The "Supply chain Levels for Software Artifacts" framework aims to ensure the integrity of components throughout the software supply chain.
Google this week introduced Supply chain Levels for Software Artifacts (SLSA), an end-to-end framework to ensure the integrity of software artifacts throughout the software supply chain.
SLSA, pronounced "salsa," is inspired by Google's internal "Binary Authorization for Borg" (BAB), a code review process that aims to reduce insider risk by ensuring production software deployed at Google is reviewed and authorized – especially if it can access user data. Google has used BAB for more than eight years, and it's mandatory for all production workloads.
The goal for SLSA is to help defend against supply chain integrity attacks that Google says have been increasing over the past two years. Following attacks such as those against SolarWinds and Codecov, Google points to the need for a framework to secure a complex supply chain.
"In its current state, SLSA is a set of incrementally adoptable security guidelines being established by industry consensus," wrote Kim Lewandowski of Google's Open Source Security Team, and Mark Lodato of the Binary Authorization for Borg team, in a blog post.
Its final form will be different from a list of best practices, they noted. SLSA will "support the automatic creation of auditable metadata," which can be fed into policy engines to give "SLSA certification" to a package or build platform.
SLSA is designed to be both incremental and actionable, Lewandowski and Lodato explained. It will consist of four levels, with level four indicating the ideal state. Lower levels represent incremental guarantees of security integrity. At level four, consumers have greater assurance that the code hasn't been tampered with and can be securely traced back to its source.
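The mechanism the two paragraphs above describe, a build platform emitting auditable metadata that a consumer's policy engine evaluates to grant a level, can be sketched in a few lines. The following Python is an added illustration, not code from Google's post or from the SLSA project: the provenance field names, the `TRUSTED_BUILDERS` table, the HMAC stand-in for the builder's signature and the per-level checks are all assumptions chosen for this example, and the level definitions are a simplification rather than the framework's actual requirements.

```python
import hashlib
import hmac
import json

# Constructed artifact bytes and a constructed signing key standing in for the
# key a hosted build service would hold (assumptions for this example).
ARTIFACT = b"example package contents\n"
BUILDER_KEY = b"constructed-demo-key"


def canonical(obj):
    """Deterministic JSON encoding so the signature covers a stable byte string."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(body, key=BUILDER_KEY):
    """Builder-side: sign the provenance body (HMAC used here instead of a real signature)."""
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()


# Constructed provenance record; the schema is invented for this example, not SLSA's.
PROVENANCE_BODY = {
    "subject": {"name": "example-1.0.tar.gz",
                "sha256": hashlib.sha256(ARTIFACT).hexdigest()},
    "builder": "hosted-ci.example",            # which build service produced it
    "source": {"repo": "https://git.example/org/example", "commit": "a1b2c3d"},
    "build_config": "ci/build.yml",            # the recorded build recipe
    "hermetic": False,                         # all inputs declared, no network?
    "two_person_reviewed": True,               # source changes reviewed by a second person
}
PROVENANCE = {"body": PROVENANCE_BODY, "signature": sign(PROVENANCE_BODY)}

# Consumer-side trust roots: builders whose provenance we accept, with their keys.
TRUSTED_BUILDERS = {"hosted-ci.example": BUILDER_KEY}


def level_checks(prov, artifact_bytes):
    """Cumulative checks, one per level (illustrative, not the SLSA definitions)."""
    body = prov.get("body", {})
    builder = body.get("builder")
    key = TRUSTED_BUILDERS.get(builder)
    digest_ok = hashlib.sha256(artifact_bytes).hexdigest() == \
        body.get("subject", {}).get("sha256")
    signature_ok = key is not None and hmac.compare_digest(
        sign(body, key), prov.get("signature", ""))
    return [
        # Level 1: provenance exists, names builder and source, and matches the artifact.
        digest_ok and bool(builder) and bool(body.get("source")),
        # Level 2: built by a trusted hosted service from a recorded build config.
        key is not None and bool(body.get("build_config")),
        # Level 3: provenance is non-falsifiable, i.e. the builder's signature verifies.
        signature_ok,
        # Level 4: hermetic build plus two-person review of the source.
        body.get("hermetic") is True and body.get("two_person_reviewed") is True,
    ]


def slsa_level(prov, artifact_bytes):
    """Highest level whose checks, and all lower levels' checks, pass."""
    level = 0
    for ok in level_checks(prov, artifact_bytes):
        if not ok:
            break
        level += 1
    return level


def certify(prov, artifact_bytes, required_level):
    """Policy-engine decision: accept the package only if it reaches the required level."""
    achieved = slsa_level(prov, artifact_bytes)
    return {"level": achieved, "accepted": achieved >= required_level}


if __name__ == "__main__":
    print(certify(PROVENANCE, ARTIFACT, required_level=3))   # accepted at level 3
    print(certify(PROVENANCE, ARTIFACT, required_level=4))   # rejected: not hermetic
```

The point of the signature check at level 3 is the difference between a checklist and auditable metadata: editing the provenance to claim `"hermetic": true` without the builder's key invalidates the signature, so the consumer's policy engine drops the package to level 2 rather than promoting it, and any change to the artifact bytes fails the digest check at level 1.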
Read Google's full blog post for more information.