Enable javascript in your browser for better experience. Need to know to enable it? Go here.
Published : Nov 20, 2019
This blip is not on the current edition of the Radar. If it was on one of the last few editions, it is likely that it is still relevant. If the blip is older, it might no longer be relevant and our assessment might be different today. Unfortunately, we simply don't have the bandwidth to continuously review blips from previous editions of the Radar. Understand more
Nov 2019
Assess ?

We're seeing increased use of Binary attestation for securing the software supply chain, particularly within regulated industries. The currently favored approaches seem to involve either building a custom system for implementing the binary verification or relying on a cloud vendor's service. We're encouraged to see the open-source in-toto enter this space. in-toto is a framework for cryptographically verifying every component and step along the path to production for a software artifact. The project includes a number of integrations into many widely used build, container auditing and deployment tools. A software supply chain tool can be a critical piece of an organization's security apparatus, so we like that as an open-source project, in-toto's behavior is transparent, and its own integrity and supply chain can be verified by the community. We'll have to wait and see if it'll gain a critical mass of users and contributors to compete in this space.

Download the PDF



English | Español | Português | 中文

Sign up for the Technology Radar newsletter


Subscribe now

Visit our archive to read previous volumes