SLSA Adoption Would’ve Muted SolarWinds Hack

Adoption of Google Cloud’s Supply-chain Levels for Software Artifacts (SLSA) security framework would have protected organizations from the SolarWinds cyberattack by alleged Russia-backed hackers, according to CEO Thomas Kurian.

The software supply chain is a vector of threats that other cloud providers had not anticipated, Kurian said.

“We had anticipated that,” Kurian said in an exclusive CRN interview ahead of the Google Cloud Next ’21 conference that started today. “Not only did we build the technology in a secure way, but we’re now making it available to customers to use in a secure way. We have now taken that framework and, working with NIST (the U.S. Department of Commerce’s National Institute of Standards and Technology), are making it available to the entire software industry, because that framework would have protected against SolarWinds.”

Pronounced “salsa,” SLSA is a source-to-service security framework for ensuring the integrity of software artifacts by helping to protect against unauthorized changes to software packages throughout the software supply chain. It’s based on Google’s internal Binary Authorization for Borg (BAB), a deploy-time enforcement check designed to minimize insider risk by ensuring that production software and configuration deployed at Google is properly reviewed and authorized, especially if that code has the ability to access user data. Google has been using BAB since 2013 and requires it for all of its production workloads.
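To make the deploy-time enforcement idea concrete, here is an added illustration of the kind of check a SLSA-style admission gate performs: it is not Google's BAB code or a SLSA reference implementation. It assumes a trusted builder emits a signed provenance statement (builder identity, source repository, artifact digest) alongside each artifact, and a deploy gate refuses anything whose provenance is missing, forged, from an unapproved builder or source, or whose digest no longer matches the bytes about to ship. The HMAC signature, the builder and repository names, and the sample artifacts are all constructed for this example; real SLSA provenance uses asymmetric signatures.

```python
"""Added example: a simplified SLSA-style deploy-time provenance gate (not Google's BAB)."""
import hashlib
import hmac
import json
from typing import Tuple

# Constructed trust roots: build systems we accept, each with a shared HMAC key.
# Real SLSA provenance is signed with asymmetric keys; HMAC is an assumption made
# here only so the example runs offline with the standard library.
TRUSTED_BUILDERS = {
    "ci-builder-a": b"constructed-key-for-builder-a",
}

# Constructed deployment policy: only artifacts built from this repository may deploy.
POLICY_SOURCE_REPO = "https://example.invalid/org/monitoring-agent"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(provenance: dict) -> bytes:
    """Stable serialization so signer and verifier authenticate identical bytes."""
    return json.dumps(provenance, sort_keys=True, separators=(",", ":")).encode()


def sign_provenance(builder_id: str, key: bytes, artifact: bytes, source_repo: str) -> dict:
    """What a builder emits next to an artifact: a provenance statement plus its signature."""
    provenance = {
        "builder_id": builder_id,
        "source_repo": source_repo,
        "subject_sha256": sha256_hex(artifact),
    }
    signature = hmac.new(key, canonical(provenance), hashlib.sha256).hexdigest()
    return {"provenance": provenance, "signature": signature}


def verify_deploy(artifact: bytes, envelope: dict,
                  policy_repo: str = POLICY_SOURCE_REPO) -> Tuple[bool, str]:
    """Deploy-time gate: admit only if provenance is from a trusted builder, authentic,
    allowed by policy, and describes exactly the bytes being deployed."""
    prov = envelope.get("provenance", {})
    key = TRUSTED_BUILDERS.get(prov.get("builder_id"))
    if key is None:
        return False, "untrusted builder"
    expected_sig = hmac.new(key, canonical(prov), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, envelope.get("signature", "")):
        return False, "bad signature"
    if prov.get("source_repo") != policy_repo:
        return False, "source repository not allowed by policy"
    if prov.get("subject_sha256") != sha256_hex(artifact):
        return False, "artifact digest does not match provenance"
    return True, "admitted"


# Constructed sample artifacts: the bytes a build produced, and a copy altered afterwards.
GOOD_ARTIFACT = b"monitoring-agent v1.0 (constructed build output)"
TAMPERED_ARTIFACT = GOOD_ARTIFACT + b"\n# bytes changed after the build"

GOOD_ENVELOPE = sign_provenance("ci-builder-a", TRUSTED_BUILDERS["ci-builder-a"],
                                GOOD_ARTIFACT, POLICY_SOURCE_REPO)
# Provenance from a machine that is not in the trust list.
ROGUE_ENVELOPE = sign_provenance("laptop-builder", b"some-other-key",
                                 GOOD_ARTIFACT, POLICY_SOURCE_REPO)
# Genuine builder, but built from a repository the policy does not allow.
FORK_ENVELOPE = sign_provenance("ci-builder-a", TRUSTED_BUILDERS["ci-builder-a"],
                                GOOD_ARTIFACT, "https://example.invalid/org/fork")

if __name__ == "__main__":
    cases = [("genuine", GOOD_ARTIFACT, GOOD_ENVELOPE),
             ("tampered after build", TAMPERED_ARTIFACT, GOOD_ENVELOPE),
             ("untrusted builder", GOOD_ARTIFACT, ROGUE_ENVELOPE),
             ("disallowed source", GOOD_ARTIFACT, FORK_ENVELOPE)]
    for label, art, env in cases:
        print(f"{label}: {verify_deploy(art, env)}")
```

The order of checks matters: builder identity and signature are verified before any field of the provenance is trusted, so a statement edited after signing (for example, one with the digest rewritten to match altered bytes) is rejected as forged rather than consulted.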

The SolarWinds hack, which ensnared Microsoft and breached U.S. federal government agencies and private sector companies, was first detected last December. Suspected Russian intelligence attackers injected malicious code into Austin, Texas-based SolarWinds’ Orion network monitoring platform, which was downloaded into as many as 18,000 of its customers’ computer networks. Last month, Microsoft said the hackers behind SolarWinds also had developed a backdoor that exfiltrates sensitive information from compromised Microsoft Active Directory Federation Services servers.

Kurian pointed to both the increasing number of cybersecurity threats and the variations of those threats.

“A year ago, if somebody…