<!DOCTYPE html>
<html>
<head>
<meta charset='utf-8' />
<meta http-equiv="X-UA-Compatible" content="chrome=1" />
<meta name="description" content="in-toto: A framework to secure the integrity of software supply chains" />
<link rel="icon" href="favicon.ico" type="image/x-icon">
<link rel="stylesheet" type="text/css" media="screen" href="stylesheets/stylesheet.css">
<title>in-toto</title>
</head>
<body>
<!-- HEADER -->
<div id="header_wrap" class="outer">
<header class="inner">
<a id="forkme_banner" href="https://github.com/in-toto/in-toto">View on GitHub</a>
<h1 id="project_title">in-toto</h1>
<h2 id="project_tagline">A framework to secure the integrity of software supply chains</h2>
<section id="downloads">
<a class="zip_download_link" href="https://github.com/in-toto/in-toto/zipball/master">Download this project as a .zip file</a>
<a class="tar_download_link" href="https://github.com/in-toto/in-toto/tarball/master">Download this project as a tar.gz file</a>
</section>
</header>
</div>
<!-- MAIN CONTENT -->
<div id="main_content_wrap" class="outer">
<section id="main_content" class="inner">
<p>
A software supply chain is the series of steps performed when writing,
testing, packaging, and distributing software. A typical software
supply chain is composed of multiple steps "chained" together that
transform (e.g., compilation) or verify the state (e.g., linting) of
the project in order to drive it to a final product.
</p>
<p>
Supply chain security is crucial to the overall security of a software
product. An attacker who is able to control a step in the supply chain
can alter the product for malicious ends that range from introducing
backdoors in the source code to including vulnerable libraries in the
final product. As a result, supply chain breaches are an impactful
means for an attacker to affect multiple users at once.
</p>
<p>
Although many frameworks exist to ensure security in the "last mile"
(e.g., software updaters), they may be providing integrity and
authentication to a product that is already vulnerable; it is possible
that, by the time the package makes it to a software update repository,
it has already been compromised.
</p>
<p>
in-toto is designed to ensure the integrity of a software product from
initiation to end-user installation. It does so by making it
transparent to the user what steps were performed, by whom, and in what
order. As a result, with some guidance from the group creating the
software, in-toto allows the user to verify whether a step in the supply chain
was intended to be performed, and whether the step was performed by the
right actor.
</p>
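<p>
The paragraph above describes the two checks in-toto lets a user make: that each recorded step was one the project intended, and that it was carried out by the right actor. The following added example (written for this page, not code from the in-toto project or its reference implementation) models that idea in miniature. It assumes a hypothetical, simplified layout format and uses HMAC with per-functionary secrets as a stand-in for the public-key signatures in-toto actually uses, so that it runs with only the Python standard library. All keys, file contents, and step names are constructed sample values.
</p>

```python
import hashlib
import hmac
import json

# Constructed sample keys. Real in-toto uses asymmetric signatures
# (e.g. ed25519); HMAC with a per-functionary secret stands in here so the
# example runs offline with the standard library only.
FUNCTIONARY_KEYS = {
    "alice": b"alice-secret",
    "bob": b"bob-secret",
    "mallory": b"mallory-secret",  # not authorized for any step in the layout
}

# Hypothetical simplified layout: the expected steps in order, who may perform
# each one, and which artifacts must flow from one step into the next.
LAYOUT = {
    "steps": [
        {"name": "clone", "authorized": ["alice"], "materials": [], "products": ["src/main.c"]},
        {"name": "build", "authorized": ["bob"], "materials": ["src/main.c"], "products": ["app"]},
    ]
}


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(body: dict) -> bytes:
    # Deterministic serialization so signer and verifier hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_link(step: str, functionary: str, materials: dict, products: dict) -> dict:
    """Link metadata: what a step consumed, what it produced, and who attests to it."""
    body = {
        "step": step,
        "by": functionary,
        "materials": {path: _digest(data) for path, data in materials.items()},
        "products": {path: _digest(data) for path, data in products.items()},
    }
    sig = hmac.new(FUNCTIONARY_KEYS[functionary], _canonical(body), "sha256").hexdigest()
    return {"signed": body, "sig": sig}


def verify(layout: dict, links: list) -> tuple:
    """Check link metadata against the layout; returns (True, "ok") or (False, reason).

    In layout order: every expected step has a link, the link was signed by an
    authorized functionary with a valid signature, the expected products are
    present, and each step's materials carry the same hashes as the products
    of the step before it (so nothing was substituted between steps).
    """
    by_step = {link["signed"]["step"]: link for link in links}
    previous_products = {}
    for step in layout["steps"]:
        link = by_step.get(step["name"])
        if link is None:
            return False, f"missing link for step {step['name']}"
        body = link["signed"]
        signer = body["by"]
        if signer not in step["authorized"]:
            return False, f"step {step['name']} performed by unauthorized {signer}"
        expected = hmac.new(FUNCTIONARY_KEYS[signer], _canonical(body), "sha256").hexdigest()
        if not hmac.compare_digest(expected, link["sig"]):
            return False, f"bad signature on step {step['name']}"
        if set(body["products"]) != set(step["products"]):
            return False, f"unexpected products for step {step['name']}"
        for path in step["materials"]:
            if body["materials"].get(path) != previous_products.get(path):
                return False, f"material {path} of {step['name']} does not match upstream product"
        previous_products = body["products"]
    return True, "ok"


def demo_chains() -> tuple:
    """One honest chain and two tampered ones; returns their three verification results."""
    source = b"int main(void) { return 0; }\n"      # constructed sample file
    binary = b"\x7fELF-constructed-binary"           # constructed sample product
    honest = [
        sign_link("clone", "alice", {}, {"src/main.c": source}),
        sign_link("build", "bob", {"src/main.c": source}, {"app": binary}),
    ]
    # The build consumed a source file that differs from what clone produced.
    swapped = [honest[0], sign_link("build", "bob", {"src/main.c": b"/* substituted */\n"}, {"app": binary})]
    # The build was performed by someone the layout does not authorize.
    impostor = [honest[0], sign_link("build", "mallory", {"src/main.c": source}, {"app": binary})]
    return verify(LAYOUT, honest), verify(LAYOUT, swapped), verify(LAYOUT, impostor)


if __name__ == "__main__":
    for label, result in zip(("honest", "swapped", "impostor"), demo_chains()):
        print(f"{label}: {result}")
```

<p>
Running the module prints one line per chain: the honest chain verifies, the chain whose build step consumed a substituted source fails the material-to-product match, and the chain whose build step was signed by an unauthorized functionary is rejected before its contents are even compared.
</p>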
<p>
You can read more about in-toto's internals in our <a href="https://github.com/in-toto/docs/raw/master/in-toto-spec.pdf">latest</a>
or <a href="https://github.com/in-toto/docs/blob/v0.9/in-toto-spec.pdf">stable</a> specification.
</p>
</section>
<section id="faq" class="inner">
<h3>Frequently Asked Questions</h3>
<strong>Where can I read more about in-toto?</strong><br/>
You can read more about how in-toto works by taking a look at our <a
href="https://github.com/in-toto/docs/blob/v0.9/in-toto-spec.pdf">specification</a>.
<br/>
<br/>
<strong>Where can I try in-toto?</strong><br/>
We have an open-source reference implementation, which is still
under heavy development. You can also try our demo application <a
href="https://github.com/in-toto/in-toto/tree/develop/demo">here</a>.
<br/><br/>
</section>
<section id="news" class="inner">
<h3>News</h3>
<table>
<tr>
<td> 14/10/16 </td>
<td>
We presented a demo of in-toto in the <a href="https://blog.docker.com/2016/10/docker-distributed-system-summit-videos-podcast-episodes/">Docker Distributed System Summit</a>. You can watch the video <a href="https://youtu.be/Aryr0O6H_2U?t=25m58s">here</a>.
</td>
</tr>
<tr>
<td> 07/10/16 </td>
<td>
We are live! Please check back soon for more updates.
</td>
</tr>
</table>
</section>
</div>
<!-- FOOTER -->
<div id="footer_wrap" class="outer">
<footer class="inner">
<p class="copyright">
in-toto is maintained by <a
href="https://github.com/in-toto/">The in-toto
team</a>, a group of researchers and developers from <a
href="https://engineering.nyu.edu">New York University</a> and <a
href="https://njit.edu">New Jersey Institute of Technology</a>.
</p>
<p class="acknowledgements">
This research was supported by the Defense Advanced Research
Projects Agency (DARPA) and the Air Force Research Laboratory
(AFRL). Any opinions, findings, and conclusions or recommendations
expressed in this material are those of the authors and do not
necessarily reflect the views of DARPA and AFRL. The United States
Government is authorized to reproduce and distribute reprints
notwithstanding any copyright notice herein.
</p>
</footer>
</div>
</body>
</html>