Upgrade to Pro — share decks privately, control downloads, hide ads and more …

SLSA Meetup by WhizUs GmbH 15.05.2025

Avatar for Julian Zhuang Julian Zhuang
May 19, 2025
10
0

SLSA Meetup by WhizUs GmbH 15.05.2025

Avatar for Julian Zhuang

Julian Zhuang

May 19, 2025

More Decks by Julian Zhuang

See All by Julian Zhuang
Let the Bot Review it - Reducing Toil with Fossabot
Avatar for Julian Zhuang jwzhuang99
0
24
eBPF Signature with Hornet
Avatar for Julian Zhuang jwzhuang99
0
40

Featured

See All Featured
The Illustrated Children's Guide to Kubernetes
Avatar for Chris Short chrisshort
51
52k
Groundhog Day: Seeking Process in Gaming for Health
Avatar for Sebastian Deterding codingconduct
0
210
HU Berlin: Industrial-Strength Natural Language Processing with spaCy and Prodigy
Avatar for Ines Montani inesmontani
PRO
0
410
職位にかかわらず全員がリーダーシップを発揮するチーム作り / Building a team where everyone can demonstrate leadership regardless of position
Avatar for MADOX madoxten
62
54k
Helping Users Find Their Own Way: Creating Modern Search Experiences
Avatar for Dan Newman danielanewman
31
3.2k
Mobile First: as difficult as doing things right
Avatar for Swwweet swwweet
225
10k
Navigating the moral maze — ethical principles for Al-driven product design
Avatar for Skipper Chong Warson skipperchong
2
390
Building Experiences: Design Systems, User Experience, and Full Site Editing
Avatar for Michelle Schulp Hunt marktimemedia
0
530
Collaborative Software Design: How to facilitate domain modelling decisions
Avatar for Kenny Baas-Schwegler baasie
1
250
Leveraging LLMs for student feedback in introductory data science courses - posit::conf(2025)
Avatar for Mine Cetinkaya-Rundel minecr
1
290
Building an army of robots
Avatar for Kyle Neath kneath
306
46k
Chasing Engaging Ingredients in Design
Avatar for Sebastian Deterding codingconduct
0
220

Transcript

  1. 15.05.2025 WhizUs GmbH by Julian Zhuang SLSA The taco dip

    for software supply chain security

  2. recap (SBOM meetup)

  3. 15.05.2025 WhizUs GmbH 3 recap In our previous talk we

    looked into such things like the need for security in supply chains SBOM VEX But we did not (yet) talk about how do we use that in production more usable approach that scales | SBOM Meetup

  4. Intro

  5. 15.05.2025 WhizUs GmbH 5 Intro | The Supply Chain ref:

    https://jfrog.com/de/learn/software-supply-chain/

  6. 15.05.2025 WhizUs GmbH 6 Intro where are the security problems

    here? | The Security Issue ref: https://jfrog.com/de/learn/software-supply-chain/

  7. SLSA

  8. 15.05.2025 WhizUs GmbH 8 SLSA Supply-chain Levels for Software Artifacts,

    or SLSA ("salsa"). It’s a security framework, a checklist of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure. | What is it? ref: https://slsa.dev/ https://www.activestate.com/resources/quick-reads/software-supply-chain-security/

  9. 15.05.2025 WhizUs GmbH 9 SLSA | levels

  10. 15.05.2025 WhizUs GmbH 10 SLSA | Why do we need

    it?

  11. 15.05.2025 WhizUs GmbH 11 SLSA Aspect SLSA v1.0 SLSA v1.1

    Release Type Initial stable release Incremental update Definitions & Terminology Baseline definitions Clarified and refined terminology Provenance Requirements Basic provenance guidance Expanded, more detailed provenance requirements Build Model Support Focused on common build scenarios Better support for ephemeral/distributed builds Security Requirements Initial requirements Strengthened and more precise requirements | specification

  12. 15.05.2025 WhizUs GmbH 12 SLSA authenticated statement about a software

    artifact in reality it’s all about artifact/code signing | specification (attestations)

  13. DEMO

  14. Thank You

  15. 15.05.2025 WhizUs GmbH 15 References https://www.cisa.gov/sbom https://www.cisa.gov/sites/default/files/2023-01/VEX_Use_Cases_Aprill2022.pdf https://slsa.dev/ https://www.meetup.com/security-meetup-by-sba-research/events/304127699/ https://chainloop.dev/

  16. None