in-toto moves to the CNCF Incubator

2022-03-28 · Posted by: Lois Anne DeLong · Categories: in-toto

The in-toto project, a supply chain security solution which provides protection by collecting and verifying relevant data at each step of a software product’s lifecycle, was recently promoted to the incubator of the Cloud Native Computing Foundation. CNCF, a Linux Foundation-supported program designed to “assist the growth and development of promising new open source technologies applicable to cloud applications,” announced the promotion in a press release issued March 10, 2022.

in-toto was “born” in the Secure Systems Laboratory at NYU’s Tandon School of Engineering in 2015, under the guidance of lab director Dr. Justin Cappos, and the move to the CNCF “incubator” is an indication of the project’s growing maturity. It marks fulfillment of a number of criteria, including adoption by other projects and active participation from multiple organizations. Incubating projects must also adopt the CNCF Code of Conduct and achieve and maintain the Core Infrastructure Initiative Best Practices Badge.

“I am very excited to see in-toto grow into CNCF incubation. Not only because of what it means for the project, but for all the doors that it opens for new contributors, synergies with other CNCF projects and the ability to tackle new and open questions with regards to supply chain security, in the cloud or otherwise,” states Dr. Santiago Torres Arias, an assistant professor at Purdue University and a lead developer on in-toto while completing his doctorate at New York University. “On a personal level, I can’t overstate the uniqueness of in-toto’s case, for it is not only an open source project, but one of the few that come from the academic world into the broader public with fresh ideas and a bold proposition to solve the problem at an ecosystem level. I can’t wait to see what’s to come for in-toto in the coming years.”

The CNCF promotion, and the increased visibility in the open source world that comes with it, arrives at a time when the need for reliable software supply chain security has never been greater. Chris Aniszczyk, CNCF chief technical officer, is quoted in a press release from the Foundation acknowledging this point. “We’re excited to have a project offering innovation in the supply chain security space,” he says, adding, “We look forward to seeing collaboration among the community to continue to make the cloud native ecosystem more secure.” Justin Cormack, who served as a CNCF project sponsor, concurs, noting, “in-toto … provides secure and trustworthy ways to represent and attest all the operations within the cloud native pipeline.”

in-toto works as follows: For every piece of software it protects, it provides a layout that defines, for each individual step, what actions are to be taken and by whom. This data is captured in metadata, as are all the artifacts involved. The designated functionary at each step also affixes a cryptographic signature to the metadata. When the end-user receives the finished product, he or she has a complete record of the product’s journey and can verify whether the software was created according to the designer’s original plans. If there is any divergence from the original layout, the user can pinpoint where the divergence occurred and who is responsible for it.
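As an added illustration that is not part of the original post or of the in-toto codebase, the following simplified Python model shows the mechanism just described: a layout names each step and its functionary, each functionary signs link metadata recording the artifacts it consumed and produced, and verification checks the signatures and artifact hashes across steps and reports where the chain diverged. The layout and link structures, the keys and the artifacts are constructed for this example (not in-toto’s real file formats), and HMAC keys stand in for the asymmetric signatures in-toto actually uses.

```python
import hashlib, hmac, json

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()          # artifact identity, as in-toto hashes artifacts

def sign(key: bytes, body: dict) -> str:
    # HMAC stands in for the functionary's asymmetric signature (assumption, see lead-in)
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def make_link(step: str, key: bytes, materials: dict, products: dict) -> dict:
    # Link metadata: what this step consumed and produced, signed by the functionary's key
    body = {"step": step, "materials": {n: digest(b) for n, b in materials.items()},
            "products": {n: digest(b) for n, b in products.items()}}
    return {**body, "signature": sign(key, body)}

def verify_supply_chain(layout: dict, keys: dict, links: dict) -> list:
    # Returns every divergence from the layout; an empty list means the product verifies
    problems, produced = [], {}          # produced: artifact -> (digest, step that made it)
    for step in layout["steps"]:
        name, who = step["name"], step["functionary"]
        link = links.get(name)
        if link is None:
            problems.append(f"{name}: no link metadata from {who}")
            continue
        body = {k: v for k, v in link.items() if k != "signature"}
        if not hmac.compare_digest(sign(keys[who], body), link["signature"]):
            problems.append(f"{name}: signature does not verify against {who}'s key")
            continue
        for art in step["materials"]:                  # inputs must match earlier outputs
            if art not in link["materials"]:
                problems.append(f"{name}: required material {art} missing")
            elif art in produced and produced[art][0] != link["materials"][art]:
                problems.append(f"{name}: {art} differs from what {produced[art][1]} produced")
        for art in step["products"]:                   # record outputs for later steps
            if art not in link["products"]:
                problems.append(f"{name}: expected product {art} missing")
            else:
                produced[art] = (link["products"][art], name)
    return problems

# Constructed two-step layout, keys and artifacts; not a real in-toto layout file
LAYOUT = {"steps": [
    {"name": "build", "functionary": "builder", "materials": [], "products": ["app.bin"]},
    {"name": "package", "functionary": "packager", "materials": ["app.bin"], "products": ["app.tar"]}]}
KEYS = {"builder": b"builder-secret", "packager": b"packager-secret"}

def demo(tamper: bool = False) -> list:
    app = b"compiled application"
    build = make_link("build", KEYS["builder"], {}, {"app.bin": app})
    consumed = app + b" modified" if tamper else app   # binary altered between the two steps
    package = make_link("package", KEYS["packager"], {"app.bin": consumed}, {"app.tar": b"tar:" + consumed})
    return verify_supply_chain(LAYOUT, KEYS, {"build": build, "package": package})
```

`demo()` returns an empty list for an honest chain, while `demo(tamper=True)` names the step whose input no longer matches what the previous functionary signed for.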

The in-toto development team also includes NYU Tandon alumnus Dr. Trishank Karthik Kuppusamy, now Engineering Manager at Datadog; developer Lukas Pühringer and current Ph.D. candidate Aditya Sirish A Yelgundhalli, both from the Secure Systems Laboratory at NYU Tandon; and Hammad Afzali Nanize, Anil Kumar Ammul, Sangat Vaidya, and Professor Reza Curtmola, co-director of the Cybersecurity Research Center, all from the New Jersey Institute of Technology. The project has participated in various initiatives that have attracted other contributors, such as Christian Rebischke of Arch Linux and Qijia “Joy” Liu, a student at the University of Pennsylvania, through Google Summer of Code (GSoC), and several undergraduate students—Alan Chung Ma of Purdue University; Yuanrui Chen, Isha Vipul Dave, Kristel Fung, Cindy Kim, and Benjamin Wu, all from NYU—through various research programs at both universities. Finally, due to in-toto’s relevance and impact in the industry, it has received contributions from employees at various companies through their open source contribution teams. Some significant contributors from this group are Mark Lodato, Tom Hennen, and Sergio Felix of Google, and Joshua Lock, Jussi Kukkonen, Martin Vrachev, and Teodora Sechkova of VMware.

Since its inception, in-toto has been adopted by or integrated into a number of major open source software projects, including several within the CNCF and the Open Source Security Foundation, as well as Grafeas, Kubesec, rebuilderd, and Sigstore’s cosign. It has been implemented in several languages, including Python, Golang, Java, and Rust, and is part of crucial security projects such as Reproducible Builds and SLSA. The project has been adopted in production by Datadog, which has used it to secure its pipelines since 2019, and by SolarWinds, which redesigned its build pipelines after the SUNBURST attack came to light. In its three years under the umbrella of the CNCF, in-toto has attracted more than 132 contributors from 16-plus different organizations.