Justin Cappos
New York University
Friday, November 15, 2024
3:30 PM
3147 MEB (Large Conference Room)
Securing the Software Supply Chain with in-toto
ABSTRACT
Time and time again, attackers have compromised software distributed by major companies and tampered with it. Such compromises are not confined to a single point in a company’s infrastructure: tampering can occur in the version control system, the build system, the testing process, the software repository, or anywhere in between.
This talk introduces in-toto, a framework that ensures the integrity of the supply chain as a whole. Using in-toto grants the end user the ability to verify the integrity of a project from its inception to its installation on their device. The project is hosted by the Linux Foundation under the Cloud Native Computing Foundation, and is the de facto way in which software supply chain attestations are done in practice. This includes deployments across thousands of companies, among them the automatic generation of in-toto attestations by GitHub.
BIO
Justin Cappos is a professor in the Computer Science and Engineering department at New York University. He is a creator of five Linux Foundation projects: TUF, Uptane, gittuf, SBOMit, and in-toto. He leads the security assessment process for the CNCF and was elected to the Governing Board of the OpenSSF.