<!DOCTYPE html> <html lang="en"><head> <meta charset="utf-8" /> <meta http-equiv="X-UA-Compatible" content="IE=edge" /> <meta name="viewport" content="width=device-width, initial-scale=1" /><!-- Begin Jekyll SEO tag v2.8.0 --> <meta name="generator" content="Jekyll v3.9.5" /> <meta property="og:title" content="Blog" /> <meta property="og:locale" content="en_US" /> <meta name="description" content="Recent blog posts from the SLSA community." /> <meta property="og:description" content="Recent blog posts from the SLSA community." /> <meta property="og:site_name" content="SLSA" /> <meta property="og:image" content="/images/icons/android-chrome-192x192.png" /> <meta property="og:type" content="website" /> <meta name="twitter:card" content="summary_large_image" /> <meta property="twitter:image" content="/images/icons/android-chrome-192x192.png" /> <meta property="twitter:title" content="Blog" /> <script type="application/ld+json"> {"@context":"https://schema.org","@type":"WebPage","description":"Recent blog posts from the SLSA community.","headline":"Blog","image":"/images/icons/android-chrome-192x192.png","publisher":{"@type":"Organization","logo":{"@type":"ImageObject","url":"/images/icons/android-chrome-512x512.png"}},"url":"/blog"}</script> <!-- End Jekyll SEO tag --> <link rel="stylesheet" href="/vendor/tailwindcss-2.2.19/tailwind.min.css"> <link rel="stylesheet" href="/assets/main.css"> <link rel="apple-touch-icon" sizes="180x180" href="/images/icons/apple-touch-icon.png"> <link rel="icon" type="image/png" sizes="32x32" href="/images/icons/favicon-32x32.png"> <link rel="icon" type="image/png" sizes="16x16" href="/images/icons/favicon-16x16.png"> <link rel="icon" type="image/png" sizes="16x16" href="/images/icons/favicon-16x16.png"> <link rel="icon" type="image/x-icon" href="/images/icons/favicon.ico"> <link rel="mask-icon" href="/images/icons/safari-pinned-tab.svg" color="#5bbad5"> <meta name="msapplication-TileColor" content="#da532c" /> <meta 
name="msapplication-square150x150logo" content="/images/icons/mstile-150x150.png" /> <meta name="theme-color" content="#ffffff" /> <title>SLSA • Blog</title> <link rel="stylesheet" href="/fonts/inter/inter.css"> <link rel="stylesheet" href="/fonts/ibm_plex/IBMPlexMono-Regular.css"> <link rel="stylesheet" href="/fonts/prodigy/ProdigySans.css"> <script src="/vendor/swiper-6.8.4/swiper-bundle.min.js"></script> <link rel="stylesheet" href="/vendor/swiper-6.8.4/swiper-bundle.min.css"> <script defer src="/vendor/alpinejs-3.10.2/cdn.min.js"></script><link type="application/atom+xml" rel="alternate" href="/feed.xml" title="SLSA" /></head> <body x-data="{navOpen: false}" x-init="$refs.body.style.setProperty('--scrollbar-width', `${window.innerWidth - document.body.offsetWidth}px`)" x-ref="body" ><aside class="site-aside flex flex-col flex-none" :class="{'is-open': navOpen}" > <div class="aside-header p-5 flex justify-between items-center show-laptop"> <a rel="author" href="/" class="logo block"> <img class="logo-white" src="/images/logo.svg" alt="SLSA logo" /> </a> <a class="desktop-github-icon" href="https://github.com/slsa-framework/slsa" target="_blank"> <svg width="22" height="22" viewBox="0 0 22 22" fill="currentColor" xmlns="http://www.w3.org/2000/svg"> <path fill-rule="evenodd" clip-rule="evenodd" d="M11.2344 0.150879C5.28641 0.150879 0.468811 4.96848 0.468811 10.9165C0.468811 15.6803 3.55046 19.7039 7.82978 21.1303C8.36806 21.2245 8.56991 20.9016 8.56991 20.619C8.56991 20.3633 8.55646 19.5155 8.55646 18.6139C5.8516 19.1118 5.15184 17.9545 4.93653 17.3489C4.81541 17.0394 4.29059 16.084 3.83306 15.8283C3.45626 15.6264 2.91798 15.1285 3.8196 15.1151C4.66739 15.1016 5.27295 15.8956 5.47481 16.2185C6.44371 17.8468 7.99126 17.3893 8.61028 17.1067C8.70448 16.4069 8.98708 15.9359 9.29659 15.6668C6.90125 15.3977 4.39825 14.4691 4.39825 10.3513C4.39825 9.18051 4.81541 8.21161 5.50172 7.45802C5.39407 7.18888 5.01727 6.08541 5.60938 4.60514C5.60938 4.60514 6.51099 4.32254 
8.56991 5.70861C9.43116 5.46639 10.3462 5.34527 11.2613 5.34527C12.1764 5.34527 13.0914 5.46639 13.9527 5.70861C16.0116 4.30909 16.9132 4.60514 16.9132 4.60514C17.5053 6.08541 17.1285 7.18888 17.0209 7.45802C17.7072 8.21161 18.1244 9.16706 18.1244 10.3513C18.1244 14.4826 15.6079 15.3977 13.2126 15.6668C13.6028 16.0032 13.9392 16.6492 13.9392 17.6584C13.9392 19.0983 13.9258 20.2556 13.9258 20.619C13.9258 20.9016 14.1276 21.238 14.6659 21.1303C16.8031 20.4088 18.6602 19.0353 19.9758 17.2031C21.2915 15.3708 21.9994 13.1721 22 10.9165C22 4.96848 17.1824 0.150879 11.2344 0.150879Z" /> </svg> </a> </div> <div class="aside-content px-5 py-1 flex-1 overflow-auto"> <select id="redirectSelect.show-laptop" disabled class="select-dropdown p-1 mx-1 my-4 opacity-0 show-laptop border-gray-400"> <option selected value="" class="inline-block"></option> </select> <nav class="site-nav"><ul><li> <a class="nav-link" href="/spec/v1.0/"> Overview </a> </li><li> <span class="section-title">Understanding SLSA</span> <ul><li> <a class="nav-link" href="/spec/v1.0/whats-new"> What's new in v1.0 </a> </li><li> <a class="nav-link" href="/spec/v1.0/about"> About SLSA </a> </li><li> <a class="nav-link" href="/spec/v1.0/threats-overview"> Supply chain threats </a> </li><li> <a class="nav-link" href="/spec/v1.0/use-cases"> Use cases </a> </li><li> <a class="nav-link" href="/spec/v1.0/principles"> Guiding principles </a> </li><li> <a class="nav-link" href="/spec/v1.0/faq"> FAQ </a> </li><li> <a class="nav-link" href="/spec/v1.0/future-directions"> Future directions </a> </li> </ul> </li><li> <span class="section-title">Core specification</span> <ul><li> <a class="nav-link" href="/spec/v1.0/terminology"> Terminology </a> </li><li> <a class="nav-link" href="/spec/v1.0/levels"> Security levels </a> </li><li> <a class="nav-link" href="/spec/v1.0/requirements"> Producing artifacts </a> </li><li> <a class="nav-link" href="/spec/v1.0/distributing-provenance"> Distributing provenance </a> </li><li> <a 
class="nav-link" href="/spec/v1.0/verifying-artifacts"> Verifying artifacts </a> </li><li> <a class="nav-link" href="/spec/v1.0/verifying-systems"> Verifying build platforms </a> </li><li> <a class="nav-link" href="/spec/v1.0/threats"> Threats & mitigations </a> </li> </ul> </li><li> <span class="section-title">Attestation formats</span> <ul><li> <a class="nav-link" href="/attestation-model"> General model </a> </li><li> <a class="nav-link" href="/spec/v1.0/provenance"> Provenance </a> </li><li> <a class="nav-link" href="/spec/v1.0/verification_summary"> Verification Summary </a> </li> </ul> </li><li> <span class="section-title">How to SLSA</span> <ul><li> <a class="nav-link" href="/get-started"> For developers </a> </li><li> <a class="nav-link" href="/how-to-orgs"> For organizations </a> </li><li> <a class="nav-link" href="/how-to-infra"> For infrastructure providers </a> </li> </ul> </li><li> <a class="nav-link" href="/spec-stages"> Specification stages </a> </li><li> <a class="nav-link" href="/community"> Community </a> </li><li> <a class="nav-link is-active" href="/blog"> Blog </a> </li><li> <a class="nav-link" href="/spec/v1.0/onepage"> Single-page view </a> </li> </ul> </nav> </div> </aside> <div class="site-main"> <header class="site-header flex-none" x-data="{ fixed: false, hidden: false, lastPos: window.scrollY, scrolledPast: false }" x-ref="navbar" x-on:scroll.window=" fixed = window.scrollY > lastPos ? 
window.scrollY >= $refs.navbar.offsetHeight : window.scrollY > 0; hidden = fixed && window.scrollY > lastPos; if (window.scrollY > $refs.navbar.offsetHeight && !scrolledPast) { setTimeout(() => $refs.navbar.classList.add('is-scrolled-past'), 500); scrolledPast = true; } else if (window.scrollY === 0) { $refs.navbar.classList.remove('is-scrolled-past'); scrolledPast = false; } lastPos = window.scrollY; " x-bind:class="{ 'is-fixed': fixed, 'is-hidden': hidden, 'menu-open': navOpen }" > <div class="site-header-inner h-full flex items-center gap-5" > <button x-on:click="navOpen = !navOpen" :class="{ 'active': navOpen }" class="mobile-menu-button inline-block hide-laptop"> <span></span> <span></span> <span></span> </button> <a rel="author" href="/" class="logo block"> <img class="logo-white" src="/images/logo.svg" alt="SLSA logo" /> </a> <select id="redirectSelect.hide-laptop" disabled class="select-dropdown p-1 mx-1 my-4 opacity-0 hide-laptop border-gray-400"> <option selected value="" class="inline-block"></option> </select> <a class="desktop-github-icon ml-auto" href="https://github.com/slsa-framework/slsa" target="_blank"> <svg width="22" height="22" viewBox="0 0 22 22" fill="currentColor" xmlns="http://www.w3.org/2000/svg"> <path fill-rule="evenodd" clip-rule="evenodd" d="M11.2344 0.150879C5.28641 0.150879 0.468811 4.96848 0.468811 10.9165C0.468811 15.6803 3.55046 19.7039 7.82978 21.1303C8.36806 21.2245 8.56991 20.9016 8.56991 20.619C8.56991 20.3633 8.55646 19.5155 8.55646 18.6139C5.8516 19.1118 5.15184 17.9545 4.93653 17.3489C4.81541 17.0394 4.29059 16.084 3.83306 15.8283C3.45626 15.6264 2.91798 15.1285 3.8196 15.1151C4.66739 15.1016 5.27295 15.8956 5.47481 16.2185C6.44371 17.8468 7.99126 17.3893 8.61028 17.1067C8.70448 16.4069 8.98708 15.9359 9.29659 15.6668C6.90125 15.3977 4.39825 14.4691 4.39825 10.3513C4.39825 9.18051 4.81541 8.21161 5.50172 7.45802C5.39407 7.18888 5.01727 6.08541 5.60938 4.60514C5.60938 4.60514 6.51099 4.32254 8.56991 5.70861C9.43116 5.46639 
10.3462 5.34527 11.2613 5.34527C12.1764 5.34527 13.0914 5.46639 13.9527 5.70861C16.0116 4.30909 16.9132 4.60514 16.9132 4.60514C17.5053 6.08541 17.1285 7.18888 17.0209 7.45802C17.7072 8.21161 18.1244 9.16706 18.1244 10.3513C18.1244 14.4826 15.6079 15.3977 13.2126 15.6668C13.6028 16.0032 13.9392 16.6492 13.9392 17.6584C13.9392 19.0983 13.9258 20.2556 13.9258 20.619C13.9258 20.9016 14.1276 21.238 14.6659 21.1303C16.8031 20.4088 18.6602 19.0353 19.9758 17.2031C21.2915 15.3708 21.9994 13.1721 22 10.9165C22 4.96848 17.1824 0.150879 11.2344 0.150879Z" /> </svg> </a> </div> </header> <main class="site-clamp" aria-label="Content"> <header class="content-header"> <h1 class="mb-16">Blog</h1> </header> <div class="site-content"> <div class="content markdown main-content"> <ul style="list-style: none;"> <li class="mb-8"> <h2 class="h2 mb-6"><a href="/blog/2024/08/dep-confusion-and-typosquatting">Defender's Perspective: Dependency Confusion and Typosquatting Attacks</a></h2> <p><b> by Meder Kydyraliev (Google) on 13 Aug 2024</b></p> <p><em>Dependency confusion</em> and <em>typosquatting</em> attacks are very similar in nature. They both exploit the weakness in the way many package managers identify packages using only their names. Successfully exploiting this weakness enables the attacker to run arbitrary code at install time or at the application’s run time. 
These attacks are scalable, portable, and extremely cost-effective to carry out—making them very appealing to malicious actors.</p> </li> <li class="mb-8"> <h2 class="h2 mb-6"><a href="/blog/2024/04/tekton-chains-ibm-devsecops">Securing software artifacts with Tekton Chains and IBM's DevSecOps</a></h2> <p><b>Guest post by Arnaud J Le Hors on 16 Apr 2024</b></p> <p>Tekton Chains, and the IBM DevSecOps offering that builds on it, can now be used to secure software artifacts with SLSA.</p> </li> <li class="mb-8"> <h2 class="h2 mb-6"><a href="/blog/2023/08/bring-your-own-builder-github">Build your own SLSA 3+ provenance builder on GitHub Actions</a></h2> <p><b> by Andres Almiray (JReleaser), Adam Korczynski (Ada Logics), Philip Harrison (GitHub), Laurent Simon (Google) on 28 Aug 2023</b></p> <p>It has been an exciting quarter for supply chain security and SLSA, with the release of the <a href="/blog/2023/04/slsa-v1-final">SLSA v1.0 specification</a>, <a href="https://github.blog/2023-04-19-introducing-npm-package-provenance/">SLSA provenance support for npm</a>, and the announcement of new SLSA Level 3 builders for <a href="/blog/2023/05/bringing-improved-supply-chain-security-to-the-nodejs-ecosystem">Node.js</a> and <a href="/blog/2023/06/slsa-github-workflows-container-based">containers</a>!</p> </li> <li class="mb-8"> <h2 class="h2 mb-6"><a href="/blog/2023/06/slsa-github-workflows-container-based">Announcing Container-based SLSA 3 Builder on GitHub Actions</a></h2> <p><b> by Asra Ali, Razieh Behjati, Tiziano Santoro (Google) on 13 Jun 2023</b></p> <p>Following the recent <a href="https://openssf.org/press-release/2023/04/19/openssf-announces-slsa-version-1-0-release/">launch of SLSA v1.0</a>, we’re announcing a new, <a href="https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/docker">GitHub Actions workflow</a> that achieves SLSA Build Track Level 3 for provenance generation. 
This lets users generate <a href="/spec/v1.0/requirements#provenance-unforgeable">unforgeable provenance</a>, allowing consumers to trust <em>and</em> verify how their software artifacts were built. The container-based SLSA 3 builder is the result of a collaboration between the Google Open Source Security Team (GOSST), the SLSA community, and <a href="https://github.com/project-oak/oak">Project Oak</a>.</p> </li> <li class="mb-8"> <h2 class="h2 mb-6"><a href="/blog/2023/05/bringing-improved-supply-chain-security-to-the-nodejs-ecosystem">Bringing Improved Supply Chain Security to the Node.js Ecosystem</a></h2> <p><b> by Ian Lewis & Laurent Simon (Google), Fredrik Skogman (GitHub) on 11 May 2023</b></p> <p>It has been a big month for supply chain security! <a href="https://github.blog/2023-04-19-introducing-npm-package-provenance/">GitHub recently announced the public beta</a> for npm package provenance. This adds new functionality to npmjs.com and the npm CLI that allows package maintainers to generate and upload SLSA Build Level 2 provenance along with their packages. Integration with <a href="https://www.sigstore.dev/">Sigstore</a> enables verification of signature and certificate metadata so users know that the package came from the expected source repository.</p> </li> <li class="mb-8"> <h2 class="h2 mb-6"><a href="/blog/2023/05/in-toto-and-slsa">in-toto and SLSA</a></h2> <p><b>Guest post by Aditya Sirish (NYU) and Tom Hennen (Google) representing the in-toto Community on 02 May 2023</b></p> <p>As an adopter of SLSA, you have likely encountered the <a href="https://in-toto.io/">in-toto project</a>. <a href="https://github.com/in-toto/attestation">in-toto attestations</a> are part of <a href="/attestation-model#recommended-suite">SLSA’s recommended suite</a> for expressing software supply chain claims. As in-toto maintainers, we’ve interacted with a number of people who know of in-toto through SLSA but don’t fully understand the project. 
For example, some were surprised to learn that “in-toto isn’t just a format of attestations”, and that the framework also defines verification workflows that make use of attestations that are not SLSA Provenance. So, we decided to author this post as a quick primer on in-toto, how SLSA uses in-toto, and how other attestations can be used to complement SLSA.</p> </li> <li class="mb-8"> <h2 class="h2 mb-6"><a href="/blog/2023/04/slsa-v1-final">SLSA v1.0 is now final!</a></h2> <p><b> by Mark Lodato on 19 Apr 2023</b></p> <p>After almost two years since SLSA’s initial preview release, we are pleased to announce our first official stable version, <a href="/spec/v1.0">SLSA v1.0</a>! The full announcement can be found at the <a href="https://openssf.org/press-release/2023/04/19/openssf-announces-slsa-version-1-0-release/">OpenSSF press release</a>, and a description of changes can be found at <a href="/spec/v1.0/whats-new">What’s new in v1.0</a>. Thank you to all members of the SLSA community who made this possible through your feedback, suggestions, discussions, and pull requests!</p> </li> <li class="mb-8"> <h2 class="h2 mb-6"><a href="/blog/2023/04/slsa-v1-rc2">Announcing SLSA v1.0 Release Candidate 2</a></h2> <p><b> by SLSA Community on 04 Apr 2023</b></p> <p>We’re excited to announce <a href="/spec/v1.0-rc2/">SLSA v1.0 Release Candidate 2 (RC2)</a> following the valuable feedback we received on the <a href="/blog/2023/02/slsa-v1-rc">first release candidate</a>. This is intended to be the final release candidate before marking v1.0 as an <a href="/spec-stages#approved">Approved Specification</a>.</p> </li> <li class="mb-8"> <h2 class="h2 mb-6"><a href="/blog/2023/04/the-breadth-and-depth-of-slsa">The Breadth and Depth of SLSA</a></h2> <p><b> by Mike Lieberman on 03 Apr 2023</b></p> <p>Interested in getting involved? 
Now’s the chance to <a href="/blog/2023/02/slsa-v1-rc">provide your feedback on the foundational v1 release of the SLSA framework.</a></p> </li> <li class="mb-8"> <h2 class="h2 mb-6"><a href="/blog/2023/02/slsa-v1-rc">Announcing SLSA v1.0 Release Candidate</a></h2> <p><b> by Mark Lodato, Kris Kooi, Joshua Lock on 24 Feb 2023</b></p> <p>Today, we are excited to announce the important milestone of a release candidate (RC) SLSA Specification. This is the first major update to SLSA since its v0.1 release in June 2021, and the RC finalizes multiple revisions to the SLSA specifications and requirements. We’re grateful for the huge community engagement that went into shaping this work.</p> </li> <li class="mb-8"> <h2 class="h2 mb-6"><a href="/blog/2023/02/slsa-github-workflows-container-ga">General availability of SLSA 3 Container Generator for GitHub Actions</a></h2> <p><b> by Asra Ali, Ian Lewis, Laurent Simon on 01 Feb 2023</b></p> <p>Today, we are announcing the general availability of the <a href="https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container">SLSA 3 Container Generator for GitHub Actions</a> starting with v1.4.0. This free tool allows any GitHub project to produce SLSA level 3 compliant provenance statements so users can verify the origin of container images they use. While previous tools allowed users to generate provenance for file artifacts, the Container Generator is able to support container ecosystems. 
It does this by allowing provenance statements to be distributed alongside your images in a container registry and integrating directly with <a href="https://www.sigstore.dev/">Sigstore</a>-compatible tooling for inspection and verification.</p> </li> <li class="mb-8"> <h2 class="h2 mb-6"><a href="/blog/2022/12/gcb-slsa-verification">Safeguarding builds on Google Cloud Build with SLSA</a></h2> <p><b>Guest post by Asra Ali, Ian Lewis, Laurent Simon, Stephen Anastos on 05 Dec 2022</b></p> <p>Earlier this year, <a href="https://cloud.google.com/build/docs/overview">Google Cloud Build</a> (GCB) announced support for Level 3 assurance of <a href="/">Supply-chain Levels for Software Artifacts</a> (SLSA) for container images. Users can now automatically generate verifiable provenance documents (build records) of builds that take place in Cloud Build. Provenance can be used to provide assurance that a trusted builder (in this case, GCB) produced the resulting image through some declared process with trusted source material. To make verification effortless, we are announcing support for verifying the provenance document in the open-source <a href="https://github.com/slsa-framework/slsa-verifier">slsa-verifier</a> CLI tool, which previously only had support for <a href="/blog/2022/06/slsa-github-workflows">GitHub Actions</a>. 
With the slsa-verifier, everyone — not just the container authors — can verify the SLSA provenance document.</p> </li> <li class="mb-8"> <h2 class="h2 mb-6"><a href="/blog/2022/09/eo-in-plain-english">Executive Order on Secure Supply Chain — in Plain English</a></h2> <p><b>Guest post by Isaac Hepworth on 26 Sep 2022</b></p> <p>You may have heard about <a href="https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/">EO 14028</a>, the “Executive Order on Improving the Nation’s Cybersecurity”, which mandates the establishment of minimum supply chain security standards for all software consumed by the US government. On September 14th the White House Office of Management and Budget (OMB) issued <a href="https://www.whitehouse.gov/wp-content/uploads/2022/09/M-22-18.pdf">a memorandum</a> setting firm and aggressive timelines for implementation of guidelines stemming from the EO, and you might reasonably be wondering what it all means. If so, this post is for you. We’re going to try to lay it out in plain English and share steps to help you get ready to meet the timelines.</p> </li> <li class="mb-8"> <h2 class="h2 mb-6"><a href="/blog/2022/08/slsa-github-workflows-generic-ga">General availability of SLSA3 Generic Generator for GitHub Actions</a></h2> <p><b> by Ian Lewis, Laurent Simon, Asra Ali on 29 Aug 2022</b></p> <p>A few months ago Google and GitHub announced <a href="/blog/2022/06/slsa-github-workflows">the release of a Go builder</a> that would help software developers and consumers more easily verify the origins of software by using verification files known as provenance. Since then, the SLSA community has been working to enable provenance generation for other projects that may use any number of languages or build tools. 
Today, we’re pleased to announce that we’re adding a new tool to generate similar provenance documents for projects developed in any programming language, while keeping your existing building workflows.</p> </li> <li class="mb-8"> <h2 class="h2 mb-6"><a href="/blog/2022/07/slsa-foundational-framework">All about that Base(line): How Cybersecurity Frameworks are Evolving with Foundational Guidance</a></h2> <p><b>Guest post by Jennifer Privette on 25 Jul 2022</b></p> <p><em>In coordination with Aaron Bacchi, Emmy Eide, Melba Lopez, Brandon Lum, and Moshe Zioni</em></p> </li> <li class="mb-8"> <h2 class="h2 mb-6"><a href="/blog/2022/06/slsa-github-workflows">General Availability of SLSA 3 Go native builder for GitHub Actions</a></h2> <p><b> by Laurent Simon, Asra Ali, Ian Lewis, Mark Lodato, Jose Palafox, Joshua Lock on 20 Jun 2022</b></p> <p>A couple of months ago, Google and GitHub demonstrated how to generate non-forgeable SLSA 3 provenance for packages/binaries created via GitHub Actions (<a href="https://security.googleblog.com/2022/04/improving-software-supply-chain.html">1</a>, <a href="https://github.blog/2022-04-07-slsa-3-compliance-with-github-actions/">2</a>). Since then, we’ve been working hard to turn the reference example into a production-ready system for everyone to use. 
Today, we’re announcing the v1 release of the <a href="https://github.com/slsa-framework/slsa-github-generator">trusted builders</a> that can be used in GitHub Actions and <a href="https://github.com/slsa-framework/slsa-verifier">verification tools</a>.</p> </li> <li class="mb-8"> <h2 class="h2 mb-6"><a href="/blog/2022/06/slsa-ssdf">SLSA for Success: Using SLSA to help achieve NIST’s SSDF</a></h2> <p><b>Guest post by Isaac Hepworth, Meder Kydyraliev, Brandon Lum on 15 Jun 2022</b></p> <p>Since February’s release of the latest version of the <a href="https://csrc.nist.gov/publications/detail/sp/800-218/final">Secure Software Development Framework’s (SSDF)</a>, software organizations have been poring over the dozens of <a href="https://csrc.nist.gov/csrc/media/Publications/sp/800-218/final/documents/NIST.SP.800-218.SSDF-table.xlsx">best practices and tasks</a> laid out by the National Institute of Standards and Technology (NIST) in response to last year’s <a href="https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/">Executive Order on Cybersecurity</a>. Implementation is tough, though: the guidelines cover organizations of all sizes, cybersecurity sophistication, and operating environment. The descriptive requirements are not prioritized and explicitly not meant to be a checklist to follow. 
Each organization must find ways to interpret the recommendations for their particular needs.</p> </li> <li class="mb-8"> <h2 class="h2 mb-6"><a href="/blog/2022/05/slsa-sbom">SBOM + SLSA: Accelerating SBOM success with the help of SLSA</a></h2> <p><b>Guest post by Brandon Lum, Isaac Hepworth, Meder Kydyraliev on 02 May 2022</b></p> <center> <img src="https://user-images.githubusercontent.com/3060102/165816019-184fdd3d-1fa6-4d33-933f-49c1642006c0.png" width="300" alt="The OpenSSF mascot, a goose in armor, in a red salsa dress holds a sheaf of paper the topmost of which is titled SBOM"/></center> </li> <li class="mb-8"> <h2 class="h2 mb-6"><a href="/blog/2022/04/slsa-is-no-free-lunch">SLSA Is No Free Lunch</a></h2> <p><b>Guest post by Mike Lieberman on 11 Apr 2022</b></p> <p>“What is SLSA?” followed closely by “What does SLSA do for me?” are the two most common questions I get when people learn about SLSA. This has led to a lot of confusion as to how folks apply SLSA, and the benefits they get. You can’t just apply SLSA practices to a pipeline that runs a build, generate a SLSA attestation and magically be protected from supply chain compromise. Contrary to a lot of the hype being thrown around, SLSA is no free lunch, and we must help protect our lunch!</p> </li> <li class="mb-8"> <h2 class="h2 mb-6"><a href="/blog/2022/04/blog-launch">Introducing the SLSA Blog</a></h2> <p><b> by SLSA Community on 08 Apr 2022</b></p> <p>We’re excited to launch our very own blog, from which we will be posting project news, documentation, and other information about SLSA. 
Stay tuned for more posts coming your way soon.</p> </li> </ul> </div> </div> </main><footer class="site-footer flex-none h-card text-white"> <div class="site-clamp py-4 flex flex-wrap items-start justify-between w-full"> <div class="w-full md:w-1/3 mb-8 md:mb-0"> <p><strong>SLSA is a cross-industry collaboration.</strong><br> © 2024 The Linux Foundation, under the terms of the <a href="https://github.com/slsa-framework/governance">Community Specification License 1.0</a></p> </div> <div class="w-full md:w-1/3 mb-8 md:mb-0"> <p><strong>Privacy statement</strong><br> We use <a href="https://goatcounter.com">GoatCounter</a> to help us improve our website by collecting and reporting information on how it's used. We do not store advertising or tracking cookies. The information we collect does not identify anyone and does not track an individual's use of the site.</p> </div> <div class="w-full md:w-1/4 mb-8 md:mb-0 flex md:justify-end"> <p> <a href="https://github.com/slsa-framework/slsa/blob/910587ad00cc1f893b1e1ef6af3fb00c382e72f3/docs/blog.html?plain=1" target="_blank" class="flex gap-4 h5 font-normal"> View source on GitHub <svg width="22" height="22" viewBox="0 0 22 22" fill="none" xmlns="http://www.w3.org/2000/svg"> <path fill-rule="evenodd" clip-rule="evenodd" d="M11.2344 0.150879C5.28641 0.150879 0.468811 4.96848 0.468811 10.9165C0.468811 15.6803 3.55046 19.7039 7.82978 21.1303C8.36806 21.2245 8.56991 20.9016 8.56991 20.619C8.56991 20.3633 8.55646 19.5155 8.55646 18.6139C5.8516 19.1118 5.15184 17.9545 4.93653 17.3489C4.81541 17.0394 4.29059 16.084 3.83306 15.8283C3.45626 15.6264 2.91798 15.1285 3.8196 15.1151C4.66739 15.1016 5.27295 15.8956 5.47481 16.2185C6.44371 17.8468 7.99126 17.3893 8.61028 17.1067C8.70448 16.4069 8.98708 15.9359 9.29659 15.6668C6.90125 15.3977 4.39825 14.4691 4.39825 10.3513C4.39825 9.18051 4.81541 8.21161 5.50172 7.45802C5.39407 7.18888 5.01727 6.08541 5.60938 4.60514C5.60938 4.60514 6.51099 4.32254 8.56991 5.70861C9.43116 5.46639 10.3462 
5.34527 11.2613 5.34527C12.1764 5.34527 13.0914 5.46639 13.9527 5.70861C16.0116 4.30909 16.9132 4.60514 16.9132 4.60514C17.5053 6.08541 17.1285 7.18888 17.0209 7.45802C17.7072 8.21161 18.1244 9.16706 18.1244 10.3513C18.1244 14.4826 15.6079 15.3977 13.2126 15.6668C13.6028 16.0032 13.9392 16.6492 13.9392 17.6584C13.9392 19.0983 13.9258 20.2556 13.9258 20.619C13.9258 20.9016 14.1276 21.238 14.6659 21.1303C16.8031 20.4088 18.6602 19.0353 19.9758 17.2031C21.2915 15.3708 21.9994 13.1721 22 10.9165C22 4.96848 17.1824 0.150879 11.2344 0.150879Z" fill="white"/> </svg> </a> <br> This site is powered by <a href="https://www.netlify.com">Netlify</a> </p> </div> </div> <div class="site-clamp py-4 flex items-start justify-between w-full mb-16 md:mb-0"> <a rel="author" href="/"><img src="/images/logo.svg" alt="SLSA logo" /></a> </div> </footer> </div> </body> </html>