WS-05

Beyond the Code: Securing Your Software Supply Chain

Oct 4th and 5th, 2023
Grand Hyatt, Kochi, India

In an era where up to 80% of your code can come from third parties, the security of your software supply chain is more critical than ever. Software isn't built in silos anymore. It's built on a complex web of dependencies, with each component sourced from different providers across the globe. This opens up a myriad of vulnerabilities, making your software supply chain a prime target for cybercriminals.

Welcome to our two-day intensive course on Software Supply Chain Security. This is not just another IT security course. It's a journey that takes you beyond the confines of your own code, diving into the interconnected world of software development and delivery.

  • Day 1
    • From the Attacker's Perspective - Understanding Software Supply Chain Attacks

      The journey begins by exploring the reality of today's software supply chains, where the bulk of your code is sourced externally. We will dissect real-world attacks on software supply chains, understand how they unfolded, and examine their impacts.

      Through hands-on exercises, you'll step into the shoes of attackers, exploiting common vulnerabilities from developer environments and code repositories to dependencies and build/release tools. By the end of day one, you'll fully comprehend how exposed your software supply chain could be in this interconnected digital world.

  • Day 2
    • From Vulnerability to Fortification - Securing Your Software Supply Chain

      On the second day, we shift gears from understanding vulnerabilities to implementing robust defenses. We delve into industry-standard frameworks such as SLSA and NIST SSDF, translating them into practical strategies for each component of your supply chain.

      You'll get your hands dirty by applying these strategies to secure your developer environments, code repositories, and CI/CD pipelines. You will learn how to use Software Composition Analysis (SCA) tools to manage package and dependency vulnerabilities effectively. By the end of the course, you'll be equipped to transform your software supply chain from a security liability into an asset.

In modern, fast-moving organizations, keeping pace with digital transformation initiatives without compromising security is a growing conundrum. This course caters to everyone in the IT industry, from developers and engineers to IT managers, security analysts, and CTOs.

The nature of software development has changed; it's high time our approach to securing it evolved too. This course offers not just knowledge, but practical skills to secure your software supply chain amidst this paradigm shift. It's no longer enough to secure your code. You need to secure your software's lifeline - the supply chain.

Course Content (ToC):

  • Day One: Understanding and Attacking Software Supply Chains
    • Introduction to Software Supply Chain
    • Supply chain beyond code dependencies
    • Attacking Development Environments
    • Attacking Code Repositories
    • Attacking Dependencies and Package Management
    • Attacking CI/CD Pipelines
    • Attacking Container and Virtualization Environments
    • Mapping the attacks to MITRE ATT&CK
  • Day Two: Defending Software Supply Chains
    • Introduction to Defense Strategies: SLSA and NIST SSDF
    • Securing Development Environments
    • Securing Code Repositories
    • Secure Package Management and Dependency Security
    • Securing CI/CD Pipelines
    • Secure Container and Virtualization Environments

Prerequisites:

Basic knowledge of software development and IT security concepts is assumed. Familiarity with cloud platforms and CI/CD processes is beneficial but not mandatory.

Participant Requirements:

  • A laptop with a modern web browser and a stable internet connection
  • Most scenarios will be cloud-based, but some run best on a local system, so we recommend:
    • 80 GB of free disk space
    • Minimum 16 GB RAM (the VMs use at most 8 GB)
    • Ability to run virtual machines with VirtualBox or VMware
    • An x86-64 machine
    • Apple M1/M2 machines can run the software, but there is no guarantee everything will work as expected
  • Hands-on exercises require accounts on services such as GitHub, Bitbucket and AWS. These accounts will be created as part of the program itself; instructions will be provided before the class so students can come prepared.

Who should attend:

Anyone involved in the IT industry would benefit from this course, including:

  • Software Developers and Engineers
  • IT Managers
  • Security Analysts
  • DevOps Practitioners
  • CTOs and Decision Makers in IT

What to expect:

  • Comprehensive understanding of software supply chain vulnerabilities and defenses
  • Hands-on experience with real-world scenarios and exercises
  • Expert guidance on implementing security measures across different components of software supply chain
  • Knowledge of industry-standard security frameworks such as SLSA and NIST SSDF

What not to expect:

  • In-depth coding or programming lessons
  • Detailed walkthroughs of proprietary or niche tools
  • A focus on theoretical knowledge without practical application
  • An instant fix to all your organization's software supply chain security issues. Security is an ongoing process and this course equips you with the knowledge and skills to start and continue that journey.

Speaker

Anant Shrivastava

Information Security Professional, India

Anant Shrivastava is an information security professional with 15+ years of corporate experience in network, mobile, application and Linux security. Anant is an avid open-source supporter and runs multiple open-source projects, the most prominent being TamerPlatform and CodeVigilant.

He contributes to multiple open communities such as null and Garage4Hackers, and helped establish the null chapter in his hometown, Bhopal.

He has been a speaker and trainer at a multitude of conferences, including Black Hat USA/Asia/EU, DEF CON, Nullcon, c0c0n, Rootconf and many more.

He also participates in various communities as a CFP reviewer, notably for Black Hat EU, Nullcon, Rootconf by HasGeek, and the Recon Village, Cloud Village and Adversary Village at DEF CON.

His code contributions can be found on GitHub. He is active on Twitter and the Fediverse, his talks and presentations are available online, and he writes about his experiments on his blog.

ORGANIZED BY

Information Security Research Association and Kerala Police

c0c0n @16

c0c0n is a 15-year-old platform aimed at providing opportunities to showcase, educate, understand and spread awareness of information security, data protection, and privacy...

Where & When?

Oct 4th to 7th, 2023
Grand Hyatt, Kochi, India

Reach us @

(+91) 974-690-6654
m@is-ra.org