Last updated: April 29, 2026
Software supply chain security is the discipline of knowing what is in your software, where it came from, and whether it was tampered with en route. Regulators (US Executive Order 14028, EU Cyber Resilience Act, India’s CERT-In requirements) have moved this from a best practice to a compliance requirement. This module covers SBOM, provenance, signing, the SLSA framework, and the dependency-security practices that actually work.
Why supply chain is under regulatory pressure
High-profile incidents changed the landscape:
- SolarWinds (2020): an implant in the vendor's build system injected the SUNBURST backdoor into Orion updates that were then signed with the vendor's legitimate key and downloaded by roughly 18,000 customers. A valid signature proved only that SolarWinds shipped the build, not that the build was clean, which is why provenance matters as much as signing.
- Log4Shell (2021): a single vulnerability in one library (CVE-2021-44228 in log4j-core) affected thousands of products; most organizations could not even answer "do we use log4j, and where?" because they had no inventory of their transitive dependencies.
- xz Utils (2024): a multi-year social-engineering campaign earned an attacker co-maintainer status on a core compression library; the resulting backdoor (CVE-2024-3094, in liblzma 5.6.0 and 5.6.1) reached several rolling-release distributions and was caught before it landed in any stable distribution release.
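The question most organizations could not answer during Log4Shell is exactly what an SBOM exists to answer. The script below is an added example written for this module, not code from the original page or from any SBOM tool: it reads a CycloneDX JSON SBOM, finds every log4j-core component (including ones nested inside other components, which a naive top-level scan misses), compares the version against a fix threshold, and walks the SBOM's dependency graph backwards to report which direct dependency pulls it in. The SBOM is hand-constructed for the example, and the threshold (flag anything below 2.16.0) is a deliberate simplification that ignores the backported security releases on the 2.3.x and 2.12.x lines.

```python
"""Answer 'do we use log4j-core, which version, and what pulls it in?' from a CycloneDX SBOM."""
import json
import re

# Constructed sample SBOM (CycloneDX 1.4 JSON written by hand for this example, not produced
# by a real build): a "payments" service depends on a logging starter, which pulls in log4j-core.
APP = "pkg:maven/com.example/payments@3.1.0"
STARTER = "pkg:maven/com.example/logging-starter@1.2.0"
LOG4J_CORE = "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"
LOG4J_API = "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"
JACKSON = "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.0"

SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "metadata": {"component": {"type": "application", "bom-ref": APP,
                               "name": "payments", "version": "3.1.0"}},
    "components": [
        {"type": "library", "bom-ref": STARTER, "name": "logging-starter",
         "version": "1.2.0", "purl": STARTER,
         # CycloneDX allows components nested inside a component; a scan of only the
         # top-level list would never see log4j-core here.
         "components": [
             {"type": "library", "bom-ref": LOG4J_CORE, "group": "org.apache.logging.log4j",
              "name": "log4j-core", "version": "2.14.1", "purl": LOG4J_CORE},
             {"type": "library", "bom-ref": LOG4J_API, "group": "org.apache.logging.log4j",
              "name": "log4j-api", "version": "2.14.1", "purl": LOG4J_API},
         ]},
        {"type": "library", "bom-ref": JACKSON, "group": "com.fasterxml.jackson.core",
         "name": "jackson-databind", "version": "2.13.0", "purl": JACKSON},
    ],
    "dependencies": [
        {"ref": APP, "dependsOn": [STARTER, JACKSON]},
        {"ref": STARTER, "dependsOn": [LOG4J_CORE, LOG4J_API]},
        {"ref": LOG4J_CORE, "dependsOn": [LOG4J_API]},
    ],
})

# Simplified threshold used by this example: 2.16.0 disabled JNDI lookups by default.
# It does not account for the backported fixes on the 2.3.x and 2.12.x lines; a real
# scanner must special-case those ranges rather than do a single comparison.
LOG4J_CORE_PURL_PREFIX = "pkg:maven/org.apache.logging.log4j/log4j-core@"
LOG4J_CORE_FIXED = (2, 16, 0)


def version_key(version):
    """Map '2.14.1', '2.16' or '2.0-beta9' to a 3-tuple of ints for ordering.
    Pre-release tags are dropped and missing fields padded with 0, so '2.16' == (2, 16, 0)."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def iter_components(sbom):
    """Yield every component, descending into nested 'components' lists."""
    stack = list(sbom.get("components", []))
    while stack:
        comp = stack.pop()
        yield comp
        stack.extend(comp.get("components", []))


def dependency_paths(sbom, target_ref):
    """Return every path root -> ... -> target_ref from the SBOM's dependency graph,
    i.e. answer 'what pulls it in?' rather than just 'is it there?'."""
    parents = {}
    for entry in sbom.get("dependencies", []):
        for child in entry.get("dependsOn", []):
            parents.setdefault(child, []).append(entry["ref"])
    root = sbom["metadata"]["component"]["bom-ref"]
    paths, stack = [], [[target_ref]]
    while stack:
        path = stack.pop()
        if path[0] == root:
            paths.append(path)
            continue
        for parent in parents.get(path[0], []):
            if parent not in path:  # guard against cycles in a malformed graph
                stack.append([parent] + path)
    return sorted(paths)


def find_package(sbom_json, purl_prefix, fixed_version):
    """Generic check: every component whose purl starts with purl_prefix, flagged as
    vulnerable when its version sorts below fixed_version, with its dependency paths."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in iter_components(sbom):
        if comp.get("purl", "").startswith(purl_prefix):
            findings.append({
                "ref": comp["bom-ref"],
                "version": comp["version"],
                "vulnerable": version_key(comp["version"]) < fixed_version,
                "paths": dependency_paths(sbom, comp["bom-ref"]),
            })
    return findings


def log4j_report(sbom_json):
    """The Log4Shell question, asked of an SBOM."""
    return find_package(sbom_json, LOG4J_CORE_PURL_PREFIX, LOG4J_CORE_FIXED)


if __name__ == "__main__":
    for finding in log4j_report(SAMPLE_SBOM):
        print(finding["ref"], "VULNERABLE" if finding["vulnerable"] else "ok")
        for path in finding["paths"]:
            print("  via " + " -> ".join(ref.split("/")[-1] for ref in path))
```

The dependency-path output is the part worth keeping: knowing that log4j-core is present tells you to patch, but knowing it arrives through `logging-starter` tells you which upgrade actually removes it. The same `find_package` call works for any package URL prefix and fix version, so the script answers the next "do we use X?" as well.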
Regulatory response: US Executive Order 14028 (May 2021) directs federal agencies to require SBOMs from the software vendors they buy from. The EU Cyber Resilience Act requires SBOMs and a vulnerability-handling process for all "products with digital elements", with reporting obligations applying from September 2026 and the main obligations from December 2027. India's CERT-In issued similar draft guidance in 2025.