Supply Chain Security

Body of Knowledge

| Topic | Description | Relevance | Career Tracks |
|---|---|---|---|
| Supply Chain Fundamentals | Software supply chain risks, attack vectors (SolarWinds, Log4j), trust boundaries, verification. | Critical | DevSecOps, Security Engineer |
| Dependency Management | Lock files, version pinning, vulnerability scanning, Dependabot, Renovate, automated updates. | Critical | DevSecOps, Developer |
| Software Bill of Materials (SBOM) | SPDX, CycloneDX formats, syft/trivy generation, NTIA minimum elements, consumption workflows. | High | DevSecOps, Security Engineer, Compliance |
| Sigstore (cosign) | Keyless signing, container image signing, verification, transparency logs (Rekor), Fulcio. | High | DevSecOps, Platform Engineer |
| SLSA Framework | Build provenance, hermetic builds, attestations, SLSA levels 1-4, compliance verification. | Medium | DevSecOps, Platform Engineer |
| Container Image Security | Base image selection, minimal/distroless images, multi-stage builds, image pinning, vulnerability tracking. | Critical | DevSecOps, Platform Engineer |
| Package Repository Security | Private registries, upstream verification, artifact caching, dependency proxies. | High | Platform Engineer, DevSecOps |
| License Compliance | License scanning, SPDX identifiers, license compatibility, legal review workflows. | Medium | DevSecOps, Compliance |
| Vendor Security Assessment | Third-party risk, security questionnaires, vendor SOC reports, dependency vendor review. | Medium | Security Engineer, Compliance |
| Binary Authorization | Admission control for verified images, policy enforcement, attestation verification. | Medium | Platform Engineer, DevSecOps |

Personal Status

| Topic | Level | Evidence | Active Projects | Gaps |
|---|---|---|---|---|
| Dependency Management | Awareness | Understand concepts — dependency pinning, lock files, SBOM; use pyproject.toml with pinned versions | CISSP Study Guide | No Sigstore/cosign, no SBOM generation, no dependency scanning (Dependabot/Snyk) |
| Software Bill of Materials (SBOM) | Awareness | Conceptual understanding from CISSP study; no hands-on SBOM generation | — | No syft/trivy SBOM generation, no SBOM consumption workflows |
| Artifact Signing & Verification | — | — | — | No Sigstore/cosign experience, no Notary |
| SLSA Framework | — | — | — | No SLSA implementation or attestation generation |