Attesting and Verifying Your Software Supply-Chain With In-toto - Alan Chung Ma & Justin Cappos

Alan Chung Ma, Justin Cappos

KubeCon + CloudNativeCon Europe 2025 · Session

In an era of escalating software supply chain attacks, securing the integrity and provenance of software artifacts has become paramount. This talk by Justin Cappos, a professor at NYU and creator of **In-toto**, and Alan Chung Ma, an In-toto maintainer, delves into how In-toto provides a robust framework for attesting and verifying the software supply chain. They highlight In-toto's role in establishing transparency and cryptographic guarantees throughout the software development lifecycle, from source control to distribution.

AI review

This talk provides a thorough, technically deep dive into In-toto, a critical framework for securing the software supply chain. Presented by its creator and a key maintainer, it cuts through the hype to deliver substantive information on how to achieve verifiable provenance and enforce security policies. While In-toto itself isn't a brand-new concept, the session effectively details its evolution, practical tooling, and crucial role in addressing current supply chain attacks and regulatory mandates. It's a no-nonsense exposition of a defensive innovation that actually works.
