- Watch Out For the Ruling Trends in Mobile Game App Development
- Essential Tips to Help You Create Successful Game Apps
- Fintech vs Techfin: Where Does the Future of Banking Lies?
- Vulnerability Management Process: The Crucial Way to Maintain Your Cyber Security Posture
- Why React Native Framework is the Right Choice for Hybrid App Development
- Why Do You Need Financial Software Development Service for Your Business
- Importance of Fintech Solutions in This Digital Age
- Learn Why it Important To Integrate Content Marketing & SEO
- How Mobile Apps Are Making A Difference in Real Estate Industry
- 10 Useful Tips to Create Highly Engaging Social Media Content
- Building A Website Gets Easy Without Coding
- Five Main Stages of Game Development
- Top SEO Trends You Must Follow in 2022
- Things to Learn for High-End App Development in 2022
- The Right Strategy to Make Your Mobile App Equipped with Sound Social Networking Tools
- 6 Common Mistakes in Ecommerce Website Development To Avoid
- The Year 2021 and The Challenges In Cybersecurity Industry
- Top Benefits of Having an Impactful UI/ UX Design For Your App
- Useful SEO Tips For Small Businesses Website Optimization
- Know The Different Channels Important To Build Your Online Reputation
- Structured Data: An Important Tool in SEO to Mark Strong Online Presence
- Learn the Different Strategies to Use for B2B Lead Generation in Digital Marketing
- Things to Consider Before Launching Your App in Google Play Store
- Google’s Page Experience Update Now Fully Rolled Out- Here’s What You Can Expect
- 7 Useful Tips to Ensure the Best Android App Development
- Learn Professional Web Development Tips to Build an Efficient Website
- Learn the Effective Ways to Manage Your Online Reputation
- Three Principles Every User Experience Designers Should Follow
- Top 5 Benefits of Integrating Cyber Security Services with Your Business
- Google’s New Safeguards for Minors to Create Safer Space on the Internet
- Benefits of Android Game Development You Must Not Ignore
- Google Removes Safe Browsing and Ad Experience Widgets from Page Experience Ranking Signal Criteria
- Google Changes Eligibility for Fact Check Rich Results
- Why You Need To Hire an Online Reputation Management Company for Your Business
- Complete Guide on 2d and 3d Game Development
- MITRE Engenuity releases first ATT&CK evaluations for Industrial Control Systems Security Tools
- WordPress SEO: 3 Quick and Easy Hacks for PageSpeed & Core Web Vitals
- Researchers Reveal New Trick of Hackers to Disable Macro Security Warnings in Malicious Office Files
- Top PHP Development Tools Leading Website Development Company Uses
- Cloud Security Analysis Solutions: The Next Step to Make Your Data Secure
- Learn How to Optimize Your Site for Google’s Page Experience Update
- Amid Rising Cybersecurity Threat Indian Military Personnel to Get Trained in the US on Cyber Warfare
- How the Network Change in Pandemic Steered to Must Cybersecurity
- 7 Reason You Should Get Mobile App for Your Business
- Google Rolls Out New Spam Algorithm Update: What Changes You Can Expect
- Top 10 Benefits of Unity Game Development
- VPN Attacks: A Rising Threat for Remote Work in the COVID-19 Era
- Google Releases New Framework to Prevent Software Supply Chain Attacks
- GitHub Discloses Details of Easy-to-Exploit Linux Vulnerability
- Read Key Highlights of Google Ads API version 8.0
- Here How the Gaming Giant EA was Hacked
- Know How A Malvertising Campaign On Google Distributed Trojanized AnyDesk Installer
- Learn How to Find the Best UI/UX Development Company
- Trends of 2021 Every Top Cyber Security Company in India Follows
- Improve your Conversion Rate with 10 Essential Elements of Good SEO
- Google Announces New Features for App Advertisers to Improve ROI
- FragAttacks: Set of New Vulnerabilities that Expose Nearly All Wi-Fi Devices to Attacks
- Latest Technologies and Trends in Mobile Game App Development
- Babuk – How a Newcomer soon becomes a Growing Ransomware Threat
- 5 Characteristics of the Best Digital Marketing Services Provider
- Here are the Tips to Choose the Best Game App Development Company
- 7 Reasons to do Search Engine Optimization for your Website
- Integrating AI with Cyber Security – Tomorrow of Cyber Security
- How Much Does HIPAA Compliance Cost?
- Best Android Game App Development Company Doesn’t Miss out Following Features
- Effective Voice Search Statistics for 2020
- Android 10: Everything You Need to Know
- How to Make Massive Money with Mobile Apps In 2020
- Drastic boost in mobile gaming during coronavirus lockdown
- Cyber security – A Tool to Address Digital World’s Major Issues; Cyber Attack
- 5 facts to keep in mind before hiring Game app development Company in India.
- Best iOS games app development
Google Releases New Framework to Prevent Software Supply Chain Attacks
Google has proposed a solution to the growing concern related to the rising attack on the supply chain integrity with unauthorized modification to software packages in the past two years. These malicious threats are proving to be common and affecting all consumer software with reliable attack vectors. The recent security incidents of SolarWinds and Codecov appeared as the face of an eye-opening breach that resulted in a multi-billion dollar attack, which according to Google, could be averted had the proposed framework been adopted by software developers and consumers.
“The software development and deployment supply chain is quite complicated, with numerous threats along the source ➞ build ➞ publish workflow. While point solutions do exist for some specific vulnerabilities, there is no comprehensive end-to-end framework that both defines how to mitigate threats across the software supply chain and provides reasonable security guarantees,” said Google.
Introducing the solution through a blog post, the tech giant stated, “our proposed solution is Supply chain Levels for Software Artifacts (SLSA, pronounced “salsa”), an end-to-end framework for ensuring the integrity of software artifacts throughout the software supply chain.”
The SLSA is said to be inspired by Google’s internal, “Binary Authorization for Borg”, which is mandatorily used for all of Google's production workloads. SLSA is aimed at improving the open-source state of the industry to defend against the most pressing integrity threats. It can help consumers to make an informed choice about the security posture of the software. It helps to protect against common supply chain attacks.
What is SLSA
"In its current state, SLSA is a set of incrementally adoptable security guidelines being established by industry consensus," said Kim Lewandowski of Google Open Source Security Team and Mark Lodato of the Binary Authorization for Borg Team.
“In its final form, SLSA will differ from a list of best practices in its enforceability: it will support the automatic creation of auditable metadata that can be fed into policy engines to give "SLSA certification" to a particular package or build platform. SLSA is designed to be incremental and actionable, and to provide security benefits at every step.”
The SLSA is designed with four levels, where SLSA 4 represents the ideal end state. The incremental milestones with corresponding incremental integrity guarantees, are represented in the lower levels. When an artefact will qualify the highest level in the design of SLSA, consumers will be more confident about its safety and can be able to securely trace it back to the source- a difficult but not impossible in most software today.
Kim Lewandowski of Google Open Source Security Team and Mark Lodato of the Binary Authorization for Borg Team in their blog post have mentioned each level of SLSA design with its requirements. The design levels as per the team are defined as follows.
SLSA 1: The first level requires a fully scripted/automated build process be generating provenance. Provenance is metadata about how an artifact was built, including the build process, top-level source, and dependencies.
It let the software consumers make risk-based security decisions although. At SLSA 1 provenance does not protect against tampering, but it offers a basic level of code source identification and may aid in vulnerability management.
SLSA 2: At this level, it requires generating authenticated provenance using version control and a hosted build service. It makes the consumer a little more confident in the origin of the software. Unlike SLSA 1, at this level, provenance will prevent tampering to the extent that the build service is trusted. SLSA 2 also provides an easy upgrade path to SLSA 3.
SLSA 3: Further moving to level 3, the requirement advances as the source and build platforms meet specific standards to guarantee the auditability of the source, and the integrity of the provenance, respectively. “We envision an accreditation process whereby auditors certify that platforms meet the requirements, which consumers can then rely on.”
SLSA 3 is said to prevent specific classes of threats, such as cross-build contamination, to provide much stronger protections against tampering than earlier levels.
SLSA 4: This is the end state and currently the highest level in SLSA design. It requires a two-person review of all changes and a hermetic, reproducible build process. A two-person review is known as an industry best practice, to catch any mistakes and deterring bad behaviour. Whereas hermetic builds guarantee that the provenance’s list of dependencies is complete. Although reproducible builds are not strictly required, they may provide many auditability and reliability benefits.
Thus, SLSA 4 offers the consumer a high degree of confidence indicating the software has not been tampered with.
"Higher SLSA levels require stronger security controls for the build platform, making it more difficult to compromise and gain persistence," Lewandowski and Lodato noted.
The company is planning to work with popular source, build, and packaging platforms to make reaching higher levels of SLSA an easier process. They are looking forward to automatically generate provenance in build systems, propagating it natively in package repositories, and adding security features across the major platforms. The company’s long-term goal is to raise the security bar across the industry, making the higher-level SLSA security standards the default expectation, minimising the effort on the part of software producers.
Google claims SLSA to be a practical framework for end-to-end software supply chain integrity ensuring its security. The SLSA solution is based on a model proven to work at scale in one of the world’s largest software engineering organizations.
“Achieving the highest level of SLSA for most projects may be difficult, but incremental improvements recognized by lower SLSA levels will already go a long way toward improving the security of the open-source ecosystem,” the company said.
“We look forward to working with the community on refining the levels as we begin adopting SLSA for our own open-source projects. If you are a project maintainer and interested in trying to adopt and provide feedback on SLSA, please reach out or come join the discussions taking place in the OpenSSF Digital Identity Attestation Working Group,” concluded Google in the blog post.