Open source software, while at the heart of over 80% of all modern development, has also become globally recognized as a supply chain risk. The opportunity for malicious actors to leverage attack vectors particular to open source has grown in kind with the explosive popularity of public repositories like PyPI and RubyGems and the libraries and packages they contain. Add to this that it is both implausible and unscalable to expect maintainers to check for and remediate security vulnerabilities in their community’s projects, or for developers to reliably update dozens or hundreds of dependencies before writing their first line of code.

The world collectively started to take supply chain security (or 3SC) seriously in 2020, after the SolarWinds attack very publicly devastated not only the U.S. Government but also some 18,000 other customers. The collective security world realized all at once that if it could happen in some of the most regulated environments, it could happen to anyone.

What has come of this realization is a diverse (and oft-confusing) set of solutions and frameworks designed to provide security checkpoints at various points in the dependency, source, build, and deployment stages of the app lifecycle. When it comes to solutions, the traditional SCA tooling, as well as the “AST” toolset for infrastructure, dynamic and static testing, has emerged with varying scopes and capabilities. Among the most notable frameworks are the Secure Software Development Framework (SSDF), the Software Assurance Maturity Model (SAMM), and now Supply Chain Levels for Software Artifacts (SLSA).

So customers frequently ask us where to start, and which (if any) combination of frameworks and tools will work for a specific set of security requirements. While there is no one-size-fits-all security magic wand, we do recommend SLSA highly as a framework that is actionable, scalable and proactive at the highest levels. In combination with the right tooling that covers each step of your build and deployment process, we believe SLSA provides the best protection against different types of supply chain attacks. Here’s why the SLSA framework prevents attacks.

Reason 1: SLSA keeps it simple with its framing of supply chain best practices