Certified Software Supply Chain Security Expert E-Learning

Participants should have:

• Experience with basic Linux commands
• A general understanding of Git, CI/CD, containers, and cloud platforms
• Familiarity with the OWASP Top 10 vulnerabilities
• Some experience with scripting languages such as Python, Go, or Ruby is helpful but not required

Target audience

This course is ideal for:

• DevSecOps professionals securing the software development lifecycle
• Security architects and engineers overseeing CI/CD environments
• Cloud-native security teams responsible for Kubernetes and container security
• Developers and SREs integrating security controls across their toolchains

By the end of this course, learners will be able to:

• Implement secure development lifecycle practices using frameworks like NIST SSDF and SLSA
• Detect and neutralise attacks such as dependency confusion, typo squatting, and CI/CD abuse
• Secure containers and Kubernetes clusters through advanced threat modelling and runtime controls
• Protect cloud environments by mitigating misconfigurations and monitoring for supply chain risks
• Deploy SBOMs, code signing, and artifact integrity checks to strengthen trust and traceability
• Embed secure code vetting and continuous monitoring across third-party and internal components
• Align enterprise governance with software supply chain risk management strategies

Introduction to supply chain security

• Course goals, syllabus, and certification process
• Overview of software supply chain stages
• Threat models for CI/CD, containers, clusters, and cloud
• Tools and lab environment orientation
• Case study: Equifax breach
• Hands-on: GitLab CI/CD, pre-commit hooks, continuous deployment

Attacking code and application supply chains

• Source code and package manager attack vectors
• SCM misconfigurations, pre-commit hooks, repo jacking
• Dependency confusion and masquerading techniques
• CI/CD abuse: poisoned pipelines, GitHub Actions vulnerabilities
• Application-layer threats and stolen code-signing credentials
• Defensive measures: SBOMs, SCA, SAST, DAST
• Hands-on: typo squatting, Git commit spoofing, secure hooks

Attacking container supply chains

• Container lifecycle and security overview
• Malicious container images and insecure registries
• Kernel-level attack surface: namespaces, capabilities, cgroups
• Hardening practices: minimal base images, daemon security
• Image signing and Docker Content Trust
• Hands-on: Docker image backdoors, typo squatting, SCA scanning

Attacking Kubernetes and cluster supply chains

• Kubernetes architecture and Helm security
• Admission controllers, insecure RBAC, and service accounts
• Attack vectors via API, secrets, and network sniffing
• Tools and strategies for cluster hardening
• Hands-on: privilege escalation, kube-hunter, Kubescape analysis

Attacking cloud supply chains

• Shared responsibility models and threat matrices
• Attack vectors in AWS, Azure, and GCP environments
• Targeting managed services, metadata, and serverless components
• Tools for secrets scanning, access control, and misconfiguration detection
• Hands-on: Trivy, TruffleHog, Harbor registry, Snyk, YaraHunter

Common defences against supply chain attacks

• Cryptographic assurance: signing, integrity, and provenance
• SBOM creation and automation
• Secure CI/CD enforcement with pinned dependencies and change control
• Analysis techniques: SAST, DAST, Fuzz Testing
• Hands-on: SBOM tools (Syft, Tern), Trivy, Bomber, SCAP

Managing a secure software supply chain programme

• Building and automating a component vetting process
• Identifying known and unknown vulnerabilities
• Aligning practices with NIST SSDF, SLSA, and OWASP SCVS
• Governance, compliance, and open-source risk monitoring
• Hands-on: achieving SLSA levels using GitLab, DefectDojo workflows

Exams and assessments

Participants will complete a certification exam to earn the Certified Software Supply Chain Security Expert™ credential. The course includes:

• One exam attempt included with enrolment
• Scenario-based assessments and lab exercises throughout the course
• False positive analysis and misconfiguration identification activities
• The exam is a task-oriented examination in which you will be required to solve 5 challenges within a timeframe of 6 hours, with an additional 24 hours to complete the report and submit it for evaluation.

Hands-on learning

This course with approx. 20hrs of e-learning includes:

• Over 50 guided, browser-based labs replicating real-world supply chain attacks
• Exercises across Git, CI/CD, containers, Kubernetes, and cloud platforms
• Secure coding, monitoring, and automation labs
• Integrated use of open-source and enterprise-grade tools
• Upon completion of the purchase, learners will have the opportunity to select their preferred commencement date. The course will be provided on the chosen start date.
• 3-years of access to the videos and checklists, 60 days of browser-based labs, PDF Manual.

• Exam included
• Online exam voucher
• Dedicated tutor support via email during your course from expert instructors