In the first masterclass, we talked about the need for software supply chain security, introduced the core concepts of SLSA, and showed how an existing build platform (GitHub) enables this through a demonstration of provenance generation and verification.
In this second session, we take a closer look at a specific threat scenario: building from source code that has been modified without authorization in transit (Threat C in the SLSA documentation), or building with a compromised build process (Threat E in the SLSA documentation). We describe this attack and real-world examples briefly in the introduction section.
We then show how the attack succeeds when the proper security is not in place. Next we show that with SLSA implemented properly, the later stages of the CI/CD pipeline detect the issue and abort.
This would be a good guide for developers who want an example of “SLSA as intended”.
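To make the detection step concrete, here is an added example (not code from the masterclass or from the SLSA project) of the policy check a deployer runs against build provenance. The provenance structure is a simplified stand-in for the real SLSA v1 in-toto statement, and the builder id, source URI and source contents are constructed values; it assumes the provenance itself has already been authenticated (the signature verification demonstrated in the first session). The three scenarios show the honest build passing, a source modified in transit (Threat C) being rejected because the recorded source digest no longer matches the reviewed commit, and a tampered build output (Threat E) being rejected because the artifact digest no longer matches the provenance subject.

```python
"""Simplified SLSA-style provenance verification (added example, not the session's code).

The provenance layout below is an assumption standing in for the real SLSA v1
in-toto statement; all ids, URIs and source bytes are constructed for the demo.
"""
import hashlib

TRUSTED_BUILDER_ID = "https://builder.example.invalid/ci"              # assumed value
EXPECTED_SOURCE_URI = "git+https://example.invalid/org/app@refs/heads/main"  # assumed value


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def honest_build(source: bytes) -> bytes:
    # Stand-in build step: a deterministic transformation of the source.
    return b"artifact:" + source


def generate_provenance(source: bytes, artifact: bytes, builder_id: str) -> dict:
    # The build platform records what it produced and which source it consumed.
    return {
        "subject": {"sha256": sha256(artifact)},
        "builder": {"id": builder_id},
        "resolvedDependencies": [{"uri": EXPECTED_SOURCE_URI, "sha256": sha256(source)}],
    }


def verify(artifact: bytes, provenance: dict, expected_source_sha256: str) -> tuple[bool, str]:
    """Deployer-side policy: trusted builder, matching artifact, matching reviewed source."""
    if provenance["builder"]["id"] != TRUSTED_BUILDER_ID:
        return False, "untrusted builder"
    if provenance["subject"]["sha256"] != sha256(artifact):
        return False, "artifact digest does not match provenance subject"
    deps = {d["uri"]: d["sha256"] for d in provenance["resolvedDependencies"]}
    if deps.get(EXPECTED_SOURCE_URI) != expected_source_sha256:
        return False, "source digest does not match the reviewed commit"
    return True, "ok"


# Constructed source; its digest is what code review approved and what the policy expects.
REVIEWED_SOURCE = b"print('hello')\n"
REVIEWED_SOURCE_SHA256 = sha256(REVIEWED_SOURCE)


def scenario_honest() -> tuple[bool, str]:
    artifact = honest_build(REVIEWED_SOURCE)
    prov = generate_provenance(REVIEWED_SOURCE, artifact, TRUSTED_BUILDER_ID)
    return verify(artifact, prov, REVIEWED_SOURCE_SHA256)


def scenario_source_modified_in_transit() -> tuple[bool, str]:
    # Threat C: the builder receives source that differs from what was reviewed.
    tampered_source = REVIEWED_SOURCE + b"import os; os.system('id')\n"  # constructed tampering
    artifact = honest_build(tampered_source)
    prov = generate_provenance(tampered_source, artifact, TRUSTED_BUILDER_ID)
    return verify(artifact, prov, REVIEWED_SOURCE_SHA256)


def scenario_build_output_tampered() -> tuple[bool, str]:
    # Threat E: the build process is compromised and emits an artifact other than
    # the one the platform attested to.
    artifact = honest_build(REVIEWED_SOURCE)
    prov = generate_provenance(REVIEWED_SOURCE, artifact, TRUSTED_BUILDER_ID)
    swapped_artifact = artifact + b"\n# injected payload"  # constructed tampering
    return verify(swapped_artifact, prov, REVIEWED_SOURCE_SHA256)


if __name__ == "__main__":
    for name, fn in [("honest", scenario_honest),
                     ("source modified in transit", scenario_source_modified_in_transit),
                     ("build output tampered", scenario_build_output_tampered)]:
        ok, reason = fn()
        print(f"{name}: {'ACCEPT' if ok else 'ABORT'} ({reason})")
```

The check only means something if the provenance cannot be forged by the party doing the tampering, which is why it must be signed by the build platform and that signature verified before the digest comparison; without that, an attacker who controls the build could simply emit provenance matching their own output.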
Hosted by Sas3