May 10-12, 2023
Vancouver, British Columbia, Canada + Virtual

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for Open Source Summit North America 2023 to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.


Friday, May 12 • 3:10pm - 3:50pm
Toto-Ally TUF: Simple Tools for a Secure Software Supply Chain - Marina Moore, NYU & Aditya Sirish A Yelgundhalli, New York University

Software supply chain attacks have seen a 742% increase in the last three years. in-toto is a battle-tested and broadly deployed CNCF incubated project that counters these threats. The framework connects security efforts such as SLSA, Sigstore, and SBOMs: signed and verifiable in-toto attestations express claims about software supply chain steps and artifacts. However, trusting attestations and the policies that govern them is predicated on bootstrapping their verification keys and securely distributing those keys to end users.

Enter TUF! The Update Framework (TUF) is a widely adopted CNCF graduated project used to secure software repositories. TUF protects against a range of subtle attacks on software distribution, and is designed to remain secure even when some components of the system are compromised. TUF can be used to unambiguously associate artifacts with their in-toto metadata, thereby bootstrapping trust for attestations. Combining in-toto and TUF thus provides a secure way to verify end-to-end software supply chain integrity.

This talk covers the fundamentals of both in-toto and TUF, discusses how to combine them with a real-world case study where the two have been used together for years, and presents new open source tooling that simplifies deploying the two systems together.

Speakers

Marina Moore

Ph.D. Candidate, New York University


Aditya Sirish A Yelgundhalli

Ph.D. Candidate, New York University
Aditya is a Ph.D. candidate at New York University where he researches software supply chain security. He is a maintainer of in-toto, which is incubated at the CNCF. He is also a contributor to TUF, another CNCF project, and a maintainer of gittuf, a sandbox project at the OpenSSF...



Friday May 12, 2023 3:10pm - 3:50pm PDT
121 (Level 1)