Certified Software Supply Chain Security Expert CSSE

Software supply chain attacks are causing havoc in the industry! The recent high-profile attacks like Solarwinds, Log4Shell are attributed to supply chain attacks. In fact, a report found that 80% of the code in modern applications is third-party code, and a significant portion of these packages are outdated or have reached end-of-life, creating serious security and operational issues.

The CSSE Course offers a deep dive into the security risks associated with software supply chains, providing you with the knowledge and skills to identify, validate, and mitigate these risks. 

Through hands-on exercises in our browser-based labs, you will gain real-world experience dealing with supply chain attack scenarios. Once you have compromised a system, you will also fix issues to gain a comprehensive understanding of supply chain issues.

We will begin the course with an overview of the risks involved in using commercial, open-source, and proprietary third-party code. You will then explore security threats involving container and orchestration systems like Kubernetes. Finally, we will showcase the attack scenarios involving the cloud and its managed services.

In the last sections of the course, you will map risks against MITRE ATT&CK and NIST SSDF frameworks to manage supply chain security effectively.

You will also learn about the latest technologies and solutions for securing your software supply chain, as well as the role of industry standards and regulations. 

By the end of this course, you will have a comprehensive understanding of supply chain attacks in code, containers, clusters, and the cloud.

After the training, you will be able to:

  1. Earn the Certified Software Supply Chain Security Expert (CSSE) Certification by passing a 12-hour practical exam.
  2. Prove to employers and peers, a practical understanding of the supply chain risks and mitigations.

Prerequisites

  1. Course participants should have knowledge of running basic Linux commands like ls, cd, mkdir, etc.
  2. Basic knowledge of Git, CI/CD pipelines, containers, and Cloud Platforms.
  3. A good understanding of OWASP Top 10 vulnerabilities.
  4. Familiarity with any scripting language like Python, Golang, or ruby helps. However, it’s not a necessity.

Learning Objectives

Upon successful completion of this course, students will be able to:

  1. Understand the role of supply chain security in protecting organisations from attacks.
  2. Identify the various supply chain attacks and how they can be exploited via code, container, clusters, and cloud.
  3. Develop strategies for assessing and mitigating supply chain risks.
  4. Develop an understanding of best practices for supply chain management and security, including guidance from the MITRE ATT&CK framework.

Chapter 1: Introduction to Supply Chain Security

  1. Course Introduction (About the course, syllabus, and how to approach it) 
  2. About Certification and how to approach it
  3. Course Lab Environment
  4. Lifetime course support (Mattermost)
  5. An overview of the Supply Chain Security
  6. Supply Chain Security Building Blocks
    1. Code Creation
      1. Source Code Management (SCM)
      2. Internal and external (third-party) software inventory
      3. Build system (CI/CD)
      4. Application
    2. Containers
    3. Clusters
    4. Cloud
  7. Threat Model of Software Supply Chain
    1. Overview of Code Creation (SCM, CI/CD and Application)
    2. Overview of Containers
    3. Overview of Clusters
    4. Overview of Cloud
  8. Evolution of Software Supply Chain Security
  9. Demo: How SolarWinds and Equifax came to be
  10. Hands-on Exercise: 
    1. Learn how to use our browser-based lab environment
    2. Equifax Data Breach

Chapter 2: Attacking Code/Application Supply Chain

  1. Introduction to code supply chain
  2. Code creation process and systems involved
    1. Source code management (git, svn)
    2. Package managers
    3. Build and CI/CD systems
  3. Ways to abuse the trust in the supply chain pipeline
  4. Attacks on SCM systems
    1. Abusing git server misconfigurations
    2. Exploiting pre-commit hooks
    3. Untrusted code in git repositories
    4. Injecting malicious code into the master branch
    5. Repo Jacking
  5. Supply Chain Attacks on package managers
    1. Internal and third-party components
    2. Front End Components (client side)
      1. Embedded scripts like analytics, advertising, tracking, fonts, and icons
      2. Advertising Supply Chain Attacks (AdMaxim, CloudCMS and Picreel network like Megacart group)
      3. Outdated and vulnerable components
      4. Supply Chain Attacks on CDNs, Static assets(s3)
      5. Bypassing security mechanisms like CSP
    3. Back End Components (server side)
      1. Equifax hack
      2. Exploiting vulnerabilities in Backend Components like Injection, RCE, and SSRF
    4. Typo Squatting
    5. Dependency Confusion
    6. Brand Jacking
  6. Attacks on Build and CI/CD Systems
    1. Attacking artifact repositories to inject malicious code and repositories
    2. Abusing default behavior of CI/CD systems 
    3. Exploiting Build and CI/CD components/plugins ( vulnerable components used by CI/CD systems)
    4. Cross Build Injection (XBI) Attacks
    5. Template injection Attacks
    6. Abusing webhooks to compromise CI/CD systems
    7. Stealing Credentials to inject malicious code in artifacts
  7. Attacks on Application Side
    1. Injection attacks
    2. Remote Code Execution
    3. Server Side Request Forgery
    4. Stolen code-sign certificates or signed malicious apps
  8. Real-World case studies of code supply chain attack
  9. Best practices for securing application supply chain
    1. Code Signing
    2. SBOMs
    3. Artifact Signing
    4. Pinning Dependencies
  10. Technologies and solutions for securing applications
  11. Designing and implementing application security strategies
    1. SCA
    2. SAST
    3. DAST
    4. Fuzz Testing
  12. Hands-on Exercises:
    1. Case Study of Magecart attack on the Forbes magazine subscription site
    2. The above topics will have numerous exercises 
    3. Establish a vetting process for open-source components
    4. Handling Dependency Hell
    5. Implement Code and artifact Signing process
    6. Implement SCA/SAST/DAST as part DevOps pipelines

Chapter 3: Attacking Container Supply Chain

  1. Introduction to container technology
  2. Ways to interact with containers ecosystem
  3. Overview of container security and the supply chain risks
  4. Attacking Container Supply Chain ecosystem
    1. Malicious images
    2. Vulnerable images
    3. Insecure container registry
  5. Real-World case studies of container supply chain attack
  6. Best practices for securing containers applications
  7. Technologies and solutions for securing containerized applications
  8. Designing and implementing container security strategies
  9. Hands-on Exercises:
         1.Inserting backdoors and malware into container images
         2.Defenses:
    1. Reduce Bloated Dependencies 
    2. Remove unused dependencies
    3. Handle end-of-life packages gracefully

Chapter 4: Attacking Kubernetes/Cluster Supply Chain

  1. Introduction to Microservices and Kubernetes
  2. An overview of Kubernetes Architecture (Core Components)
  3. Supply Chain Threats for a cluster
  4. Kubernetes Package Manager – Helm
      1. Abusing the helm charts to exploit the cluster
  5. Attacks on Admission Controllers
  6. Exploiting k8s misconfigurations like RBAC, webhooks
  7. Leveraging CI/CD tools in Kubernetes like ArgoCD and Registries to gain a foothold in cluster
  8. Real-World case studies of cluster supply chain attack
  9. Best practices for securing clusters
  10. Technologies and solutions for securing container orchestration
  11. Hands-on Exercises:
    1. kubectl basics commands
    2. Kubernetes Reconnaissance
    3. Reconnaissance using Kube-hunter
    4. Exploiting Privileged Pods
    5. Pwning Kubernetes cluster through pods pivoting
    6. Compromising Kubernetes secrets
    7. Supply chain attacks using the poisoned image and malicious helm charts
    8. Escalating the cluster privileges using webhooks
    9. Maintaining a foothold in the cluster using malicious packages
    10. Full attack walkthrough from container to cluster access

Chapter 5: Attacking the cloud supply chain

  1. Introduction to Cloud ecosystem (Public, On-Premise)
  2. Cloud Attack Surface and Threat Matrix
  3. Shared Security Model of the Cloud
  4. Attack Vectors in AWS
    1. Misconfigurations (Expose secrets, metadata service, etc.)
    2. Attacking managed services like S3, CloudFront CDN
    3. Serverless 
    4. App
  5. Best practices for securing the cloud
  6. Technologies and solutions for securing container orchestration
  7. Hands-on Exercises:
    1. Attacking managed services like S3, and CloudFront CDN to insert backdoors into the scripts.
    2. Abusing AWS metadata service (SSRF) to steal credentials
    3. Complete compromise of AWS account from code to cloud
    4. Maintaining a foothold in the cloud using malicious packages

Chapter 6: Common Defense against Supply Chain Attacks

  1. Prove the sanity of the software components using Cryptography
    1. Code Signing
    2. Component Signing
    3. Artifact signing 
  2. Evaluate dependencies before use
    1. Analyse the security and compliance of dependencies
  3. Implement integrity checks or policies
  4. Implement Change Control
    1. Protected Branches
    2. Licensed Code
    3. Configuration management and change control
  5. Create asset Inventory
  6. Generate a Software Bill Of Materials (SBOM)
    1. Application
    2. Container
    3. Hosts (Virtual Machine Image)
  7. Code Isolation and Sandboxing
  8. Automation of Common Controls in CI/CD
    1. Software Component Analysis of Code, Container, Clusters, and Cloud
    2. Static Security Analysis of Code, Container, Clusters, and Cloud
    3. Dynamic Security Analysis of, Container, Clusters, and Cloud
    4. Fuzz testing of Code, Third party components, and Clusters
  9. Compliance and Governance of Supply Chain Risk
  10. Hands-on Exercises:
    1. Identify malicious packages/third party
    2. Generate SBOM for application and container
    3. Handling Dependency Hell

Chapter 7: Managing a Secure Software Supply Chain Program

  1. Problems with current Supply Chain Attack Visibility
    1. Detection of only known vulnerabilities
    2. Detection of unknown vulnerabilities
  2. Creating a vetting process for software components(Commercial, Open Source, Third Party, and Proprietary Code) used throughout SDLC 
  3. Automation of vetting and third-party code
  4. Software Supply Chain Industry Standards and Best Practices
    1. NIST C-SRM or SLSA 
    2. NIST SSDF
    3. Software Component Verification Standard (SCVS)
    4. Supply Chain Integrity Model
    5. SBOM
    6. CycloneDX
    7. OpenSSF  – Automated
  5. Core Infrastructure Initiative  – Self Assessment

Practical DevSecOps Certification Process

  1. After completing the course, you can schedule the CSSE exam on your preferred date.
  2. Process of achieving Practical DevSecOps CSSE Certification can be found here.