Google Intros SLSA Framework to Enforce Supply Chain Integrity
2021-06-17 16:35

The U.S. tech giant this week unveiled SLSA, a new end-to-end framework the company hopes will drive the enforcement of standards and guidelines for ensuring the integrity of software artifacts throughout the software supply chain.

"The goal of SLSA is to improve the state of the industry, particularly open source, to defend against the most pressing integrity threats. With SLSA, consumers can make informed choices about the security posture of the software they consume."

The company said the framework consists of four levels, SLSA 1 through 4, each an incremental milestone that corresponds to an incremental integrity guarantee.

SLSA 1 requires that the build process be fully scripted/automated and generate provenance, while SLSA 2 additionally requires version control and a hosted build service that generates authenticated provenance.

At the higher levels, SLSA 3 requires that the source and build platforms meet specific standards to guarantee the auditability of the source and the integrity of the provenance, and SLSA 4 mandates two-person review of all changes and a hermetic, reproducible build process.
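The two recurring notions in those level descriptions are provenance (a record of what was built, from which source, by which builder) and authenticated provenance (the same record, but signed so a consumer can tell who vouches for it). The following is an added example, not code from Google or the SLSA project and not the SLSA provenance schema: a simplified provenance record, a stand-in signature (HMAC, where a real build service would use a public-key signature), and a consumer-side verifier that rejects an untrusted builder, a bad signature, an artifact whose digest does not match the record, and an artifact built from a repository other than the one expected. The builder id, repository URL, commit id, key and artifact bytes are all constructed for the demo.

```python
import hashlib
import hmac
import json
from typing import Tuple

# Constructed sample trust store: builder id -> verification key.
# A real consumer would hold the build service's public key instead of a shared secret.
TRUSTED_BUILDER_KEYS = {
    "hosted-builder.example": b"builder-signing-key-EXAMPLE",
}


def artifact_digest(artifact: bytes) -> str:
    """SHA-256 of the artifact bytes; this is what the provenance 'subject' refers to."""
    return hashlib.sha256(artifact).hexdigest()


def build_provenance(artifact: bytes, builder_id: str, repo: str, commit: str, build_cmd: str) -> dict:
    """Provenance record a build service would emit alongside the artifact (simplified shape)."""
    return {
        "subject": {"sha256": artifact_digest(artifact)},
        "builder": builder_id,
        "source": {"repo": repo, "commit": commit},
        "build": {"command": build_cmd},
    }


def sign_provenance(provenance: dict, key: bytes) -> dict:
    """Authenticate the record. HMAC stands in for the builder's real signature."""
    payload = json.dumps(provenance, sort_keys=True, separators=(",", ":"))
    mac = hmac.new(key, payload.encode(), "sha256").hexdigest()
    return {"payload": payload, "mac": mac}


def verify_artifact(artifact: bytes, envelope: dict, expected_repo: str) -> Tuple[bool, str]:
    """Consumer-side check run before an artifact is accepted for deployment."""
    payload = envelope.get("payload", "")
    try:
        provenance = json.loads(payload)
    except ValueError:
        return False, "provenance payload is not valid JSON"
    # 1. Only builders we trust may vouch for an artifact.
    key = TRUSTED_BUILDER_KEYS.get(provenance.get("builder"))
    if key is None:
        return False, "provenance claims an untrusted builder"
    # 2. The record must be authenticated by that builder's key.
    expected_mac = hmac.new(key, payload.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected_mac, envelope.get("mac", "")):
        return False, "provenance authentication failed"
    # 3. The record must describe exactly these bytes.
    if provenance["subject"]["sha256"] != artifact_digest(artifact):
        return False, "artifact digest does not match provenance subject"
    # 4. The artifact must come from the source repository we expect.
    if provenance["source"]["repo"] != expected_repo:
        return False, "artifact was built from an unexpected source repository"
    return True, "ok"


def demo() -> dict:
    """Run the verifier over a genuine artifact and three failure cases (all constructed)."""
    artifact = b"#!/bin/sh\necho release 1.2.3\n"
    repo = "https://git.example/org/app"
    prov = build_provenance(artifact, "hosted-builder.example", repo, "0123abcd", "make release")
    envelope = sign_provenance(prov, TRUSTED_BUILDER_KEYS["hosted-builder.example"])
    return {
        "genuine": verify_artifact(artifact, envelope, repo),
        # Bytes changed after the build: digest no longer matches the record.
        "tampered": verify_artifact(artifact + b"# injected\n", envelope, repo),
        # Record is valid, but the consumer expected a different repository.
        "wrong_repo": verify_artifact(artifact, envelope, "https://git.example/org/fork"),
        # Record claims the trusted builder but was authenticated with some other key.
        "forged": verify_artifact(artifact, sign_provenance(prov, b"not-the-builder-key"), repo),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:10s} accepted={ok} ({reason})")
```

The order of the checks matters: authentication comes before any use of the record's contents, so a forged or altered record is rejected before its claimed digest or repository is trusted. Unauthenticated provenance (the SLSA 1 floor) is only the first three fields of the record with no envelope at all, which is why the level descriptions treat authentication as a separate step up.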

"At a minimum, SLSA can be used as a set of guiding principles for software producers and consumers. More importantly, SLSA allows us to talk about supply chain risks and mitigations in a common language. This allows us to communicate and act on those risks across organizational boundaries," Google argued.


News URL

http://feedproxy.google.com/~r/securityweek/~3/BpGbOaJEA4Y/google-intros-slsa-framework-enforce-supply-chain-integrity

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Google 141 994 4851 2759 1634 10238