ADDO On Demand

Attestations 101: Compliance as Code for Supply Chain

This session will detail how attestations are used to prove software is being built as intended. Joseph Yankel from the Software Engineering Institute at Carnegie Mellon University will present the topic using open-source tools, real code examples, and use cases, along with the techniques for implementing attestations in CI pipelines. There are plenty of code examples and products that give information about supply chain security or fulfill a particular need, but this session will discuss what is not being discussed: the cultural and organizational adjustments that are necessary to implement attestations. This session will demonstrate clear use cases and solutions for implementing attestations, and discuss how developer, infrastructure/ops, and cyber personnel must work together to create the artifacts that are used in the attestation generation process. You will leave this presentation with a clearer understanding of how powerful attestations can be, and you will also come to realize how your own role may need to change if it is part of the process.

Featured Speaker

Joseph Yankel

Software Engineering Institute at Carnegie Mellon University