The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for KubeCon + CloudNativeCon North America 2023 to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.
in-toto is a widely deployed CNCF project for software supply chain security that allows you to generate and verify information such as SBOMs, vulnerability scans, and more through the use of "attestations". This talk presents a brief introduction to in-toto and community updates on new attestation formats for supply chain contexts such as code reviews and test results. We will discuss the v1.0 release of the specification and the new governance, and introduce new mechanisms for specifying policies on attestations. In addition, we will showcase how companies like GitHub, Docker, and NPM use in-toto, highlighting the security and compliance requirements that in-toto enables vendors like them to meet. Finally, the talk will show a demo of Supply Chain Attribute Integrity (SCAI), an attestation format for capturing attributes and evidence in a number of key use cases, including secure boot attestations for build system integrity and other evidence artifacts needed for supply chain compliance.
Marcela Melara is a research scientist in the Security and Privacy Group at Intel Labs. Her current work focuses on solutions for high-integrity software supply chains and trustworthy distributed systems. She leads a number of internal, open-source and academic efforts on supply chain...
Santiago is an Assistant Professor at Purdue ECE. His interests include binary analysis, cryptography, and distributed systems security. His current research focuses on securing the software development lifecycle, cloud security, and update systems. Santiago is a member of the Arch Linux...