Loopus


Build System Attestation (SLSA)

30 min · theory · +50 XP

Learning Objectives

  • Define Supply-chain Levels for Software Artifacts (SLSA)
  • Understand build system attestations
  • Identify the levels of SLSA maturity

SLSA: Boosting Build Integrity

While SBOMs tell you what is in your software, SLSA (Supply-chain Levels for Software Artifacts) tells you how it was built and ensures it hasn't been tampered with.

Why SLSA Exists

Even if you have a perfect SBOM, an attacker who compromises your build server (CI/CD) can inject malicious code during compilation. Because the injection happens after the source is checked out, the malicious code never appears in your source repository, which makes it extremely hard to find. This is exactly what happened in the SolarWinds attack.

The Core Concept: Attestations


SLSA introduces the concept of signed attestations. When a build server finishes a job, it generates a cryptographically signed document stating:
"I am BuildServer-X. I took SourceCode-Y, ran BuildScript-Z, and produced Binary-A. Here is my signature to prove it."

SLSA Levels


SLSA provides a roadmap for increasing maturity:
* Level 1: Basic documentation of the build process.
* Level 2: Tamper-resistant builds with signed metadata.
* Level 3: Hardened infrastructure and "Non-falsifiable" attestations (built on a dedicated, isolated build service).
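The attestation exchange described above, as an added example in Go (not code from this lesson or from any SLSA project): the build server signs an in-toto-style statement that binds the binary's digest to its provenance, and a consumer verifies the signature with the builder's key and checks the digest against the binary it actually holds. The builder name, source URL, key and binary contents are constructed placeholders, and the predicate fields are a simplified stand-in for the real SLSA provenance schema.

```go
package main
import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Statement is a trimmed in-toto Statement: the built artifact (by digest) plus a SLSA-style provenance predicate.
type Statement struct {
	PredicateType string            `json:"predicateType"`
	Subject       map[string]string `json:"subject"` // artifact name -> sha256 hex digest
	Predicate     Provenance        `json:"predicate"`
}
type Provenance struct{ BuilderID, SourceURI, SourceDigest, BuildScript string } // who built it, from what, how
type Attestation struct{ Payload, Sig []byte } // signed envelope: serialized statement + builder signature
func digest(b []byte) string { return fmt.Sprintf("%x", sha256.Sum256(b)) }

// Attest is the build server's last step: hash the output it produced, record the provenance, sign.
func Attest(priv ed25519.PrivateKey, p Provenance, binary []byte) Attestation {
	payload, _ := json.Marshal(Statement{ // marshalling this plain struct cannot fail
		PredicateType: "https://slsa.dev/provenance/v1",
		Subject:       map[string]string{"binary": digest(binary)}, Predicate: p,
	})
	return Attestation{Payload: payload, Sig: ed25519.Sign(priv, payload)}
}

// Verify is the consumer's check: the signature must come from the trusted builder key, and the
// attested digest must match the binary actually in hand, so a swapped or patched binary fails.
func Verify(pub ed25519.PublicKey, att Attestation, binary []byte) (Provenance, error) {
	if !ed25519.Verify(pub, att.Payload, att.Sig) {
		return Provenance{}, fmt.Errorf("attestation signature does not verify")
	}
	var st Statement
	if err := json.Unmarshal(att.Payload, &st); err != nil {
		return Provenance{}, err
	}
	if st.Subject["binary"] != digest(binary) {
		return Provenance{}, fmt.Errorf("artifact digest does not match the attested subject")
	}
	return st.Predicate, nil // the caller now knows builder, source and script for this exact binary
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed key; a real builder keeps a long-lived identity
	bin := []byte("constructed binary contents")
	att := Attest(priv, Provenance{"BuildServer-X", "git+https://example.invalid/SourceCode-Y", "constructed-digest", "BuildScript-Z"}, bin)
	fmt.Println(Verify(pub, att, bin))              // provenance, <nil>
	fmt.Println(Verify(pub, att, append(bin, '!'))) // empty provenance, digest-mismatch error
}
```

Real SLSA provenance carries many more fields and is signed by the build platform's own long-lived identity rather than a key generated per run, but the two checks a consumer performs, trusted signer and matching digest, are the same.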

Answer the Questions

📚 Knowledge: Question 1

What framework provides "Levels" for build pipeline integrity?

Format: **** (4 chars). Exact match required.

⌨️ Hands-On: Question 2

What is a signed statement about how a piece of software was built?

Format: *********** (11 chars). Exact match required.

📚 Knowledge: Question 3

What is the highest "gold standard" level in the SLSA framework?

Format: ***** # (7 chars). Exact match required.