SLSA v1.0 has been designed to make the software supply chain security framework more accessible and specific to areas of the software delivery lifecycle.

The Open Source Security Foundation (OpenSSF) has announced the release of Supply-chain Levels for Software Artifacts (SLSA) v1.0 with structure changes designed to make the software supply chain security framework more accessible and specific to individual areas of the software delivery lifecycle.

SLSA is a community-driven supply chain security standards project that outlines increasing security rigor within the software development process. It aims to address critical pieces of software supply chain security, giving producers, consumers, and infrastructure providers an effective way to assess software security and gain confidence that software hasn’t been tampered with and can be securely traced back to its source. SLSA is backed by several high-profile technology organizations including Google, Intel, Microsoft, VMware, and IBM. The stable release of SLSA 1.0 lowers the barrier of entry for improvements, helps users focus efforts on improving builds, and reduces the chances of tampering across a large swath of the supply chain, OpenSSF said.

Supply chain attacks are an ever-present threat, often exploiting weak points in the building and distribution of software. Software supply chain security is of increasing importance for governments, businesses, and the wider cybersecurity sector, with open-source resources playing a key role in both software development and related security risks.

SLSA v1.0 introduces Build Track, outlining protection against software tampering

The SLSA v1.0 release makes a significant conceptual change in the division of SLSA’s level requirements into multiple tracks, each providing separate sets of levels that measure a particular aspect of software supply chain security, OpenSSF said.
Previously, there was a single track, but the new divisions will help users better understand and mitigate the risks associated with software supply chains and ultimately develop, demonstrate, and use more secure and reliable software, it added. SLSA v1.0 starts with the Build Track, which describes levels of protection against tampering during or after the software build. Higher SLSA build levels provide increased confidence that a package truly came from the correct sources, without unauthorized modification or influence, OpenSSF said.

The new Build Track Levels 1-3 roughly correspond to Levels 1-3 of v0.1, minus the source requirements, OpenSSF wrote. The Build Track requirements have been structured to reflect the division of labor across the software supply chain: producing artifacts, verifying build systems, and verifying artifacts. The Build Track establishes a robust foundation on which to expand the framework to address other critical aspects of the software delivery lifecycle, with future versions of the specification expected to continue building on requirements without changing those defined in v1.0, according to OpenSSF.

SLSA v1.0 also documents the need for provenance verification, providing more explicit guidance on how to verify provenance along with corresponding changes to the specification and provenance format.

“SLSA 1.0 is a major milestone in the journey to secure our software supply chains,” said Abhishek Arya, engineering director, Google Open Source Security Team. “SLSA provides a common framework for assessing the security of software supply chains, and it will help organizations to make informed decisions about the software they use.”

Software supply chain security high on agenda for governments, cybersecurity sector

Software supply chain security is a key component of the US National Cybersecurity Strategy, released by the Biden administration in May.
It requires software providers to assume greater responsibility for the security of their products. Last week, a collection of international government agencies released new guidelines urging software manufacturers to take the necessary steps to ship products that are secure-by-design and -default. These include removing default passwords, writing in safer programming languages, and establishing vulnerability disclosure programs for reporting flaws.

Vendors, collectives, and governments launched significant initiatives in 2022 to improve the security of open-source code, software, and development to help improve the overall cyber resilience of the software supply chain.

A lack of cohesion between software development teams and cybersecurity functions has traditionally compounded the software supply chain risks organizations face. Cybersecurity leaders and their teams have been urged to better engage with and educate developers, tailoring security awareness training to address the specific cyber risks surrounding the software development lifecycle.
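To make concrete what the provenance verification documented in SLSA v1.0 (described above) asks of a package consumer, here is an added illustration that is not code from OpenSSF or the SLSA project. It checks a SLSA v1.0 provenance statement (in-toto Statement v1 with the `https://slsa.dev/provenance/v1` predicate) against three expectations: a trusted builder identity, a subject digest matching the artifact actually held, and the expected source repository among the resolved dependencies. The builder id, repository URI, and sample statement are constructed placeholders; it assumes the signature on the DSSE envelope was already verified with the builder's key.

```python
import hashlib

# Values the consumer trusts (constructed placeholders for this example).
TRUSTED_BUILDER_ID = "https://example.invalid/builder/v1"
EXPECTED_SOURCE = "git+https://example.invalid/org/app"
PROVENANCE_PREDICATE_TYPE = "https://slsa.dev/provenance/v1"

def verify_provenance(statement: dict, artifact: bytes) -> list[str]:
    """Return findings for a SLSA v1.0 provenance statement; [] means all checks passed."""
    # Assumes the DSSE envelope signature was already verified with the builder's key;
    # the remaining consumer checks are: trusted builder, subject digest, expected source.
    findings = []
    if statement.get("_type") != "https://in-toto.io/Statement/v1":
        findings.append("unexpected statement type")
    if statement.get("predicateType") != PROVENANCE_PREDICATE_TYPE:
        findings.append("predicate is not SLSA provenance v1")
    pred = statement.get("predicate", {})
    # Builder identity: provenance from an unknown builder carries no assurance.
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder != TRUSTED_BUILDER_ID:
        findings.append(f"untrusted builder id: {builder!r}")
    # Artifact binding: a subject digest must match the bytes actually held.
    digest = hashlib.sha256(artifact).hexdigest()
    if not any(s.get("digest", {}).get("sha256") == digest
               for s in statement.get("subject", [])):
        findings.append("artifact digest not among provenance subjects")
    # Source binding: the build must have resolved the expected repository.
    deps = pred.get("buildDefinition", {}).get("resolvedDependencies", [])
    if not any(d.get("uri", "").startswith(EXPECTED_SOURCE) for d in deps):
        findings.append("expected source repository not in resolvedDependencies")
    return findings


# Constructed sample: a well-formed statement and the artifact it describes.
ARTIFACT = b"constructed release bytes\n"
GOOD_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "app.tar.gz",
                 "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicateType": PROVENANCE_PREDICATE_TYPE,
    "predicate": {
        "buildDefinition": {
            "externalParameters": {"repository": EXPECTED_SOURCE, "ref": "refs/tags/v1.0"},
            "resolvedDependencies": [{"uri": EXPECTED_SOURCE + "@refs/tags/v1.0",
                                      "digest": {"gitCommit": "0" * 40}}]},
        "runDetails": {"builder": {"id": TRUSTED_BUILDER_ID}}}}

if __name__ == "__main__":
    print(verify_provenance(GOOD_STATEMENT, ARTIFACT))  # []
```

A rejected statement is one where the builder is not the trusted one, the artifact bytes differ from the recorded subject digest, or the expected repository is absent; a Build Track verifier would fail the artifact on any non-empty findings list.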