Gitpod takes a central position in the software development lifecycle. As such, the security of our product is paramount; not only at runtime, but also as we build and deliver Gitpod. Alongside a host of other initiatives (e.g. becoming SOC 2 compliant), we aim to secure our own software supply chain. Today, we are proud to announce that we’ve taken a first step in that direction: Gitpod is now SLSA Level 1 compliant. 🎉
SLSA is an end-to-end framework for ensuring the integrity of software artifacts throughout the software supply chain. It aims to ensure that software is shipped securely from source to production, and is inspired by Google’s internal “Binary Authorization for Borg”. But what is a software supply chain anyway?
In manufacturing, many different components make up an assembly, and many assemblies make up a finished product. Think of a car that consists of multiple parts such as doors, wheels and seats built from raw materials like steel, plastics, aluminium and rubber. Many of these parts and raw materials come from different vendors and suppliers, forming the supply chain.
Software engineering is similar. While developing an application, we rely on open source code and external services. We build, test and deploy applications using CI/CD pipelines which have far-reaching access to development and production systems. Deep dependency trees without controls (think Log4Shell), insecure CI/CD pipelines and developers’ laptops make for attractive attack vectors. Such attacks have been carried out successfully: as SolarWinds and Kaseya showed, it’s not only the Fortune 500 who are at risk, but their suppliers, too. No one wants to become a vehicle for malicious actors and irrevocably destroy the trust that cost so much to build. We must not underestimate the importance of Software Supply Chain Security.