Overview
Explore a comprehensive overview of SLSA (Supply-chain Levels for Software Artifacts) in this conference talk presented by Tom Hennen from Google and Joshua Lock from VMware. Dive into the methodology designed to prevent tampering with the software supply chain, following the journey of mischievous gremlins attempting to introduce malicious code into a widely used container image. Learn how SLSA controls raise the cost of an attack at each step of the supply chain, thwarting potential threats. Discover the concept of SLSA levels, trust boundaries, and both implicit and explicit policy checks. Through worked examples and scenarios, gain insight into how SLSA guards against various attack vectors, including housekeeping attacks. Conclude with an introduction to SLSA Level 1 and a glimpse into future developments in supply chain security.
Syllabus
Intro
Supply Chain Overview
What is SLSA?
SLSA Levels
What is tampering?
How?
SLSA Trust Boundaries
Gremlins in the supply chain
Vax Trial Analysis runs evil fetcher
SLSA to the rescue!
Implicit Policy Checks
Explicit policy
SLSA saves the day!
Gremlin housekeeping attack
SLSA does it again!
SLSA Level 1
What's cooking
Taught by
CNCF [Cloud Native Computing Foundation]