Software supply chain attacks have seen a 742% increase in the last three years. in-toto is a battle-tested and broadly deployed CNCF incubated project that counters these threats. The framework connects security efforts such as SLSA, Sigstore, and SBOMs, where signed and verifiable in-toto attestations are used to express claims about software supply chain steps and artifacts. However, trusting attestations and their policies is predicated on bootstrapping their verification keys and securely distributing them to end users.

Enter TUF! The Update Framework (TUF) is a widely adopted CNCF graduated project used to secure software repositories. TUF protects against a range of subtle attacks on software distribution, and is designed to be secure even when some components of the system are compromised. TUF can be used to unambiguously associate artifacts with their in-toto metadata, thereby bootstrapping trust for attestations. Thus, combining in-toto and TUF provides a secure way to verify end-to-end software supply chain integrity. This talk covers the fundamentals of both in-toto and TUF, discusses how to combine them with a real world case study where Datadog has been using two technologies together for years, and presents new open source tooling that simplifies deploying the two systems together.

From the same track

Session WebAssembly

Wasm: What is Universal Compute Good For?

Tuesday Jun 13 / 10:35AM EDT

WebAssembly represents the future of portable computing, providing an efficient and secure runtime for many languages. In the last year there has been an explosion of growth in Wasm on the backend, from managed platforms, tooling, and further standardization work around WASI.

Sean Isom

Senior Engineer @Adobe

Session jvm

Virtual Threads for Lightweight Concurrency and Other JVM Enhancements

Tuesday Jun 13 / 02:55PM EDT

Concurrent applications, those serving multiple independent application actions simultaneously, are the bread and butter of server-side programming. The thread has long been software’s primary unit of concurrency, and has also served as a core construct for observability and debugging, but i

Ron Pressler

Technical Lead OpenJDK's Project Loom @Oracle

Session WebAssembly

Build Features Faster With WebAssembly Components

Tuesday Jun 13 / 01:40PM EDT

Wasm modules revolutionized portable application code. For the first time, they allowed us to write in a high-level language - like Go or Rust - and then target WebAssembly as the platform-agnostic bytecode.

Bailey Hayes

Director @Cosmonic

Session Security

Sigstore: Secure and Scalable Infrastructure for Signing and Verifying Software

Tuesday Jun 13 / 11:50AM EDT

Sigstore is an open-source project that aims to provide a transparent and secure way to sign and verify software artifacts.

Billy Lynch

Staff Software Engineer @Chainguard

Zack Newman

Research Scientist @Chainguard

Session Software Supply Chain Security

Achieving SLSA Certification with a “Bring-Your-Own-Builder” Framework

Tuesday Jun 13 / 04:10PM EDT

Supply-chain Levels for Software Artifacts, or SLSA (pronounced “salsa”), is a security framework to reason about and improve the integrity of released artifacts. With the recent release of SLSA version 1.0, SLSA is seeing increased adoption, both from industry and open source projects.

Asra Ali

Software Engineer @Google

Securing the Software Supply Chain: How in-toto and TUF Work Together to Combat Supply Chain Attacks

Abstract

Speaker

Marina Moore

Speaker

Marina Moore

Date

Location

Track

Topics

Share

From the same track

Wasm: What is Universal Compute Good For?

Virtual Threads for Lightweight Concurrency and Other JVM Enhancements

Build Features Faster With WebAssembly Components

Sigstore: Secure and Scalable Infrastructure for Signing and Verifying Software

Achieving SLSA Certification with a “Bring-Your-Own-Builder” Framework

Follow QCon

Contact

Menu

Conferences around the World