KubeCon + CloudNativeCon North America 2023
In-person + Virtual, November 6-9
Schedule times are shown in Central Standard Time (UTC -6).

Tuesday, November 7 • 12:10pm - 12:45pm
All Things in-Toto: Supply Chain Attestations, Policies and Adoption Stories, Oh My! - Santiago Torres-Arias, Purdue University & Marcela Melara, Intel Corporation

in-toto is a widely deployed CNCF project for software supply chain security that lets you generate and verify information such as SBOMs, vulnerability scan results, and more through the use of "attestations". This talk presents a brief introduction to in-toto and community updates on new attestation formats for supply chain contexts such as code reviews and test results. We will discuss the v1.0 release of the specification and the new governance, and introduce new mechanisms for specifying policies on attestations. In addition, we will showcase how companies like GitHub, Docker, and NPM use in-toto, highlighting the security and compliance requirements that in-toto enables vendors like them to meet. Finally, the talk will demo Supply Chain Attribute Integrity (SCAI), an attestation format for capturing attributes and evidence in a number of key use cases, including secure boot attestations for build system integrity and other evidence artifacts needed for supply chain compliance.
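The abstract names three building blocks without showing them: an attestation (an in-toto Statement with a predicate such as SCAI), the signed envelope it travels in, and a policy evaluated over verified attestations. The Go program below is an example added here; it is not code from the in-toto project, from any SCAI tooling, or from the talk. It builds a Statement v1 carrying a SCAI attribute report, wraps it in a DSSE envelope signed with Ed25519, verifies the envelope against a set of trusted keys before parsing anything, and then applies a minimal policy. Field names and type URIs follow the in-toto Statement v1, DSSE and SCAI attribute-report specifications as I read them (the SCAI version string in particular is an assumption to confirm against the published spec); the artifact bytes, the attribute name BUILDER_SECURE_BOOT_VERIFIED, the evidence URI and the key ID are constructed for illustration and mean nothing outside this snippet.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Type URIs as I read the in-toto Statement v1 and SCAI attribute-report specs;
// confirm the SCAI URI against the published spec before relying on it.
const (
	payloadType   = "application/vnd.in-toto+json"
	statementType = "https://in-toto.io/Statement/v1"
	scaiPredicate = "https://in-toto.io/attestation/scai/attribute-report/v0.2"
)

// ResourceDescriptor names an artifact or a piece of evidence by name, URI
// and/or digest; AttributeAssertion is one SCAI claim about the subject.
type ResourceDescriptor struct {
	Name   string            `json:"name,omitempty"`
	URI    string            `json:"uri,omitempty"`
	Digest map[string]string `json:"digest,omitempty"`
}
type AttributeAssertion struct {
	Attribute string              `json:"attribute"`
	Evidence  *ResourceDescriptor `json:"evidence,omitempty"`
}

// Statement is an in-toto Statement v1 whose predicate is a SCAI attribute report.
type Statement struct {
	Type          string               `json:"_type"`
	Subject       []ResourceDescriptor `json:"subject"`
	PredicateType string               `json:"predicateType"`
	Predicate     struct {
		Attributes []AttributeAssertion `json:"attributes"`
	} `json:"predicate"`
}

// Signature and Envelope follow the DSSE JSON envelope; payload and sig are base64.
type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}

// pae is the DSSE Pre-Authentication Encoding. Signing it rather than the bare
// payload binds the payload type, so it cannot be swapped under a valid signature.
func pae(ptype string, payload []byte) []byte {
	prefix := fmt.Sprintf("DSSEv1 %d %s %d ", len(ptype), ptype, len(payload))
	return append([]byte(prefix), payload...)
}

// Sign serialises the statement and signs its PAE with an Ed25519 key.
func Sign(stmt Statement, priv ed25519.PrivateKey, keyID string) (Envelope, error) {
	body, err := json.Marshal(stmt)
	if err != nil {
		return Envelope{}, err
	}
	sig := ed25519.Sign(priv, pae(payloadType, body))
	return Envelope{
		PayloadType: payloadType,
		Payload:     base64.StdEncoding.EncodeToString(body),
		Signatures:  []Signature{{KeyID: keyID, Sig: base64.StdEncoding.EncodeToString(sig)}},
	}, nil
}

// Verify returns the statement only if a trusted key signed the envelope, and
// parses the payload only after that, so unauthenticated bytes are never interpreted.
func Verify(env Envelope, trusted map[string]ed25519.PublicKey) (Statement, error) {
	var stmt Statement
	if env.PayloadType != payloadType {
		return stmt, fmt.Errorf("unexpected payloadType %q", env.PayloadType)
	}
	body, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return stmt, err
	}
	for _, s := range env.Signatures {
		pub, known := trusted[s.KeyID] // a signature by an unknown keyid counts for nothing
		sig, derr := base64.StdEncoding.DecodeString(s.Sig)
		if !known || derr != nil || !ed25519.Verify(pub, pae(env.PayloadType, body), sig) {
			continue
		}
		if err := json.Unmarshal(body, &stmt); err != nil {
			return Statement{}, err
		}
		if stmt.Type != statementType {
			return Statement{}, fmt.Errorf("unexpected _type %q", stmt.Type)
		}
		return stmt, nil
	}
	return stmt, fmt.Errorf("no valid signature from a trusted key")
}

// CheckPolicy is a deliberately small policy: the artifact being consumed must be
// a subject of a SCAI report that asserts the required attribute with evidence.
func CheckPolicy(stmt Statement, artifactSHA256, requiredAttr string) error {
	if stmt.PredicateType != scaiPredicate {
		return fmt.Errorf("unexpected predicateType %q", stmt.PredicateType)
	}
	for _, s := range stmt.Subject {
		if s.Digest["sha256"] != artifactSHA256 {
			continue // this subject is some other artifact
		}
		for _, a := range stmt.Predicate.Attributes {
			if a.Attribute == requiredAttr && a.Evidence != nil {
				return nil
			}
		}
	}
	return fmt.Errorf("no evidence-backed %q claim for sha256:%s", requiredAttr, artifactSHA256)
}

// Sha256Hex is the lowercase hex digest form used in subject descriptors.
func Sha256Hex(data []byte) string { return fmt.Sprintf("%x", sha256.Sum256(data)) }

// Constructed sample data, not real in-toto or SCAI values: a fake build output,
// a hypothetical attribute name and an evidence URI under example.invalid.
var sampleArtifact = []byte("constructed sample build output\n")

const sampleAttr = "BUILDER_SECURE_BOOT_VERIFIED"

// SampleStatement builds a SCAI attestation over the constructed artifact.
func SampleStatement() Statement {
	stmt := Statement{Type: statementType, PredicateType: scaiPredicate}
	stmt.Subject = []ResourceDescriptor{{Name: "app.tar.gz", Digest: map[string]string{"sha256": Sha256Hex(sampleArtifact)}}}
	stmt.Predicate.Attributes = []AttributeAssertion{{Attribute: sampleAttr,
		Evidence: &ResourceDescriptor{URI: "https://example.invalid/evidence/tpm-quote-1"}}}
	return stmt
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	env, _ := Sign(SampleStatement(), priv, "builder-key-1")
	stmt, err := Verify(env, map[string]ed25519.PublicKey{"builder-key-1": pub})
	fmt.Println("verify:", err, "| policy:", CheckPolicy(stmt, Sha256Hex(sampleArtifact), sampleAttr))
}
```

Two points carry over to real deployments. The signature covers the DSSE pre-authentication encoding, so the payload type is bound to the payload and an envelope cannot be re-labelled as some other format while keeping a valid signature. Verify also unmarshals the payload only after a trusted signature has checked out, so a JSON parser bug is never reachable with unauthenticated input; a consumer should exercise the failure paths (wrong key, unknown key ID, tampered payload, wrong payload type) as deliberately as the happy path. The policy here is the smallest useful shape, asking whether this artifact is a subject and whether the report asserts the attribute we need with evidence attached; the policy mechanisms the abstract mentions are where that idea is generalised.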

Marcela Melara

Research Scientist, Intel Corporation
Marcela Melara is a research scientist in the Security and Privacy Group at Intel Labs. Her current work focuses on solutions for high-integrity software supply chains and trustworthy distributed systems. She leads a number of internal, open-source and academic efforts on supply chain...

Santiago Torres-Arias

Assistant Professor, Purdue University
Santiago is an Assistant Professor at Purdue ECE. His interests include binary analysis, cryptography, and distributed systems security. His current research focuses on securing the software development lifecycle, cloud security, and update systems. Santiago is a member of the Arch Linux...

Tuesday November 7, 2023 12:10pm - 12:45pm CST
W187 (Ground Level)