ActiveState today announced the availability of its secure build service, a key component of the ActiveState Platform which, the company says, implements more Supply Chain Levels for Software Artifacts (SLSA) Level 4 controls than any other publicly available build platform. SLSA, as defined by slsa.dev, is “a security framework, a checklist of standards and controls for preventing tampering, improving integrity, and securing packages and infrastructure in your projects, businesses, or enterprises. It’s how you go from being safe enough to being as resilient as possible at any point along the chain.”
According to the findings of ActiveState’s Supply Chain Security survey, far too many organisations (of all sizes) continue to implicitly trust open source language repositories, despite the fact that they provide no assurance of security or integrity for the millions of third-party software assets they provide to software developers.
The ActiveState Platform secure build service implements the controls required to generate SLSA Level 4 artefacts for open source components:
- Scripted, fully automated builds, with no manual steps
- Authenticated provenance, generated by the build service rather than by the user
- Source auditability and provenance integrity
- Isolated, ephemeral, hermetic, and reproducible build environments
ActiveState combines these controls with its proprietary open source management capabilities to provide comprehensive software supply chain security, which includes:
- Automated, tamper-proof builds of open source language dependencies, including native libraries, from source code
- A perpetual source code catalogue that ensures build reproducibility even if dependencies are deleted or corrupted in public repositories.
- Enriched dependency metadata, including vulnerability and licensing information
- Signed artefacts, so that any tampering after the build can be detected
- Optional distribution from an ActiveState Artifact Repository
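What the “authenticated provenance” and “signed artefacts” controls above give a consumer in practice is a machine-checkable statement of what was built, from which inputs, by whom. The following is an added example, not ActiveState code: it builds an in-toto Statement carrying a SLSA v0.2 provenance predicate for a constructed artefact and then runs the checks a downstream pipeline should apply before trusting it. The builder identity, build type URI, source URI and signing key are all hypothetical, and the HMAC signature is a stand-in for the DSSE envelope and asymmetric key a real build service would use.

```python
"""Consumer-side verification of a SLSA-style provenance attestation.

Added example (not ActiveState code): shows what a build platform's
"authenticated provenance" and "signed artefacts" give a consumer to check
before trusting a downloaded dependency. Uses the in-toto Statement layout
with the SLSA v0.2 provenance predicate; the signature is an HMAC stand-in
for a real DSSE envelope signed with the builder's asymmetric key.
"""
import hashlib
import hmac
import json

# --- constructed sample data (not real artefacts or keys) -------------------
ARTIFACT = b"constructed wheel bytes for demo-1.0.0"
ARTIFACT_NAME = "demo-1.0.0-py3-none-any.whl"
BUILDER_ID = "https://builder.example.invalid/v1"      # hypothetical builder identity
BUILDER_KEY = b"constructed-signing-key"                # stand-in for the builder's private key
TRUSTED_BUILDERS = {BUILDER_ID}
MATERIALS = [  # every input the build consumed, pinned by digest
    {"uri": "git+https://src.example.invalid/demo@v1.0.0",
     "digest": {"sha1": "a" * 40}},
]
PROVENANCE_V02 = "https://slsa.dev/provenance/v0.2"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_statement(name: str, artifact: bytes, builder_id: str, materials: list) -> dict:
    """in-toto Statement wrapping a SLSA v0.2 provenance predicate."""
    return {
        "_type": "https://in-toto.io/Statement/v0.1",
        "subject": [{"name": name, "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": PROVENANCE_V02,
        "predicate": {
            "builder": {"id": builder_id},
            "buildType": "https://builder.example.invalid/build-types/source/v1",  # hypothetical
            "materials": materials,
            "metadata": {
                "reproducible": True,
                # Level 4: parameters, environment and materials are all recorded
                "completeness": {"parameters": True, "environment": True, "materials": True},
            },
        },
    }


def canonical(statement: dict) -> bytes:
    """Deterministic serialisation so signer and verifier hash identical bytes."""
    return json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()


def sign(statement: dict, key: bytes) -> str:
    """HMAC stand-in for the builder's signature over the statement."""
    return hmac.new(key, canonical(statement), hashlib.sha256).hexdigest()


def verify(artifact: bytes, name: str, statement: dict, signature: str, key: bytes):
    """Return (ok, reason). The artefact is accepted only if every check passes."""
    if not hmac.compare_digest(sign(statement, key), signature):
        return False, "signature does not verify"      # altered, or not from the builder
    if statement.get("predicateType") != PROVENANCE_V02:
        return False, "unexpected predicate type"
    pred = statement["predicate"]
    if pred["builder"]["id"] not in TRUSTED_BUILDERS:
        return False, "untrusted builder"
    subjects = [s for s in statement["subject"] if s["name"] == name]
    if not subjects or subjects[0]["digest"].get("sha256") != sha256_hex(artifact):
        return False, "artifact digest mismatch"       # bytes we hold are not what was built
    for m in pred.get("materials", []):
        if not m.get("digest"):
            return False, "material %s is not pinned to a digest" % m.get("uri")
    completeness = pred.get("metadata", {}).get("completeness", {})
    if not all(completeness.get(k) for k in ("parameters", "environment", "materials")):
        return False, "incomplete provenance (hermetic build not attested)"
    return True, "ok"


def demo() -> dict:
    """Run the verifier against the genuine artefact and two tampered cases."""
    stmt = make_statement(ARTIFACT_NAME, ARTIFACT, BUILDER_ID, MATERIALS)
    sig = sign(stmt, BUILDER_KEY)
    forged = make_statement(ARTIFACT_NAME, ARTIFACT, "https://attacker.example.invalid", MATERIALS)
    return {
        "genuine": verify(ARTIFACT, ARTIFACT_NAME, stmt, sig, BUILDER_KEY),
        "swapped_artifact": verify(ARTIFACT + b"\x00", ARTIFACT_NAME, stmt, sig, BUILDER_KEY),
        "forged_builder": verify(ARTIFACT, ARTIFACT_NAME, forged, sig, BUILDER_KEY),
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case}: {'accept' if ok else 'reject'} ({reason})")
```

The order of the checks matters: the signature is verified first so that nothing else in the statement is trusted until it is known to come from the builder, and the subject digest is compared against the bytes actually downloaded rather than against a digest published alongside them. The material-pinning and completeness checks are what distinguish a Level 4 hermetic build from a merely signed one.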
This means that DevOps teams now have a trusted vendor for open source supply chain management, rather than having to establish and secure their own supply chains, which is time-consuming and difficult to do well.
By implementing SLSA Level 4 controls, the ActiveState Platform secure build service allows DevOps teams to significantly reduce the risk and cost of securing their software supply chain while ensuring the security and integrity of the products and services they develop.