At Qbee, security is at the heart of everything we do. As organizations use more connected devices and automated systems, we need to make sure the software supply chain is safe. That’s why we’re proud to announce that the qbee-agent release process is now SLSA Level 3 compliant.
What Is SLSA?
SLSA, or Supply-chain Levels for Software Artifacts, is a security framework originally developed by Google. It has since evolved into an open standard governed by the OpenSSF. It provides a structured, step-by-step path to securing the software supply chain.
The framework defines four levels, starting from Level 0. Each level adds stronger protections against tampering, forgery, and supply chain threats.
- Level 0 provides no guarantees.
- Level 1 ensures the build process is scripted and consistent.
- Level 2 adds authenticated source control and hosted build services.
- Level 3 represents the highest level, requiring that builds are isolated, tamper-resistant, and come with strong, non-falsifiable provenance.
By reaching Level 3, Qbee demonstrates its commitment to delivering software with the strongest supply chain security guarantees currently available under the SLSA standard.
Trustworthy Device Management at Scale
Qbee enables organizations to manage fleets of connected devices, often spread across critical industries such as energy, manufacturing, and infrastructure. In these contexts, trust in the underlying software is essential. Customers must be confident that what runs on their devices is genuine, tested, and secure.
By achieving SLSA Level 3, Qbee ensures that every build of the qbee-agent is created, packaged, and signed in a controlled, tamper-resistant environment. Customers can verify that the binaries originate from reviewed and tested source code, free from unauthorized modifications, which strengthens confidence in the integrity of their infrastructure.
Provenance and Traceability for Every Update
At the heart of SLSA is the concept of software provenance: the ability to trace a binary back to its precise source code and build process. For Qbee users, this provides an additional layer of assurance. Every build of the qbee-agent now comes with a signed attestation, created as part of our controlled build pipeline. This attestation serves as cryptographic proof of how and when the agent was built, ensuring customers can trust its origin and integrity. Full details on the attestation process are available in our documentation.
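What evaluating such an attestation involves, as an added example that is not Qbee's code or tooling: it assumes the attestation is a DSSE envelope carrying an in-toto statement with a SLSA v1 provenance predicate (the page does not state the format) and that the envelope signature has already been verified against a trusted identity. The builder id, repository URI, file name and artifact bytes are constructed placeholders.

```python
import base64, hashlib, json

SLSA_V1 = "https://slsa.dev/provenance/v1"
INTOTO_PAYLOAD = "application/vnd.in-toto+json"
BUILDER = "https://example.com/trusted-builder"   # placeholder builder id
REPO = "git+https://example.com/acme/agent"       # placeholder source repo

def check_provenance(envelope, artifact, expected_builder, expected_repo):
    """Return a list of policy failures; an empty list means the artifact matches.

    Assumption: the DSSE signature was verified before this call. This
    function only evaluates the claims inside the signed payload.
    """
    if envelope.get("payloadType") != INTOTO_PAYLOAD:
        return ["unexpected payloadType"]
    stmt = json.loads(base64.b64decode(envelope["payload"]))
    failures = []
    if stmt.get("predicateType") != SLSA_V1:
        failures.append("not SLSA v1 provenance")
    # The binary on disk must be one of the subjects the builder attested to.
    digest = hashlib.sha256(artifact).hexdigest()
    subjects = {s.get("digest", {}).get("sha256") for s in stmt.get("subject", [])}
    if digest not in subjects:
        failures.append("artifact digest not listed as a subject")
    pred = stmt.get("predicate", {})
    # Who built it: must be the build platform we trust, not just any signer.
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder != expected_builder:
        failures.append("unexpected builder: %r" % builder)
    # From what: the expected source repository must be a resolved input.
    deps = pred.get("buildDefinition", {}).get("resolvedDependencies", [])
    if not any(d.get("uri", "").split("@")[0] == expected_repo for d in deps):
        failures.append("source repository not in resolvedDependencies")
    return failures

def make_envelope(artifact, builder, repo):
    """Build a constructed, unsigned sample envelope for the demo below."""
    stmt = {"_type": "https://in-toto.io/Statement/v1",
            "subject": [{"name": "agent.bin",
                         "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
            "predicateType": SLSA_V1,
            "predicate": {
                "buildDefinition": {"buildType": "https://example.com/build/v1",
                                    "resolvedDependencies": [{"uri": repo + "@refs/tags/v1.0.0"}]},
                "runDetails": {"builder": {"id": builder}}}}
    payload = base64.b64encode(json.dumps(stmt).encode()).decode()
    return {"payloadType": INTOTO_PAYLOAD, "payload": payload, "signatures": []}

if __name__ == "__main__":
    binary = b"constructed agent build"
    env = make_envelope(binary, BUILDER, REPO)
    print(check_provenance(env, binary, BUILDER, REPO))            # genuine binary
    print(check_provenance(env, binary + b"\x00", BUILDER, REPO))  # modified binary
```

A valid signature alone shows only that someone signed the statement; the digest, builder and source checks are what tie a specific binary to a specific build and repository.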
Security Built for IoT and Edge Environments
Cloud systems already benefit from multiple layers of security, but IoT and edge devices face unique challenges. They are deployed in the field, often in remote or unsecured locations, and cannot rely on constant monitoring or physical protection. In such environments, the security of updates is critical. A compromised update pushed to a device in an energy grid, a manufacturing line, or a smart city infrastructure could have devastating consequences.
With SLSA Level 3 compliance, Qbee ensures that the qbee-agent running on customer devices is built in a controlled environment and protected against unauthorized modifications. This provides strong assurance that the agent software in use across a distributed device fleet is exactly what our engineers released, giving customers confidence in the integrity of their infrastructure.
Qbee’s Commitment to Security
Achieving SLSA Level 3 compliance is not a one-time milestone but part of our ongoing mission. We continuously invest in improving the integrity of our processes, from secure development practices to transparent software delivery.
With this achievement, we reaffirm our role as a trusted partner, ensuring that every device managed through Qbee benefits from a secure, verifiable, and resilient software supply chain.