
SLSA Framework: The Definitive Guide for Securing Your Software Supply Chain

In this episode, we dive deep into the SLSA (Supply-chain Levels for Software Artifacts) framework, the definitive standard for securing your software supply chain. With software supply chain attacks increasing by 742% between 2019 and 2022, understanding frameworks like SLSA—pronounced "salsa"—is no longer optional; it is an operational reality.

We explore the origins of SLSA, which began at Google as "Binary Authorization for Borg" before being contributed to the Open Source Security Foundation (OpenSSF) in 2021. We break down what SLSA provides: a common vocabulary for security maturity, verifiable provenance metadata, and incremental security levels that align with NIST SSDF and EO 14028 requirements.

Join us as we dissect the four SLSA security levels, from Level 0 (the default state of no provenance) to Level 3, which mandates hardened builds with isolated and ephemeral environments. We discuss how these Level 3 protections could have potentially stopped major breaches like the SolarWinds attack by preventing persistent access to build environments and isolating signing keys. We also touch on other high-profile incidents like Codecov and Log4Shell that highlight the urgent need for artifact integrity.

The episode also covers the technical mechanics of SLSA, specifically "provenance"—the tamper-evident metadata that answers who built an artifact, what sources were used, and how it was constructed. We examine the Sigstore toolchain, including Cosign, Fulcio, and Rekor, which enables the "keyless" cryptographic signing essential for modern supply chain security.

For those ready to move from theory to practice, we outline an implementation roadmap starting from Level 1 (fully scripted builds) to Level 3 (enforced verification in production), a journey that typically takes between three and six months. We also highlight the critical roles of different stakeholders, from developers signing commits to organizations establishing policy enforcement at deployment boundaries.
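To make the provenance and deployment-boundary enforcement discussed above concrete, here is an added example (not from the episode or from the SLSA project) of a minimal admission check over a SLSA v1 provenance statement: it confirms the statement describes the artifact being deployed, that a trusted builder produced it, and that the resolved source is the expected repository. The builder id, repository, build type and policy shape are assumed placeholders; DSSE signature and Rekor log verification are assumed to happen before this step.

```python
import hashlib

# Constructed sample: an in-toto Statement carrying SLSA v1 provenance.
# Field names follow the published SLSA v1 schema; every value is made up.
ARTIFACT = b"hello, supply chain\n"
PROVENANCE = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "app-1.0.0.tar.gz",
                 "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "buildType": "https://example.com/build/v1",
            "resolvedDependencies": [
                {"uri": "git+https://github.com/example/app@refs/tags/v1.0.0",
                 "digest": {"gitCommit": "0123456789abcdef0123456789abcdef01234567"}}
            ],
        },
        "runDetails": {"builder": {"id": "https://example.com/builders/hardened/v1"}},
    },
}

# Deployment-boundary policy (assumed shape): trusted builder ids and expected source.
POLICY = {
    "trusted_builders": {"https://example.com/builders/hardened/v1"},
    "expected_source_prefix": "git+https://github.com/example/app@",
}


def verify_provenance(artifact: bytes, statement: dict, policy: dict) -> list:
    """Return policy violations; an empty list means the artifact may be deployed.
    Signature/Rekor verification of the envelope is assumed to have run already."""
    problems = []
    if statement.get("predicateType") != "https://slsa.dev/provenance/v1":
        problems.append("unexpected predicateType")
    # 1. Does this provenance describe *this* artifact? (subject digest must match)
    digest = hashlib.sha256(artifact).hexdigest()
    if not any(s.get("digest", {}).get("sha256") == digest for s in statement.get("subject", [])):
        problems.append("artifact digest not listed in subject")
    pred = statement.get("predicate", {})
    # 2. Who built it? Only a trusted (Level 3 hardened) builder is acceptable.
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in policy["trusted_builders"]:
        problems.append(f"untrusted builder: {builder}")
    # 3. What sources were used? The resolved source must be the expected repository.
    deps = pred.get("buildDefinition", {}).get("resolvedDependencies", [])
    if not any(d.get("uri", "").startswith(policy["expected_source_prefix"]) for d in deps):
        problems.append("source repository does not match policy")
    return problems
```

A real gate would additionally pin the source digest to a reviewed commit and reject statements whose builder id is trusted but whose buildType is not the one that builder is expected to emit.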

Finally, we address the limitations of the framework—noting that it focuses on build integrity rather than code quality or runtime security—and point you toward the Certified Software Supply Chain Security Expert (CSSE) course for those ready to master these concepts through hands-on labs.

Whether you are an AppSec engineer, a security professional, or a cybersecurity analyst, this episode provides the practical, research-backed insights you need to defend against source tampering, dependency poisoning, and provenance forgery.

Key Topics Covered:

Defining SLSA and its role in the OpenSSF.

The 742% increase in supply chain attacks and lessons from SolarWinds.

The roadmap from Level 0 to Level 3 "Hardened Builds".

The power of Sigstore and cryptographic provenance.

Common implementation mistakes, such as skipping Level 1 or ignoring verification.

How to get certified as a Software Supply Chain Security Expert.

Upgrade your security career today by mastering the framework that secures the world's most critical workloads.

https://www.linkedin.com/company/practical-devsecops/
https://www.youtube.com/@PracticalDevSecOps
https://twitter.com/pdevsecops
