process for software components (Commercial, Open Source, Third Party, and Proprietary Code) used throughout SDLC
- Automation of vetting and third-party code
- Software Supply Chain Industry Standards and Best Practices
- NIST C-SCRM or SLSA
- NIST SSDF
- Software Component Verification Standard (SCVS)
- Secure Supply Chain Consumption Framework (S2C2F)
- Supply Chain Integrity Model
- Software Supply Chain Best Practices
- SBOM
- CycloneDX
- OpenSSF - Automated
- Core Infrastructure Initiative - Self Assessment
- Hands-on Exercises:
- Achieving SLSA Level 1 using GitLab
- Achieving SLSA Level 2 using GitLab
- Establish a vetting process for open-source components
- Working with Defect Dojo
- Vulnerability Management With DefectDojo
- Handling Dependency Hell
Practical DevSecOps Certification Process
- After completing the course, you can schedule the CSSE exam on your preferred date.
- The process of achieving Practical DevSecOps CSSE Certification can be found here.