
in-toto reaches CNCF graduation, boosting software supply chain
The Cloud Native Computing Foundation has announced that the in-toto software security framework has graduated to its highest level of maturity within the foundation's project lifecycle.
in-toto, developed at the NYU Tandon School of Engineering, is designed to help verify the integrity and security of every step in the software development lifecycle, addressing the growing concerns surrounding software supply chain attacks and increasing regulatory scrutiny on software transparency.
Linux Foundation Research's 2024 report, Strengthening License Compliance and Software Security with SBOM Adoption, has identified the use of software bills of materials (SBOMs) as an effective means for organisations to pinpoint vulnerabilities early and improve traceability. The report draws attention to heightened regulatory demands and the increased need for transparency, which aligns with the capabilities that in-toto aims to provide.
Chris Aniszczyk, Chief Technology Officer at CNCF, said, "We're pleased to welcome in-toto as our next CNCF graduated project. in-toto addresses a critical and growing need in our ecosystem - ensuring trust and integrity in how software is built and delivered. As software supply chain threats grow in scale and complexity, in-toto enables organisations to confidently verify their development workflows, reducing risk, enabling compliance, and ultimately accelerating secure innovation."
in-toto works by creating a verifiable record of events throughout the software development process, from initial code to final installation, enabling organisations to check that every step was carried out by an authorised party and in the correct sequence. The framework is already deployed by companies including SolarWinds and Autodesk, and is integrated with established industry standards such as OpenVEX and Supply-chain Levels for Software Artifacts (SLSA). Adoption has been made easier by tools like Witness and Archivista, which help reduce the operational burden for developers.
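The verification model described above (per-step attestations, an allow-list of authorised signers per step, and artifact digests that chain one step's products to the next step's materials) is easier to see in code. The following is an added example written for this page, not in-toto's own implementation or metadata format: the layout and link structures, the step names ("clone", "build"), the functionary names and the HMAC-based signing are all constructed here. Real in-toto uses asymmetric signatures (for example ed25519) over a defined link schema; HMAC with a shared secret stands in so the example runs on the Python standard library alone.

```python
import hashlib
import hmac
import json

# Constructed demonstration of in-toto-style verification; not in-toto's own
# code or metadata format. HMAC stands in for the asymmetric signatures a real
# deployment would use, so that the example runs offline on the stdlib.


def canonical(obj) -> bytes:
    """Deterministic serialisation so signer and verifier hash the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_link(link: dict, key: bytes) -> dict:
    """A functionary attests to a step by signing the link body (everything but the signature)."""
    body = {k: v for k, v in link.items() if k != "signature"}
    sig = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "signature": sig}


def signature_valid(link: dict, key: bytes) -> bool:
    body = {k: v for k, v in link.items() if k != "signature"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, link.get("signature", ""))


def verify_supply_chain(layout: dict, links: list, keys: dict):
    """Check each layout step against its link metadata.

    For every step: the link must exist, be signed by a functionary the layout
    authorises for that step, carry an intact signature, and (where the layout
    names an upstream step) record materials whose digests equal that upstream
    step's products. The digest chaining is what enforces step order.
    Returns (ok, findings); findings is a list of human-readable failures.
    """
    findings = []
    by_step = {link["step"]: link for link in links}
    for step in layout["steps"]:
        name = step["name"]
        link = by_step.get(name)
        if link is None:
            findings.append(f"{name}: no link metadata")
            continue
        if link["keyid"] not in step["authorized_keyids"]:
            findings.append(f"{name}: signed by unauthorised functionary {link['keyid']}")
        key = keys.get(link["keyid"])
        if key is None or not signature_valid(link, key):
            findings.append(f"{name}: signature invalid or signer unknown")
        upstream = step.get("materials_from")
        if upstream:
            upstream_products = by_step.get(upstream, {}).get("products", {})
            for path, digest in link["materials"].items():
                if upstream_products.get(path) != digest:
                    findings.append(f"{name}: material {path} does not match product of {upstream}")
    return (not findings), findings


# Constructed sample data: two functionaries, a two-step layout, and artifacts.
KEYS = {"alice": b"alice-secret", "bob": b"bob-secret", "mallory": b"mallory-secret"}
LAYOUT = {
    "steps": [
        {"name": "clone", "authorized_keyids": ["alice"], "materials_from": None},
        {"name": "build", "authorized_keyids": ["bob"], "materials_from": "clone"},
    ]
}
SOURCE = b"print('hello')\n"
BINARY = b"constructed-build-output"


def good_links() -> list:
    """Honest run: build consumed exactly what clone produced."""
    clone = sign_link({"step": "clone", "keyid": "alice", "materials": {},
                       "products": {"src/main.py": sha256_of(SOURCE)}}, KEYS["alice"])
    build = sign_link({"step": "build", "keyid": "bob",
                       "materials": {"src/main.py": sha256_of(SOURCE)},
                       "products": {"dist/app": sha256_of(BINARY)}}, KEYS["bob"])
    return [clone, build]


def modified_source_links() -> list:
    """The source file changed between clone and build; bob honestly records
    what he built from, so the material digest no longer matches clone's product."""
    clone, build = good_links()
    altered = {**build, "materials": {"src/main.py": sha256_of(b"print('changed')\n")}}
    return [clone, sign_link(altered, KEYS["bob"])]


def unauthorised_builder_links() -> list:
    """A valid signature from a functionary the layout does not authorise for 'build'."""
    clone, build = good_links()
    return [clone, sign_link({**build, "keyid": "mallory"}, KEYS["mallory"])]


if __name__ == "__main__":
    for label, fn in [("good", good_links), ("modified", modified_source_links),
                      ("unauthorised", unauthorised_builder_links)]:
        print(label, verify_supply_chain(LAYOUT, fn(), KEYS))
```

The two failing scenarios show the two properties the paragraph names: the unauthorised-signer case is caught by the per-step allow-list even though its signature is cryptographically valid, and the modified-source case is caught by digest chaining even though every signature is valid and every signer is authorised. A verifier that checked signatures alone would accept both.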
Jesse Sanford, Software Architect at Autodesk, stated, "The fact that Witness and Archivista have reduced developer friction so significantly has really set the in-toto framework apart for us. This tooling makes the process incredibly smooth and means we can now run securely by default. We don't have to ask our software development teams to go through any hurdles to get to the point where proof is generated. Instead, we can leverage toolchains in the critical path of software being promoted to production, to generate enough trust."
Since joining CNCF as a Sandbox project in 2019, in-toto has progressed through key milestones, moving to incubation status in March 2022, and issuing its version 1.0 specification in June 2023. The framework's development has been supported by significant funding from organisations such as the National Science Foundation, the Defense Advanced Research Projects Agency, and the Air Force Research Laboratory.
Justin Cappos, faculty member in NYU Tandon School of Engineering's Department of Computer Science and Engineering and a member of the NYU Center for Cybersecurity, said, "in-toto's graduation validates our lab's pioneering work in software security. Through the support of our amazing community of in-toto contributors, maintainers, and adopters, what began as an academic research project has evolved into an industry standard, demonstrating how university research can directly address critical real-world cybersecurity challenges."
Santiago Torres-Arias, faculty member at the Purdue University Elmore Family School of Electrical and Computer Engineering, added, "With the increasing frequency and sophistication of software supply chain attacks, in-toto's graduation validates its essential role in protecting organisations."
The original development of in-toto was overseen by Cappos and driven by then-student Torres-Arias, with contributions from researchers at the New Jersey Institute of Technology. This graduation marks the second time Cappos has led a CNCF project to this status, following The Update Framework (TUF), which protects software update systems and achieved graduation in 2019.
To reach graduation, in-toto underwent a comprehensive CNCF review process, which included publishing real-world user case studies and advancing its governance and onboarding strategies. The project's forthcoming roadmap includes plans to expand support for policy language features, enabling organisations to better define and enforce security requirements across their supply chains.