Security News > 2021 > June > Google dishes out homemade SLSA, a recipe to thwart software supply-chain attacks

Google has proposed a framework called SLSA for dealing with supply chain attacks, a security risk exemplified by the recent compromise of the SolarWinds Orion IT monitoring platform.

SLSA - short for Supply chain Levels for Software Artifacts and pronounced "Salsa" for those inclined to add convenience vowels - aspires to provide security guidance and programmatic assurance to help defend the software build and deployment process.

"The goal of SLSA is to improve the state of the industry, particularly open source, to defend against the most pressing integrity threats," said Kim Lewandowski, Google product manager, and Mark Lodato, Google software engineer, in a blog post on Wednesday.

Supply chain attacks - attempting to exploit weaknesses in the software creation and distribution pipeline - have surged recently.

"In its final form, SLSA will differ from a list of best practices in its enforceability: it will support the automatic creation of auditable metadata that can be fed into policy engines to give 'SLSA certification' to a particular package or build platform," explain Lewandowski and Lodato.

The hope is that SLSA will help catch issues like hypocrite commits, compromised source control platforms, maliciously modified or compromised build infrastructure, subverted dependencies, dangerous build artifacts, hijacked repositories, and typosquatting attacks.

News URL

https://go.theregister.com/feed/www.theregister.com/2021/06/18/google_slsa_supply_chain_rust/