Raunak Parmar - Attacking & Securing CI/CD Pipeline Certification (ASCPC) by White Knight Labs - DCTLV2025
Name of Training: Attacking & Securing CI/CD Pipeline Certification (ASCPC) by White Knight Labs
Trainer(s): Raunak Parmar
Dates: August 11-12, 2025
Time: 8:00 am to 5:00 pm PT
Venue: Las Vegas Convention Center
Cost: $2,000
Course Description:
The Attacking and Securing CI/CD course is an on-demand and self-paced program designed to equip participants with the knowledge and skills to identify vulnerabilities and implement security measures within Continuous Integration and Continuous Deployment (CI/CD) pipelines. This course combines theoretical knowledge with practical, hands-on labs that simulate real-world scenarios in a CI/CD environment.
Course Outline:
-
Fundamentals
- CI/CD Overview
-
GitHub Actions Security
- GitHub Actions Overview
- Hijacking Techniques
- Artifact Handling:
- Secret Leakage via Uploads
- Artifact Poisoning
- Advanced Exploitation:
- Race Conditions
- Bypassing Protected Branches
- OIDC Misconfigurations
- Dependabot Automerge Vulnerabilities
- GitHub Actions Security Best Practices
-
CircleCI Security
- CircleCI Overview
- Config.yml Hijacking
-
AWS Codebuild Pipeline Security
- Codebuild Overview
- Exploiting Pipeline misconfiguration
-
Attacking Docker Registries
- Understanding Docker and its use case
- Lateral movement using Registries Keys
- Injecting Malicious Image to steal Credentials
-
Vulnerable Kubernetes Environment
- Exploring K8s Infrastructure
- Abusing CI/CD Pipeline to Compromise Kubernetes
- Enumeration Techniques
- Privilege Escalation via CI/CD in Kubernetes
- Hopping Over Pods
-
Azure Devops Security
- Azure Devops CI/CD Overview
- Azure DevOps Pipeline Security Risks
- Insecure Service Connections & Credential Leaks
- Build Agent Exploitation & Privilege Escalation
- Azure Devops Pipeline Exploitation
- Abusing Azure Services
Difficulty Level:
Intermediate/advanced
Suggested Prerequisites:
- Scripting: Familiarity with scripting languages such as python and bash
- Prerequisite knowledge: A background in CI/CD processes, DevSecOps practices, and a basic understanding of cybersecurity principles is recommended. Familiarity with scripting and automation in CI/CD environments will be beneficial.
What Students Should Bring:
-
Resources: 2 GitHub accounts, an AWS environment, Docker installed on host system
-
Hardware requirements: Admin access to your host system and cloud
Trainer(s) Bio:
Raunak Parmar works as a senior cloud security engineer at White Knight Labs. His areas of interest include web penetration testing, Azure/AWS security, source code review, scripting, and development. He enjoys researching new attack methodologies and creating open-source tools that can be used during cloud red team activities. He has worked extensively on Azure and AWS and is the author of Vajra, an offensive cloud security tool. He has spoken at multiple respected security conferences like Black Hat, Defcon, Nullcon, RootCon, and also at local meetups.
Registration Terms and Conditions:
Trainings are refundable before July 8, 2025, minus a non-refundable processing fee of $250.
Trainings are non-refundable after July 8, 2025.
Training tickets may be transferred. Please email us at training@defcon.org for specifics.
If a training does not reach the minimum registration requirement, it may be cancelled. In the event the training you choose is cancelled, you will be provided the option of receiving a full refund or transferring to another training (subject to availability).
Failure to attend the training without prior written notification, will be considered a no-show. No refund will be given.
By purchasing this ticket you agree to abide by the DEF CON Training Code of Conduct and the registration terms and conditions listed above.
Several breaks will be included throughout the day. Please note that food is not included.
All courses come with a certificate of completion, contingent upon attendance at all course sessions.
Training Justification Request – DEF CON Training
To: [Manager Name]
From: [Employee Name]
Date: [Date]
Subject: Business Justification for Attendance at DEF CON Training
Dear [manager’s name],
I am requesting approval to attend DEF CON Training, one of the cybersecurity industry's most recognized technical training programs. I’ve reviewed the options and selected a course to expand my skills with [1-2 key skills focus areas for the course].
DEF CON has been one of the world’s leading cybersecurity communities for more than three decades, known for convening industry, government, and independent experts to exchange advanced knowledge and practical skills. Building on this tradition, DEF CON Training delivers intensive courses taught by recognized global instructors. DEF CON Training courses offer hands-on instruction in a challenging, fast-paced environment. Many of the courses offered by DEF CON Training align with the National Institute of Standards and Technology (NIST) NICE Framework and Department of Defense Cyber Workforce Framework (DCWF), and attending this course will help me build and sharpen the skills required for my role.
Training: [Name of DEF CON Training Course]
Instructor/Provider: [Trainer Name(s)]
Dates: [Training Dates]
Location: Las Vegas, NV
Cost: [Course Fee]
Travel Expenses: [estimated travel & accommodations costs]
Course Description: [Copy short description of the selected class from the website here]
Trainer Bio: [Copy bio of the trainers of the selected class from the website here]
Once I’ve completed the course, I’ll be able to:
[copy student outcomes from course page where available or choose 3-4 skills or topic areas from the outline that are applicable to your current role, will help you fill a skill gap, etc.]
Business Need
As cyber threats continue to evolve, it is critical that our organization maintains current knowledge of emerging techniques and industry best practices. The selected DEF CON training aligns directly with my responsibilities in [your role/field here - for example, security operations, incident response, threat detection and hunting, application security, cloud security, risk management, security engineering].
The course will provide practical, hands-on experience that can be immediately applied to our environment and security initiatives. DEF CON training emphasizes real-world attack and defense scenarios, enabling participants to develop skills that extend beyond traditional classroom learning.
Request for Approval
I respectfully request approval and funding to attend DEF CON Training this August in Las Vegas. The knowledge, hands-on experience, and industry insights gained will directly support our cybersecurity objectives and contribute to strengthening our organization's security capabilities.
Thank you for your consideration. Please let me know if you have questions or need additional information to support this request.
Sincerely,
[Employee name]