YoVDO

Enforceable Software Supply Chain Policies and Attestations Using in-Toto

Offered By: CNCF [Cloud Native Computing Foundation] via YouTube

Tags

Software Supply Chain Security Courses, Compliance Courses, Supply Chain Attacks Courses, in-toto Courses

Course Description

Overview

Explore enforceable software supply chain policies and attestations using in-toto in this 35-minute conference talk presented by Alan Chung Ma and Santiago Torres-Arias from Purdue University. Delve into the importance of capturing metadata to demonstrate supply chain integrity in light of cybersecurity regulations and high-profile attacks like SUNBURST. Learn how CNCF projects such as in-toto and Witness generate machine-verifiable attestations, and understand the role of frameworks like SLSA in guiding attestation generation. Discover specific policies that can defend against notable supply chain attacks, and gain insights into configuring in-toto to mitigate such threats. Examine the TAG-Security catalog of supply chain attacks and their relevance to SLSA specifications and US/EU regulations. Gain valuable knowledge to enhance your organization's software supply chain security and compliance efforts.

Syllabus

Enforceable Software Supply Chain Policies and Attestations Using in-Toto


Taught by

CNCF [Cloud Native Computing Foundation]
