Major attacks forced Google to propose a new framework for prevention

Google has the solution that should prevent unauthorized modifications to the software

SLSA levels can help prevent software supply chain attacks.

Google has launched a new framework for supply chain integrity.[1] Supply chain Levels for Software Artifacts (SLSA) should ensure the integrity of individual software packages and help prevent unwanted alterations. Software supply chain attacks have become a real concern since incidents like the SolarWinds[2] hack affected people and industries worldwide.

SLSA is an end-to-end framework meant to secure the software development and deployment pipeline. It reduces insider risk by requiring authorized reviews wherever data is accessed. The design is inspired by Binary Authorization for Borg (BAB), a control Google has used for years; BAB is mandatory for all of Google's production workloads.[3]

A particular goal of SLSA is defense against supply chain integrity attacks.[4] These incidents have increased significantly over the past few years, and such issues are expected to become more dangerous. Google stresses that a proper framework for securing the complex supply chain is crucial.

Kim Lewandowski from Google's Open Source Security Team and Mark Lodato from the Binary Authorization for Borg team reported:

In its current state, SLSA is a set of incrementally adoptable security guidelines being established by industry consensus.

SLSA levels make it hard to compromise and gain any access

The new framework is designed to be both incremental and actionable. It has four levels, each adding software security measures and providing value at every step. Today it is difficult and, in most cases, impossible to trace an artifact back to its source. SLSA, by contrast, provides a high level of confidence that the software has not been tampered with and that it can be securely traced back to its source.

SLSA 1 – a basic level of source identification and vulnerability management. It offers no protection against tampering.

SLSA 2 – the level at which tampering can be prevented to a certain extent.

SLSA 3 – stronger protection against forging. Particular classes of malware, such as cross-build contamination, can be prevented.

SLSA 4 – the highest level to date; it requires a two-person review and protects the software from tampering.
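To make the four levels concrete, here is an added example (not code from the article or from the SLSA project) that evaluates a build artifact against a provenance record in the way a release gate might. The record layout, the field names and the mapping from fields to levels are assumptions that follow the level descriptions above, not SLSA's formal requirements or its real provenance schema: level 1 needs the source identified, level 2 a named build service, level 3 an isolated build, and level 4 two distinct reviewers. Any artifact whose digest does not match the record scores zero, because the record then says nothing about the file in hand.

```python
import hashlib

# Constructed sample artifact (a release file) and a provenance record that
# describes how it was built. The record layout and field names are an
# assumption for this illustration, not the real SLSA provenance schema.
ARTIFACT = b"print('hello from the release build')\n"

PROVENANCE = {
    # digest of the artifact the builder claims to have produced
    "subject_sha256": hashlib.sha256(ARTIFACT).hexdigest(),
    # where the source came from (level 1: source identification)
    "source": {
        "repo": "https://example.invalid/org/app.git",          # placeholder
        "commit": "0123456789abcdef0123456789abcdef01234567",  # placeholder
    },
    # which build service produced it and whether the build ran isolated
    "builder": {"id": "https://example.invalid/ci/hosted-builder",  # placeholder
                "isolated": True},
    # people who approved the change before it was built
    "reviews": {"approvers": ["alice", "bob"]},
}


def artifact_matches(artifact: bytes, prov: dict) -> bool:
    """Tamper check: the file we hold must hash to the digest recorded at build time."""
    return hashlib.sha256(artifact).hexdigest() == prov.get("subject_sha256")


def assess_level(artifact: bytes, prov: dict) -> int:
    """Return the highest level (0-4) that this record satisfies for this artifact.

    The field-to-level mapping is a simplified reading of the level
    descriptions in the article, not SLSA's formal requirements.
    """
    source = prov.get("source", {})
    builder = prov.get("builder", {})
    approvers = set(prov.get("reviews", {}).get("approvers", []))

    # A record whose digest does not match the file proves nothing about it.
    if not artifact_matches(artifact, prov):
        return 0
    # Level 1: the source repository and a full commit id are recorded.
    if not (source.get("repo") and len(source.get("commit", "")) == 40):
        return 0
    # Level 2: a named build service, not an unnamed machine, produced the record.
    if not builder.get("id"):
        return 1
    # Level 3: the build ran isolated, so one build cannot contaminate another.
    if not builder.get("isolated"):
        return 2
    # Level 4: at least two distinct people reviewed the change.
    if len(approvers) < 2:
        return 3
    return 4


def verify_release(artifact: bytes, prov: dict, required_level: int) -> bool:
    """Policy gate: accept the artifact only if it reaches the required level."""
    return assess_level(artifact, prov) >= required_level


if __name__ == "__main__":
    print("level of genuine artifact:", assess_level(ARTIFACT, PROVENANCE))
    # A one-byte change to the file invalidates the whole record.
    modified = ARTIFACT.replace(b"hello", b"HELLO")
    print("level of modified artifact:", assess_level(modified, PROVENANCE))
```

The digest comparison is what gives the tamper protection the higher levels promise: the record is only meaningful for the exact bytes it was issued for, so a gate that checks `verify_release(artifact, provenance, 3)` rejects both an altered file and a file built outside an isolated builder.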

Adopting all levels can be difficult, but it is crucial

Supply chain Levels for Software Artifacts is a practical framework for end-to-end software supply chain integrity. It is based on an already proven model that works at scale in one of the world's largest software engineering companies. According to Google's blog post,[5] reaching the highest SLSA level may be difficult for many projects, but the lower levels are still a good starting point for improvement. Even SLSA 1 can advance the security of open-source systems.

We look forward to working with the community on refining the levels as we begin adopting SLSA for our own open source projects.

Google tries to improve software security and help companies, developers, and customers keep their data and devices safe. The company constantly fixes[6] various flaws and releases improvements to prevent exploitation and cyber attacks. Zero-day vulnerabilities can lead to major incidents with arbitrary code execution on unpatched computers. Make sure to follow the recommendations of large security companies and other experts, whether you are an everyday user or a software developer.

About the author
Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.


References