ActiveState enables organizations to achieve Level 3 SLSA compliance through a hardened build service and automatically generated Provenance

VANCOUVER, BC, April 26, 2023 /PRNewswire/ — Today, ActiveState announced the availability of the security industry’s most complete provenance solution for open source languages. ActiveState already provides secure open source dependencies for organizations that need to comply with software supply chain security requirements, such as those laid out in President Biden’s Executive Order 14028 (EO 14028).  Those security-conscious organizations will now also benefit from ActiveState’s software attestations, Software Bill Of Materials (SBOMs) and hardened build service – features that also deliver the highest level of Supply chain Levels for Software Artifacts (SLSA) Level 3 compliance out of the box.  ActiveState released these capabilities to support Developers, DevSecOps and Application Security teams as pressure continues to mount around the implementation of supply chain security and proactive protection of public and private code repositories. 

The SLSA 1.0 framework’s three Build Levels provide security implementation teams with vendor-agnostic guidelines on how to securely import third-party code and create secure builds in order to realize supply chain security.  Key to this process is the introduction of Provenance Attestations, which provide organizations with the ability to gauge the risk of the third-party packages, libraries and code they import. Provenance must allow for component-level auditing back to source, which organizations can then use to prevent vulnerable or insecure packages from infiltrating critical infrastructure.

“One universal truth in software development; you can’t optimize what you can’t measure,” said Scott Robertson, CTO of ActiveState. “This is why SLSA is exciting, since it provides the data in a machine-readable form that we need to validate the chain of custody from the code authors to the binaries we deploy in production systems. By independently verifying who built the packages we import and how they were built, we can now reason about the provenance of what we deploy in our most sensitive operating environments. This is a foundational step for all of us with a vested interest in secure supply chains and building code securely; Engineers, DevOps teams, Compliance and AppSec and the C-Suite. We, as a development community, have learned that there are consequences to trusting code without verifying its origins and contributors, which is what we built the ActiveState Platform to do.”

“We have prioritized the capabilities that regulated industries need in order to quickly and easily go from zero observability to proactive security,” said Loreli Cadapan, who was recently promoted to Chief Product Officer at ActiveState.  “We will continue to build out our package ecosystem and compliance-oriented features to support developers that want to use open source freely and security teams that want to let their devs code fearlessly.”

ActiveState has made automatically generated, machine-readable provenance simple and accessible via the ActiveState Platform. Interested participants can join a free Early Access Program for our Software Attestations available until May 15, 2023.

ActiveState customers also benefit from a catalog of hundreds of thousands of trusted and verified packages for Python, Perl, Ruby and Tcl, including versions of these languages that are no longer supported by the community, like Python 2.7.  Learn more about how to secure your software supply chain for your entire development organization and get up to date with security best practices at https://www.activestate.com/get-slsa/.

ActiveState is the de-facto standard for millions of developers around the world who have been using our  commercially-backed,  secure  open  source  solutions  for  over  20  years.  Automatically build  secure  open  source  language  runtime  environments  (such  as  Python,  Perl,  Ruby  and  more)  from  source  code  for  Windows,  Linux  or  Mac—all  without  requiring  language or operating system expertise.  Visit www.activestate.com to learn more about how to secure your software supply chain.

©2023, ActiveState, Inc. All rights reserved.