Keynotes

How to trust code we run

Speaker: Nicole Bates

Abstract

This talk examines the urgent challenges facing today’s supply chains, centering on the fundamental question: why should we trust the code we run? Through a demonstration of an end-to-end supply chain model workflow—including signing and transparently publishing an AI model manifest—the talk illustrates how transparency mechanisms can strengthen trust, accountability, integrity and security across the supply chain.

The session also highlights emerging industry standards that underpin traceability, interoperability, and compliance, which are essential for effective risk management. Attendees will gain practical insights into how these evolving frameworks are shaping the future of secure supply chain practices.

About Nicole Bates

Nicole Bates works in Microsoft’s Azure Office of the CTO where she focuses on supply chain security. She is actively involved in the OpenSSF’s Supply Chain Integrity and ORBIT Working Groups and contributes to standards development through the IETF’s Supply Chain Integrity, Transparency and Trust and COSE working groups. She is currently working on an AIBOM tool. Her experience spans over 20 years working in computer security at UC Berkeley, General Dynamics, and Microsoft. While at UC Berkeley’s intrusion detection team, she specialized in computer forensics, analyzing compromised computers and investigating major threats including the Code Red and Nimda worms, building foundational expertise in threat detection and digital investigation that informs her current efforts in supply chain security.

A perspective on the history of software supply chain security and how we should shape the future

Speaker: Justin Cappos

Abstract

Software supply chain security has gone from a niche concern which few understood to a critical need for most organizations. This talk presents lessons learned from two decades of experience from the perspective of a software supply chain tool builder with a variety of successes and failures in the space. Working in this space is a constant battle to understand adopter problems and motivations, find the maximally secure solutions that are deployable, and work to have tooling ready (and battle tested) when the next big attack hits. The talk closes with a call to action to help address some of the most pressing issues today, including how our community can grow over the coming decades while protecting itself from the failure modes seen in other academic communities.

About Justin Cappos

Justin Cappos is a professor in the Computer Science and Engineering Department at New York University. He is a creator of a variety of widely used software supply chain technologies, including TUF, Uptane, gittuf, SBOMit, and in-toto. Working with his collaborators, he has also contributed to Git, Reproducible Builds, major Linux package managers, popular programming language ecosystems, legal repositories, automobiles, and more. Due to the depth and breadth of these contributions—along with, perhaps, a few gray hairs—he is, to his surprise, sometimes given the moniker “father of software supply chain security.”