The ActiveState Platform Secure Build Service Supports SLSA Levels 1-4 to Mitigate Software Supply Chain Risk
VANCOUVER, British Columbia – June 23, 2022 – Today, ActiveState announced the availability of their secure build service, a major component of the ActiveState Platform, which implements the greatest number of Supply Chain Levels for Software Artifacts (SLSA) Level 4 controls of any publicly available build platform. As defined by slsa.dev, SLSA is “a security framework, a check-list of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure in your projects, businesses or enterprises. It’s how you get from safe enough to being as resilient as possible, at any link in the chain.”
Click to tweet: The ActiveState Platform secure build service provides controls to meet SLSA Level 4 standards which decreases the cost and risk of working with open source dependencies. #secureyoursoftwaresupplychain https://ctt.ac/fXicO+
ActiveState’s Supply Chain Security survey showed that too many organizations (regardless of size) continue to implicitly trust open source language repositories, despite the fact that they provide no guarantee of security or integrity for the millions of third-party software assets they provide to software developers.
The ActiveState Platform secure build service implements the controls to generate SLSA level 4 artifacts for open source components that:
- Are fully scripted and automated
- Generate authenticated provenance
- Provide auditability of the source and the integrity of the provenance, respectively
- Deliver isolated, ephemeral, hermetic and reproducible builds
ActiveState pairs these controls with its unique open source management capabilities to deliver comprehensive software supply chain security that includes:
- Automated, tamper-proof builds of open source language dependencies from source code, including native libraries
- A catalog of source code that is maintained in perpetuity, ensuring build reproducibility even if dependencies are deleted or corrupted in public repositories
- Enriched dependency metadata, including vulnerability and licensing information
- Signed artifacts, ensuring that they haven’t been tampered with
- Optional distribution from an Artifact Repository hosted by ActiveState
This means that DevOps now has a trusted vendor for open source supply chain management as an alternative to setting up their own supply chains, which are time-consuming and inherently insecure.
The ActiveState Platform secure build service supports SLSA Level 4 standards to enable DevOps to dramatically reduce the risk and cost of securing their software supply chain while ensuring the security and integrity of the products and services they create.
Loreli Cadapan, Vice President, Product Management, ActiveState, said: “The effort of building and verifying the security and integrity of every open source dependency used by DevOps teams worldwide can be expensive, requiring significant engineering time and resources. The ActiveState Platform secure build service enables DevOps to consume trusted artifacts at a fraction of the cost by implementing controls to meet SLSA Level 4 standards.”
Read the blog, Why DevOps Leaders Should Understand and Prioritize SLSA
Visit the ActiveState SLSA web page
ActiveState has a 20+ year history of providing secure, scalable open source language solutions to more than 2 million developers and 97% of Fortune 1,000 enterprises. Enterprises choose ActiveState to support mission-critical systems and speed up software development while enhancing the security and integrity of their open source supply chain.
More information about ActiveState’s software supply chain security solutions can be found here.
The original article exists on PR Newswire