Beyond the Code: Securing Your Software Supply Chain

Course Outline

In an era where up to 80% of your code can come from third parties, the security of your software supply chain is more critical than ever. Software isn’t built in silos anymore. It’s built on a complex web of dependencies, with each component sourced from different providers across the globe. This opens up a myriad of vulnerabilities, making your software supply chain a prime target for cybercriminals.

Welcome to our two-day intensive course on Software Supply Chain Security. This is not just another IT security course. It’s a journey that takes you beyond the confines of your own code, diving into the interconnected world of software development and delivery

  • Day 1
    • From the Attacker’s Perspective – Understanding Software Supply Chain Attacks
    • The journey begins by exploring the reality of today’s software supply chains, where the bulk of your code is sourced externally. We will dissect real-world attacks on software supply chains, understand how they unfolded, and examine their impacts.
    • Through hands-on exercises, you’ll step into the shoes of attackers, exploiting common vulnerabilities from developer environments and code repositories to dependencies and build/release tools. By the end of day one, you’ll fully comprehend how exposed your software supply chain could be in this interconnected digital world
  • Day 2:
    • From Vulnerability to Fortification – Securing Your Software Supply ChainOn the second day, we shift gears from understanding vulnerabilities to implementing robust defenses. We delve into industry standard frameworks such as SLSA and NIST SSDF, translating them into practical strategies for each component of your supply chain.
    • You’ll get your hands dirty by applying these strategies to secure your developer environments, code repositories, and CI/CD pipelines. You will learn how to use Software Composition Analysis (SCA) tools to manage package/dependency vulnerabilities effectively. By the end of the course, you’ll be equipped to transform your software supply chain from a security liability to an asset.
    • In modern, fast-moving organizations, keeping pace with digital transformation initiatives without compromising security is a growing conundrum. This course caters to everyone in the IT industry, from developers and engineers to IT managers, security analysts, and CTOs
    • The nature of software development has changed; it’s high time our approach to securing it evolves too. This course offers not just knowledge, but practical skills to secure your software supply chain amidst this paradigm shift. It’s no longer enough to secure your code. You need to secure your software’s lifeline – the supply chain.

Course Syllabus

Understanding & Attacking

  • Introduction to Software Supply Chain
  • Supply chain beyond code dependencies
  • Attacking Development Environments
  • Attacking Code Repositories
  • Attacking Dependencies and Package Management
  • Attacking CICD Pipeline
  • Attacking Container & Virtualization Environments
  • Mapping the attacks to MITRE ATT&CK

Defending Software Supply Chains

  • Introduction to Defense Strategies: SLSA and NIST SSDF
  • Securing Development Environments
  • Securing Code Repositories
  • Secure Package Management and Dependency Security
  • Secure CICD Pipeline
  • Secure Container & Virtualization Environments

Next Session

c0c0n 2023

4-5 October 2023

Contact Us for Private / Corporate Session

Scroll to Top