The speed and innovation benefits of open source software have made it an essential element of modern software development, despite the multiple attack vectors through which malware can be introduced into an Independent Software Vendor’s (ISV) organization and then propagated downstream to its customers.
It’s this force multiplier – a single cyberattack on a major ISV that can compromise tens of thousands of end user companies – that caused President Biden to issue an executive order. In response, Google launched an initiative that has since become an industry-wide collaboration: Supply chain Levels for Software Artifacts (SLSA), a security framework designed to:
- Prevent tampering within the software development process
- Improve the integrity of built artifacts
- Ensure the security of open source packages
- Secure the infrastructure your projects rely on
ActiveState is committed to helping developers ensure the security and integrity of the open source language packages they use in their software development processes. With our ActiveState Platform, we’re delivering all the controls required to generate SLSA Level 4 artifacts for the open source language runtime environments your projects rely on.
This paper introduces each of the SLSA criteria and details how ActiveState can help you meet all requirements up to and including the highest level of security and integrity: SLSA Level 4.
Check out these additional resources to learn more about securing your software supply chain with SLSA: