Easy Learning with SBOM: Software Supply Chain Security Masterclass
IT & Software > IT Certifications
2h 17m
Free
4

Enroll Now

Language: English

Software Bill of Materials (SBOM) & Supply Chain Security Professional

What you will learn:

  • Effectively generate and validate Software Bill of Materials (SBOMs) in both CycloneDX and SPDX formats, utilizing tools like Syft, Trivy, and OWASP Dependency-Track for real-world software development projects.
  • Precisely identify and mitigate supply chain vulnerabilities by accurately mapping CVEs, analyzing transitive dependencies, and detecting malicious packages embedded within SBOMs.
  • Design and implement comprehensive SBOM programs that fully comply with critical regulatory requirements from NTIA, Executive Order 14028, FDA guidelines, and the EU Cyber Resilience Act for organizations operating in regulated sectors.
  • Construct an end-to-end SBOM pipeline featuring automated data ingestion, continuous monitoring, robust vendor risk scoring mechanisms, and executive-ready reporting capabilities for enhanced transparency and decision-making.

Description

Are you prepared to become a pivotal expert in software supply chain security by leveraging Software Bill of Materials (SBOM) for your organization's resilience in the coming years? The landscape of software supply chain attacks has seen an alarming surge, with a staggering 245% increase year-over-year. High-profile incidents like SolarWinds, Log4Shell, XZ Utils, and 3CX underscore a critical vulnerability: you cannot effectively defend what remains unseen. SBOM emerges as the essential visibility layer that transforms security posture, enabling organizations to pinpoint and respond to critical CVEs within moments, rather than weeks.


---

What is SBOM and its current imperative?


A Software Bill of Materials (SBOM) serves as a machine-readable, comprehensive inventory detailing every component, library, and dependency integrated into a software product. Its significance is now undeniable: Executive Order 14028 mandates SBOMs for all software supplied to the US federal government. The EU Cyber Resilience Act makes it a compulsory requirement for all CE-marked products by December 2027. Furthermore, the FDA necessitates SBOM inclusion in premarket submissions for medical devices. SBOM is no longer a discretionary practice; it is a fundamental compliance prerequisite, a standard expectation in procurement, and an absolute security necessity.


Despite this critical need, a significant 86% of organizations report difficulties in generating SBOMs, and many security teams still lack the specialized skills required for correct implementation. This comprehensive course is designed to completely bridge this knowledge and skill gap, empowering you to lead the charge.


---

Core Competencies You Will Develop


- Gain a deep understanding of the prevailing software supply chain threat landscape, with detailed analysis of the anatomy of attacks like SolarWinds, Log4Shell, XZ Utils, and 3CX.

- Acquire proficiency in generating SBOMs using leading tools such as Syft, Trivy, cdxgen, and various CycloneDX build plugins.

- Attain mastery over key SBOM standards, including SPDX (ISO/IEC 5962:2021), CycloneDX (ECMA-424), and SWID Tags.

- Learn to seamlessly integrate automated SBOM generation processes into your CI/CD pipelines, covering platforms like GitHub Actions, GitLab CI, and Jenkins.

- Master the deployment and configuration of OWASP Dependency-Track for robust enterprise-grade SBOM management and continuous vulnerability monitoring.

- Implement effective VEX (Vulnerability Exploitability eXchange) workflows to accurately triage and communicate the exploitability status of CVEs.

- Establish automated policy gates to enforce open-source license compliance, mitigating legal and operational risks.

- Ensure full compliance with crucial regulatory frameworks and guidelines such as EO 14028, NTIA Minimum Elements, EU CRA, FDA, and NIST SSDF.

- Formulate precise SBOM contractual language for secure software supplier procurement.

- Secure your SBOMs with cosign (Sigstore) for tamper-evident attestation, enhancing trust and integrity.

- Develop rapid incident response capabilities for zero-day CVEs and supply chain compromises, utilizing SBOM data for swift scope determination.

- Design and implement a mature SBOM program, progressing from an MVP to Level 4, complete with 8 measurable Key Performance Indicators (KPIs).


---

Practical, Hands-On Labs


- Generate your initial SBOM with Syft in less than five minutes.

- Construct CI/CD pipeline YAML configurations for GitHub Actions integrating Dependency-Track.

- Configure automated policy gates to block critical CVEs and unauthorized open-source licenses.

- Set up and operationalize OWASP Dependency-Track using Docker Compose.

- Apply a comprehensive 10-point Open Source Software (OSS) intake checklist.

- Utilize a practical 72-hour CVE response runbook for critical incident management.


---

This course spans 13 distinct modules, providing comprehensive coverage from the prevailing threat landscape to advanced program maturity. It encompasses SBOM Fundamentals, a deep dive into SPDX vs CycloneDX, practical application of Syft & Trivy, SDLC Integration, Vulnerability Management, License Governance, crucial Regulatory Compliance, strategic Procurement, efficient SBOM Operations, effective Incident Response, and a pathway to program maturity and certification. Our regulatory coverage is extensive, including EO 14028, NTIA Minimum Elements, OMB M-22-18, FDA Cybersecurity requirements, NIST SSDF, the EU Cyber Resilience Act, and EU NIS2.


Enroll today and proactively build the essential supply chain security visibility your organization critically needs, ensuring you're prepared long before a critical CVE necessitates an urgent response.

Curriculum

Threat Landscape

This module provides a foundational understanding of the modern software supply chain threat landscape. It thoroughly dissects high-impact incidents like SolarWinds, Log4Shell, XZ Utils, and 3CX, explaining their methodologies, consequences, and the critical lessons learned. You'll explore the evolving attack vectors and the strategic importance of visibility in preventing future compromises, setting the stage for why SBOM is indispensable.

SBOM Fundamentals

Dive into the core concepts of Software Bill of Materials (SBOM). This section clarifies what an SBOM is, its structure, and its role as a machine-readable inventory of software components. It covers the essential data elements required in an SBOM, how they contribute to transparency, and the foundational principles behind its generation and utilization for enhanced security and compliance.

SPDX vs CycloneDX

Gain expertise in the two predominant SBOM standards: SPDX (Software Package Data Exchange, ISO/IEC 5962:2021) and CycloneDX (ECMA-424). This module provides a detailed comparison of their structures, use cases, strengths, and weaknesses. You'll learn when to use each standard, how to interpret their formats, and strategies for converting between them to meet diverse organizational and regulatory requirements.

Syft & Trivy Tools

Master the practical application of industry-leading SBOM generation tools. This module offers hands-on experience with Syft for generating comprehensive component inventories and Trivy for vulnerability scanning, which can enrich SBOM data. You'll learn to use these tools effectively in various development environments, integrate them into workflows, and troubleshoot common generation issues, including generating your first SBOM in under 5 minutes.

SDLC Integration

Learn to seamlessly embed SBOM generation into your Software Development Life Cycle (SDLC). This section focuses on integrating SBOM tools and processes into CI/CD pipelines using platforms like GitHub Actions, GitLab CI, and Jenkins. You'll explore strategies for automated SBOM creation at various stages of development, ensuring that up-to-date component information is available from code commit to deployment.

Vulnerability Management

Develop advanced skills in leveraging SBOMs for proactive vulnerability management. This module covers how to map CVEs to SBOM components, identify transitive dependencies, and detect malicious packages. You'll learn to implement VEX (Vulnerability Exploitability eXchange) workflows to accurately triage and communicate the exploitability status of identified CVEs, enhancing your incident response capabilities and reducing false positives.

License Governance

Understand the critical role of SBOMs in managing open-source license compliance. This section teaches you how to identify and track licenses within your software components, establish automated policy gates to block prohibited licenses, and mitigate legal risks associated with open-source software usage. You'll apply the 10-point OSS intake checklist for responsible open-source component adoption.

Regulatory Compliance

Navigate the complex landscape of SBOM-related regulations and mandates. This module provides a detailed overview of compliance requirements stemming from Executive Order 14028, NTIA Minimum Elements, OMB M-22-18, FDA Cybersecurity guidance, NIST SSDF, the EU Cyber Resilience Act (CRA), and EU NIS2. You'll learn how to implement SBOM programs that satisfy these diverse governmental and industry mandates.

Procurement

Discover best practices for integrating SBOM requirements into your software procurement processes. This section guides you through writing effective SBOM contractual language for suppliers, evaluating vendor SBOM submissions, and establishing clear expectations for software supply chain transparency. It focuses on reducing third-party risk through robust vendor vetting and ongoing monitoring using SBOMs.

SBOM Operations

Master the operational aspects of managing an enterprise-scale SBOM program. This module covers deploying and configuring OWASP Dependency-Track using Docker Compose for continuous monitoring, vulnerability tracking, and policy enforcement. You'll learn how to manage SBOM ingestion, integrate with existing security tools, and automate reporting for various stakeholders.

Incident Response

Equip yourself with the skills to effectively respond to zero-day CVEs and sophisticated supply chain compromises using SBOM data. This module focuses on developing rapid response strategies, utilizing SBOMs for precise scope determination, and applying a practical 72-hour CVE response runbook. You'll learn to minimize impact and accelerate recovery during critical security incidents.

Program Maturity

Learn to build and mature a sustainable SBOM program within your organization. This section outlines a structured approach to program development, from establishing an Minimum Viable Product (MVP) to achieving Level 4 maturity. It details 8 measurable Key Performance Indicators (KPIs) to track progress, demonstrate ROI, and continuously improve your software supply chain security posture.

Certification Path

This module guides you through potential certification paths and professional development opportunities in software supply chain security and SBOM. It provides resources and recommendations for advancing your career as a supply chain security expert, consolidating the knowledge and skills gained throughout the course to prepare you for industry recognition and leadership roles.

Deal Source: real.discount