Software supply chain attacks have seen a 742% increase in the last three years. in-toto is a battle-tested and broadly deployed CNCF incubated project that counters these threats. The framework connects security efforts such as SLSA, Sigstore, and SBOMs, where signed and verifiable in-toto attestations are used to express claims about software supply chain steps and artifacts. However, trusting attestations and their policies is predicated on bootstrapping their verification keys and securely distributing them to end users.
Enter TUF! The Update Framework (TUF) is a widely adopted CNCF graduated project used to secure software repositories. TUF protects against a range of subtle attacks on software distribution, and is designed to be secure even when some components of the system are compromised. TUF can be used to unambiguously associate artifacts with their in-toto metadata, thereby bootstrapping trust for attestations. Thus, combining in-toto and TUF provides a secure way to verify end-to-end software supply chain integrity. This talk covers the fundamentals of both in-toto and TUF, discusses how to combine them with a real world case study where Datadog has been using two technologies together for years, and presents new open source tooling that simplifies deploying the two systems together.
PhD Candidate @NYU & Tech Lead for CNCF's TAG Security
Marina Moore is a PhD candidate at NYU Tandon’s Secure Systems Lab doing research focused on secure software updates and software supply chain security. She is a maintainer of many open source projects including The Update Framework (TUF), Uptane, in-toto, and Sigstore. She also is a Tech Lead for the CNCF's TAG Security where she has contributed to the TAG Security Whitepaper and the Software Supply Chain Security Best Practices paper.