Talk Abstract:
SLSA, Supply-chain Levels for Software Artifacts (slsa.dev), is an Open Source Security Foundation (OpenSSF) project that defines incremental security levels which platforms can implement to prevent tampering with the software supply chain.
In this talk Joshua will introduce the SLSA project. He will cover the SLSA principles, including how they are useful across DevSecOps processes and systems; look at the threat model which guides SLSA work; introduce SLSA's security levels; and conclude with a brief summary of the open source project, future plans, and how you can get involved.
Speaker Names:
Joshua Lock, Open Source Architect at Verizon
Speaker Bio:
Versatile software engineer and open source professional with leadership roles in several open source projects. 15 years of experience working on tools to build complex software systems deterministically and securely. Passionate about build systems and software supply chain security.
Steering committee member and specification maintainer on the Supply-chain Levels for Software Artifacts (SLSA) project, The Update Framework (TUF) specification editor and implementation maintainer for python-tuf and go-tuf, contributor and root keyholder for Sigstore, friend of in-toto.
Emeritus core contributor to all aspects of OpenEmbedded and the Yocto Project.