A tailored course, built for your situation
Standing Reference on SLSA for Engineering Leaders
Become the internal authority on secure software supply chain frameworks others consult first
Who this is for
Engineering-adjacent program leader in a high-velocity software org, trusted across teams but not formally in security or architecture
Who this is not for
Dedicated software supply chain security engineers who already own SLSA rollout, or ICs focused exclusively on tooling configuration
What you walk away with
- Recognized as the first internal name for SLSA interpretation and application
- Proven templates to implement SLSA levels 1-4 across diverse build environments
- Internal credibility to guide engineering teams without being in their chain of command
- Documented framework for evaluating build integrity claims from vendors and open-source projects
- Repeatable process to align security, engineering, and product on SLSA adoption milestones
The 12 modules (with all 144 chapters)
- Origins of SLSA at Google
- Why not SBOMs alone suffice
- Key stakeholders in adoption
- Level 1 vs Level 4 scope
- How Atlassian teams approach build integrity
- Common missteps in rollout
- Vendor pressure points
- Open source project readiness
- Internal resistance patterns
- Executive questions to anticipate
- Mapping to NIST SSDF
- First-mover advantage cases
- What provenance really means
- Build platform requirements
- Attestation formats compared
- Signing pipeline outputs
- Timestamp authority role
- Verifying third-party claims
- Internal logging standards
- Toolchain integration points
- K8s-native build setups
- CI system audit trails
- Evidence collection workflow
- Common gaps in attestation
- Reproducibility reality check
- Docker layer hashing
- Base image provenance
- Controlled build environments
- Secrets in pipeline protection
- Vulnerability scanning triggers
- Binary transparency logs
- Build metadata completeness
- Container signing workflows
- Time-bound build validity
- Rebuild validation timing
- Audit trail completeness
- Git history integrity
- Signed commits at scale
- Branch protection rules
- PR approval chains
- Automated gate enforcement
- Emergency bypass logging
- Fork protection patterns
- Monorepo vs polyrepo trade-offs
- Code ownership validation
- Reviewer authority levels
- Audit-ready history logs
- Supply chain hijacking examples
- Level 1 as entry point
- Level 2 timestamp requirements
- Level 3 attestation depth
- Level 4 build redundancy
- Team readiness assessment
- Tooling maturity benchmarks
- Cross-org coordination needs
- Security review gates
- Documentation expectations
- External validation prep
- Internal certification process
- Roadmap alignment techniques
- CI system compatibility
- Jenkins plugin ecosystem
- GitHub Actions integration
- GitLab CI enhancements
- Buildkite adaptability
- Argo Workflows support
- Monitoring integration points
- Failure mode detection
- Rollback preparedness
- Significance of uptime logs
- Pipeline observability
- Alerting on attestation gaps
- Requesting SLSA attestations
- Validating provided proofs
- Gaps in vendor documentation
- Escalation paths for non-compliance
- Minimum bar for onboarding
- Open source library evaluation
- Transitive dependency risks
- SBOM correlation with SLSA
- Third-party audit reports
- Certification reciprocity
- Contractual obligations
- Liability implications
- Identifying early adopters
- Engineering team motivations
- Security team alignment
- Product manager incentives
- Leadership messaging
- Pilot project selection
- Success metric definition
- Feedback loop design
- Documentation ownership
- Training rollout timing
- Champion network growth
- Metrics for buy-in
- Policy scope definition
- Enforceable vs aspirational
- Version control for policies
- Review cycle cadence
- Exception handling process
- Automated compliance checks
- Staged rollout plans
- Metrics for adherence
- Audit trail requirements
- Stakeholder sign-off
- Legal team alignment
- Policy decomposition patterns
- Audit scope planning
- Sampling vs full verification
- Automated attestation checks
- Log retention policies
- Incident response triggers
- Tooling for continuous check
- False positive handling
- Remediation workflows
- Audit report templates
- Stakeholder distribution
- Regulatory alignment
- Lessons from real audits
- Center of excellence model
- Internal training design
- Template sharing patterns
- Cross-team sync meetings
- Standardization vs flexibility
- Ownership model options
- Knowledge transfer workflows
- Support channel structure
- Metrics for scale
- Tooling standardization
- Documentation portals
- Lessons from early adopters
- SLSA roadmap awareness
- NIST SSDF alignment
- CISA guidance updates
- Industry working groups
- OpenSSF contributions
- Version transition planning
- Deprecation timelines
- Feedback to maintainers
- Alternative frameworks
- Insurance requirement trends
- Legal precedent tracking
- Adaptation playbooks
How this maps to your situation
- When engineering teams resist new build constraints
- Before vendor software is approved for integration
- During security audit prep cycles
- After a supply chain incident elsewhere in the sector
Before vs. after
What's included with your purchase
- 12 modules with 12 chapters each (144 chapters)
- Downloadable templates and worked examples for every module
- Hand-built implementation playbook delivered alongside course access
- 30-day money-back guarantee
Delivery and format
- Course and learning environment access provisioned within 24 hours of purchase
- Hand-built implementation playbook delivered alongside course access
Format: Text-based modules and chapters in the Art of Service learning environment, plus downloadable templates and worked examples for every chapter, plus the hand-built implementation playbook delivered alongside course access.
Time investment: Approximately 3 hours per module, designed for integration into real-world delivery cycles.
How this compares to the alternatives
Unlike generic compliance courses, this focuses on practitioner-level SLSA application with templates and decision frameworks you can use immediately in engineering environments.
Frequently asked
Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.