The Open Source Security Foundation (OpenSSF) has announced the stable release of version 1.0 of its supply chain security framework, Supply-chain Levels for Software Artifacts (SLSA). The project provides specifications for software supply chain security that have been established by community consensus.
SLSA's framework is split into several levels of increasing supply chain security guarantees (in v1.0, Build levels 0 through 3), so users can have confidence that software has not been tampered with and can be traced back to its source.
“The OpenSSF is working hard to put more rigor into the software development process,” said Brian Behlendorf, general manager of the OpenSSF. “The stable release of SLSA v1.0 is an important milestone in improving software supply chain security and providing organizations with the tools they need to protect their software.”
According to the foundation, SLSA's specifications are useful to software consumers and producers alike. Producers can follow the guidelines to raise the security of their own supply chain, and consumers can use the level an artifact meets to decide whether to trust a software package.
With SLSA, users gain a common vocabulary for discussing software supply chain security, a way to assess upstream dependencies by establishing how trustworthy the artifacts they consume are, and a checklist designed to help improve the security of the software they build.
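The consumer-side decision described above, as an added example that is not part of the article and not SLSA project code: a small Python verifier that takes a SLSA v1.0 provenance statement (the in-toto Statement format with predicateType https://slsa.dev/provenance/v1), confirms the statement is about the artifact in hand, confirms the builder is one the consumer has chosen to trust at a given level, and confirms the build ran from the expected source. The artifact bytes, builder identity, build type, source URI and trust mapping are all constructed for the example; the layout of externalParameters is defined by the builder, so the source field used here is an assumption. The example also assumes the DSSE envelope that normally wraps the statement has already had its signature verified against the builder's key; without that step the builder identity is unauthenticated and these checks prove nothing.

```python
import hashlib
import json
from dataclasses import dataclass

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
PROVENANCE_TYPE = "https://slsa.dev/provenance/v1"

# Hypothetical consumer policy: builder identity -> SLSA Build level the consumer
# grants it. In practice this comes from the builder's documented level, and the
# identity is only meaningful after the DSSE signature has been verified.
TRUSTED_BUILDERS = {
    "https://builder.example/ci/release@v1": 3,  # assumption, not a real builder
}

# Constructed stand-ins for a release tarball and its expected source (not real).
ARTIFACT = b"constructed release tarball contents\n"
EXPECTED_SOURCE = "git+https://example.com/org/app@refs/tags/v1.2.3"


def make_statement(artifact: bytes, builder_id: str, source_uri: str) -> str:
    """Return a constructed SLSA v1.0 provenance statement (JSON) for `artifact`."""
    return json.dumps({
        "_type": STATEMENT_TYPE,
        "subject": [{"name": "app-1.2.3.tar.gz",
                     "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicateType": PROVENANCE_TYPE,
        "predicate": {
            "buildDefinition": {
                # buildType and the externalParameters layout are builder-defined;
                # these values are assumptions for the example.
                "buildType": "https://builder.example/buildtypes/release@v1",
                "externalParameters": {
                    "source": {"uri": source_uri, "digest": {"gitCommit": "0" * 40}},
                },
                "resolvedDependencies": [],
            },
            "runDetails": {
                "builder": {"id": builder_id},
                "metadata": {"invocationId": "run-12345"},
            },
        },
    })


@dataclass
class Verdict:
    accepted: bool
    level: int    # SLSA Build level the consumer may claim for this artifact
    reason: str


def verify_provenance(artifact: bytes, statement_json: str, expected_source: str,
                      trusted_builders: dict = TRUSTED_BUILDERS) -> Verdict:
    """Decide whether to trust `artifact` from its (already signature-verified)
    provenance statement. Any failed check yields level 0."""
    stmt = json.loads(statement_json)
    if stmt.get("_type") != STATEMENT_TYPE:
        return Verdict(False, 0, "not an in-toto v1 statement")
    if stmt.get("predicateType") != PROVENANCE_TYPE:
        return Verdict(False, 0, "predicate is not SLSA provenance v1")

    # 1. The statement must be about this exact artifact: compare SHA-256 digests.
    digest = hashlib.sha256(artifact).hexdigest()
    subjects = {s.get("digest", {}).get("sha256") for s in stmt.get("subject", [])}
    if digest not in subjects:
        return Verdict(False, 0, "artifact digest not among provenance subjects")

    pred = stmt.get("predicate", {})
    # 2. Only a builder the consumer trusts can vouch for a level; the level
    #    claimed can never exceed what that builder is trusted for.
    builder_id = pred.get("runDetails", {}).get("builder", {}).get("id")
    level = trusted_builders.get(builder_id, 0)
    if level == 0:
        return Verdict(False, 0, f"untrusted builder {builder_id!r}")

    # 3. The build must have been run from the source the consumer expects,
    #    otherwise a trusted builder building a fork would still pass.
    source = (pred.get("buildDefinition", {})
                  .get("externalParameters", {})
                  .get("source", {}))
    if source.get("uri") != expected_source:
        return Verdict(False, 0, f"unexpected source {source.get('uri')!r}")

    return Verdict(True, level, "provenance checks passed")


if __name__ == "__main__":
    good = make_statement(ARTIFACT, "https://builder.example/ci/release@v1", EXPECTED_SOURCE)
    print(verify_provenance(ARTIFACT, good, EXPECTED_SOURCE))
    print(verify_provenance(ARTIFACT + b"tampered", good, EXPECTED_SOURCE))
```

The trust mapping and the source check are policy, not part of the provenance format: the builder's identity determines the maximum level the consumer can claim, and the source check is what stops a legitimately built artifact from a different repository being accepted.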
Furthermore, this release gives developers a way to measure their progress toward the practices of the NIST Secure Software Development Framework (SSDF) referenced by the US Executive Order on cybersecurity (EO 14028).
To get started using SLSA, visit the project website at https://slsa.dev.