From Integrity to Trust: Rethinking Software Supply Chain Security
This presentation explains why software supply chain security must evolve beyond hashes, code signing, SBOMs, and compliance artifacts toward continuous, evidence-based trust. The slides cover where supply chain risks enter the SDLC, why integrity alone does not prove software is trustworthy, and how correlated trust signals—such as SBOMs, testing, vulnerabilities, provenance, and attestations—can support real operational decisions like deployment, blocking, runtime enforcement, and monitoring.