Table of Contents

Against the backdrop of a recent software supply chain attacks, including SolarWinds and Codecov, Google has proposed a solution to ensure software package integrity and prevent unauthorized modifications.
A framework to secure the software development and deployment pipeline, SLSA (pronounced “salsa”)
aims to detect and mitigate threats arising from tampering with the source code, the build platform, and the artifact repository at every step of the development process.
Google’s input
Google developed the SLSA from the company’s own internal compliance mechanisms,
such as Binary Authorization for Borg,
a set of tools that verify source code provenance and implement code identification to
verify that production software is reviewed and authorized.
According to Kim Lewandowski of Google Open Source Security Team and Mark Lodato of Binary Authorization for Borg,
SLSA is still in its infancy and is one set of incrementally adoptable security guidelines
creating industry consensus.
A key feature of the SLSA framework is that it’s designed to be incremental and
actionable in the software supply chain.
SLSA 4 provides a high degree of confidence that the software hasn’t been improperly tampered with,
comprised of four levels of progressive software security sophistication.
Four levels
SLSA 1 —
Requires that the build process be fully scripted/automated and generate provenance
SLSA 2 —
Requires using version control and a hosted build service that generates authenticated provenance
SLSA 3 —
Requires that the source and build platforms meet specific standards to guarantee the suitability of the source and the integrity of the provenance
SLSA 4 —
Requires a two-person review of all changes and a hermetic, reproducible build process
Additionally,
with the announcement, Google provided details on the Source & Build requirements
that must be met and asked the industry to standardize the process
and prepare a threat model that explains how SLSA will address specific risks over the long term.
The company said.
“Achieving the highest level of SLSA for most projects may be difficult,
but incremental improvements recognized by lower SLSA levels will already go a long
way toward improving the security of the open-source ecosystem.”