Open Source Security

  1. Security Frameworks and Standards
    1. Supply-chain Levels for Software Artifacts (SLSA)
      1. SLSA Framework Overview
        1. Security Levels and Requirements
          1. Build Integrity Focus
          2. SLSA Level Requirements
            1. Level 1: Documentation and Version Control
            2. Level 2: Build Service and Signed Provenance
            3. Level 3: Hardened Build Platform
            4. Level 4: Two-Person Review and Hermetic Builds
      2. SLSA Implementation
        1. Tooling and Automation
        2. Compliance Assessment
        3. Continuous Improvement
    2. Sigstore Ecosystem
      1. Sigstore Components
        1. Cosign for Container Signing
        2. Rekor Transparency Log
        3. Fulcio Certificate Authority
      2. Keyless Signing
        1. OIDC-Based Identity
        2. Short-Lived Certificates
        3. Transparency and Auditability
      3. Sigstore Integration
        1. CI/CD Integration
        2. Verification Workflows
        3. Policy Enforcement
    3. OpenSSF Initiatives
      1. OpenSSF Scorecards
        1. Automated Security Assessment
        2. Best Practice Evaluation
        3. Scoring Methodology
      2. Security Best Practices Guide
      3. Alpha-Omega Project
      4. Package Analysis Project
    4. Other Relevant Standards
      1. NIST Secure Software Development Framework (SSDF)
      2. ISO/IEC 27034 Application Security
      3. OWASP Software Assurance Maturity Model (SAMM)
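The outline's "Signed Provenance" (SLSA Level 2) and "Verification Workflows / Policy Enforcement" (Sigstore Integration) items meet at one concrete step: after cosign has verified the signature on an attestation, something still has to decide whether the provenance *contents* satisfy policy. The block below is an added example of that content check, not code from the page or from the SLSA or Sigstore projects. It assumes a DSSE envelope carrying an in-toto Statement v1 with a SLSA Provenance v1 predicate (the real predicate type URIs), and it constructs the artifact bytes, the policy (the builder ID, repository and branch are hypothetical), and two sample envelopes inline so it runs offline. Signature verification is deliberately out of scope: it is assumed to have happened upstream (for example with `cosign verify-attestation`).

```python
import base64
import hashlib
import json

IN_TOTO_STATEMENT_V1 = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"
DSSE_IN_TOTO_TYPE = "application/vnd.in-toto+json"

# Constructed policy: hypothetical builder ID, repo and branch for this example.
POLICY = {
    "trusted_builders": {"https://ci.example.com/builders/hermetic-slsa3@v1"},
    "source_repo": "https://github.com/example-org/example-app",
    "allowed_refs": {"refs/heads/main"},
}

# Constructed artifact; the provenance must name its digest as a subject.
ARTIFACT = b"example release binary contents\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_statement(artifact: bytes, builder_id: str, source_uri: str) -> dict:
    """Constructed in-toto statement shaped like a SLSA Provenance v1 predicate."""
    return {
        "_type": IN_TOTO_STATEMENT_V1,
        "subject": [{"name": "example-app", "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": SLSA_PROVENANCE_V1,
        "predicate": {
            "buildDefinition": {
                "buildType": "https://ci.example.com/buildtypes/container@v1",  # hypothetical
                "externalParameters": {"source": source_uri},
                "resolvedDependencies": [{"uri": source_uri, "digest": {"gitCommit": "a" * 40}}],
            },
            "runDetails": {"builder": {"id": builder_id}},
        },
    }


def make_envelope(statement: dict) -> dict:
    """Wrap a statement in a DSSE envelope. Constructed; the signature is a placeholder."""
    payload = json.dumps(statement, separators=(",", ":")).encode()
    return {
        "payloadType": DSSE_IN_TOTO_TYPE,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": "", "sig": "<verified upstream by cosign>"}],
    }


def unwrap_envelope(envelope: dict) -> dict:
    """Extract the statement; assumes the envelope signature was already verified."""
    if envelope.get("payloadType") != DSSE_IN_TOTO_TYPE:
        raise ValueError(f"unexpected payloadType {envelope.get('payloadType')!r}")
    statement = json.loads(base64.b64decode(envelope["payload"]))
    if statement.get("_type") != IN_TOTO_STATEMENT_V1:
        raise ValueError("not an in-toto Statement v1")
    if statement.get("predicateType") != SLSA_PROVENANCE_V1:
        raise ValueError("not a SLSA Provenance v1 predicate")
    return statement


def check_provenance(statement: dict, artifact_digest: str, policy: dict) -> list:
    """Return policy violations; an empty list means the artifact may be deployed."""
    violations = []

    # 1. The artifact being deployed must be a subject of this statement.
    subjects = {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
    if artifact_digest not in subjects:
        violations.append("artifact digest is not a subject of the provenance")

    pred = statement.get("predicate", {})
    # 2. Only a builder we trust may vouch for the artifact.
    builder_id = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder_id not in policy["trusted_builders"]:
        violations.append(f"untrusted builder {builder_id!r}")

    # 3. The build must have resolved its source from the expected repo and ref,
    #    pinned to a commit, so a feature branch or fork cannot satisfy policy.
    source_ok = False
    for dep in pred.get("buildDefinition", {}).get("resolvedDependencies", []):
        uri = dep.get("uri", "")
        if not uri.startswith("git+"):
            continue
        repo, _, ref = uri[len("git+"):].partition("@")
        if repo == policy["source_repo"] and ref in policy["allowed_refs"] \
                and dep.get("digest", {}).get("gitCommit"):
            source_ok = True
    if not source_ok:
        violations.append("no resolved source dependency matches the policy repo/ref")
    return violations


def evaluate(envelope: dict, artifact: bytes, policy: dict = POLICY) -> list:
    return check_provenance(unwrap_envelope(envelope), sha256_hex(artifact), policy)


GOOD_ENVELOPE = make_envelope(build_statement(
    ARTIFACT, "https://ci.example.com/builders/hermetic-slsa3@v1",
    "git+https://github.com/example-org/example-app@refs/heads/main"))
# Same artifact, but provenance from an unknown builder on a feature branch.
BAD_ENVELOPE = make_envelope(build_statement(
    ARTIFACT, "https://laptop.example.com/dev-build",
    "git+https://github.com/example-org/example-app@refs/heads/feature-x"))

if __name__ == "__main__":
    for name, env in (("good", GOOD_ENVELOPE), ("bad", BAD_ENVELOPE)):
        print(name, evaluate(env, ARTIFACT) or "PASS")
```

The three checks are ordered by what an attacker most easily forges: a valid signature from the wrong builder, a genuine builder run against the wrong branch, and a provenance that simply does not name the artifact at hand. A gate like this belongs in the admission path (an admission controller or deploy script), after signature verification and before anything runs.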