Attack and Defend Software Supply Chains

What is this training about ?

• Section 1: From the Attacker’s Perspective – Understanding Software Supply Chain Attacks The journey begins by exploring the reality of today’s software supply chains, the software supply chain is not just your code dependencies there is a whole other set of software that is part of your supply chain and all need to be protected. We will dissect real-world attacks on software supply chains, understand how they unfolded, and examine their impacts. Through hands-on exercises, you’ll step into the shoes of attackers, exploiting common vulnerabilities from developer environments and code repositories to dependencies and build/release tools. By the end of section one, you’ll fully comprehend how exposed your software supply chain could be in this interconnected digital world
• Section 2: From Vulnerability to Fortification – Securing Your Software Supply Chain In this section, we shift gears from understanding vulnerabilities to implementing robust defenses. We delve into industry standard frameworks such as SLSA and NIST SSDF, translating th
• In modern, fast-moving organizations, keeping pace with digital transformation initiatives without compromising security is a growing conundrum. This course caters to everyone in the IT industry, from developers and engineers to IT managers, security analysts, and CTOs The class will contain a holistic view of software supply chain security both from the attack and defense side, with a focus on a practical approach of learning with demos and hands-on labs

Attack

• Introduction to Software Supply Chain
• Supply chain beyond code dependencies
• Exploiting VS Code Workspaces
• Trojanizing IDE & Browser Extensions
• Exploiting Git & GitHub Misconfigurations
• Attacking CI Pipelines & custom runners
• Creating malicious dependencies
• Attacking package management ecosystems (like npm, gradle, etc.)
• Exploiting Deployment Systems (like GitHub & ArgoCD)
• Leveraging container image misconfigurations
• Looking at Cloud & Kubernetes attack paths
• Attacking Cloud Environment (IAM, Data, Configurations)
• Exploiting Kubernetes Misconfigurations & Insecure Defaults

Defend

• Introduction to Defense Strategies: SLSA and NIST SSDF
• 360° Security strategies & Top-down Defense from Governance
• Effective Inventory Management & SBOMs
• Establishing, storing & verifying Provenance
• Protecting The Assets & Establishing Baseline Security
• Cloud Audits
• Runtime Security
• Threat detection
• Responding and Recovering from the Security Breaches
• Mapping Different Roles and Responsibilities
• Securing yourself from the above-discussed attacks.

Additional Information

• Each section consists of
• Overview and Case studies of the attack surface.
• Hands-on Labs with vulnerable environment for the participants to play with.
• The class is extensively hands-on with elaborate case studies from the real world and replicating the attacks to understand how to protect against them in depth.
• At the end of the course, we will summarize the key points covered and offer suggestions for further learning. Each student will receive access to presentation slides, a constantly updated knowledge base, and a guide on setting up attack and defense infrastructure for self-practice purposes.

• Laptop with administrative access and capability to run Virtual Machines. We will try to reduce system requirements as much as we can but would still need the capability to spare 2 threads per VM and 2 VMs to be run on the laptop so a decent 6 or 8-core processor is recommended. We are working on ensuring the Apple M series can be used and will provide instructions over emails for all of the laptops and VMs to be loaded.

• Software Developers and Engineers
• IT Managers
• Security Analysts
• DevOps Practitioners
• CTOs and Decision Makers in IT
• Pentesters
• Red Teamers

• Comprehensive understanding of software supply chain vulnerabilities and defenses
• Expert guidance on implementing security measures across different components of the software supply chain
• Knowledge of industry-standard security frameworks such as SLSA and NIST SSDF

• Zero to hero in one class

• Very Detailed step-by-step instruction manual for all challenges covered during the class.
• A detailed documentation of all the content covered during the class.
• VM's to take home for practice later