"Google: Use SLSA Framework for Better Software Security"

Google recommends that organizations adopt the Supply Chain Levels for Software Artifacts (SLSA) framework when developing software in order to improve software security and integrity, a conclusion drawn from its review of best practices for securing the software supply chain. Google made several recommendations for improving supply chain security, including the need for organizations to take more direct responsibility for the open-source software they depend on and to take a more holistic approach to addressing risks such as the Log4j vulnerability and the SolarWinds breach. Google's report on software security is the first in a new research series called "Perspectives on Security," which examines emerging security trends and how to address them. The report's publication coincides with the second anniversary of the SolarWinds breach disclosure, and its recommendations are based on Google's analysis of that incident and of other software supply chain breaches that have occurred since then, including incidents at Codecov, Kaseya, and public code repositories such as PyPI. These breaches have elevated software supply chain security to the top of the enterprise Information Technology (IT) priority list. According to a recent Mandiant report, supply chain compromises accounted for 17 percent of all intrusions in 2021, making supply chain issues the second most common initial intrusion vector that year, trailing only the exploitation of software vulnerabilities. This article continues to discuss the main takeaways for security decision-makers from Google's new security perspectives report.

Dark Reading reports "Google: Use SLSA Framework for Better Software Security"
