in-toto project moves to the CNCF Incubator

The in-toto project was recently promoted to the incubator of the Cloud Native Computing Foundation. The announcement was made in a press release issued March 10, 2022. The CNCF is a Linux Foundation program that supports development of promising new open source technologies.

in-toto was developed in the Secure Systems Laboratory at NYU’s Tandon School of Engineering in 2015, under the guidance of lab director Dr. Justin Cappos. The CNCF promotion is an indication of the project’s growing maturity. It marks the fulfillment of a number of criteria, including adoption by other projects and active participation from multiple organizations.

“I am very excited to see in-toto grow into CNCF incubation. Not only because of what it means for the project, but for all the doors that it opens for new contributors, synergies with other CNCF projects and the ability to tackle new and open questions with regards to supply chain security, in the cloud or otherwise,” states Dr. Santiago Torres Arias, who served as a lead developer on in-toto while completing his doctorate at New York University. Now an assistant professor at Purdue University, Torres Arias continues, “On a personal level, I can’t overstate the uniqueness of in-toto’s case, for it is not only an open source project, but one of the few that come from the academic world into the broader public with fresh ideas and a bold proposition to solve the problem at an ecosystem level. I can’t wait to see what’s to come for in-toto in the coming years.”

Since its inception, in-toto has been adopted or integrated into a number of major open source software projects. These include several within the CNCF and the Open Source Security Foundation, as well as Grafeas, Kubesec, rebuilderd, and Sigstore’s Cosign. It is part of crucial security projects, such as Reproducible Builds. The project has been adopted in production by Datadog, which has used it to secure its pipelines since 2019, and SolarWinds, which redesigned its build pipelines after the SUNBURST attack came to light.

The in-toto development team also includes NYU Tandon alumnus Dr. Trishank Karthik Kuppusamy, now Engineering Manager at Datadog; developer Lukas Pühringer; and current Ph.D. candidate Aditya Sirish A Yelgundhalli.

A longer article about the promotion, which provides additional information on in-toto, its development team, and the significance of the CNCF promotion, will be available shortly on the Secure Systems Laboratory website.