Software Bill of Materials (SBOM) & Supply Chain Security Professional
What you will learn:
- Effectively generate and validate Software Bill of Materials (SBOMs) in both CycloneDX and SPDX formats, utilizing tools like Syft, Trivy, and OWASP Dependency-Track for real-world software development projects.
- Precisely identify and mitigate supply chain vulnerabilities by accurately mapping CVEs, analyzing transitive dependencies, and detecting malicious packages embedded within SBOMs.
- Design and implement comprehensive SBOM programs that fully comply with critical regulatory requirements from NTIA, Executive Order 14028, FDA guidelines, and the EU Cyber Resilience Act for organizations operating in regulated sectors.
- Construct an end-to-end SBOM pipeline featuring automated data ingestion, continuous monitoring, robust vendor risk scoring mechanisms, and executive-ready reporting capabilities for enhanced transparency and decision-making.
Description
Are you prepared to become a pivotal expert in software supply chain security by leveraging Software Bill of Materials (SBOM) for your organization's resilience in the coming years? The landscape of software supply chain attacks has seen an alarming surge, with a staggering 245% increase year-over-year. High-profile incidents like SolarWinds, Log4Shell, XZ Utils, and 3CX underscore a critical vulnerability: you cannot effectively defend what remains unseen. SBOM emerges as the essential visibility layer that transforms security posture, enabling organizations to pinpoint and respond to critical CVEs within moments, rather than weeks.
---
What is SBOM and its current imperative?
A Software Bill of Materials (SBOM) serves as a machine-readable, comprehensive inventory detailing every component, library, and dependency integrated into a software product. Its significance is now undeniable: Executive Order 14028 mandates SBOMs for all software supplied to the US federal government. The EU Cyber Resilience Act makes it a compulsory requirement for all CE-marked products by December 2027. Furthermore, the FDA necessitates SBOM inclusion in premarket submissions for medical devices. SBOM is no longer a discretionary practice; it is a fundamental compliance prerequisite, a standard expectation in procurement, and an absolute security necessity.
Despite this critical need, a significant 86% of organizations report difficulties in generating SBOMs, and many security teams still lack the specialized skills required for correct implementation. This comprehensive course is designed to completely bridge this knowledge and skill gap, empowering you to lead the charge.
---
Core Competencies You Will Develop
- Gain a deep understanding of the prevailing software supply chain threat landscape, with detailed analysis of the anatomy of attacks like SolarWinds, Log4Shell, XZ Utils, and 3CX.
- Acquire proficiency in generating SBOMs using leading tools such as Syft, Trivy, cdxgen, and various CycloneDX build plugins.
- Attain mastery over key SBOM standards, including SPDX (ISO/IEC 5962:2021), CycloneDX (ECMA-424), and SWID Tags.
- Learn to seamlessly integrate automated SBOM generation processes into your CI/CD pipelines, covering platforms like GitHub Actions, GitLab CI, and Jenkins.
- Master the deployment and configuration of OWASP Dependency-Track for robust enterprise-grade SBOM management and continuous vulnerability monitoring.
- Implement effective VEX (Vulnerability Exploitability eXchange) workflows to accurately triage and communicate the exploitability status of CVEs.
- Establish automated policy gates to enforce open-source license compliance, mitigating legal and operational risks.
- Ensure full compliance with crucial regulatory frameworks and guidelines such as EO 14028, NTIA Minimum Elements, EU CRA, FDA, and NIST SSDF.
- Formulate precise SBOM contractual language for secure software supplier procurement.
- Secure your SBOMs with cosign (Sigstore) for tamper-evident attestation, enhancing trust and integrity.
- Develop rapid incident response capabilities for zero-day CVEs and supply chain compromises, utilizing SBOM data for swift scope determination.
- Design and implement a mature SBOM program, progressing from an MVP to Level 4, complete with 8 measurable Key Performance Indicators (KPIs).
---
Practical, Hands-On Labs
- Generate your initial SBOM with Syft in less than five minutes.
- Construct CI/CD pipeline YAML configurations for GitHub Actions integrating Dependency-Track.
- Configure automated policy gates to block critical CVEs and unauthorized open-source licenses.
- Set up and operationalize OWASP Dependency-Track using Docker Compose.
- Apply a comprehensive 10-point Open Source Software (OSS) intake checklist.
- Utilize a practical 72-hour CVE response runbook for critical incident management.
---
This course spans 13 distinct modules, providing comprehensive coverage from the prevailing threat landscape to advanced program maturity. It encompasses SBOM Fundamentals, a deep dive into SPDX vs CycloneDX, practical application of Syft & Trivy, SDLC Integration, Vulnerability Management, License Governance, crucial Regulatory Compliance, strategic Procurement, efficient SBOM Operations, effective Incident Response, and a pathway to program maturity and certification. Our regulatory coverage is extensive, including EO 14028, NTIA Minimum Elements, OMB M-22-18, FDA Cybersecurity requirements, NIST SSDF, the EU Cyber Resilience Act, and EU NIS2.
Enroll today and proactively build the essential supply chain security visibility your organization critically needs, ensuring you're prepared long before a critical CVE necessitates an urgent response.
Curriculum
Threat Landscape
SBOM Fundamentals
SPDX vs CycloneDX
Syft & Trivy Tools
SDLC Integration
Vulnerability Management
License Governance
Regulatory Compliance
Procurement
SBOM Operations
Incident Response
Program Maturity
Certification Path
Deal Source: real.discount
