Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Google Intros SLSA Framework to Enforce Supply Chain Integrity

Google wants to bring “salsa” to drive enforcement at the software supply chain security party.

Google wants to bring “salsa” to drive enforcement at the software supply chain security party.

The U.S. tech giant this week unveiled SLSA (Supply chain Levels for Software Artifacts), a new end-to-end framework the company hopes will drive the enforcement of standards and guidelines to ensuring the integrity of software artifacts throughout the software supply chain.

The framework, released as part of the OpenSSF Foundation, is essentially a set of security guidelines being established by industry consensus but the long-term play is for SLSA to  support the automatic creation of auditable metadata that can be fed into policy engines to give “SLSA certification” to a particular package or build platform. 

“SLSA is designed to be incremental and actionable, and to provide security benefits at every step. Once an artifact qualifies at the highest level, consumers can have confidence that it has not been tampered with and can be securely traced back to source—something that is difficult, if not impossible, to do with most software today,” Google explained in a statement.

“The goal of SLSA is to improve the state of the industry, particularly open source, to defend against the most pressing integrity threats. With SLSA, consumers can make informed choices about the security posture of the software they consume.”

[ READ: New Code Execution Flaws In Solarwinds Orion Platform ]

The company said the SLSA framework was inspired by its mandatory internal “Binary Authorization for Borg” enforcement checker that ensures production software is properly reviewed and authorized, especially if the code has access to user data.

Binary For Borg has been in use at Google for the past eight years and is mandatory for all of Google’s production workloads. 

The long-term goal is for SLSA to support the automatic creation of auditable metadata that can be fed into policy engines to give “SLSA certification” to a particular package or build platform. “Once an artifact qualifies at the highest level, consumers can have confidence that it has not been tampered with and can be securely traced back to source — something that is difficult, if not impossible, to do with most software today,” the company said.

[ ON DEMAND: Sessions From SecurityWeek’s 2021 Supply Chain Security Summit ]

The company said the framework consists of four levels — SLSA 1-4 — with incremental milestones corresponding with incremental integrity guarantees.

For example, the SLSA 1 requirement calls for the build process to be fully scripted/automated and generate provenance (metadata about how an artifact was built, including the build process, top-level source, and dependencies); while SLSA 2 would require using version control and a hosted build service that generates authenticated provenance. 

At the higher levels, SLSA 3 would require the source and build platforms meet specific standards to guarantee the auditability of the source and the integrity of the provenance; and the SLSA 4 would mandate two-person review of all changes and a hermetic, reproducible build process. 

“Two-person review is an industry best practice for catching mistakes and deterring bad behavior,” Google said.

The proposed framework, available here on GitHub, currently consists of an attempt to find consensus on the definition of a “secure” software supply chain; an accreditation process for organizations to certify compliance with adopted standards; and technical controls to record provenance and detect or prevent non-compliance.

“A minimum, SLSA can be used as a set of guiding principles for software producers and consumers. More importantly, SLSA allows us to talk about supply chain risks and mitigations in a common language. This allows us to communicate and act on those risks across organizational boundaries,” Google argued.

Related: Codecov Dev Tool Compromised in Supply Chain Hack

Related: Remote Hacker Caught Poisoning Florida City Water Supply

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Nation-State

The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.