Positioning SIG: Assess additional frameworks in relation to SLSA - Githubissues

slsa-framework / slsa

Supply-chain Levels for Software Artifacts

https://slsa.dev

Other

1.52k stars 220 forks source link

Positioning SIG: Assess additional frameworks in relation to SLSA #452

Open melba-lopez opened 2 years ago

melba-lopez commented 2 years ago

Objective: Assess additional frameworks raised in the 7/26 SLSA Positioning SIG meeting.

Outcomes:

Identify common criteria for assessing various frameworks
Assessing the following frameworks/standards in relation to SLSA in addition to NIST SSDF v1.1 | | NIST 800-53r5 | EO14028 | NIST SP800-161r1
- [ ] SLSA vs SCITT (formerly SCIM)
- [ ] SLSA vs SPDX efforts (brought up by Brandon in last SLSA bi-weekly meeting)
- [ ] SLSA vs CIS Supply Chain Security Benchmark
- [ ] SLSA vs. CD foundation architecture
- [ ] SLSA vs. CNCF Supply Chain Security Best Practices/Secure Software Factory Ref Arch
- [ ] SLSA vs SCVS

melba-lopez commented 2 years ago

(Brandon) Define the objectives of evaluating

Should SLSA increase/decrease scope? How does SLSA work with other frameworks? (informing/assisting organizations on what frameworks to choose) Is there overlap in SLSA with other frameworks? Is there deficiencies/out of scope SLSA items with relation to other frameworks? Map to the specs (SLSA spec - source l1 = SSDF control PW1.X) Capture use cases/personas to address target audience and how they would use SLSA vs other frameworks.