Achieving SLSA Level 3 is crucial for software producers to ensure their build and delivery process is tamper-proof and safeguarded against supply chain attacks. In this blog post, we will explore SLSA, its various levels, and how you can efficiently achieve SLSA Level-3 compliance using Harness Continuous Integration (CI) and Software Supply Chain Assurance (SSCA) modules.
Introduction
The rise of software supply chain attacks, including notable incidents like SolarWinds and Codecov, underscores the critical risks throughout the software delivery ecosystem. These attacks demonstrate the potential to compromise software integrity at any stage of the software delivery process, resulting in severe and costly consequences for software producers, consumers, and users alike. For instance, the SolarWinds attack disrupted operations for government agencies and many Fortune 500 companies, resulting in substantial financial costs.
In response to a growing number of software supply chain threats, the Software Supply Chain Levels for Software Artifacts or SLSA (pronounced "salsa”) was defined. SLSA is a security framework originally developed by Google to protect the integrity of software artifacts throughout their lifecycle; it is a means of evaluating the trustworthiness of a software artifact. In 2021, stewardship of SLSA transitioned to the Open Source Security Foundation (OpenSSF). SLSA is set up as a sequence of levels, each increasing the security of the software supply chain. This approach assures that the software is protected from tampering and can be confidently traced back to its original source.
Why is SLSA so important?
Mitigates supply chain attacks: SLSA helps prevent unauthorized alterations and ensures software integrity from development to delivery.
Builds trust with consumers: By adhering to SLSA, producers can assure customers that their software is secure and trustworthy.
Enhances software transparency: SLSA’s guidelines improve traceability, allowing software to be confidently traced back to its source.
Enables compliance with EO 14028: Aligning with SLSA helps meet some of the requirements of Executive Order 14028 on improving the nation's cybersecurity.
Proactive defense strategy: Adopting SLSA is a proactive step towards protecting against emerging threats targeting the software supply chains.
Achieve SLSA Levels with Harness SSCA
Harness recognizes the challenges of securing software supply chains and ensuring artifact integrity, so we built the Software Supply Chain Assurance (SSCA) module. SSCA enables customers to meet all SLSA levels(L1, L2, L3) in the build track. Let's dive into the details of each level, its requirements, and how Harness SSCA helps you achieve them.
Build L1 - Provenance shows how the package was built
SLSA Requirements:
Software producer follows a consistent build process so that others can form expectations about what a “correct” build looks like.
Provenance exists, describing how the artifact was built, including the build platform, build process, and top-level inputs.
Software producer distributes provenance to consumers, preferably using a convention determined by the package ecosystem.
Achieving SLSA-L1 compliance with Harness SSCA:
The Harness SSCA module automatically generates detailed provenance, which outlines the build platform, process, and top-level inputs involved in creating the artifact. This provenance can be downloaded or distributed as needed. To explore this feature, please refer to the detailed instructions on generating SLSA provenance.
(The image shows the Provenance details of the build process in the Harness CI pipeline)
Build L2 - Signed provenance, generated by a hosted build platform
SLSA Requirements:
Build platform runs on dedicated infrastructure, not an individual’s workstation, and the provenance is tied to that infrastructure through a digital signature.
Downstream verification of provenance includes validating the authenticity of the provenance.
Achieving SLSA-L2 compliance with Harness SSCA:
Organizations can connect their hosted infrastructure with Harness to execute builds.
Following the in-toto attestation framework with cosign, Harness digitally signs the generated provenance, ensuring its authenticity and integrity. Refer to generate SLSA provenance for the implementation.
Downstream systems can verify provenance attestation, validate authenticity, and secure the supply chain against unauthorized changes. To try this out, refer to Verify SLSA provenance document.
(The image shows the digitally signed provenance attestation in the artifact’s container registry)
Prevent runs from influencing one another, even within the same project.
Prevent secret material used to sign the provenance from being accessible to the user-defined build steps.
Achieving SLSA-L3 with Harness SSCA:
The Harness CI Cloud environment is designed to isolate build processes, preventing any potential influence between runs. The hosted containerized step in Harness CI restricts build steps to access the provenance key information in compliance with SLSA specifications.
Here’s a complete overview of the process.
Conclusion
With Harness SSCA, organizations can attain SLSA Level 3 compliance, fulfilling all of the prescriptive requirements as outlined in the SLSA v1.0 specification. This ensures that tampering by hackers during the build process is effectively prevented. When this capability is combined with open-source governance through SBOM (Software Bill of Materials) lifecycle management, it results in the most advanced platform-based shift-left supply chain security solutions available today.
.svg)
.png)
.svg){kind=small}
