Chapter

SLSA, more than just a garnish for your pipelines

with Joshua Lock

Description:

SLSA, Supply-chain Levels for Software Artifacts (https://slsa.dev), is an Open Source Security Foundation (OpenSSF) project that defines incremental security levels which platforms can implement to prevent tampering with the software supply chain.

In this talk, Joshua introduces the SLSA project. He covers the SLSA principles, including how they are useful principles across DevSecOps processes and systems; looks at the threat model that guides SLSA work; introduces SLSA’s security levels; and concludes with a brief summary of the open source project, future plans, and how you can get involved.

Tags:

Joshua Lock

Open Source Architect at Verizon

About Joshua Lock

Joshua is a versatile software engineer and open source professional with leadership roles in several open source projects. 15 years experience working on tools to build complex software systems deterministically and securely. He is passionate about building systems and software supply chain security.

Steering committee member and specification maintainer on the Supply-chain Levels for Software Artifacts (SLSA) project, The Update Framework (TUF) specification editor and implementation maintainer for python-tuf and go-tuf, contributor and root keyholder for Sigstore, friend of in-toto.

Emeritus core contributor to all aspects of OpenEmbedded and the Yocto Project.