Security News > 2021 > June > Google Releases New Framework to Prevent Software Supply Chain Attacks
As software supply chain attacks emerge as a point of concern in the wake of SolarWinds and Codecov security incidents, Google is proposing a solution to ensure the integrity of software packages and prevent unauthorized modifications.
Called "Supply chain Levels for Software Artifacts", the end-to-end framework aims to secure the software development and deployment pipeline - i.e., the source build publish workflow - and mitigate threats that arise out of tampering with the source code, the build platform, and the artifact repository at every link in the chain.
Google said SLSA is inspired by the company's own internal enforcement mechanism called Binary Authorization for Borg, a set of auditing tools that verifies code provenance and implements code identity to ascertain that the deployed production software is properly reviewed and authorized.
The SLSA framework promises end-to-end software supply chain integrity and is designed to be both incremental and actionable.
It comprises four different levels of progressive software security sophistication, with SLSA 4 offering a high degree of confidence that the software has not been improperly tinkered.
Along with the announcement, Google has shared additional details about the Source and Build requirements that need to be satisfied, and is also calling on the industry to standardize the system and define a threat model that details specific threats SLSA hopes to address in the long term.
News URL
http://feedproxy.google.com/~r/TheHackersNews/~3/wObvIrqchyE/google-releases-new-framework-to.html
Related news
- Google Adds New Pixel Security Features to Block 2G Exploits and Baseband Attacks (source)
- Supply Chain Attacks Can Exploit Entry Points in Python, npm, and Open-Source Ecosystems (source)
- Samsung phone users under attack, Google warns (source)
- LottieFiles hit in npm supply chain attack targeting users' crypto (source)
- LottieFiles hacked in supply chain attack to steal users’ crypto (source)
- LottieFiles supply chain attack exposes users to malicious crypto wallet drainer (source)
- Google fixes two Android zero-days used in targeted attacks (source)