Are you ready to master Software Bill of Materials (SBOM) and become the supply chain security expert your organisation needs in 2026?
Software supply chain attacks increased by 245% year-over-year. SolarWinds, Log4Shell, XZ Utils, and 3CX proved one brutal truth: you cannot defend what you cannot see. SBOM is the visibility layer that changes everything — and organisations that implement it respond to critical CVEs in seconds, not weeks.
—
What is SBOM and why does it matter right now?
A Software Bill of Materials (SBOM) is a machine-readable inventory of every component, library, and dependency inside a software product. Executive Order 14028 requires it for all software sold to the US federal government. The EU Cyber Resilience Act mandates it for all CE-marked products by December 2027. The FDA requires it in premarket submissions for medical devices. SBOM is no longer optional — it is a compliance requirement, a procurement expectation, and a security necessity.
Yet 86% of organisations find SBOM generation challenging, and most security teams still lack the skills to implement it correctly. This course closes that gap completely.
—
What You Will Learn
– Understand the full software supply chain threat landscape — SolarWinds, Log4Shell, XZ Utils, 3CX anatomy explained
– Generate SBOMs using Syft, Trivy, cdxgen, and CycloneDX build plugins
– Master SPDX (ISO/IEC 5962:2021), CycloneDX (ECMA-424), and SWID Tags
– Integrate SBOM generation into CI/CD pipelines — GitHub Actions, GitLab CI, Jenkins
– Deploy OWASP Dependency-Track for enterprise SBOM management and continuous CVE monitoring
– Implement VEX workflows to triage and communicate CVE exploitability status
– Enforce open-source license compliance with automated policy gates
– Meet EO 14028, NTIA, EU CRA, FDA, and NIST SSDF requirements
– Write SBOM contractual language for supplier procurement
– Sign SBOMs with cosign (Sigstore) for tamper-evident attestation
– Respond to zero-day CVEs and supply chain compromises using SBOM-powered scope determination
– Build a mature SBOM program from MVP to Level 4 — with 8 measurable KPIs
—
Hands-On Labs
– Generate your first SBOM in under 5 minutes with Syft
– CI/CD pipeline YAML for GitHub Actions and Dependency-Track
– Configure policy gates blocking critical CVEs and prohibited licenses
– Set up OWASP Dependency-Track with Docker Compose
– Apply the 10-point OSS intake checklist
– Use the 72-hour CVE response runbook
—
13 Modules covering: Threat Landscape · SBOM Fundamentals · SPDX vs CycloneDX · Syft & Trivy Tools · SDLC Integration · Vulnerability Management · License Governance · Regulatory Compliance · Procurement · SBOM Operations · Incident Response · Program Maturity · Certification Path
—
Regulatory Coverage: EO 14028 · NTIA Minimum Elements · OMB M-22-18 · FDA Cybersecurity · NIST SSDF · EU Cyber Resilience Act · EU NIS2
—
Enrol now and build the supply chain security visibility your organisation needs — before a CVE forces the question.




