Course Detail

Certified Cloud Native Security Expert (CCNSE)

EDU Trainings s.r.o.

Course Description

The Certified Cloud-Native Security Expert (CCNSE) is a vendor-neutral certification program in cloud-native security. The course covers security topics such as an Introduction to Cloud-Native Concepts and their Security, Containers and Container Security, an Introduction to Kubernetes, Hacking a Kubernetes Cluster, Kubernetes Authentication and Authorization, Kubernetes Admission Controllers, Defending a Kubernetes Cluster, Kubernetes Network Security, and Kubernetes Data Security.

Course Inclusions:

  Course Manual
  Course Videos and Checklists
  40+ Guided Exercises
  60 days Online Lab Access
  Access to a dedicated Mattermost channel
  One exam attempt for Certified Cloud-Native Security Expert

Upon completion of the course, you will be able to:

  Build a solid foundation that is required to understand the container and Kubernetes security landscape.
  Gain the necessary skills to analyze, assess, evaluate, and secure applications; APIs and microservices; containers; and Kubernetes.
  Gain a practical understanding of how to hack misconfigured Kubernetes workloads.
  Learn and implement the different authentication and authorization methods used in Kubernetes.
  Learn how different admission controllers help apply defense in depth to regulate and audit workloads in a Kubernetes cluster.
  Learn, apply and practice different techniques to manage cluster-wide data in a distributed setup.
  Practice and implement a myriad of techniques to secure secrets and other sensitive data processed and consumed in a Kubernetes cluster.
  Experience network security and Zero Trust in action using network policies and service meshes.
  Gain the necessary skills to defend a Kubernetes cluster from the most common attacks.

Course Content

Chapter 1: Introduction to Cloud-Native Concepts and its Security

Course Introduction (About the course, syllabus, and how to approach it)
About Certification and how to approach it
Lab Environment
Lifetime course support (Mattermost)
Overview of the Cloud Native Technologies
The 4C’s of Cloud-Native Security
  Cloud
  Clusters
  Containers
  Code (SCA, SAST, DAST) – DevSecOps
Security and Threat Model of Cloud-Native technologies
  Overview of Cloud Security
  Overview of Container Security (Container Vulnerability, Supply Chain Attack, Least Privilege)
  Overview of Kubernetes Security
  Overview of Microservices Security
Hands-on Exercise:
  Learn how to use our browser-based lab environment

Chapter 2: Introduction to Microservices Architecture

The need for microservices
Monolith vs Microservices
Technical and Business pros and cons of Microservices
Tools of the trade
  Source code management
  CI/CD tools
  Artefact management
  Cloud Platform
  Infrastructure as code
  Monitoring and logging tools
  Collaboration tools
REST APIs
  What is an API
  API Security
  Introduction to OWASP API Top 10
  Software Component Analysis of API
  Static Application Security Testing of API
  Dynamic Application Security Testing of API
Hands-on Exercises:
  Working With GitLab CI/CD
  Advanced GitLab CI/CD
  Continuous Deployment Using GitLab


Chapter 3: Containers and Container Security

What is a container?
Container vs Virtualization
  Container Advantages
  Container Disadvantages
Docker Architecture and its components
  Command Line Interface (CLI)
  Engine (Daemon, API)
  Runtime (containerd, shim, runc)
Basics of container technology and its challenges
Container fundamentals
  Namespaces
  Cgroups
  Capabilities
Ways to interact with the container ecosystem
Container security issues
Container Defenses
Hands-on Exercises:
  Working With Docker Commands
  Create a Docker Image Using a Dockerfile
  Malicious Container Image
  Build a Secure, Miniature Image With Distroless To Minimize Attack Footprint
  How To Use a Container Registry
  Attacking a Misconfigured Docker Registry
  Signing Container Images for Trust
  Securing Containers Using Seccomp
  Exploiting a Containerized Application
  Docker Privilege Escalation


Chapter 4: Introduction to Kubernetes

Introduction to Kubernetes
Kubernetes Use Cases
Kubernetes Architecture (Core Components)
  Cluster, Nodes, and Pods
  API Server
  Controller Manager
  etcd
  kube-scheduler
  kubelet
  kube-proxy
  Container Runtime
Bootstrapping the Kubernetes cluster
Kubernetes Package Manager
  Understanding the Helm Workflow
  Creating Helm Charts
Hands-on Exercises:
  Bootstrapping the Kubernetes Cluster Using kubeadm
  Kubernetes Basic Components
  Working With Kubernetes
  Kubernetes Secrets
  Kubernetes Service Accounts
  Kubernetes Storage
  Kubernetes Networking Using Calico


Chapter 5: Hacking Kubernetes Cluster

Kubernetes Attack Surface and Threat Matrix
Common Kubernetes security issues
Differences in k8s installations (support for PSP vs no PSP)
Hands-on Exercises:
  Kubernetes Reconnaissance Through Port Scanning
  Hacking Kubernetes Using Kubernetes Dashboard
  Reconnaissance Using kube-hunter
  Crashing Kubernetes cluster
  Exploiting Kubelet API
  Exploiting Privileged Containers
  Compromising Kubernetes Secrets
  Supply Chain Attack Using Poisoned Image
  Supply Chain Attack Using Malicious Helm Chart
  Sniffing Kubernetes Network Traffic


Chapter 6: Kubernetes Authentication and Authorization

Fundamentals of Kubernetes Authentication and Authorization
Authentication mechanisms in Kubernetes
  Authentication with Client Certificates
  Authentication with Bearer Tokens
  HTTP Basic Authentication
  Remote Authentication
Authorization mechanisms in Kubernetes
  Node Authorization
  Attribute Based Access Control (ABAC)
  Role-Based Access Control (RBAC)
Hands-on Exercises:
  Creating Kubernetes Users Using Certificates
  Kubernetes Authentication Using Keycloak
  Find Misconfigured RBAC Using KubiScan
  Static Analysis of the Access Control Using Krane


Chapter 7: Kubernetes Admission Controllers

Fundamentals of Admission Controllers
Static Admission Controllers
  LimitRanger
  DefaultStorageClass
  AlwaysPullImages
Dynamic Admission Controllers
  Introduction to Custom Admission Controllers
  Working with Custom Admission Webhooks
  Authenticating API Servers
  Open Policy Agent (OPA) and Rego Policies
  Using OPA with Kubernetes
  OPA Gatekeeper
  OPA kube-mgmt vs OPA Gatekeeper
Pod Security Context
Pod Security Policies
Pod Security Admission
  Pod Security Standards
  Policy Modes
  Applying Policies
Different Options to Write Custom Policies for K8s
Hands-on Exercises:
  Enforcing Custom Resource Limits With LimitRanger
  Enforcing Images Are Always Pulled With Authorization
  Enforcing Trusted Images Using OPA Gatekeeper


Chapter 8: Kubernetes Data Security

Kubernetes Data Storage mechanisms
  Image Layers
  Container Mounts and Volumes
  Distributed Volumes in Kubernetes
  Persistent Volumes on Cloud
  Dynamically Provisioning Cloud Storage for Workloads
Managing secrets in traditional infrastructure
Managing secrets in containers at scale
  Exploring Secret Storage Options
  Kubernetes Secrets Object
  Encrypted Configurations
  Managing Encryption Keys in an External KMS
  Encrypting Secret Objects in Version Control Systems
  Mozilla SOPS for Secret OPerationS
  Introducing Secrets Store CSI Drivers
  Environment Variables and Volume Mounts
  Injecting Secrets with HashiCorp Vault
Scanning for Secrets Exposure
Hands-on Exercises:
  Encrypting Kubernetes Secrets at Rest
  Storing Secrets Securely Using HashiCorp Vault
  Managing Secrets Using Sealed Secrets
  Kubernetes Image Scanning Using Trivy


Chapter 9: Kubernetes Network Security

Introduction to Kubernetes Networking
  Kubernetes Networking Architecture
  Challenges with Kubernetes Networking
Network Policies in Kubernetes
  Network Policy and Its Characteristics
  Anatomy of a Network Policy
Fallacies of Distributed Computing
Service Mesh Architecture
  Exploring Linkerd
  Zero Trust with Consul Connect
  Service Identities with Istio
Hands-on Exercises:
  Writing Network Policies in Kubernetes
  Kubernetes Ingress Using NGINX Ingress
  Implementing a Service Mesh and mTLS With Istio
  Implementing a Service Mesh With Linkerd
  Enforce Zero Trust Networking Using Consul Connect


Chapter 10: Defending Kubernetes Cluster

Compliance and Governance
  Kubernetes Compliance with kube-bench
  Kubernetes Compliance with InSpec
Threat Modeling for Kubernetes
Static Analysis of Kubernetes clusters
Building Secure Container Images
Dynamic and Runtime Security Analysis
Security Monitoring
Hands-on Exercises:
  Principle of Least Privilege Using Role-Based Access Control
  Kubernetes Static Analysis
  Performing Static Analysis of Manifest Files in a CI/CD Pipeline
  Defining Kubernetes Resource Quotas
  Kubernetes Compliance Using CIS Benchmarks
  Securing Kubernetes Workloads Using gVisor
  Security Monitoring of Kubernetes Cluster Using Wazuh
  Kubernetes Threat Detection Using Falco
  Threat Hunting With Kubernetes Audit Logs

Certificate: On request.