What are Supply chain Levels for Software Artifacts, or SLSA (SALSA)?

August 1, 2022 | Podcast, Software
Read Time: 08:00

Hello everybody and welcome back to the Cognixia podcast. In this podcast, every week we pick a topic relating to emerging technologies – the latest developments, how-to guides, and Q&As, among other things – and discuss it in more detail to help our listeners learn something new. We appreciate everybody who tunes in to our podcasts and listens to us; we hope we can help you in some way.

In today’s episode, we talk about a burning issue and a need of the hour: security. Security can be about many different elements across the value chain, whether software artifacts, data, information, the cloud, or anything else. Today, we will talk about the security and integrity of software artifacts, and then dig deeper into what SLSA is. If you have been keeping up with the news, you will probably have heard that Kubernetes achieved SLSA Level 1 compliance and that the community is now working towards SLSA Level 3 compliance. Some of our listeners asked us about it, so we decided to dedicate an episode to the security and integrity of software artifacts and the SLSA compliance levels.

As a software developer, one of the biggest challenges you face is making informed choices about which external software and products to use in your builds. It can be quite challenging to determine whether a system you are building is appropriately secured, and it becomes even more challenging when an external entity or third party is involved.
As technology advances, systems become increasingly vulnerable. To keep up with the growing need to maintain the security and integrity of software artifacts, Google, in collaboration with the OpenSSF, came up with SLSA.

This brings us to the million-dollar question of today’s podcast episode –

What is Supply Chain Levels for Software Artifacts (SLSA)?

SLSA stands for Supply chain Levels for Software Artifacts. It is a security framework, a checklist of standards and controls of sorts, to prevent tampering, improve integrity, and secure packages and infrastructure in your projects, businesses, or enterprises. SLSA, in a way, represents how you can go from being safe enough to being as resilient as possible, no matter where you stand in the software supply chain. No matter what software you are building, a vulnerability can arise at any stage of the software supply chain. The more complex a system becomes, the more important it is to have the necessary checks and best practices in place to ensure that artifact integrity is maintained and that the source code the development team is counting on is the code that is actually being used. To ensure all this, you need solid foundations and proper plans in place to scale up as the system scales. Without them, it becomes extremely difficult to focus your efforts on tomorrow’s hacks, breaches, and compromises, and the system only becomes more vulnerable to these attacks.

This is where SLSA steps in. SLSA is a set of guiding principles not just for software producers but also for software consumers. Software producers can use SLSA to make their software more secure, while software consumers can make informed decisions based on a software package’s security posture.

SLSA is organized into a series of levels that provide increasing integrity guarantees. This, in turn, gives all stakeholders confidence that the software has not been tampered with and can be traced back to its source. The SLSA levels are like a common language that development teams across the globe can use to discuss securing software, supply chains, or even individual components. The levels extend from the source to the system, and they blend industry-recognized best practices to deliver four SLSA compliance levels with increasing assurance at each level. The SLSA compliance levels cover builds, sources, and dependencies in open-source as well as licensed commercial software.

What are the four Supply Chain Levels for Software Artifacts (SLSA) compliance levels?

  • SLSA Level 1:

    The first level of SLSA compliance is relatively easy to adopt. It gives you supply chain visibility and gets you generating provenance. This level requires the build process to be fully scripted or automated and to generate provenance. Here, provenance is the metadata about how a software artifact was built: the build process, the top-level source, its dependencies, and so on. When a software consumer knows the provenance of an artifact, they can make informed, risk-based security decisions. However, it is important to note that at SLSA Level 1, provenance does not provide a tamper-proof guarantee; instead, it offers a basic level of code source identification while also aiding in vulnerability management.

  • SLSA Level 2:

    The second level of SLSA compliance is where the framework starts to protect software against tampering, while also adding minimal build integrity guarantees. SLSA Level 2 requires the use of version control and a hosted build service that generates authenticated provenance. This additional requirement gives consumers more confidence in the origin of the software. Besides this, SLSA Level 2 also provides an easy upgrade path to SLSA Level 3.

  • SLSA Level 3:

    The third level of SLSA compliance focuses on hardening the infrastructure against attacks, and it involves placing more trust in the platforms that make up these complex systems. At SLSA Level 3, the source and build platforms meet specific standards to guarantee the auditability of the source and the integrity of the provenance, respectively. SLSA Level 3 offers much stronger protection against tampering than the earlier levels by preventing specific classes of threats, such as cross-build contamination. This is the level that the Kubernetes community is currently working towards.

  • SLSA Level 4:

    The highest level of SLSA compliance provides the strongest assurances of build integrity and puts measures for dependency management in place. SLSA Level 4 requires a two-person review of all changes and a hermetic, reproducible build process. Two-person review is an industry best practice that is immensely helpful in catching errors and deterring undesirable behavior. Hermetic builds guarantee that the provenance’s list of dependencies is complete. Reproducible builds are beneficial from an auditability and reliability perspective. SLSA Level 4 also gives consumers a very high level of confidence that the software they are choosing has not been tampered with.
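To make the Level 1 and Level 2 ideas concrete (provenance that records what was built, from which source and which dependencies, and then authenticated provenance that a consumer can check before trusting an artifact), here is an added example. It is not code from the Cognixia podcast or from the SLSA project. It follows the shape of an in-toto Statement carrying the SLSA provenance v0.2 predicate, but the builder identifier, source URI, build type, dependency name and the artifact bytes are all constructed for the example, and an HMAC over the canonical JSON stands in for the asymmetric signature a real hosted build service would produce.

```python
"""Added example: build a SLSA-style provenance statement for an artifact,
authenticate it, and verify it on the consumer side before accepting the artifact.
Not the page's or the SLSA project's code. HMAC is a stand-in for a real signature."""
import hashlib
import hmac
import json
from typing import Any

STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"   # real in-toto statement type
PREDICATE_TYPE = "https://slsa.dev/provenance/v0.2"    # real SLSA provenance predicate type
BUILD_TYPE = "https://example.invalid/hypothetical-build/v1"  # constructed for this example


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_provenance(artifact_name: str, artifact: bytes, builder_id: str,
                     source_uri: str, source_commit: str,
                     materials: dict[str, bytes]) -> dict[str, Any]:
    """Level 1 style provenance: what was built, by whom, from which source,
    and from which materials (dependencies). Every input is pinned by digest."""
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": artifact_name, "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": PREDICATE_TYPE,
        "predicate": {
            "builder": {"id": builder_id},
            "buildType": BUILD_TYPE,
            "invocation": {"configSource": {"uri": source_uri, "digest": {"sha1": source_commit}}},
            "materials": [{"uri": uri, "digest": {"sha256": sha256_hex(content)}}
                          for uri, content in sorted(materials.items())],
        },
    }


def sign_statement(statement: dict[str, Any], key: bytes) -> dict[str, str]:
    """Level 2 style authenticated provenance: the builder commits to the statement
    with a key only it holds. Canonical JSON so the consumer re-derives the same bytes."""
    payload = json.dumps(statement, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": tag}


def verify_artifact(artifact: bytes, envelope: dict[str, str], key: bytes,
                    trusted_builders: set[str]) -> tuple[bool, str]:
    """Consumer-side policy: authenticate first, then check the claims. Returns (accepted, reason)."""
    expected = hmac.new(key, envelope["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope["signature"]):
        return False, "provenance signature invalid"
    stmt = json.loads(envelope["payload"])
    if stmt.get("predicateType") != PREDICATE_TYPE:
        return False, "unexpected predicate type"
    subject_digests = {s["digest"].get("sha256") for s in stmt.get("subject", [])}
    if sha256_hex(artifact) not in subject_digests:
        return False, "artifact digest does not match provenance subject"
    builder = stmt["predicate"]["builder"]["id"]
    if builder not in trusted_builders:
        return False, f"untrusted builder: {builder}"
    if not stmt["predicate"].get("materials"):
        return False, "provenance lists no materials"
    return True, "ok"


# Constructed sample data: a fake artifact, one fake dependency, a fake builder key.
SAMPLE_KEY = b"constructed-builder-key"
SAMPLE_ARTIFACT = b"binary contents of example-app v1.0 (constructed)"
SAMPLE_MATERIALS = {"pkg:pypi/example-dep@1.2.3": b"constructed dependency contents"}
TRUSTED_BUILDER = "https://example.invalid/hosted-builder"  # hypothetical builder id
TRUSTED = {TRUSTED_BUILDER}


def demo() -> tuple[bool, str]:
    stmt = build_provenance("example-app-1.0.tar.gz", SAMPLE_ARTIFACT, TRUSTED_BUILDER,
                            "git+https://example.invalid/org/example-app",
                            "0" * 40, SAMPLE_MATERIALS)
    env = sign_statement(stmt, SAMPLE_KEY)
    return verify_artifact(SAMPLE_ARTIFACT, env, SAMPLE_KEY, TRUSTED)


if __name__ == "__main__":
    print(demo())
```

The order of checks in `verify_artifact` is the point: the signature is checked before any field is read, so a tampered statement is rejected without trusting its contents, and the artifact digest is compared against the subject so a swapped binary fails even if the provenance itself is genuine. Without the authentication step this is exactly the Level 1 situation the episode describes: useful metadata, but no tamper-proof guarantee.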

One very important thing we need to mention here is that SLSA levels are not transitive: each software artifact’s SLSA level is assessed on its own, independently of the levels of the artifacts it depends on. This allows teams to make progress in parallel and to prioritize effectively based on risk.

At this point, we need to answer one very important question.

Who is the Supply Chain Levels for Software Artifacts (SLSA) for?

Now, you could be a developer, a business, or an enterprise, and SLSA would still be suitable for you. SLSA compliance levels provide an industry standard: a recognizable level of protection and compliance. SLSA is adaptable and is designed with the wider security ecosystem in mind. It is easy for just about anybody to adopt and use.

So, no matter what you are developing, the SLSA standards will be helpful for you. They work very well with DevOps and all the other standards and frameworks your organization already follows for good development practices.

Security, after all, cannot be an afterthought; it has to be woven into the process right from the beginning.

And with that, we come to the end of this week’s episode. If you are looking for DevOps certifications to validate your skills, do talk to us to learn more about our live, instructor-led, online learning solutions. Until next week then. Happy learning!
