To address the growing threat of attacks on the software supply chain, Google has proposed the Supply-chain Levels for Software Artifacts framework, or SLSA, pronounced “salsa.”

Sophisticated attackers understand that the software supply chain underpins the entire software industry. Beyond the groundbreaking SolarWinds hack, Google points to the recent Codecov supply chain attack, which reached cybersecurity company Rapid7 through a tampered Bash uploader script.

Supply chain attacks aren’t new, but Google says they have escalated over the past year as attackers have shifted their focus away from exploiting known or zero-day software vulnerabilities.

Google describes SLSA as “an end-to-end framework for ensuring the integrity of software deliverables throughout the software supply chain.”

SLSA is derived from Google’s internal Binary Authorization for Borg (BAB), which Google has used for more than eight years to verify the provenance of code and to implement code identity.

BAB’s goal is to mitigate insider risk by ensuring that production software deployed at Google is properly reviewed, particularly code with access to user data, as Google describes in a white paper.

“SLSA’s goal is to improve the state of the industry, especially open source, to protect against the most pressing integrity threats. With SLSA, consumers are informed about the security regime of the software they consume. You can make your choice,” said Mark Lodato of Google’s open source security and BAB teams.

SLSA seeks to lock down everything in the software build chain, from developers to source code, build platforms and CI / CD systems, package repositories, and dependencies.

Dependencies are a major weakness of open source software projects. In February, Google proposed a new set of standards for critical open source projects that would require code review by two independent parties and two-factor authentication for maintainers.

Higher SLSA levels could have helped prevent the attack on SolarWinds’ software build system, which was compromised to install an implant that injected a backdoor into every new build. Google also argues that SLSA would have helped in the Codecov attack because “the history of artifacts in GCS buckets indicates that the artifacts were not built the expected way from the expected source repository.”

The SLSA framework is only a set of guidelines so far, but Google expects its final form to go beyond best practices and be enforced.

“We support the automatic creation of auditable metadata that can be fed to the policy engine to give ‘SLSA certification’ to a particular package or build platform,” Google said.

The scheme consists of four SLSA levels, with level four representing the ideal state of protection for the entire software development process, as shown below.

[Image: the four SLSA levels. Credit: Google]

