Technology giant Google is throwing its hat into the ring when it comes to cleaning up the mess of software security. Today it announced a new framework designed to protect the coding and development processes that underpin modern software against potentially damaging supply chain attacks.

Rather than focusing on how to protect against specific attacks at specific points in the software development process, Supply chain Levels for Software Artifacts (SLSA, or "salsa" if you want an easy shorthand) is meant to guide developers and security teams in finding and defending against common attacks on every link in the production chain.

Similar to frameworks like the Pentagon's Cybersecurity Maturity Model Certification for contractors, Google's framework maps a range of processes and practices across four different levels of software security sophistication. It also flags eight points in development and production workflows that are vulnerable to various forms of compromise.

According to Google software engineer Dan Lorenc, you can't expect people to jump to the highest level from the beginning; they have to start somewhere, and depending on what they're doing, they may not even need to make that jump, he noted in an interview.

Because open source code is the "[common] link between everyone in the supply chain," he said, the framework is primarily aimed at open source developers. However, it can also be applied to aspects of the commercial software development process.

The framework describes scenarios such as submitting malicious code to the source repository, compromising the build or update server, modifying code as it moves from source control to the build platform, and attacks that bypass continuous integration and deployment processes. Each weakness is illustrated with a real-world attack and with guidance on how to use the framework to detect or stop the breach before it infects downstream customers. One example is the compromise of the SolarWinds Orion build server to inject malicious code into the software's updates.

Higher SLSA levels include security controls that make similar attacks more difficult to carry out, or that limit how long a threat actor can persist in a compromised environment. Similarly, there are several controls that help establish the provenance of software code and prevent the CI/CD process from being bypassed, which is how an attacker breached Codecov and obtained customers' test code and other data.

A Google security official said in a blog post that the idea serves as general guidance for now, but the company ultimately envisions a more formal process.

"In its current state, SLSA is a set of incrementally adoptable security guidelines being established by industry consensus," wrote Mark Lodato, who works with Kim Lewandowski, a member of Google's open source security team, on protecting Google's internal software processes. "In its final form, [it] will differ from a list of best practices in its enforceability: it will support the automatic creation of auditable metadata that can be fed into policy engines to grant SLSA certification to a particular package or build platform."
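To make the "metadata fed to a policy engine" idea concrete, here is an added example that is not from the article or from the SLSA project: a toy policy check that reads a provenance record for a build artifact and decides which level it satisfies. The level rules, field names, trusted builder list and repository URL are all assumptions made for this illustration, not SLSA's actual definitions.

```python
import hashlib

# Assumed allow-list of build services and the expected source repository.
TRUSTED_BUILDERS = {"https://ci.example.com/builder/v1"}
EXPECTED_SOURCE = "git+https://github.com/example/widget"


def artifact_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def assess_level(provenance, artifact: bytes) -> int:
    """Return the highest hypothetical level (0..3) the provenance satisfies."""
    if not provenance:
        return 0
    # Level 1: metadata exists and is bound to this exact build output.
    if provenance.get("subject_sha256") != artifact_digest(artifact):
        return 0
    # Level 2: built by a known build service, so an artifact uploaded
    # outside CI/CD (bypassing the pipeline) cannot claim this level.
    if provenance.get("builder_id") not in TRUSTED_BUILDERS:
        return 1
    # Level 3: source identity pinned to the expected repo and a specific
    # commit, guarding against changes between source control and the build.
    src = provenance.get("source") or {}
    if src.get("uri") == EXPECTED_SOURCE and src.get("commit"):
        return 3
    return 2


def admit(provenance, artifact: bytes, required_level: int) -> bool:
    """Policy decision: admit the package only if it meets the required level."""
    return assess_level(provenance, artifact) >= required_level


# Constructed sample artifact and its provenance record.
SAMPLE_ARTIFACT = b"widget-1.2.3 release binary (constructed)"
SAMPLE_PROVENANCE = {
    "subject_sha256": artifact_digest(SAMPLE_ARTIFACT),
    "builder_id": "https://ci.example.com/builder/v1",
    "source": {"uri": EXPECTED_SOURCE, "commit": "0123abcd (constructed)"},
}

if __name__ == "__main__":
    print("level:", assess_level(SAMPLE_PROVENANCE, SAMPLE_ARTIFACT))
    print("admit at level 2:", admit(SAMPLE_PROVENANCE, SAMPLE_ARTIFACT, 2))
```

A tampered binary, a missing record, or a build from an unknown builder each drops the level, which is the kind of automatic, auditable decision the quoted blog post describes.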

With its scale and reach across a wide variety of software and hardware products, Google has both skin in the game and the potential reach to push many companies toward compliance. That could also create a powerful tool for a for-profit company to use against potential competitors and rivals.

Lorenc told SC Media that how such a certification program would be structured or implemented is still being decided, but said it is possible that a vendor-neutral third party, rather than Google itself, would oversee the certification process.

"I don't think we have [many] things solid in our heads about it yet," he said. "I don't think it will be anything [where] it is supervised or controlled by a single company. That probably doesn't really make sense."

The project is currently open for public comment (see SLSA's GitHub page here), and Google is actively seeking input from outsiders on how to further improve and standardize the framework to make it broadly relevant.

"We think we are in good shape where people can start using it and try to figure out if it is, and then we want to see how it works. We want feedback to enhance it and make sure everything is done correctly," Lorenc said.

