Skip to main content
Image coming soon

MFG0655 Mastering SLSA for Software Supply Chain Integrity

$199.00
Adding to cart… The item has been added

A tailored course, built for your situation

Mastering SLSA for Software Supply Chain Integrity

A complete guide to securing software provenance in modern engineering organizations

$199 one-time
24-hour access provisioning 30-day money-back guarantee Hand-built implementation playbook
12 modules. 12 chapters per module. 144 chapters total.
12 modules, each with 12 chapters (144 chapters total), text-based, plus downloadable templates and a hand-built implementation playbook delivered alongside course access.
End the pre-audit scramble for software provenance evidence

The situation this course is for

Software teams face growing scrutiny around build integrity, yet evidence collection remains reactive and fragmented. The burden falls on platform leaders to reconcile development velocity with audit readiness, often under compressed cycles and cross-functional pressure.

Who this is for

Senior engineering or platform leaders in software companies who own or influence software supply chain integrity, build environment governance, and compliance readiness for external audits.

Who this is not for

Individual contributors focused only on coding, developers without influence over build pipelines, or teams operating outside regulated software delivery environments.

What you walk away with

  • Produce verifiable software attestations that stand up to external auditor scrutiny
  • Design SLSA-compliant build environments with automated evidence generation
  • Reduce time spent compiling audit packages by over 85%
  • Anticipate regulator questions about provenance and respond with confidence
  • Establish repeatable patterns for software signing and integrity verification

The 12 modules (with all 144 chapters)

Module 1. Understanding SLSA and Its Role in Modern Software Supply Chains
Explore the origins and evolution of SLSA, its alignment with NIST SSDF and SBOM standards, and why it’s becoming foundational for secure software development in enterprise environments.
12 chapters in this module
  1. What SLSA means for software integrity in practice
  2. How SLSA levels map to real-world build environments
  3. Key differences between SLSA and other attestation frameworks
  4. The relationship between SLSA and zero-trust architecture
  5. Why enterprise software companies are adopting SLSA now
  6. How regulators reference SLSA in software assurance reviews
  7. The role of provenance in post-breach forensic analysis
  8. SLSA as a response to rising third-party software risk
  9. Comparing SLSA to ISO 27001 controls for code integrity
  10. How cloud-native platforms are integrating SLSA by default
  11. The business case for investing in SLSA compliance early
  12. Common misconceptions about SLSA implementation complexity
Module 2. Mapping SLSA Levels to Real Build Environments
Translate SLSA’s four levels into concrete build pipeline requirements, identifying gaps in current tooling, access controls, and artifact signing practices.
12 chapters in this module
  1. What Level 0 means for untrusted internal builds
  2. Level 1 requirements for structured build definitions
  3. Level 2 controls for platform and build integrity
  4. Level 3 safeguards against insider threats and tampering
  5. Level 4 protections for fully reproducible builds
  6. How to assess your current build pipeline against SLSA
  7. Common pitfalls when upgrading from Level 1 to Level 2
  8. Tools that support each SLSA level out of the box
  9. Integrating SLSA checks into CI/CD workflows
  10. Documenting build environment compliance for auditors
  11. Handling exceptions and temporary deviations from SLSA
  12. Roadmap for incremental SLSA adoption across teams
Module 3. Designing Attestations That Stand Up to Audit Scrutiny
Learn how to create tamper-proof software attestations using in-toto and Sigstore, ensuring verifiable, machine-readable evidence for compliance reviews.
12 chapters in this module
  1. What an attestation is and why it matters for audits
  2. How in-toto defines software supply chain steps
  3. Signing attestations with Sigstore and Fulcio
  4. Storing attestations in public transparency logs
  5. Linking attestations to SBOMs and vulnerability scans
  6. Automating attestation generation in CI pipelines
  7. Validating attestations during deployment gates
  8. Common attestation formatting errors that fail review
  9. How auditors verify attestation authenticity
  10. Handling key rotation and expiration in attestation systems
  11. Integrating attestations with existing PKI infrastructure
  12. Troubleshooting failed attestation validation checks
Module 4. Integrating SBOMs with SLSA Compliance
Combine Software Bill of Materials with SLSA attestations to create a complete picture of software provenance and build integrity.
12 chapters in this module
  1. What an SBOM includes and why it’s not enough alone
  2. Generating SBOMs automatically from build pipelines
  3. Linking SBOMs to SLSA attestations for full traceability
  4. Validating SBOM accuracy against source code repositories
  5. Handling third-party and open-source component attribution
  6. Updating SBOMs when dependencies change post-build
  7. Using SPDX and CycloneDX formats in enterprise settings
  8. Storing SBOMs securely for audit access
  9. Responding to auditor questions about SBOM completeness
  10. Automating SBOM review and approval workflows
  11. Integrating SBOM data into vulnerability management tools
  12. Training developers to maintain accurate SBOMs
Module 5. Securing Build Environments Against Tampering
Identify and mitigate risks in build infrastructure, from compromised credentials to unauthorized configuration changes.
12 chapters in this module
  1. Common attack vectors in CI/CD pipelines
  2. Hardening build agents against privilege escalation
  3. Implementing least-privilege access for build jobs
  4. Detecting unauthorized changes to build definitions
  5. Using immutable infrastructure for build environments
  6. Monitoring for anomalous build activity
  7. Integrating build logs with SIEM systems
  8. Responding to suspected build environment compromise
  9. Validating build inputs against trusted sources
  10. Preventing dependency confusion attacks in pipelines
  11. Enforcing code signing policies for internal libraries
  12. Auditing build environment configurations quarterly
Module 6. Automating Evidence Collection for Audits
Replace manual evidence gathering with automated pipelines that generate compliance-ready packages on demand.
12 chapters in this module
  1. What auditors typically request for software integrity
  2. Mapping audit questions to SLSA controls
  3. Automating evidence export from build systems
  4. Storing evidence in auditor-accessible repositories
  5. Versioning compliance packages for review cycles
  6. Generating narratives that explain technical controls
  7. Integrating legal and policy statements into evidence
  8. Redacting sensitive information before sharing
  9. Tracking evidence completeness across teams
  10. Validating evidence package integrity before submission
  11. Using templates to standardize compliance narratives
  12. Reducing pre-audit workload through automation
Module 7. Implementing Reproducible Builds at Scale
Achieve SLSA Level 4 by ensuring builds are deterministic and verifiable across environments.
12 chapters in this module
  1. What makes a build reproducible in practice
  2. Identifying sources of non-determinism in builds
  3. Standardizing build environments across teams
  4. Using containerization to lock down dependencies
  5. Managing timestamps and random seeds in builds
  6. Verifying build outputs match expected hashes
  7. Scaling reproducible builds across large codebases
  8. Troubleshooting build divergence issues
  9. Documenting reproducibility for auditors
  10. Integrating reproducibility checks into release gates
  11. Training teams on reproducible build practices
  12. Balancing speed and reproducibility in CI pipelines
Module 8. Managing Keys and Signatures in Distributed Teams
Secure cryptographic signing practices across geographically dispersed engineering organizations.
12 chapters in this module
  1. Best practices for key generation and storage
  2. Using hardware security modules for signing keys
  3. Implementing short-lived certificates with Sigstore
  4. Rotating keys without breaking verification chains
  5. Handling team member onboarding and offboarding
  6. Delegating signing authority securely
  7. Auditing key usage across repositories
  8. Integrating with enterprise identity providers
  9. Recovering from key compromise incidents
  10. Training developers on secure signing workflows
  11. Standardizing signature formats across teams
  12. Monitoring for expired or misconfigured signatures
Module 9. Aligning SLSA with Organizational Risk Appetite
Connect technical controls to business risk thresholds and executive expectations.
12 chapters in this module
  1. Defining risk tolerance for software supply chain gaps
  2. Mapping SLSA levels to business impact scenarios
  3. Communicating technical risks to non-technical leaders
  4. Setting SLSA adoption targets by product line
  5. Prioritizing efforts based on customer-facing exposure
  6. Incorporating SLSA into vendor assessment questionnaires
  7. Benchmarking against industry peers
  8. Reporting SLSA progress to executive leadership
  9. Adjusting controls based on threat intelligence
  10. Balancing security and development velocity
  11. Integrating SLSA into incident response planning
  12. Updating risk registers with SLSA findings
Module 10. Scaling SLSA Across Product Lines and Teams
Drive consistent adoption of SLSA practices across diverse engineering groups with varying maturity levels.
12 chapters in this module
  1. Assessing team readiness for SLSA implementation
  2. Creating centralized tooling and templates
  3. Establishing SLSA champions across product areas
  4. Running pilot programs before org-wide rollout
  5. Providing role-specific training for developers and leads
  6. Integrating SLSA into onboarding for new hires
  7. Measuring adoption through automated metrics
  8. Addressing resistance to new compliance requirements
  9. Sharing success stories across teams
  10. Maintaining consistency without stifling innovation
  11. Updating standards as SLSA evolves
  12. Auditing compliance across product lines
Module 11. Preparing for Regulator and Third-Party Reviews
Anticipate and respond to questions from auditors, customers, and partners about software integrity practices.
12 chapters in this module
  1. Common questions from external auditors about SLSA
  2. Preparing responses to customer security questionnaires
  3. Sharing attestations and SBOMs with partners
  4. Handling requests for build environment details
  5. Explaining technical controls in non-technical terms
  6. Demonstrating continuous improvement in practices
  7. Responding to findings from third-party assessments
  8. Maintaining versioned documentation for reviews
  9. Coordinating responses across legal and engineering
  10. Training spokespeople on software integrity topics
  11. Using past reviews to improve future submissions
  12. Building trust through transparency and consistency
Module 12. Sustaining and Evolving SLSA Practices Over Time
Ensure long-term success by embedding SLSA into culture, tooling, and ongoing improvement cycles.
12 chapters in this module
  1. Monitoring for changes in SLSA standards and guidance
  2. Updating build systems to meet new requirements
  3. Conducting annual reviews of attestation practices
  4. Incorporating lessons from audits into improvements
  5. Sharing updates across the engineering organization
  6. Engaging with open-source communities on SLSA
  7. Contributing back to tooling and documentation
  8. Recognizing teams that excel in compliance
  9. Integrating feedback from developers into tooling
  10. Measuring maturity over time with SLSA benchmarks
  11. Planning for future levels of assurance
  12. Making software integrity a core engineering value

How this maps to your situation

  • Software supply chain risk
  • Audit readiness for engineering teams
  • Secure software delivery at scale
  • Regulatory and customer scrutiny on provenance

Before vs. after

Before
Manual, reactive evidence collection for software integrity audits, with fragmented tooling and inconsistent practices across teams.
After
Automated, verifiable attestations and SBOMs generated as part of CI/CD, with standardized compliance packages ready for any review.

What's included with your purchase

  • 12 modules with 12 chapters each (144 chapters)
  • Downloadable templates and worked examples for every module
  • Hand-built implementation playbook delivered alongside course access
  • 30-day money-back guarantee

Delivery and format

  • Course and learning environment access provisioned within 24 hours of purchase
  • Hand-built implementation playbook delivered alongside course access

Format: Text-based modules and chapters in the Art of Service learning environment, plus downloadable templates and worked examples for every chapter, plus the hand-built implementation playbook delivered alongside course access.

Time investment: Approximately 6-8 hours of focused reading and implementation planning, designed to be completed in short sessions over a two-week period.

If nothing changes
Without structured software supply chain controls, organizations face increased audit friction, reputational damage from breaches, and loss of customer trust due to unverifiable software provenance.

How this compares to the alternatives

Unlike generic security compliance courses, this program focuses specifically on SLSA and software supply chain integrity, providing actionable tooling, templates, and real-world implementation patterns tailored to enterprise engineering environments.

Frequently asked

Is this course only for security engineers?
No. It's designed for platform leads, engineering managers, and technical architects who influence build pipelines and software delivery practices.
How is the course structured?
12 modules, each containing 12 chapters (144 chapters total).
Will I get hands-on labs or just theory?
The course is text-based with detailed implementation examples, templates, and a custom playbook , no simulated environments, but real-world applicability.
$199 one-time. Approximately 6-8 hours of focused reading and implementation planning, designed to be completed in short sessions over a two-week period..

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.

30-day money-back guarantee· 144 chapters· Hand-built playbook included· Account access within 24 hours