10-26, 18:00–18:05 (Europe/Berlin), Main stage
Join us as we delve into secure software releases, focusing on the real-world scenario of implementing the SLSA (Supply-Chain Levels for Software Artifacts) v1.0 standard in popular CI/CD systems such as GitHub and Azure Pipelines. In the face of growing threats to packages, distributions, releases, and dependencies from software supply chain attacks, SLSA offers a crucial standard to secure artifacts.
We will explore SLSA in detail, the differences the v1.0 standard offers compared with its predecessor, and understand how SLSA would have helped mitigate previous software supply chain attacks.
Then we dive into the implementation of SLSA and show how to apply it to secure builds done in popular systems, such as GitHub and Azure Pipelines, including a live demo of how to generate and use SLSA to secure a containerized software release in an OCI registry.
In today's highly interconnected digital world, the security of software packages is crucial to ensuring trust and integrity. In response, the industry introduced the Supply Chain Levels for Software Artifacts (SLSA) framework to enhance the security of software packages.
As part of this talk, we will explore SLSA v1.0 and its practical implementation for secure software package releases, and gain a comprehensive understanding of how SLSA safeguards the software supply chain, including:
- Introduction to SLSA and SLSA levels
- Learning about the principles of SLSA, including provenance, integrity, and transparency, and how it could have prevented major software supply chain attacks.
- The changes introduced with SLSA v1.0 and the requirements to achieve each level are explained in detail.
- We will use these core concepts and demonstrate the best practices for integrating them with Azure Pipelines and GitHub. This includes configuring build pipelines, signing artifacts, and leveraging CI system security features.
During implementation, we faced many challenges and roadblocks that we would like to share with the community, such as:
- Properly building provenance documents' data structures
- When Azure Pipelines lacks the tooling that GitHub has, how do you reach the higher SLSA level (level 3)?
- The most seamless way to generate SLSA in terms of user experience
And more.
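The first roadblock above, getting the provenance document's data structure right, is easiest to see with a concrete statement. The following is an added example, not code from the talk or from Cimon: it assembles a SLSA v1.0 provenance predicate inside an in-toto Statement v1 for a container image digest, and then applies the policy checks a consumer would run before trusting the artifact (subject digest matches the artifact, builder id is trusted, the source repository recorded in the build definition is the expected one). All URLs, digests, the builder id and the `source` key inside `externalParameters` are constructed placeholders; `externalParameters` is build-type specific in the spec, so the key name is an assumption. Signature verification of the DSSE envelope that carries such a statement is out of scope here and must happen before these checks in real use.

```python
"""Build and check a SLSA v1.0 provenance statement (in-toto attestation).

Added example; not the talk's or Cimon's code. Field names follow the public
SLSA v1.0 provenance predicate and in-toto Statement v1 layouts. All sample
values (repository URL, digests, builder id) are constructed placeholders.
"""
import hashlib

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
PREDICATE_TYPE = "https://slsa.dev/provenance/v1"

# Constructed sample inputs: stands in for an OCI image manifest and a policy.
SAMPLE_ARTIFACT = b"constructed image manifest bytes"
TRUSTED_BUILDERS = {"https://example.invalid/ci/builder"}  # placeholder builder id
EXPECTED_REPO = "git+https://example.invalid/org/app"       # placeholder source repo
SAMPLE_COMMIT = "0" * 40                                    # placeholder git commit


def digest_of(artifact_bytes):
    """sha256 hex digest used as the attestation subject digest."""
    return hashlib.sha256(artifact_bytes).hexdigest()


def build_provenance(subject_name, subject_digest, builder_id, build_type,
                     external_params, resolved_deps):
    """Assemble the in-toto Statement v1 wrapping a SLSA v1.0 predicate."""
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": subject_name, "digest": {"sha256": subject_digest}}],
        "predicateType": PREDICATE_TYPE,
        "predicate": {
            "buildDefinition": {
                "buildType": build_type,
                "externalParameters": external_params,
                "internalParameters": {},
                "resolvedDependencies": resolved_deps,
            },
            "runDetails": {
                "builder": {"id": builder_id},
                "metadata": {"invocationId": "constructed-run-1"},
            },
        },
    }


def example_statement():
    """Provenance for the constructed sample artifact, built by the trusted builder."""
    source = {"uri": EXPECTED_REPO, "digest": {"gitCommit": SAMPLE_COMMIT}}
    return build_provenance(
        subject_name="registry.example.invalid/org/app",
        subject_digest=digest_of(SAMPLE_ARTIFACT),
        builder_id="https://example.invalid/ci/builder",
        build_type="https://example.invalid/build-types/container/v1",
        external_params={"source": source},  # "source" key is an assumed convention
        resolved_deps=[source],
    )


def check_provenance(statement, artifact_bytes, trusted_builders, expected_repo):
    """Return a list of policy failures; an empty list means the artifact passes.

    Assumes the statement was already extracted from a signature-verified envelope.
    """
    problems = []
    if statement.get("_type") != STATEMENT_TYPE:
        problems.append("unexpected statement type")
    if statement.get("predicateType") != PREDICATE_TYPE:
        problems.append("unexpected predicate type")

    # The artifact we hold must be one of the attested subjects.
    actual = digest_of(artifact_bytes)
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == actual for s in subjects):
        problems.append("subject digest does not match artifact")

    predicate = statement.get("predicate", {})
    builder_id = predicate.get("runDetails", {}).get("builder", {}).get("id")
    if builder_id not in trusted_builders:
        problems.append(f"untrusted builder id: {builder_id!r}")

    # Source repo check relies on the assumed "source" externalParameters key.
    ext = predicate.get("buildDefinition", {}).get("externalParameters", {})
    source_uri = ext.get("source", {}).get("uri")
    if source_uri != expected_repo:
        problems.append(f"source repository mismatch: {source_uri!r}")

    return problems


if __name__ == "__main__":
    stmt = example_statement()
    print(check_provenance(stmt, SAMPLE_ARTIFACT, TRUSTED_BUILDERS, EXPECTED_REPO))
    print(check_provenance(stmt, b"tampered", TRUSTED_BUILDERS, EXPECTED_REPO))
```

Running the module prints an empty list for the genuine artifact and a digest-mismatch failure for tampered bytes. The checks are deliberately separate from the construction so the same policy function can be pointed at provenance produced by any builder, which is the consumer-side shape of the "generate and use" flow the demo covers.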
Additionally, we will demonstrate how we incorporate SLSA standards using a free tool named Cimon to enhance the security of released artifacts in the mentioned CI systems.
Elad Pticha is a passionate security researcher with a focus on software supply chain and API security. Elad specializes in finding vulnerabilities in SDLC-related software. In his free time, Elad loves to code, hunt for vulnerable technologies, and use his skills to help companies mitigate their security risks. Before his current work at Cycode, Elad dedicated his time to finding critical vulnerabilities in web applications, IoT devices, and pretty much anything with an IP address, but his recent focus has shifted towards software supply chain security vulnerabilities. Elad is committed to staying up-to-date with the latest security trends and technologies and always seeking new challenges to tackle.