• Executive Order on Secure Supply Chain — in Plain English

    Guest post by Isaac Hepworth on 26 Sep 2022

    You may have heard about EO 14028, the “Executive Order on Improving the Nation’s Cybersecurity”, which mandates the establishment of minimum supply chain security standards for all software consumed by the US government. On September 14th the White House Office of Management and Budget (OMB) issued a memorandum setting firm and aggressive timelines for implementation of guidelines stemming from the EO, and you might reasonably be wondering what it all means. If so, this post is for you. We’re going to try to lay it out in plain English and share steps to help you get ready to meet the timelines

  • General availability of SLSA3 Generic Generator for GitHub Actions

    by Ian Lewis, Laurent Simon, Asra Ali on 29 Aug 2022

    A few months ago Google and GitHub announced the release of a Go builder that would help software developers and consumers more easily verify the origins of software by using verification files known as provenance. Since then, the SLSA community has been working to enable provenance generation for other projects that may use any number of languages or build tools. Today, we’re pleased to announce that we’re adding a new tool to generate similar provenance documents for projects developed in any programming language, while keeping your existing building workflows.

  • All about that Base(line): How Cybersecurity Frameworks are Evolving with Foundational Guidance

    Guest post by Jennifer Privette on 25 Jul 2022

    In coordination with Aaron Bacchi, Emmy Eide, Melba Lopez, Brandon Lum, and Moshe Zioni

  • General Availability of SLSA 3 Go native builder for GitHub Actions

    by Laurent Simon, Asra Ali, Ian Lewis, Mark Lodato, Jose Palafox, Joshua Lock on 20 Jun 2022

    A couple of months ago, Google and GitHub demonstrated how to generate non-forgeable SLSA 3 provenance for packages/binaries created via GitHub Actions (1, 2). Since then, we’ve been working hard to turn the reference example into a production-ready system for everyone to use. Today, we’re announcing the v1 release of the trusted builders that can be used in GitHub Actions and verification tools.

  • SLSA for Success: Using SLSA to help achieve NIST’s SSDF

    Guest post by Isaac Hepworth, Meder Kydyraliev, Brandon Lum on 15 Jun 2022

    Since February’s release of the latest version of the Secure Software Development Framework’s (SSDF), software organizations have been poring over the dozens of best practices and tasks laid out by the National Institute of Standards and Technology (NIST) in response to last year’s Executive Order on Cybersecurity. Implementation is tough, though: the guidelines cover organizations of all sizes, cybersecurity sophistication, and operating environment. The descriptive requirements are not prioritized and explicitly not meant to be a checklist to follow. Each organization must find ways to interpret the recommendations for their particular needs.

  • SBOM + SLSA: Accelerating SBOM success with the help of SLSA

    Guest post by Brandon Lum, Isaac Hepworth, Meder Kydyraliev on 02 May 2022

  • SLSA Is No Free Lunch

    Guest post by Mike Lieberman on 11 Apr 2022

    “What is SLSA?” followed closely by “What does SLSA do for me?” are the two most common questions I get when people learn about SLSA. This has led to a lot of confusion as to how folks apply SLSA, and the benefits they get. You can’t just apply SLSA practices to a pipeline that runs a build, generate a SLSA attestation and magically be protected from supply chain compromise. Contrary to a lot of the hype being thrown around, SLSA is no free lunch, and we must help protect our lunch!

  • Introducing the SLSA Blog

    by SLSA Community on 08 Apr 2022

    We’re excited to launch our very own blog, from which we will be posting project news, documentation, and other information about SLSA. Stay tuned for more posts coming your way soon.