Tuesday October 1, 2024 9:00am - 5:00pm GMT+08
***Training tickets require a separate purchase from the conference ticket***


The software supply chain is under increasing threat. New attacks and threats have appeared that we couldn't have imagined even two years ago. Total attacks on the software supply chain have been increasing by more than 730% year on year since 2019.  One way for organizations to combat this growing threat is to empower their offensive security teams to test the organization's own software supply chains.  But many offensive security teams are ill-prepared to tackle this new attack surface, which is why I created this training curriculum.


The purpose of this training is to help security practitioners expand the scope of their knowledge and toolkit to address the security posture of a specific software supply chain (SSC).   I will present a framework (TVPO) for assessing and testing existing supply chains via focused red-teaming activities.


This framework helps red-teamers learn how software is created by identifying how a target writes, builds and deploys its applications.   Not all existing red-teamers will know how this process works, so we will use a typical CI/CD workflow as an example.  Are malicious actors targeting your customers?  Are they targeting your tech stack, or are they targeting you for political reasons?  Do they want your source code?  Do they want access to the data you hold?  These are important questions to ask and discuss with your red team, because they help the team identify and assess risk for their organization's specific circumstances, which in turn allows them to prioritize their operations.


This training will rely heavily on the Visualizing Software Supply Chain document and its in-depth description of the ten stages of the software supply chain:  people, local requirements, source code, integration, deployment, runtime, hardware, DNS, services and cloud.


We will go through the different stages of the SSC and discuss the security controls that exist at each stage.   We will reference the OSC&R framework to identify specific attack vectors and security controls for a target software supply chain.  From that insight will come an understanding of the weaknesses and attack vectors available against that target.

Finally, in the second half of the day we will get very hands-on and learn how to craft attacks against different stages of the software supply chain.


This 8 hour training session will have 4 main takeaways:

  1. How broad the software supply chain is. There is a LOT of attack surface across the whole of the software supply chain.
  2. How to use the TVPO methodology to threat model a specific software supply chain. What are attackers looking for?
  3. A framework for building red team infrastructure and functions, so that participants can run offensive operations against different types of software supply chains.
  4. Finally, we will work with a custom-built interactive CTF that I built just for this training session.  Participants will take part in an interactive red team engagement against a real open-source project.
Speakers

Paul McCarty

Founder, SourceCodeRED
Paul is a DevSecOps OG and has built a reputation for delivering offensive security functions for (and against!) the software supply chain. He founded SecureStack, a pioneering cloud-native software supply chain security startup, in 2017. More recently, he's founded SourceCodeRED a...
Level 3 Jasmine Ballroom 3805 Marina Bay Sands Singapore