Against the backdrop of a recent software supply chain attacks, including SolarWinds and Codecov, Google has proposed a solution to ensure software package integrity and prevent unauthorized modifications.

A framework to secure the software development and deployment pipeline, SLSA (pronounced “salsa”)

aims to detect and mitigate threats arising from tampering with the source code, the build platform, and the artifact repository at every step of the development process.

Google’s input

Google developed the SLSA from the company’s own internal compliance mechanisms,

such as Binary Authorization for Borg,

a set of tools that verify source code provenance and implement code identification to

verify that production software is reviewed and authorized.

According to Kim Lewandowski of Google Open Source Security Team and Mark Lodato of Binary Authorization for Borg,

SLSA is still in its infancy and is one set of incrementally adoptable security guidelines

creating industry consensus.

A key feature of the SLSA framework is that it’s designed to be incremental and

actionable in the software supply chain.

SLSA 4 provides a high degree of confidence that the software hasn’t been improperly tampered with,

comprised of four levels of progressive software security sophistication.

Four levels

SLSA 1 —

Requires that the build process be fully scripted/automated and generate provenance

SLSA 2 —

Requires using version control and a hosted build service that generates authenticated provenance

SLSA 3 —

Requires that the source and build platforms meet specific standards to guarantee the suitability of the source and the integrity of the provenance

SLSA 4 —

Requires a two-person review of all changes and a hermetic, reproducible build process

Additionally,

with the announcement, Google provided details on the Source & Build requirements

that must be met and asked the industry to standardize the process

and prepare a threat model that explains how SLSA will address specific risks over the long term.

The company said.

“Achieving the highest level of SLSA for most projects may be difficult,

but incremental improvements recognized by lower SLSA levels will already go a long

way toward improving the security of the open-source ecosystem.”