Google wants to bring “salsa” to drive enforcement at the software supply chain security party.
The U.S. tech giant this week unveiled SLSA (Supply chain Levels for Software Artifacts), a new end-to-end framework the company hopes will drive the enforcement of standards and guidelines to ensuring the integrity of software artifacts throughout the software supply chain.
The framework, released as part of the OpenSSF Foundation, is essentially a set of security guidelines being established by industry consensus but the long-term play is for SLSA to support the automatic creation of auditable metadata that can be fed into policy engines to give "SLSA certification" to a particular package or build platform.
“SLSA is designed to be incremental and actionable, and to provide security benefits at every step. Once an artifact qualifies at the highest level, consumers can have confidence that it has not been tampered with and can be securely traced back to source—something that is difficult, if not impossible, to do with most software today,” Google explained in a statement.
“The goal of SLSA is to improve the state of the industry, particularly open source, to defend against the most pressing integrity threats. With SLSA, consumers can make informed choices about the security posture of the software they consume.”
[ READ: New Code Execution Flaws In Solarwinds Orion Platform ]
The company said the SLSA framework was inspired by its mandatory internal “Binary Authorization for Borg” enforcement checker that ensures production software is properly reviewed and authorized, especially if the code has access to user data.
Binary For Borg has been in use at Goo ..
Support the originator by clicking the read the rest link below.
