Ya Got Trouble (And SLSA may help) - Nicole Schwartz - Shmoocon 2023

Shmoocon January 20-22, 2023

FRIDAY, JANUARY 20, 2023 1630

Ya Got Trouble (And SLSA May Help)

Nicole Schwartz

Yes you got lots and lots of trouble
I’m thinkin’ of the devs in CICD
Shirt-tail young ones, peekin’ in the IDE window after school
You got trouble, folks
Right here in ShmooCon, trouble with a capital “T”
And that rhymes with “C” and that stands for cooooode

Have you been asked if you have a secure software supply chain? Or which SLSA level your software is built to? If you have, but you are unsure what exactly they are asking for, this talk is for you. Luckily, this is not another step to add; it's a framework, and you may be closer to compliance than you think! I'll explain what the Supply-chain Levels for Software Artifacts (SLSA) framework is, why it is useful, what it can't do for you, how it fits into your development process, and a variety of tools you can use (Open Source, Free, Paid, and roll your own) to help you meet your desired level of SLSA.
