Supply chain security represents a complex challenge for organizations across industries, but it might be getting just a bit easier today with the release of the SLSA (pronounced salsa) 1.0 specification.
The Supply-chain Levels for Software Artifacts (SLSA) project got its start as a Google-led effort in 2021 and is now managed as a multi-stakeholder initiative under the Linux Foundation's Open Source Security Foundation (OpenSSF). SLSA is a framework that aims to define, and let consumers verify, the integrity of software artifacts throughout the software supply chain.
For any given application or service, multiple components, or artifacts, are used to build and deliver an offering. The SLSA framework defines several levels of conformance with escalating security rigor; in the 1.0 specification these are the Build track levels, which range from simply producing provenance for an artifact (level 1) to requiring that a hardened, hosted build platform generate and sign that provenance (level 3). The goal is to give consumers assurance that an artifact has not been tampered with and can be traced back to its source with a high degree of confidence.
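What that traceability looks like on the consuming side, as an added example that is not part of the original article and not the SLSA project's own tooling: a minimal Go verifier that checks a SLSA v1.0 provenance statement wrapped in a DSSE envelope. It verifies the envelope signature, confirms the artifact's SHA-256 appears among the statement's subjects, and applies a simple policy on the builder ID and source repository. The statement contents, the key pair, the builder URL `https://builder.example.com/v1` and the repository `github.com/example/app` are all constructed for the example; a real deployment would obtain the builder's public key from the build platform and read the envelope from a release attestation rather than generating both locally.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

const (
	statementType  = "https://in-toto.io/Statement/v1"
	provenanceType = "https://slsa.dev/provenance/v1"
	payloadType    = "application/vnd.in-toto+json"
)

// Statement is the subset of an in-toto v1 Statement carrying a SLSA v1.0
// provenance predicate that this verifier needs.
type Statement struct {
	Type          string    `json:"_type"`
	Subject       []Subject `json:"subject"`
	PredicateType string    `json:"predicateType"`
	Predicate     Predicate `json:"predicate"`
}
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}
type ResolvedDep struct {
	URI    string            `json:"uri"`
	Digest map[string]string `json:"digest"`
}
type Predicate struct {
	BuildDefinition struct {
		BuildType            string        `json:"buildType"`
		ResolvedDependencies []ResolvedDep `json:"resolvedDependencies"`
	} `json:"buildDefinition"`
	RunDetails struct {
		Builder struct {
			ID string `json:"id"`
		} `json:"builder"`
	} `json:"runDetails"`
}

// Envelope is a single-signature DSSE envelope: the statement travels as an
// opaque payload and the signature covers the pre-authentication encoding.
type Envelope struct {
	PayloadType string `json:"payloadType"`
	Payload     string `json:"payload"` // base64 of the serialized statement
	Sig         string `json:"sig"`     // base64 ed25519 signature over PAE
}

// pae is the DSSE pre-authentication encoding:
// "DSSEv1 " + len(type) + " " + type + " " + len(payload) + " " + payload.
func pae(typ string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(typ), typ, len(payload), payload))
}

// newKeyPair stands in for the build platform's signing key (hypothetical).
func newKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// sign is what the build platform does after producing the artifact.
func sign(priv ed25519.PrivateKey, st Statement) (Envelope, error) {
	body, err := json.Marshal(st)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{
		PayloadType: payloadType,
		Payload:     base64.StdEncoding.EncodeToString(body),
		Sig:         base64.StdEncoding.EncodeToString(ed25519.Sign(priv, pae(payloadType, body))),
	}, nil
}

// verifyEnvelope checks the signature before trusting anything in the payload.
func verifyEnvelope(pub ed25519.PublicKey, env Envelope) (Statement, error) {
	var st Statement
	body, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return st, err
	}
	sig, err := base64.StdEncoding.DecodeString(env.Sig)
	if err != nil {
		return st, err
	}
	if !ed25519.Verify(pub, pae(env.PayloadType, body), sig) {
		return st, errors.New("provenance signature does not verify")
	}
	if err := json.Unmarshal(body, &st); err != nil {
		return st, err
	}
	if st.Type != statementType || st.PredicateType != provenanceType {
		return st, fmt.Errorf("unexpected statement/predicate type %q/%q", st.Type, st.PredicateType)
	}
	return st, nil
}

// Policy is the consumer's expectation: which build platform it trusts and
// which repository the artifact must have been built from.
type Policy struct {
	BuilderID string
	SourceURI string // repository part of a "git+https://...@ref" URI
}

// checkArtifact ties the bytes being installed to a verified statement.
func checkArtifact(artifact []byte, st Statement, pol Policy) error {
	sum := sha256.Sum256(artifact)
	want := hex.EncodeToString(sum[:])
	matched := false
	for _, s := range st.Subject {
		if s.Digest["sha256"] == want {
			matched = true
		}
	}
	if !matched {
		return errors.New("artifact digest not among provenance subjects")
	}
	if st.Predicate.RunDetails.Builder.ID != pol.BuilderID {
		return fmt.Errorf("untrusted builder %q", st.Predicate.RunDetails.Builder.ID)
	}
	// Exact match on the repository, so "app-evil" cannot pass as "app".
	for _, d := range st.Predicate.BuildDefinition.ResolvedDependencies {
		repo, _, _ := strings.Cut(d.URI, "@")
		if repo == pol.SourceURI && d.Digest["gitCommit"] != "" {
			return nil
		}
	}
	return errors.New("provenance does not record the expected source repository")
}

// exampleProvenance is constructed sample data standing in for what a build
// platform would emit; builder ID, build type and repository are hypothetical.
func exampleProvenance(artifact []byte) Statement {
	sum := sha256.Sum256(artifact)
	var st Statement
	st.Type = statementType
	st.PredicateType = provenanceType
	st.Subject = []Subject{{Name: "app-1.0.tar.gz", Digest: map[string]string{"sha256": hex.EncodeToString(sum[:])}}}
	st.Predicate.BuildDefinition.BuildType = "https://builder.example.com/buildtypes/container@v1"
	st.Predicate.BuildDefinition.ResolvedDependencies = []ResolvedDep{{
		URI:    "git+https://github.com/example/app@refs/tags/v1.0",
		Digest: map[string]string{"gitCommit": "0123456789abcdef0123456789abcdef01234567"},
	}}
	st.Predicate.RunDetails.Builder.ID = "https://builder.example.com/v1"
	return st
}

func main() {
	pub, priv := newKeyPair()
	artifact := []byte("constructed release tarball bytes") // constructed sample input
	env, _ := sign(priv, exampleProvenance(artifact))
	st, err := verifyEnvelope(pub, env)
	if err != nil {
		panic(err)
	}
	pol := Policy{BuilderID: "https://builder.example.com/v1", SourceURI: "git+https://github.com/example/app"}
	fmt.Println("genuine artifact:", checkArtifact(artifact, st, pol))
	fmt.Println("tampered artifact:", checkArtifact([]byte("tampered"), st, pol))
}
```

The order matters: the signature is verified before any field of the payload is read, the artifact digest is compared against the subject list rather than trusted from a file name, and the builder ID and repository are matched exactly against the consumer's own policy instead of against anything the provenance claims about itself.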
“Technology like this, which is about tracing the provenance of artifacts and the degree of rigor that’s been put into the build processes around it, really cannot be done just at the tail end of a supply chain or by one party in a supply chain,” Brian Behlendorf, general manager of the OpenSSF, told SDxCentral. “It really is only meaningful if it’s done by everybody participating in that supply chain and so it needed to become an open specification.”