Certified Cloud-Native Security Expert CCNSE

Cloud-Native technologies like microservices, containers, and Kubernetes have emerged as the go-to way to create, deploy, and manage microservices in both on-prem and cloud environments. Cloud-Native technologies bring a wealth of benefits; however, the task of securing your cloud-native environment is daunting.

The Certified Cloud-Native Security Expert (CCNSE) is a vendor-neutral course and certification program that is designed to assess the level of security knowledge a candidate has on Cloud Native Technologies like Microservices, APIs, and Kubernetes.

The course is designed to give students a practical view of Kubernetes security, covering not only the theory but also immediately applicable tools and techniques. The course is project-oriented, with 60+ hands-on labs that will put your newly gained knowledge into action and guide you along the way.

The curriculum will also focus on educating students on API Security, Container Security, and vulnerability management tools to improve infrastructure security, vulnerability scanning, and detecting suspicious activities and anomalous behavior.

This course is targeted towards individuals or teams interested in devoting their careers to learning and implementing industry security best practices around Cloud Native technologies.

After the training, you will be able to:

Prerequisites

  1. Course participants should have knowledge of running basic Linux commands like ls, cd, mkdir, etc.
  2. Basic knowledge of container technology and k8s helps but is not necessary.
  3. Understanding of OWASP Top 10 vulnerabilities

Learning Objectives

  1. Build a solid foundation that is required to understand the container and k8s security landscape
  2. Gain a practical understanding of the cloud-native security landscape and the tools to secure it
  3. Understand and implement the modern ways of scaling and securing the cloud-native stack

Module 1: Introduction to Cloud-Native Concepts and its Security

  1. Course Introduction (About the course, syllabus, and how to approach it) 
  2. About Certification and how to approach it
  3. Lab Environment
  4. Lifetime course support (Slack)
  5. Overview of the Cloud Native Technologies
  6. The 4C’s of Cloud-Native Security
    1. Cloud
    2. Containers
    3. Clusters
    4. Code (SCA, SAST, DAST) – DevSecOps
  7. Security and Threat Model of Cloud-Native technologies
    1. Overview of Cloud Security
    2. Overview of Container Security (Container Vulnerability, Supply Chain Attack, Least Privilege)
    3. Overview of Kubernetes Security
    4. Overview of Microservices Security
  8. Hands-on Exercise: Learn how to use our browser-based lab environment

Module 2: Introduction to Microservices Architecture

  1. The need for microservices
  2. Monolith vs. Microservices
  3. Technical and Business pros and cons of Microservices
  4. Tools of the trade
    1. Source code management
    2. CI/CD tools
    3. Artifact management
    4. Cloud Platform
    5. Infrastructure as code
    6. Monitoring and logging tools
    7. Collaboration tools
  5. REST APIs
    1. API Security 
    2. OpenAPI/Swagger
    3. Introduction to OWASP API Top 10
      1. Software Component Analysis of API
      2. Static Application Security Testing of API
      3. Dynamic Application Security Testing of API
  6. Hands-on Exercises:
    1. Create a simple CI/CD pipeline
    2. Deploy a microservice/docker container to production
    3. Exploit the above microservice using docker misconfiguration
    4. Exploit a microservice using API vulnerabilities
    5. Find and Fix API Security issues using SCA, SAST, and DAST in CI/CD pipelines

Module 3: Containers and Container Security

  1. What is a container?
  2. Basics of the container technology and its challenges
  3. Container vs. Virtualization
    1. Container Advantages
    2. Container Disadvantages
  4. Container fundamentals
    1. Namespaces
    2. Cgroup
    3. Capabilities
  5. Docker Architecture and its components
    1. Command Line Interface (CLI)
    2. Engine (Daemon, API)
    3. Runtime (containerd, shim, runc)
  6. Ways to interact with container ecosystem
  7. Hands-on Exercises:
    1. Learn Docker commands
    2. Create Docker Image using Dockerfile
    3. Networking in Docker
    4. Learn how to work with data in a container
    5. How to use container registry
    6. Writing the Dockerfile
    7. Learn Docker Compose

Module 4: Attacking Containers and Containerised Apps

  1. Overview of Container Security
  2. Capabilities and namespaces in Docker
  3. Vulnerabilities in images (Public and Private)
  4. Denial of service attacks
  5. Privilege escalation methods in Docker
  6. Security misconfiguration
  7. Hands-on Exercises:
    1. Image-based attacks
    2. Registry-based attacks
    3. Container-based attack
    4. Docker host (Daemon) / kernel attacks
    5. Privilege escalation methods in Docker
    6. Security misconfigurations

Module 5: Defending Containers and Containerized Apps at Scale

  1. Content Trust and Integrity checks
  2. Segregating Networks
  3. Container ecosystem Hardening using:
  4. Static Analysis of container (Docker) images
  5. Dynamic Analysis of container hosts and daemons
  6. Monitoring and incident response in containers
  7. Docker Tools, Techniques and Tactics
  8. Hands-on Exercises:
    1. Minimize security misconfigurations in Docker with CIS
    2. Build a secure, minimal image to minimize the footprint
    3. Build a distroless image to reduce the footprint
    4. Docker Content Trust with Notary
    5. Securing the container by default using Harbor
    6. Scanning Docker for vulnerabilities with Trivy

Module 6: Introduction to Kubernetes

  1. Introduction to Kubernetes
  2. Kubernetes use cases 
  3. Kubernetes Architecture (Core Components)
  4. Core components
    1. API Server
    2. Kube Proxy
    3. Controller Manager
    4. kube-scheduler
    5. etcd
    6. Node
    7. Kubelet
  5. Bootstrapping a cluster
  6. Deploying a microservice on kubernetes
  7. Hands-on Exercises:
    1. Bootstrapping the cluster using kubeadm, KinD
    2. Deploying a microservice on Kubernetes (k8s)
    3. Basics of kubectl commands
    4. Storage in Kubernetes
    5. Networking in Kubernetes
    6. Monitoring and Logging in Kubernetes

Module 7: Hacking Kubernetes Cluster

  1. Kubernetes Attack Surface and Threat Model
  2. Common k8s security issues and misconfigurations
  3. Differences in k8s installations (support for PSP vs. no PSP)
  4. Hands-on Exercises:
    1. Reconnaissance techniques for k8s clusters
      1. Port Scanning
      2. Service enumeration
    2. Pivoting from Pod to Nodes
    3. Denial of Service attacks on k8s clusters
    4. Exploiting Image registries and supply chain issues
    5. Attacking Kubernetes Metadata API
    6. Exploiting Privileged Container/Pod
    7. Secrets Scanning in Kubernetes (k8s)
    8. Exploiting misconfiguration with the kube-hunter utility

Module 8: Kubernetes Authentication and Authorization

  1. Authentication mechanisms in Kubernetes (k8s)
  2. k8s Access Control mechanisms
  3. Role-Based Access Control (RBAC) basics
  4. Admission control
  5. Pod Security policies
  6. Hands-on Exercises:
    1. Authentication Policy
    2. Authentication with Keycloak
    3. Whitelisting container registry
    4. Find risky RBAC permissions with KubiScan
    5. Static Analysis of Access Control with Krane
    6. Admission Controller
    7. Authorization with OPA Gatekeeper

Module 9: Kubernetes Data Security

  1. Kubernetes Data Storage mechanisms
    1. Image Layers
    2. Container mounts and volumes
    3. Distributed storage solutions
  2. Managing secrets in traditional infrastructure
  3. Managing secrets in containers at Scale
  4. Secret Management in Cloud
    1. Version Control Systems and Secrets
    2. Environment Variables and Configuration files
    3. Docker, Immutable systems and its security challenges
    4. Secrets management with HashiCorp Vault and Consul
  5. Hands-On Exercises: 
    1. Securely store Encryption keys and other secrets using Vault/Consul
    2. Encrypting Kubernetes Secrets at rest
    3. Securing Environment Variables with Vault
    4. Automated Image scanning in:
      1. Build stage
      2. Release stage (artifact release)
      3. Integration stage and
      4. Production/Deploy stage

Module 10: Kubernetes Network Security

  1. Network Security in Kubernetes
    1. Network Segregation and Network Security policies
    2. Introduction to Calico and Cilium as Network Policy Layers
    3. Zero-Trust and Service Mesh
    4. Service Mesh – Istio and Envoy
  2. Network scanning tools
  3. Configuring the cluster using SecComp and AppArmor profiles
  4. Hands-on exercises:
    1. Implementing a Service Mesh with Istio
    2. Enable mTLS in Service Mesh
    3. Harden the clusters using SecComp policies
    4. Harden the clusters using AppArmor policies
    5. Writing custom Network Policies

Module 11: Automated Container Orchestration Security Tools

  1. Hardening of k8s clusters
  2. Static Analysis of k8s clusters
  3. Dynamic Analysis of k8s clusters
  4. Runtime Security Analysis and Security monitoring of k8s clusters
  5. Sysdig Falco as a DaemonSet
  6. Compliance and benchmark checks
  7. Hands-on Exercises:
    1. Static Analysis and Dynamic Analysis of clusters in CI/CD pipeline
    2. Hardening and Automated patching of k8s cluster issues
    3. Security monitoring of k8s clusters using Wazuh
    4. Security monitoring of k8s clusters using Falco
    5. Automated CIS k8s benchmark checks using compliance as code

Practical DevSecOps Certification Process

  1. After completing the course, you can schedule the CCNSE exam on your preferred date.
  2. The process of achieving the Practical DevSecOps CCNSE Certification can be found here.
