
The Software Portfolio Security Lead's Operating Playbook

$199.00

A focused course, tailored for you


An operating system for the one person who owns app inventory, SaaS risk, SDLC controls, and the customer attestation pack.

You inherited the enterprise-merchant security questionnaire. The questions span internal services, embedded SaaS, marketplace apps, sandboxed extensions, and every subprocessor any of those touch. There is no single inventory that answers it cleanly, and the buyer wants evidence this week.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

Software Portfolio and Security at a commerce platform is a role nobody else wants because it sits in four lanes at once. Application security owns the codebase. GRC owns the framework mappings. Third-party risk owns the vendor reviews. Privacy owns the data-flow inventory. The portfolio security lead is the one person who has to make those four lanes return one consistent answer to a single merchant question.

The inventory is the first thing that fails. An app catalogue exists somewhere, a CMDB exists somewhere else, the vendor register lives in procurement, and the data classification lives in privacy's spreadsheet. None of them agree on what counts as an app, what counts as a subprocessor, or which apps touch buyer payment data.

The SDLC controls are the second thing that fails. The internal SDLC has its own gates, the third-party marketplace apps have a different review pattern, the embedded SaaS partners have contracts that pre-date the current control set, and the sandboxed extensions have an isolation model that auditors do not recognise.

The third failure is evidence packaging. The buyer wants a pack that maps to SOC 2, ISO 27001, sometimes PCI DSS, sometimes a custom XLS the buyer's security team wrote, and the pack has to land in the buyer's portal in the buyer's format.

The current state is heroics. The course is the operating system that retires the heroics.

What you walk away with

  • A single portfolio inventory that reconciles app catalogue, CMDB, vendor register, and data classification into one authoritative source.
  • An SDLC control set that covers first-party code, marketplace apps, embedded SaaS, and sandboxed extensions, written in the same control language.
  • A subprocessor onboarding workflow that returns a yes or no in days and produces the evidence record automatically.
  • A secrets and token rotation pattern that holds across your code and the third-party code your platform exposes.
  • A pre-built buyer attestation pack mapped to SOC 2, ISO 27001, and PCI DSS that closes most security questionnaires without bespoke work.

The 12 modules

Module 1. The portfolio security role in plain terms
What the role actually owns, where the accountability lines sit between AppSec, GRC, third-party risk, and privacy, and how to write a one-page charter that stops every adjacent team from re-routing work back to you. Covers the political language that gets a charter signed by security leadership and product without provoking a turf fight. Includes a sample charter and a meeting script for the conversation with each adjacent function.
Module 2. Building the one authoritative software inventory
How to reconcile the application catalogue, CMDB, vendor register, marketplace-app list, and data classification spreadsheet into one inventory that everyone agrees is the source of truth. Covers the entity model (what is an app, what is a service, what is a subprocessor), the reconciliation pattern when two sources disagree, and the maintenance cadence that keeps the inventory honest after launch. Includes the schema and a worked reconciliation example.
Module 3. The SDLC control set that survives external review
A control set written in the same language for first-party code, marketplace apps, embedded SaaS partners, and sandboxed extensions. Covers the gates that map cleanly to SOC 2 CC, ISO 27001 Annex A, and PCI DSS requirement 6, the evidence each gate produces, and how to handle the cases where a third-party app cannot meet a gate (compensating controls, isolation boundary, contract clause). Includes the control matrix and the gate-by-gate evidence template.
Module 4. Third-party SaaS and marketplace-app risk
The onboarding workflow that returns a yes or no in days, not weeks. Covers the tiering model (what gets a deep review, what gets a paperwork check), the standard question pack you reuse across every vendor, the contract clause library, and the escalation path when a vendor refuses to provide attestation. Includes a worked review for a high-risk and a low-risk vendor.
Module 5. Subprocessor onboarding and the buyer's subprocessor question
How to handle the buyer questionnaire question that asks for every subprocessor and the data each one touches. Covers the subprocessor register, the data-flow tagging that lets you answer the question without a one-off investigation, the notice-and-objection workflow when you add a new subprocessor, and the public subprocessor page format that buyers accept. Includes the register schema and the public-page template.
Module 6. Secrets, tokens, and rotation across first-party and third-party code
A secrets pattern that works when some code is yours, some is a partner's, and some is a marketplace developer's. Covers the secret store choice, the rotation cadence per secret class, the token scopes for third-party apps, the revocation workflow when a marketplace app misbehaves, and the audit log that proves rotation actually happened. Includes the rotation schedule and the third-party token scope catalogue.
Module 7. Buyer payment data, PCI scope, and the boundary you can actually defend
How to draw the PCI DSS scope boundary across first-party, third-party, and embedded code in a way that holds at audit. Covers the boundary diagram, the SAQ choice for each component, the third-party attestation evidence you need from each app in scope, and the change-control pattern that prevents scope creep. Includes the scope diagram template and the SAQ decision tree.
Module 8. The attestation pack that closes a security questionnaire in days
How to build a pre-mapped evidence pack that answers most buyer security questionnaires without bespoke work. Covers the question taxonomy (the few hundred questions that cover ninety percent of buyer questionnaires), the evidence index, the SOC 2 CC and ISO 27001 Annex A mappings per question, the PCI excerpt for buyers that ask for it, and the buyer-portal upload pattern. Includes the question taxonomy and the evidence index template.
Module 9. Customer-facing security pages and trust artefacts
What to publish on the public trust page so half the buyer questions get answered before the questionnaire arrives. Covers the trust-page structure, the subprocessor list, the certification badges, the responsible-disclosure programme, the data-residency statement, and the language that says what you do without overclaiming. Includes the trust-page outline and a sample data-residency statement.
Module 10. Incident response across the portfolio
How to run an incident when the cause might be first-party code, a marketplace app, an embedded SaaS, or a subprocessor. Covers the triage tree, the third-party notification clauses you need in contracts, the buyer-communication template by severity, the regulator-notification clock per jurisdiction, and the post-incident review format that produces a control improvement rather than a blame story. Includes the triage tree and a worked incident timeline.
Module 11. Metrics that show portfolio security is working
The four or five numbers that prove the operating system is working: inventory completeness, vendor review cycle time, secrets rotation compliance, buyer questionnaire turnaround, and incident mean-time-to-contain. Covers the data source for each number, the dashboard format, the monthly briefing pattern for security leadership, and the quarterly board slide that summarises portfolio risk without consultant jargon. Includes the dashboard template and a sample board slide.
Module 12. Operating the system as one person, with a roadmap to a small team
How to run the whole operating system when you are one person, where the leverage points are (templates, automation, contract clauses), and what to hire first when a second seat opens. Covers the time allocation across the four lanes, the work that automates first, the work that stays human, the case for a second hire framed in buyer-questionnaire turnaround time, and the ninety-day plan for onboarding a second portfolio security analyst. Includes the time-allocation breakdown and the second-hire job description.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

Module 2 is the one to read first if your inventory question is unanswerable today.
Modules 3 and 4 are the SDLC and third-party control set; read them together.
Modules 5, 6, and 7 cover the technical boundaries (subprocessors, secrets, PCI scope) the auditor and the buyer both ask about.
Modules 8 and 9 are the buyer-facing attestation pack and trust page that close most questionnaires before they reach you.

What you get with this course

  • Twelve text modules in the Art of Service learning environment with downloadable templates and worked examples for each.
  • A hand-built implementation playbook tailored to your portfolio composition (internal services, marketplace apps, embedded SaaS, subprocessors), delivered alongside course access.
  • The portfolio inventory schema and reconciliation worksheet.
  • The SDLC control matrix and the third-party vendor question pack.
  • The buyer attestation pack template with SOC 2 CC, ISO 27001 Annex A, and PCI mappings pre-filled.
  • Thirty-day refund window.

What you will have in hand by Day 1, Week 1, Month 1

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.

Week 1: portfolio inventory reconciliation and one-page charter.

Week 2: SDLC control matrix and third-party vendor question pack.

Week 3: subprocessor register, secrets rotation pattern, PCI scope boundary.

Week 4: buyer attestation pack and public trust page.

Week 5: incident response across the portfolio and metrics dashboard.

Before and after

Before

Every buyer security questionnaire is a bespoke investigation. The inventory question takes a week. The SDLC question pulls in three teams. The subprocessor list is a Slack thread. The attestation answers get rewritten each time. You are the bottleneck and the buyer's procurement timeline is the deadline.

After

The inventory is one reconciled source. The SDLC control set is one document covering first-party and third-party. The subprocessor list is a public page and a register. The attestation pack is pre-mapped and you answer most questionnaires by selecting from a taxonomy. The buyer gets a clean answer in days. You spend your time on the questions the pack cannot answer, which are the ones worth your time.

What happens if you do not address this

The merchant-side enterprise buyer questionnaire volume is growing. So is the regulatory pressure on subprocessor disclosure and on marketplace-app risk in commerce platforms. The role of one person owning portfolio security across four lanes does not scale through more heroics. Either the operating system gets built and the portfolio security lead becomes a leverage point for the company, or each new buyer questionnaire pulls more engineering time and the role becomes the constraint that slows enterprise deals.

Who it is for

You own software portfolio and security at a commerce platform or a multi-tenant SaaS. Your accountability covers the application inventory, the SDLC control set, third-party SaaS and marketplace-app risk, secrets and token hygiene across first-party and third-party code, and the customer-facing attestation pack. You are one person, sometimes two with a junior, and the volume of merchant or buyer security questionnaires has grown to the point where you cannot answer each one bespoke. You have authority but no team. You report into security leadership or a CISO and you brief product and legal monthly.

Who this is NOT for. This is not for an AppSec engineer who owns code review only, a GRC analyst who owns framework mappings only, or a third-party risk analyst who owns vendor reviews only. It is also not for an enterprise that has separate teams for each lane and a programme manager coordinating them. It is for the single person who has been handed all four lanes and is now expected to produce one consistent answer to a buyer.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. Plan for three to four hours per module across five weeks. The modules are self-paced and the templates are usable on day one of the week they cover.

Why $199 is the right number

The alternative is to keep treating each buyer questionnaire as a bespoke investigation, which works while the questionnaire volume is low and fails when enterprise pipeline grows. A second alternative is to hire a third-party risk consultancy at twenty to forty thousand for a one-off engagement, which produces a report but not an operating system. A third alternative is to wait for a second portfolio security hire, which takes six to nine months and does not solve the inventory or attestation problem in the meantime. This course is the operating system that the second hire would inherit and that the consultancy would have written, at a fraction of the cost and with the implementation playbook tailored to your portfolio.

FAQ

Is this useful if my company is not a commerce platform?
Yes if you own software portfolio security at any multi-tenant SaaS that exposes third-party code or partner apps to customers. The inventory, SDLC, subprocessor, secrets, and attestation modules are the same. Commerce platform language appears in the worked examples; the structure is portable.
Do I need to be technical to follow it?
You need to be technical enough to read a control statement and follow a data flow. You do not need to be a coder. The course is written for the person who owns the operating system, not the person who writes the code.
Will the implementation playbook be specific to my portfolio?
Yes. The playbook is hand-built after purchase based on what you tell us about your portfolio composition (internal services, marketplace apps, embedded SaaS partners, subprocessors). It is not a generic deliverable.
How is this different from a SOC 2 readiness course?
SOC 2 readiness courses cover the control framework. This course covers the operating system that produces the evidence the SOC 2 auditor and the buyer questionnaire both want, across first-party code, third-party apps, and subprocessors. SOC 2 readiness is a subset.
What is the refund policy?
Thirty days. If the course and the implementation playbook do not give you the operating system, we refund the 199 USD without a back-and-forth.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.
