SLSA v1.0 has been designed to make the software supply chain security framework more accessible and specific to areas of the software delivery lifecycle.

The Open Source Security Foundation (OpenSSF) has announced the release of Supply-chain Levels for Software Artifacts (SLSA) v1.0 with structure changes designed to make the software supply chain security framework more accessible and specific to individual areas of the software delivery lifecycle.

SLSA is a community-driven supply chain security standards project that outlines increasing security rigor within the software development process. It aims to address critical pieces of software supply chain security, giving producers, consumers, and infrastructure providers an effective way to assess software security and gain confidence that software hasn’t been tampered with and can be securely traced back to its source. SLSA is backed by several high-profile technology organizations including Google, Intel, Microsoft, VMware, and IBM. The stable release of SLSA 1.0 lowers the barrier of entry for improvements, helps users focus efforts on improving builds, and reduces the chances of tampering across a large swath of the supply chain, OpenSSF said.

Supply chain attacks are an ever-present threat, often exploiting weak points in the building and distribution of software. Software supply chain security is of increasing importance for governments, businesses, and the wider cybersecurity sector, with open-source resources playing a key role in both software development and related security risks.

SLSA v1.0 introduces Build Track, outlining protection against software tampering

The SLSA v1.0 release makes a significant conceptual change in the division of SLSA’s level requirements into multiple tracks, each providing separate sets of levels that measure a particular aspect of software supply chain security, OpenSSF said.
Previously, there was a single track, but new divisions will help users better understand and mitigate the risks associated with software supply chains and ultimately develop, demonstrate, and use more secure and reliable software, it added.

SLSA v1.0 starts with the Build Track, which describes levels of protection against tampering during or after software build. Higher SLSA build levels provide increased confidence that a package truly came from the correct sources, without unauthorized modification or influence, OpenSSF said.

The new Build Track Levels 1-3 roughly correspond to Levels 1-3 of v0.1, minus the source requirements, OpenSSF wrote. The Build Track requirements have been structured to reflect the division of labor across the software supply chain: producing artifacts, verifying build systems, and verifying artifacts. The Build Track establishes a robust foundation on which to expand the framework to address other critical aspects of the software delivery lifecycle, with future versions of the specification expected to continue building on requirements without changing those defined in v1.0, according to OpenSSF.

SLSA v1.0 also documents the need for provenance verification by providing more explicit guidance on how to verify provenance, along with making corresponding changes to the specification and provenance format.

“SLSA 1.0 is a major milestone in the journey to secure our software supply chains,” said Abhishek Arya, engineering director, Google Open Source Security Team. “SLSA provides a common framework for assessing the security of software supply chains, and it will help organizations to make informed decisions about the software they use.”

Software supply chain security high on agenda for governments, cybersecurity sector

Software supply chain security is a key component of the US National Cybersecurity Strategy, released by the Biden administration in May.
It requires software providers to assume greater responsibility for the security of their products. Last week, a collection of international government agencies released new guidelines urging software manufacturers to take necessary steps to ship products that are secure-by-design and -default. These include removing default passwords, writing in safer programming languages, and establishing vulnerability disclosure programs for reporting flaws.

Vendors, collectives, and governments launched significant initiatives in 2022 to improve the security of open-source code, software, and development to help improve the overall cyber resilience of the software supply chain.

A lack of cohesion between software development teams and cybersecurity functions has traditionally compounded the software supply chain risks organizations face. Cybersecurity leaders and their teams have been urged to better engage with and educate developers, tailoring security awareness training to address the specific cyber risks surrounding the software development lifecycle.
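To make the provenance verification that the Build Track section above describes concrete, here is an added example; it is not part of the article and not code from the SLSA project. It applies, to a constructed SLSA v1.0 provenance statement (an in-toto Statement v1 carrying the slsa.dev/provenance/v1 predicate), the kind of checks the v1.0 guidance sets out for a consumer: match the artifact's digest against the statement's subject, check that the builder is one the verifier trusts and that its accredited build level meets policy, and confirm the build was driven by the expected source. The artifact bytes, the builder, buildType and source URIs, and the trust policy are all hypothetical placeholders; the signature check over the DSSE envelope that must precede these steps is assumed to have been done already.

```python
import hashlib
import hmac
import json

# Constructed sample artifact; in practice this is the downloaded package or binary.
ARTIFACT = b"example release tarball contents\n"

# Constructed SLSA v1.0 provenance statement. The builder, buildType and
# source URIs are hypothetical placeholders, not identifiers of any real
# build platform.
PROVENANCE = json.dumps({
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [
        {"name": "app-1.2.3.tar.gz",
         "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}
    ],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "buildType": "https://example.com/hypothetical-build-type/v1",
            "externalParameters": {
                "source": {"uri": "git+https://example.com/org/app@refs/tags/v1.2.3"}
            },
        },
        "runDetails": {
            "builder": {"id": "https://example.com/hypothetical-builder/v1"}
        },
    },
})

# Hypothetical verifier policy: the builders we trust, the SLSA Build level
# each is accredited for, and the source the artifact must come from.
TRUSTED_BUILDERS = {"https://example.com/hypothetical-builder/v1": 3}
EXPECTED_SOURCE = "git+https://example.com/org/app@"


def verify_provenance(statement_json, artifact_bytes, artifact_name,
                      trusted_builders, expected_source_prefix, min_build_level=2):
    """Run consumer-side SLSA v1.0 checks over a provenance statement.

    Returns (ok, failures). Assumes the DSSE envelope signature over the
    statement has already been verified against the builder's key; without
    that step nothing in the statement can be trusted.
    """
    failures = []
    st = json.loads(statement_json)

    if st.get("_type") != "https://in-toto.io/Statement/v1":
        failures.append("not an in-toto Statement v1")
    if st.get("predicateType") != "https://slsa.dev/provenance/v1":
        failures.append("predicateType is not SLSA provenance v1")

    # 1. The artifact we hold must be one of the statement's subjects, matched
    #    by digest; the subject name on its own proves nothing.
    digest = hashlib.sha256(artifact_bytes).hexdigest()
    if not any(s.get("name") == artifact_name
               and hmac.compare_digest(s.get("digest", {}).get("sha256", ""), digest)
               for s in st.get("subject", [])):
        failures.append("artifact digest does not match any provenance subject")

    predicate = st.get("predicate", {})
    builder_id = predicate.get("runDetails", {}).get("builder", {}).get("id")

    # 2. The builder must be one we trust, at a level our policy accepts.
    level = trusted_builders.get(builder_id)
    if level is None:
        failures.append(f"untrusted builder: {builder_id!r}")
    elif level < min_build_level:
        failures.append(f"builder only reaches SLSA Build L{level}, need L{min_build_level}")

    # 3. The build must have been driven by the expected source repository.
    ext = predicate.get("buildDefinition", {}).get("externalParameters", {})
    source_uri = ext.get("source", {}).get("uri", "")
    if not source_uri.startswith(expected_source_prefix):
        failures.append(f"unexpected source: {source_uri!r}")

    return (not failures, failures)


if __name__ == "__main__":
    ok, why = verify_provenance(PROVENANCE, ARTIFACT, "app-1.2.3.tar.gz",
                                TRUSTED_BUILDERS, EXPECTED_SOURCE)
    print("verified" if ok else "REJECTED: " + "; ".join(why))
```

The check order matters in practice: a digest mismatch or an untrusted builder should fail the artifact regardless of how plausible the rest of the provenance looks, which is why every failure is collected and any one of them rejects the artifact.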