The CNCF Security TAG’s Supply Chain Security Best Practices Guide first launched in 2021, just as high-profile supply chain attacks were beginning to shake public and private sector software systems alike. In 2025, the importance of supply chain security has escalated significantly: in 2023, supply chain breaches resulted in damage exceeding $45 billion, and projections indicate that this damage could reach over $80 billion by 2026 (Juniper Research).
At Open Source Summit Europe this August in Amsterdam, CNCF TAG Security co-chair John Kjell (ControlPlane) will present a fresh perspective on the updated guide in his session:
🕒 Monday, August 25, 14:25–15:05 CEST
📍 Emerald Room
📚 Session: Chain Reaction: Remixing CNCF’s Supply Chain Security Guide for 2025
Why It Matters Now
Since 2021, the ecosystem around software supply chain security has exploded. SBOMs, attestations, and software integrity tooling have matured fast, and open source communities have kept pace, building standards, frameworks, and pipelines to detect and defend against tampering, dependency confusion, and unauthorized changes.
John’s talk dives into the most impactful updates in the second edition of CNCF’s guide, focusing on:
- The role of SBOMs and attestations, now mainstream and backed by robust tooling
- Best practices for chaining together tools across the dev, build, and deploy lifecycle
- Concrete integrations between CNCF and OpenSSF projects that teams can use today
Projects You’ll Hear About
John will highlight key projects from the CNCF and OpenSSF ecosystem, including:
- Bomctl—a format-agnostic Software Bill of Materials (SBOM) tooling
- Graph for Understanding Artifact Composition (GUAC)—an open source supply chain security project that provides dependency management and actionable insights into the security of software supply chains
- in-toto—a framework to secure the integrity of software supply chains
- protobom—a format-neutral SBOM data representation and I/O library
- SBOMit—an SBOM format-independent method for attesting components with additional verification information.
- Supply-chain Levels for Software Artifacts (SLSA)—a set of incrementally adoptable guidelines for supply chain security, established by industry consensus
- The Update Framework (TUF)—a framework for securing software update systems
These tools help organizations automate and verify trust throughout their software lifecycle, protecting both proprietary infrastructure and shared open source components.
Also Catch: A Deep Dive into Public Sector Software Security
Immediately after this session, John will return to the stage to explore supply chain security from a public sector perspective:
🕒 Monday, August 25, 15:35–16:15 CEST
📍 Room G105
📚 Session: The Chain of Command: Building Trust Across Public Sector Software Pipelines
Drawing on the work of CNCF’s Public Sector User Group, this session looks at the real-world challenges facing government and regulated sector teams. From air-gapped environments to trust frameworks that span agencies and suppliers, John will unpack:
- Current challenges in public sector supply chain security
- Emerging needs for trust, attestations, and integration
- Ideas for equitable, scalable solutions across supplier sizes
This talk builds on recent publications from the user group and aims to foster dialogue around scalable, equitable security strategies for public infrastructure.
About the CNCF Security TAG
CNCF’s Technical Advisory Group for Security (TAG Security) works to improve the security of cloud native applications, platforms, and supply chains. TAG Security produces best practices and threat modeling resources and collaborates across open source projects to elevate the state of secure infrastructure. Their work has led to essential guides, working groups, and contributions across the CNCF and OpenSSF ecosystems.
About the Speaker
John Kjell is principal consultant at ControlPlane, co-chair of CNCF’s TAG Security, and a maintainer of the in-toto subprojects Witness and Archivista. He’s also a familiar face in OpenSSF circles and formerly led open source at TestifySec. With years of hands-on experience building secure pipelines, John brings clarity and pragmatism to an often complex landscape.
Join the Conversation
Want to contribute to future work on supply chain security? You can get involved with CNCF TAG Security by joining a working group, attending an open meeting, or contributing to one of our guides or project assessments.
If you’re attending OSS EU, don’t miss this opportunity to engage with one of the lead contributors behind CNCF’s refreshed guidance on supply chain security. Mark your calendar for August 25!
🛡️ Security is a shared responsibility. Let’s build better chains together.
