top | item 38256797

colek42 | 2 years ago

I think if we can sufficiently isolate the build process we can solve this problem. Lots of opportunity with our project Witness to add extra isolation. It is something we are working on. However, the real supply chain security "business problem" is just tracking everything in a standardized way. This is what the in-toto project helps with. I wrote about it here: https://www.cncf.io/blog/2023/08/17/unleashing-in-toto-the-a.... We also wrote Witness and Archivista to help solve this problem. We have lots of work to do. https://github.com/in-toto/witness

Full disclosure, I am a member of the steering committee for in-toto and the CEO of TestifySec which is the main contributor to Witness.

fyokdrigd | 2 years ago

How much experience do you have with embedded? From small IoT white-label products like small business alarm systems to behemoths like Samsung... the only constant is that they ship whatever, and the lowest interns handle the build.

colek42 | 2 years ago

Step one is actually wanting to improve security. Those IoT companies have no motivator. Most of our business is with Federal/Defense and Finance. Those companies will only change if liability changes or the regulatory environment forces them to.