TODO: Need mitigation description for "Software producer intentionally submits bad code" threat #1178

Open
lehors opened this issue Oct 9, 2024 · 2 comments · May be fixed by #1236

@lehors
Member

lehors commented Oct 9, 2024

No description provided.

@github-project-automation github-project-automation bot moved this to 🆕 New in Issue triage Oct 9, 2024
@lehors lehors changed the title TODO: Needs mitigation description for "Software producer intentionally submits bad code" threat TODO: Need mitigation description for "Software producer intentionally submits bad code" threat Oct 9, 2024
@lehors lehors added the slsa 1.1 label Oct 9, 2024
@zachariahcox zachariahcox self-assigned this Oct 14, 2024
@michaelwinser

Mitigating against this threat and more generally across major organizational trust boundaries is not a well solved problem.

Question: is this a case of the "software producer intentionally submits bad code" or "someone inside the software producer organization intentionally submits bad code."

The most formal approach is to treat all externally produced software as source code that is being imported into your internal source tree.

  1. All changes should be reviewed by two internal parties
  2. Always build from source

In practice this is not always possible. Organizations can and do rely on 3rd party auditors. Organizations can and should also ask for evidence of secure practices.

At the end of the day, if an organization cannot be trusted but its software is essential then sandboxing and runtime auditing would be required.
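
The two controls in the comment above (two internal reviewers on every change to the imported tree, and always building from that reviewed source) can be checked mechanically. The script below is an added example written for this page; it is not code from the thread or from the SLSA project. It assumes a hypothetical internal identity domain (`example.internal`), a vendored directory prefix (`third_party/`), a trusted builder id and a source repository URL, and it verifies the build-from-source control against a SLSA v1 provenance statement (`predicateType` `https://slsa.dev/provenance/v1`, with `buildDefinition.resolvedDependencies` and `runDetails.builder.id`). All review records and the provenance document are constructed sample data.

```python
"""Policy check for third-party code imported as source.

Control 1: every change under the vendored tree is approved by two internal
           parties who are not the author.
Control 2: the released artifact was built from that reviewed commit, as
           recorded in a SLSA v1 provenance statement.
All identifiers below are assumptions for illustration; inputs are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass

INTERNAL_DOMAIN = "example.internal"                     # assumption
VENDORED_PREFIX = "third_party/"                         # assumption
TRUSTED_BUILDER = "https://ci.example.internal/builder/v1"  # assumption
SOURCE_REPO = "git+https://git.example.internal/app"     # assumption
SLSA_V1 = "https://slsa.dev/provenance/v1"


@dataclass
class Change:
    sha: str
    author: str
    approvers: list[str]
    paths: list[str]


def is_internal(identity: str) -> bool:
    return identity.endswith("@" + INTERNAL_DOMAIN)


def touches_vendored(change: Change) -> bool:
    return any(p.startswith(VENDORED_PREFIX) for p in change.paths)


def two_party_review_ok(change: Change) -> tuple[bool, str]:
    """Control 1: two distinct internal approvers, neither being the author."""
    if not touches_vendored(change):
        return True, f"{change.sha[:7]}: outside {VENDORED_PREFIX}, not in scope"
    qualifying = {a for a in change.approvers
                  if is_internal(a) and a != change.author}
    if len(qualifying) < 2:
        return False, (f"{change.sha[:7]}: {len(qualifying)} qualifying "
                       f"internal approver(s), need 2")
    return True, f"{change.sha[:7]}: reviewed by {sorted(qualifying)}"


def built_from_reviewed_source(provenance: dict, head_sha: str) -> tuple[bool, str]:
    """Control 2: a trusted builder consumed the reviewed commit of our repo."""
    if provenance.get("predicateType") != SLSA_V1:
        return False, "not a SLSA v1 provenance statement"
    pred = provenance.get("predicate", {})
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder != TRUSTED_BUILDER:
        return False, f"untrusted builder {builder!r}"
    deps = pred.get("buildDefinition", {}).get("resolvedDependencies", [])
    for dep in deps:
        if (dep.get("uri") == SOURCE_REPO
                and dep.get("digest", {}).get("gitCommit") == head_sha):
            return True, f"built from {SOURCE_REPO}@{head_sha[:7]}"
    return False, "provenance does not reference the reviewed source commit"


def check_release(changes: list[Change], provenance: dict,
                  head_sha: str) -> tuple[bool, list[str]]:
    """Apply both controls; the release passes only if every check passes."""
    ok, findings = True, []
    for change in changes:
        passed, msg = two_party_review_ok(change)
        ok, findings = ok and passed, findings + [msg]
    passed, msg = built_from_reviewed_source(provenance, head_sha)
    return ok and passed, findings + [msg]


# Constructed sample data: one compliant import, one that fails review.
HEAD_SHA = "0" * 40
SAMPLE_CHANGES = [
    Change(HEAD_SHA, "alice@example.internal",
           ["bob@example.internal", "carol@example.internal"],
           ["third_party/libfoo/src/parse.c"]),
    Change("1" * 40, "dave@example.internal",
           ["dave@example.internal", "mallory@vendor.example"],  # self + external
           ["third_party/libfoo/src/util.c"]),
]
SAMPLE_PROVENANCE = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "app-1.4.2.tar.gz", "digest": {"sha256": "ab" * 32}}],
    "predicateType": SLSA_V1,
    "predicate": {
        "buildDefinition": {
            "buildType": "https://ci.example.internal/buildtypes/make/v1",
            "resolvedDependencies": [
                {"uri": SOURCE_REPO, "digest": {"gitCommit": HEAD_SHA}},
            ],
        },
        "runDetails": {"builder": {"id": TRUSTED_BUILDER}},
    },
}

if __name__ == "__main__":
    passed, findings = check_release(SAMPLE_CHANGES, SAMPLE_PROVENANCE, HEAD_SHA)
    print("PASS" if passed else "FAIL")
    for line in findings:
        print(" -", line)
```

The second sample change fails because one "approver" is the author and the other is outside the internal domain, so only zero qualifying reviewers remain; the provenance check passes only when the trusted builder's recorded dependency matches the exact reviewed commit, which is what ties the "always build from source" rule to the artifact you actually ship.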

@zachariahcox zachariahcox moved this from 🆕 New to 📋 Backlog in Issue triage Nov 11, 2024
@lehors lehors added this to SLSA 1.1 Nov 26, 2024
@lehors lehors moved this to Todo in SLSA 1.1 Nov 26, 2024