content: draft: Flesh out "Usage" threat
There are two ways to look at the usage threat:
1. Can the attacker modify the software being delivered to a consumer?
2. Can the consumer use the software insecurely, allowing an attacker to take advantage of that insecurity to exploit them?
IMO 1 has the same solutions as 'G' (PR https://github.com/slsa-framework/slsa/pull/1190). I could repeat them here under usage, but instead I've updated 'G' to include modification in transit, and I've had 'Usage' address 2 above (albeit by just deferring to CISA's work in this area).
fixes https://github.com/slsa-framework/slsa/issues/1182
NOTE: this PR is based on top of #1190 since the solution presented in 1190 obviates the need for addressing that here.
Deploy Preview for slsa ready!
| Name | Link |
|---|---|
| Latest commit | 0c7e4a34239874ef01d1c20a28a274e6d2eb58d7 |
| Latest deploy log | https://app.netlify.com/sites/slsa/deploys/67110d860ceb360009097e04 |
| Deploy Preview | https://deploy-preview-1191--slsa.netlify.app |
Hey @MarkLodato, if you have time can you take a quick look at 'I' in this PR and double-check my logic? I'd like to make sure I'm not missing anything (or if there's a good reason to include much of 'G' here too).
Thanks!
Oh, note that this is based on #1190 so that one needs to be merged first.
I think we're good to here. Issues have been filed where we might want to make some other things more clear.