Google this week introduced Supply chain Levels for Software Artifacts (SLSA), an end-to-end framework to ensure the integrity of software artifacts throughout the software supply chain.
SLSA, pronounced "salsa," is inspired by Google's internal "Binary Authorization for Borg" (BAB), a code review process that aims to reduce insider risk by ensuring production software deployed at Google is reviewed and authorized – especially if it can access user data. Google has used BAB for more than eight years, and it's mandatory for all production workloads.
The goal for SLSA is to help defend against supply chain integrity attacks that Google says have been increasing over the past two years. Following attacks such as those against SolarWinds and Codecov, Google points to the need for a framework to secure a complex supply chain.
"In its current state, SLSA is a set of incrementally adoptable security guidelines being established by industry consensus," wrote Kim Lewandowski of Google's Open Source Security Team, and Mark Lodato of the Binary Authorization for Borg team, in a blog post.
Its final form will be different from a list of best practices, they noted. SLSA will "support the automatic creation of auditable metadata," which can be fed into policy engines to give "SLSA certification" to a package or build platform.
SLSA is designed to be both incremental and actionable, Lewandowski and Lodato explained. It will consist of four levels, with level four indicating the ideal state. Lower levels represent incremental guarantees of security integrity. At level four, consumers have greater assurance that the code hasn't been tampered with and can be securely traced back to its source.
Read Google's full blog post for more information.