What Is Supply Chain Levels for Software Artifacts (SLSA)?
Supply Chain Levels for Software Artifacts, or SLSA for short, is an end-to-end framework for ensuring the integrity of software artifacts throughout the supply chain. It is inspired by Google's internal "Binary Authorization for Borg," an enforcement check that reduces insider risk by ensuring that software deployed to production at Google has been properly reviewed and authorized.
“The goal of SLSA is to improve the state of the industry, particularly open source, to defend against the most pressing integrity threats. With SLSA, consumers can make informed choices about the security posture of the software they consume,” Google explained in its security blog.
The framework is designed to shield against common supply chain attacks. It consists of four levels, with SLSA 4 representing "the ideal end state." The lower levels are incremental milestones with correspondingly incremental integrity guarantees:
- SLSA 1 requires that the build process be fully scripted/automated and generate provenance;
- SLSA 2 requires using version control and a hosted build service that generates authenticated provenance;
- SLSA 3 further requires that the source and build platforms meet specific standards to guarantee the auditability of the source and the integrity of the provenance, respectively;
- SLSA 4 is currently the highest level, requiring two-person review of all changes and a hermetic, reproducible build process.
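To make the "provenance" that SLSA 1 and 2 require concrete, here is an added example (not part of the original article and not Google's own provenance generator) that builds a minimal in-toto Statement carrying a slsa.dev/provenance/v0.1 predicate for a constructed artifact, wraps it in a DSSE envelope, and then performs the consumer-side checks: signature, statement type, trusted builder, and artifact digest. The artifact bytes, source URI, commit hash, builder ID and key are all constructed for the example; the signature uses HMAC-SHA256 with a shared key purely as a stand-in for the build service's real asymmetric signature, so the envelope layout is faithful but the key model is not.

```python
"""Minimal SLSA v0.1 provenance: build an in-toto Statement, sign it as a DSSE
envelope, and verify it against the artifact. Added example; HMAC is a stand-in
for a real asymmetric builder signature (assumption, not SLSA's requirement)."""
import base64
import hashlib
import hmac
import json

IN_TOTO_STATEMENT = "https://in-toto.io/Statement/v0.1"
SLSA_PREDICATE = "https://slsa.dev/provenance/v0.1"
PAYLOAD_TYPE = "application/vnd.in-toto+json"

# Constructed sample inputs (assumed values, not from any real project).
ARTIFACT = b"#!/bin/sh\necho hello\n"
SOURCE_URI = "git+https://github.com/example/hello@refs/heads/main"
SOURCE_SHA1 = "a" * 40
BUILDER_ID = "https://example.com/builders/ci@v1"
BUILD_KEY = b"builder-signing-key"  # stand-in for the build service's private key


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_statement(artifact_name, artifact, source_uri, source_sha1, builder_id, entry_point):
    """SLSA 1: the scripted build emits provenance naming the artifact (subject),
    the builder, the recipe and the materials (here, the source checkout)."""
    return {
        "_type": IN_TOTO_STATEMENT,
        "subject": [{"name": artifact_name, "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": SLSA_PREDICATE,
        "predicate": {
            "builder": {"id": builder_id},
            "recipe": {"type": "https://example.com/Build@v1",
                       "definedInMaterial": 0, "entryPoint": entry_point},
            "metadata": {"completeness": {"arguments": True, "environment": False,
                                          "materials": False},
                         "reproducible": False},
            "materials": [{"uri": source_uri, "digest": {"sha1": source_sha1}}],
        },
    }


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the bytes that are actually signed."""
    pt = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(pt), pt, len(payload), payload)


def sign_envelope(statement: dict, key: bytes, keyid: str) -> dict:
    """SLSA 2: provenance authenticated by the build service (HMAC stand-in)."""
    payload = json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {"payloadType": PAYLOAD_TYPE,
            "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}]}


def verify(envelope: dict, artifact: bytes, key: bytes, trusted_builders: set):
    """Consumer-side checks, signature first so untrusted bytes are never parsed.
    Returns (ok, reason)."""
    if envelope.get("payloadType") != PAYLOAD_TYPE:
        return False, "unexpected payloadType"
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    sigs = [base64.b64decode(s["sig"]) for s in envelope.get("signatures", [])]
    if not any(hmac.compare_digest(expected, s) for s in sigs):
        return False, "bad signature"
    st = json.loads(payload)
    if st.get("_type") != IN_TOTO_STATEMENT or st.get("predicateType") != SLSA_PREDICATE:
        return False, "not a SLSA provenance statement"
    if st.get("predicate", {}).get("builder", {}).get("id") not in trusted_builders:
        return False, "untrusted builder"
    digest = sha256_hex(artifact)
    if not any(s.get("digest", {}).get("sha256") == digest for s in st.get("subject", [])):
        return False, "artifact digest not in subject"
    return True, "ok"


def tamper_builder(envelope: dict, new_builder: str) -> dict:
    """Rewrite the builder ID inside the payload without re-signing."""
    st = json.loads(base64.b64decode(envelope["payload"]))
    st["predicate"]["builder"]["id"] = new_builder
    forged = dict(envelope)
    forged["payload"] = base64.b64encode(
        json.dumps(st, sort_keys=True, separators=(",", ":")).encode()).decode()
    return forged


if __name__ == "__main__":
    stmt = make_statement("hello.sh", ARTIFACT, SOURCE_URI, SOURCE_SHA1, BUILDER_ID, "build.sh")
    env = sign_envelope(stmt, BUILD_KEY, "ci-key-1")
    print(json.dumps(stmt, indent=2))
    print(verify(env, ARTIFACT, BUILD_KEY, {BUILDER_ID}))
    print(verify(env, ARTIFACT + b"\n", BUILD_KEY, {BUILDER_ID}))
    print(verify(tamper_builder(env, "https://evil.example/builder"), ARTIFACT, BUILD_KEY, {BUILDER_ID}))
```

The verifier deliberately rejects a modified artifact, an unknown builder, and a payload edited after signing; the last case is what separates SLSA 2's "authenticated provenance" from SLSA 1's unsigned file, since without the signature check a consumer would happily accept a provenance document that names a builder it trusts.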
Proof-of-concept also available
Google has also released a proof-of-concept SLSA 1 provenance generator, which lets users create provenance and upload it alongside their build artifacts.
In the future, the company plans to work with popular source, build, and packaging platforms “to make it as easy as possible to reach higher levels of SLSA.”
In conclusion, SLSA is a practical framework aimed at end-to-end software supply chain integrity, based on a model that has proven successful in one of the largest software engineering organizations, Google noted.
A few days ago, Google made another important announcement regarding client-side encryption for Google Workspace, previously known as G Suite. This new security feature gives enterprise customers direct control over their encryption keys and over the identity service used to access those keys.
Client-side encryption makes customer data indecipherable to Google. Of course, customers will still be able to use the company’s native web-based collaboration, access content on mobile devices, and share encrypted files externally.