Deep Dive: TUF
Talk Title | Deep Dive: TUF |
Speakers | Justin Cappos (Professor, NYU), Trishank Kuppusamy (Chief Security Solutions Engineer, Datadog) |
Conference | KubeCon + CloudNativeCon North America |
Location | Seattle, WA, USA |
Date | Dec 9-14, 2018 |
URL | Talk Page |
Slides | Talk Slides |
When VCS systems, build pipelines, or signing servers are compromised, attackers get to distribute malicious versions to millions of unsuspecting users. We present how Datadog used TUF and in-toto to develop, to the best of our knowledge, the industry’s first end-to-end verified pipeline that automatically builds integrations for the Datadog agent. That is, even if this pipeline is compromised, users should not be able to install malware. We will show a demonstration of our pipeline in production being used to protect users of the Datadog agent, and describe how you can use TUF + in-toto to secure your own pipeline.