Google launches new platform to help prevent Supply Chain attacks
The SolarWinds and Codecov security incidents have raised concerns about supply chain attacks. To ensure the integrity of software packages and prevent unauthorized modification, Google has come up with a solution called SLSA.
SLSA helps keep the entire software development and deployment process secure. As a result, it reduces threats arising from unauthorized activities such as tampering with source code or tampering with the software build platform.
In essence, SLSA is inspired by Google's internal process called Binary Authorization for Borg. This process includes a suite of tools to test and verify the origin of code and implement code identification to ensure that the software has been properly evaluated and authorized before deployment.
SLSA will be implemented to varying degrees. At higher levels, SLSA requires stronger security controls for the software build platform, which makes it much harder for attackers to break in.
To implement SLSA, Google hopes for the cooperation of all agencies and businesses in the software industry. Google is also willing to share the technical documents and standards partners need to apply SLSA to their systems.
Google acknowledges that the highest SLSA standards are difficult to achieve for most projects. However, adopting lower levels of SLSA would also increase security and pave the way for improved security of the open source ecosystem.