Date | Day | Time | Duration |
17 Apr | Monday | 09:00 to 17:00 CEST/GMT+2 | 8 Hours |
18 Apr | Tuesday | 09:00 to 17:00 CEST/GMT+2 | 8 Hours |
This training is a deep hands-on, red-team exploration of application supply-chains. We commence with an understanding of application supply chains, and subsequently dive into story-driven scenarios of exploiting supply-chains like exploiting CI systems, build systems.Container infrastructure and cloud-native infrastructure hosted on Kubernetes, AWS and Azure.
People learn better with stories. Our exploit and lateral movement scenarios are intricately designed labs that are backed by real-world stories that help students understand this subject-matter a lot better. This training was sold-out at Blackhat USA 2022 with a 4.8/5 Rating.
Application Dependencies – Stories and Hands-on Labs
This section of the class is where we do a couple of case studies (stories) on identifying vulnerabilities against Application Dependencies and compromising them. Once compromised, we’ll be looking at possibilities of post-exploitation and lateral movement against these dependencies. In these stories, we’ll be showcasing the following type of attacks and exploits:
○ Magecart-style and other JavaScript client-side attacks leading to user compromise, browser-hooking and so on
○ Attacking client-side supply chain elements by attacking private CDNs, static stores, etc.
○ Exploring additional client-side exploit possibilities with CSP Bypasses, etc.
○ Attacking CDN infrastructure like Cloudfront and S3 with CSP bypasses to perform client-side supply-chain exploits
○ Leveraging vulnerable components to perform application exploits and Lateral movement. This includes:
○ Typo-squatting flaws
○ Dependency Confusion attacks
○ Jenkins
○ Bamboo
○ GitHub Actions
○ GitLab CI
In this section we’ll be covering multiple attacks and exploit scenarios around attacking CI Services. These attacks specifically look at approaches where adversaries compromise the CI tools to be able to inject malicious code or otherwise taint the build process and environments of organizations. The case studies and stories that we’ll cover as part of this module include the following:
○ Cross build Injection attacks
Cloud-native environments are a massive source of supply-chain risk. With Infrastructure-as-Code, to Continuous Deployment Systems, to Cloud-native package management, there’s tremendous scope for attacking, exploiting and escalating privileges against cloud-native environments. In this section we’ll be looking at case studies and stories of supply chain security risks against Kubernetes and AWS environments as a reference point. Naturally, these will be replete with deep-dive hands-on labs that will walk you through the multi-step flaws and exploits against cloud-native supply chains
○ AWS
○ Azure
○ Cloud
○ Kubernetes & Microservices
○ Common attack patterns
○ Understanding layers
Rajesh Kanumuru works at we45 as a Cloud Security Lead. Rajesh is a builder and breaker of Cloud applications. He has created some pioneering works in the area of Cloud Security. He is actively researching the effects of emerging technologies on cloud security. Since 2020, Rajesh has mostly been involved with research, development, and building solutions around the training offerings and consults with organizations to help them implement Cloud Security successfully. Rajesh has co-authored and trained a course on Purple Team AWS that was delivered by we45 at Blackhat USA 2022.
Abhay Bhargav is the founder at AppSecEngineer, a revolutionary training platform committed
to solving the Security Skills Shortage.
He has created some pioneering works in the area of DevSecOps and AppSec Automation,
including the world’s first hands-on training program on DevSecOps, focused on Application
Security Automation. In addition to this, Abhay is active in his research of new technologies and
their impact on Application Security, namely Containers, Orchestration and Serverless
Architectures.
Abhay is a speaker and trainer at major industry events including DEF CON, BlackHat, OWASP
AppSecUSA, EU and AppSecCali. His trainings have been sold-out events at conferences like
AppSecUSA, EU, AppSecDay Melbourne, CodeBlue (Japan), BlackHat, SHACK and so on.