BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//pretalx.coscup.org//coscup-2026//talk//KWJXTJ
BEGIN:VTIMEZONE
TZID:CST
BEGIN:STANDARD
DTSTART:20000101T000000
RRULE:FREQ=YEARLY;BYMONTH=1
TZNAME:CST
TZOFFSETFROM:+0800
TZOFFSETTO:+0800
END:STANDARD
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-coscup-2026-KWJXTJ@pretalx.coscup.org
DTSTART;TZID=CST:20260808T142000
DTEND;TZID=CST:20260808T145000
DESCRIPTION:You probably heard that SBOMs are helpful\, but did you know th
 at an SBOM only addresses a fraction of what can go wrong in your software
  supply chain? The SLSA (Supply Chain Levels for Software Artifacts) speci
 fication identifies 9 distinct threat areas\, spanning from source code\, 
 all the way to package distribution. Most development teams address one or
  two of these and call it a day\, leaving gaps that real-world attacks lik
 e SolarWinds and Log4J have already exploited. We understand that it is di
 fficult to cover all aspects when it comes to the software supply chain.\n
 \nHow about we make this much easier? In this talk\, we will present an ov
 erview of the modern software supply chain threat model\, and show how you
  can provide integrity throughout the whole process of your software devel
 opment life cycle. We will introduce an easy-to-setup\, end-to-end open so
 urce stack\, built from frameworks and tools within the CNCF/OpenSSF ecosy
 stem.\n\nWe will cover:\n- gittuf - A security layer for Git repositories\
 n- in-toto - Cryptographically verifiable attestations that capture what a
 ctually happens during your build process\n- SBOMit - Generate verifiable 
 and accurate SBOMs that embed in-toto attestations\n- TUF - A framework fo
 r securing package updates\n\nThis talk aims to demystify software supply 
 chain security beyond SBOMs\, and provide a more holistic view. Our live d
 emo will show a pragmatic way to get started\, aiming to lower the entry b
 arrier for open source maintainers and adopters alike.
DTSTAMP:20260713T142757Z
LOCATION:TR513
SUMMARY:SBOMs Aren't Enough. Secure Your Software Supply Chain End-To-End -
  Yongjae Chung\, Justin Cappos
URL:https://pretalx.coscup.org/coscup-2026/talk/KWJXTJ/
END:VEVENT
END:VCALENDAR
