A tailored course, built for your situation
More Defensible Software Supply Chain Outputs with SLSA
Produce audit-ready, high-integrity software artefacts consistently and with confidence
Who this is for
Mid-to-senior level practitioner in software engineering, platform governance, or internal tooling at a technology company with public SaaS products and a focus on secure development lifecycle practices
Who this is not for
Entry-level developers without ownership of build pipelines or release artefacts, or practitioners focused exclusively on frontend UX or marketing tech stacks
What you walk away with
- Generate software supply chain artefacts with higher accuracy and completeness the first time
- Produce SLSA-compliant provenance data that survives auditor follow-up questions
- Reduce rework cycles when responding to internal or external review requests
- Build repeatable templates for attestation and verification that compound across projects
- Demonstrate mastery of SLSA levels with working examples applicable to real release pipelines
The 12 modules (with all 144 chapters)
- What makes a software artifact verifiable
- The role of reproducible builds
- Integrity vs authenticity in distribution
- Trusted build platforms and their controls
- Key components of SLSA framework
- SLSA Level 1 vs higher thresholds
- Build steps as data sources
- Metadata completeness criteria
- Signing vs attestation
- Common gaps in initial implementations
- Version control provenance tracking
- First steps toward compliant output
- Assessing project risk tiers
- Mapping controls to SLSA Level 2
- Build platform requirements for Level 3
- Identity and access in build systems
- Separation of duties in CI/CD
- Source repository protections
- Trigger validation rules
- Provenance metadata schema
- Signing key management
- Immutable logs and timestamps
- Attestation format selection
- Compliance threshold planning
- Hardened container images
- Minimal build base images
- Network egress controls
- Build step logging
- Resource identity binding
- Task-specific service accounts
- Build graph validation
- Dependency pinning
- Artifact immutability settings
- Log export to secure storage
- Time-bound execution windows
- Post-build scan integration
- Provenance schema structure
- Subject artifact reference
- Builder identity assertion
- Build config input listing
- Materials consumed list
- Build environment specs
- Invocation parameters
- Metadata timestamps
- Signature format standards
- Public key inclusion
- Metadata expiration rules
- Verification script bundling
- Source normalization methods
- Timestamp removal techniques
- Random seed control
- File order consistency
- Compiler flag standardization
- Dependency version locking
- Build environment snapshots
- Rebuild trigger workflows
- Diff-based validation
- Automated rebuild verification
- Tolerance thresholds for variation
- Handling non-reproducible components
- Key management best practices
- Hardware vs software keys
- Short-lived key rotation
- Signature bundling methods
- Attestation types overview
- SLSA provenance attestation
- Vulnerability attestations
- License compliance statements
- Policy evaluation results
- Attestation aggregation
- Signature verification automation
- Multi-party signing models
- Trusted source identification
- Provenance data retrieval
- Signature verification steps
- Attestation validation logic
- Policy engine integration
- SLSA level conformance checks
- Dependency tree analysis
- Vulnerability data correlation
- Transitive dependency risks
- Automated validation gates
- Manual review triggers
- Escalation procedures
- Pipeline trigger validation
- Pre-build environment checks
- Provenance generation step
- Signing step placement
- Post-build verification
- Failure handling logic
- Pipeline-as-code templates
- Reusable configuration modules
- Pipeline versioning
- Change approval workflows
- Audit trail capture
- Pipeline health monitoring
- Compliance narrative drafting
- Control mapping templates
- Evidence collection checklist
- Audit trail alignment
- Cross-reference index building
- Glossary of terms
- Version history tracking
- Responsible party attribution
- External reviewer guidance
- Frequently asked questions prep
- Common auditor inquiries
- Evidence retention schedule
- Predicting likely questions
- Evidence indexing strategy
- Response drafting templates
- Escalation path definition
- Timeline reconstruction
- Build environment recreation
- Provenance data access
- Third-party verification access
- Legal hold procedures
- Confidentiality handling
- Response review workflow
- Post-audit feedback loop
- Adoption roadmap planning
- Cross-team onboarding plan
- Centralized tooling strategy
- Shared template library
- Training material development
- Support channel setup
- Feedback collection system
- Compliance dashboarding
- Team-specific adaptations
- Maturity assessment model
- Internal audit program
- Recognition and incentives
- Automated conformance scanning
- Policy update workflows
- Toolchain upgrade planning
- New team onboarding process
- External standard alignment
- Regulatory change tracking
- Annual review cycle
- Lessons learned documentation
- Incident response integration
- Third-party audit prep
- Public disclosure readiness
- Community contribution
How this maps to your situation
- When preparing for an external audit
- While designing a new build pipeline
- After a security review identifies gaps
- During rollout of secure software supply chain practices
Before vs. after
What's included with your purchase
- 12 modules with 12 chapters each (144 chapters)
- Downloadable templates and worked examples for every module
- Hand-built implementation playbook delivered alongside course access
- 30-day money-back guarantee
Delivery and format
- Course and learning environment access provisioned within 24 hours of purchase
- Hand-built implementation playbook delivered alongside course access
Format: Text-based modules and chapters in the Art of Service learning environment, plus downloadable templates and worked examples for every chapter, plus the hand-built implementation playbook delivered alongside course access.
Time investment: Approximately 3 hours per module, designed to be completed at your pace over 6-8 weeks with full access to all materials immediately upon enrollment.
How this compares to the alternatives
Unlike generic security training or vendor-specific tool courses, this program focuses exclusively on producing higher-quality, defensible software supply chain outputs using SLSA, a skill increasingly required in modern engineering organizations but rarely taught with concrete implementation detail.
Frequently asked
Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.