
Google SLSA & NIST SSDF: Emerging Software Supply Chain Security Best Practices

2022-06-22

Authors: Tony Loehr


Summary

The presentation discusses the OnSiteCode platform and how it assists with anomaly detection and with adhering to security frameworks across software development pipelines.
  • OnSiteCode connects to the various tools in the software supply chain to analyze changes in real time and to notify on intrusive events
  • The platform is policy-based and covers several layers of security: access, insecure configurations, sequence detection, leak detection, infrastructure as code, and cloud security scanning
  • Access-related configurations and privileged access are analyzed for adherence to security standards
  • The platform can detect anomalous behaviors such as commits outside a user's normal working hours, peer reviews approved from non-developer accounts, and changes in work patterns for employees who are leaving the company
  • These detections help mitigate the risk of intellectual property theft
  • Additional tooling is recommended for organizations with complicated release cycles in order to conform to NIST guidelines
Commits outside a user's normal working hours are one such behavioral anomaly. With the Great Resignation under way, a significant amount of intellectual property theft has been reported by employees or suspected by employers, and it is imperative for organizations to mitigate this risk.
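The three behavioral checks described above (off-hours commits, approvals from non-developer accounts, and a change in activity before a departure) can be expressed as simple policies over source-control audit events. The following is an added example written for this page; it is not code from the talk or from the vendor's product. The event schema, the account names, the departure date and the thresholds are all constructed assumptions, and the sample events are fabricated for the demonstration.

```python
"""Policy checks over constructed SCM audit events (added example, not product code)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (not real data). Timestamps are UTC ISO-8601.
# Fields: ts, user, type (commit | review | clone), and for reviews: action, pr.
SAMPLE_EVENTS = [
    # alice: a two-week baseline of daytime commits
    *[{"ts": f"2022-05-{d:02d}T{h:02d}:30:00", "user": "alice", "type": "commit"}
      for d, h in [(2, 9), (3, 11), (4, 14), (5, 16), (6, 10), (9, 13), (10, 17), (11, 9)]],
    # alice: one commit at 03:05 and one normal commit after the baseline period
    {"ts": "2022-05-18T03:05:00", "user": "alice", "type": "commit"},
    {"ts": "2022-05-18T10:05:00", "user": "alice", "type": "commit"},
    # review approvals: bob is a developer, svc-deploy is a service account
    {"ts": "2022-05-18T10:30:00", "user": "bob", "type": "review", "action": "approve", "pr": 101},
    {"ts": "2022-05-18T11:00:00", "user": "svc-deploy", "type": "review", "action": "approve", "pr": 102},
    # carol: routine weekly clones, then a burst of clones in the two weeks before leaving
    *[{"ts": f"2022-05-{d:02d}T09:00:00", "user": "carol", "type": "clone"} for d in (2, 9, 16)],
    *[{"ts": f"2022-05-{d:02d}T20:00:00", "user": "carol", "type": "clone"} for d in range(20, 30)],
]
DEVELOPERS = {"alice", "bob", "carol"}          # assumed developer group membership
DEPARTURES = {"carol": "2022-05-31"}            # assumed last working day per user


def _parse(ts):
    return datetime.fromisoformat(ts)


def off_hours_commits(events, baseline_end, pad_hours=1):
    """Learn each user's working-hours window from commits before `baseline_end`
    and flag later commits whose hour falls outside that window (+/- pad_hours)."""
    cutoff = _parse(baseline_end)
    hours = defaultdict(list)
    for e in events:
        if e["type"] == "commit" and _parse(e["ts"]) < cutoff:
            hours[e["user"]].append(_parse(e["ts"]).hour)
    findings = []
    for e in events:
        if e["type"] != "commit" or _parse(e["ts"]) < cutoff:
            continue
        h = _parse(e["ts"]).hour
        base = hours.get(e["user"])
        if not base:
            findings.append({**e, "reason": "no baseline for user"})
        elif h < min(base) - pad_hours or h > max(base) + pad_hours:
            findings.append({**e, "reason": f"hour {h} outside {min(base)}-{max(base)}"})
    return findings


def non_developer_approvals(events, developers):
    """Flag pull-request approvals from accounts outside the developer group."""
    return [e for e in events
            if e["type"] == "review" and e.get("action") == "approve"
            and e["user"] not in developers]


def departure_activity_spike(events, departures, window_days=14, ratio=3.0):
    """Compare clone volume in the final `window_days` before a user's departure
    with their average volume over the same-length window in earlier history."""
    findings = []
    for user, last_day in departures.items():
        end = _parse(last_day) + timedelta(days=1)
        start = end - timedelta(days=window_days)
        clones = [_parse(e["ts"]) for e in events if e["user"] == user and e["type"] == "clone"]
        if not clones:
            continue
        recent = sum(1 for t in clones if start <= t < end)
        earlier = [t for t in clones if t < start]
        span_days = max((start - min(earlier)).days, window_days) if earlier else window_days
        baseline = len(earlier) * window_days / span_days   # clones per window, historically
        if recent >= ratio * max(baseline, 1):
            findings.append({"user": user, "recent": recent, "baseline": round(baseline, 2)})
    return findings


def run_policies(events, developers, departures, baseline_end):
    return {
        "off_hours_commits": off_hours_commits(events, baseline_end),
        "non_developer_approvals": non_developer_approvals(events, developers),
        "departure_spikes": departure_activity_spike(events, departures),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_policies(SAMPLE_EVENTS, DEVELOPERS, DEPARTURES, "2022-05-15"), indent=2))
```

Two caveats a practitioner would apply before trusting these rules: the min/max hour window assumes timestamps have been normalized to the user's local time zone and breaks for shifts that cross midnight, so a per-weekday distribution is a better baseline; and "non-developer" must come from the identity provider's group membership, not from naming conventions such as an `svc-` prefix, or an attacker-created account simply inherits a plausible name.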

Abstract

The severity and frequency of software supply chain attacks have increased significantly. How should software teams react to these new threats? Several new frameworks are emerging. At the behest of an executive order from the White House, the National Institute of Standards and Technology (NIST) created the Secure Software Development Framework (SSDF), with robust guidance on securing the software supply chain. Similarly, Google has released the Supply-chain Levels for Software Artifacts (SLSA) framework for ensuring software supply chain and build integrity. While there is some overlap, NIST SSDF tends to focus on the "what" and Google SLSA focuses on the "how." Combined, these two frameworks make an excellent roadmap for securing software supply chains. Yet this combined roadmap is still not without security gaps. This presentation will compare and contrast NIST SSDF and Google SLSA:
  • Introduction & the rise of software supply chain attacks
  • NIST SSDF
  • Google SLSA
  • Comparing SSDF & SLSA
  • Covering gaps
  • Demo
  • Q&A
