One Article Review

Source: GoogleSec
Identifier: 8331269
Publication date: 2023-04-26 11:00:21 (viewed: 2023-04-26 16:07:29)
Title: Celebrating SLSA v1.0: securing the software supply chain for everyone
Text:

Bob Callaway, Staff Security Engineer, Google Open Source Security team

Last week the Open Source Security Foundation (OpenSSF) announced the release of SLSA v1.0, a framework that helps secure the software supply chain. Ten years of using an internal version of SLSA at Google has shown that it's crucial to warding off tampering and keeping software secure. It's especially gratifying to see SLSA reaching v1.0 as an open source project: contributors have come together to produce solutions that will benefit everyone.

SLSA for safer supply chains

Developers and organizations that adopt SLSA will be protecting themselves against a variety of supply chain attacks, which have continued rising since Google first donated SLSA to OpenSSF in 2021. In that time, the industry has also seen a U.S. Executive Order on Cybersecurity and the associated NIST Secure Software Development Framework (SSDF) to guide national standards for software used by the U.S. government, as well as the Network and Information Security (NIS2) Directive in the European Union. SLSA offers not only an onramp to meeting these standards, but also a way to prepare for a climate of increased scrutiny on software development practices.

As organizations benefit from using SLSA, it's also up to them to shoulder part of the burden of spreading these benefits to open source projects. Many maintainers of the critical open source projects that underpin the internet are volunteers; they cannot be expected to do all the work when so many of the rewards of adopting SLSA roll out across the supply chain to benefit everyone.

Supply chain security for all

That's why, beyond contributing to SLSA, we've also been laying the foundation to integrate supply chain solutions directly into the ecosystems and platforms used to create open source projects.

We're also directly supporting open source maintainers, who often cite lack of time or resources as limiting factors when making security improvements to their projects. Our Open Source Security Upstream Team consists of developers who spend 100% of their time contributing to critical open source projects to make security improvements. For open source developers who choose to adopt SLSA on their own, we've funded the Secure Open Source Rewards Program, which pays developers directly for these types of security improvements.

Currently, open source developers who want to secure their builds can use the free SLSA L3 GitHub Builder, which requires only a one-time adjustment to the traditional build process implemented through GitHub Actions. There's also the SLSA Verifier tool for software consumers. Users of npm (or Node Package Manager, the world's largest software repository) can take advantage of their recently released beta SLSA integration, which streamlines the process of creating and verifying SLSA provenance through the npm command line interface. We're also supporting the integration of Sigstore into many major
Tags: Patching, Tool



