Enhancing Open Source Software Integrity
Securing the Open Source Ecosystem
At Open Source Summit Seattle 2024, Mikhail Swift, CTO and Co-founder of TestifySec, gave an interview on the critical need for software integrity in the open source ecosystem. As supply chain attacks increasingly target open source dependencies, Mikhail explains how attestations and policy enforcement can provide the security guarantees that modern software development demands.
This interview goes beyond theoretical security concepts to address practical challenges that developers face every day. How do you sign software without disrupting workflows? How do you manage keys across distributed teams? How do you verify the integrity of dependencies without slowing down builds? Mikhail provides answers based on real-world implementations at scale.
From Witness to Enterprise Solutions
As the creator of Witness, an open source implementation of the in-toto specification, Mikhail brings unique insights into both the technical and cultural challenges of securing software supply chains. He discusses how TestifySec bridges the gap between open source tools and enterprise needs, making advanced security practices accessible to organizations of all sizes.
The conversation covers the evolution of software supply chain security, from early signing efforts to modern attestation frameworks, and looks ahead to emerging standards and practices that will shape the future of secure software development.
Key Takeaways
Open source software requires the same integrity guarantees as proprietary code - transparency alone is not security, because being able to read the source does not tell you that the artifact you actually run was built from it
Attestations are signed statements, produced at each step of the development lifecycle, that record what was done and to which artifacts (identified by digest); together they give cryptographic proof of software provenance that a verifier can check
Key management remains one of the biggest challenges in implementing software signing at scale
Policy engines allow organizations to enforce security requirements without slowing down development
The open source community is converging on standards like in-toto and SLSA for supply chain security
Integration with existing development workflows is crucial for adoption of security tools
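To make the attestation and policy-enforcement takeaways concrete, here is an added example written for this page; it is not Witness's code and not code from the interview. It builds an in-toto Statement (v1 format) for a constructed artifact, wraps it in a DSSE envelope signed with Ed25519 from Go's standard library (Go because that is the language Witness itself is written in), and then applies a small policy: every predicate type the policy lists must be attested, each attestation must carry a valid signature from a key the policy trusts for that type, and each must name the artifact's sha256 as a subject. The predicate type `https://example.com/build/v1`, the predicate body, the artifact bytes and the `app` subject name are all placeholders of this example, not anything from TestifySec or in-toto.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

const (
	statementType  = "https://in-toto.io/Statement/v1"
	payloadType    = "application/vnd.in-toto+json"
	buildPredicate = "https://example.com/build/v1" // placeholder predicate type; an assumption of this example, not a standard
)

// Statement is the in-toto Statement layer: it binds artifact digests (subjects) to a predicate.
type Statement struct {
	Type          string          `json:"_type"`
	Subject       []Subject       `json:"subject"`
	PredicateType string          `json:"predicateType"`
	Predicate     json.RawMessage `json:"predicate"`
}
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// Envelope is a DSSE envelope: the base64 statement plus detached signatures (DSSE's optional keyid is omitted here).
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}
type Signature struct{ Sig string `json:"sig"` }

// pae is DSSE's pre-authentication encoding; signing it rather than the raw payload also binds the payload type.
func pae(typ string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(typ), typ, len(payload), payload))
}

// Attest builds a build-step statement naming the artifact's sha256 and signs it with an Ed25519 key.
func Attest(artifact []byte, priv ed25519.PrivateKey) (Envelope, error) {
	st := Statement{Type: statementType, PredicateType: buildPredicate,
		Subject:   []Subject{{Name: "app", Digest: map[string]string{"sha256": fmt.Sprintf("%x", sha256.Sum256(artifact))}}},
		Predicate: json.RawMessage(`{"builder":"ci-runner-7"}`)} // constructed predicate body
	payload, err := json.Marshal(st)
	if err != nil {
		return Envelope{}, err
	}
	sig := base64.StdEncoding.EncodeToString(ed25519.Sign(priv, pae(payloadType, payload)))
	return Envelope{PayloadType: payloadType, Payload: base64.StdEncoding.EncodeToString(payload),
		Signatures: []Signature{{Sig: sig}}}, nil
}

// Policy maps each required predicate type to the public keys trusted to sign it.
type Policy map[string][]ed25519.PublicKey

// Verify admits an artifact only if every predicate type in the policy is attested, each attestation carries a
// valid signature from a key trusted for its type, and each names the artifact's sha256 as a subject.
func Verify(p Policy, artifact []byte, envs []Envelope) error {
	want := fmt.Sprintf("%x", sha256.Sum256(artifact))
	satisfied := map[string]bool{}
	for i, env := range envs {
		payload, err := base64.StdEncoding.DecodeString(env.Payload)
		var st Statement
		if err != nil || env.PayloadType != payloadType || json.Unmarshal(payload, &st) != nil || st.Type != statementType {
			return fmt.Errorf("envelope %d: not a well-formed DSSE/in-toto attestation", i)
		}
		signed, covers := false, false
		for _, s := range env.Signatures {
			raw, err := base64.StdEncoding.DecodeString(s.Sig)
			for _, pub := range p[st.PredicateType] { // an unlisted predicate type has no trusted keys, so it is rejected
				signed = signed || (err == nil && ed25519.Verify(pub, pae(env.PayloadType, payload), raw))
			}
		}
		for _, s := range st.Subject {
			covers = covers || s.Digest["sha256"] == want
		}
		if !signed || !covers {
			return fmt.Errorf("%s: trusted signature=%v, names artifact=%v", st.PredicateType, signed, covers)
		}
		satisfied[st.PredicateType] = true
	}
	if len(satisfied) != len(p) {
		return fmt.Errorf("policy requires %d attestation types, %d satisfied", len(p), len(satisfied))
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	artifact := []byte("constructed sample binary v1.0") // constructed stand-in for a built binary
	env, _ := Attest(artifact, priv)
	policy := Policy{buildPredicate: {pub}}
	fmt.Println("same artifact, trusted key:", Verify(policy, artifact, []Envelope{env}))
	fmt.Println("different artifact:", Verify(policy, []byte("tampered"), []Envelope{env}))
}
```

Two design points carry over to real deployments. The signature is computed over the DSSE pre-authentication encoding, so an attacker cannot replay a valid signature under a different payload type; and the verifier decides trust from the policy's key list per predicate type, never from anything inside the envelope, which is why an attestation signed by an unlisted key fails even though its signature is cryptographically valid. A production policy engine such as the one the interview describes also has to handle key distribution and rotation (the key-management takeaway above), which this example sidesteps by generating the key in-process.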
Watch the Full Presentation
30 minutes of insights on open source
About the Speaker
Mikhail Swift
Staff Engineer, Replicated
Mikhail Swift is the creator of Witness, an open source framework for software attestation, and continues to advance supply chain security at Replicated. With deep expertise in software supply chain security, CI/CD systems, and cryptographic verification, Mikhail has been instrumental in advancing the adoption of attestation-based security practices.
Mikhail has held senior engineering positions where he architected secure build and deployment systems for large-scale applications. His contributions to open source projects include Witness, in-toto, and various CNCF initiatives focused on supply chain security.
Mikhail is a regular speaker at conferences worldwide and contributes actively to security standards bodies. He holds a degree in Computer Science and is passionate about making security tools that developers actually want to use.