"Securing the Software Supply Chain"

Justin Cappos, NYU

Monday, April 24, 2017 at 10:30 A.M.

Room 506 (CIT 5th Floor)

Time and time again, hackers have broken into and tampered with software distributed by major companies. Such tampering is not confined to a single point in a company's infrastructure; it can occur in the version control system, build system, testing process, software repository, or anywhere in between.

This talk introduces in-toto, an early-stage research project to ensure the integrity of the supply chain as a whole. In-toto grants the end user the ability to verify the integrity of the project from inception to installation on their device. In-toto is being used in production by several open source projects. This talk will include a live demonstration.

Justin Cappos is a tenure-track assistant professor in the Computer Science and Engineering department at New York University. Justin's research philosophy focuses on improving real-world systems, often by addressing issues that arise in practical deployments.

His dissertation work was on Stork, the first package manager designed for environments that use operating system virtualization, such as cloud computing. Improvements in Stork, particularly relating to security, have been widely adopted and are used on the majority of Linux systems. His research advances are used in production in a variety of other widely used software, including git, Python, and Docker. Due to the practical impact of his research, Justin has received several awards, including being named to Popular Science's Brilliant 10 list in 2013. More information is available at

Host: Rodrigo Fonseca