SLSA masterclasses

Empower DevOps to do security


Sas3

@sas3

SLSA in action against unauthorized modifications to source code

Submitted Sep 20, 2023

In the first masterclass, we talked about the need for software supply chain security, introduced the core concepts of SLSA, and showed how an existing build platform (GitHub) enables this through a demonstration of provenance generation and verification.

In this second session, we take a closer look at two specific threat scenarios: building from source code that was modified without authorization in transit between the repository and the builder (Threat C in the SLSA documentation), and a compromised build process (Threat E in the SLSA documentation). We describe these attacks and real-world examples briefly in the introduction section.

We then show how the attack succeeds when the proper security controls are not in place. Next we show that with SLSA implemented properly, the later stages of the CI/CD pipeline detect the issue during provenance verification and abort.
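The following is an added example, not code from the session or from the SLSA project, of the verification step the pipeline runs before accepting an artifact. It checks a SLSA v1 provenance statement against a policy: the artifact must be one of the statement's subjects, the builder must be the one we trust (Threat E), and the source the builder consumed must be the expected repository at the expected commit (Threat C). The builder ID, repository URI, commit hashes and artifact bytes are all constructed for the demo; a real pipeline would first verify the DSSE signature on the envelope (for example with slsa-verifier), which this example does not model.

```python
import hashlib

# Type URIs from the in-toto attestation framework and the SLSA v1.0 provenance spec.
INTOTO_STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"

# Assumed verification policy (constructed for this example, not from the page):
# the builder we trust and the canonical source the artifact must come from.
TRUSTED_BUILDER_ID = (
    "https://github.com/slsa-framework/slsa-github-generator/"
    ".github/workflows/generator_generic_slsa3.yml@refs/tags/v1.9.0"
)
EXPECTED_SOURCE_URI = "git+https://github.com/example-org/example-app@refs/heads/main"
EXPECTED_COMMIT = "0123456789abcdef0123456789abcdef01234567"  # constructed commit hash


def make_statement(artifact: bytes, builder_id: str, source_uri: str, commit: str) -> dict:
    """Build a minimal SLSA v1 provenance statement in the shape a builder emits.

    Constructed for the demo. A real builder wraps this statement in a signed
    DSSE envelope; signature verification is out of scope here.
    """
    return {
        "_type": INTOTO_STATEMENT_TYPE,
        "subject": [{
            "name": "example-app.tar.gz",
            "digest": {"sha256": hashlib.sha256(artifact).hexdigest()},
        }],
        "predicateType": SLSA_PROVENANCE_V1,
        "predicate": {
            "buildDefinition": {
                "buildType": "https://example.com/demo-build/v1",  # assumed buildType
                "externalParameters": {"source": source_uri},
                # The builder records every input it actually resolved, including
                # the git commit it checked out; this is what exposes Threat C.
                "resolvedDependencies": [
                    {"uri": source_uri, "digest": {"gitCommit": commit}},
                ],
            },
            "runDetails": {"builder": {"id": builder_id}},
        },
    }


def verify_provenance(statement: dict, artifact: bytes, trusted_builder_id: str,
                      expected_source_uri: str, expected_commit: str) -> tuple:
    """Return (ok, reason). Every check fails closed; the first failure wins."""
    if statement.get("_type") != INTOTO_STATEMENT_TYPE:
        return (False, "not an in-toto statement")
    if statement.get("predicateType") != SLSA_PROVENANCE_V1:
        return (False, "predicate is not SLSA v1 provenance")

    # 1. The file we hold must be one the provenance actually describes.
    digest = hashlib.sha256(artifact).hexdigest()
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == digest for s in subjects):
        return (False, "artifact digest not among provenance subjects")

    predicate = statement.get("predicate", {})

    # 2. Threat E: only provenance from the builder we trust is acceptable.
    builder_id = predicate.get("runDetails", {}).get("builder", {}).get("id")
    if builder_id != trusted_builder_id:
        return (False, f"untrusted builder: {builder_id!r}")

    # 3. Threat C: the source the builder consumed must be the expected
    #    repository at exactly the commit we reviewed.
    deps = predicate.get("buildDefinition", {}).get("resolvedDependencies", [])
    sources = [d for d in deps if d.get("uri") == expected_source_uri]
    if not sources:
        return (False, "expected source repository not in resolvedDependencies")
    commits = {d.get("digest", {}).get("gitCommit") for d in sources}
    if commits != {expected_commit}:
        return (False, f"source commit mismatch: {sorted(map(str, commits))}")

    return (True, "ok")


def demo() -> dict:
    """Run the scenarios from the session description; returns {scenario: (ok, reason)}."""
    artifact = b"constructed artifact bytes"
    policy = (TRUSTED_BUILDER_ID, EXPECTED_SOURCE_URI, EXPECTED_COMMIT)

    honest = make_statement(artifact, TRUSTED_BUILDER_ID, EXPECTED_SOURCE_URI, EXPECTED_COMMIT)
    # Threat C: the trusted builder checked out source that is not the commit we reviewed.
    modified_source = make_statement(artifact, TRUSTED_BUILDER_ID, EXPECTED_SOURCE_URI, "f" * 40)
    # Threat E: provenance produced by a builder we do not trust (constructed ID).
    rogue_builder = make_statement(artifact, "https://example.com/laptop-builder",
                                   EXPECTED_SOURCE_URI, EXPECTED_COMMIT)

    return {
        "honest": verify_provenance(honest, artifact, *policy),
        "modified_source": verify_provenance(modified_source, artifact, *policy),
        "compromised_builder": verify_provenance(rogue_builder, artifact, *policy),
        # Valid provenance, but the artifact we were handed is not the one it describes.
        "swapped_artifact": verify_provenance(honest, b"something else", *policy),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:20s} {'PASS' if ok else 'FAIL'}: {reason}")
```

Only the honest scenario passes; the modified-source case fails on the commit comparison, the rogue builder fails on the builder ID, and a substituted file fails on the subject digest before any other check is consulted. The order matters in practice: the subject check ties the provenance to the exact bytes being deployed, so a valid provenance cannot be reused to vouch for a different artifact.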

This would be a good guide to developers who want an example of “SLSA as intended”.

