OpenSSF releases SLSA v1.0, adds software supply chain-specific tracks

The Open Source Security Foundation (OpenSSF) has announced the release of Supply-chain Levels for Software Artifacts (SLSA) v.1.0 with structure changes designed to make the software supply chain security framework more accessible and specific to individual areas of the software delivery lifecycle.

SLSA is a community-driven supply chain security standards project that outlines increasing security rigor within the software development process. It aims to address critical pieces of software supply chain security, giving producers, consumers, and infrastructure providers an effective way to assess software security and gain confidence that software hasn’t been tampered with and can be securely traced back to its source. SLSA is backed by several high-profile technology organizations including Google, Intel, Microsoft, VMware, and IBM. The stable release of the SLSA 1.0 lowers the barrier of entry for improvements, helps users focus efforts on improving builds, and reduces the chances of tampering across a large swath of the supply chain, OpenSSF said.

Supply chain attacks are an ever-present threat, often exploiting weak points in the building and distribution of software. Software supply chain security is of increasing importance for governments, businesses, and the wider cybersecurity sector, with open-source resources playing a key role in both software development and related security risks.

SLSA v1.0 introduces Build Track, outlining protection against software tampering

The SLSA v1.0 release makes a significant conceptual change in the division of SLSA’s level requirements into multiple tracks, each providing separate sets of levels that measure a particular aspect of software supply chain security, OpenSSF said. Previously, there was a single track, but new divisions will help users better understand and mitigate the risks associated with software supply chains and ultimately develop, demonstrate, and use more secure and reliable software, it added.

SLSA v1.0 starts with the Build Track, which describes levels of protection against tampering during or after software build. Higher SLSA build levels provide increased confidence that a package truly came from the correct sources, without unauthorized modification or influence, OpenSSF said.

The new Build Track Levels 1-3 roughly correspond to Levels 1-3 of v0.1, minus the source requirements, OpenSSF wrote. The Build Track requirements have been structured to reflect the division of labor across the software supply chain: producing artifacts, verifying build systems, and verifying artifacts.

The Build Track establishes a robust foundation on which to expand the framework to address other critical aspects of the software delivery lifecycle, with future versions of the specification expected to continue building on requirements without changing those defined in v1.0, according to OpenSSF.

SLSA v1.0 also documents the need for provenance verification by providing more explicit guidance on how to verify provenance, along with making corresponding changes to the specification and provenance format. “SLSA 1.0 is a major milestone in the journey to secure our software supply chains,” said Abhishek Arya, engineering director, Google Open Source Security Team. “SLSA provides a common framework for assessing the security of software supply chains, and it will help organizations to make informed decisions about the software they use.”

Software supply chain security high on agenda for governments, cybersecurity sector

Software supply chain security is a key component of the US National Cybersecurity Strategy, released by the Biden administration in May. It requires software providers to assume greater responsibility for the security of their products. Last week, a collection of international government agencies released new guidelines urging software manufacturers to take necessary steps to ship products that are secure-by-design and -default. These include removing default passwords, writing in safer programming languages, and establishing vulnerability disclosure programs for reporting flaws.

Vendors, collectives, and governments launched significant initiatives in 2022 to improve the security of open-source code, software, and development to help improve the overall cyber resilience of the software supply chain.

A lack of cohesion between software development teams and cybersecurity functions has traditionally compounded the software supply chain risks organizations face. Cybersecurity leaders and their teams have been urged to better engage with and educate developers, tailoring security awareness training to address the specific cyber risks surrounding the software development lifecycle.