Course details
Certified Software Supply Chain Security Expert (CSSE)
EDU Trainings s.r.o.
Course description
The Certified Software Supply Chain Expert Course offers a deep dive into the security risks associated with software supply chains, providing you with the knowledge and skills to identify, validate, and mitigate these risks. We will begin the course with an overview of the risks of using commercial, open-source, and proprietary third-party code. You will then explore security threats involving container and orchestration systems like Kubernetes and attack scenarios involving the cloud and its managed services. Finally, you will learn how to manage a Secure Software Supply Chain Program.
Course Inclusions:
Course Manual
Course Videos and Checklists
40+ Guided Exercises
60 days of Online Lab Access
24/7 Student support via Mattermost channel
One exam attempt

After the Software Supply Chain Expert course, you will be able to:
Understand the role of supply chain security in protecting organizations from attacks.
Identify various supply chain attacks and how they can be exploited via code, container, clusters, and cloud.
Develop strategies for assessing and mitigating supply chain risks.
Develop an understanding of best practices for supply chain management and security, including guidance from the SDF, CIS, SLSA, and SCVS frameworks.
Course contents
Chapter 1: Introduction to Supply Chain Security
Course Introduction (About the course, syllabus, and how to approach it)
About Certification and how to approach it
Course Lab Environment
Lifetime course support (Mattermost)
An overview of the Supply Chain Security
Supply Chain Security Building Blocks
Code Creation
Source Code Management (SCM)
Internal and external (third-party) software inventory
Build system (CI/CD)
Application
Containers
Clusters
Cloud
Threat Model of Software Supply Chain
Overview of Code Creation (SCM, CI/CD and Application)
Overview of Containers
Overview of Clusters
Overview of Cloud
Evolution of Software Supply Chain Security
Hands-on Exercise:
Learn how to use our browser-based lab environment
How CI/CD Works
Working with GitLab CI/CD
Understanding Stages in CI/CD Pipelines
Continuous Deployment
How the Equifax Hack Happened
Chapter 2: Attacking Code and Application Supply Chain
Introduction to code supply chain
Code creation process and systems involved
Source code management (git, svn)
Package managers
Build and CI/CD systems
Attacks on SCM systems
Breaking out of restricted Git shells
Git servers leaking confidential information
Exploiting pre-commit hooks
Repo Jacking
Executing Arbitrary Code With Git Commands
Risks of unencrypted Git traffic
Insufficient Authentication In Git Servers
Supply Chain Attacks on package managers
Magecart attack in an Airways
Supply Chain Attacks on CDNs
Bypassing security mechanisms like CSP
Typo-squatting techniques
Combosquatting
Brandjacking
Dependency confusion
Abusing IDE behaviors through dependency confusion
Package Masquerading
Abusing Generative AI for package masquerading
Attacks on Build and CI/CD Systems
Poisoning build pipelines for complete pwnage
Manual code reviews and sneaking PR/MR
Abusing webhooks to compromise CI/CD systems
Cross Build Injection (XBI) Attacks
Misconfigured GitHub Actions
Attacks on Application Side
Injection attacks
Cross Site Scripting (XSS)
Server Side Request Forgery
Real-World case studies of code supply chain attack
Stealing environment variables from build servers
Exposing private source code on GitHub
Leaking source code of patented technologies
Stolen code-sign certificates or signed malicious apps
Best practices for securing application supply chain
SBOMs
Code Signing and Commit Signing
Artifact Signing
Dependency Hashing
Dependency Pinning
Defending GitHub Actions With Pinning
Technologies and solutions for securing applications
SCA
SAST
DAST
Fuzz Testing
Hands-on Exercises:
Dependency confusion
GitLab privilege escalation
Git commit spoofing
Git commit signing
Typosquatting dependency
How the Codecov attack happened
Working with pre-commit hooks
Exploiting pre-commit hooks
Software Component Analysis (SCA)
Static Application Security Testing (SAST)
SCA/SAST using pre-commit hooks
Dynamic Analysis
Chapter 3: Attacking Container Supply Chain
Introduction to container technology
What is a container
Basics of container
Ways to interact with containers ecosystem
Attack surface of containers and supply chain risks
Overview of container security
Attack surface of the container ecosystem
Attack surface analysis using native and third party tools
Attack surface analysis with native tools
Kernel features: Namespaces, Cgroups, Capabilities
Attacking Container Supply Chain ecosystem
Malicious images
Insecure container registry
Attacking through container misconfigurations
Best practices for securing container applications
Container Image Security
Distroless and scratch image
Multi-stage builds
Securing Docker daemon
Technologies and solutions for securing containerized applications
Docker host security configurations
Seccomp
AppArmor
Image signing and Content Trust
Hands-on Exercises:
Working with docker command
Creating container snapshots
Malicious container image
Backdooring docker image
Attacking docker registry
Exploiting containerized apps
Unsecured docker daemon
Minimize docker security misconfigurations
Build a secure, miniature image to minimize attack footprint
Typosquatting attack in docker image
Chapter 4: Attacking Kubernetes/Cluster Supply Chain
Microservices and Kubernetes
Introduction to Microservices Architecture
Introduction to Kubernetes Architecture
Core Components of Kubernetes
Supply Chain Threats for a cluster
Kubernetes Package Manager
Helm and its security
Understanding Helm charts workflow
Creating Helm Charts
Abusing Kubernetes Request Pipeline
Authentication, Authorization, and Admission Controllers
Attacks on Admission Controllers and webhooks
Insecure RBAC rules
Common Attack Vectors in Kubernetes Clusters
Technologies and solutions for securing container orchestration
Static analysis of Kubernetes clusters
Dynamic analysis and runtime security of Kubernetes clusters
Hands-on Exercises:
Kubernetes basic commands
Working with Kubernetes
Kubernetes secrets
Kubernetes service accounts
Kubernetes networking using Calico
Reconnaissance using Kube-hunter
Stealing Kubernetes secrets
Exploiting Kubelet API
Privileged pods in Kubernetes
Sniffing Kubernetes network traffic
Kubernetes image scanning
Static analysis of Kubernetes manifests
Chapter 5: Attacking Cloud Supply Chain
Introduction to Cloud Ecosystem (Public, On-Premise)
Cloud Attack Surface and Threat Matrix
Shared Security Model of the Cloud
Attack Vectors in AWS
Misconfigurations (exposed secrets, metadata service, etc.)
Attacking Managed Services Like S3, CloudFront CDN
Attacking Serverless Computing
Attacking Application Deployment Services
Attack Vectors in Azure
Misconfigurations (exposed secrets, metadata services, etc.)
Attacking Azure Blob storage, Azure Application Gateway
Attacking Azure Functions
Attacking Web Apps
Attack Vectors in GCP
Misconfigurations (exposed secrets, metadata services, etc.)
Attacking Google Cloud Storage GCS, Cloud CDN
Attacking Google Cloud Functions
Attacking Google Kubernetes Engine
Best Practices for Securing the Cloud
Chapter 6: Common Defenses Against Supply Chain Attacks
Prove the sanity of the software components using Cryptography
Code Signing
Component Signing
Artifact signing
The Update Framework
Evaluate dependencies before use
Analyze the security and compliance of dependencies
Implement integrity checks or policies
Implement Change Control
Protected Branches
Licensed Code
Configuration management and change control
Create asset Inventory
Generate a Software Bill Of Materials
Application SBOM
Container SBOM
Hosts SBOM
Code Isolation and Sandboxing
Automation of Common Controls in CI/CD
Software Component Analysis of Code, and Containers
Static Security Analysis of Application Code, Infrastructure as Code
Dynamic Security Analysis of Applications, APIs, Containers, and Clusters
Detecting Unexpected Behaviors Through Fuzz Testing
Compliance and Governance of Supply Chain Risk
Hands-on Exercises:
Generate the SBOM for Application using Syft
Generate the SBOM for Docker Image using Syft
Create an SBOM with Tern
Identify malicious Package using guarddog
Finding Risky Packages using packj
Secrets Scanning using Trivy
Secrets Scanning using TruffleHog
False Positive Analysis (FPA)
Container Registry using Harbor
Container Vulnerability Scanning using Snyk
Scanning Docker for Vulnerabilities with Trivy
Signing Container Images for Trust
Container Malware Scanning using YaraHunter
Find Misconfigured RBAC Using KubiScan
Finding Misconfigurations Using Kubescape
Finding Helm Charts Misconfigurations using Kubescape
How to Embed Syft into CI/CD pipeline
Scan SBOM for Vulnerabilities using bomber
Implement SAST as part of DevOps pipelines
Implement DAST as part of DevOps pipelines
Chapter 7: Managing a Secure Software Supply Chain Program
Problems with current Supply Chain Attack Visibility
Detection of only known vulnerabilities
Detection of unknown vulnerabilities
Creating a vetting process for software components (Commercial, Open Source, Third Party, and Proprietary Code) used throughout SDLC
Automation of vetting and third-party code
Software Supply Chain Industry Standards and Best Practices
NIST C-SRM or SLSA
NIST SSDF
Software Component Verification Standard (SCVS)
Secure Supply Chain Consumption Framework (S2C2F)
Supply Chain Integrity Model
Software Supply Chain Best Practices
SBOM
CycloneDX
OpenSSF – Automated
Core Infrastructure Initiative – Self Assessment
Hands-on Exercises:
Achieving SLSA Level 1 using GitLab
Achieving SLSA Level 2 using GitLab
Establish a vetting process for open-source components
Working with Defect Dojo
Vulnerability Management With DefectDojo
Handling Dependency Hell
Certificate
On request.