Secure Release Processes with in-toto Policy Verification
Beyond Basic Security Gates
At KubeCon North America 2024, John Kjell and Aditya Sirish A Yelgundhalli presented a comprehensive approach to securing software releases using in-toto policy verification. The talk goes beyond traditional security gates and manual reviews to demonstrate how cryptographic attestations can create a verifiable chain of trust from code commit to production deployment.
The presentation showcases real-world implementations where organizations have transformed their release processes from hours of manual verification to minutes of automated policy checks, all while improving security posture. John and Aditya demonstrate how in-toto's flexible policy language allows teams to encode complex security requirements that would be impossible to verify manually.
The Power of Policy-as-Code
What makes this approach revolutionary is its treatment of security policies as code. Just as infrastructure-as-code transformed operations, policy-as-code is transforming security. Teams can version control their security requirements, review changes through pull requests, and automatically enforce policies across all releases.
The talk includes live demonstrations of policy verification in action, showing how attestations from different tools and stages of the development process can be combined to provide comprehensive security guarantees.
Key Takeaways
in-toto policies enable cryptographic verification of every step in your release process
Flexible policy definitions allow organizations to encode their specific security requirements
Attestations for code reviews, testing, and scanning can be chained together for end-to-end verification
SBOM integrity verification prevents supply chain attacks that work through dependency manipulation
Policy-as-code approaches enable version control and auditing of security requirements
Real-world implementations show 90%+ reduction in security review time
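The chaining of per-step attestations described in the takeaways above, as an added illustration that is not code from the talk or from the in-toto project: a simplified layout verifier in which each step's signed attestation records the hashes of its materials and products, the layout names which functionary may sign each step, and a MATCH rule requires each step to consume exactly what the previous step produced. The functionary keys, step names and artifact hashes are constructed for the example, and HMAC-SHA256 stands in for the asymmetric signatures real in-toto uses.

```python
"""Added illustration of in-toto-style layout verification (not the in-toto
reference implementation): signed per-step attestations ("links") record artifact
hashes, and the layout is the policy. HMAC-SHA256 stands in for real signatures."""
import hashlib, hmac, json

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sign(key: bytes, payload: dict) -> str:
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def make_link(step: str, materials: dict, products: dict, key: bytes) -> dict:
    signed = {"step": step, "materials": materials, "products": products}
    return {"signed": signed, "sig": sign(key, signed)}

def verify_layout(layout: dict, links: dict, keys: dict) -> list:
    """Return policy violations; an empty list means the release chain verifies."""
    errors, accepted = [], {}
    for step in layout["steps"]:
        name, link = step["name"], links.get(step["name"])
        if link is None or link["signed"]["step"] != name:
            errors.append(f"{name}: missing attestation"); continue
        # Only the functionaries the layout lists for this step may sign it.
        if not any(hmac.compare_digest(link["sig"], sign(keys[k], link["signed"]))
                   for k in step["pubkeys"]):
            errors.append(f"{name}: not signed by an authorised functionary"); continue
        # Rule [MATCH, *, WITH, PRODUCTS, FROM, <step>]: consume exactly what <step> produced.
        for rule in step["expected_materials"]:
            if rule[0] == "MATCH":
                prev = accepted.get(rule[5])
                if prev is None or link["signed"]["materials"] != prev["products"]:
                    errors.append(f"{name}: materials differ from products of {rule[5]}")
        accepted[name] = link["signed"]
    return errors

KEYS = {"alice": b"alice-key", "bob": b"bob-key"}  # constructed sample functionary keys
LAYOUT = {"steps": [
    {"name": "clone", "pubkeys": ["alice"], "expected_materials": []},
    {"name": "test", "pubkeys": ["bob"],
     "expected_materials": [["MATCH", "*", "WITH", "PRODUCTS", "FROM", "clone"]]},
    {"name": "build", "pubkeys": ["bob"],
     "expected_materials": [["MATCH", "*", "WITH", "PRODUCTS", "FROM", "test"]]}]}
SRC = {"main.go": digest(b"package main")}  # constructed source tree hash
GOOD = {"clone": make_link("clone", {}, SRC, KEYS["alice"]),
        "test": make_link("test", SRC, SRC, KEYS["bob"]),
        "build": make_link("build", SRC, {"app": digest(b"binary")}, KEYS["bob"])}
TAMPERED = dict(GOOD, build=make_link("build", {"main.go": digest(b"evil")},
                                      {"app": digest(b"binary")}, KEYS["bob"]))
```

`verify_layout(LAYOUT, GOOD, KEYS)` returns an empty list, while the tampered variant, whose build step consumed sources that the test step never produced, is rejected with a named violation.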
Watch the Full Presentation
35 minutes of insights on in-toto
About the Speakers
John Kjell
Principal Consultant, ControlPlane
John is a maintainer for the Witness and Archivista sub-projects under in-toto. Additionally, John is an active contributor to CNCF's TAG Security and multiple projects within the OpenSSF. Before joining ControlPlane, John was an engineering leader at VMware, helping to bring supply chain security practices to enterprise environments.
Aditya Sirish A Yelgundhalli
Senior Software Engineer, Bloomberg
Aditya is a senior software engineer at Bloomberg. Previously, he was a Ph.D. candidate at New York University where he researched software supply chain security. He is a maintainer of in-toto, which is incubated at the CNCF. He is also a contributor to TUF, another CNCF project.