Certified Container Security Expert (CCSE)

I. Overview:

Container Security Expert is the training program for professionals tasked with securing the container environment. The course allows you to get hands-on experience as you work with live containers in our lab, gaining significant insights that will arm you to secure a containerized platform in any environment.

II. Objectives:

After the training, you will be able to:

  • Build the solid foundations required to understand the container security landscape
  • Embed security while creating and building container images, and secure running containers
  • Limit the blast radius in case of a container compromise
  • Analyze container weaknesses, attack containers, and defend containers using a range of tools and tactics
  • Apply practical container security skills in real-world container deployments
III. Duration: 40 hours

IV. Prerequisites:

  • Course participants should be comfortable with basic Linux commands such as ls, cd and mkdir.

V. Course outlines:

1. Module 1: Introduction to Containers

  • What is a container?
  • Basics of a container and its challenges
  • Container vs. Virtualization
    • Container Advantages
    • Container Disadvantages
  • Container fundamentals
    • Namespaces
    • Cgroup
    • Capabilities
  • Docker architecture and its components
    • Docker CLI
    • Docker Engine (Daemon, API)
    • Docker Runtime (containerd, shim, runc)
  • Interacting with container ecosystem
    • Docker images and image layers
    • Build Container images using Dockerfile
    • Docker image repository
    • Running a container
  • Managing / Orchestrating multiple containers
    • Using CLI/API to manage multiple containers
    • Docker Compose
    • Docker Swarm
    • Kubernetes
  • Docker alternatives
    • Podman
    • CRI-O
  • Hands-on Exercises:
    • Working with docker commands
    • Docker networking
    • Manage data in Docker
    • Create Docker Image using Dockerfile
    • Writing Dockerfile
    • How to use container registry
    • Learn Docker Compose
    • Working with Docker SDK
    • Creating container snapshots

2. Module 2: Container Reconnaissance

  • Overview of Container Security
  • Attack surface of the container ecosystem
  • Identifying the components and their security state
    • Get an inventory of containers
      - Docker Images
      - Dockerfile and Environment variables
      - Docker volumes
      - Docker Networking
      - Ports used/Port forwarding
      - Docker Registries
    • Exhaustive review of Namespaces, cgroups and capabilities
  • Analysis of the attack surface
    • Using native tools
    • Using third-party tools
  • Hands-on Exercises:
    • Using built-in docker tools for reconnaissance
    • Using third party tools for image inspection
    • Scanning the remote host for unauthenticated Docker API access
    • Identify a container and extract sensitive information
    • Create and restore a snapshot (tar) of the container for further analysis

3. Module 3: Attacking Containers and Containerized Apps

Note: every topic and sub-topic in this module has a corresponding exercise.

  • Containers Attack Matrix
  • Image-based attacks
    • Malicious Images
    • Extracting passwords, tokens, TLS certs, etc.
    • Exploiting vulnerable components
  • Registry-based attacks
    • Insecure Docker registries
    • Open Docker registries
    • Lack of authorization (RBAC)
  • Container-based attacks
    • Manipulating the Privileged mode containers
    • Attacking mounted docker volumes
    • Abusing SetUID/SetGID binaries
    • Exploiting shared namespaces
    • Attacking Linux capabilities
  • Docker host (Daemon) / kernel attacks
    • Exploiting unauthenticated Docker API
    • Insecure Docker endpoint
    • Lack of network segregation
    • Denial of service attacks
    • Kernel exploits
  • Privilege escalation methods in Docker
    • Security misconfigurations
      - Attacking management tools (Portainer)
      - Exploiting OWASP Top 10 issues in containerized apps
  • Hands-on Exercises:
    • Backdooring Docker images
    • Inspecting docker daemon activities
    • Malicious container images
    • Exploiting containerized apps
    • Unsecured Docker daemon
    • Docker exploitation using deepce
    • Attacking misconfigured Docker registry

4. Module 4: Defending Containers and Containerized Apps at Scale

  • Container image security
    • Building secure container images
      - Choosing base images
      - Distroless images
      - Scratch images
    • Security linting of Dockerfiles
    • Static Analysis (SCA) of container images
    • Scanning containers for vulnerabilities
      - Choosing the right container scanner tool for your needs
  • Docker Daemon security configurations
    • Docker user remapping
    • Docker runtime security (gVisor, Kata)
    • Docker socket configuration
      - fd
      - TCP socket
      - TLS authentication
    • Dynamic Analysis of the container hosts and daemons
  • Docker host security configurations
    • Kernel Hardening using Seccomp and AppArmor
    • Custom policy creation using Seccomp and AppArmor
  • Network Security in containers
    • Segregating networks
  • Misc Docker Security Configurations
    • Content Trust and Integrity checks
  • Docker Registry security configurations
    • Private vs. Public Registries
    • Authentication and Authorization (RBAC)
    • Built-in Image scanning capabilities
    • Policy enforcement
    • DevOps CI/CD Integration
  • Docker Tools, Techniques and Tactics
    • Tools
      - Dive (Forensic)
      - Dockle
    • Techniques
    • Tactics
  • Hands-on Exercises:
    • Securing container images by default using Harbor
    • Scanning Docker for vulnerabilities with Trivy
    • Embedding Trivy scan in GitLab CI
    • Build a secure, minimal image to reduce the footprint
    • Build a distroless image to reduce the footprint
    • Minimize Docker security misconfigurations with CIS compliance
    • Signing container images for trust

5. Module 5: Security Monitoring of Containers

  • Monitoring Docker events, logs
  • Incident response in containers
  • Docker runtime prevention
  • Policy creation, enforcement, and management
  • Docker security monitoring using Wazuh
  • Hands-on Exercises:
    • Auditing Docker using auditd
    • Sysdig Falco – Runtime protection and monitoring
    • Tracee – Runtime security

6. Practical DevSecOps Certification Process

  • After completing the course, you can schedule the CCSE exam on your preferred date.
  • Online training
  • Training in Hồ Chí Minh City
  • Training in Hà Nội
