SOFTWARE SUPPLY CHAIN SECURITY, IN 4 LEVELS.

GET SLSA LEVEL 4 COMPLIANT IN DAYS

SLSA (Supply-chain Levels for Software Artifacts) is an OpenSSF project designed to help organizations secure their software supply chain, which has seen an average 742% increase in attacks over the past 3 years. In response, governments around the world have tabled legislation, and the US government has issued Executive Order 14028 and proposed fines, all of which are designed to force software developers to secure their software supply chain.

SLSA v1.0 introduces four build levels (from 0 to 3) that can help organizations understand where they are on the journey to a secure software supply chain. You can learn more from our eBook “Journey to Software Supply Chain Security”.


With the ActiveState Platform you gain SLSA Build Level 3 in a matter of days (not months). Meet government regulations and avoid potential fines. Free up your developers to work on what matters most: creating features and functionality.

Attestations

Signed attestations provide a critical piece of the EOM and SLSA security framework puzzle.

Provenance

Enable machine-readable audit trails for your builds.

SBOMs (Software Bill of Materials)

Provide auditable trails on who did what, when.

Hardened Build Service

Runtime environments created with our SLSA Build Level 3-hardened build service.

WHAT ARE SLSA BUILD LEVELS?

  • Build Level 0 – no SLSA implementation is present.
  • Build Level 1: Provenance – any code, library or open source package imported into the organization must have a type of software attestation known as a “provenance attestation” that shows where the code was sourced from and how the package was built.
  • Build Level 2: Build Service + Signing – introduces a build service that signs the provenance attestation. Signing ensures that packages were not tampered with after being built; a downstream service verifies the authenticity of the signature.
  • Build Level 3: Hardened Builds – specifies a number of controls that harden the organization’s build service:
    1. Pre-scripted, parameterless builds, so that bad actors cannot access or edit build scripts.
    2. Ephemeral, isolated and hermetically sealed build environments (i.e., no internet access), which guard against bad actors compromising the build process.
    3. An isolated signing service, so that bad actors cannot access the secrets used to sign the provenance.
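To make Levels 1 to 3 concrete, the following is an added example (not ActiveState's code, and not from the SLSA project) that builds a minimal SLSA v1 provenance statement, wraps it in a signed DSSE envelope, and runs the downstream verification the Level 2 text describes: signature check, trusted builder identity, and subject digest matching the artifact actually received. The builder ID, the key and the HMAC-SHA256 stand-in for a real asymmetric signature are assumptions made so the example runs offline with the standard library.

```python
import base64, hashlib, hmac, json

# Constructed demo key shared with a hypothetical build service. Real SLSA provenance is
# signed asymmetrically (e.g. Sigstore/Ed25519); HMAC-SHA256 stands in so this runs offline.
BUILD_SERVICE_KEY = b"constructed-demo-key"
TRUSTED_BUILDER_ID = "https://builder.example/slsa/v1"   # hypothetical builder identity
PAYLOAD_TYPE = "application/vnd.in-toto+json"

def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the bytes the signature actually covers."""
    return b"DSSEv1 %d %s %d %s" % (len(payload_type), payload_type.encode(), len(payload), payload)

def make_provenance(artifact_name: str, artifact: bytes) -> dict:
    """Level 1: an in-toto Statement with a minimal SLSA v1 provenance predicate."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": artifact_name, "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicateType": "https://slsa.dev/provenance/v1",
        "predicate": {
            "buildDefinition": {"buildType": "https://builder.example/build/v1", "externalParameters": {}},
            "runDetails": {"builder": {"id": TRUSTED_BUILDER_ID}},
        },
    }

def sign_envelope(statement: dict, key: bytes) -> dict:
    """Level 2: the build service signs the statement inside a DSSE envelope."""
    payload = json.dumps(statement, separators=(",", ":")).encode()
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {"payloadType": PAYLOAD_TYPE,
            "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": "demo", "sig": base64.b64encode(sig).decode()}]}

def verify_artifact(envelope: dict, artifact_name: str, artifact: bytes, key: bytes) -> bool:
    """Downstream check: valid signature, trusted builder, and digest of the artifact we received."""
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(key, pae(envelope["payloadType"], payload), hashlib.sha256).digest()
    if not any(hmac.compare_digest(expected, base64.b64decode(s["sig"])) for s in envelope["signatures"]):
        return False                      # envelope tampered with, or signed with an unknown key
    st = json.loads(payload)
    if st.get("predicateType") != "https://slsa.dev/provenance/v1":
        return False                      # not a SLSA provenance attestation
    if st.get("predicate", {}).get("runDetails", {}).get("builder", {}).get("id") != TRUSTED_BUILDER_ID:
        return False                      # built by a builder we do not trust
    digest = hashlib.sha256(artifact).hexdigest()
    return any(s["name"] == artifact_name and s["digest"].get("sha256") == digest for s in st["subject"])
```

A real verifier would additionally pin the expected source repository from the predicate and resolve the builder's key through a trust root rather than a shared secret.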

Implementing all these requirements typically involves multiple tools, as well as extensive time and resources. Alternatively, the ActiveState Platform provides a SLSA Build Level 3-compliant service for your open source runtime environments that can be easily integrated with your existing software development process in days.