Keynotes
A perspective on the history of software supply chain security and how we should shape the future
Speaker: Justin Cappos
Abstract
Software supply chain security has gone from a niche concern that few understood to a critical need for most organizations. This talk presents lessons learned over two decades of experience, from the perspective of a software supply chain tool builder with a variety of successes and failures in the space. Working in this space is a constant battle to understand adopter problems and motivations, to find the most secure solutions that are still deployable, and to have tooling ready (and battle tested) when the next big attack hits. The talk closes with a call to action to help address some of the most pressing issues today, including how our community can grow over the coming decades while protecting itself from the failure modes seen in other academic communities.
About Justin Cappos
Justin Cappos is a professor in the Computer Science and Engineering Department at New York University. He is a creator of a variety of widely used software supply chain technologies, including TUF, Uptane, gittuf, SBOMit, and in-toto. Working with his collaborators, he has also contributed to Git, Reproducible Builds, major Linux package managers, popular programming language ecosystems, legal repositories, automobiles, and more. Due to the depth and breadth of these contributions—along with, perhaps, a few gray hairs—he is, to his surprise, sometimes given the moniker “father of software supply chain security.”