SEC547: Cyber Security Training at SANS Stay Sharp: Jan 2025
Provided by SANS
What You Will Learn
From Procurement to Product: Secure Your Supply Chain Journey
SEC547 covers the broad topic of supply chain risk management and expands on traditional definitions of vendor risk management to include more modern concepts such as software transparency and assurance. Tackling not only the why of supply chain security, but how as well. Through a series of case studies and real-world threat scenarios, the course provides effective guidance that transcends conventional wisdom to land at ground truths necessary to build and mature a supply chain program.
The landscape of supply chain security is fraught with peril, not only with the adversaries we seek to disrupt, but also the internal and external stakeholders that complicate this process. Through a blend of both traditional risk management disciplines interwoven with technical concepts required to defend against nation state level and criminal organizations, SEC547 will give you confidence in keeping your organization safe. Exploration of concepts such as procurement and contracting, risk assessments, software bill of materials (SBOMs), counterfeit and other hardware threats, and coordinated vulnerability remediation and response provide the context needed to secure your organization.
SEC547 is constructed around a fictional industrial manufacturing company as an illustrative showcase of the challenges faced by both buyers and sellers of technology. As we walk through course objectives, aspiring supply chain professionals will be able to identify with and apply the lessons learned to tackle these critical concerns.
What Is Supply Chain Security??
The practice of supply chain security is focused on securing the upstream dependencies we ingest into the products and services we rely upon to run our business. The scope of these activities can be broad and impact the people, processes, and technology we rely on to run the business. Likewise, our people, processes, and technology are the supply chain for other downstream organizations, and as such, both upstream and downstream concerns become part of the global supply chain concern. This connected ecosystem creates a rapidly expanding spider web of risks that function as a force multiplier for adversaries seeking to maximize the returns on their offensive investments.
Business Takeaways
SEC547's hands-on focus comprise of 13 immersive labs across 3 days and explores the supply chain security concepts taught through instructor presentation. Using a custom Linux lab environment purpose-built for this course, you will leverage industry supply chain tools such as Dependency Track, CycloneDX, Syft, in-toto, CSAF VEX standard, and even utilities such as gitgeo to interrogate GitHub for noteworthy observations about open-source projects. As working with supply chain artifacts is a big part of this work, we will also cover advanced command line introspection of these file formats such as processing and parsing of JSON files and learning to optimize testing workflows. Additional tools covered in the labs include sha1sum, openssl, sigstore, sbomqs, blint, and a variety of open-source intelligence (OSINT) tools such as nmap, subfinder, and more, useful for information collection and assessment activities.
"The labs/exercises today were great! I'm able to walk away with some great tools and processes that can be implemented to immediately enhance my team's aspect of the security review." - Liana Torres, Savannah River Nuclear Solutions
"I very much enjoyed the labs. Great way to learn what's happening in the background of some of our security tools. Also enjoyed the use cases it applied to. Definitely provided good insights into how other organizations might be approaching some of these problem sets." - Alan Millington, Self Employed
Syllabus Summary
Webcasts
Depending on your current role or future plans, one of these courses is a great next step in your supply chain security journey:
From Procurement to Product: Secure Your Supply Chain Journey
SEC547 covers the broad topic of supply chain risk management and expands on traditional definitions of vendor risk management to include more modern concepts such as software transparency and assurance. Tackling not only the why of supply chain security, but how as well. Through a series of case studies and real-world threat scenarios, the course provides effective guidance that transcends conventional wisdom to land at ground truths necessary to build and mature a supply chain program.
The landscape of supply chain security is fraught with peril, not only with the adversaries we seek to disrupt, but also the internal and external stakeholders that complicate this process. Through a blend of both traditional risk management disciplines interwoven with technical concepts required to defend against nation state level and criminal organizations, SEC547 will give you confidence in keeping your organization safe. Exploration of concepts such as procurement and contracting, risk assessments, software bill of materials (SBOMs), counterfeit and other hardware threats, and coordinated vulnerability remediation and response provide the context needed to secure your organization.
SEC547 is constructed around a fictional industrial manufacturing company as an illustrative showcase of the challenges faced by both buyers and sellers of technology. As we walk through course objectives, aspiring supply chain professionals will be able to identify with and apply the lessons learned to tackle these critical concerns.
What Is Supply Chain Security??
The practice of supply chain security is focused on securing the upstream dependencies we ingest into the products and services we rely upon to run our business. The scope of these activities can be broad and impact the people, processes, and technology we rely on to run the business. Likewise, our people, processes, and technology are the supply chain for other downstream organizations, and as such, both upstream and downstream concerns become part of the global supply chain concern. This connected ecosystem creates a rapidly expanding spider web of risks that function as a force multiplier for adversaries seeking to maximize the returns on their offensive investments.
Business Takeaways
- Increase your organization's resilience in the face of adversarial threats
- Decrease the cost of your security program through risk reduction
- Conduct vendor and product supply chain assessments
- Reduce the impact of supply chain attacks on your organization
- Prioritize risks inside your supply chain program
- Identify leakage of sensitive intellectual property
- Identify foreign presence risks in your supply chain
- Coordinate supply chain security conversations with stakeholders
- Create SBOMs from source code
- Create attestation pipelines
- Understand how vulnerabilities are published
- Learn to validate vulnerable components
- Identify counterfeit components
- Build a supply chain security program
- Understand how foreign adversaries manipulate supply chains
- Learn to use open-source supply chain security tools
- Work with developers to inject security into your product development process
- Become more effective at responding to supply chain threats
- Learn effective techniques to respond to the next major supply chain vulnerability
SEC547's hands-on focus comprise of 13 immersive labs across 3 days and explores the supply chain security concepts taught through instructor presentation. Using a custom Linux lab environment purpose-built for this course, you will leverage industry supply chain tools such as Dependency Track, CycloneDX, Syft, in-toto, CSAF VEX standard, and even utilities such as gitgeo to interrogate GitHub for noteworthy observations about open-source projects. As working with supply chain artifacts is a big part of this work, we will also cover advanced command line introspection of these file formats such as processing and parsing of JSON files and learning to optimize testing workflows. Additional tools covered in the labs include sha1sum, openssl, sigstore, sbomqs, blint, and a variety of open-source intelligence (OSINT) tools such as nmap, subfinder, and more, useful for information collection and assessment activities.
"The labs/exercises today were great! I'm able to walk away with some great tools and processes that can be implemented to immediately enhance my team's aspect of the security review." - Liana Torres, Savannah River Nuclear Solutions
"I very much enjoyed the labs. Great way to learn what's happening in the background of some of our security tools. Also enjoyed the use cases it applied to. Definitely provided good insights into how other organizations might be approaching some of these problem sets." - Alan Millington, Self Employed
Syllabus Summary
- Section 1: Supply chain overview and deep dive into conducting vendor risk assessments and how to scale the process.
- Section 2: Foray into product security, including hardware threats and counterfeit and a deep dive into SBOM and the challenges and solutions associated with managing them.
- Section 3: Attestations for supply chain artifacts and process assurance, as well as vulnerability and threat mitigation and response.
Webcasts
- Enhanced Vendor Risk Assessments: Maximizing Risk Reduction and Strengthening Vendor Relations
- Building and Scaling SBOM Programs: Navigating the Challenges for Effective Risk Management
- Supply Chain Security Incident Response: Strategies for Responding to Emerging Threats
- Eight Essential Lessons for Resilient Supply Chain Security
- Maximizing Vendor Risk Assessments
- Vendor Risk Assessment Matrix
- Who Knew Grandpa was a Supply Chain Security Expert?
- A custom Linux virtual machine with 50+ tools purpose-built for supply chain work that you will use in course labs and can be used when you return to work
- An electronic workbook with step-by-step instructions for 13+ fully functional labs that do not expire and can be repeated any time after the course
- A digital download package that includes additional industry resources and white papers that help build upon course content
- Printed and electronic courseware
- MP3 audio files of the complete course lecture
Depending on your current role or future plans, one of these courses is a great next step in your supply chain security journey:
- Product Security Engineer:
- SEC568: Combating Supply Chain Attacks with Product Security Testing
- SEC556: IOT Penetration Testing
- Software Security Architect:
- SEC540: Cloud Security and DevSecOps Automation
Enquire
Start date | Location / delivery | |
---|---|---|
21 Jan 2025 | Virtual | Book now |