SLSA 1.0 is intended to provide a standard language for software supply chain security. The project is at an important milestone in software development security with its first stable version, according to OpenSSF.

The Open Source Security Foundation (OpenSSF) was launched in 2020 by the Linux Foundation. As the name suggests, the initiative hopes for the broad standardization of security metrics on an open-source basis.

SLSA is to be pronounced as “salsa”. The project is organized on the basis of several “levels”. Each level represents the degree of security in software development. By complying with a certain level, a developer is able to prevent the software from being tampered with. Additionally, the source can be guaranteed to be safe. This is what is meant by the so-called ‘supply chain’: the collection of components, processes and libraries, among others, that together enable the development of software. There is a lot of interaction between these components, and cyber-attacks often try to exploit vulnerabilities in these communication flows.


Whereas many software vendors are currently trying to aggregate all kinds of services, the OpenSSF uses a different method. As a foundation, its goal is to develop a common language for discussing supply chain security. This includes standardizing the meaning of technical terms and having a concrete checklist of security standards. To accomplish this, OpenSSF chooses to focus on one area first.

The “Build Track” is the main focus of SLSA 1.0. In the future, one can expect Source and Dependency tracks, which focus on other aspects of the software production process. The Build Track should become the basis for subsequent updates, which should cover an ever-increasing portion of the supply chain.


Who will benefit from adopting SLSA? First of all, version 1.0 can be extremely useful for software producers. These teams now receive tools from OpenSSF to verify their compliance with established security standards. This gives producers a chance to prove to customers that the software has been checked for weaknesses. Especially desirable in times of uncertainty among the open source community. New EU legislation could mean that open-source developers are held responsible for security weaknesses in commercial software.

On top of supporting software producers, OpenSSF states that SLSA will make consumers safe in the knowledge that their software is compliant with security standards.

Finally, the group touches on how useful SLSA can be for infrastructure providers. As the bridge between software producer and consumer, they provide the supply chain, and thus may be required to prove that they, too, have security in high regard.