Google Launches SLSA, a New Framework for Supply Chain Integrity
The "Supply chain Levels for Software Artifacts" aims to ensure the integrity of components throughout the software supply chain.
June 18, 2021
Google this week introduced Supply chain Levels for Software Artifacts (SLSA), an end-to-end framework to ensure the integrity of software artifacts throughout the software supply chain.
SLSA, pronounced "salsa," is inspired by Google's internal "Binary Authorization for Borg" (BAB), a code review process that aims to reduce insider risk by ensuring production software deployed at Google is reviewed and authorized – especially if it can access user data. Google has used BAB for more than eight years, and it's mandatory for all production workloads.
The goal for SLSA is to help defend against supply chain integrity attacks that Google says have been increasing over the past two years. Following attacks such as those against SolarWinds and Codecov, Google points to the need for a framework to secure a complex supply chain.
"In its current state, SLSA is a set of incrementally adoptable security guidelines being established by industry consensus," wrote Kim Lewandowski of Google's Open Source Security Team, and Mark Lodato of the Binary Authorization for Borg team, in a blog post.
Its final form will be different from a list of best practices, they noted. SLSA will "support the automatic creation of auditable metadata," which can be fed into policy engines to give "SLSA certification" to a package or build platform.
SLSA is designed to be both incremental and actionable, Lewandowski and Lodato explained. It will consist of four levels, with level four indicating the ideal state. Lower levels represent incremental guarantees of security integrity. At level four, consumers have greater assurance that the code hasn't been tampered with and can be securely traced back to its source.
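To make the "auditable metadata fed into a policy engine" idea concrete, here is an added illustration that is not Google's code and does not use SLSA's actual provenance schema: a toy policy check that takes a build provenance statement, verifies it came from a trusted builder, confirms the artifact in hand is the one the builder attested to, and checks that the build is traceable to an allowed source commit. The provenance layout, the builder identifier, the secret, the policy and the HMAC used in place of a real signature are all constructed stand-ins.

```python
"""Toy policy check over build provenance metadata.

Added illustration, not Google's SLSA code or schema: the provenance
layout, the builder list and the HMAC "signature" are all constructed
stand-ins for the auditable metadata the article says SLSA will emit.
"""
import hashlib
import hmac
import json

# Constructed trust roots: builder id -> shared secret (stand-in for a real key).
TRUSTED_BUILDERS = {"builder.example/ci": b"constructed-secret"}

# Constructed policy: which source repositories may produce this package.
POLICY = {"allowed_sources": {"https://git.example/org/app"}}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_provenance(statement: dict, builder_id: str) -> dict:
    """Wrap a statement in a signed envelope (HMAC stands in for a signature)."""
    payload = json.dumps(statement, sort_keys=True).encode()
    tag = hmac.new(TRUSTED_BUILDERS[builder_id], payload, "sha256").hexdigest()
    return {"payload": payload.decode(), "builder_id": builder_id, "sig": tag}


def verify_artifact(artifact: bytes, envelope: dict) -> list:
    """Return a list of policy violations; an empty list means the artifact passes."""
    problems = []
    key = TRUSTED_BUILDERS.get(envelope.get("builder_id"))
    if key is None:
        return ["provenance not from a trusted builder"]
    expected = hmac.new(key, envelope["payload"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, envelope.get("sig", "")):
        return ["provenance signature does not verify"]
    statement = json.loads(envelope["payload"])
    # The artifact we hold must be the one the builder attested to.
    if statement.get("subject_sha256") != sha256_hex(artifact):
        problems.append("artifact digest does not match provenance subject")
    # Traceability back to source: the repository must be allowed and a commit pinned.
    source = statement.get("source_uri")
    if source not in POLICY["allowed_sources"]:
        problems.append(f"source {source!r} not allowed by policy")
    if not statement.get("source_commit"):
        problems.append("provenance does not pin a source commit")
    return problems


# Constructed sample build.
ARTIFACT = b"binary contents of app v1.2.3"
GOOD_STATEMENT = {
    "subject_sha256": sha256_hex(ARTIFACT),
    "source_uri": "https://git.example/org/app",
    "source_commit": "0123abcd",  # constructed placeholder, not a real commit
}
GOOD_ENVELOPE = sign_provenance(GOOD_STATEMENT, "builder.example/ci")


def demo() -> dict:
    """Run the checks on a clean build and on several tampered cases."""
    forged = dict(GOOD_ENVELOPE, sig="00" * 32)
    foreign = sign_provenance(
        dict(GOOD_STATEMENT, source_uri="https://git.example/other/repo"),
        "builder.example/ci",
    )
    return {
        "clean": verify_artifact(ARTIFACT, GOOD_ENVELOPE),
        "tampered_artifact": verify_artifact(ARTIFACT + b"x", GOOD_ENVELOPE),
        "forged_signature": verify_artifact(ARTIFACT, forged),
        "disallowed_source": verify_artifact(ARTIFACT, foreign),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result or "OK")
```

The order of the checks matters: signature verification runs first so that nothing in an unauthenticated statement influences the decision, and the artifact digest is compared before any source policy is consulted so that a valid provenance for a different binary cannot be reused.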
Read Google's full blog post for more information.