Certified Software Supply Chain Security Expert™

Over 5,000 learners certified

Trusted by top companies across industries, empowering thousands of professionals worldwide. Join the ranks of security leaders.

Prerequisites
- Course participants should know how to run basic Linux commands such as ls, cd, and mkdir.
- Basic knowledge of Git, CI/CD pipelines, containers, and Cloud Platforms.
- A good understanding of OWASP Top 10 vulnerabilities.
- Familiarity with a scripting language such as Python, Go, or Ruby helps, but it is not required.

Chapter 1: Introduction to Supply Chain Security
- Course Introduction (About the course, syllabus, and how to approach it)
- About Certification and how to approach it
- Course Lab Environment
- Lifetime course support (Mattermost)
- An overview of the Supply Chain Security
- Supply Chain Security Building Blocks
- Code Creation
- Source Code Management (SCM)
- Internal and external (third-party) software inventory
- Build system (CI/CD)
- Application
- Containers
- Clusters
- Cloud
- Code Creation
- Threat Model of Software Supply Chain
- Overview of Code Creation (SCM, CI/CD and Application)
- Overview of Containers
- Overview of Clusters
- Overview of Cloud
- Evolution of Software Supply Chain Security
- Hands-on Exercises:
- Learn how to use our browser-based lab environment
- How CI/CD Works
- Working with GitLab CI/CD
- Understanding Stages in CI/CD Pipelines
- Continuous Deployment
- How the Equifax Hack Happened

Chapter 2: Attacking Code and Application Supply Chain
- Introduction to code supply chain
- Code creation process and systems involved
- Source code management (git, svn)
- Package managers
- Build and CI/CD systems
- Attacks on SCM systems
- Breaking out of restricted Git shells
- Git servers leaking confidential information
- Exploiting pre-commit hooks
- Repo Jacking
- Executing Arbitrary Code With Git Commands
- Risks of unencrypted Git traffic
- Insufficient Authentication In Git Servers
- Supply Chain Attacks on package managers
- Magecart attack on an airline
- Supply Chain Attacks on CDNs
- Bypassing security mechanisms like CSP
- Typo-squatting techniques
- Combosquatting
- Brandjacking
- Dependency confusion
- Abusing IDE behaviors through dependency confusion
- Package Masquerading
- Abusing Generative AI for package masquerading
- Attacks on Build and CI/CD Systems
- Poisoning build pipelines for complete pwnage
- Manual code reviews and sneaking PR/MR
- Abusing webhooks to compromise CI/CD systems
- Cross Build Injection (XBI) Attacks
- Misconfigured GitHub Actions
- Attacks on Application Side
- Injection attacks
- Cross Site Scripting (XSS)
- Server Side Request Forgery
- Real-World case studies of code supply chain attack
- Stealing environment variables from build servers
- Exposing private source code on GitHub
- Leaking source code of patented technologies
- Stolen code-signing certificates and signed malicious apps
- Best practices for securing application supply chain
- SBOMs
- Code Signing and Commit Signing
- Artifact Signing
- Dependency Hashing
- Dependency Pinning
- Defending GitHub Actions With Pinning
- Technologies and solutions for securing applications
- SCA
- SAST
- DAST
- Fuzz Testing
- Hands-on Exercises:
- Dependency confusion
- GitLab privilege escalation
- Git commit spoofing
- Git commit signing
- Typosquatting dependency
- How the Codecov attack happened
- Working with pre-commit hooks
- Exploiting pre-commit hooks
- Software Component Analysis (SCA)
- Static Application Security Testing (SAST)
- SCA/SAST using pre-commit hooks
- Dynamic Analysis

What you’ll learn from the Certified Software Supply Chain Security Expert Course?
Shield your organization from advanced software supply chain attacks that target your source code, container registries, Kubernetes clusters, and cloud infrastructure.
Detect and neutralize potential vulnerabilities and dependency confusion attacks before malicious actors exploit your CI/CD pipeline.
Create robust DevSecOps defense strategies that protect your entire development ecosystem from repository to production deployment.
Implement industry-leading security frameworks including NIST SSDF, CIS, SLSA, and OWASP SCVS to strengthen your supply chain security posture.
Integrate software supply chain security controls directly into your enterprise risk management framework for NIST CSF compliance.
Enforce rigorous security standards across all third-party vendors, external service providers, and contractors who access your development systems.

Chapter 3: Attacking Container Supply Chain
- Introduction to container technology
- What is a container
- Container basics
- Ways to interact with the container ecosystem
- Attack surface of containers and supply chain risks
- Overview of container security
- Attack surface of the container ecosystem
- Attack surface analysis using native and third-party tools
- Attack surface analysis with native tools
- Kernel features: Namespaces, Cgroups, Capabilities
- Attacking Container Supply Chain ecosystem
- Malicious images
- Insecure container registry
- Attacking through container misconfigurations
- Best practices for securing container applications
- Container Image Security
- Distroless and scratch image
- Multi-stage builds
- Securing Docker daemon
- Technologies and solutions for securing containerized applications
- Docker host security configurations
- Seccomp
- AppArmor
- Image signing and Content Trust
- Hands-on Exercises:
- Working with the docker command
- Creating container snapshots
- Malicious container image
- Backdooring docker image
- Attacking docker registry
- Exploiting containerized apps
- Unsecured docker daemon
- Minimizing Docker security misconfigurations
- Build a secure, miniature image to minimize attack footprint
- Typosquatting attack in docker image

Chapter 4: Attacking Kubernetes/Cluster Supply Chain
- Microservices and Kubernetes
- Introduction to Microservices Architecture
- Introduction to Kubernetes Architecture
- Core Components of Kubernetes
- Supply Chain Threats for a cluster
- Kubernetes Package Manager
- Helm and its security
- Understanding Helm charts workflow
- Creating Helm Charts
- Abusing Kubernetes Request Pipeline
- Authentication, Authorization, and Admission Controllers
- Attacks on Admission Controllers and webhooks
- Insecure RBAC rules
- Common Attack Vectors in Kubernetes Clusters
- Technologies and solutions for securing container orchestration
- Static analysis of Kubernetes clusters
- Dynamic analysis and runtime security of Kubernetes clusters
- Hands-on Exercises:
- Kubernetes basic commands
- Working with Kubernetes
- Kubernetes secrets
- Kubernetes service accounts
- Kubernetes networking using Calico
- Reconnaissance using Kube-hunter
- Stealing Kubernetes secrets
- Exploiting Kubelet API
- Privileged pods in Kubernetes
- Sniffing Kubernetes network traffic
- Kubernetes image scanning
- Static analysis of Kubernetes manifests

Chapter 5: Attacking Cloud Supply Chain
- Introduction to Cloud Ecosystem (Public, On-Premise)
- Cloud Attack Surface and Threat Matrix
- Shared Security Model of the Cloud
- Attack Vectors in AWS
- Misconfigurations (exposed secrets, metadata service, etc.)
- Attacking Managed Services Like S3, CloudFront CDN
- Attacking Serverless Computing
- Attacking Application Deployment Services
- Attack Vectors in Azure
- Misconfigurations (exposed secrets, metadata services, etc.)
- Attacking Azure Blob storage, Azure Application Gateway
- Attacking Azure Functions
- Attacking Web Apps
- Attack Vectors in GCP
- Misconfigurations (exposed secrets, metadata services, etc.)
- Attacking Google Cloud Storage (GCS), Cloud CDN
- Attacking Google Cloud Functions
- Attacking Google Kubernetes Engine
- Best Practices for Securing the Cloud

Chapter 6: Common Defenses Against Supply Chain Attacks
- Prove the integrity of software components using cryptography
- Code Signing
- Component Signing
- Artifact signing
- The Update Framework
- Evaluate dependencies before use
- Analyze the security and compliance of dependencies
- Implement integrity checks or policies
- Implement Change Control
- Protected Branches
- Licensed Code
- Configuration management and change control
- Create asset Inventory
- Generate a Software Bill Of Materials
- Application SBOM
- Container SBOM
- Hosts SBOM
- Code Isolation and Sandboxing
- Automation of Common Controls in CI/CD
- Software Component Analysis of Code and Containers
- Static Security Analysis of Application Code, Infrastructure as Code
- Dynamic Security Analysis of Applications, APIs, Containers, and Clusters
- Detecting Unexpected Behaviors Through Fuzz Testing
- Compliance and Governance of Supply Chain Risk
- Hands-on Exercises:
- Generate the SBOM for Application using Syft
- Generate the SBOM for Docker Image using Syft
- Create an SBOM with Tern
- Identify malicious Package using guarddog
- Finding Risky Packages using packj
- Secrets Scanning using Trivy
- Secrets Scanning using TruffleHog
- False Positive Analysis (FPA)
- Container Registry using Harbor
- Container Vulnerability Scanning using Snyk
- Scanning Docker for Vulnerabilities with Trivy
- Signing Container Images for Trust
- Container Malware Scanning using YaraHunter
- Find Misconfigured RBAC Using KubiScan
- Finding Misconfigurations Using Kubescape
- Finding Helm Charts Misconfigurations using Kubescape
- How to Embed Syft into CI/CD pipeline
- Scan SBOM for Vulnerabilities using bomber
- Implement SAST as part of DevOps pipelines
- Implement DAST as part of DevOps pipelines

Chapter 7: Managing a Secure Software Supply Chain Program
- Problems with current Supply Chain Attack Visibility
- Detection of only known vulnerabilities
- Detection of unknown vulnerabilities
- Creating a vetting process for software components (Commercial, Open Source, Third Party, and Proprietary Code) used throughout SDLC
- Automation of vetting and third-party code
- Software Supply Chain Industry Standards and Best Practices
- NIST C-SCRM or SLSA
- NIST SSDF
- Software Component Verification Standard (SCVS)
- Secure Supply Chain Consumption Framework (S2C2F)
- Supply Chain Integrity Model
- Software Supply Chain Best Practices
- SBOM
- CycloneDX
- OpenSSF – Automated
- Core Infrastructure Initiative – Self Assessment
- Hands-on Exercises:
- Achieving SLSA Level 1 using GitLab
- Achieving SLSA Level 2 using GitLab
- Establish a vetting process for open-source components
- Working with Defect Dojo
- Vulnerability Management With DefectDojo
- Handling Dependency Hell

Practical DevSecOps Certification Process
- After completing the course, you can schedule the CSSE exam on your preferred date.
- The process for achieving the Practical DevSecOps CSSE Certification can be found here.
Benefits of enrolling in the Practical DevSecOps Courses
Master today’s security challenges with our updated curriculum and hands-on labs, preparing you for real-world threats.
Browser-based lab
Access all tools and exercises directly in your browser. Enjoy a practical, hassle-free learning experience with no downloads or installations needed.

Explore commands with our new AI-Powered 'Explain to me' feature
Gain detailed insights into any command with our AI-powered feature, designed to enhance your understanding and accelerate your learning.
Master cutting-edge tools
Enhance your security skills through hands-on experience with the latest industry tools in our labs. Get equipped for real-world applications and stay ahead of industry changes.

Frequently asked questions (FAQs)
What are the prerequisites required before enrolling in the Software Supply Chain Security certification Course?
What’s included in the Software Supply Chain Security course package?
3-years of access to the videos and checklists, 60 days of browser-based labs, PDF Manual, 24/7 student support, and one exam attempt.
Do the labs for the course start immediately after enrollment?
No, the course doesn’t start automatically after you enroll. You’ll choose your preferred start date after completing your purchase. Once your selected start date arrives, we’ll provide access to all course materials and resources.
Does the course come with CPE points?
Yes, the course comes with 36 hours of CPE points.
What is the exam format?
You must solve 5 challenges within 6 hours during this task-oriented exam. After completing the challenges, you have 24 additional hours to write and submit your report for evaluation. For more information, visit this link.
Should I go to an exam center, or is the exam online?
Yes, this is an online exam. You can take it from your home or office without traveling to a testing center.
How long is the Software Supply Chain Security Expert Certification Valid?
Once you earn it, the certification remains valid for a lifetime, so there are no renewal requirements.
Why Certified Software Supply Chain Security Course?
The Certified Software Supply Chain Security Expert Course delivers complete protection against emerging software supply chain threats across the entire software ecosystem. We deliver practical training that spans code creation, containers, Kubernetes clusters, and cloud environments through intensive hands-on labs and 50+ guided exercises based on actual real-world attacks – setting us apart from other training programs.
We align with industry frameworks like SLSA, OWASP SCVS, and NIST while offering student support through our dedicated Mattermost community. Organizations choose us to develop internal expertise in:
- Identifying advanced supply chain vulnerabilities
- Implementing security controls at each layer
- Automating security verification in CI/CD pipelines
- Creating effective risk management programs
Transform your organization into a team of software supply chain security experts and safeguard your enterprise from today’s most dangerous attacks.
We also offer Instructor-Led Training (ILT) for enterprises
Hear from our learners
Explore the global impact of our Software Supply Chain Security Certification through our learners’ testimonials.
After two months of studying and a grueling 12-hour exam last Saturday, I'm happy to share I can now call myself a Certified DevSecOps Professional!
Would recommend the course to anyone that wants to really get hands-on and technical with tooling such as SCA, SAST, DAST, IaC and CaC.
I received good news over the Thanksgiving week: I passed my Certified Container Security Expert exam! This exam is provided by the Practical DevSecOps training group, which I highly recommend for hands-on skills in the DevSecOps field. The practical labs and 6-hour exam cover a number of security strategies and tools, including: Harbor, Cosign, Trivy, Grype, Snyk, Dockle, Seccomp and many more! The training is FIRST CLASS!
I am happy to share that I have lately gained the Practical DevSecOps Professional Certification (CDP).
Thanks to the Practical DevSecOps team, for both excellent material and a lot of great practical labs.
The certification finished off with a challenging 12-hour practical exam and extensive report writing.
I'm excited to share that I have successfully obtained the CCNSE certification!
This accomplishment has provided me with advanced abilities to effectively secure microservices, containers and Kubernetes environments.
I now possess comprehensive expertise in handling attacks, implementing defenses, and ensuring compliance within these complex systems.
I would like to give big thanks to the very responsive team at Practical DevSecOps.
After two months of studying and a grueling 12-hour Practical exam, I'm happy to share that I can now call myself a Certified DevSecOps Professional!
Warmly recommend this excellent course for technical architects, or engineers who want to gain hands-on skills on how to embed security across modern SDLC.
The labs covered running the below-mentioned security tools using Docker and building an E2E DevOps pipeline with integrated security automation using GitLab, Jenkins, CircleCI, and GitHub Actions.
SCA, SAST, DAST, Infra as Code/hardening (IaC), Compliance as Code(CaC), Vulnerability mgmt
Thanks Practical DevSecOps
This was a great course with practical training for how to embed automated security scanning into a CI/CD pipeline, plus hardening and compliance checks using an everything-as-code approach. Finishing off with a challenging 12 hour practical exam and extensive report writing requirement and assessment to gain the Certified DevSecOps Professional (CDP) certificate. Thanks to Mohammed A. Imran and Raj Shekar of Practical DevSecOps.
After a very challenging 12-hour hands-on exam and preparing an extensive exam report, I am now a Certified DevSecOps Professional (CDP)!
The quality of the course material was surprisingly good and the lab environment is better than any other that I've come across. And in the AppSec field, I have seen quite a few of them. If you want to learn about application security, CI/CD pipelines, Docker, IaC, CaC, SAST, DAST, SCA and these other crazy but very cool acronyms and buzzwords, you would be very wise to join this course.
Whoa! After completing 139 lab exercises and an intensive 12-hour exam in 1.5 months, I am finally a Certified DevSecOps Professional too. 🎉
Warmly recommend this excellent course for technical Product Owners, architects or engineers who want to gain hands-on skills on how to embed security across modern SDLC.
The labs covered running the below-mentioned security tools using Docker and building an E2E DevOps pipeline with integrated security automation using GitLab, Jenkins, CircleCI and GitHub Actions.
- SCA: Safety, pip-audit, RetireJS, dependency-check, Snyk, npm audit, auditjs, bundler-audit
- SAST: Trufflehog, detect-secrets, Bandit, Gosec, semgrep, hadolint, FindSecBugs, njsscan, pylint, Brakeman, SonarQube
- DAST: nikto, nmap, SSLyze, ZAP, Dastardly
- Infra as Code/hardening: Ansible, AnsibleVault, TFLint, Checkov, Terrascan, tfsec, Snyk
- Compliance as Code: Inspec for CIS Benchmark, ASVS, Docker compliance
- Vulnerability mgmt using DefectDojo
I recently took the Certified DevSecOps Professional (CDP) certification from Practical DevSecOps. I would recommend the course for anybody that is interested in DevSecOps. The course material was well-written and presented. The labs were very helpful for real-world applications, and the test was a fun challenge.
Future-Proof Your Career with Software Supply Chain Security Training
Unlock your potential with Software Supply Chain Security Training! Our Certified Software Supply Chain Security Expert Course equips you with job-ready skills. Conquer the 6-hour exam with confidence and open doors to exciting opportunities and challenges.
Unmatched practical focus
70% hands-on labs to master real-world scenarios.
Expert-crafted curriculum
Get real-world insights from experienced security experts.
Practical exam
A 6-hour hands-on examination to assess your learning.
24/7 expert support
Unbeatable guidance throughout your learning journey.