With the SolarWinds and Codecov security incidents putting software supply chain attacks in the spotlight, Google came up with a solution to ensure the integrity of software packages and prevent unauthorized modifications.

Called “Software artifacts at all Levels of the Supply Chain” (SLSA, pronounced “salsa”), the end-to-end framework is designed to secure software development and deployment pipelines (source code ➞ build ➞ release workflows) and to mitigate the threat of tampering with source code, build platforms and artifact repositories at every step of the chain.

Google said SLSA was inspired by the company’s internal enforcement mechanism, Binary Authorization for Borg, an audit tool that verifies the source of code and implements code identification to determine whether deployed product software has been properly vetted and authorized.

In its current form, SLSA is a set of security guidelines established by industry consensus and gradually adopted, according to Google’s open source security team.

In its final form, SLSA will support the automatic creation of auditable metadata in its executable form, which can be fed into a policy engine to provide “SLSA authentication” for a particular package or build platform.

The SLSA framework promises end-to-end software supply chain integrity and is designed to be incremental and operational. It defines four levels of progressively stronger security requirements; the highest, SLSA 4, ensures that software has not been improperly modified or corrupted.

The SLSA framework has four levels:

SLSA 1 – Requires the build process to be fully scripted/automated and to generate provenance

SLSA 2 – Requires version control and a hosted (managed) build service that generates authenticated provenance

SLSA 3 – Requires source code and build platforms to meet specific standards that guarantee the auditability of the source and the integrity of the provenance

SLSA 4 – Requires two-person review of all changes and a hermetic, reproducible build process

Security personnel point out that higher SLSA levels require stronger security control over the build platform, which makes compromise and persistence more difficult.

While SLSA 4 represents the ultimate ideal, the lower levels provide incremental integrity assurance while making it difficult for malicious actors to hide in a compromised developer environment for extended periods of time.

Google also shared more details about the Source and Build requirements that need to be met, called on the industry to standardize and model the system, and detailed the specific threats SLSA wants to address over the long term. The team says that while it may be difficult for most projects to implement the highest level of SLSA, recognizing and incrementally improving toward the lower SLSA levels can also go a long way toward making the open source ecosystem more secure.
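To make the level model and the policy-engine idea above concrete, here is an added example (not Google's code and not the real SLSA provenance schema; the field names and the hypothetical `check_artifact` policy are this example's own assumptions). It computes the highest SLSA level a simplified provenance record reaches, treating the levels as cumulative, and then applies a policy that also requires the artifact's digest to match what the provenance describes.

```python
import hashlib

# Simplified, illustrative provenance flags. The names are constructed for
# this example and are NOT the SLSA/in-toto provenance schema.
LEVEL_REQUIREMENTS = {
    1: ("scripted_build", "provenance_generated"),
    2: ("version_controlled", "hosted_build_service", "provenance_authenticated"),
    3: ("source_verified_history", "build_isolated", "provenance_non_falsifiable"),
    4: ("two_person_review", "hermetic_build", "reproducible_build"),
}


def slsa_level(prov: dict) -> int:
    """Highest level whose requirements, and those of every lower level,
    are all satisfied. Levels are cumulative, so stop at the first gap."""
    achieved = 0
    for level in sorted(LEVEL_REQUIREMENTS):
        if all(prov.get(flag) is True for flag in LEVEL_REQUIREMENTS[level]):
            achieved = level
        else:
            break
    return achieved


def check_artifact(prov: dict, artifact: bytes, required_level: int) -> tuple:
    """Policy-engine style decision (hypothetical): the artifact must be the one
    the provenance describes (digest match) AND reach the required level."""
    digest = hashlib.sha256(artifact).hexdigest()
    if prov.get("subject_sha256") != digest:
        return False, "digest mismatch: artifact is not the one the provenance describes"
    level = slsa_level(prov)
    if level < required_level:
        return False, f"build reached SLSA {level}, policy requires SLSA {required_level}"
    return True, f"ok: SLSA {level}"


# Constructed sample: a package built on a hosted service that satisfies all
# SLSA 2 flags but only part of SLSA 3 (build isolation is missing).
SAMPLE_ARTIFACT = b"constructed package contents"
SAMPLE_PROVENANCE = {
    "subject_sha256": hashlib.sha256(SAMPLE_ARTIFACT).hexdigest(),
    "scripted_build": True, "provenance_generated": True,
    "version_controlled": True, "hosted_build_service": True,
    "provenance_authenticated": True,
    "source_verified_history": True, "build_isolated": False,
}

if __name__ == "__main__":
    print(check_artifact(SAMPLE_PROVENANCE, SAMPLE_ARTIFACT, 2))  # accepted at SLSA 2
    print(check_artifact(SAMPLE_PROVENANCE, SAMPLE_ARTIFACT, 3))  # rejected: only SLSA 2
    print(check_artifact(SAMPLE_PROVENANCE, b"tampered", 1))      # rejected: digest mismatch
```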

Supply chain attack

In supply chain attacks, attackers search for insecure network protocols, unprotected server infrastructure, and insecure code. They break in during build and update processes, change source code, and hide malware.

Because the software is generated and distributed by trusted vendors, these applications and updates are signed and certified. In a software supply chain attack, the vendor is unaware that their application or update was infected with malicious code when it was publicly released, so the malicious code runs with the same trust and permissions as the application.

In the SolarWinds incident, the malicious code was inserted before the file was digitally signed, so the insertion point could have been the source code development environment, the compilation environment, or the binary distribution awaiting signature. This also confirms the need to shift security left. Static security analysis of the code at the coding stage can find known and unknown vulnerabilities and prevent defective code from being produced. At the same time, static code analysis can catch some runtime vulnerabilities in advance; combined with dynamic application testing and interactive application testing, security then covers the whole development and production lifecycle.

Software supply chain attacks also show that a security problem at any link in the chain can cause a serious chain reaction, so security detection and review should be carried out at every level to avoid supply chain attacks.

Reference link:

www.woocoom.com/b021.html?i…

Thehackernews.com/2021/06/goo…