Version 1.0 of in-toto Adds Security to Software Supply Chain

Researchers from NYU Tandon School of Engineering have released the first major version of in-toto, an open source tool that provides developers with a way to verify integrity at each step of software development and deployment.

According to the announcement, in-toto is a free, easy-to-use framework that “cryptographically ensures the integrity of the software supply chain.” It was originally developed in 2016 by Justin Cappos and Santiago Torres-Arias. Since then, in-toto has been integrated into several major open source software projects, including those hosted by the Cloud Native Computing Foundation (CNCF).

With in-toto, organizations can establish rules and protocols that must be followed during each step of software development. “By requiring that each step in this chain conforms to the layout specified by the developer, it confirms to the end user that the product has not been altered for malicious purposes, such as by adding backdoors in the source code,” said Torres-Arias.
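To make the layout-and-links model concrete, the following is an added, self-contained Python illustration written for this article; it is not in-toto's own code, API or metadata format. It models a two-step chain (clone, then package): the layout names each step, the functionary allowed to perform it, and a rule that the material consumed by `package` must match the product recorded by `clone`. Each step emits a signed "link" record of artifact hashes. Signatures are simulated with HMAC over canonical JSON (real in-toto uses asymmetric keys and also verifies the layout's own signature, expiration and inspections); the step names, functionary names, key material and file contents are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed sample artifacts (not from the article): source file and the package built from it.
SOURCE = b"def main():\n    print('hello')\n"
PACKAGE = b"PKG:" + SOURCE

# Constructed per-functionary secrets standing in for real signing keys.
KEYS = {"alice": b"alice-secret", "bob": b"bob-secret"}

# Hypothetical layout: ordered steps, who may run them, and artifact rules.
# MATCH <artifact> <step> means: my material must equal the product <step> recorded.
LAYOUT = {
    "steps": [
        {"name": "clone", "functionary": "alice",
         "expected_products": [("CREATE", "main.py")]},
        {"name": "package", "functionary": "bob",
         "expected_materials": [("MATCH", "main.py", "clone")],
         "expected_products": [("CREATE", "app.pkg")]},
    ]
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign(key: bytes, payload: dict) -> str:
    # Stand-in signature: HMAC over canonical JSON of the signed portion.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def make_link(step_name: str, key: bytes, materials: dict, products: dict) -> dict:
    # A link records what a step consumed (materials) and produced (products) by hash.
    signed = {
        "_type": "link",
        "name": step_name,
        "materials": {name: sha256(content) for name, content in materials.items()},
        "products": {name: sha256(content) for name, content in products.items()},
    }
    return {"signed": signed, "signature": sign(key, signed)}


def verify(layout: dict, links: dict, keys: dict):
    """Return (ok, reason): checks each step's signature, authorized functionary,
    MATCH rules against the previous step's products, and required CREATE products."""
    for step in layout["steps"]:
        link = links.get(step["name"])
        if link is None:
            return False, f"missing link for step {step['name']}"
        # Only the functionary named in the layout may sign this step's link.
        expected_sig = sign(keys[step["functionary"]], link["signed"])
        if not hmac.compare_digest(expected_sig, link["signature"]):
            return False, f"bad signature on step {step['name']}"
        for rule in step.get("expected_materials", []):
            if rule[0] == "MATCH":
                _, artifact, src_step = rule
                src_products = links[src_step]["signed"]["products"]
                if link["signed"]["materials"].get(artifact) != src_products.get(artifact):
                    return False, f"{artifact} changed between {src_step} and {step['name']}"
        for rule in step.get("expected_products", []):
            if rule[0] == "CREATE" and rule[1] not in link["signed"]["products"]:
                return False, f"step {step['name']} did not produce {rule[1]}"
    return True, "supply chain verified"


def honest_chain():
    links = {
        "clone": make_link("clone", KEYS["alice"], {}, {"main.py": SOURCE}),
        "package": make_link("package", KEYS["bob"], {"main.py": SOURCE}, {"app.pkg": PACKAGE}),
    }
    return verify(LAYOUT, links, KEYS)


def tampered_chain():
    # The source was altered after clone and before package; the MATCH rule catches it.
    modified = SOURCE + b"# unexpected change\n"
    links = {
        "clone": make_link("clone", KEYS["alice"], {}, {"main.py": SOURCE}),
        "package": make_link("package", KEYS["bob"], {"main.py": modified}, {"app.pkg": PACKAGE}),
    }
    return verify(LAYOUT, links, KEYS)


def unauthorized_chain():
    # The package link was signed by alice, who is not the functionary for that step.
    links = {
        "clone": make_link("clone", KEYS["alice"], {}, {"main.py": SOURCE}),
        "package": make_link("package", KEYS["alice"], {"main.py": SOURCE}, {"app.pkg": PACKAGE}),
    }
    return verify(LAYOUT, links, KEYS)


if __name__ == "__main__":
    for name, check in [("honest", honest_chain), ("tampered", tampered_chain),
                        ("unauthorized", unauthorized_chain)]:
        print(name, check())
```

The point of the MATCH rule is the one Torres-Arias describes: an artifact that was changed between two steps no longer hashes to what the earlier step recorded, so the end user's verification fails instead of silently accepting the modified product.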

With the release of version 1.0, “in-toto has reached a level of maturity where its developers can ensure its quality and guarantee its security to potential adopters,” the announcement said.