A software supply chain, like a traditional supply chain, is all of the processes, code components, activities and environments used to build the end product. A company needs to know what goes into its software in order to threat model it and mitigate the risks. Reviewing the risks in your software supply chain and then accepting or mitigating each one leads to more secure software. You can increase your software supply chain security by using the SLSA framework.
We want to help you with your compliance and security needs. ActiveState implements the controls you need to generate SLSA Level 4 artifacts for the open source software you build with our platform.
The Supply Chain Levels for Software Artifacts (SLSA) framework was introduced to enable consumers to make more informed choices about the software they consume as part of their supply chain, or to provide to their own consumers.
SLSA is a “security framework, a check-list of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure in your projects, businesses or enterprises. It's how you get from safe enough to being as resilient as possible, at any link in the chain.” ¹
“The goal of SLSA is to improve the state of the industry, particularly open source, to defend against the most pressing integrity threats. With SLSA, consumers can make informed choices about the security posture of the software they consume.” ²
ActiveState sources and maintains copies of open source dependencies, acting as a proxy and source repository, and keeps an indefinite build history of all dependencies in all projects built on our platform.
ActiveState does not store your first-party source code, as we are not a source control system. We integrate with popular source control systems such as GitHub so you can use your existing source repository for your first-party source code.
Please note that the Source requirements will not be part of the SLSAv1 spec.
The ActiveState Platform secure build service generates artifacts to deliver ephemeral, isolated, hermetic and completely scripted reproducible builds.
ActiveState generates a Software Bill of Materials (SBOM) for each build to provide you with a non-falsifiable, complete list of all of your dependencies. We are actively working to add a selection of industry standards and signing for the artifacts.
ActiveState currently follows the industry best practices of least privilege, RBAC and multi-factor authentication for all employees. We look forward to ensuring that our security practices align with this part of the spec as it evolves.
Please note that the Common requirements will not be part of the SLSAv1 spec.
¹ SLSA's website: http://slsa.dev
² Google Online Security Blog: Introducing SLSA, an End-to-End Framework for Supply Chain Integrity