About The Training

In an era where a larger portion (~80%) of software development activities come from third parties, the security of your software supply chain is more critical than ever. Software isn't built in silos anymore. It's built on a complex web of dependencies, with each component sourced from different providers across the globe. This opens up a myriad of vulnerabilities, making your software supply chain a prime target for cybercriminals.

In this course, we focus on holistic learning around attacking and then securing the software supply chain.

Section 1 is focused on understanding and exploiting supply chain issues.

Section 2 focuses on the various fixes and security configurations to protect the supply chain.

We’ll get our hands dirty by applying these strategies to secure the developer environments, code repositories, CI/CD pipelines, and deployment environments. By the end of the course, we will be well-equipped to transform our software supply chain from a security liability to a valuable asset.

Intermediate - Advanced 

In an era where up to 80% of your code can come from third parties, the security of your software supply chain is more critical than ever. Software isn’t built in silos anymore. It’s built on a complex web of dependencies, with each component sourced from different providers across the globe. This opens up a myriad of vulnerabilities, making your software supply chain a prime target for cybercriminals.

Section 1: From the Attacker’s Perspective – Understanding Software Supply Chain Attacks

The journey begins by exploring the reality of today’s software supply chains, the software supply chain is not just your code dependencies there is a whole other set of software that is part of your supply chain and all need to be protected. We will dissect real-world attacks on software supply chains, understand how they unfolded, and examine their impacts.

Through hands-on exercises, you’ll step into the shoes of attackers, exploiting common vulnerabilities from developer environments and code repositories to dependencies and build/release tools. By the end of section one, you’ll fully comprehend how exposed your software supply chain could be in this interconnected digital world

Section 2: From Vulnerability to Fortification – Securing Your Software Supply Chain

In this section, we shift gears from understanding vulnerabilities to implementing robust defenses. We delve into industry standard frameworks such as SLSA and NIST SSDF, translating them into practical strategies for each component of your supply chain

You’ll get your hands dirty by applying these strategies to secure your developer environments, code repositories, and CI/CD pipelines. You will learn how to use Software Composition Analysis (SCA) tools to manage package/dependency vulnerabilities effectively and create SBoM’s for your own software. By the end of the course, you’ll be equipped to transform your software supply chain from a security liability to an asset.

In modern, fast-moving organizations, keeping pace with digital transformation initiatives without compromising security is a growing conundrum. This course caters to everyone in the IT industry, from developers and engineers to IT managers, security analysts, and CTOs

The nature of software development has changed; it’s high time our approach to securing it evolves too. This course offers not just knowledge, but practical skills to secure your software supply chain amidst this paradigm shift. It’s no longer enough to secure your code. You need to secure your software’s lifeline – the supply chain.

The class will contain a holistic view of software supply chain security both from the attack and defense side, with a focus on a practical approach of learning with demos and hands-on labs –

Attack

• Introduction to Software Supply Chain
• Supply chain beyond code dependencies
• Exploiting VS Code Workspaces
• Trojanizing IDE & Browser Extensions
• Exploiting Git & GitHub Misconfigurations
• Attacking CI Pipelines & custom runners
• Creating malicious dependencies
• Attacking package management ecosystems (like npm, gradle, etc.)
• Exploiting Deployment Systems (like GitHub & ArgoCD)
• Leveraging container image misconfigurations
• Looking at Cloud & Kubernetes attack paths
• Attacking Cloud Environment (IAM, Data, Configurations)
• Exploiting Kubernetes Misconfigurations & Insecure Defaults

Defend

• Introduction to Defense Strategies: SLSA and NIST SSDF
• 360° Security strategies & Top-down Defense from Governance
• Effective Inventory Management & SBOMs
• Establishing, storing & verifying Provenance
• Protecting The Assets & Establishing Baseline Security
• Cloud Audits
• Runtime Security
• Threat detection
• Responding and Recovering from the Security Breaches
• Mapping Different Roles and Responsibilities
• Securing yourself from the above-discussed attacks.

Each section consists of

• Overview and Case studies of the attack surface.
• Hands-on Labs with vulnerable environment for the participants to play with.

The class is extensively hands-on with elaborate case studies from the real world and replicating the attacks to understand how to protect against them in depth.

At the end of the course, we will summarize the key points covered and offer suggestions for further learning. Each student will receive access to presentation slides, a constantly updated knowledge base, and a guide on setting up attack and defense infrastructure for self-practice purposes.

Laptop with administrative access and capability to run Virtual Machines. We will try to reduce system requirements as much as we can but would still need the capability to spare 2 threads per VM and 2 VMs to be run on the laptop so a decent 6 or 8-core processor is recommended. We are working on ensuring the Apple M series can be used and will provide instructions over emails for all of the laptops and VMs to be loaded.

Basic knowledge of software development and IT security concepts is assumed. Familiarity with cloud platforms and CICD processes would be beneficial but not mandatory.

• Software Developers and Engineers
• IT Managers
• Security Analysts
• DevOps Practitioners
• CTOs and Decision Makers in IT
• Pentesters
• Red Teamers

• Comprehensive understanding of software supply chain vulnerabilities and defenses
• Expert guidance on implementing security measures across different components of the software supply chain
• Knowledge of industry-standard security frameworks such as SLSA and NIST SSDF

• Very Detailed step-by-step instruction manual for all challenges covered during the class.
• A detailed documentation of all the content covered during the class.
• VM's to take home for practice later

Zero to hero in one class