Commit 160f3901 authored by Kara Olive's avatar Kara Olive

Update landing page to use language from blogpost

parent 82bfd093
# SLSA: Supply-chain Levels for Software Artifacts # SLSA: Supply-chain Levels for Software Artifacts
Supply-chain Levels for Software Artifacts (SLSA, pronounced _[salsa]_) is an Supply chain integrity attacks—unauthorized modifications to software
end-to-end framework for ensuring the integrity of software artifacts throughout packages—have been
the software supply chain. The requirements are inspired by Google’s internal [on the rise](https://www.sonatype.com/hubfs/Corporate/Software%20Supply%20Chain/2020/SON_SSSC-Report-2020_final_aug11.pdf#page=7)
"[Binary Authorization for Borg]" that has been in use for the past 8+ years and in the past two years, and are proving to be common and reliable attack vectors
that is mandatory for all of Google's production workloads. that affect all consumers of software. The software development and deployment
supply chain is quite complicated, with numerous threats along the source ➞
**IMPORTANT:** SLSA is an evolving specification and we are looking for build ➞ publish workflow. While point solutions do exist for some specific
wide-ranging feedback via GitHub issues, [mailing list], or [feedback form]. vulnerabilities, there is no comprehensive end-to-end framework that both
SLSA is being developed as part of the [OpenSSF Digital Identity WG]. defines how to mitigate threats across the software supply chain, and provides
reasonable security guarantees. There is an urgent need for a solution in the
## Overview face of the eye-opening, multi-billion dollar attacks in recent months (e.g.
[SolarWinds](https://www.solarwinds.com/sa-overview/securityadvisory),
SLSA consists of: [Codecov](https://about.codecov.io/security-update/)), some of which could have
been prevented or made more difficult had such a framework been adopted by
1. **[Standards](requirements.md):** Industry consensus on the definition of a software developers and consumers.
"secure" software supply chain. There may be multiple standards to represent
multiple aspects of security. Our proposed solution is
2. **Accreditation:** Process for organizations to certify compliance with [Supply chain Levels for Software Artifacts](https://github.com/slsa-framework/slsa)
these standards. (SLSA, pronounced "salsa"), an end-to-end framework for ensuring the integrity
3. **[Technical controls](controls/README.md):** To record provenance and of software artifacts throughout the software supply chain. It is inspired by
detect or prevent non-compliance. Google's internal
"[Binary Authorization for Borg](https://cloud.google.com/security/binary-authorization-for-borg)"
Ultimately, the software consumer decides whom to trust and what standards to which has been in use for the past 8+ years and is mandatory for all of Google's
enforce. In this light, accreditation is a means to transfer trust across production workloads. The goal of SLSA is to improve the state of the industry,
organizational boundaries. For example, a company may internally "accredit" its particularly open source, to defend against the most pressing integrity threats.
in-house source and build systems while relying on OpenSSF to accredit With SLSA, consumers can make informed choices about the security posture of the
third-party ones. Other organizations may trust other accreditation bodies. software they consume.
## Next IMPORTANT: SLSA is an evolving specification and we are looking for wide-ranging
feedback via GitHub issues,
* [What is SLSA?](about.md) [email](https://groups.google.com/g/slsa-discussion), or [feedback
* [SLSA Requirements](requirements.md) form](https://forms.gle/93QRfUqF7YY2mJDi9). SLSA is being developed as part of
* [Detailed Example](walkthrough.md) the
[OpenSSF Digital Identity WG](https://github.com/ossf/wg-digital-identity-attestation)
[Binary Authorization for Borg]: https://cloud.google.com/security/binary-authorization-for-borg \ No newline at end of file
[OpenSSF Digital Identity WG]: https://github.com/ossf/wg-digital-identity-attestation
[feedback form]: https://forms.gle/93QRfUqF7YY2mJDi9
[mailing list]: https://groups.google.com/g/slsa-discussion
[salsa]: https://www.google.com/search?q=how+to+pronounce+salsa
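Review bot: The rewrite drops the whole "## Overview" list (Standards, Accreditation, Technical controls) and the "## Next" section, so the landing page no longer links to requirements.md, controls/README.md, about.md or walkthrough.md; keep a short navigation block under the new introduction so readers can still reach the requirements and the walkthrough. Two smaller points in the same region: the new expansion reads "Supply chain Levels for Software Artifacts" while the heading keeps "Supply-chain Levels", and the new file ends without a trailing newline (the "\ No newline at end of file" marker after the Binary Authorization link).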