A tailored course, built for your situation
Reference of choice on cross-functional SLSA reviews
Become the practitioner your peers turn to when secure software supply chains demand clarity.
The situation this course is for
Technical contributors often deliver strong work that stays under the radar. Without recognition as a definitive voice on frameworks like SLSA, their input gets diluted in cross-functional discussions, even when they hold the deepest understanding.
Who this is for
Senior individual contributor in a software or platform engineering role focused on security, compliance, or systems architecture within a large tech environment.
Who this is not for
Entry-level engineers, product managers without technical depth, or leaders looking for high-level governance overviews.
What you walk away with
- Lead SLSA tier assessments with confidence and consistency
- Build reusable attestation templates aligned to real-world pipeline designs
- Anticipate pushback on SLSA Level 3+ requirements and respond with precedent
- Guide cross-functional teams through SLSA gap analysis without deferring to external consultants
- Establish personal authority as the internal reference on SLSA implementation
The 12 modules (with all 144 chapters)
- What SLSA solves that other frameworks don’t
- The role of provenance in software integrity
- Key differences between SLSA Level 1 and 2
- Common misconceptions about SLSA signing
- How SLSA integrates with CI/CD pipelines
- Real-world examples of SLSA Level 1 adoption
- Barriers to automated provenance generation
- The dependency on reproducible builds
- Signing policies across environments
- Verifiable build definitions explained
- Understanding metadata completeness
- Common tooling gaps in early SLSA
- Purpose of attestation objects
- Creating DSSE envelopes correctly
- Signing keys lifecycle management
- Key discovery mechanisms
- Timestamping with trusted services
- When to chain multiple attestations
- Attestation scope definition
- Handling multi-team contributions
- Signing thresholds and policies
- Metadata integrity checks
- Schema version control
- Tooling support for attestation
- Build configuration traceability
- Source integrity verification
- Reproducible build requirements
- Container image provenance capture
- Provenance file structure
- Linking source to build platform
- Build environment sandboxing
- Provenance signing triggers
- Integrating with GitOps workflows
- Handling third-party dependencies
- Provenance validation pre-deploy
- Automated remediation paths
- Criteria for SLSA Level 3
- Build isolation requirements
- Reproducibility across systems
- Dedicated build service setup
- Code review enforcement
- Separation of duties in builds
- Verification before signing
- Immutable build logs
- Access controls for build systems
- Audit trail completeness
- Toolchain integrity checks
- Documentation for Level 3 claims
- Verification policy creation
- Trusted timestamp validation
- Signature chain validation
- Metadata completeness checks
- Policy engine integration
- Verification in staging environments
- Handling failed verifications
- Automated rollback triggers
- Manual override governance
- Cross-team verification teams
- Logging verified status
- Reporting on verification gaps
- SBOM integration with SLSA
- Validating upstream attestations
- Trusted source registries
- Pin-based dependency verification
- Vulnerability scanning linkage
- Automated SBOM generation
- Dependency provenance review
- Allowlist enforcement rules
- License compliance checks
- Transitive dependency risks
- Fallback verification paths
- Vendor attestation requirements
- Phased rollout planning
- Team-specific SLSA goals
- Onboarding template distribution
- Internal training materials
- SLOs for SLSA compliance
- Feedback loops from teams
- Common objections and rebuttals
- Documentation standardization
- Internal audit coordination
- Progress reporting dashboards
- Leadership update frameworks
- Celebrating early wins
- Mapping SLSA to SOC 2
- NIST CSF alignment points
- Evidence for ISO 27001 controls
- GDPR software provenance needs
- Audit trail retention policies
- Regulator-facing documentation
- SLSA in financial services
- Healthcare software validation
- Government software standards
- Third-party assessment readiness
- Internal control assertions
- Compliance automation strategies
- Build system compatibility
- Sigstore integration options
- TUF and Rekor use cases
- In-toto with SLSA
- CI pipeline modifications
- Policy engines: Kyverno and Gatekeeper
- Logging and observability setup
- Key management solutions
- Secrets handling in builds
- Automated attestation triggers
- Tool interoperability testing
- Vendor tool evaluation
- Assessment scope definition
- Tier gap identification
- Provenance completeness scoring
- Signing process audit
- Build environment inspection
- Dependency validation check
- Attestation coverage review
- Verification mechanism test
- Policy enforcement evaluation
- Remediation prioritization
- Stakeholder reporting format
- Post-remediation validation
- Hermetic build environments
- Reproducibility guarantees
- Trusted hardware roots
- Independent build verification
- Multi-party build consensus
- Time-based verification windows
- Tamper-proof logs
- Hardware-backed key storage
- Formal verification integration
- Zero-trust build pipelines
- Cross-organization validation
- Long-term retention planning
- Creating internal playbooks
- Presenting at tech forums
- Mentoring junior engineers
- Publishing internal memos
- Leading design reviews
- Responding to escalations
- Building credibility preemptively
- Handling peer challenges
- Documenting precedent cases
- Influencing architecture boards
- Shaping internal policy
- Becoming the reference point
How this maps to your situation
- When onboarding new microservices to SLSA
- During audit preparation cycles
- Before third-party software integration
- After security incident reviews
Before vs. after
What's included with your purchase
- 12 modules with 12 chapters each (144 chapters)
- Downloadable templates and worked examples for every module
- Hand-built implementation playbook delivered alongside course access
- 30-day money-back guarantee
Delivery and format
- Course and learning environment access provisioned within 24 hours of purchase
- Hand-built implementation playbook delivered alongside course access
Format: Text-based modules and chapters in the Art of Service learning environment, plus downloadable templates and worked examples for every chapter, plus the hand-built implementation playbook delivered alongside course access.
Time investment: Approximately 2.5 hours per module, designed for technical practitioners balancing production work. Total course time: 30 hours.
How this compares to the alternatives
Unlike generic compliance courses or vendor documentation, this course delivers field-tested implementation patterns, peer-tested rebuttals, and real-world templates designed for practitioners leading actual SLSA adoption, not just passing audits.
Frequently asked
Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.