Upgrade to Pro — share decks privately, control downloads, hide ads and more …

SLSA Meetup by WhizUs GmbH 15.05.2025

Sponsored · Your Podcast. Everywhere. Effortlessly. Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
Avatar for Julian Zhuang Julian Zhuang
May 19, 2025
4
0

SLSA Meetup by WhizUs GmbH 15.05.2025

Avatar for Julian Zhuang

Julian Zhuang

May 19, 2025

More Decks by Julian Zhuang

See All by Julian Zhuang
Let the Bot Review it - Reducing Toil with Fossabot
Avatar for Julian Zhuang jwzhuang99
0
3
eBPF Signature with Hornet
Avatar for Julian Zhuang jwzhuang99
0
19

Featured

See All Featured
Max Prin - Stacking Signals: How International SEO Comes Together (And Falls Apart)
Avatar for Tech SEO Connect techseoconnect
PRO
0
140
Darren the Foodie - Storyboard
Avatar for Kevinho.art khoart
PRO
3
3.1k
Design of three-dimensional binary manipulators for pick-and-place task avoiding obstacles (IECON2024)
Avatar for konakalab konakalab
0
390
Automating Front-end Workflow
Avatar for Addy Osmani addyosmani
1370
200k
Improving Core Web Vitals using Speculation Rules API
Avatar for Sergey Chernyshev sergeychernyshev
21
1.4k
Building Better People: How to give real-time feedback that sticks.
Avatar for Will Jessup wjessup
370
20k
GraphQLの誤解/rethinking-graphql
Avatar for sonatard sonatard
75
12k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
Avatar for Stéphanie Walter stephaniewalter
287
14k
16th Malabo Montpellier Forum Presentation
Avatar for AKADEMIYA2063 akademiya2063
PRO
0
88
Building Adaptive Systems
Avatar for Chris Keathley keathley
44
3k
Dealing with People You Can't Stand - Big Design 2015
Avatar for Cassini Nazir cassininazir
367
27k
How to make the Groovebox
Avatar for あそなす asonas
2
2.1k

Transcript

  1. 15.05.2025 WhizUs GmbH by Julian Zhuang SLSA The taco dip

    for software supply chain security

  2. recap (SBOM meetup)

  3. 15.05.2025 WhizUs GmbH 3 recap In our previous talk we

    looked into such things like the need for security in supply chains SBOM VEX But we did not (yet) talk about how do we use that in production more usable approach that scales | SBOM Meetup

  4. Intro

  5. 15.05.2025 WhizUs GmbH 5 Intro | The Supply Chain ref:

    https://jfrog.com/de/learn/software-supply-chain/

  6. 15.05.2025 WhizUs GmbH 6 Intro where are the security problems

    here? | The Security Issue ref: https://jfrog.com/de/learn/software-supply-chain/

  7. SLSA

  8. 15.05.2025 WhizUs GmbH 8 SLSA Supply-chain Levels for Software Artifacts,

    or SLSA ("salsa"). It’s a security framework, a checklist of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure. | What is it? ref: https://slsa.dev/ https://www.activestate.com/resources/quick-reads/software-supply-chain-security/

  9. 15.05.2025 WhizUs GmbH 9 SLSA | levels

  10. 15.05.2025 WhizUs GmbH 10 SLSA | Why do we need

    it?

  11. 15.05.2025 WhizUs GmbH 11 SLSA Aspect SLSA v1.0 SLSA v1.1

    Release Type Initial stable release Incremental update Definitions & Terminology Baseline definitions Clarified and refined terminology Provenance Requirements Basic provenance guidance Expanded, more detailed provenance requirements Build Model Support Focused on common build scenarios Better support for ephemeral/distributed builds Security Requirements Initial requirements Strengthened and more precise requirements | specification

  12. 15.05.2025 WhizUs GmbH 12 SLSA authenticated statement about a software

    artifact in reality it’s all about artifact/code signing | specification (attestations)

  13. DEMO

  14. Thank You

  15. 15.05.2025 WhizUs GmbH 15 References https://www.cisa.gov/sbom https://www.cisa.gov/sites/default/files/2023-01/VEX_Use_Cases_Aprill2022.pdf https://slsa.dev/ https://www.meetup.com/security-meetup-by-sba-research/events/304127699/ https://chainloop.dev/

  16. None