Software supply chain security has become a lively topic. Many people and groups in the software industry are discussing what it is, the important trends, best practices, and more. But until recently, it has been difficult to discern between what is being talked about and what is actually being done.
To help resolve this information gap, the Eclipse Foundation, Chainguard, the Rust Foundation, and the Open Source Security Foundation came together to survey industry professionals on their usage of the Supply-chain Levels for Software Artifacts (SLSA) framework.
The responses from 167 participants are nuanced, interesting, and ultimately encouraging. They suggest that existing practices are perceived as useful — that the community is primarily motivated by what works rather than what is easy and that there is notable adoption, even though this is a relatively new phenomenon.
Existing Practices Perceived as Useful
Anyone working on a security framework wants to be sure it’s actually useful at the end of the day. This can be a tricky thing to measure, but it’s helpful to know how users perceive its usefulness.
One encouraging result of the study was that most practices are considered useful: Over 50% of respondents rated every practice the survey asked about as either “very” or “extremely” helpful. Additionally, the perceived usefulness of different practices appears to be driving adoption. The relationship between how useful respondents perceive certain practices and the adoption rates of those processes was statistically significant. Yet more encouraging, there was no statistically significant relationship between how difficult a given practice is perceived to be and how likely it is to be adopted. Users appear to be more motivated by effective practices than easy ones.
This is excellent news for groups developing frameworks that are difficult to adopt. It implies that the best way to drive adoption is to simply demonstrate the utility of these practices, whether that’s simple evangelism, explanation of the theoretical logic, or by taking testimonials from companies that have used them.
Notable Levels of Adoption
It’s also worth noting that while there are differences in the levels of adoption, there’s broad usage of a large variety of SLSA practices: Over 50% of practices we asked about are being used either “always” or at least “more than sometimes.”
“Use of centralized build services” seems to be the standout in adoption, as about half of the professionals who responded said they use these. This is great news because these services provide a controlled, understood, logged, and audited record of what is getting built. This is perfect for supply chain integrity, which is what SLSA is all about. There are several other practices where we’re seeing a critical mass developing already, including “ephemeral builds” and “isolated builds,” which are always being used by nearly 50% of respondents.
On the flipside, while there certainly is adoption of provenance, it is considerably lower compared to other practices: fewer than 25% of respondents said they always make provenance available.
Provenance is also considered one of the more difficult practices to adopt — it was rated the third highest in perceived difficulty to implement in this survey, after reproducible and hermetic builds. But crucially, it is quite central to SLSA. Other security frameworks deal with it, but none have made it so central and important. It’s a very interesting innovation, but the community hasn’t jumped on it yet.
Of course, it is encouraging that there seems to be a path forward for increasing the adoption of provenance. The issue, based on our findings, is likely more that it’s not well-known in the community than that it’s perceived as too difficult, since statistical analysis suggests usefulness, not difficulty, drives adoption.
Still Early Days, Opinions Still Forming
Another thing worth noting is that the SLSA framework itself is not that old and software supply chain security in general is still new. This may explain some of the survey results: Many different practices may be perceived as equally useful because strong opinions about their relative efficacy simply haven’t emerged yet.
But one of the great things about the software industry, and open source in particular, is that it forms strong communities of knowledge. As time goes on, and usage of these practices continues to proliferate, knowledge will spread about which practices are more useful, which ones are less useful, and how easy or difficult different ones are to implement.
Since SLSA just hit version 1.0, it’s already clear that these sorts of announcements about the framework becoming more mature are generating more interest. Many projects over the next couple of years will likely be asking themselves if they should implement SLSA, and they’ll look to leading projects like Kubernetes to understand how and why they did it.
To get more insights into current perceptions of software supply chain security, read the full survey results.