Banner with 1s and 0s on dark background

Graduate Certificate in Software Supply Chain Security

Professional software developers who understand security are in high demand. Designed for software developers who have coding experience, this highly technical graduate certificate program prepares you to better support your team and organization in securely designing, writing, packaging, and deploying software.

Format Option: A 100% online option is available
Courses: 4
GIAC Certifications: 4
Credits: 12
Duration: 18-24 months
Total Program Cost: $22,800 USD

470x382-cybersecurity-student-8.jpg

Strengthen Your Technical Knowledge and Skills

Gain practical skills you can immediately apply at your job or in a new infosec role.

  • Learn the latest cybersecurity tactics to protect your organization
  • Keep your skills current for career growth and advancement
  • Earn professional GIAC certifications as you complete the program
  • Train on your schedule, to balance work and school
  • Get personalized support from a student advisor 

APPLICATIONS ACCEPTED MONTHLY

The SANS.edu Advantage

Because cyber threats are constantly changing, our courses are continually updated for real-world relevance. But that's just the beginning.
STI_Advantage_Icons-07.svg

GIAC Certifications

Earn 4 industry-recognized GIAC cybersecurity certifications.

STI_Advantage_Icons-09.svg

100% Online Option Available

You have the option of completing the program through live or rewindable online courses.

STI_Advantage_Icons-10.svg

World-class Faculty

Learn the latest skills and techniques from the world's top cybersecurity practitioners.

STI_Advantage_Icons-11.svg

Pathway to a Master’s Degree

All credits earned in this program can transfer into our master’s degree program.

STI_Advantage_Icons-12.svg

SANS.edu Academic Pricing

Get SANS.edu academic pricing on SANS courses and GIAC certifications.

STI_Advantage_Icons-13.svg

Powerful Network

Make connections with some of the most talented students and teachers in the industry.

Frank Kim

Special Online Information Session: New Graduate Certificate Program in Software Supply Chain Security

Join SANS Fellow Frank Kim to learn about the new graduate certificate program in Software Supply Chain Security designed for working professionals in software development who have coding experience.

Tuesday, March 5 at 1:00 pm (ET)

InfoSec professional attends SANS.edu info session

Join an Online Info Session for Graduate Cybersecurity Programs

  • Learn about the new graduate certificate program in Software Supply Chain Security from faculty member and CISO-in-Residence at YL Ventures Frank Kim. Tue, March 5, 1 pm (ET). Register here.
  • Get tips on crafting a strong application to our cybersecurity master’s degree program and information on the next steps in the admissions process. Wed, March 6, 12 pm (ET). Register here.
  • Learn more about our cybersecurity master's degree and graduate certificate programs for working professionals. Have questions? We'll answer them. Tue, March 12, 12 pm (ET). Register here.

“I have my master's in computer science, but I completed three graduate certificate programs with SANS so I could truly dive deep into technical areas of cybersecurity and learn from instructors who are leading the industry.” - Jeff Sass, Director of Application Security, Adobe

Who Should Enroll

  • Developer team leads who can implement these practices in the development process
  • Developers in mid to senior or managerial-level positions
  • Operations engineers
  • Quality assurance engineers
  • Cloud automation engineers and specialists
  • DevOps/DevSecOps professionals
  • Security engineers with an overlap in the SDLC space
  • Sales engineers working in the SDLC/DevSecOps space
  • Cloud architects with development overlap

Learn How To

  • Understand and articulate the importance of a "Security First" or "Shift Left" mindset.
  • Understand the opportunities and risks of public cloud platforms and infrastructure.
  • Recognize and mitigate common application and web application attacks.
  • Holistically secure Software Development Lifecycles (SDLC), APIs, and microservices.
  • Better implement and automate security, infrastructure, compliance, and auditing capabilities.

Curriculum | 12 credit hours

The SANS.edu Software Supply Chain Security curriculum is unmatched in its depth and breadth. Each class is composed of a SANS course and the corresponding GIAC exam. This is the curriculum order for this program. (Note that if you choose ISE 6610: Cloud Security Essentials as your elective course, you must take it as your first class in this graduate certificate program.)

Required Core Courses | 9 credit hours

  • SANS Course: SEC540: Cloud Security and DevSecOps Automation
    Certification: GIAC Cloud Security Automation (GCSA)

    3 Credit Hours

    ISE 6650 provides development, operations, and security professionals with a methodology to build and deliver secure infrastructure and software using DevOps and cloud services. Students will explore how DevOps principles, practices, and tools of DevOps can improve the reliability, integrity, and security of on-premise and cloud-hosted applications. You will gain hands-on experience using popular tools such as Jenkins, GitLab, Puppet, Vault, and Grafana to automate Configuration Management ("Infrastructure as Code"), Continuous Integration (CI), Continuous Delivery (CD), cloud infrastructure, containerization, micro-segmentation, Functions as a Service (FaaS), Compliance as Code, and Continuous Monitoring.

    You will be prepared to:

    • Recognize how DevOps works and identify keys to success
    • Utilize Continuous Integration, Continuous Delivery, and Continuous Deployment workflows, patterns, and tools
    • Identify the security risks and issues associated with DevOps and Continuous Delivery
    • Use DevOps practices to secure DevOps tools and workflows
    • Conduct effective risk assessments and threat modeling in a rapidly changing environment
    • Design and write automated security tests and checks in CI/CD
    • Understand the strengths and weaknesses of different automated testing approaches in Continuous Delivery
    • Implement self-serve security services for developers
    • Inventory and patch your software dependencies
    • Threat model and secure your build and deployment environment
    • Automate configuration management using Infrastructure as Code
    • Secure container technologies (such as Docker and Kubernetes)
    • Build continuous monitoring feedback loops from production to engineering
    • Securely manage secrets for continuous integration servers and applications
    • Automate compliance and security policy scanning
    • Understand how to automate cloud architecture components
    • Use CloudFormation and Terraform to create Infrastructure as Code
    • Build CI/CD pipelines using Jenkins and CodePipeline
    • Wire security scanning into Jenkins and CodePipeline workflows
    • Containerize applications with Elastic Container Service and Azure Kubernetes Service
    • Integrate cloud logging and metrics with Grafana
    • Create Slack alerts from CloudWatch metrics
    • Manage secrets with Vault, KMS, and the SSM Parameter store
    • Protect static content with CloudFront Signatures
    • Leverage Elastic Container Service for blue/green deployments
    • Secure REST APIs with API Gateway
    • Implement an API Gateway custom authorization Lambda function
    • Deploy the AWS WAF and build custom WAF rules
    • Perform continuous compliance scans with CloudMapper
    • Enforce cloud configuration policies with Cloud Custodian
  • SANS Course: SEC510: Public Cloud Security: AWS, Azure, and GCP
    Certification: GIAC Public Cloud Security (GPCS)

    3 Credit Hours

    ISE 6612, Public Cloud Security: Amazon Web Services (AWS), Azure, and Google Cloud Platform (GCP) teaches students how the major cloud providers work and how to securely configure and use their services and Platform as a Service (PaaS) offerings. This course provides cloud security practitioners, analysts, and researchers with an in-depth understanding of the inner workings of the most popular public cloud providers: AWS, Microsoft Azure, and GCP. You will learn industry-renowned standards and methodologies, such as the MITRE ATT&CK Cloud Matrix and CIS Cloud Benchmarks, then apply that knowledge in hands-on exercises to assess a modern web application that leverages the cloud native offerings of each provider. Through this process you will learn the philosophies that undergird each provider and how these have influenced their services.

    You will be prepared to:

    • Understand the inner workings of cloud services and Platform as a Service (PaaS) offerings in order to make more informed decisions in the cloud
    • Understand the design philosophies that undergird each provider and how these have influenced their services in order to properly prescribe security solutions for them
    • Discover the unfortunate truth that many cloud services are adopted before their security controls are fully fleshed out
    • Understand Amazon Web Services (AWS), Azure, and Google Cloud Platform (GCP) in depth
    • Understand the intricacies of Identity and Access Management, one of the most fundamental concepts in the cloud and yet one of the last understood
    • Understand cloud networking and how locking it down is a critical aspect of defense in depth in the cloud
    • Analyze how each provider handles encryption at rest and in transit in order to prevent sensitive data loss
    • Explore the service offering landscape to discover what is driving the adoption of multiple cloud platforms and to assess the security of services at the bleeding edge
    • Understand the complex connections between cloud accounts, providers, and on-premise systems and the cloud
    • Perform secure data migration to and from the cloud
    • Understand Terraform Infrastructure-as-Code well enough to share it with your engineering team as a starting point for implementing the controls discussed in the course
  • SANS Course: SEC522: Application Security: Securing Web Applications, APIs, and Microservices
    Certification: GIAC Certified Web Application Defender (GWEB)

    3 Credit Hours

    ISE 6615 presents mitigation strategies from an infrastructure, architecture, and coding perspective alongside real-world techniques that have been proven to work. The course introduces the nature of each vulnerability to help you understand why it happens, then shows you how to identify the vulnerability and provide options to mitigate it.

    To maximize the benefit for a wider range of audiences, the discussions in this course will be programming language agnostic. The focus will be maintained on security strategies rather than coding-level implementation.

    The course is particularly well suited to application security analysts, developers, application architects, pen testers, auditors who are interested in recommending proper mitigations for web security issues, and infrastructure security professionals who have an interest in enhancing the defense of web applications. The course will also cover additional issues the authors have found to be important in their day-to-day web application development practices.

    The topics covered include:

    • The OWASP Top 10
    • Selected specific web application issues from the Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Errors
    • Infrastructure security and configuration management
    • Securely integrating cloud components into a web application
    • Authentication and authorization mechanisms, including single sign-on patterns
    • Application language configuration
    • Application coding errors like SQL injection, cross-site request forgery, and cross-site scripting
    • Web 2.0 and its use of web services (REST/SOAP)
    • Cross-domain web request security
    • Business logic flaws
    • Protective HTTP headers

Elective Courses | 3 credit hours

Students select one of the following.

  • SANS Course: SEC488: Cloud Security Essentials
    Certification: GIAC Cloud Security Essentials Certification (GCLD)

    NOTE: If you choose ISE 6610 as your elective course, it must be the first class you take in this graduate certificate program.

    3 Credit Hours

    ISE 6610: Cloud Security Essentials will equip you to implement appropriate security controls in the cloud, often using automation to "inspect what you expect." Mature cloud service providers (CSPs) have created a variety of security services that can help customers use their products in a more secure manner, but much about cloud security still resides with the customer organization. This course covers real-world lessons using security services created by the CSPs as well as open-source tools. Each lesson features hands-on lab exercises to help you practice the lessons learned. You will progressively layer multiple security controls in order to end the course with a functional security architecture implemented in the cloud. The course begins by addressing one of the most crucial aspects of the cloud — Identity and Access Management (IAM). From there, you will learn to secure the cloud through discussion and practical, hands-on exercises related to several key topics to defend various cloud workloads operating in the different CSP models of: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).

    You will be able to:

    • Identify the risks and risk control ownership based on the deployment models and service delivery models of the various products offered by cloud service providers (CSPs)
    • Evaluate the trustworthiness of CSPs based on their security documentation, service features, third-party attestations, and position in the global cloud ecosystem
    • Create accounts and use the services of any one the leading CSPs and be comfortable with the self-service nature of the public cloud, including finding documentation, tutorials, pricing, and security features
    • Articulate the business and security implications of a multi-cloud strategy
    • Secure access to the consoles used to access the CSP environments
    • Use command line interfaces to query assets and identities in the cloud environment
    • Use hardening benchmarks, patching, and configuration management to achieve and maintain an engineered state of security for the cloud environment
    • Evaluate the logging services of various CSPs and use those logs to provide the necessary accountability for events that occur in the cloud environment
    • Configure the command line interface (CLI) and properly protect the access keys to minimize the risk of compromised credentials
    • Use basic Bash and Python scripts to automate tasks in the cloud
    • Implement network security controls that are native to both AWS and Azure
    • Employ an architectural pattern to automatically create and provision patched and hardened virtual machine images to multiple AWS accounts
    • Use Azure Security Center to audit the configuration in an Azure deployment and identify security issues
    • Use Terraform to deploy a complete "infrastructure as code" environment to multiple cloud providers
    • Leverage the Cloud Security Alliance Cloud Controls Matrix to select the appropriate security controls for a given cloud network security architecture and assess a CSP's implementation of those controls using audit reports and the CSP's shared responsibility model
    • Follow the penetration testing guidelines put forth by AWS and Azure to invoke your "inner red teamer" to compromise a full stack cloud application
    • Use logs from cloud services and virtual machines hosted in the cloud to detect a security incident and take appropriate steps as a first responder according to a recommended incident response methodology
    • Perform a preliminary forensic file system analysis of a compromised virtual machine to identify indicators of compromise and create a file system timeline
  • SANS Course: SEC542: Web App Penetration Testing and Ethical Hacking
    Certification: GIAC Web Application Penetration Tester (GWAPT)

    3 Credit Hours

    ISE 6315 is a highly technical information security course in offensive strategies where students learn the art of exploiting Web applications so they can find flaws in enterprise Web apps before they are otherwise discovered and exploited. Through detailed, hands-on exercises students learn the four-step process for Web application penetration testing. Students will inject SQL into back-end databases, learning how attackers exfiltrate sensitive data. They then utilize cross-site scripting attacks to dominate a target infrastructure in a unique hands-on laboratory environment. Finally students explore various other Web app vulnerabilities in-depth with tried-and-true techniques for finding them using a structured testing regimen.

  • SANS Course: SEC573: Automating Information Security with Python
    Certification: GIAC Python Coder (GPYC)

    3 Credit Hours

    The ISE 6350 course teaches student in the pen testing specialization, and other students who want to use the Python programming language, how to enhance their overall effectiveness during information security engagements. Students will learn how to apply core programming concepts and techniques learned in other courses through the Python programming language. The course teaches skills and techniques that can enhance an information security professional in penetration tests, security operations, and special projects. Students will create simple Python-based tools to interact with network traffic, create custom executables, test and interact with databases and websites, and parse logs or sets of data.

  • SANS Course: SEC588: Cloud Penetration Testing
    Certification: GIAC Cloud Penetration Tester (GCPN)

    3 Credit Hours

    ISE 6630 dives into the latest in penetration testing techniques focused on the cloud, how to assess cloud environments, as well as other new topics that appear in the cloud like microservices, in-memory data stores, files in the cloud, serverless functions, Kubernetes meshes, and containers. The course also specifically covers Azure and AWS penetration testing, which is particularly important given that Amazon Web Services and Microsoft account for more than half of the market. The goal is not to demonstrate these technologies, but rather to teach you how to assess and report on the true risk that the organization could face if these services are left insecure.

    Students will be able to:

    • Conduct cloud-based penetration tests
    • Assess cloud environments and bring value back to the business by locating vulnerabilities
    • Understand how cloud environments are constructed and how to scale factors into the gathering of evidence
    • Assess security risks in Amazon and Microsoft Azure environments
  • SANS Course: AUD507: Auditing Systems, Applications, and the Cloud
    Certification: GIAC Systems and Network Auditor Certification (GSNA)

    3 Credit Hours

    ISE 6715 is organized specifically to provide a risk driven method for tackling the enormous task of designing an enterprise security validation program. After covering a variety of high-level audit issues and general audit best practice, students will dive deep into the technical how to for determining the key controls that can be used to provide a level of assurance to an organization. Tips on how to repeatably verify these controls and techniques for continuous monitoring and automatic compliance validation are given from real world examples.

  • SANS Course: LDR525: Managing Cybersecurity Initiatives & Effective Communication
    Certification: GIAC Certified Project Manager (GCPM)

    3 Credit Hours

    In ISE 5800 you will learn how to improve your project planning methodology and project task scheduling to get the most out of your critical IT resources. The course utilizes project case studies that highlight information technology services as deliverables. ISE 5800 follows the basic project management structure from the PMP® Guide 5th edition and also provides specific techniques for success with information assurance initiatives. All aspects of IT project management are covered — from initiating and planning projects through managing cost, time, and quality while your project is active, to completing, closing, and documenting as your project finishes.

Study with the best faculty in cybersecurity

470x382-cybersecurity-student-4.jpg

Take Your Next Step

Need more information? We’re happy to answer your questions. Join us for an info session, email info@sans.edu or call 301.241.7665.

Ready to apply? We look forward to learning about you and your career goals.

“I chose the SANS graduate program because the technical content and faculty are unparalleled, and the mix of live and online instruction fit into my work life.” - Joshua Lewis, VP, Threat Intelligence & Incident Response, Umpqua Bank

“After I passed my GCIH certification exam, I got a job offer for twice my current salary. I’m happy where I am, but it’s great to see recruiters going after GIAC certified professionals.” - Agnel D’Silva, IT Administrator, City of Danville, IL

Christopher Haller

SANS.edu Graduate Certificate Student Wins National Cyber League Championship

Christopher Haller beat out more than 6,000 competitors to earn the #1 individual player ranking in the Spring 2022 National Cyber League competition. See why he chose to pursue a graduate certificate at SANS.edu — and learn about his career path from the US Navy to his current role as Director of Professional Services at Centripetal Networks.

Course Delivery Options

Your mind has no borders. Why should your college? Our online and in-person course options are designed to fit your life and how you like to learn.

“You get a lot of personal attention to get through the program because of the student advisors. They are the foundation of the SANS.edu experience.” - Christopher Hurless, Systems Engineer, Northwestern University in Qatar

Join us for a free online info session to learn more.

470x382_STI_Masters_Degree_Tuition.jpg

Tuition

Total program cost: $22,800 USD

Tuition includes the cost of the course, textbooks, and certification tests that serve as mid-term or final exams for courses.

Get the Credit You Deserve
Students who have taken SANS training classes and have active GIAC certifications may be able to waive one course and GIAC certification into the program. See our waiver policy.



TuitionPaymentProgram.png

Fund Your SANS.edu Program in Monthly Installments with No Interest

For students who are U.S. citizens or permanent residents — and don’t use employer education benefits or veterans’ education benefits to fund their SANS.edu program — we offer a Tuition Payment Program (TPP) that enables eligible you to spread out the cost of your program in monthly installments with no interest.

Employer_Education_Benefits_vb_470x382.png

Finance your education, build new skills, and add value for your company — using your employer-sponsored education benefits.

If you want to get the best education in cybersecurity while you work, and your organization offers education benefits, let them help you take your next step. SANS.edu cybersecurity degree and certificate programs are designed for working professionals, and your employee benefits package may help cover the cost of pursing your goals.

Questions?

We're happy to help. Email info@sans.edu or call 301.241.7665.

About the SANS Technology Institute

Founded in 2005, the SANS Technology Institute (SANS.edu) is the independent, regionally-accredited, VA-approved subsidiary of SANS, the world's largest and most trusted provider of cybersecurity training, certification, and research. Offering undergraduate and graduate programs at the cutting edge of cybersecurity, SANS.edu is strengthening the cyber workforce through a career-focused curriculum built on proven SANS courses and industry-recognized GIAC certifications.

The SANS Technology Institute is accredited by The Middle States Commission on Higher Education (1007 North Orange Street, 4th Floor, MB #166, Wilmington, DE 19801 - 267.284.5000), an institutional accrediting agency recognized by the U.S. Secretary of Education and the Council for Higher Education Accreditation.