SEC547: Defending Product Supply Chains

  • Online
18 CPEs

The threat landscape has changed and gone are the days when erecting a strong perimeter is sufficient to keep adversaries at bay. Supply chain attacks are one of the many effective ways to circumvent traditional perimeter-based controls. In these difficult to spot attacks, organizations unintentionally invite the adversary inside using unvalidated but "trusted" technologies, effectively leading to self-compromise. SEC547: Defending Product Supply Chains teaches how to minimize the risk of supply chain attacks via in-depth supply chain risk management strategies and tactics. The course covers the threat landscape and provides critical skills for defenders across 13 custom tailored labs, provides real-world examples of how these attacks work and how to stop them from happening to you. You'll leave this course with the industry best practice required to inject security and assurance into your organization's technology acquisitions.

Course Authors:

What You Will Learn

From Procurement to Product: Secure Your Supply Chain Journey

SEC547 covers the broad topic of supply chain risk management and expands on traditional definitions of vendor risk management to include more modern concepts such as software transparency and assurance. Tackling not only the why of supply chain security, but how as well. Through a series of case studies and real-world threat scenarios, the course provides effective guidance that transcends conventional wisdom to land at ground truths necessary to build and mature a supply chain program.

The landscape of supply chain security is fraught with peril, not only with the adversaries we seek to disrupt, but also the internal and external stakeholders that complicate this process. Through a blend of both traditional risk management disciplines interwoven with technical concepts required to defend against nation state level and criminal organizations, SEC547 will give you confidence in keeping your organization safe. Exploration of concepts such as procurement and contracting, risk assessments, software bill of materials (SBOMs), counterfeit and other hardware threats, and coordinated vulnerability remediation and response provide the context needed to secure your organization.

SEC547 is constructed around a fictional industrial manufacturing company as an illustrative showcase of the challenges faced by both buyers and sellers of technology. As we walk through course objectives, aspiring supply chain professionals will be able to identify with and apply the lessons learned to tackle these critical concerns.

What Is Supply Chain Security??

The practice of supply chain security is focused on securing the upstream dependencies we ingest into the products and services we rely upon to run our business. The scope of these activities can be broad and impact the people, processes, and technology we rely on to run the business. Likewise, our people, processes, and technology are the supply chain for other downstream organizations, and as such, both upstream and downstream concerns become part of the global supply chain concern. This connected ecosystem creates a rapidly expanding spider web of risks that function as a force multiplier for adversaries seeking to maximize the returns on their offensive investments.

Business Takeaways

  • Increase your organization's resilience in the face of adversarial threats
  • Decrease the cost of your security program through risk reduction
  • Conduct vendor and product supply chain assessments
  • Reduce the impact of supply chain attacks on your organization
  • Prioritize risks inside your supply chain program
  • Identify leakage of sensitive intellectual property
  • Identify foreign presence risks in your supply chain
  • Coordinate supply chain security conversations with stakeholders

SEC547 Alan Millington Quote

Skills Learned

  • Create SBOMs from source code
  • Create attestation pipelines
  • Understand how vulnerabilities are published
  • Learn to validate vulnerable components
  • Identify counterfeit components
  • Build a supply chain security program
  • Understand how foreign adversaries manipulate supply chains
  • Learn to use open-source supply chain security tools
  • Work with developers to inject security into your product development process
  • Become more effective at responding to supply chain threats
  • Learn effective techniques to respond to the next major supply chain vulnerability

Hands-On Supply Chain Security Training

SEC547's hands-on focus comprise of 13 immersive labs across 3 days and explores the supply chain security concepts taught through instructor presentation. Using a custom Linux lab environment purpose-built for this course, you will leverage industry supply chain tools such as Dependency Track, CycloneDX, Syft, in-toto, CSAF VEX standard, and even utilities such as gitgeo to interrogate GitHub for noteworthy observations about open-source projects. As working with supply chain artifacts is a big part of this work, we will also cover advanced command line introspection of these file formats such as processing and parsing of JSON files and learning to optimize testing workflows. Additional tools covered in the labs include sha1sum, openssl, sigstore, sbomqs, blint, and a variety of open-source intelligence (OSINT) tools such as nmap, subfinder, and more, useful for information collection and assessment activities.

"The labs/exercises today were great! I'm able to walk away with some great tools and processes that can be implemented to immediately enhance my team's aspect of the security review." - Liana Torres, Savannah River Nuclear Solutions

"I very much enjoyed the labs. Great way to learn what's happening in the background of some of our security tools. Also enjoyed the use cases it applied to. Definitely provided good insights into how other organizations might be approaching some of these problem sets." - Alan Millington, Self Employed

Syllabus Summary

  • Section 1: Supply chain overview and deep dive into conducting vendor risk assessments and how to scale the process.
  • Section 2: Foray into product security, including hardware threats and counterfeit and a deep dive into SBOM and the challenges and solutions associated with managing them.
  • Section 3: Attestations for supply chain artifacts and process assurance, as well as vulnerability and threat mitigation and response.

Additional Free Resources




What You Will Receive

  • A custom Linux virtual machine with 50+ tools purpose-built for supply chain work that you will use in course labs and can be used when you return to work
  • An electronic workbook with step-by-step instructions for 13+ fully functional labs that do not expire and can be repeated any time after the course
  • A digital download package that includes additional industry resources and white papers that help build upon course content
  • Printed and electronic courseware
  • MP3 audio files of the complete course lecture

What Comes Next?

Depending on your current role or future plans, one of these courses is a great next step in your supply chain security journey:

Syllabus (18 CPEs)

Download PDF
  • Overview

    Starting with an introduction to supply chain concepts, we explore how supply chains function and why they are such an attractive target. We will discuss corporate processes and the way people procure products and how these dynamics between buyer and seller influence supply chain risks. Going deeper into threat models for these attack vectors, we cover how to perform risk assessments that are contextual to the risk you are trying to manage. This section discusses the role that suppliers play in the product manufacturing process and how you can build and mature a supply chain risk management program.

    • Vendor Risk Assessments
    • OSINT Analysis
    • Technical Vendor Assessments
    • Foreign Presence
    • An Introduction to Supply Chain
    • Risk Assessment Process
    • OSINT Analysis
    • Program Execution
    • Contracting and Foreign Ownership, Control, or Influence (FOCI)
    • Product Development
  • Overview

    Diving deep into hardware threats, this section covers how to assess hardware risks and identify counterfeit hardware in your intake process. Hardware bill of materials (HBOMs) as a historical manufacturing technique have evolved, and we will show you how you can evolve your understanding for holistic product evaluation. Software authenticity and trust attributes such as provenance and pedigree and understanding how to prioritize the ocean of products to be assessed will all be covered in this section. The latter part of this section is focused solely on a variety of SBOM topics from exploring use cases to creating SBOMs yourself from existing open-source projects, firmware, binaries, and containers. We explore how to use them in your risk management workflows, as well as verify, correct and enrich them with supply chain metadata. Lastly, we explore how the SBOM space is evolving to include Software as a Service (SaaS), configuration management, cryptography, and other bill of materials types.

    • HBOM
    • Risk Ranking Software
    • Software Authenticity
    • SBOM Generation
    • SBOM Management
    • SBOM Enrichment
    • Hardware Threats
    • Counterfeits
    • Building a Hardware Lab
    • Software Threats
    • Trust Attributes
    • Supply Chain Regulations
    • SBOM Basics
    • SBOM Challenges
    • SBOM Process Flows and BOM Maturity
    • Operationalizing SBOM Initiatives
    • CycloneDX SBOM
    • Software Package Data Exchange (SPDX) SBOM
    • Other BOM Types
  • Overview

    This final section starts with a focus on attestations and related tools and frameworks such as in-toto, SLSA, and other models to measure the processes in your supply chains and CI/CD pipelines. By establishing verifiable evidence, we start to gain more trust in the software we use. We will dive deep into vulnerability management, one of the most important use cases for supply chain, and how to work with different vulnerability databases. Lastly, we will explore topics related to product security incident response teams (PSIRT) and the role they play in responding to supply chain incidents as well as a few notable attacks and how to disrupt them.

    Day 3 concludes with a vulnerability incident simulation that pulls together many of the concepts covered in this course to provide context on all the material over this 3-day course.

    • Supply Chain Attestations
    • Interpreting Vulnerability Reports
    • Vulnerability Assessment Simulation
    • Supply Chain Attestations
    • Vulnerability Management
    • Triaging Vulnerabilities
    • Vulnerability Exploitability eXchange (VEX) and Vulnerability Disclosure Report (VDR)
    • Responding to Threats
    • PSIRT


The following are course or equivalent experience prerequisites for SEC547:


Students should have a basic awareness of how their organization buys and sells technology and services from both a process standpoint as well as the security requirements and frameworks that align with technology acquisition and implementation. While not required, having conversations with peers inside your organization beforehand on these topics will be helpful as we touch on these areas in the course.

Laptop Requirements

Important! Bring your own system configured according to these instructions.

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will not be able to fully participate in hands-on exercises in your course. Therefore, please arrive with a system meeting all the specified requirements.

Back up your system before class. Better yet, use a system without any sensitive/critical data. SANS is not responsible for your system or data.

  • CPU: 64-bit Intel i5/i7 (8th generation or newer) or AMD equivalent. A x64 bit, 2.0+ GHz or newer processor is mandatory for this class.
  • CRITICAL: Apple Silicon devices cannot perform the necessary virtualization and therefore cannot in any way be used for this course.
  • BIOS settings must be set to enable virtualization technology, such as "Intel-VTx" or "AMD-V" extensions. Be absolutely certain you can access your BIOS if it is password protected in case changes are necessary.
  • 16GB of RAM or more is required.
  • 65GB of free storage space or more is required.
  • At least one available USB 3.0 Type-A port. A Type-C to Type-A adapter may be necessary for newer laptops. Some endpoint protection software prevents the use of USB devices, so test your system with a USB drive before class.
  • Wireless networking (802.11 standard) is required. There is no wired Internet access in the classroom.
  • Your host operating system must be the latest version of Windows 10, Windows 11, or macOS 10.15.x or newer.
  • Fully update your host operating system prior to class to ensure you have the right drivers and patches installed.
  • Linux hosts are not supported in the classroom due to their numerous variations. If you choose to use Linux as your host, you are solely responsible for configuring it to work with the course materials and/or VMs.
  • Local Administrator Access is required. (Yes, this is absolutely required. Don't let your IT team tell you otherwise.) If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
  • You should ensure that antivirus or endpoint protection software is disabled, fully removed, or that you have the administrative privileges to do so. Many of our courses require full administrative access to the operating system and these products can prevent you from accomplishing the labs.
  • Any filtering of egress traffic may prevent accomplishing the labs in your course. Firewalls should be disabled, or you must have the administrative privileges to disable it.
  • Download and install Vmware Workstation Pro 16.2.X+ or Vmware Player 16.2.X+ (for Windows 10 hosts), Vmware Workstation Pro 17.0.0+ or Vmware Player 17.0.0+ (for Windows 11 hosts), or VMWare Fusion Pro 12.2+ or Vmware Fusion Player 11.5+ (for macOS hosts) prior to class beginning. If you do not own a licensed copy of Vmware Workstation Pro or Vmware Fusion Pro, you can download a free 30-day trial copy from Vmware. Vmware will send you a time-limited serial number if you register for the trial at their website. Also note that Vmware Workstation Player offers fewer features than Vmware Workstation Pro. For those with Windows host systems, Workstation Pro is recommended for a more seamless student experience.
  • On Windows hosts, Vmware products might not coexist with the Hyper-V hypervisor. For the best experience, ensure Vmware can boot a virtual machine. This may require disabling Hyper-V. Instructions for disabling Hyper-V, Device Guard, and Credential Guard are contained in the setup documentation that accompanies your course materials.
  • Download and install 7-Zip (for Windows Hosts) or Keka (for macOS hosts). These tools are also included in your downloaded course materials.

Your course media is delivered via download. The media files for class can be large. Many are in the 40-50GB range, with some over 100GB. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as soon as you get the link. You will need your course media immediately on the first day of class. Do not wait until the night before class to start downloading these files.

Your course materials include a "Setup Instructions" document that details important steps you must take prior to starting the online class. It may take 30 minutes or more to complete these instructions.

Your class uses an electronic workbook for its lab instructions. In this new environment, a second monitor and/or a tablet device can be useful for keeping class materials visible while you are working on your course's labs.

If you have additional questions about the laptop specifications, please contact support.

Author Statement

With high profile incidents such as Solarwinds and Log4j dominating news cycles and urgent action called for from the federal government and industry at large, supply chain risk management is one of the most charged topics in security today. It's a vast topic covering many domains of knowledge and is challenging for many to understand where to even start. The guidance from industry is deafening but hard to navigate. Do we need security questionnaires? Vendor scorecards? SBOMs? Firmware analysis? AppSec tools? Something else?

There are many fantastic solutions out there, but the reality is they are not all well-suited for where you are in your security journey, nor do the terms mean the same things to everyone. The guidance from industry analysts is also dated and unhelpful. This can be very confusing! I drew on a career of over 25 years, supporting supply chain use cases in electronics manufacturing, vendor risk and software supply chain for critical infrastructure in writing this course to help navigate through the noise and provide real world examples of what works and what doesn't. Join me as we chart a path forward to Defending Product Supply Chains!

- Tony Turner, SANS Instructor

"The instructor is extremely knowledgeable as he is able to explain things clearly and thoroughly, providing pertinent information and pointing out pros and cons for each topic that is covered."

- Liana Torres, Savannah River Nuclear Solutions


This [course] has helped me identify key factors, procedures, relevant tools, and guidance I can use to develop a strategically aligned, efficient yet systematic, method to tackle the issues in the supply chain process.
Liana Torres
Savannah River Nuclear Solutions
I value the examples, potential tools, and guidance provided [in SEC547] for enhancing security reviews. I feel this information will be instrumental in boosting the productivity of my team and organization.
Liana Torres
Savannah River Nuclear Solutions
I loved the course. [It is] full of useful information I plan to include in my internal projects!
Rossano Ferraris

    Register for SEC547

    Learn about Group Pricing

    Prices below exclude applicable taxes and shipping costs. If applicable, these will be shown on the last page of checkout.