Software supply chain security is bigger than SBOMs and package dependencies. It includes the producer writing first-party code, the consumer combining libraries and services into new software, and the end user who installs, operates, or depends on the finished product. It also includes the systems that shape trust along the way: developer desktops, IDEs, repositories, CI/CD, deployment tooling, container images, package ecosystems, and cloud environments.
Those perspectives matter because each persona inherits risk differently. A producer has to secure how software is authored and shipped. A consumer has to understand what external components, services, and build dependencies are being pulled into a product. An end user has to evaluate what software can be trusted, how it was built, and what signals are available when something goes wrong.
Cyfinoid specializes in this area. Our software supply chain security research reflects the same broader view behind this training program: supply chain security is not just about generating SBOMs or scanning dependencies, but about understanding how software is built, moved, trusted, attacked, and defended from the developer’s desktop to cloud deployment.
What This Training Is
This page gives a high-level overview of the training program. Cyfinoid runs both attack-focused and defense-focused software supply chain classes. Public conference deliveries are primarily attack-led, while private / corporate engagements more often emphasize defending the software supply chain, improving internal controls, and helping teams operationalize the lessons.
The exact syllabus for a given run depends on the conference, audience, duration, and lab design for that event. If you plan to attend a public session, please review that conference page beforehand for the authoritative module list, labs, student requirements, and delivery specifics.
Across these courses, we aim to provide a 360-degree view of software supply chain security, from the developer’s desktop and repository workflows through CI/CD, deployment systems, containers, and cloud environments. The material is designed to give practical guidance to producers, consumers, and end users rather than treating software supply chain security as a dependency-only problem.
Why It Matters
Software supply chain risk no longer starts and ends with open-source dependencies. Attackers look for trust boundaries they can abuse across first-party code, developer tooling, repositories, build systems, package ecosystems, release automation, and deployment platforms.
This training helps participants understand both sides of that problem: how supply chain attacks happen in practice, and how to build defenses that hold up in real delivery environments. The goal is not to teach a single checklist, but to help teams see how trust breaks across the full path from code creation to software consumption.
What Participants Will Learn
Participants will learn how to:
- Understand software supply chain risk beyond SBOMs and third-party packages
- Analyze supply chain risk from the perspectives of producers, consumers, and end users
- Attack developer environments, VS Code workspaces, extensions, Git, and repository workflows
- Abuse CI/CD pipelines, custom runners, release processes, and deployment platforms
- Create and analyze malicious dependencies and package ecosystem attack paths
- Explore container, Kubernetes, cloud, and IAM-related supply chain exposure
- Translate frameworks such as SLSA and NIST SSDF into practical controls
- Improve inventory, SBOM generation, provenance, hardening, detection, and response
How The Program Is Delivered
- Cyfinoid runs both attack and defense classes in this area
- Conference deliveries are primarily attack-focused and typically emphasize offensive labs, attacker methodology, and exploitation paths
- Private / corporate deliveries can be tailored toward defense, governance, hardening, and operational improvements for internal teams
- Hands-on labs, real-world case studies, and guided walkthroughs are adapted to the event format and audience
- Exact coverage varies by run, so attendees should always check the specific conference or event page beforehand
Guidance For All Three Personas
- Producers: teams building and maintaining first-party code, internal tooling, and release pipelines
- Consumers: teams taking libraries, platforms, SaaS components, and third-party dependencies and turning them into new software
- End users: organizations that deploy, buy, or rely on finished software and need to evaluate its trustworthiness and exposure
Topics Covered
- Introduction to software supply chain security
- Supply chain risk beyond code dependencies
- Exploiting VS Code workspaces
- Trojanizing IDE and browser extensions
- Exploiting Git and GitHub misconfigurations
- Attacking CI pipelines and custom runners
- Creating malicious dependencies
- Attacking package ecosystems such as npm and Gradle
- Exploiting deployment systems such as GitHub Actions and ArgoCD
- Leveraging container image misconfigurations
- Exploring cloud and Kubernetes attack paths
- Attacking cloud environments through IAM, data exposure, and configuration flaws
- Exploiting Kubernetes misconfigurations and insecure defaults
- Applying SLSA and NIST SSDF in practical settings
- Improving governance, inventory, SBOMs, provenance, and baseline controls
- Strengthening runtime security, detection, response, and recovery
Who Should Attend
- Software producers such as developers, engineers, and platform teams
- Software consumers such as product teams, DevOps practitioners, and teams integrating third-party components into delivered software
- Software end users such as security teams, risk owners, IT managers, engineering managers, and leadership stakeholders
Training Format
- Attack-led, defense-led, or blended delivery depending on the event
- Hands-on labs with intentionally vulnerable environments
- Real-world case studies and guided walkthroughs
- Practical takeaways that can be used across the path from developer desktop to cloud deployment
Student Requirements
Basic knowledge of software development and IT security concepts is assumed. Familiarity with cloud platforms and CI/CD processes is helpful, but not mandatory.
Exact prerequisites may vary by run. Always check the conference or event page for the authoritative student requirements.
What Students Should Bring
- Laptop with a working browser and unrestricted Internet access
- Administrative access on the laptop in case troubleshooting is needed during labs
Some labs may require access to common development or cloud services. Instructions will be provided before the class so students can prepare accounts in advance when needed.
What Students Receive
- Detailed step-by-step lab manual for the challenges covered during class
- Slide deck for the material covered during the training
- Post-training capture-the-flag challenges for further practice
- Attack and defense infrastructure guide for self-practice
Next Sessions
Testimonials
Previous Run of this class
How to attend
Cyfinoid offers its trainings via multiple international conference such as BlackHat USA and others, We do offer private trainings also.