Security in Delivery Pipelines
SBOMs, signing hooks, and threat modeling for the path from commit to artifact—not just prod firewalls.
We thread supply-chain basics into CI stages you already run: dependency pinning discipline, provenance metadata, and proportionate scanning that does not numb developers to alerts.
What the syllabus includes
- SBOM generation lab with diff review
- Signing hook placement options diagrammed
- Secret scanning false-positive triage drill
- Threat modeling canvas for build service accounts
- Dependency update policy template
- Container base image refresh checklist
- Office hour on severity vs noise trade-offs
Artifacts you leave with
- Attach an SBOM artifact to a sample pipeline run
- Write a proportionate scanning policy paragraph for the engineering handbook
- List three realistic threats mitigated by signing metadata
Lead mentor
Fatima Al-Hassan — AppSec partner to platform teams; prefers incremental guardrails.
Duration: 4 weeks · evenings · Format: cohort · Category: certification prep · Level: intermediate
Price (informational): 10,800 THB — see Money-Back Policy for eligibility notes.
FAQ
Out of scope—this is pipeline hygiene, not offensive security.
We reference ISO-style thinking without certifying you.
Hardware security modules and on-prem HSM workflows are excluded.
Participant notes
Security in Delivery Pipelines gave our devs vocabulary for SBOM diffs without turning every PR into a lecture.
Threat modeling canvas for build accounts surfaced a shared key we had rationalized away.