KubeCon + CloudNativeCon North America 2022 (in-person + virtual), October 24-28
Wednesday, October 26 • 11:00am - 11:35am
Achieving End-To-End Software Supply Chain Security With in-toto - Santiago Torres-Arias, Purdue University & Aditya Sirish A Yelgundhalli, New York University

in-toto is a CNCF Incubated project that can be used to secure software supply chains. Since joining incubation this year, in-toto has grown in various ways through community contributions. This includes features for better artifact tracking (e.g., covering Git, GitBOM, SBOMs and OCI images), as well as extensions of the base attestation type to express richer notions (e.g., SLSA provenance, measured execution, or signing SBOMs and attaching them to their corresponding artifacts). Lastly, better integration with CNCF projects for cloud-native identity has been developed through projects such as SPIFFE and Sigstore. In this talk, we will showcase these exciting contributions and introduce new members of the audience to ways to participate, collaborate, and use in-toto to protect their software supply chains. We will showcase in-toto's existing integrations, including projects such as Tekton Chains, Jenkins, GitLab Runners, and rebuilderd (from the Reproducible Builds project). Finally, the talk will also feature current work on exciting features like Sigstore, SPDX, GitBOM and more!

Santiago Torres-Arias

Assistant Professor of Electrical and Computer Engineering, Purdue University
Santiago is an Assistant Professor at Purdue's Electrical and Computer Engineering Department. His interests include binary analysis, cryptography, distributed systems, and security-oriented software engineering. His current research focuses on securing the software development lifecycle...
Aditya Sirish A Yelgundhalli

Ph.D. Candidate, New York University
Aditya is a Ph.D. candidate at New York University where he researches software supply chain security. He is a maintainer of in-toto, which is incubated at the CNCF. He is also a contributor to TUF, another CNCF project, and a maintainer of gittuf, a sandbox project at the OpenSSF...

Wednesday October 26, 2022 11:00am - 11:35am EDT