The OpenSSF recently made a big announcement with the release of SLSA (Supply-chain Levels for Software Artifacts) version 1.0. This framework was developed by community experts and provides guidelines for enhancing the security of the software supply chain. SLSA consists of a series of levels, each representing a higher degree of security, designed to ensure the authenticity and integrity of software products. Using SLSA, software developers and users can have greater confidence that their products have not been compromised and can be traced back to their original source.
What is SLSA?
SLSA is a framework that provides a set of best practices for ensuring the security and integrity of the software supply chain. The SLSA framework defines a set of levels, each with specific requirements for securing software artifacts. The levels range from basic security measures, such as verifying software sources and using secure software repositories, to more advanced measures, such as code signing and supply chain attestation. The SLSA framework aims to provide a standardized approach to securing the software supply chain, making it easier for organizations to ensure the security and integrity of the software they use and develop.
What are the benefits of adopting SLSA?
Adopting SLSA can bring several benefits to organizations that develop, deploy, and maintain software, including:
- Improved security and reduced risk of supply chain attacks
- Compliance with security and data privacy regulations
- Improved quality of software by ensuring that it is free from known vulnerabilities and meets certain security standards
- Easier assurance of the security and integrity of the software being used and developed
- A standardized approach to securing the software supply chain
Main Changes in 1.0 Standard
The release of SLSA v1.0 is a significant milestone in the world of software supply chain security. This latest version represents a substantial rework of the specification, incorporating feedback and input from the SLSA community and early adopters to create a more stable and better-defined foundation upon which future versions can build.
The key changes in v1.0 are designed to prioritize simplicity, practicality, and stability, aiming to make it easier for organizations and ecosystems to begin implementing and adopting SLSA with minimal risk of future breaking changes.
SLSA Tracks
A significant conceptual change from v0.1 is the division of SLSA level requirements into multiple tracks. The requirements are now divided into SLSA tracks that each focus on one area of the software supply chain, making adoption easier for users. The division into tracks also benefits the SLSA community, allowing developers to parallelize work on multiple tracks without blocking each other.
SLSA v1.0 defines the SLSA Build track to begin this separation of requirements, with other tracks to come in future versions. Version 1.0 also explains the principles behind SLSA track requirements, which will guide future track additions.
The new SLSA Build track Levels 1-3 roughly correspond to Levels 1-3 of v0.1, minus the source requirements. The SLSA community anticipates that future versions of the specification will continue building on requirements without changing the requirements defined in v1.0. The specification will likely expand to incorporate new tracks and additional levels for existing tracks, with plans currently in place for Build Level 4 and a Source track.
Requirements
Another key improvement in v1.0 is simplifying and reorganizing the core specification, making it easier to understand and apply. Terminology has been expanded to define all necessary concepts fully and to be consistent across the specification, while the security levels have been completely rewritten to provide a high-level overview of the SLSA tracks and levels, explaining the benefits provided by each level.
Furthermore, the producing artifacts section explains requirements for the software producer and the build platform, with some minor changes made to make SLSA easier to adopt. Distributing provenance (new for v1.0) guides software producers and package ecosystems on distributing provenance alongside artifacts, bringing consistency across open-source package ecosystems as they adopt SLSA.
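The consumer-side check that distributed provenance enables is binding the downloaded artifact to the attestation and anchoring trust on the build platform. The following is an added example, not code from the SLSA specification or from Cycode; it assumes the artifact bytes, the builder id and the source URL shown (all constructed placeholders) and skips the DSSE envelope signature check that a real verifier performs first.

```python
import hashlib
import json

# SLSA v1.0 provenance is carried as an in-toto Statement; these two URIs
# identify the statement format and the SLSA v1.0 predicate type.
STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
SLSA_PREDICATE_TYPE = "https://slsa.dev/provenance/v1"

# Constructed artifact content and provenance for this example. A real
# consumer would fetch both from the package ecosystem and would first
# verify the DSSE envelope signature (omitted here).
ARTIFACT = b"example release tarball bytes\n"
PROVENANCE = json.dumps({
    "_type": STATEMENT_TYPE,
    "subject": [{"name": "example-1.0.tgz",
                 "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicateType": SLSA_PREDICATE_TYPE,
    "predicate": {
        "buildDefinition": {
            # placeholder build type and source, not real identifiers
            "buildType": "https://example.invalid/build-types/generic@v1",
            "externalParameters": {"source": "https://example.invalid/repo.git"},
        },
        # placeholder builder id; in practice this names the CI platform
        "runDetails": {"builder": {"id": "https://example.invalid/builders/ci@v1"}},
    },
})


def verify_provenance(statement_json: str, artifact: bytes,
                      trusted_builders: set[str]) -> list[str]:
    """Return a list of policy failures; an empty list means the artifact
    is bound to SLSA v1.0 provenance produced by a builder we trust."""
    failures = []
    stmt = json.loads(statement_json)
    if stmt.get("_type") != STATEMENT_TYPE:
        failures.append("unexpected statement type")
    if stmt.get("predicateType") != SLSA_PREDICATE_TYPE:
        failures.append("predicate is not SLSA v1.0 provenance")
    # The subject digest is what ties the attestation to this exact artifact.
    digest = hashlib.sha256(artifact).hexdigest()
    subjects = stmt.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == digest for s in subjects):
        failures.append("artifact digest not listed in provenance subject")
    # Trust is anchored on the build platform identity, not on the producer's
    # own claims, so the builder id must be on an explicit allow-list.
    builder = stmt.get("predicate", {}).get("runDetails", {}).get("builder", {}).get("id")
    if builder not in trusted_builders:
        failures.append(f"untrusted builder: {builder!r}")
    return failures
```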
Summary
In conclusion, the release of SLSA v1.0 is a significant step forward for software supply chain security, providing a stable and well-defined foundation for future development and adoption. With the division of levels into multiple tracks, a simplified and reorganized core specification, and more explicit guidance on artifact verification, SLSA is now more accessible than ever before, enabling organizations and ecosystems to take advantage of its benefits.
Cycode can assist organizations in adopting SLSA 1.0 by providing a comprehensive software supply chain security solution that aligns with the SLSA requirements. This includes features such as code analysis, vulnerability scanning, and pipeline security to help ensure that software is developed and delivered securely.
Originally published: April 25, 2023