Online Course
Cybersecurity: From Foundations to Advanced Practice

Software Supply Chain Security

A structured 3-month open source learning program covering the full spectrum of software supply chain security — threat landscape, SBOM, tooling, frameworks, and hands-on labs.

12 weeks
36 classes
5 phases
70 resources
For: Software engineers, DevSecOps practitioners, security engineers
Prerequisites: Basic understanding of software development and CI/CD pipelines
$35.00 per month · cancel anytime
36 structured classes
Content unlocks week by week
70 expert resources & readings
Capstone project submissions
Book 1-on-1 calls with Dr. Joshua
Career Mentor AI available as add-on

What You'll Be Able to Do

Understand what the software supply chain is and why it is a critical attack surface
Identify and describe the five major supply chain attack classes
Analyze landmark real-world incidents and extract lessons
Map attack techniques to attacker motivations and target types
Explain how transitive dependencies amplify risk
Generate, read, and compare SBOMs in SPDX and CycloneDX formats
Explain provenance and why it differs from an SBOM
Configure keyless signing with Sigstore/Cosign
Describe in-toto attestation and the SLSA provenance model
Implement basic SBOM generation and signing in a CI pipeline
Set up and tune Grype and Trivy for container and repository scanning
Use OSV-Scanner across multiple ecosystems

Complete Course Structure

36 classes across 5 phases — delivered over 12 weeks. Each class includes readings, exercises, and real-world activities. Capstone projects let you apply everything you've learned.

Phase 1 Learning Objectives
Understand what the software supply chain is and why it is a critical attack surface
Identify and describe the five major supply chain attack classes
Analyze landmark real-world incidents and extract lessons
Map attack techniques to attacker motivations and target types
Explain how transitive dependencies amplify risk

1. What is the software supply chain? (75 min · 3 resources · 1 exercise · Capstone)
Define the software supply chain end-to-end: from upstream open source code through registries, build systems, CI/CD pip…

2. Attack class 1 — Dependency confusion and typosquatting (75 min · 2 resources · 1 exercise · Capstone)
Deep dive into registry-based attacks: how attackers exploit package name resolution, namespace conflicts, and lookalike…

3. Attack class 2 — Malicious code injection and maintainer compromise (75 min · 2 resources · 1 exercise)
How attackers gain control of legitimate packages through account takeovers, social engineering, and malicious pull requ…

4. Attack class 3 — Build system and CI/CD compromise (75 min · 3 resources · 1 exercise)
The build pipeline is a privileged, often under-secured environment. This class covers how attackers target CI/CD system…

5. Attack class 4 — Compromised update mechanisms (60 min · 3 resources · 1 exercise)
Software update systems are trusted conduits into production. This class covers how attackers exploit update channels to…

6. Attack class 5 — Open source vulnerability exploitation (75 min · 2 resources · 1 exercise)
Not all supply chain risk is adversarial injection — unintentional vulnerabilities in dependencies are the most common e…

7. The ENISA taxonomy — classifying 24 real attacks (90 min · 2 resources · 1 exercise)
Work through the ENISA report systematically. Apply the taxonomy to classify each attack by supplier type, technique, an…

8. Attacker TTPs — CI/CD attack surface deep dive (75 min · 2 resources · 1 exercise)
Study the Top 10 CI/CD Security Risks in detail. Map each risk to real incidents and understand how defenders think abou…

9. Phase 1 review and capstone — threat model your own stack (90 min · 1 resource · 1 exercise · Capstone)
Synthesize Phase 1 learning. Complete the capstone threat model exercise. Review and correct any gaps before moving to t…

Phase Capstone Project: Phase 1 capstone — threat model your own stack
Pick a project you work on or use. Draw its dependency graph (at least 2 levels deep). Identify which of the five attack classes apply to each layer. Write a 1-page threat narrative.
Deliverable: Threat model document + annotated dependency graph
Phase 2 Learning Objectives
Generate, read, and compare SBOMs in SPDX and CycloneDX formats
Explain provenance and why it differs from an SBOM
Configure keyless signing with Sigstore/Cosign
Describe in-toto attestation and the SLSA provenance model
Implement basic SBOM generation and signing in a CI pipeline

10. What is an SBOM and why does it matter? (75 min · 2 resources · 1 exercise)
Establish what an SBOM is, what it must contain, and the policy landscape driving adoption — including US Executive Orde…

11. SPDX specification deep dive (75 min · 2 resources · 1 exercise)
Study the SPDX format in depth: document structure, element types, relationship graph, and snippet-level granularity.

12. CycloneDX specification and VEX (75 min · 2 resources · 1 exercise)
Study CycloneDX as the more vulnerability-focused SBOM format, including VEX (Vulnerability Exploitability eXchange) whi…

13. Provenance — what it is and how it differs from SBOM (75 min · 2 resources · 1 exercise)
Provenance answers 'how was this artifact built?' rather than 'what is in it?'. This class covers the provenance model, …

14. Sigstore — keyless signing infrastructure (90 min · 2 resources · 1 exercise)
Sigstore is the public-key infrastructure the open source world has been missing. This class covers Fulcio (CA), Rekor (…

15. The Update Framework (TUF) — secure update infrastructure (75 min · 2 resources · 1 exercise)
TUF is the reference design for secure software update systems, used by PyPI, RubyGems, and Datadog. Study the protocol …

16. SBOM tooling ecosystem — Syft, cdxgen, OWASP Dependency-Track (90 min · 2 resources · 1 exercise)
Hands-on survey of the full SBOM tooling stack: generation, management, continuous monitoring, and integration with vuln…

17. Integrating SBOM generation and signing into CI/CD (90 min · 2 resources · 1 exercise)
Move from manual tooling to automated pipeline integration. Build a GitHub Actions workflow that generates, signs, and p…

18. Phase 2 review and capstone — instrument a pipeline with SBOM and signing (90 min · 1 resource · 1 exercise · Capstone)
Complete the Phase 2 capstone. Review SBOM and provenance concepts. Peer-review pipelines.

Phase Capstone Project: Phase 2 capstone — instrument a pipeline with SBOM + signing
Take a sample project. Add Syft SBOM generation, Cosign signing, and publish the SBOM alongside the artifact. Produce a signed SLSA provenance attestation.
Deliverable: GitHub Actions workflow YAML + sample SBOM output + signed attestation
Phase 3 Learning Objectives
Set up and tune Grype and Trivy for container and repository scanning
Use OSV-Scanner across multiple ecosystems
Evaluate open source project security hygiene with OpenSSF Scorecard
Configure OWASP Dependency-Check for Java ecosystems
Integrate all tools into a CI pipeline with actionable policy gates

19. Grype — vulnerability scanning for containers and SBOMs (75 min · 2 resources · 1 exercise)
Deep dive into Grype: how it matches components to vulnerability databases, configuration tuning, and integration with S…

20. Trivy — all-in-one scanning for containers, IaC, and secrets (90 min · 2 resources · 1 exercise)
Trivy covers more scan targets than any other single tool: container images, filesystems, git repos, IaC (Terraform, Hel…

21. Google OSV-Scanner and the OSV ecosystem (75 min · 2 resources · 1 exercise)
OSV-Scanner is the most ecosystem-agnostic vulnerability scanner. This class covers the OSV database schema, the scanner…

22. OpenSSF Scorecard — evaluating dependency security posture (75 min · 2 resources · 1 exercise)
Scorecard evaluates the security practices of open source projects you depend on. This class covers interpreting scores,…

23. OWASP Dependency-Check and Java ecosystem scanning (75 min · 2 resources · 1 exercise)
OWASP Dependency-Check is the mature standard for Java/JVM vulnerability scanning. This class covers its architecture, M…

24. Phase 3 capstone — complete scanning pipeline in CI (90 min · 2 resources · 1 exercise · Capstone)
Integrate all scanning tools into a unified CI pipeline. Set policy gates. Generate consolidated reports. Complete the P…

Phase Capstone Project: Phase 3 capstone — build a complete scanning pipeline
Implement a GitHub Actions workflow that runs Trivy (container), OSV-Scanner (dependencies), and Scorecard (top 5 OSS dependencies) on every pull request. Fail on CRITICAL CVEs with no fix available w
Deliverable: GitHub Actions YAML + scan results + policy configuration
Phase 4 Learning Objectives
Map a build pipeline to SLSA levels and identify gaps to Level 3
Align a development program with SSDF practices
Apply NIST SP 800-161r1 C-SCRM concepts to an organization
Evaluate an open source project against OpenSSF Best Practices criteria
Design a cross-framework compliance mapping

25. SLSA — Supply-chain Levels for Software Artifacts (90 min · 2 resources · 1 exercise)
SLSA is the most actionable framework for supply chain security. This class covers the four levels in depth, the require…

26. SSDF — NIST Secure Software Development Framework (75 min · 2 resources · 1 exercise)
SSDF (SP 800-218) is mandated by US Executive Order 14028 for federal software suppliers. This class maps SSDF practices…

27. NIST SP 800-161r1 — Enterprise C-SCRM (75 min · 1 resource · 1 exercise)
For organizations that need to govern supply chain risk at the enterprise level, NIST 800-161r1 provides the comprehensi…

28. OpenSSF Best Practices and Scorecard as a producer (75 min · 2 resources · 1 exercise)
Switch perspective from consumer to producer. Learn how to apply OpenSSF Best Practices and Scorecard to projects you ma…

29. Cross-framework mapping — SLSA, SSDF, CSF, and NIST 800-161r1 (75 min · 2 resources · 1 exercise)
Build a unified compliance view by mapping requirements across all frameworks studied. Identify overlapping controls and…

30. Phase 4 capstone — SLSA gap assessment and remediation roadmap (90 min · 1 resource · 1 exercise · Capstone)
Complete the Phase 4 capstone. Present the SLSA gap assessment and produce a time-bound remediation roadmap.

Phase Capstone Project: Phase 4 capstone — SLSA gap assessment
Take the pipeline built in Phases 2 and 3. Assess it against SLSA v1.0 requirements for Levels 1, 2, and 3. Document gaps and produce a remediation roadmap.
Deliverable: SLSA gap assessment document with remediation tasks and effort estimates
Phase 5 Learning Objectives
Explain and implement reproducible builds for a language of choice
Configure Kubernetes admission control to enforce supply chain policies
Analyze a real malicious package using static and dynamic techniques
Complete Damn Vulnerable CI/CD attack scenarios
Design a comprehensive supply chain security program for an organization

31. Reproducible builds — making tampering detectable (90 min · 2 resources · 1 exercise)
Reproducible builds are the gold standard for build integrity: if anyone else can reproduce the exact same binary from t…

32. Kubernetes policy enforcement — Ratify, Gatekeeper, and OPA (90 min · 2 resources · 1 exercise)
At the deployment layer, Kubernetes admission control is the last enforcement point before untrusted workloads run. This…

33. Malicious package analysis — static and dynamic techniques (90 min · 2 resources · 1 exercise)
Learn to analyze suspicious packages the way security researchers do. Study real examples from the ossf/malicious-packag…

34. Attack lab — Damn Vulnerable CI/CD (DVCICD) (120 min · 1 resource · 1 exercise)
Offensive hands-on lab. Complete multiple DVCICD challenge scenarios to deeply understand attacker techniques — which in…

35. OpenSSF LFD121 course consolidation + emerging topics (90 min · 2 resources · 1 exercise)
Complete any remaining OpenSSF LFD121 modules. Survey emerging topics: AI/ML model supply chain security, memory-safe la…

36. Final capstone — design a supply chain security program (120 min · 2 resources · 1 exercise · Capstone)
Final class and program wrap-up. Present the supply chain security program design. Reflect on the 3-month journey. Estab…

Phase Capstone Project: Final capstone — design a supply chain security program
Produce a complete supply chain security program document for a realistic organization profile. Include threat model, tooling selection, SLSA roadmap, SBOM strategy, scanning policy, and KPIs. Present
Deliverable: Program design document (10–15 pages) + executive summary slide deck (5 slides)

Meet Dr. Joshua Sopuru

Dr. Joshua Sopuru
Associate Professor of Cyber Security · Kyrenia, Cyprus
PhD-qualified academic, published researcher with 87+ citations, software engineer, and practitioner. Dr. Sopuru brings both rigorous academic depth and real-world engineering experience to every course. He works directly with students — no intermediaries, no generic content.
Published author · Active researcher · Software engineer · Associate Professor

Ready to start learning?

Join 1 other student and get structured, expert-led content delivered straight to your portal — week by week, at your own pace.


Pay via bank transfer · Subscription activates within 24 hours of verification