The OpenSSF (Open Source Security Foundation) is a cross-industry collaboration that aims to improve the security of OSS. It was founded in 2020 as part of the Linux Foundation, and its first members included leading companies and organizations such as Google, Microsoft, IBM and GitHub. The authors of this Manifesto are members of the OpenSSF End Users Working Group, which focuses on the needs and challenges of OSS consumers and is chaired by Jonathan Meadows, a senior security engineer. The Manifesto was published in August 2023 as a blog post on the OpenSSF website, and it was inspired by another famous manifesto, the Agile Manifesto.
S2C2F stands for Secure Supply Chain Consumption Framework. It is a framework developed by Microsoft and contributed to the OpenSSF, where it is maintained within the Supply Chain Integrity Working Group. S2C2F is consumption-focused: rather than describing how software is produced, it defines a set of practices and a maturity model-based implementation guide that help organizations securely bring OSS dependencies into the developer's workflow and improve the security of their software supply chain step by step.
SLSA stands for Supply-chain Levels for Software Artifacts. It is a framework that provides a set of incrementally adoptable best practices for the software supply chain, with particular attention to OSS. It was created by Google, and it is now part of the OpenSSF. The original v0.1 specification defines four levels of assurance, from Level 1 to Level 4, that correspond to increasing degrees of protection against supply chain attacks; SLSA v1.0, released in April 2023, reorganizes the requirements into tracks, with the Build track defining levels L0 to L3, each adding stronger guarantees about how an artifact was built and about the provenance that describes that build. Our CTO Paolo Mainardi mentioned SLSA in a very good article on software supply chain security, and we also mentioned it in another article about securing OCI Artifacts on Kubernetes.
These technical details are out of the scope of this article, but we think it is important to mention them because a company's security strategy should rest on a solid foundation, and these frameworks show that good starting points already exist: companies do not have to start from scratch. If you want to know more about them, or about other ways to improve the security of your software supply chain, visit the OpenSSF website.
Related posts
- SLSA – Supply-Chain Levels for Software Artifacts
- Legitify: Detect and remediate misconfigurations, security and compliance issues across all your GitHub and GitLab assets with ease
- Cloud Security Podcast by Google, EP116: SBOMs: A Step Towards a More Secure Software Supply Chain