CHAPTER 7
Existing and Emerging Commercial Guidance

As the conversation around software supply chain security has matured, many organizations have begun providing robust guidance, frameworks, and resources to help the industry bolster its security posture against this class of attack. In the coming chapters, we discuss some of these resources and the organizations that provide them, including the Cloud Native Computing Foundation (CNCF), the National Security Agency (NSA), and the National Institute of Standards and Technology (NIST), among several others.

Supply Chain Levels for Software Artifacts

With the increase of software supply chain attacks, it became clear that there was a need for a comprehensive end-to-end framework for defining both software supply chain attacks and methods for mitigation. In June 2021, the Google Open Source Security Team launched the Supply Chain Levels for Software Artifacts (SLSA) effort (https://security.googleblog.com/2021/06/introducing-slsa-end-to-end-framework.html). The effort's goal is to ensure that the integrity of software artifacts is maintained throughout the software supply chain life cycle.

SLSA includes four levels; each successive level provides stronger integrity assurances but demands correspondingly greater maturity and rigor from the organizations implementing it. Organizations have various needs that guide the SLSA levels they pursue, driven by their specific industry and regulatory or security requirements. Much like other security endeavors, ...
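The integrity goal described above is realized in practice through build provenance: a statement, generated by the build system, that records which builder produced an artifact and binds that artifact by its cryptographic digest. The following added example (not from the book) goes beyond the text to show the consumer-side check in Python: it constructs a sample artifact and a SLSA provenance v0.2 statement in the in-toto Statement layout, then verifies that the statement covers the artifact's SHA-256 digest and names a trusted builder. The artifact bytes, builder identifiers and repository URIs are constructed placeholders, and signature verification of the enclosing DSSE envelope is assumed to happen before this check.

```python
import hashlib
import json

# Constructed sample artifact and builder allowlist (placeholders, not real values).
ARTIFACT = b"example release tarball bytes\n"
TRUSTED_BUILDERS = {"https://example.com/builders/hosted-ci@v1"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# A SLSA provenance v0.2 statement in the in-toto Statement layout, constructed
# inline so the example runs offline. A real verifier first checks the DSSE
# envelope signature over this payload; that step is assumed done here.
PROVENANCE = json.dumps({
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{"name": "release.tar.gz",
                 "digest": {"sha256": sha256_hex(ARTIFACT)}}],
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "predicate": {
        "builder": {"id": "https://example.com/builders/hosted-ci@v1"},
        "buildType": "https://example.com/build-types/container@v1",
        "invocation": {"configSource": {
            "uri": "git+https://example.com/org/repo@refs/tags/v1.0.0"}},
    },
})


def verify_provenance(artifact: bytes, name: str, statement_json: str,
                      trusted_builders: set[str]) -> tuple[bool, str]:
    """Check that the statement binds `artifact` and came from a trusted builder."""
    stmt = json.loads(statement_json)
    if stmt.get("predicateType") != "https://slsa.dev/provenance/v0.2":
        return False, "unexpected predicate type"
    digest = sha256_hex(artifact)
    # The subject list may cover several artifacts; match ours by name and digest
    # so a tampered artifact (different bytes, same name) is rejected.
    matched = any(s.get("name") == name and s.get("digest", {}).get("sha256") == digest
                  for s in stmt.get("subject", []))
    if not matched:
        return False, "artifact digest not in provenance subjects"
    builder = stmt.get("predicate", {}).get("builder", {}).get("id")
    if builder not in trusted_builders:
        return False, f"untrusted builder: {builder}"
    return True, "ok"


if __name__ == "__main__":
    print(verify_provenance(ARTIFACT, "release.tar.gz", PROVENANCE, TRUSTED_BUILDERS))
```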
