Differentiation between security framework, compliance requirements, maturity model
Submitted on behalf of the SCI Positioning SIG
There may be a need to discuss in what instances SLSA is a Security Framework, is a set of Compliance Requirements, or is a Maturity Model of the aforementioned security controls or compliance requirements. There have been many questions during presentations, etc., that may be answered through specifying SLSA's use, when, and for what purpose. This will also help with using the "AND" idea behind SLSA and its complement with what an organization is currently using.
In some sense I guess it's a "maturity model" in the sense that "higher numbers are better" (though it doesn't claim to be inspired by Deming's model). However, that's in part because there's only 1 track currently. Once there are multiple tracks, it would still be better to have higher numbers, but now it's multidimensional.
Based on the conversations we had, I think it's worthwhile to highlight some distinctions in the vocabulary between the different areas.
For example, attestation means different things depending on context, even in the space of IT:
Compliance - A statement usually about an organization's compliance to the requirements of a framework, standard, regulation, etc.
Hardware - A mechanism to provide proof that some action was performed on a particular piece of hardware or that some data came from a particular piece of hardware.
Software - A statement with a set of claims cryptographically tied to an identity. In many cases this set of claims should be verifiable in some way.
The thing that complicates this for SLSA is that, given that it's a framework, it could lead folks to confuse SLSA attestations (which are software attestations) with compliance attestations. The conformance program doesn't help here and can add to the confusion.
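To make the "software attestation" sense concrete, here is an added example (not from the SLSA project or the comment above) of what a SLSA provenance attestation is: an in-toto Statement carried in a DSSE envelope, signed so the claims are tied to a key identity and verifiable. The statement's subject digest, build type, builder id and the key id are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"fmt"
)

// Envelope is the DSSE envelope that carries an in-toto Statement; each Signature ties the payload to a key identity.
type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}

// Statement is a constructed in-toto Statement with a SLSA provenance predicate; digest, build type and builder id are placeholders.
const Statement = `{"_type":"https://in-toto.io/Statement/v1","subject":[{"name":"app.tar.gz","digest":{"sha256":"<placeholder-digest>"}}],"predicateType":"https://slsa.dev/provenance/v1","predicate":{"buildDefinition":{"buildType":"https://example.com/build/v1"},"runDetails":{"builder":{"id":"https://example.com/builder"}}}}`

// pae is DSSE's Pre-Authentication Encoding; signing it rather than the raw payload also commits the signer to the payload type.
func pae(typ string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(typ), typ, len(payload), payload))
}

// Sign wraps statement in an envelope signed by priv and labelled with keyID (the signer's identity).
func Sign(statement []byte, keyID string, priv ed25519.PrivateKey) Envelope {
	const typ = "application/vnd.in-toto+json"
	sig := ed25519.Sign(priv, pae(typ, statement))
	return Envelope{typ, base64.StdEncoding.EncodeToString(statement),
		[]Signature{{keyID, base64.StdEncoding.EncodeToString(sig)}}}
}

// Verify returns the statement only if a signature under keyID checks out against pub; anything else is rejected.
func Verify(env Envelope, keyID string, pub ed25519.PublicKey) ([]byte, error) {
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, err
	}
	for _, s := range env.Signatures {
		sig, derr := base64.StdEncoding.DecodeString(s.Sig)
		if s.KeyID != keyID || derr != nil || !ed25519.Verify(pub, pae(env.PayloadType, payload), sig) {
			continue // wrong key id, undecodable, or tampered payload/type: keep looking
		}
		return payload, nil
	}
	return nil, fmt.Errorf("no valid signature for key %q", keyID)
}
```

A consumer that trusts only the builder's public key can thus check who made the claims before reading what they claim, which is what distinguishes this from a compliance attestation.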
Discussed during the community meeting on 6/26/2023, and unfortunately most of the SLSA contributors don't have the context to make this sort of clarification.
We think a good way forward would be to enhance the "SLSA for
A page for security and compliance, and perhaps privacy engineers, or a separate page for each, would work here. A "SLSA for" page would be great to have. This, along with a true terms and definitions page that aligns with the OpenSSF to account for how we are using specific terms, e.g. "attestation", would be great as well.