Open source devs finally get a taste of full strength SLSA


The Open Source Security Foundation (OpenSSF) has shipped a 1.0 release of one of its key software supply chain security projects.

SLSA 1.0 (Supply-chain Levels for Software Artifacts) was served up at KubeCon Europe in Amsterdam this week, just as the Cloud Native Computing Foundation (CNCF) released the results of a wide-ranging security audit of Kubernetes 1.24, which noted that a number of issues from an earlier audit of version 1.13 remain unaddressed.

Software supply chain security has raced up the agenda over the last couple of years, as the Log4j and SolarWinds crises highlighted the threat from both open source and proprietary code. The issue is a central part of rapidly evolving cybersecurity strategies from the US, EU and the UK.

The OpenSSF describes the SLSA framework “as a series of levels that describe increasing security rigor, designed to give confidence that software hasn’t been tampered with and can be securely traced back to its source.”

The framework was originally developed at Google before being donated to the OpenSSF. It focuses on the source and build-system parts of the software supply chain.

The new release restructures the framework into “tracks”, each of which can be adopted separately, which the organization says will make it easier to take up. Version 1.0 defines the Build track, with levels covering how provenance is generated and how well the build platform is hardened; Source and Dependencies tracks, and further levels, can be expected in future versions. It also gives more explicit guidance on how consumers should verify the provenance of the artifacts they pull in.
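The verification step is the part a consumer actually runs. The following Python is an added example and is not code from the SLSA project or the OpenSSF: it constructs an in-toto statement carrying a SLSA provenance v1 predicate, wraps it in a DSSE envelope the way a builder would publish it, and applies the policy checks the 1.0 specification asks a consumer to make: that the builder is the one you trust, that the artifact's digest appears among the provenance subjects, and that the build type and source match your policy. The builder id, source URI and build type are placeholders, and the sample artifact and envelope are constructed. It computes the DSSE pre-authentication encoding that a builder signs, but does not verify a signature itself, since that needs the builder's published key.

```python
"""Consumer-side policy checks over SLSA v1.0 build provenance.

Added example, not OpenSSF/SLSA project code. The envelope, statement and
artifact below are constructed; the builder id, source URI and build type
are assumed placeholders standing in for values from a real build platform.
"""
import base64
import hashlib
import json

# Constructed sample artifact and the values our policy expects (all assumed).
ARTIFACT = b"hello, supply chain\n"
ARTIFACT_SHA256 = hashlib.sha256(ARTIFACT).hexdigest()
EXPECTED_BUILDER_ID = "https://builder.example.com/slsa/v1"
EXPECTED_SOURCE_URI = "git+https://github.com/example/app@refs/heads/main"
EXPECTED_BUILD_TYPE = "https://builder.example.com/build-types/container@v1"

# in-toto Statement v1 with a SLSA provenance v1 predicate, as a builder would emit it.
STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "app-linux-amd64", "digest": {"sha256": ARTIFACT_SHA256}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "buildType": EXPECTED_BUILD_TYPE,
            "externalParameters": {"source": {"uri": EXPECTED_SOURCE_URI}},
            "resolvedDependencies": [
                {"uri": EXPECTED_SOURCE_URI, "digest": {"gitCommit": "0" * 40}}
            ],
        },
        "runDetails": {"builder": {"id": EXPECTED_BUILDER_ID}},
    },
}

# DSSE envelope around the statement. The signature is a placeholder: a real
# builder signs dsse_pae(payloadType, payload) and the consumer verifies that
# signature with the builder's published key before running the checks below.
ENVELOPE = {
    "payloadType": "application/vnd.in-toto+json",
    "payload": base64.b64encode(json.dumps(STATEMENT).encode()).decode(),
    "signatures": [{"keyid": "builder-key-1", "sig": "<placeholder, not computed>"}],
}


def dsse_pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE v1 Pre-Authentication Encoding: the exact bytes a signature covers."""
    pt = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(pt), pt, len(payload), payload)


def verify_provenance(envelope, artifact_bytes, *, builder_id, source_uri, build_type):
    """Return the list of failed policy checks; an empty list means the artifact passes.

    Assumes the caller has already verified envelope["signatures"] over
    dsse_pae(envelope["payloadType"], payload) with the builder's key.
    """
    failures = []
    payload = base64.b64decode(envelope["payload"])
    stmt = json.loads(payload)

    if stmt.get("_type") != "https://in-toto.io/Statement/v1":
        failures.append("unexpected statement type")
    if stmt.get("predicateType") != "https://slsa.dev/provenance/v1":
        failures.append("predicate is not SLSA provenance v1")

    # The provenance must be about *this* artifact: match on the sha256 digest.
    digest = hashlib.sha256(artifact_bytes).hexdigest()
    subjects = stmt.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == digest for s in subjects):
        failures.append("artifact digest not among provenance subjects")

    # Trust comes from the builder identity, not from the provenance contents alone.
    pred = stmt.get("predicate", {})
    if pred.get("runDetails", {}).get("builder", {}).get("id") != builder_id:
        failures.append("unexpected builder id")

    # Pin the build recipe and the source it was allowed to come from.
    build_def = pred.get("buildDefinition", {})
    if build_def.get("buildType") != build_type:
        failures.append("unexpected buildType")
    if build_def.get("externalParameters", {}).get("source", {}).get("uri") != source_uri:
        failures.append("source URI does not match policy")
    return failures


def check(artifact_bytes: bytes) -> list:
    """Run the sample envelope against the policy for a given artifact."""
    return verify_provenance(
        ENVELOPE, artifact_bytes,
        builder_id=EXPECTED_BUILDER_ID,
        source_uri=EXPECTED_SOURCE_URI,
        build_type=EXPECTED_BUILD_TYPE,
    )


if __name__ == "__main__":
    print("genuine artifact:", check(ARTIFACT) or "OK")
    print("swapped artifact:", check(b"something else entirely\n"))
```

Each check is deliberately independent and reported by name rather than as a single boolean, so a failing deployment gate tells the operator which policy element was violated; a swapped binary fails only the digest check, while a statement emitted by a different build platform fails on builder id even if every other field looks right.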

Brian Behlendorf, general manager of the OpenSSF, said: “The stable release of SLSA v1.0 is an important milestone in improving software supply chain security and providing organizations with the tools they need to protect their software.”

OpenSSF also looks after the Secure Supply Chain Consumption Framework, contributed by Microsoft last year, which, as the name suggests, focuses on the consumption part of the supply chain. It also has a working group bringing together different elements of the supply chain – repos, package managers, etc – to learn from and help each other.

The announcement came as the CNCF released the latest third-party audit of Kubernetes, conducted by NCC Group together with the Kubernetes SIG Security Third Party Audit Working Group.

In a statement the CNCF said the audit identified “concerns with the administrative experience as it relates to restricting user or network permission.” Flaws in user input “sanitization” could allow “a restricted form of authentication bypass by modifying the request made to the etcd datastore.”

It also flagged up “flaws in inter-component authentication which allow a suitably positioned malicious user to escalate permissions to cluster-admin.” And it found “weaknesses in logging and auditing which could be abused by an attacker.”

There were numerous other findings, but these “pose limited risk to users.”

The report noted that the Kubernetes project has “demonstrated” efforts to improve security, but also said “A number of findings from the previous audit performed against Kubernetes version 1.13 remain open or unfixed.”

Overall, the report highlighted 19 issues, of which six were classed as medium risk, nine as low, and four as “informational”.

Simple fixes should be implemented in code as soon as possible, it recommended, though in the case of more complicated fixes, “it may be more pertinent to update Kubernetes documentation to inform users of the identified risks while longer-term fixes are applied.”