Chain Reaction: Remixing CNCF’s Supply Chain Security Guide for 2025

The original version of the CNCF Security TAG’s Supply Chain Security Best Practices was published in May 2021. To say “a lot has changed” since then would be a dramatic understatement—software supply chain attacks cost over $45 billion in 2023, with projections exceeding $80 billion by 2026.

In this talk, we'll take a whirlwind tour of the latest updates to the newly released second version of the Supply Chain Best Practices guide. One of the most significant changes is the increased adoption and maturity of SBOMs and attestations, supported by a rapidly growing ecosystem of tools for generating, verifying, and consuming this metadata.

We’ll explore how the open source community has responded to rising threats with a surge of new tools, improved standards, and broader best practice adoption—and how to chain these tools together for maximum impact.

We’ll showcase key open source projects from across the CNCF and OpenSSF ecosystems, including in-toto, TUF, SLSA, GUAC, bomctl, SBOMit, and protobom.

John Kjell

Principal Cloud Native Consultant - ControlPlane
