Kairo de Araujo - Securing the Software Supply Chain: Open Source for the SDLC
Abstract
With the growing complexity of software development, securing the software supply chain has never been more critical, and it becomes essential with the Cyber Resilience Act (CRA).
This talk introduces Open Source solutions that integrate into the Software Development Life Cycle (SDLC). We’ll explore key projects under CNCF and OpenSSF that tackle this challenge:
in-toto: A framework for provenance attestations that make your software's journey from development to deployment traceable and verifiable, complemented by tools such as Witness and Archivista for generating, storing and monitoring artifact provenance.
The Update Framework (TUF) and Repository Service for TUF (RSTUF): Frameworks for secure software distribution that ensure the integrity and authenticity of distributed software, attestations and SBOMs.
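To make concrete what "provenance attestation" and "verification" mean in the in-toto item above, here is an added example (not code from in-toto, Witness or the talk) that builds an in-toto Statement for a build artifact, wraps it in a DSSE envelope using the spec's pre-authentication encoding, and then verifies a downloaded artifact against it. The Statement layout and the DSSE PAE follow the public in-toto Attestation Framework and DSSE specifications; everything else is an assumption for illustration: the artifact bytes, the predicate type URL and its fields, the key id, and the use of HMAC-SHA256 in place of the asymmetric signature a real step key would produce, so that the example runs on the Python standard library alone.

```python
import base64
import hashlib
import hmac
import json

# Assumption: a symmetric HMAC key stands in for the build step's signing key.
# Real in-toto deployments sign with asymmetric keys (e.g. ed25519) and only
# distribute the public half to verifiers.
SIGNING_KEY = b"example-in-toto-step-key"
KEY_ID = "builder-key-1"

# Statement type from the in-toto Attestation Framework; the predicate type
# and its fields below are illustrative assumptions, not a registered predicate.
STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
PREDICATE_TYPE = "https://example.com/build-provenance/v1"
PAYLOAD_TYPE = "application/vnd.in-toto+json"

# Constructed sample artifact and predicate.
ARTIFACT = b"#!/bin/sh\necho hello\n"
PREDICATE = {"builder": "ci-runner-42", "source": "git+https://example.com/repo@abc123"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_statement(artifact_name: str, artifact: bytes, predicate: dict) -> dict:
    """Bind a predicate (who built what, from which source) to the artifact digest."""
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": artifact_name, "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": PREDICATE_TYPE,
        "predicate": predicate,
    }


def dsse_pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the bytes that are actually signed.
    PAE(type, body) = "DSSEv1" SP LEN(type) SP type SP LEN(body) SP body."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)


def sign_statement(statement: dict, key: bytes = SIGNING_KEY, keyid: str = KEY_ID) -> dict:
    """Serialize the statement canonically and wrap it in a DSSE envelope."""
    payload = json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, dsse_pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {
        "payloadType": PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}],
    }


def verify_artifact(envelope: dict, artifact_name: str, artifact: bytes, trusted_keys: dict):
    """Return (ok, reason). First check the envelope carries a valid signature from a
    trusted key, then check the artifact in hand is the subject the attestation names."""
    payload = base64.b64decode(envelope["payload"])
    pae = dsse_pae(envelope["payloadType"], payload)
    signed_by = None
    for s in envelope["signatures"]:
        key = trusted_keys.get(s["keyid"])
        if key is None:
            continue  # unknown key id: ignore, do not trust
        expected = hmac.new(key, pae, hashlib.sha256).digest()
        if hmac.compare_digest(expected, base64.b64decode(s["sig"])):
            signed_by = s["keyid"]
            break
    if signed_by is None:
        return False, "no valid signature from a trusted key"
    statement = json.loads(payload)  # only parse after the signature checks out
    if statement.get("_type") != STATEMENT_TYPE:
        return False, "unexpected statement type"
    digest = sha256_hex(artifact)
    for subject in statement.get("subject", []):
        if subject.get("name") == artifact_name and subject.get("digest", {}).get("sha256") == digest:
            return True, "artifact matches attested subject, signed by %s" % signed_by
    return False, "artifact digest does not match any attested subject"


def demo():
    """Good artifact verifies; a tampered artifact and an untrusted key do not."""
    envelope = sign_statement(make_statement("app.sh", ARTIFACT, PREDICATE))
    trusted = {KEY_ID: SIGNING_KEY}
    ok_good, _ = verify_artifact(envelope, "app.sh", ARTIFACT, trusted)
    ok_tampered, _ = verify_artifact(envelope, "app.sh", ARTIFACT + b"rm -rf /\n", trusted)
    ok_untrusted, _ = verify_artifact(envelope, "app.sh", ARTIFACT, {"someone-else": b"other-key"})
    return ok_good, ok_tampered, ok_untrusted


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: the verifier parses the payload only after a trusted signature has been confirmed over the PAE, and it treats an unknown key id as untrusted rather than as an error to work around. In a real pipeline the trusted key set would come from an in-toto layout or a TUF-distributed root of trust rather than a hard-coded dictionary.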
These projects are being adopted by private organizations (Datadog, Lockheed Martin, GitHub, etc.) and open source projects (PyPI, npm, RubyGems, etc.).
As a maintainer of these projects, I want to share how to apply them to protect your software supply chain, mitigate risks, and improve trust in the SDLC. Expect insights, practical examples, and a roadmap for adopting these tools in your workflows.
Biography
Kairo de Araujo is an Open Source Software Engineer specializing in the Secure Software Supply Chain, dedicated to advancing security standards and tools for open-source ecosystems.
He has made significant contributions to the open-source community, particularly through his active involvement with the Cloud Native Computing Foundation (CNCF) and the Open Source Security Foundation (OpenSSF). Kairo serves as a maintainer for The Update Framework (TUF) and its Python implementation, python-tuf (https://theupdateframework.io), as well as for in-toto (https://in-toto.io), a framework for securing the integrity of software supply chains. Additionally, he is the author and core engineer behind the Repository Service for TUF (RSTUF) (https://rstuf.org), a tool designed to simplify and enhance TUF adoption for organizations by providing a seamless and efficient implementation platform.
Kairo’s professional experience spans several leading technology companies. He has held prominent roles such as Senior Open Source Software Engineer at TestifySec, where he focuses on supply chain security innovations, Senior Open Source Engineer at VMware, where he contributed to scaling open-source initiatives, and Senior Software Engineer positions at IBM, ING, and Forescout, where he developed expertise in designing and implementing containerized and microservice-based solutions for distributed systems.