
Achieving End-To-End Software Supply Chain Security With in-toto - Santiago Torres

2022-10-26

Authors:   Santiago Torres-Arias, Aditya Sirish A Yelgundhalli


Summary

The speaker discusses the complexity and fragility of software supply chains and argues for higher degrees of assurance and resilience across the whole pipeline.
  • Every stage of the supply chain can be compromised; examples include version control systems, build farms, packaging, and testing infrastructure.
  • A compromise anywhere in the chain has a significant impact on users, reputation, budget, and intellectual property.
  • Integrity checks, reproducible builds, verifiable compilers, and secure package delivery can each provide higher degrees of assurance and resilience.
  • Centralized metadata storage and integration with CI systems are possible ways to deploy such checks.
  • The speaker emphasizes the need to address the problem and improve the software supply chain.
The speaker cites examples of supply chain compromises, such as XcodeGhost, where a backdoored copy of the Xcode SDK compromised every iOS app built with it, and the hacking of a South Korean server hosting phpMyAdmin, which had geopolitical implications. These incidents highlight the need for higher degrees of assurance and resilience in the pipeline.

Abstract

in-toto is a CNCF Incubated project that can be used to secure software supply chains. Since joining incubation this year, in-toto has grown in various ways through community contributions. This includes features to perform better artifact tracking (e.g., to include Git, GitBOM, SBOMs and OCI images), as well as extending the base attestation type to include more expressive notions (e.g., SLSA provenance, measured execution, or to sign and attach SBOMs to their corresponding artifacts). Lastly, better integration with CNCF projects for cloud-native identity has been developed through projects such as SPIFFE and Sigstore. In this talk, we will showcase these exciting contributions, and help introduce new members of the audience to ways to participate, collaborate, and use in-toto to protect their software supply chains. We will showcase in-toto's existing integrations. This will include projects such as Tekton Chains, Jenkins, GitLab Runners, and rebuilderd (from the Reproducible Builds project). Finally, the talk will also feature current work on exciting features like Sigstore, SPDX, GitBOM and more!
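As an added example (not code from the talk, from in-toto, or from in-toto-golang), the Go program below shows the mechanism that the summary's "integrity checks" and the abstract's "base attestation type" rest on: an in-toto Statement binds a predicate (here a constructed, minimal SLSA-provenance-shaped claim) to an artifact by digest; the Statement is wrapped in a DSSE envelope whose signature covers the pre-authentication encoding of payload type and payload, not the raw JSON; and a verifier accepts the envelope only if a key it already trusts signed it and the artifact actually in hand matches a subject digest. Everything labelled constructed in the code is an assumption of this example: the key id, the artifact bytes, the builder URL and the predicate body. The trusted-key map stands in for whatever distributes keys out of band (an in-toto layout, or the Sigstore and SPIFFE integrations the abstract mentions).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strconv"
)

const (
	statementType  = "https://in-toto.io/Statement/v0.1"
	payloadType    = "application/vnd.in-toto+json"
	slsaProvenance = "https://slsa.dev/provenance/v0.2"
)

// Statement is an in-toto attestation: a predicate (claim) about subjects, each bound by digest.
type Statement struct {
	Type          string          `json:"_type"`
	Subject       []Subject       `json:"subject"`
	PredicateType string          `json:"predicateType"`
	Predicate     json.RawMessage `json:"predicate"`
}
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"` // algorithm -> hex digest
}

// Envelope is a DSSE envelope; each signature covers PAE(payloadType, payload), never the raw payload.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"` // base64 of the Statement JSON
	Signatures  []Signature `json:"signatures"`
}
type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"` // base64
}

// PAE is DSSE's pre-authentication encoding: "DSSEv1" SP LEN(type) SP type SP LEN(body) SP body.
func PAE(ptype string, body []byte) []byte {
	head := "DSSEv1 " + strconv.Itoa(len(ptype)) + " " + ptype + " " + strconv.Itoa(len(body)) + " "
	return append([]byte(head), body...)
}

func sha256hex(b []byte) string { return fmt.Sprintf("%x", sha256.Sum256(b)) }

// Attest digests the artifact, builds a Statement about it and signs the DSSE envelope with priv.
func Attest(name string, artifact []byte, predType string, pred json.RawMessage, priv ed25519.PrivateKey, keyID string) (*Envelope, error) {
	body, err := json.Marshal(Statement{
		Type:          statementType,
		Subject:       []Subject{{Name: name, Digest: map[string]string{"sha256": sha256hex(artifact)}}},
		PredicateType: predType,
		Predicate:     pred,
	})
	if err != nil {
		return nil, err
	}
	sig := ed25519.Sign(priv, PAE(payloadType, body))
	return &Envelope{PayloadType: payloadType, Payload: base64.StdEncoding.EncodeToString(body),
		Signatures: []Signature{{KeyID: keyID, Sig: base64.StdEncoding.EncodeToString(sig)}}}, nil
}

// Verify accepts the envelope only if a trusted key signed it, the statement and predicate types are the
// expected ones, and the artifact in hand matches a subject digest: a valid signature over a statement
// about some other artifact proves nothing about this one.
func Verify(env *Envelope, trusted map[string]ed25519.PublicKey, artifact []byte, wantPredType string) (*Statement, error) {
	body, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, err
	}
	// Recompute PAE with the expected type rather than env.PayloadType: a relabelled envelope then fails.
	msg, signed := PAE(payloadType, body), false
	for _, s := range env.Signatures {
		pub, known := trusted[s.KeyID] // unknown keyids are skipped, never trusted on first use
		raw, err := base64.StdEncoding.DecodeString(s.Sig)
		if known && err == nil && ed25519.Verify(pub, msg, raw) {
			signed = true
		}
	}
	if !signed {
		return nil, fmt.Errorf("no valid signature from a trusted key")
	}
	var st Statement
	if err := json.Unmarshal(body, &st); err != nil || st.Type != statementType || st.PredicateType != wantPredType {
		return nil, fmt.Errorf("bad statement (%v): type %q, predicateType %q", err, st.Type, st.PredicateType)
	}
	for _, sub := range st.Subject {
		if sub.Digest["sha256"] == sha256hex(artifact) {
			return &st, nil
		}
	}
	return nil, fmt.Errorf("artifact is not a subject of the statement")
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	artifact := []byte("constructed bytes standing in for a release tarball")
	pred := json.RawMessage(`{"builder":{"id":"https://example.invalid/ci"}}`) // constructed, SLSA-shaped predicate
	env, _ := Attest("app-1.0.tar.gz", artifact, slsaProvenance, pred, priv, "ci-key-1")
	trusted := map[string]ed25519.PublicKey{"ci-key-1": pub} // obtained out of band, e.g. from an in-toto layout
	_, err := Verify(env, trusted, artifact, slsaProvenance)
	fmt.Println("genuine artifact verifies:", err == nil)
	_, err = Verify(env, trusted, []byte("tampered"), slsaProvenance)
	fmt.Println("tampered artifact verifies:", err == nil)
}
```

Run it with `go run`. Two checks matter beyond the signature itself: the verifier recomputes the PAE with the payload type it expects, so an envelope relabelled to another type fails, and it digests the artifact it actually holds rather than trusting the subject name. A real deployment would go on to evaluate the predicate contents against policy (which builder, which source), which this example deliberately leaves out.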
