Get startedGet started for free

Levels of the software supply chain

1. Levels of the software supply chain

The software supply chain includes the people, processes, and technology involved in software development. As a cloud security professional, you may take on the exciting and important role of working on securing the different components of the software supply chain. In this video, you’ll learn the moves of a popular framework that cloud security teams and organizations use to strengthen their security. This type of security framework is called SLSA, which stands for Supply-chain Levels for Software Artifacts. Just as salsa dancing can be a great way to stay fit on the dance floor, I think you’ll find that the SLSA framework is a great way for a business to keep its cloud security fit as well. SLSA improves security by outlining standards and controls that enhance the integrity of artifacts. So, what is an artifact? An artifact is a digital object, like a file or image, that is used in the software development lifecycle. SLSA uses guiding principles to make security recommendations. SLSA prioritizes placing trust in build platforms and code over the individuals who have access to them. SLSA does not assume a platform implements correct security measures. Instead, it requires documentation that proves builds are securely configured. SLSA’s framework revolves around three trust boundaries: build integrity, source integrity, and dependencies. Build integrity involves verifying the software uses the correct, original dependencies. For example, developers on a cloud security team should use unmodified source code and follow the workflow prescribed in their CI/CD pipeline. Source integrity tries to ensure the source code actually reflects the developer’s goals and intent and that any code modifications are easily traced and monitored. The dependencies boundary requires that any dependencies used in an artifact are examined using security checks. Now that we’ve learned about SLSA’s trust boundaries, let’s examine the SLSA levels that work together to harden an organization’s security. Organizations can use SLSA’s standards and recommended technical controls to reinforce security throughout the supply chain. To achieve a higher level of security, SLSA splits the security levels into tracks. Developers on a cloud security team complete each track separate from the others, making it easier to address specific security concerns. Each level of the build track focuses on establishing provenance. Provenance is a description of the processes and tools used to build an artifact. Think of SLSA’s framework structure as a pyramid. L0, or the base level, indicates the artifact does not meet SLSA requirements. As a cloud security professional, you can implement the framework, starting at the bottom of the pyramid and gradually moving up to more advanced levels after you’ve cleared the previous level. In L1, document provenance, organizations must meet minimum requirements for documenting the artifact’s provenance. This might include documenting the artifact’s dependencies and detailing how it was built. With documentation standards met, advancing to L2 requires using a hosted build platform for managing builds. Finally, L3 dictates that the build platform used must provide protection against tampering with the artifact’s provenance. It’s important to note that implementing the levels takes time, especially since a cloud security team must meet each level’s requirements before advancing to the next. Depending on the size of the organization, it can take years to achieve the top level, L3. Additionally, SLSA’s framework doesn’t offer security recommendations for companies that intentionally create malicious software. Further, SLSA does not assess the integrity of a developer’s coding practices. Completing these boundary checks and integrating each level’s best practices makes artifacts more resilient, which reduces potential attacks in the software supply chain. Along with levels and boundaries, SLSA recommends incorporating technical controls such as version control, vulnerability scanning, build verification, deployment policies, and artifact management. You can research these on your own if you’re interested in learning more. In this video, you learned some great moves to apply SLSA’s framework to secure the software supply chain. You learned how implementing guidelines at each of the levels gradually secures an organization’s artifacts and build processes. You also learned how trust boundaries and controls reinforce these guidelines and best practices. All these SLSA guidelines will provide a great rhythm to keep an organization's security fit and in step.

2. Let's practice!

Create Your Free Account

or

By continuing, you accept our Terms of Use, our Privacy Policy and that your data is stored in the USA.