Supply chain security framework in-toto hits a milestone; releases v1.0.0

Releasing v1.0.0 of a software project marks a significant milestone in its development. It signals that the project has reached a level of maturity at which its developers can stand behind its quality and its security to potential adopters. On November 23, in-toto, a software framework developed at NYU Tandon in collaboration with researchers at the New Jersey Institute of Technology, reached that milestone. Following five years of research and development, and adoption or integration by several major open source software projects, v1.0.0 has been released.

Initiated in 2016 by then-Ph.D. student Santiago Torres-Arias (now an assistant professor of Electrical and Computer Engineering at Purdue University) and Dr. Justin Cappos, an associate professor and director of the Secure Systems Laboratory at Tandon, in-toto provides transparency about which steps are performed on a piece of software throughout its design and development lifecycle. This information is crucial to security because it addresses an inherent problem in software development processes: their decentralized nature. A project owner declares the expected chain of steps in a layout; each step is carried out by a party who records and signs metadata about what went in and what came out; and the end user verifies that the recorded chain matches the layout. As Torres-Arias puts it, “By requiring that each step in this chain conform to the layout specified by the developer, it confirms to the end-user that the product has not been altered for malicious purposes, such as by adding backdoors in the source code.”
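As an added illustration of the mechanism described above, the following is example code written for this page, not in-toto's own implementation. It models a two-step chain (clone, then build) with a layout that names each step, the functionaries allowed to sign it, and the artifacts it must produce; link metadata that records SHA-256 hashes of each step's materials and products; and a verifier that checks every link against the layout and rejects a chain in which the build step consumed source that differs from what the clone step produced. Two simplifications are assumptions of this example: HMAC with per-functionary shared secrets stands in for the asymmetric signatures in-toto actually uses, and the "materials must equal the previous step's products" check is a reduced form of in-toto's artifact rules. The source file, the backdoored source file and the functionary keys are constructed inputs.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed functionary secrets. In real in-toto each functionary holds an
# asymmetric signing key and the layout carries the public keys; HMAC is a
# stand-in so this example runs with the standard library only.
KEYS = {"alice": b"alice-secret", "bob": b"bob-secret"}


def artifact_hash(data: bytes) -> str:
    """Hash an artifact the way link metadata records it (sha256 hex digest)."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class Step:
    name: str
    functionaries: list          # key ids authorised to sign this step's link
    expected_products: list      # artifact paths the step must produce
    materials_from: str = None   # step whose products this step must consume unchanged


@dataclass
class Link:
    step: str
    materials: dict              # path -> sha256 of what the step consumed
    products: dict               # path -> sha256 of what the step produced
    keyid: str = ""
    signature: str = ""

    def payload(self) -> bytes:
        # Canonical encoding so signer and verifier hash identical bytes.
        return json.dumps({"step": self.step, "materials": self.materials,
                           "products": self.products}, sort_keys=True).encode()


def sign_link(link: Link, keyid: str) -> Link:
    link.keyid = keyid
    link.signature = hmac.new(KEYS[keyid], link.payload(), hashlib.sha256).hexdigest()
    return link


def verify_chain(layout: list, links: dict):
    """Check links (step name -> Link) against the layout, in layout order.
    Returns (ok, reason) so a caller can see which rule rejected the chain."""
    for step in layout:
        link = links.get(step.name)
        if link is None:
            return False, f"missing link for step {step.name}"
        # 1. Only a functionary authorised for this step may have signed it.
        if link.keyid not in step.functionaries:
            return False, f"step {step.name} signed by unauthorised key {link.keyid}"
        expected = hmac.new(KEYS[link.keyid], link.payload(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, link.signature):
            return False, f"bad signature on step {step.name}"
        # 2. The step must have produced every artifact the layout expects.
        for path in step.expected_products:
            if path not in link.products:
                return False, f"step {step.name} did not produce {path}"
        # 3. What this step consumed must be exactly what the previous step produced
        #    (the earlier step's link was already verified in this loop).
        if step.materials_from:
            prev_products = links[step.materials_from].products
            for path, digest in link.materials.items():
                if prev_products.get(path) != digest:
                    return False, (f"step {step.name} consumed {path} that differs "
                                   f"from the output of {step.materials_from}")
    return True, "ok"


LAYOUT = [
    Step("clone", ["alice"], ["src/main.c"]),
    Step("build", ["bob"], ["bin/app"], materials_from="clone"),
]


def run_pipeline(tamper: bool = False) -> dict:
    """Produce signed links for the two steps. With tamper=True a backdoor is
    inserted into the source between clone and build (constructed scenario)."""
    src = b"int main(void){return 0;}"
    clone = sign_link(Link("clone", {}, {"src/main.c": artifact_hash(src)}), "alice")
    if tamper:
        src = b'int main(void){system("/bin/sh");return 0;}'
    build = sign_link(Link("build", {"src/main.c": artifact_hash(src)},
                           {"bin/app": artifact_hash(b"ELF" + src)}), "bob")
    return {"clone": clone, "build": build}


if __name__ == "__main__":
    print(verify_chain(LAYOUT, run_pipeline()))               # (True, 'ok')
    print(verify_chain(LAYOUT, run_pipeline(tamper=True)))    # (False, '... differs ...')
```

The untampered chain verifies, while the tampered one fails at the build step because the hash of src/main.c that bob's link records as a material no longer equals the hash alice's clone link recorded as a product. The same verifier also rejects a build link signed by alice rather than bob, and a link whose products were edited after signing, which is the point of binding each step's record to an authorised signer.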

You can read more about the in-toto framework, its adopters, and the significance of the major release here. The story has also appeared in TexPlore.