OpenSSF Announces SLSA Version 1.0 Release
The Linux Foundation | 19 April 2023
Framework for Improving Software Supply Chain Security Announces Stable Release, Helps Secure Builds Against Supply Chain Attacks
SAN FRANCISCO, CA, April 19, 2023 – The Open Source Security Foundation (OpenSSF) is proud to announce the release of version 1.0 of Supply-chain Levels for Software Artifacts (SLSA, pronounced “salsa”). SLSA is an OpenSSF project that provides specifications for software supply chain security, established by community expert consensus. SLSA’s framework is organized into a series of levels that describe increasing security rigor, designed to give confidence that software hasn’t been tampered with and can be securely traced back to its source. SLSA is a supply chain security language that everyone can speak to help identify where software stands and how to mature their security posture.
“The OpenSSF is working hard to put more rigor into the software development process,” said Brian Behlendorf, General Manager of the OpenSSF. “The stable release of SLSA v1.0 is an important milestone in improving software supply chain security and providing organizations with the tools they need to protect their software.”
Supply chain attacks are an ever-present threat, exploiting weak points in the process of building and distributing software to interfere with it. SLSA provides a framework to prevent source code and build system tampering. The specification set by SLSA is useful for both software producers and consumers: producers can follow SLSA’s guidelines to make their software supply chain more secure, and consumers can use SLSA to make decisions about whether to trust a software package.
SLSA offers:
- A common vocabulary to talk about software supply chain security
- A way to assess your upstream dependencies by evaluating the trustworthiness of the artifacts you consume such as source code, builds, and container images
- An actionable checklist to improve your own software’s security
- A way to measure your efforts toward compliance with forthcoming Executive Order standards in the Secure Software Development Framework (SSDF)
SLSA aims to create a comprehensive, adaptable framework that addresses critical pieces of software supply chain security. The SLSA v1.0 release makes a significant conceptual change in the division of SLSA’s level requirements into multiple tracks, with each focusing on one area of the software supply chain, such as build, source, and dependencies. Previously, there was a single track, but this new division makes SLSA adoption easier for users. SLSA v1.0 starts with the Build Track, which establishes a robust foundation on which to expand the framework to address other critical aspects of the Software Delivery Lifecycle. SLSA Tracks help end users, whether they are open source project maintainers or companies, better understand and mitigate the risks associated with software supply chains, and ultimately develop more secure and reliable software.
There are many benefits of adopting SLSA for:
- Software producers, such as a software vendor or a team writing first-party code for use within the same company. SLSA gives you protection against tampering along the supply chain to your consumers, both reducing insider risk and increasing confidence that the software you produce reaches your consumers as you intended. For open source projects and ecosystems, SLSA provides a framework to demonstrate that your releases contain source code and dependencies that haven’t been tampered with. Since many open source projects are volunteer-run, tools are available to easily add SLSA to existing projects.
- Software consumers, such as a development team using open source packages, a government agency using vendored software, or a CISO judging organizational risk. SLSA gives you a way to judge the security practices of the software you rely on and be sure that what you receive is what you expected.
- Infrastructure providers, who provide infrastructure such as an ecosystem package manager, build platform, or CI/CD system. As the bridge between the producers and consumers, your adoption of SLSA enables a secure software supply chain between them.
The stable release of the SLSA 1.0 Build Track lowers the barrier of entry for improvements, helps you focus efforts on improving your build, and reduces the chances of tampering across a large swath of the supply chain.
To begin using SLSA, visit https://slsa.dev/.
Contributing Company Quotes
ActiveState
In development, you can’t optimize what you can’t measure, and this is why SLSA is exciting; it provides auditable data, in machine-readable form, that validates the chain of custody from code authors to the binaries deployed in production systems. It gives us the provenance of binaries used in sensitive operating environments, so we can make informed decisions on whether or not to trust and incorporate certain packages into builds. These are foundational concepts to actually achieving what has largely been a buzz-phrase; supply chain security. At ActiveState, we make it easy for technical teams to enact SLSA by allowing our customers to identify and trust good faith components with the most complete provenance, automatically available in our platform as attestations and SBOMs.
– Scott Robertson, CTO, ActiveState
Chainguard
The evolution of SLSA since our original proof of concept in 2021 has been remarkable, positioning it as one of the most accessible frameworks for implementing software supply chain security practices today. The release of SLSA v1.0 represents a significant step forward in building trust between software consumers and producers, as it provides a well-established framework that outlines how software is protected and developed based on software supply chain security principles. At Chainguard, we are invested in advancing SLSA as a critical industry standard while adhering to its core principles to ensure the integrity of our offerings and the open-source community projects we maintain. We support the OpenSSF’s ongoing efforts to further develop SLSA, enabling more organizations and community projects to achieve their security objectives.
– Kim Lewandowski, Head of Product and Co-Founder, Chainguard
SLSA 1.0 is a major milestone in the journey to secure our software supply chains. It is the culmination of two years of collaboration with the open source community, and it builds on Google’s experience protecting production workloads for a decade. SLSA provides a common framework for assessing the security of software supply chains, and it will help organizations to make informed decisions about the software they use. I am excited to see the impact that SLSA will have on the security of our software supply chains.
– Abhishek Arya, Engineering Director, Google Open Source Security Team
IBM
At IBM, belief in the power of Open Innovation is driving our current actions and future plans. That is why we have been actively contributing to the Supply chain Levels for Software Artifacts (SLSA) v1.0 specification. By openly collaborating with the OpenSSF community to provide build integrity clarity, package consistency, and adopt-ability at scale, we are certain this framework will help software developers restrict tampering, improve integrity, and better secure packages and infrastructure in software supply chains.
– Jamie Thomas, General Manager, Infrastructure Strategy & Development IBM
Intel
In today’s interconnected world, software supply chain security is crucial to ensure the safety and reliability of the software we use. With the increasing complexity and interdependence of software systems, any compromise in the software supply chain can have severe consequences for individuals, organizations, and society. SLSA is a major milestone in building this common framework aimed at solving a very real problem and hard to tackle. I am excited to have SLSA as a common ground enabling the reusability and composability of the software economy with a trustworthy software supply chain foundation.
– Bruno Domingues, CTO – Worldwide Financial Services and Principal Engineer, Intel
Kusari
As a member of the SLSA steering committee, I am thrilled to see the release of SLSA 1.0. This milestone signifies the collective efforts of the SLSA, OpenSSF and the broader open source security community in creating a critical framework that enhances the security of our software supply chains. At Kusari, we are committed to adopting and promoting SLSA as a key piece in the cybersecurity picture. Together, we’re driving innovation while safeguarding the future of the technology we all use.
– Michael Lieberman, CTO, Kusari
Microsoft
Being an active member and contributor within the OpenSSF allows Microsoft to empower every person and every organization on the planet to do more… securely. By contributing to OpenSSF’s Supply chain Levels for Software Artifacts (SLSA) v1.0 Build Track, our commitment to empowerment and the ability to do more, securely, is on display with true partnership in mind. In conjunction with the consumer-focused Secure Supply Chain Consumption Framework (S2C2F), also developed openly with the OpenSSF, the release of the producer-focused SLSA is a testament to what can be accomplished when we come together towards the creation of a first-of-its-kind collaborative and trusted framework. Through this collaboration, we are able to produce the most up-to-date and scalable security controls and maturity levels which strengthen our software and supply chain security.
– Mark Russinovich, Azure CTO and Technical Fellow, Microsoft
Red Hat
At Red Hat, we understand that product security can be a complicated issue for companies of all sizes. That’s why we are committed to simplifying it by supporting initiatives like the SLSA and OpenSSF. We believe that transparency is essential in protecting our customers’ interests. As we continue to pursue our goals in supply chain security, we will use SLSA and other industry standards to provide customers with greater visibility into our security initiatives. As an open-source company, we value collaboration and SLSA is a perfect example of what can be achieved when people come together to create widely accepted criteria to strengthen software security.
– Emmy Eide, Director, Red Hat
VMware
SLSA’s 1.0 specification brings a shared system of expectations around open source project security posture. The initial three levels enable more robust conversation and reasoning across the ecosystem’s complex producer-consumer networks. VMware sees SLSA as a positive contribution toward ever improved trustworthiness both in the open source artifacts we create and from the community projects which underpin and accelerate our own offerings.
– Tim Pepper, Principal Engineer / VP, VMware
End User Company Quote
GitHub
As we continue to enhance the security of how npm packages are built, the SLSA framework has served as a launchpad for us in determining what capabilities to provide. It has been instrumental in moving forward the security of open source packages in a way that makes sense for users, open source maintainers, and vendors.
– Zach Steindler, Principal Security Engineer, GitHub
About the OpenSSF
The Open Source Security Foundation (OpenSSF) is a cross-industry organization hosted by the Linux Foundation that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all. For more information, please visit us at openssf.org.
Media Contact
Jennifer Bly
OpenSSF
jbly@linuxfoundation.org
About The Linux Foundation
The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, ONAP, OpenChain, OpenSSF, PyTorch, RISC-V, SPDX, Zephyr, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org. The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.