
Lessons Learned from Automating SLSA-Compliance Evaluation - Daniel Nebenzahl, Scribe

2022-06-21

Authors: Daniel Nebenzahl


Summary

The presentation discusses implementing the SLSA framework for supply chain security and the challenges of complying with its requirements.
  • SLSA is an emerging standard that puts many requirements on the table for a supply chain security implementation
  • A compliance-driven implementation of the framework may deliver little value, and negotiation with suppliers is necessary
  • Provenance documents can be built from CI/SCM APIs and log files, so that not every pipeline has to be opened up for instrumentation
  • Level 3 of SLSA promises better protection against threats originating on developer workstations and adjacent build systems
  • Strongly authenticated actors and indefinite retention of sources are requirements that are hard to comply with
  • SLSA offers solutions for these requirements, but they are hard to implement, and a lapse may cost the accreditation
The speaker mentioned that multi-factor authentication is a requirement for strongly authenticated actors in SLSA, but that it may be difficult to comply with in practice. For example, if a subcontractor loses their phone and needs to keep working, the natural solution is to let them work for a day with single-factor authentication; however, this would mean losing SLSA accreditation. The speaker also noted that the solution SLSA provides for retaining sources indefinitely is hard to implement, as it requires a multi-signature (multi-sig) approval flow for any history rewrite.

Abstract

SLSA (Supply-chain Levels for Software Artifacts) is a framework led by Google that defines four levels of protection for a software supply chain and provides guidelines on how to reach these levels. Since companies operate dynamic pipelines, there is a need to continuously measure the pipeline's security. This can be met by implementing automated SLSA-compliance evaluation. In this talk, we shall share lessons learned from our journey in implementing automation in real-world scenarios using open-source tools such as Sigstore and OPA. The lessons, conceptual and technical, shed light on the real-world details and challenges we encountered when evaluating, and automating the evaluation of, SLSA compliance. Some of these lessons challenge part of the SLSA requirements.
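The approach sketched in the summary and the abstract (provenance assembled from CI API and log data, then scored against the framework's requirements) in miniature, as an added example that is not the speaker's or Scribe's code and uses plain Python rather than OPA/Rego. The CI job record, the actor list, the digests and the example.internal URIs are constructed; the provenance field names follow the public SLSA v0.1 predicate, and the rule table covers only a subset of the v0.1 requirements. It also reproduces the MFA scenario from the talk: one actor without a second factor drops the build from level 3 to level 2.

```python
"""Toy SLSA v0.1 evaluator: build provenance from a CI job record, then score it
together with facts pulled from the platform's APIs. Added example, not the
speaker's or Scribe's code; job record, actors, digests and URIs are constructed,
field names follow the public SLSA v0.1 predicate, RULES is a subset of v0.1."""
import json

IN_TOTO_STATEMENT = "https://in-toto.io/Statement/v0.1"
SLSA_V01 = "https://slsa.dev/provenance/v0.1"

# Constructed: one normalised job record as a CI service's REST API might return it.
SAMPLE_JOB = {
    "id": "job-8841",
    "builder": "https://ci.example.internal/runners/linux",  # hypothetical builder id
    "source_uri": "git+https://git.example.internal/acme/app@refs/heads/main",
    "commit": "6f1a2c9e4b7d8a0f3c5e1b2d4a6c8e0f2b4d6a8c",
    "entry_point": ".ci/build.yaml",
    "started": "2022-06-01T09:14:02Z",
    "artifact_name": "app-1.4.2.tar.gz",
    "artifact_sha256": "9b74c9897bac770ffc029102a200c5de7f6fc8d3b4e1a2b3c4d5e6f708192a3b",
}

# Constructed: facts the provenance does not carry; they come from SCM/CI APIs
# or their logs, which is how pipelines stay closed to direct instrumentation.
FACTS_GOOD = {
    "ran_on_build_service": True,   # not a developer workstation
    "ephemeral_environment": True,  # fresh runner per job, torn down afterwards
    "actor_mfa": {"alice": True, "bob": True},  # everyone who touched the change
    "source_retention_days": 540,   # roughly 18 months of history
}


def build_provenance(job):
    """Assemble an in-toto statement with a SLSA v0.1 predicate from a job record."""
    source = {"uri": job["source_uri"], "digest": {"sha1": job["commit"]}}
    return {
        "_type": IN_TOTO_STATEMENT,
        "subject": [{"name": job["artifact_name"],
                     "digest": {"sha256": job["artifact_sha256"]}}],
        "predicateType": SLSA_V01,
        "predicate": {
            "builder": {"id": job["builder"]},
            "buildType": "https://ci.example.internal/buildtypes/v1",  # hypothetical
            "invocation": {"configSource": {**source, "entryPoint": job["entry_point"]}},
            "metadata": {"buildInvocationId": job["id"],
                         "buildStartedOn": job["started"], "reproducible": False},
            "materials": [source],
        },
    }


def _hex(value, length):
    """True if value is a lowercase hex digest of exactly `length` characters."""
    return (isinstance(value, str) and len(value) == length
            and all(c in "0123456789abcdef" for c in value))


# (level, requirement, check); each check sees the statement and the facts.
RULES = [
    (1, "provenance available and identifies the artifact",
     lambda st, f: st.get("predicateType") == SLSA_V01 and bool(st.get("subject"))
     and all(_hex(s["digest"].get("sha256"), 64) for s in st["subject"])),
    (1, "identifies builder", lambda st, f: bool(st["predicate"]["builder"].get("id"))),
    (2, "source is version controlled",
     lambda st, f: bool(st["predicate"]["materials"])
     and all(m["uri"].startswith("git+") and _hex(m["digest"].get("sha1"), 40)
             for m in st["predicate"]["materials"])),
    (2, "build ran on a build service, not a developer workstation",
     lambda st, f: f["ran_on_build_service"]),
    (3, "verified history: strongly authenticated actors",
     lambda st, f: all(f["actor_mfa"].values())),
    (3, "ephemeral build environment", lambda st, f: f["ephemeral_environment"]),
    (3, "identifies entry point",
     lambda st, f: bool(st["predicate"]["invocation"]["configSource"].get("entryPoint"))),
    (3, "source retained for at least 18 months",
     lambda st, f: f["source_retention_days"] >= 540),
    (4, "source retained indefinitely",
     lambda st, f: f["source_retention_days"] == float("inf")),
]


def evaluate(statement, facts):
    """Return the highest level whose requirements all pass, plus failures per level."""
    failures = {}
    for level, name, check in RULES:
        try:
            ok = bool(check(statement, facts))
        except (KeyError, TypeError, AttributeError):
            ok = False  # missing or malformed data is a failed requirement, never a pass
        if not ok:
            failures.setdefault(level, []).append(name)
    attained = 0
    for level in (1, 2, 3, 4):
        if failures.get(level):
            break  # levels are cumulative: one failure caps everything above it
        attained = level
    return {"level": attained, "failures": failures}


if __name__ == "__main__":
    prov = build_provenance(SAMPLE_JOB)
    print(json.dumps(evaluate(prov, FACTS_GOOD), indent=2))
    # The speaker's scenario: one subcontractor works a day without a second factor.
    degraded = {**FACTS_GOOD, "actor_mfa": {**FACTS_GOOD["actor_mfa"], "bob": False}}
    print(json.dumps(evaluate(prov, degraded), indent=2))
```

Running the file prints the two evaluations: level 3 with only the level 4 retention requirement failing, then level 2 once one actor lacks MFA. The split between `statement` and `facts` is the point: several requirements (build service, ephemeral environment, actor authentication, retention) are not provenance fields at all, so the evaluator has to fetch them from the platform, and a fact it cannot obtain fails the requirement instead of passing it.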
