Security News > 2021 > June > Google dishes out homemade SLSA, a recipe to thwart software supply-chain attacks
Google has proposed a framework called SLSA for dealing with supply chain attacks, a security risk exemplified by the recent compromise of the SolarWinds Orion IT monitoring platform.
SLSA - short for Supply chain Levels for Software Artifacts and pronounced "Salsa" for those inclined to add convenience vowels - aspires to provide security guidance and programmatic assurance to help defend the software build and deployment process.
"The goal of SLSA is to improve the state of the industry, particularly open source, to defend against the most pressing integrity threats," said Kim Lewandowski, Google product manager, and Mark Lodato, Google software engineer, in a blog post on Wednesday.
Supply chain attacks - attempting to exploit weaknesses in the software creation and distribution pipeline - have surged recently.
"In its final form, SLSA will differ from a list of best practices in its enforceability: it will support the automatic creation of auditable metadata that can be fed into policy engines to give 'SLSA certification' to a particular package or build platform," explain Lewandowski and Lodato.
The hope is that SLSA will help catch issues like hypocrite commits, compromised source control platforms, maliciously modified or compromised build infrastructure, subverted dependencies, dangerous build artifacts, hijacked repositories, and typosquatting attacks.
News URL
https://go.theregister.com/feed/www.theregister.com/2021/06/18/google_slsa_supply_chain_rust/
Related news
- Google Adds New Pixel Security Features to Block 2G Exploits and Baseband Attacks (source)
- Supply Chain Attacks Can Exploit Entry Points in Python, npm, and Open-Source Ecosystems (source)
- Samsung phone users under attack, Google warns (source)
- LottieFiles hit in npm supply chain attack targeting users' crypto (source)
- LottieFiles hacked in supply chain attack to steal users’ crypto (source)
- LottieFiles supply chain attack exposes users to malicious crypto wallet drainer (source)
- Google fixes two Android zero-days used in targeted attacks (source)