In recent years, high-profile software supply chain attacks have caused significant damage to organizations. These attacks have highlighted the need for better security practices to address software-supply-chain-related risks. As a result, the U.S. government pushed for new cyber regulations and standards. This is how SLSA and SSDF came to be.
These frameworks cover a wide range of areas, including vulnerability management, code integrity, provenance validation, incident response, and enforcement of secure SDLC processes. However, implementing them can be a daunting task, particularly for organizations with limited resources.
Scribe’s platform serves as a safe harbor for software producers. It enables straightforward compliance with the SLSA and SSDF frameworks, even with limited resources.
Scribe enables customers to comply with the SSDF framework and SLSA by promoting transparency through an evidence-based hub that ensures the software hasn’t been tampered with.
Comply with NIST SP 800-218 (SSDF)
The SSDF aims to reduce the volume and impact of vulnerabilities that occur across the entire SDLC. Vendors operating or planning to operate in the U.S. must react quickly and learn how to comply with the SSDF.
The SSDF is not a checklist you should follow but rather a roadmap for planning and implementing a risk-based approach to secure software development. This includes promoting transparency and using an evidence-based strategy to protect software from any tampering by unauthorized users.
Scribe users can not only apply a policy over attestations to ensure secure development and build processes or to validate that tampering hasn’t taken place, but they can also gauge compliance with the SSDF, the basis for the new U.S. cyber regulation.
Scribe is the first solution to focus on the PS (Protect the Software) group of practices within the SSDF
Scribe conducts a rule-based evaluation to determine the protection level of the source code, based on the well-known CIS Software Supply Chain Security benchmark, combined with some elements from SLSA.
Comply with the SLSA framework
SLSA is a comprehensive checklist of security controls and standards that ensure software integrity. In addition to helping developers, organizations, and businesses make informed choices about how to build and consume secure software, it proposes 4 escalating levels of steps for securing the entire software development lifecycle.
Using Scribe, users can automate compliance validation with SLSA. On top of that, in the specific areas where they do not comply, Scribe provides a set of actionable recommendations to close the gap. This solves a huge problem for software producers who need to comply with the new U.S.-led regulation by 2024.
Easily verify that software builds comply with SLSA level 2 or level 3 requirements
Scribe enables you to create SLSA provenance as part of each build pipeline, see exactly which SLSA requirement has passed or failed, and quickly address any issues to bring the build into compliance.
You can then easily share the collected evidence with relevant stakeholders, confidently demonstrating your build or product compliance.
Scribe’s Advantage Over Other Tools
Evaluates the entire policy rather than just producing a provenance document
Producers can collect relevant SLSA information about their pipelines, in the form of a series of policies
Producers can choose to enact these policies on their pipeline and check whether the policy has passed or failed
All policies passing means you are conforming to SLSA level 3.
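To illustrate the per-requirement pass/fail evaluation of SLSA provenance described above, here is an added example (not Scribe’s own implementation) that checks a SLSA v1 provenance attestation against a small, simplified subset of policy rules; the statement, builder id, digests and trusted-builder allow-list are constructed placeholders, not values from any real pipeline.

```python
import json

# Constructed sample: an in-toto statement carrying a SLSA v1 provenance predicate
# (placeholder URIs and digests; not taken from a real build).
SAMPLE_STATEMENT = json.loads("""{
  "_type": "https://in-toto.io/Statement/v1",
  "subject": [{"name": "app.tar.gz", "digest": {"sha256": "aa11bb22"}}],
  "predicateType": "https://slsa.dev/provenance/v1",
  "predicate": {
    "buildDefinition": {
      "buildType": "https://example.com/ci/v1",
      "externalParameters": {"repository": "https://example.com/repo.git"},
      "resolvedDependencies": [
        {"uri": "git+https://example.com/repo.git", "digest": {"gitCommit": "0123abcd"}}
      ]
    },
    "runDetails": {"builder": {"id": "https://example.com/ci-builder"}}
  }
}""")

# Assumption: the consumer keeps an allow-list of builder identities it trusts.
TRUSTED_BUILDERS = {"https://example.com/ci-builder"}


def evaluate(statement, artifact_sha256, trusted_builders=TRUSTED_BUILDERS):
    """Return {rule_name: passed} for each check; each entry is one pass/fail result."""
    pred = statement.get("predicate", {})
    build_def = pred.get("buildDefinition", {})
    builder_id = pred.get("runDetails", {}).get("builder", {}).get("id")
    deps = build_def.get("resolvedDependencies", [])
    subjects = statement.get("subject", [])
    return {
        # The attestation must actually be SLSA provenance, not some other predicate.
        "is_slsa_v1_provenance": statement.get("predicateType") == "https://slsa.dev/provenance/v1",
        # The artifact being deployed must be one of the attested subjects (tamper check).
        "subject_matches_artifact": any(s.get("digest", {}).get("sha256") == artifact_sha256 for s in subjects),
        # Only provenance produced by a known, trusted build platform counts.
        "builder_is_trusted": builder_id in trusted_builders,
        # The build must declare how it was performed.
        "build_type_declared": bool(build_def.get("buildType")),
        # Source must be pinned to an immutable commit, not a moving branch name.
        "source_pinned_to_commit": any("gitCommit" in d.get("digest", {}) for d in deps),
    }


def policy_passes(results):
    """The policy passes only when every individual rule passes."""
    return all(results.values())
```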
The SSDF and SLSA frameworks cover a wide range of areas, including vulnerability management, code integrity, provenance validation, and enforcement of secure SDLC processes. However, implementing them can be a daunting task, particularly for organizations that have limited resources. Furthermore, the need to demonstrate compliance in an unequivocal manner in response to the new federal regulation or customers’ requirements is far from trivial.
With Scribe, You Can:
Generate, Manage, and Share SBOMs
Scribe allows commercial software vendors and integrators to track vulnerabilities, generate, manage, and share SBOMs with downstream consumers and other stakeholders in the software supply chain.
Manage SBOM Access
Scribe lets you grant access to SBOMs in line with your contractual obligations. It also communicates vulnerability risk through VEX (a CISA standard).
Determine the Protection Level
Based on CIS Software Supply Chain Security benchmarking and some elements from SLSA, Scribe conducts a rule-based evaluation to determine the protection level of the build pipeline.