Achieving SLSA Certification with a “Bring-Your-Own-Builder” Framework

Supply-chain Levels for Software Artifacts, or SLSA (pronounced “salsa”), is a security framework to reason about and improve the integrity of released artifacts. With the recent release of SLSA version 1.0, SLSA is seeing increased adoption, both from industry and open source projects. The framework provides guidelines and compliance programs for infrastructure providers to integrate SLSA requirements in their build platforms. However, implementing a SLSA-compliant builder requires expertise in both SLSA and the underlying platform used to build it.

Come to this talk to learn about recent work that allows you to wrap existing tools (in the form of a binary, a GitHub Action, or a container) into a SLSA-compliant builder with minimal effort on existing open-source CI/CD platforms. We will show how SLSA builders for several package managers, such as npm and Maven, are implemented with this framework on GitHub Actions. We will also report the lessons learned and the challenges we faced, in the hope that our experiences will help others implement trusted builders more effectively.

At the end of this talk, attendees will have enough background to make a tool attest to its output using SLSA provenance.


Speaker

Asra Ali

Software Engineer @Google

Asra is a Software Engineer at Google working on Privacy, Safety, and Security. Her primary focus is on developing a transpiler for Fully Homomorphic Encryption; on the side she contributes to the Google Open Source Security Team (GOSST), where she works on projects to improve software supply chain integrity. She's a maintainer of Sigstore projects and of open-source Supply-chain Levels for Software Artifacts (SLSA) tooling repositories. Previously, she worked on Envoy, fuzzing, and privacy-preserving technologies. She's passionate about making the internet a more private and secure space.


Date

Tuesday Jun 13 / 04:10PM EDT (50 minutes)

Location

Dumbo / Navy Yard

Topics

Software Supply Chain Security, Security, Open Source


From the same track

Session WebAssembly

Wasm: What is Universal Compute Good For?

Tuesday Jun 13 / 10:35AM EDT

WebAssembly represents the future of portable computing, providing an efficient and secure runtime for many languages. In the last year there has been an explosion of growth in Wasm on the backend, from managed platforms, tooling, and further standardization work around WASI.


Sean Isom

Senior Engineer @Adobe

Session jvm

Virtual Threads for Lightweight Concurrency and Other JVM Enhancements

Tuesday Jun 13 / 02:55PM EDT

Concurrent applications, those serving multiple independent application actions simultaneously, are the bread and butter of server-side programming. The thread has long been software’s primary unit of concurrency, and has also served as a core construct for observability and debugging, but i


Ron Pressler

Technical Lead, OpenJDK's Project Loom @Oracle

Session WebAssembly

Build Features Faster With WebAssembly Components

Tuesday Jun 13 / 01:40PM EDT

Wasm modules revolutionized portable application code. For the first time, they allowed us to write in a high-level language - like Go or Rust - and then target WebAssembly as the platform-agnostic bytecode.


Bailey Hayes

Director @Cosmonic

Session Security

Sigstore: Secure and Scalable Infrastructure for Signing and Verifying Software

Tuesday Jun 13 / 11:50AM EDT

Sigstore is an open-source project that aims to provide a transparent and secure way to sign and verify software artifacts.


Billy Lynch

Staff Software Engineer @Chainguard


Zack Newman

Research Scientist @Chainguard

Session Software Supply Chain Security

Securing the Software Supply Chain: How in-toto and TUF Work Together to Combat Supply Chain Attacks

Tuesday Jun 13 / 05:25PM EDT

Software supply chain attacks have seen a 742% increase in the last three years. in-toto is a battle-tested and broadly deployed CNCF incubated project that counters these threats.


Marina Moore

PhD Candidate @NYU & Tech Lead for CNCF's TAG Security