Summary: The software development process, or software supply chain, is quite complex and involves a number of independent actors. Due to this ever-growing complexity has led to various software supply chain compromises: from XCodeGhost injecting malware on millions of apps, to the highly-publicized SolarWinds Compromise. In this talk, Santiago will introduce various research challenges, as well as attempts from both Open Source and Industry --- such as SigStore, CoSign and in-toto --- to protect millions of users across the globe. About the speaker: Dr. Torres-Arias' current research focuses on securing the software development life-cycle. Previously, his research focused on secure password storage mechanisms and update systems. He is the team lead of in-toto, a framework to secure the software development life-cycle, as well as PolyPasswordHasher, a password storage mechanism that's incredibly resilient to offline password cracking. He also contributes to The Update Framework (TUF), which is the software update system being integrated on a variety of projects like Docker, CPAN, and others.
