Trusted by 10,000+ Learners
Certified Software Supply Chain Security Expert™
Trusted by top companies across industries, empowering thousands of professionals worldwide. Join the ranks of security leaders.
Course Chapters
Prerequisites
- Course participants should know how to run basic Linux commands such as ls, cd and mkdir.
- Basic knowledge of Git, CI/CD pipelines, containers, and cloud platforms.
- A good understanding of the OWASP Top 10 vulnerabilities.
- Familiarity with a scripting language such as Python, Go, or Ruby helps, but it is not a necessity.
Chapter 1: Introduction to Supply Chain Security
- Course Introduction (about the course, the syllabus, and how to approach it)
- About the Certification and how to approach it
- Course Lab Environment
- Lifetime course support (Mattermost)
- An overview of Supply Chain Security
- Supply Chain Security Building Blocks
  - Code Creation
    - Source Code Management (SCM)
    - Internal and external (third-party) software inventory
    - Build system (CI/CD)
    - Application
  - Containers
  - Clusters
  - Cloud
- Threat Model of the Software Supply Chain
  - Overview of Code Creation (SCM, CI/CD and Application)
  - Overview of Containers
  - Overview of Clusters
  - Overview of Cloud
- Evolution of Software Supply Chain Security
- Hands-on Exercises:
  - Learn how to use our browser-based lab environment
  - How CI/CD Works
  - Working with GitLab CI/CD
  - Understanding Stages in CI/CD Pipelines
  - Continuous Deployment
  - How the Equifax Hack Happened

Chapter 2: Attacking the Code and Application Supply Chain
- Introduction to the code supply chain
- Code creation process and the systems involved
  - Source code management (git, svn)
  - Package managers
  - Build and CI/CD systems
- Attacks on SCM systems
  - Breaking out of restricted Git shells
  - Git servers leaking confidential information
  - Exploiting pre-commit hooks
  - Repo Jacking
  - Executing Arbitrary Code With Git Commands
  - Risks of unencrypted Git traffic
  - Insufficient Authentication in Git Servers
- Supply Chain Attacks on package managers
  - Magecart attack on an airline
  - Supply Chain Attacks on CDNs
  - Bypassing security mechanisms like CSP
  - Typosquatting techniques
  - Combosquatting
  - Brandjacking
  - Dependency confusion
  - Abusing IDE behaviors through dependency confusion
  - Package Masquerading
  - Abusing Generative AI for package masquerading
- Attacks on Build and CI/CD Systems
  - Poisoning build pipelines for complete pwnage
  - Sneaking PRs/MRs past manual code reviews
  - Abusing webhooks to compromise CI/CD systems
  - Cross Build Injection (XBI) Attacks
  - Misconfigured GitHub Actions
- Attacks on the Application Side
  - Injection attacks
  - Cross-Site Scripting (XSS)
  - Server-Side Request Forgery (SSRF)
- Real-world case studies of code supply chain attacks
  - Stealing environment variables from build servers
  - Exposing private source code on GitHub
  - Leaking source code of patented technologies
  - Stolen code-signing certificates and signed malicious apps
- Best practices for securing the application supply chain
  - SBOMs
  - Code Signing and Commit Signing
  - Artifact Signing
  - Dependency Hashing
  - Dependency Pinning
  - Defending GitHub Actions With Pinning
- Technologies and solutions for securing applications
  - SCA
  - SAST
  - DAST
  - Fuzz Testing
- Hands-on Exercises:
  - Dependency confusion
  - GitLab privilege escalation
  - Git commit spoofing
  - Git commit signing
  - Typosquatting a dependency
  - How the Codecov attack happened
  - Working with pre-commit hooks
  - Exploiting pre-commit hooks
  - Software Component Analysis (SCA)
  - Static Application Security Testing (SAST)
  - SCA/SAST using pre-commit hooks
  - Dynamic Analysis

Chapter 3: Attacking the Container Supply Chain
- Introduction to container technology
  - What is a container
  - Basics of containers
- Ways to interact with the container ecosystem
- Attack surface of containers and supply chain risks
  - Overview of container security
  - Attack surface of the container ecosystem
  - Attack surface analysis using native and third-party tools
    - Attack surface analysis with native tools
    - Kernel features: Namespaces, Cgroups, Capabilities
- Attacking the container supply chain ecosystem
  - Malicious images
  - Insecure container registries
  - Attacking through container misconfigurations
- Best practices for securing container applications
  - Container Image Security
    - Distroless and scratch images
    - Multi-stage builds
  - Securing the Docker daemon
- Technologies and solutions for securing containerized applications
  - Docker host security configurations
    - Seccomp
    - AppArmor
    - Image signing and Content Trust
- Hands-on Exercises:
  - Working with the docker command
  - Creating container snapshots
  - Malicious container image
  - Backdooring a docker image
  - Attacking a docker registry
  - Exploiting containerized apps
  - Unsecured docker daemon
  - Minimize docker security misconfigurations
  - Build a secure, miniature image to minimize the attack footprint
  - Typosquatting attack on a docker image

Chapter 4: Attacking the Kubernetes/Cluster Supply Chain
- Microservices and Kubernetes
  - Introduction to Microservices Architecture
  - Introduction to Kubernetes Architecture
- Core Components of Kubernetes
- Supply Chain Threats for a cluster
- Kubernetes Package Manager
  - Helm and its security
  - Understanding the Helm charts workflow
  - Creating Helm Charts
- Abusing the Kubernetes Request Pipeline
  - Authentication, Authorization, and Admission Controllers
  - Attacks on Admission Controllers and webhooks
  - Insecure RBAC rules
- Common Attack Vectors in Kubernetes Clusters
- Technologies and solutions for securing container orchestration
  - Static analysis of Kubernetes clusters
  - Dynamic analysis and runtime security of Kubernetes clusters
- Hands-On Exercises:
  - Kubernetes basic commands
  - Working with Kubernetes
  - Kubernetes secrets
  - Kubernetes service accounts
  - Kubernetes networking using Calico
  - Reconnaissance using Kube-hunter
  - Stealing Kubernetes secrets
  - Exploiting the Kubelet API
  - Privileged pods in Kubernetes
  - Sniffing Kubernetes network traffic
  - Kubernetes image scanning
  - Static analysis of Kubernetes manifests

Chapter 5: Attacking the Cloud Supply Chain
- Introduction to the Cloud Ecosystem (Public, On-Premise)
- Cloud Attack Surface and Threat Matrix
- Shared Security Model of the Cloud
- Attack Vectors in AWS
  - Misconfigurations (exposed secrets, metadata service, etc.)
  - Attacking Managed Services like S3 and CloudFront CDN
  - Attacking Serverless Computing
  - Attacking Application Deployment Services
- Attack Vectors in Azure
  - Misconfigurations (exposed secrets, metadata services, etc.)
  - Attacking Azure Blob Storage and Azure Application Gateway
  - Attacking Azure Functions
  - Attacking Web Apps
- Attack Vectors in GCP
  - Misconfigurations (exposed secrets, metadata services, etc.)
  - Attacking Google Cloud Storage (GCS) and Cloud CDN
  - Attacking Google Cloud Functions
  - Attacking Google Kubernetes Engine
- Best Practices for Securing the Cloud

Chapter 6: Common Defenses Against Supply Chain Attacks
- Prove the integrity of software components using cryptography
  - Code Signing
  - Component Signing
  - Artifact Signing
  - The Update Framework (TUF)
- Evaluate dependencies before use
  - Analyze the security and compliance of dependencies
  - Implement integrity checks or policies
- Implement Change Control
  - Protected Branches
  - Licensed Code
  - Configuration management and change control
- Create an asset inventory
- Generate a Software Bill of Materials
  - Application SBOM
  - Container SBOM
  - Host SBOM
- Code Isolation and Sandboxing
- Automation of Common Controls in CI/CD
  - Software Component Analysis of Code and Containers
  - Static Security Analysis of Application Code and Infrastructure as Code
  - Dynamic Security Analysis of Applications, APIs, Containers, and Clusters
  - Detecting Unexpected Behaviors Through Fuzz Testing
- Compliance and Governance of Supply Chain Risk
- Hands-On Exercises:
  - Generate the SBOM for an application using Syft
  - Generate the SBOM for a Docker image using Syft
  - Create an SBOM with Tern
  - Identify malicious packages using guarddog
  - Finding risky packages using packj
  - Secrets scanning using Trivy
  - Secrets scanning using TruffleHog
  - False Positive Analysis (FPA)
  - Container registry using Harbor
  - Container vulnerability scanning using Snyk
  - Scanning Docker images for vulnerabilities with Trivy
  - Signing container images for trust
  - Container malware scanning using YaraHunter
  - Find misconfigured RBAC using KubiScan
  - Finding misconfigurations using Kubescape
  - Finding Helm chart misconfigurations using Kubescape
  - How to embed Syft into a CI/CD pipeline
  - Scan an SBOM for vulnerabilities using bomber
  - Implement SAST as part of DevOps pipelines
  - Implement DAST as part of DevOps pipelines

Chapter 7: Managing a Secure Software Supply Chain Program
- Problems with current supply chain attack visibility
  - Detection of only known vulnerabilities
  - Detection of unknown vulnerabilities
- Creating a vetting process for software components (commercial, open source, third-party, and proprietary code) used throughout the SDLC
- Automation of vetting for third-party code
- Software Supply Chain Industry Standards and Best Practices
  - NIST C-SRM or SLSA
  - NIST SSDF
  - Software Component Verification Standard (SCVS)
  - Secure Supply Chain Consumption Framework (S2C2F)
  - Supply Chain Integrity Model
  - Software Supply Chain Best Practices
  - SBOM
  - CycloneDX
  - OpenSSF – Automated
- Core Infrastructure Initiative – Self Assessment
- Hands-on Exercises:
  - Achieving SLSA Level 1 using GitLab
  - Achieving SLSA Level 2 using GitLab
  - Establish a vetting process for open-source components
  - Working with DefectDojo
  - Vulnerability Management with DefectDojo
  - Handling Dependency Hell

Practical DevSecOps Certification Process
- After completing the course, you can schedule the CSSE exam on your preferred date.
- The process of achieving the Practical DevSecOps CSSE Certification can be found here.

Become a Software Supply Chain Security Expert in 60 Days
What you'll learn from the Certified Software Supply Chain Security Expert course
Supply Chain Attack Defense
- Protect source code and container registries
- Secure Kubernetes clusters and cloud systems
- Prevent SolarWinds-style infrastructure attacks

Vulnerability Detection and Scanning
- Detect dependency confusion attacks early
- Scan CI/CD pipelines for vulnerabilities
- Generate SBOMs to track component risks

DevSecOps Security Implementation
- Build security in from repository to production
- Secure Git and GitHub Actions workflows
- Implement automated security controls

Security Framework Compliance
- Apply the NIST SSDF, CIS, and SLSA frameworks
- Implement SLSA security controls
- Achieve measurable security maturity

Enterprise Risk Management
- Build supply chain risk frameworks
- Achieve NIST CSF compliance
- Align security with business objectives

Third-Party and OSS Security
- Assess vendor and open-source risks
- Secure contractor development access
- Validate Docker images and dependencies

We have provided training and presented at numerous industry events.
Benefits of Enrolling in the Practical DevSecOps Courses
Master today’s security challenges with our updated curriculum and hands-on labs, preparing you for real-world threats.
Browser-based lab
Access all tools and exercises directly in your browser. Enjoy a practical, hassle-free learning experience: no downloads or installations needed!
Explore commands with our new AI-powered 'Explain to me' feature
Gain detailed insights into any command with our AI-powered feature, designed to enhance your understanding and accelerate your learning.
Master cutting-edge tools
Enhance your security skills through hands-on experience with the latest industry tools in our labs. Get equipped for real-world applications and stay ahead of industry changes.
Hear from our learners
Explore the global impact of our Practical DevSecOps Certifications through our learners’ testimonials.
Frequently asked questions
What are the prerequisites required before enrolling in the Software Supply Chain Security certification Course?
Students need to know basic Linux commands, Git, CI/CD pipelines, containers, cloud platforms, and OWASP Top 10 vulnerabilities. Python scripting knowledge helps but remains optional.
What’s included in the Software Supply Chain Security course package?
3 years of access to the videos and checklists, 60 days of browser-based labs, a PDF manual, 24/7 student support, and one exam attempt.
Do the labs for the course start immediately after enrollment?
No, the course doesn’t start automatically after you enroll. You’ll choose your preferred start date after completing your purchase. Once your selected start date arrives, we’ll provide access to all course materials and resources.
Does the course come with CPE points?
Yes, the course comes with 36 CPE hours.
What is the exam format?
You must solve 5 challenges within 6 hours during this task-oriented exam. After completing the challenges, you have 24 additional hours to write and submit your report for evaluation. For more information, visit this link.
Should I go to an exam center, or is the exam online?
The exam is online. You can take it from your home or office without traveling to a testing center.
How long is the Software Supply Chain Security Expert Certification Valid?
Once you earn it, the certification remains valid for a lifetime, so there are no renewal requirements.
What Salary Jump Can the Certified Software Supply Chain Security Course Deliver?
The salary jump is pretty incredible—you go from making $80,000–$110,000 to earning $139,000–$174,000. We’re talking about an extra $60,000+ in your pocket every year.
Why such a huge increase? Simple—this is the first certification ever created for software supply chain security, and supply chain attacks are absolutely exploding right now. Remember SolarWinds? That’s just the tip of the iceberg. Every company is panicking about being the next victim, but there’s almost nobody who actually knows how to prevent these attacks.
Software supply chain security is ridiculously specialized. You need to understand dependencies, third-party risks, how to secure the entire pipeline from development to deployment—it’s complex stuff that most security professionals don’t even touch. That’s exactly why it pays so well.
If you’re a Security Engineer, AppSec Professional, Security Architect, or DevOps professional, this certification transforms you into one of the only people who can solve a problem that terrifies every CEO. The market’s growing from $2.16 billion to over $4 billion in the next decade, but right now? There are barely any certified experts to hire.
Why choose the Certified Software Supply Chain Security course?
The Certified Software Supply Chain Security Expert course delivers complete protection against emerging software supply chain threats across the entire software ecosystem. We deliver practical training that spans code creation, containers, Kubernetes clusters, and cloud environments through intensive hands-on labs and 50+ guided exercises based on real-world attacks, setting us apart from other training programs.
We align with industry frameworks like SLSA, OWASP SCVS, and NIST while offering student support through our dedicated Mattermost community. Organizations choose us to develop internal expertise in:
- Identifying advanced supply chain vulnerabilities
- Implementing security controls at each layer
- Automating security verification in CI/CD pipelines
- Creating effective risk management programs

Turn your organization's teams into software supply chain security experts and safeguard your enterprise from today's most dangerous attacks.
We also offer Instructor-Led Training (ILT) for enterprises.
Unmatched practical focus
70% hands-on labs for mastering real-world scenarios.
Expert-crafted curriculum
Get real-world insights from experienced security experts.
Practical exam
Take a 6-hour examination to show what you have learned.
24/7 expert support