Implementing Secure Software Supply Chain Practices in DevSecOps

Designed for senior DevOps engineers and DevSecOps leads responsible for integrating security controls throughout the software supply chain in regulated industries (e.g., fintech, healthcare), to spark real collaboration and high-energy learning.

A 90-minute hybrid workshop held in a tech conference suite with both onsite and remote DevSecOps professionals. Attendees are highly technical but often struggle to move from theory to practice—especially under compliance pressure, where abstract security principles rarely translate to actionable steps. Time is limited, and participants expect real-world examples, peer validation, and hands-on engagement.

Icebreaker
Activity 1

Supply Chain Mystery Box

Open the session with a digital 'mystery box' containing the source code of a popular open-source project (e.g., Log4j) and several disguised vulnerabilities. Participants are challenged to predict where supply chain attacks might lurk and what clues they’d look for first—without opening the box. Facilitator then reveals surprising facts and sets the stage for curiosity.

Why this works

Curiosity primes attention and motivates learners to actively seek relevance. The unpredictability and real-world context make participants eager to discover answers.

Icebreaker
Activity 2

Mythbusting ‘Secure by Default’

Facilitator reads aloud three statements about supply chain security (e.g., 'Open-source packages are always safer than proprietary code') and asks the group to vote 'True' or 'False' using colored cards or virtual reactions. Immediate discussion reveals why these common beliefs are flawed, sharing real-world breach examples.

Why this works

Addressing misconceptions early prevents faulty assumptions and primes learners for deeper, more accurate engagement. Interactive mythbusting leverages social proof.

Icebreaker
Activity 3

Pipeline Snap Polls

Facilitator launches rapid-fire poll questions around key DevSecOps pipeline steps—'Where do you scan for vulnerabilities?' ‘Who reviews dependency updates?’—using Mentimeter or sticky notes. No wrong answers, just quick sharing. Results appear instantly, forming a heatmap of group habits and perceptions.

Why this works

Low-pressure polling lets everyone participate without spotlight or judgment, surfacing patterns and gaps that inform later discussions.

Icebreaker
Activity 4

Security Relay Race

Split participants into small teams—each receives a simulated CI/CD pipeline diagram with blank security checkpoints. Teams have 5 minutes to ‘race’ and annotate the diagram with automated tools, manual checks, and reporting steps. Facilitator plays energetic music and counts down. Teams present their annotated pipelines for friendly comparison.

Why this works

Kinesthetic, time-bound activities raise energy, foster peer learning, and make complex workflows tangible. Gamifying encourages fast thinking without over-analysis.

Icebreaker
Activity 5

Incident Case Study Dilemma

Facilitator shares an anonymized real-world supply chain incident (e.g., SolarWinds, dependency hijacking) and presents a timeline with decision points—“At this moment, what would you prioritize: containment, reporting, or remediation?” Groups debate in breakout rooms, then share their chosen strategies and rationale.

Why this works

Real-world dilemmas prompt critical thinking and strategic discussion; learners connect theory to the emotional reality of high-stakes choices.

Icebreaker
Activity 6

Personal Security Commitment Wall

To close, participants write a personal supply chain security commitment—something they will implement or advocate for in their own pipeline—on a digital sticky note (Miro board) or physical card. Commitments are added to a shared 'wall,' creating visual accountability. Facilitator invites 2–3 volunteers to share their note aloud, linking individual action to collective impact.

Why this works

Reflection and commitment deepen learning, connect abstract concepts to personal context, and reinforce group accountability. Public sharing strengthens resolve.