SLSA and FRSCA: Beyond Snacks and Soda! - Christopher Hanson, RX-M, llc.
Abstract
As the systems where we build software grow in complexity and interconnectedness, so do the potential risks. Ensuring the security of the software supply chain has therefore become a critical concern for any organization providing or consuming build platforms or packaging infrastructure. To address this concern, the Supply-chain Levels for Software Artifacts (SLSA) framework provides a set of guidelines that help organizations articulate how secure their systems are. This talk will begin by discussing the concepts of the SLSA framework: tracks, levels, and requirements. We will then build artifacts using a build system based on open source tooling from the Factory for Repeatable Secure Creation of Artifacts (FRSCA) reference implementation to demonstrate how to iteratively achieve increasing SLSA build levels. By the end, attendees should be able to begin assessing the security of their own organization's software development and distribution processes and have a vocabulary for improvement goals.