Attack and Defend Software Supply Chain
In an era where up to 80% of your code can come from third parties, the security of your software supply chain is more critical than ever. Software isn’t built in silos anymore. It’s built on a complex web of dependencies, with each component sourced from different providers across the globe. This opens up a myriad of vulnerabilities, making your software supply chain a prime target for cybercriminals.
Day 1: From the Attacker’s Perspective - Understanding Software Supply Chain Attacks
The journey begins by exploring the reality of today’s software supply chains, software supply chain is not just your code dependencies there is a whole other set of software’s that are part of your supply chain and all need to be protected. We will dissect real-world attacks on software supply chains, understand how they unfolded, and examine their impacts.
Through hands-on exercises, you’ll step into the shoes of attackers, exploiting common vulnerabilities from developer environments and code repositories to dependencies and build/release tools. By the end of day one, you’ll fully comprehend how exposed your software supply chain could be in this interconnected digital world.
Day 2: From Vulnerability to Fortification - Securing Your Software Supply Chain
On the second day, we shift gears from understanding vulnerabilities to implementing robust defenses. We delve into industry standard frameworks such as SLSA and NIST SSDF, translating them into practical strategies for each component of your supply chain.
You’ll get your hands dirty by applying these strategies to secure your developer environments, code repositories, and CI/CD pipelines. You will learn how to use Software Composition Analysis (SCA) tools to manage package/dependency vulnerabilities effectively, create SBoM’s for your own software. By the end of the course, you’ll be equipped to transform your software supply chain from a security liability to an asset.
The class will contain a holistic view of software supply chain security both from attack and defense side, with focus on practical approach of learning with demos and hands-on labs covering:
- Introduction to Software Supply Chain
- Supply chain beyond code dependencies
- Exploiting VS Code Workspaces
- Trojanizing IDE & Browser Extensions
- Exploiting Git & GitHub Misconfigurations
- Attacking CI Pipelines & custom runners
- Creating malicious dependencies
- Attacking package management ecosystems (like npm, gradle, etc.)
- Exploiting Deployment Systems (like GitHub & ArgoCD)
- Leveraging container images misconfigurations
- Looking at Cloud & Kubernetes attack paths
- Attacking Cloud Environment (IAM, Data, Configurations)
- Exploiting Kubernetes Misconfigurations & insecure defaults
- Introduction to Defense Strategies: SLSA and NIST SSDF
- 360° Security strategies & Top-down Defense from Governance
- Effective Inventory Management & SBOMs
- Establishing, storing & verifying Provenance
- Protecting The Assets & Establishing Baseline Security
- Cloud Audits
- Runtime Security
- Threat detection
- Responding and Recovering from the Security Breaches
- Mapping Different Roles and Responsibilities
- Securing yourself from the above discussed attacks.