•  
  •  
 

Publication Date

6-29-2026

Abstract

Supply-chain attacks (including typosquatting, dependency confusion, compromised builds, dataset poisoning, and backdoored models) pose growing threats to analytics platforms central to Information Systems (IS). While frameworks like the Secure Software Development Framework (SSDF) and Supply-chain Levels for Software Artifacts (SLSA) offer guidance, IS curricula often lack accessible, infrastructure-light modules that build practical skills for mitigating these risks. This experience report presents a two-week module embedded in a graduate Secure Coding course required for a Master’s in Applied Security and Analytics degree. The module operationalizes secure development habits across both traditional software and machine learning (ML) pipelines. The module addresses a gap in IS education: the absence of hands-on, replicable interventions that integrate supply-chain hygiene with ML provenance. Students engage in sequenced drills using deterministic Python environments, private package indexes, CI policies that prohibit public fallback, and concise Software and Model Bills of Materials (SBOM/MBOM). The module emphasizes (i) visibility of dependencies and provenance, (ii) integrity enforcement by default, and (iii) evidence-based risk triage. Qualitative analysis of student artifacts and reflections reveals improved onboarding, clearer transitive risk differentiation, stronger policy awareness, and greater fluency in stakeholder-oriented documentation. These outcomes suggest meaningful gains in workforce readiness, especially for roles requiring secure AI/ML deployment and DevSecOps fluency. Aligned with IS2020 competencies and SSDF/SLSA compliance, the module offers a scalable blueprint for IS educators. Future work includes signed attestations, objective pre/post assessments, and cross-institution replication to validate generalizability and deepen cybersecurity pedagogy.

Share

COinS