Software Supply Chain Security
A software supply chain, like a physical supply chain, is the full set of processes, code components, activities and environments used to build the end product. An organization needs to know what goes into its software in order to threat model it and mitigate the risks. Reviewing the risks in your software supply chain, and either accepting or mitigating each one, leads to more secure software. The SLSA framework gives that review a structure.
We want to help you with your compliance and security needs. ActiveState implements the controls you need to generate SLSA Level 4 artifacts for the open source you build with our platform.
What is SLSA?
The Supply Chain Levels for Software Artifacts (SLSA) framework was introduced to enable consumers to make more informed choices about the software they consume as part of their supply chain, or to provide to their own consumers.
SLSA is a “security framework, a check-list of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure in your projects, businesses or enterprises. It’s how you get from safe enough to being as resilient as possible, at any link in the chain.” ¹
“The goal of SLSA is to improve the state of the industry, particularly open source, to defend against the most pressing integrity threats. With SLSA, consumers can make informed choices about the security posture of the software they consume.” ²
Source
Maintaining source control integrity
ActiveState sources and maintains its own copies of the open source dependencies it builds, acting as a proxy and source repository, and keeps an indefinite build history of every dependency in every project built on our platform.
ActiveState does not store your first-party source code, as we are not a source control system. We integrate with popular source control systems such as GitHub so you can keep using your existing repository for your first-party code.
Please note that the Source track is not part of the SLSA v1.0 spec.
Build
Enabling secure and repeatable builds
The ActiveState Platform's build service produces artifacts in ephemeral, isolated, hermetic build environments, from builds that are completely scripted and therefore reproducible.
Provenance
Documenting and verifying the specifics of the source and build details
ActiveState generates a Software Bill of Materials (SBOM) for each build to give you a non-falsifiable, complete list of all of your dependencies. We are actively working to add support for a selection of industry standards and signing for the artifacts.
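Provenance is only useful if the consumer actually checks it before installing the artifact. The following is an added example, not ActiveState's code or the output of its platform: it builds a constructed SLSA v1.0 provenance statement (the in-toto Statement format the SLSA spec uses) for a constructed artifact, then applies the checks a consumer should make before trusting the build: the artifact's SHA-256 is listed as a subject, the builder id is the one you trust, and every resolved dependency carries a digest. The builder id, build type and dependency URIs are hypothetical placeholders. The example assumes the statement was obtained over a trusted channel or its signature envelope has already been verified; without a signature, nothing here makes the provenance non-falsifiable.

```python
"""Check a SLSA v1.0 provenance statement against the artifact it describes.

Added example; the artifact, statement, builder id and dependency URIs are
constructed placeholders, not real ActiveState build output.
"""
import hashlib
import json

IN_TOTO_STATEMENT_V1 = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"

# Constructed sample artifact standing in for a built package.
ARTIFACT = b"#!/usr/bin/env python3\nprint('hello from a reproducible build')\n"

# Hypothetical trusted builder identity the consumer's policy pins.
EXPECTED_BUILDER_ID = "https://example.com/builders/hermetic-builder@v1"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed provenance statement for ARTIFACT, in the SLSA v1.0 predicate
# layout (buildDefinition / runDetails). Dependency digests are dummy values.
STATEMENT = {
    "_type": IN_TOTO_STATEMENT_V1,
    "subject": [
        {"name": "hello-1.0.0.tar.gz", "digest": {"sha256": sha256_hex(ARTIFACT)}}
    ],
    "predicateType": SLSA_PROVENANCE_V1,
    "predicate": {
        "buildDefinition": {
            "buildType": "https://example.com/buildtypes/scripted-build/v1",
            "externalParameters": {
                "source": "https://github.com/example/hello@refs/tags/v1.0.0"
            },
            "resolvedDependencies": [
                {"uri": "pkg:pypi/requests@2.31.0", "digest": {"sha256": "a" * 64}},
                {"uri": "pkg:pypi/urllib3@2.0.7", "digest": {"sha256": "b" * 64}},
            ],
        },
        "runDetails": {"builder": {"id": EXPECTED_BUILDER_ID}},
    },
}


def parse_statement(text: str) -> dict:
    """Parse a serialized in-toto statement (the payload of a DSSE envelope)."""
    return json.loads(text)


def verify_provenance(statement: dict, artifact: bytes, expected_builder_id: str) -> list[str]:
    """Return the list of policy violations; an empty list means the artifact is accepted."""
    problems: list[str] = []
    if statement.get("_type") != IN_TOTO_STATEMENT_V1:
        problems.append(f"unexpected statement type {statement.get('_type')!r}")
    if statement.get("predicateType") != SLSA_PROVENANCE_V1:
        problems.append(f"unexpected predicate type {statement.get('predicateType')!r}")

    # The artifact in hand must be one of the subjects the provenance was issued for.
    actual = sha256_hex(artifact)
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == actual for s in subjects):
        problems.append(f"artifact sha256 {actual} is not a subject of this provenance")

    # Only provenance from the builder we trust counts; anyone can claim a build.
    predicate = statement.get("predicate", {})
    builder_id = predicate.get("runDetails", {}).get("builder", {}).get("id")
    if builder_id != expected_builder_id:
        problems.append(f"builder {builder_id!r} is not the trusted builder")

    # Every input the build resolved should be pinned by digest, not just by name.
    deps = predicate.get("buildDefinition", {}).get("resolvedDependencies", [])
    for dep in deps:
        if "sha256" not in dep.get("digest", {}):
            problems.append(f"dependency {dep.get('uri')!r} has no sha256 digest")
    return problems


def dependency_uris(statement: dict) -> list[str]:
    """The SBOM-like view: every dependency the builder recorded for this artifact."""
    deps = statement.get("predicate", {}).get("buildDefinition", {}).get("resolvedDependencies", [])
    return [d["uri"] for d in deps]


if __name__ == "__main__":
    stmt = parse_statement(json.dumps(STATEMENT))
    print("accepted" if not verify_provenance(stmt, ARTIFACT, EXPECTED_BUILDER_ID) else "rejected")
    print("tampered artifact:", verify_provenance(stmt, ARTIFACT + b"\n", EXPECTED_BUILDER_ID))
    print("dependencies:", dependency_uris(stmt))
```

The subject check is what ties a provenance document to a specific set of bytes; the builder check is what makes that document meaningful, since a forged statement can name any subject it likes. In a real deployment both checks sit behind signature verification of the envelope the statement arrives in.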
Common
Defining the common security standards which must be followed
ActiveState currently follows the industry best practices of least privilege, role-based access control (RBAC) and multi-factor authentication for all employees. We look forward to ensuring that our security practices align with this part of the spec as it evolves.
Please note that the Common requirements are not part of the SLSA v1.0 spec.
Sources
¹ SLSA’s website:
² Google Online Security Blog: Introducing SLSA, an End-to-End Framework for Supply Chain Integrity
Get SLSA level 4 compliant in days
SLSA (Supply-chain Levels for Software Artifacts) is an OpenSSF project designed to help organizations secure their software supply chain, which has seen an average 742% increase in attacks over the past three years. In response, governments around the world have tabled legislation, and the US government has issued Executive Order 14028 and proposed fines, all designed to force software developers to secure their software supply chains.
SLSA v1.0 introduces four Build levels (L0 to L3) that help organizations understand where they are on the journey to a secure software supply chain; the Level 4 referred to above is the top level of the earlier v0.1 specification, which v1.0 replaced. You can learn more from our eBook “Journey to Software Supply Chain Security”.