Bro, Do You Even Supply Chain? How to Actually Secure Your Software Supply Chain
by Plamen Petkov, Cognyte
16:15 – 16:45
The software supply chain security market is exploding. Vendors are raising hundreds of millions of dollars to sell dashboards, agents, and continuous scanning.
But here’s the uncomfortable truth: almost none of these tools solve the core problem.
Despite massive investment, most organizations still cannot answer a basic question:
Can my customers independently prove that this binary came from the source code I claim it came from?
This talk addresses the elephant in the room. We’ll cut through vendor hype and show how to implement real, end-to-end software supply chain security using 100% free and open source tools.
We’ll walk through how to use SLSA and in-toto to generate signed attestations and verify them at every stage of the pipeline, from source commit, through build, to customer delivery, so that each shipped artifact is bound by hash to a provenance statement naming the builder and the source commit it was built from. The focus is on verifiable provenance, not marketing claims: no subscriptions, no lock-in, and no reliance on vendor-controlled platforms.
Attendees will see a complete, practical workflow for producing artifacts that customers can independently verify, using open standards and tools that are available today.
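The customer-side check the abstract promises, as an added example that is not from the talk or the speaker: an in-toto Statement carrying a SLSA v1 provenance predicate is wrapped in a DSSE envelope by the builder, and the verifier checks the signature first, then that the artifact's sha256 is among the attested subjects, then that the builder identity and source commit are the expected ones. The artifact bytes, artifact name, source URI, commit, builder ID and key are all constructed for the example. One substitution is made so the block runs on the standard library alone: the DSSE signature is an HMAC-SHA256 over the real DSSE pre-authentication encoding, where in-toto and SLSA tooling would use an asymmetric key and the verifier would hold only the builder's public key.

```python
import base64
import hashlib
import hmac
import json

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
PROVENANCE_TYPE = "https://slsa.dev/provenance/v1"
PAYLOAD_TYPE = "application/vnd.in-toto+json"

# Constructed sample inputs, not real project values.
ARTIFACT = b"\x7fELF constructed release binary bytes"
ARTIFACT_NAME = "myapp-1.2.3-linux-amd64"
SOURCE_URI = "git+https://example.invalid/org/myapp"
SOURCE_COMMIT = "0123456789abcdef0123456789abcdef01234567"
BUILDER_ID = "https://example.invalid/ci/builder@v1"
# Stand-in for the builder's signing key. Real DSSE envelopes are signed with
# asymmetric keys (e.g. ed25519 via in-toto or sigstore); HMAC-SHA256 is used
# here only so the example runs offline with the standard library.
BUILDER_KEY = b"constructed-builder-signing-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_provenance_statement(artifact: bytes, name: str) -> dict:
    """in-toto Statement whose predicate is SLSA v1 provenance: the subject
    binds it to the artifact by digest, the predicate records builder and source."""
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": name, "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": PROVENANCE_TYPE,
        "predicate": {
            "buildDefinition": {
                "buildType": "https://example.invalid/build-types/ci@v1",
                "externalParameters": {
                    "source": {"uri": SOURCE_URI, "digest": {"gitCommit": SOURCE_COMMIT}}},
            },
            "runDetails": {"builder": {"id": BUILDER_ID}},
        },
    }


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the bytes that are actually signed."""
    return b" ".join([b"DSSEv1", str(len(payload_type)).encode(), payload_type.encode(),
                      str(len(payload)).encode(), payload])


def sign_envelope(statement: dict, key: bytes) -> dict:
    payload = json.dumps(statement, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {"payloadType": PAYLOAD_TYPE,
            "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": "builder-key-1", "sig": base64.b64encode(sig).decode()}]}


def verify_provenance(envelope: dict, artifact: bytes, key: bytes, expected_builder: str,
                      expected_source: str, expected_commit: str) -> tuple:
    """Customer-side check. The signature is verified before any field is trusted."""
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(key, pae(envelope["payloadType"], payload), hashlib.sha256).digest()
    if not any(hmac.compare_digest(base64.b64decode(s["sig"]), expected)
               for s in envelope.get("signatures", [])):
        return False, "signature does not verify against the trusted builder key"
    stmt = json.loads(payload)
    if stmt.get("_type") != STATEMENT_TYPE or stmt.get("predicateType") != PROVENANCE_TYPE:
        return False, "not a SLSA v1 provenance statement"
    digest = sha256_hex(artifact)
    if not any(s.get("digest", {}).get("sha256") == digest for s in stmt.get("subject", [])):
        return False, "artifact digest is not among the attested subjects"
    pred = stmt["predicate"]
    if pred["runDetails"]["builder"]["id"] != expected_builder:
        return False, "built by an unexpected builder"
    src = pred["buildDefinition"]["externalParameters"]["source"]
    if src["uri"] != expected_source or src["digest"]["gitCommit"] != expected_commit:
        return False, "provenance does not point at the expected source commit"
    return True, "ok"


def tamper_payload(envelope: dict, new_commit: str) -> dict:
    """Rewrite the attested commit without re-signing: what an attacker
    who lacks the builder key can do to a published attestation."""
    stmt = json.loads(base64.b64decode(envelope["payload"]))
    stmt["predicate"]["buildDefinition"]["externalParameters"]["source"]["digest"]["gitCommit"] = new_commit
    payload = json.dumps(stmt, separators=(",", ":"), sort_keys=True).encode()
    return {**envelope, "payload": base64.b64encode(payload).decode()}


def demo() -> dict:
    env = sign_envelope(make_provenance_statement(ARTIFACT, ARTIFACT_NAME), BUILDER_KEY)

    def check(artifact, envelope, builder=BUILDER_ID):
        return verify_provenance(envelope, artifact, BUILDER_KEY, builder, SOURCE_URI, SOURCE_COMMIT)

    return {"genuine": check(ARTIFACT, env),
            "swapped_binary": check(ARTIFACT + b"\x00backdoor", env),
            "wrong_builder": check(ARTIFACT, env, "https://example.invalid/ci/other@v1"),
            "edited_provenance": check(ARTIFACT, tamper_payload(env, "f" * 40))}


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:18} {'PASS' if ok else 'FAIL'}: {reason}")
```

The order of checks is the point: a verifier that reads the builder ID or subject digest out of the payload before checking the envelope signature is trusting attacker-controlled JSON, and a verifier that checks the signature but never compares the subject digest to the bytes it actually downloaded has proved nothing about the binary in hand. Both the swapped binary and the edited provenance are rejected above for exactly those reasons.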