
[Presentation] in-toto presentation (feedback for graduation proposal) #1290

Closed
3 tasks done
SantiagoTorres opened this issue Jun 21, 2024 · 6 comments
Assignee: mnm678
Labels: triage-required (Requires triage), usecase-presentation (Label for usecase related presentations)

Comments


SantiagoTorres commented Jun 21, 2024

Title: in-toto project update
Speakers: @SantiagoTorres @JustinCappos

Description: in-toto is gearing for a graduation review. It's been 2 years since in-toto went up, so it's timely to also update the TAG Security community about the state of the project, its integrations, and overall progress.

Time: 30 minutes (or as much as is usually required)

Availability: all meeting times should work (or somebody else in the in-toto steering committee may be able to step in)

TO DO

SantiagoTorres added the triage-required and usecase-presentation labels Jun 21, 2024
mnm678 self-assigned this Jun 21, 2024

mnm678 commented Jun 21, 2024

It looks like July 17 and 24 are both available. Do you have a preference?

SantiagoTorres (Contributor, Author) commented

Not really! Let's do the 17th?


linsun commented Jun 24, 2024

subscribe, will try to join

06kellyjac (Contributor) commented

@ The TAG Security Weekly Meeting [NA]
19:00 Central Europe
18:00 UK
13:00 NY
10:00 LA


anvega commented Jul 18, 2024

TAG Security has conducted a thorough review of the in-toto project as part of its consideration for CNCF graduation. Based on our assessment, we find:

in-toto presents as a mature, well designed security project that has made significant strides toward graduation. Key points supporting this include:

  • in-toto is widely adopted across companies and projects, including Datadog, SolarWinds's Trebuchet, GitHub npm Package Provenance, OpenVEX, SLSA, Sigstore, Tekton and many more. This demonstrates its value and reliability in real world applications.
  • The project underwent a thorough security audit conducted by X41 D-Sec, facilitated by OSTIF and funded by CNCF. This audit demonstrated:
    a) Scope: The audit covered both Python and Go implementations, reviewing all in-scope code.
    b) Methodology: Manual review was complemented by language-specific static code analyzers, ensuring a comprehensive approach.
    c) Findings: The audit identified 1 High, 4 Medium, and 3 Low severity vulnerabilities, indicating a thorough examination.
    d) Critical issue addressed: The most severe vulnerability, which could have compromised the entire security chain, was identified and addressed.
    e) Transparency: The full audit report is publicly available, demonstrating the project's commitment to openness.
    f) Proactive improvements: X41's team provided recommendations to enhance the overall security posture beyond just addressing vulnerabilities.
  • in-toto has achieved gold status on the OpenSSF Best Practices badge, indicating adherence to security recommended practices.
  • The project is very intentional about its design providing a flexible framework for securing software supply chains, allowing for various use cases and integrations. Its design enables detailed tracking and verification of software development processes.
  • in-toto has updated its governance structure, formed a technical steering committee with defined roles and duties, and conducted elections, demonstrating a commitment to sustainable community management.
  • The project has addressed concerns raised during the incubation review, including conducting a security audit, improving documentation, and enhancing governance.

Opportunities for further development:

  • As in-toto subprojects under the larger in-toto organization umbrella continue to mature, there may be value in conducting security audits for these components, particularly for newly donated subprojects.
  • The project's role in important initiatives like SLSA could be further highlighted to demonstrate its impact on the broader security ecosystem.
  • Encouraging and supporting further integrations with other tools and platforms could enhance in-toto's value prop.

In conclusion, in-toto demonstrates the characteristics of a graduated level CNCF project, particularly in terms of security. Its wide adoption, successful response to security audits, and overall mature security posture make it a strong candidate for graduation. The project serves as an exemplar of security design in the ecosystem.


mnm678 commented Aug 19, 2024

Thank you for the presentation!
