A tailored course, built for your situation
Reference of Choice on SLSA Implementation Questions
Become the internal expert your team turns to for secure software supply chain decisions
The situation this course is for
Even strong practitioners hesitate when asked to explain SLSA level transitions or justify build environment controls without clear reference material or implementation history.
Who this is for
Senior platform or security engineer operating in a regulated, engineering-intensive environment with growing software supply chain scrutiny
Who this is not for
This is not for entry-level administrators or those focused solely on end-user tooling. It assumes experience with systematizing compliance across development workflows.
What you walk away with
- Lead SLSA Level 1 to Level 3 transitions with documented rationale
- Field peer escalation calls on provenance, build integrity, and signing workflows
- Produce audit-ready attestation packages that survive technical scrutiny
- Advise product teams on minimal-friction SLSA integration paths
- Serve as the internal reference point for SLSA in vendor reviews and architecture gates
The 12 modules (with all 144 chapters)
- Origins of SLSA in software integrity
- Key players in SLSA ecosystem
- SLSA vs SBOM: distinct roles
- NIST SSDF mapping
- Level 0 use cases
- Level 1 requirements
- Level 2 scope
- Level 3 targets
- Google’s internal adoption
- GitHub’s SLSA integration
- Attestation formats
- Signing infrastructure basics
- Source URI standardization
- Build config identification
- Reproducible outputs definition
- Metadata schema setup
- Provenance generation tools
- Intoto attestation basics
- File integrity checks
- Logging build events
- CI job naming conventions
- Time-bound build windows
- Signed build logs
- Verification script templates
- Build platform separation
- Immutable build environments
- Ephemeral runner setup
- Container signing requirements
- Remote execution verification
- Build platform attestation
- Hardware vs cloud trade-offs
- Scheduled rebuild validation
- Build entry point controls
- Authentication for triggers
- Network access restrictions
- Build metadata completeness
- Hermetic environment design
- Dependency pinning methods
- Build graph verification
- Toolchain provenance
- Deterministic output generation
- Time-independent builds
- Resource consumption limits
- Isolated build networks
- Rebuild frequency standards
- Binary diffing techniques
- Cross-platform reproducibility
- Rebuild validation reporting
- Sigstore architecture overview
- Fulcio certificate issuance
- Rekor transparency log use
- Cosign CLI integration
- Keyless signing setup
- OIDC identity binding
- Signing policy enforcement
- Timestamp authorities
- Signature aggregation
- Multi-party signing workflows
- Revocation considerations
- Audit trail generation
- Pipeline-as-code integration
- Pre-commit hooks for SLSA
- Provenance generation in CI
- Policy decision points
- Gate enforcement before merge
- Artifact signing automation
- Provenance metadata format
- SLSA-aware CI runners
- Build environment logging
- Pipeline configuration signing
- Dependency graph export
- SBOM generation alongside
- Vendor SLSA readiness checklist
- Attestation request templates
- Provenance verification steps
- Build environment inspection
- Third-party audit package review
- Gap analysis for Level 2
- Remediation paths
- Contractual language suggestions
- Integration risk scoring
- Escalation protocols
- Cross-org collaboration
- Shared attestation repositories
- SOC 2 control mapping
- ISO 27001 Annex A alignment
- NIST CSF PR.DS-6 linkage
- GDPR software integrity ties
- Audit package structure
- Attestation as evidence
- Regulator communication templates
- Internal control narratives
- Compliance automation
- Cross-framework reporting
- Policy integration
- Control ownership models
- Internal workshop design
- Level transition playbooks
- Engineering onboarding content
- Leadership briefing decks
- Success metric tracking
- Adoption KPIs
- Feedback collection
- Champion network setup
- Documentation templates
- Escalation routing
- Cross-team sync formats
- Progress reporting
- Assessment framework design
- Interview questions for teams
- Artifact collection plan
- Build environment inspection
- Provenance verification test
- Signing infrastructure review
- Dependency tracking depth
- Reproducibility testing
- Gap scoring rubric
- Remediation prioritization
- Roadmap development
- Stakeholder alignment
- Threat actor profiles
- Dependency confusion attacks
- Build hijacking risks
- Signed malware patterns
- Registry poisoning
- CI pipeline compromise
- Provenance forgery attempts
- Detection via Rekor logs
- Rebuild validation alerts
- Incident response integration
- Post-breach attestation checks
- Lessons from real incidents
- SBOM correlation methods
- CVE linkage strategies
- VEX document integration
- Identity binding patterns
- SSO for build systems
- Zero Trust alignment
- Artifact threat scoring
- Security orchestration
- SIEM integration
- Alerting rules
- Dashboard design
- Cross-tool automation
How this maps to your situation
- New SLSA requirement in vendor contract
- Post-incident software supply chain review
- Audit preparation with software integrity focus
- Internal push to standardize build attestations
Before vs. after
What's included with your purchase
- 12 modules with 12 chapters each (144 chapters)
- Downloadable templates and worked examples for every module
- Hand-built implementation playbook delivered alongside course access
- 30-day money-back guarantee
Delivery and format
- Course and learning environment access provisioned within 24 hours of purchase
- Hand-built implementation playbook delivered alongside course access
Format: Text-based modules and chapters in the Art of Service learning environment, plus downloadable templates and worked examples for every chapter, plus the hand-built implementation playbook delivered alongside course access.
Time investment: Approximately 45 minutes per module, designed for integration into weekly workflows over three months.
How this compares to the alternatives
Unlike vendor-specific certifications or broad security courses, this program delivers targeted, implementation-grade SLSA expertise with direct applicability to audit, engineering, and vendor governance contexts.
Frequently asked
Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.