A recent survey on supply chain security practices found that some practices are widely adopted but key practices are lagging behind. The survey was based on the Supply-chain Levels for Software Artifacts (SLSA) framework. Key practices, such as generating provenance, were noted as lagging behind in adoption. The survey also found that the perceived usefulness of a practice is highly correlated with the adoption of that practice.
SLSA is an open-source security framework providing standards and controls related to supply chain security. It suggests a number of practices for preventing and mitigating security attacks related to the software supply chain. These practices are arranged in four levels ranging from fully scripted builds to hermetic, reproducible builds. The survey asked respondents about the adoption, difficulty, and perceived usefulness of these practices.
The results showed that some practices are more widely adopted. For example, over 50% of respondents report that they always use a centralized build service. Ephemeral builds and isolated builds round out the top three most used practices.
However, providing provenance, considered a key SLSA-related practice required for level 1 of SLSA, lagged behind in adoption. Provenance is metadata about how the artifact was built, including information on ownership, sources, dependencies, and the build process used.
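To make the definition concrete, the following is an added example (not code from the survey, the SLSA project, or the article) that builds a minimal provenance statement in the SLSA v1.0 layout for a constructed artifact and checks it against a consumer-side policy. The builder id, source URI and the `source` parameter name under `externalParameters` are assumptions; real statements are wrapped in a signed DSSE envelope, whose signature check is omitted here.

```python
import hashlib

# Constructed artifact and provenance (not from any real build). The statement
# follows the in-toto Statement v1 shape with the SLSA v1.0 provenance predicate.
ARTIFACT = b"hello world binary contents\n"
ARTIFACT_SHA256 = hashlib.sha256(ARTIFACT).hexdigest()

PROVENANCE = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "app-1.2.3.tar.gz", "digest": {"sha256": ARTIFACT_SHA256}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "buildType": "https://example.invalid/build-types/ci-script/v1",  # placeholder
            # "source" is an assumed, build-type-specific parameter name
            "externalParameters": {"source": "git+https://example.invalid/org/app@refs/tags/v1.2.3"},
            "resolvedDependencies": [
                {"uri": "pkg:pypi/requests@2.31.0", "digest": {"sha256": "00" * 32}}  # constructed
            ],
        },
        "runDetails": {"builder": {"id": "https://example.invalid/builders/ci/v1"}},  # assumed id
    },
}

# Consumer-side policy: which builders we trust and where the source must come from.
TRUSTED_BUILDERS = {"https://example.invalid/builders/ci/v1"}
EXPECTED_SOURCE_PREFIX = "git+https://example.invalid/org/app@"


def verify_provenance(artifact: bytes, statement: dict) -> list[str]:
    """Return a list of policy failures; an empty list means the artifact passes."""
    failures = []
    digest = hashlib.sha256(artifact).hexdigest()
    if statement.get("predicateType") != "https://slsa.dev/provenance/v1":
        failures.append("not a SLSA v1 provenance predicate")
    # The artifact we hold must be one of the subjects the provenance describes.
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == digest for s in subjects):
        failures.append("artifact digest does not match any provenance subject")
    pred = statement.get("predicate", {})
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in TRUSTED_BUILDERS:
        failures.append(f"untrusted builder: {builder}")
    source = pred.get("buildDefinition", {}).get("externalParameters", {}).get("source", "")
    if not source.startswith(EXPECTED_SOURCE_PREFIX):
        failures.append(f"unexpected source: {source}")
    return failures
```

The checks above are what turn provenance from after-the-fact paperwork into a gate: a tampered artifact, an unexpected builder, or an unexpected source repository each produces a failure before deployment.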
The report found that the extent to which a participant viewed a practice as helpful did positively correlate with the likelihood of adoption. The report's authors recommend focusing on explaining why practices are beneficial to potentially drive more adoption. A recent publication by Amélie Koran, Wendy Nather, Stewart Scott, and Sara Ann Brackett confirmed this finding as it relates to SBOMs. They note that the absence of clearly defined use cases for SBOMs risks poor adoption due to the practice's value being undersold.
Some respondents questioned the usefulness of generating provenance, indicating a need for further explanation of the benefits of the practice:
This seems like a way to produce a ton of paperwork and make it easy to go back after the fact and say "oh, here's the attack"... while doing little to prevent compromises from happening in the first place.
Other respondents had similar things to say on the usefulness of generating Software Bill of Materials (SBOMs):
This is the kind of paperwork that is tedious and disliked by everyone: devs (because they have to write up and possibly defend their many random dependencies), management (because this introduces delays and unhappy devs), even legal (because it risks turning accidental infringement into wilful). Still, being mindful of dependencies seems like the only good way to reduce the risk of supply-chain attack.
Some SLSA practices, such as hermetic builds, were reported to be more difficult to adopt than others. The report found that there was no correlation between the perceived difficulty of the practice and whether or not an organization adopts the practice.
The survey results, as they relate to adoption, align closely with the recent Google 2022 Accelerate State of DevOps Report. That report also focused on supply chain security and used both the SLSA framework and NIST's Secure Software Development Framework (SSDF). It similarly found that a majority of respondents reported at least partial adoption of every practice.
More details from the recent SLSA++ survey can be found on the OpenSSF blog. The draft version 1.0 of SLSA is also now open for review and comments from the community.