|Securing Your Software Supply Chain With This Free Course|
|Written by Nikos Vaggalis|
|Monday, 01 August 2022|
A new course from the Linux Foundation on edX aims to educate the industry on how to digitally sign software artifacts. Targeted at both software developers and DevOps and security engineers, it focuses on using the Sigstore toolkit to secure the software supply chain.
Sigstore is really upping its game. Supporting new tools, like GitSign which I recently covered, it produces announcements, consortiums and educational material. It really is taking supply chain security seriously.
For those still not aware of the concept, the desired outcome is to protect the software supply chain.
How can this be achieved?
By signing every component along the chain, a product would prove its authenticity. That's what Sigstore does; by empowering software developers to securely sign software artifacts such as release files, container images and binaries. These signatures are then stored in a tamper-proof public log - for free.
Towards that goal Sigstore releases tools and sets up the infrastructure. The following tools are under the Sigstore umbrella:
But the tools mean nothing without documentation and training in applying them to real use cases. For that reason the Linux Foundation, in partnership with Chainguard, has launched this new course. Note that the Foundation is very interested in software security in general,and also offers a 3-course Professional Certificate In Secure Software Development Fundamentals on edX which educates developers in:
the fundamentals of developing secure software. Geared towards software developers, DevOps professionals, software engineers, web application developers, and others interested in learning how to develop secure software, this course focuses on practical steps that can be taken, even with limited resources, to improve information security.
Securing Your Software Supply Chain with Sigstore, in contrast, is not about strengthening your code, but about strengthening its supply chain. As such this course targets software developers, DevOps engineers, security engineers, software maintainers, and related roles. Therefore you will need to be familiar with Linux terminals and using command line tools and have knowledge of cloud computing and DevOps concepts.
It starts by teaching you the basics such as: “What is Software Supply Chain Security?” and defines key terms and concepts like SLSA and SBOM. By the end, you’ll have learned how to set up your own Sigstore Rekor server with hands-on labs and code examples.
The syllabus is as follows:
The course is self paced and typically requires 7 weeks to complete if dedicating 1–2 hours per week to it. While it is free to audit if you want to engage in the graded assignments and exams and earn a certificate there's a optional upgrade costing $149. We've repeatedly reported that gaining certification is likely to enhance your career prospects and also that employers, keen to hire and retain those with open source skills are increasingly willing to pay for course completion. Following the Verified Track option also gives you unlimited access to the course, whereas you only have around 8 weeks on the free, audit, track.
In summary, this is a first class opportunity to make yourself part of the software supply ecosystem by learning how to fortify it.
|Last Updated ( Monday, 01 August 2022 )|