Certifications Are Playing Catch-Up
Software supply chain attacks have become one of the most significant threat categories in cybersecurity. SolarWinds, Codecov, 3CX, and xz-utils demonstrated that compromising the supply chain is often more effective than attacking targets directly.
Yet the major cybersecurity certifications — the credentials that define career paths and hiring decisions — have been slow to address supply chain security comprehensively. They are updating, but there remains a meaningful gap between what certifications teach and what practitioners need to know.
Understanding these gaps matters whether you are studying for a certification, hiring certified professionals, or building a training program for your security team.
CISSP: Breadth Without Depth
The Certified Information Systems Security Professional (CISSP) is the most recognized management-level security certification globally. Its eight domains cover the breadth of cybersecurity, and several domains touch on supply chain topics.
What CISSP Covers
Domain 1 (Security and Risk Management) addresses third-party risk management, vendor assessment, and supply chain risk as components of organizational risk management. The coverage is conceptual — you learn that supply chain risk exists and that organizations should assess vendors, but the details of how to evaluate software supply chain security specifically are thin.
Domain 8 (Software Development Security) covers secure software development lifecycle (SDLC) concepts, including code review, testing, and change management. Recent exam updates have added references to software composition analysis and dependency management, but the treatment is introductory.
Domain 6 (Security Assessment and Testing) covers vulnerability assessment and penetration testing, which intersect with supply chain security when assessing third-party components.
What CISSP Misses
CISSP does not cover SBOM generation or consumption, specific supply chain attack patterns (dependency confusion, typosquatting, account takeover), package registry security, or the technical details of evaluating open source component risk. The certification is management-focused by design, and supply chain security requires both management understanding and technical depth.
A CISSP-certified professional understands that supply chain risk matters. They may not know how to assess whether a specific npm package is safe to use.
CEH: Attack Patterns Without Supply Chain Focus
The Certified Ethical Hacker (CEH) certification covers offensive security techniques. It teaches how attackers compromise systems, which should theoretically include supply chain attack vectors.
What CEH Covers
CEH covers a broad range of attack techniques including web application attacks, network attacks, social engineering, and malware. The curriculum includes modules on:
- Session hijacking and injection attacks that are relevant to web application supply chain components
- Malware analysis that includes concepts applicable to supply chain malware
- Web server and application hacking that touches on third-party component exploitation
Recent CEH versions have added content on cloud security and IoT security, both of which have supply chain dimensions.
What CEH Misses
CEH does not meaningfully cover supply chain-specific attack techniques. Dependency confusion, typosquatting, build system compromise, CI/CD pipeline attacks, package registry account takeover, and backdoored open source contributions are either absent or mentioned only briefly.
This is a significant gap because supply chain attacks are increasingly the preferred method for sophisticated threat actors. An ethical hacker who cannot assess supply chain risk is missing one of the most impactful attack surfaces in modern environments.
OSCP: Practical Skills, Limited Supply Chain Scope
The Offensive Security Certified Professional (OSCP) is widely regarded as the most rigorous hands-on penetration testing certification. Its practical exam requires candidates to compromise machines in a controlled environment.
What OSCP Covers
OSCP's hands-on methodology teaches:
- Exploitation of vulnerable software versions (directly relevant to dependency vulnerabilities)
- Privilege escalation through misconfigured or vulnerable system components
- Web application exploitation including injection and authentication bypasses
- Post-exploitation techniques for maintaining access and pivoting
What OSCP Misses
OSCP's lab environment does not include supply chain attack scenarios. Candidates do not practice dependency confusion attacks, build system compromise, or CI/CD pipeline exploitation. The certification focuses on traditional penetration testing — network and application-level attacks against deployed systems.
The OSWE (Offensive Security Web Expert) and OSEP (Offensive Security Experienced Penetration Tester) certifications add depth in web and advanced attack scenarios but still do not address supply chain security systematically.
Emerging Supply Chain-Specific Training
The certification gap is being addressed by newer programs:
OpenSSF courses provide free training on supply chain security fundamentals, SBOM creation and consumption, and secure development practices. These are not certifications per se but provide practical knowledge that traditional certifications lack.
SANS SEC540 (Cloud Security and DevSecOps Automation) covers CI/CD pipeline security, container security, and infrastructure-as-code security — all with supply chain dimensions.
CKS (Certified Kubernetes Security Specialist) covers container image verification, admission controllers, and supply chain security for Kubernetes environments.
Software Supply Chain Security courses from organizations like the Linux Foundation specifically address SBOM, SLSA, Sigstore, and related supply chain security technologies.
Recommendations for Professionals
If you hold CISSP: Supplement with technical training on SBOMs, SCA tools, and supply chain attack patterns. The management framework is solid; you need the technical specifics.
If you hold CEH: Add supply chain attack techniques to your toolkit. Practice dependency confusion in lab environments. Study real-world supply chain compromises in detail.
If you hold OSCP: Extend your penetration testing methodology to include CI/CD pipelines, build systems, and dependency analysis. Supply chain compromise is often the most realistic attack path in well-defended environments.
For hiring managers: Do not assume that certified professionals have supply chain security expertise. Supplement certification requirements with specific experience or training in supply chain risk assessment.
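A concrete version of the two skills called out above, assessing whether a specific npm package is safe to use (the CISSP section) and adding dependency analysis to a penetration testing methodology (the OSCP recommendation): the following Python script is an added example written for this article, not Safeguard's code or any certification's course material. It runs three static checks over the "packages" map of a package-lock.json: internal-looking names that resolved from the public registry (dependency confusion), names one edit away from a popular package (typosquatting), and packages that run a lifecycle script at install time. The lockfile contents, the internal registry host npm.internal.example, the acme-/@acme/ naming convention and the popular-package list are all constructed for the example; the sample package names are illustrative and are not claims about any real package.

```python
"""Static checks for three npm supply chain risks.

Added example for this article (not Safeguard's code). Inputs are constructed
inline so the script runs offline against a lockfile-shaped dict.
"""
import json

PUBLIC_REGISTRY = "https://registry.npmjs.org/"
# Assumed internal registry and naming convention (constructed for the example).
INTERNAL_REGISTRY = "https://npm.internal.example/"
INTERNAL_PREFIXES = ("acme-", "@acme/")
# Small constructed list of widely used package names for the typosquat check.
POPULAR = {"lodash", "express", "request", "chalk", "axios", "minimist", "colors"}

# Constructed package-lock.json (v2/v3 "packages" map). The names are illustrative.
LOCKFILE = json.loads("""{
  "packages": {
    "node_modules/lodash":       {"version": "4.17.21", "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"},
    "node_modules/loadsh":       {"version": "1.0.0",   "resolved": "https://registry.npmjs.org/loadsh/-/loadsh-1.0.0.tgz"},
    "node_modules/acme-auth":    {"version": "99.0.0",  "resolved": "https://registry.npmjs.org/acme-auth/-/acme-auth-99.0.0.tgz"},
    "node_modules/@acme/logger": {"version": "2.1.0",   "resolved": "https://npm.internal.example/@acme/logger/-/logger-2.1.0.tgz"},
    "node_modules/colorz":       {"version": "0.0.3",   "resolved": "https://registry.npmjs.org/colorz/-/colorz-0.0.3.tgz", "hasInstallScript": true}
  }
}""")


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap
    two adjacent characters each cost 1, so 'loadsh' is one edit from 'lodash'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def package_name(path: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (last node_modules segment)."""
    return path.rsplit("node_modules/", 1)[-1]


def audit(lock: dict) -> list:
    """Return (package, finding, detail) triples for the three checks."""
    findings = []
    for path, meta in lock["packages"].items():
        if not path:
            continue  # the empty key is the root project itself, not a dependency
        name = package_name(path)
        resolved = meta.get("resolved", "")
        # 1. Dependency confusion: a package that follows the internal naming
        #    convention but was fetched from the public registry. A resolver that
        #    prefers the highest version is how the public copy wins.
        if name.startswith(INTERNAL_PREFIXES) and resolved.startswith(PUBLIC_REGISTRY):
            findings.append((name, "dependency-confusion",
                             "internal-looking name resolved from the public registry"))
        # 2. Typosquatting: one edit away from a well-known name, but not that name.
        for popular in sorted(POPULAR):
            if name != popular and edit_distance(name, popular) <= 1:
                findings.append((name, "typosquat", f"one edit away from '{popular}'"))
        # 3. Install scripts: arbitrary code runs on the developer or build machine
        #    at install time, before anyone has looked at the package.
        if meta.get("hasInstallScript"):
            findings.append((name, "install-script", "runs a lifecycle script on install"))
    return findings


if __name__ == "__main__":
    for name, kind, detail in audit(LOCKFILE):
        print(f"{kind:22} {name:14} {detail}")
```

In practice the lockfile is read from disk and the popular-package list comes from registry download counts; the checks themselves are the same. The "resolved" URL check is the useful one for dependency confusion because it records where the package was actually fetched from, which a version constraint in package.json does not tell you.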
How Safeguard.sh Helps
Certifications teach concepts; tools enable practice. Safeguard provides hands-on experience with SBOM generation, vulnerability monitoring, and supply chain policy enforcement — the practical skills that certifications do not yet fully cover. For security professionals building supply chain expertise, working with Safeguard provides the operational experience that complements certification knowledge. For organizations, Safeguard automates the supply chain security controls that your certified staff should be overseeing.