SLSA and GUAC: A Tasty Combination for Application Supply Chain Security

Supply chain attacks are a growing security concern for organizations and developers who depend on third-party software and build systems. To mitigate that risk, Supply chain Levels for Software Artifacts, or SLSA (pronounced "salsa"), was created to help improve the security of software solutions. SLSA pairs well with GUAC (Graph for Understanding Artifact Composition), which brings together many sources of software security metadata to strengthen security throughout the SDLC.

In this talk, we will introduce SLSA and GUAC and demonstrate how to implement both in a CI/CD system. The presentation will show how to apply supply chain security controls to containerized applications that run on Kubernetes. We will walk through a source-to-deployment scenario that uses SLSA and GUAC to attest to a high level of software security at every stage of the process.