The CNCF Security TAG’s Supply Chain Security Best Practices Guide first launched in 2021, just as high-profile supply chain attacks were beginning to shake public and private sector software systems alike. In 2025, the importance of supply chain security has escalated significantly: in 2023, supply chain breaches resulted in damage exceeding $45 billion, and projections indicate that this damage could reach over $80 billion by 2026 (Juniper Research).

Open Source Summit EU will take place in Amsterdam from 25-27 August, 2025.

At Open Source Summit Europe this August in Amsterdam, CNCF TAG Security co-chair John Kjell (ControlPlane) will present a fresh perspective on the updated guide in his session:

🕒 Monday, August 25, 14:25–15:05 CEST
📍 Emerald Room
📚 Session: Chain Reaction: Remixing CNCF’s Supply Chain Security Guide for 2025

Why It Matters Now
Since 2021, the ecosystem around software supply chain security has exploded. SBOMs, attestations, and software integrity tooling have matured fast, and open source communities have kept pace, building standards, frameworks, and pipelines to detect and defend against tampering, dependency confusion, and unauthorized changes.

John’s talk dives into the most impactful updates in the second edition of CNCF’s guide, focusing on:

Projects You’ll Hear About
John will highlight key projects from the CNCF and OpenSSF ecosystem. At the event you'll hear from projects such as Bomctl, GUAC, in-toto, Protobom, SBOMit, SLSA, and TUF.

These tools help organizations automate and verify trust throughout their software lifecycle, protecting both proprietary infrastructure and shared open source components.

Also Catch: A Deep Dive into Public Sector Software Security
Immediately after this session, John will return to the stage to explore supply chain security from a public sector perspective:

🕒 Monday, August 25, 15:35–16:15 CEST
📍 Room G105
📚 Session: The Chain of Command: Building Trust Across Public Sector Software Pipelines

Drawing on the work of CNCF’s Public Sector User Group, this session looks at the real-world challenges facing government and regulated sector teams. From air-gapped environments to trust frameworks that span agencies and suppliers, John will unpack:

This talk builds on recent publications from the user group and aims to foster dialogue around scalable, equitable security strategies for public infrastructure.

About the CNCF Security TAG
CNCF’s Technical Advisory Group for Security (TAG Security) works to improve the security of cloud native applications, platforms, and supply chains. TAG Security produces best practices and threat modeling resources and collaborates across open source projects to elevate the state of secure infrastructure. Their work has led to essential guides, working groups, and contributions across the CNCF and OpenSSF ecosystems.

About the Speaker
John Kjell is principal consultant at ControlPlane, co-chair of CNCF’s TAG Security, and a maintainer of the in-toto subprojects Witness and Archivista. He’s also a familiar face in OpenSSF circles and formerly led open source at TestifySec. With years of hands-on experience building secure pipelines, John brings clarity and pragmatism to an often complex landscape.

Join the Conversation

Want to contribute to future work on supply chain security? You can get involved with CNCF TAG Security by joining a working group, attending an open meeting, or contributing to one of our guides or project assessments.

If you’re attending OSS EU, don’t miss this opportunity to engage with one of the lead contributors behind CNCF’s refreshed guidance on supply chain security. Mark your calendar for August 25!

🛡️ Security is a shared responsibility. Let’s build better chains together.
