Certified Cloud-Native Security Expert CCNSE

Cloud-Native technologies like Microservices, containers, and Kubernetes have emerged as the go-to way to create, deploy and manage microservices for both on-prem and cloud environments. Cloud-Native technologies bring a wealth of benefits; however, The task of securing your cloud-native environment is daunting.

The Certified Cloud-Native Security Expert (CCNSE) is a vendor-neutral course and certification program that is designed to assess the level of security knowledge a candidate has on Cloud Native Technologies like Microservices, APIs, and Kubernetes.

The course is designed to give students a practical view of Kubernetes security, covering not only the theory but also hands-on abilities to immediately apply tools and techniques. The course is project-oriented, with 60+ hands-on labs that will put your newly gained knowledge into action and guide you along the way.

The curriculum will also focus on educating students on Container Security, and vulnerability management tools to improve infrastructure security, vulnerability scanning, and detecting suspicious activities and anomalous behavior.

This course is targeted towards individuals or teams interested in devoting their careers to learning and implementing industry security best practices around Cloud Native technologies.

After the training, you will be able to:

Earn the Certified Cloud-Native Security Expert(CCNSE) Certification by passing a 12-hour practical exam.
Prove to employers and peers, practical understanding of the cloud-native security landscape and the tools to secure it.

Enroll Now

Prerequisites

Course participants should have knowledge of running basic Linux commands like ls, cd, mkdir, etc.,
Basic knowledge in container technology and k8s helps but is needed.
Understanding of OWASP Top 10 vulnerabilities

Learning Objectives

Build a solid foundation that is required to understand the container and Kubernetes security landscape
Gain the necessary skills to analyze, assess, evaluate, and secure applications; APIs and microservices; containers; and Kubernetes
Gain a practical understanding of how to hack misconfigured Kubernetes workloads
Learn and implement different ways of Authentication and Authorization methods used in Kubernetes.
Learn how different Admission controllers help apply defense in depth to regulate and audit workloads in a Kubernetes Cluster
Learn, apply and practice different techniques to manage clusterwide data in a distributed setup.
Practice and implement a myriad of techniques to secure secrets and other sensitive data processed and consumed in a Kubernetes Cluster.
Experience Network security and Zero Trust in action using Network policies and Service Meshes.
Gain the necessary skills to Defend Kubernetes cluster from most common attacks.

Module 1: Introduction to Cloud-Native Concepts and its Security

Course Introduction (About the course, syllabus, and how to approach it)
About Certification and how to approach it
Lab Environment
Lifetime course support (Slack)
Overview of the Cloud Native Technologies
The 4C’s of Cloud-Native Security
1. Cloud
2. Clusters
3. Containers
4. Code (SCA, SAST, DAST) – DevSecOps
Security and Threat Model of Cloud-Native technologies
1. Overview of Cloud Security
2. Overview of Container Security (Container Vulnerability, Supply Chain Attack, Least Privilege)
3. Overview of Kubernetes Security
4. Overview of Microservices Security
Hands-on Exercise: Learn how to use our browser-based lab environment

Module 2: Introduction to Microservices Architecture

The need for microservices
Monolith vs Microservices
Technical and Business pros and cons of Microservices
Tools of the trade
1. 1. Source code management
  2. CI/CD tools
  3. Artefact management
  4. Cloud Platform
  5. Infrastructure as code
  6. Monitoring and logging tools
  7. Collaboration tools
REST APIs
1. 1. What is an API
  2. API Security
  3. Introduction to OWASP API Top 10
    1. Software Component Analysis of API
    2. Static Application Security Testing of API
    3. Dynamic Application Security Testing of API
Hands-on Exercises:
1. Create a simple CI/CD pipeline
2. Create advanced CI/CD pipeline
3. Continuous Deployment
4. Exploiting Containerized Application
5. Docker Privilege Escalation
6. Hardening container workload (host

Module 3: Containers and Container Security

What is a container?
Container vs Virtualization
1. 1. Container Advantages
  2. Container Disadvantages
Docker Architecture and its components
1. 1. Command Line Interface(CLI)
  2. Engine (Daemon, API)
  3. Runtime (containerd, shim, runc)
Basics of container technology and its challenges
Container fundamentals
1. 1. Namespaces
  2. Cgroup
  3. Capabilities
Ways to interact with container ecosystem
Container security issues
Container Defenses
Hands-on Exercises:
1. Docker command basics
2. Docker image
3. Image-based attacks
4. Build a secure and miniature docker image
5. Docker registry
6. Registry-based attacks
7. Docker Content Trust
8. Securing container using seccomp
9. Securing container using apparmor

Module 4: Introduction to Kubernetes

Introduction to Kubernetes
Kubernetes Use Cases
Kubernetes Architecture (Core Components)
1. 1. Cluster, Nodes, and Pods
  2. API Server
  3. Controller Manager
  4. Etcd
  5. kube-scheduler
  6. kubelet
  7. Kube-proxy
  8. Container Runtime
Bootstrapping the Kubernetes cluster
Kubernetes Package Manager
1. 1. Understanding Helm Workflow
  2. Creating Helm Charts
Hands-on Exercises:
1. Bootstrapping the cluster using kubeadm, kind
2. Kubernetes basics component
3. kubectl basics commands
4. Kubernetes storage
5. Kubernetes networking

Module 5: Hacking Kubernetes Cluster

Kubernetes Attack Surface and Threat Matrix
Common Kubernetes security issues
Differences in k8s installations (support for PSP vs no PSP)
Hands-on Exercises:
1. Kubernetes Reconnaissance:
  1. Port scanning
  2. Misconfigured Kubernetes components
  3. Access Kubernetes dashboard
2. Reconnaissance using kube-hunter
3. Exploiting Privileged Containers
4. Crashing Kubernetes cluster
5. Compromising Kubernetes secrets
6. Supply chain attack using the poisoned image and malicious helm charts
7. Sniffing Kubernetes Network Traffic

Module 6: Kubernetes Authentication and Authorization

Fundamentals of Kubernetes Authentication and Authorization
Authentication mechanisms in Kubernetes
1. 1. Authentication with Client Certificates
  2. Authentication with Bearer Tokens
  3. HTTP Basic Authentication
  4. Remote Authentication
Authorization mechanisms in Kubernetes
1. 1. Node Authorization
  2. Attribute Based Access Control (ABAC)
  3. Role-Based Access Control (RBAC)
Hands-on Exercises:
1. Kubernetes Authentication using Keycloak
2. Find misconfigured RBAC using KubiScan
3. Static Analysis of the Access Control using Krane

Module 7: Kubernetes Admission Controllers

Fundamentals of Admission Controllers
Static Admission Controllers
1. 1. LimitRanger
  2. DefaultStorageClass
  3. AlwaysPullImages
Dynamic Admission Controllers
1. 1. Introduction to Custom Admission Controllers
  2. Working with Custom Admission WebHooks
  3. Authenticating API Servers
  4. Open Policy Agent (OPA) and Rego Policies
  5. Using OPA with Kubernetes
  6. OPA Gatekeeper
  7. OPA Kube-mgmt vs OPA Gatekeeper
Pod Security Context
Pod Security Policies
Pod Security Admission
1. 1. Pod Security Standards
  2. Policy Modes
  3. Applying Policies
Different Options to Write Custom Policies for K8s
Hands-on Exercises:
1. Enforcing custom resource limits with LimitRanger
2. Enforcing images are always pulled with Authorization
3. Enforced trusted image using OPA Gatekeeper

Module 8: Kubernetes Data Security

Kubernetes Data Storage mechanisms
1. 1. Image Layers
  2. Container Mounts and Volumes
  3. Distributed Volumes in Kubernetes
  4. Persistent Volumes on Cloud
  5. Dynamically Provisioning Cloud Storage for Workloads
Managing secrets in traditional infrastructure
Managing secrets in containers at Scale
1. 1. Exploring Secret Storage Options
  2. Kubernetes Secrets Object
  3. Encrypted Configurations
  4. Managing Encryption Keys in External KMS
  5. Encrypting Secret Objects in Version Control Systems
  6. Mozilla SOPS for Secret OPerationS
  7. Introducing Secrets Store CSI Drivers
  8. Environment Variables and Volume Mounts
  9. Injecting Secrets with Hashicorp Vault
Sanning for Secrets Exposure
Hands-On Exercises:
1. Encrypting Secrets Data at rest
2. Storing secrets securely using HashiCorp Vault
3. Managing secrets using Sealed Secrets
4. Automated Image scanning in
  1. Build stage
  2. Release stage (artifact release)
  3. Integration stage
  4. Deployment stage

Module 9: Kubernetes Network Security

Introduction to Kubernetes Networking
1. 1. Kubernetes Networking Architecture
  2. Challenges with Kubernetes Networking
Network Policies in Kubernetes
1. 1. Network Policy and Its Characteristics
  2. Anatomy of a Network Policy
Fallacies of Distributed Computing
Service Mesh Architecture
1. 1. Exploring Linkerd
  2. Zero Trust with Consul Connect
  3. Service Identities with Istio
Hands-on exercises:
1. Implementing a Service Mesh with Istio
2. Implementing a Service Mesh with Linkerd
3. Enable mTLS in Service Mesh
4. Writing custom Network Policies

Module 10: Defending Kubernetes Cluster

Compliance and Governance
1. 1. Kubernetes Compliance with Kubebench
  2. Kubernetes Compliance with Inspec
Threat Modeling for Kubernetes
Static Analysis of Kubernetes clusters
Building Secure Container Images
Dynamic and Runtime Security Analysis
Security Monitoring
Hands-on Exercises:
1. Kubernetes Least Privilege
2. Kubernetes Static Analysis Analysis
3. Defining Kubernetes Resource Quotas
4. Kubernetes compliance using CIS benchmark
5. Security monitoring of Kubernetes cluster using Wazuh
6. Kubernetes Threat Detection using Falco
7. Threat Hunting with Kubernetes audit logging

Practical DevSecOps Certification Process

After completing the course, you can schedule the CCNSE exam on your preferred date.
Process of achieving Practical DevSecOps CCNSE Certification can be found here.