Commit 160f3901 authored by Kara Olive

Update landing page to use language from blogpost

parent 82bfd093
# SLSA: Supply-chain Levels for Software Artifacts
Supply-chain Levels for Software Artifacts (SLSA, pronounced _[salsa]_) is an
end-to-end framework for ensuring the integrity of software artifacts throughout
the software supply chain. The requirements are inspired by Google’s internal
"[Binary Authorization for Borg]" that has been in use for the past 8+ years and
that is mandatory for all of Google's production workloads.
**IMPORTANT:** SLSA is an evolving specification and we are looking for
wide-ranging feedback via GitHub issues, [mailing list], or [feedback form].
SLSA is being developed as part of the [OpenSSF Digital Identity WG].
## Overview
SLSA consists of:
1. **[Standards](requirements.md):** Industry consensus on the definition of a
"secure" software supply chain. There may be multiple standards to represent
multiple aspects of security.
2. **Accreditation:** Process for organizations to certify compliance with
these standards.
3. **[Technical controls](controls/README.md):** To record provenance and
detect or prevent non-compliance.
Ultimately, the software consumer decides whom to trust and what standards to
enforce. In this light, accreditation is a means to transfer trust across
organizational boundaries. For example, a company may internally "accredit" its
in-house source and build systems while relying on OpenSSF to accredit
third-party ones. Other organizations may trust other accreditation bodies.
## Next
* [What is SLSA?](about.md)
* [SLSA Requirements](requirements.md)
* [Detailed Example](walkthrough.md)
[Binary Authorization for Borg]: https://cloud.google.com/security/binary-authorization-for-borg
[OpenSSF Digital Identity WG]: https://github.com/ossf/wg-digital-identity-attestation
[feedback form]: https://forms.gle/93QRfUqF7YY2mJDi9
[mailing list]: https://groups.google.com/g/slsa-discussion
[salsa]: https://www.google.com/search?q=how+to+pronounce+salsa
Supply chain integrity attacks—unauthorized modifications to software
packages—have been
[on the rise](https://www.sonatype.com/hubfs/Corporate/Software%20Supply%20Chain/2020/SON_SSSC-Report-2020_final_aug11.pdf#page=7)
in the past two years, and are proving to be common and reliable attack vectors
that affect all consumers of software. The software development and deployment
supply chain is quite complicated, with numerous threats along the source ➞
build ➞ publish workflow. While point solutions do exist for some specific
vulnerabilities, there is no comprehensive end-to-end framework that both
defines how to mitigate threats across the software supply chain, and provides
reasonable security guarantees. There is an urgent need for a solution in the
face of the eye-opening, multi-billion dollar attacks in recent months (e.g.
[SolarWinds](https://www.solarwinds.com/sa-overview/securityadvisory),
[Codecov](https://about.codecov.io/security-update/)), some of which could have
been prevented or made more difficult had such a framework been adopted by
software developers and consumers.
Our proposed solution is
[Supply chain Levels for Software Artifacts](https://github.com/slsa-framework/slsa)
(SLSA, pronounced "salsa"), an end-to-end framework for ensuring the integrity
of software artifacts throughout the software supply chain. It is inspired by
Google's internal
"[Binary Authorization for Borg](https://cloud.google.com/security/binary-authorization-for-borg)"
which has been in use for the past 8+ years and is mandatory for all of Google's
production workloads. The goal of SLSA is to improve the state of the industry,
particularly open source, to defend against the most pressing integrity threats.
With SLSA, consumers can make informed choices about the security posture of the
software they consume.
IMPORTANT: SLSA is an evolving specification and we are looking for wide-ranging
feedback via GitHub issues,
[email](https://groups.google.com/g/slsa-discussion), or [feedback
form](https://forms.gle/93QRfUqF7YY2mJDi9). SLSA is being developed as part of
the
[OpenSSF Digital Identity WG](https://github.com/ossf/wg-digital-identity-attestation)
\ No newline at end of file
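Review bot: the new landing-page text duplicates two passages that already appear at the top of the README, so a reader hits the same material twice: the "IMPORTANT: SLSA is an evolving specification and we are looking for wide-ranging feedback ..." notice (once with reference-style links near the top, once again with inline links at the bottom) and the Binary Authorization for Borg sentence ("has been in use for the past 8+ years and is mandatory for all of Google's production workloads"). Keep a single copy of each, preferably the one that sits next to the Overview and Next sections so the link definitions ([mailing list], [feedback form], [OpenSSF Digital Identity WG]) keep resolving. Two smaller points in the same region: the final sentence "SLSA is being developed as part of the OpenSSF Digital Identity WG" has no terminating period, and the file ends without a trailing newline; and "on the rise in the past two years" is anchored to a 2020 report, so consider stating the years explicitly rather than a relative span that goes stale.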