  • All about that Base(line): How Cybersecurity Frameworks are Evolving with Foundational Guidance

    posted by Jennifer Privette on 25 Jul 2022

    In coordination with Aaron Bacchi, Emmy Eide, Melba Lopez, Brandon Lum, and Moshe Zioni

  • General Availability of SLSA 3 Go native builder for GitHub Actions

    posted by Laurent Simon, Asra Ali, Ian Lewis, Mark Lodato, Jose Palafox, Joshua Lock on 20 Jun 2022

    A couple of months ago, Google and GitHub demonstrated how to generate non-forgeable SLSA 3 provenance for packages/binaries created via GitHub Actions (1, 2). Since then, we’ve been working hard to turn the reference example into a production-ready system for everyone to use. Today, we’re announcing the v1 release of the trusted builders that can be used in GitHub Actions and verification tools.

  • SLSA for Success: Using SLSA to help achieve NIST’s SSDF

    posted by Isaac Hepworth, Meder Kydyraliev, Brandon Lum on 15 Jun 2022

    Since February’s release of the latest version of the Secure Software Development Framework (SSDF), software organizations have been poring over the dozens of best practices and tasks laid out by the National Institute of Standards and Technology (NIST) in response to last year’s Executive Order on Cybersecurity. Implementation is tough, though: the guidelines cover organizations of every size, level of cybersecurity sophistication, and operating environment. The descriptive requirements are not prioritized and are explicitly not meant to be a checklist to follow. Each organization must find its own way to interpret the recommendations for its particular needs.

  • SBOM + SLSA: Accelerating SBOM success with the help of SLSA

    posted by Brandon Lum, Isaac Hepworth, Meder Kydyraliev on 02 May 2022

  • SLSA Is No Free Lunch

    posted by Mike Lieberman on 11 Apr 2022

    “What is SLSA?” followed closely by “What does SLSA do for me?” are the two most common questions I get when people learn about SLSA. This has led to a lot of confusion as to how folks apply SLSA, and the benefits they get. You can’t just apply SLSA practices to a pipeline that runs a build, generate a SLSA attestation and magically be protected from supply chain compromise. Contrary to a lot of the hype being thrown around, SLSA is no free lunch, and we must help protect our lunch!

  • Introducing the SLSA Blog

    posted by SLSA Community on 08 Apr 2022

    We’re excited to launch our very own blog, from which we will be posting project news, documentation, and other information about SLSA. Stay tuned for more posts coming your way soon.