The barriers to entry for accessing, integrating, and ultimately consuming open-source software are being lowered every day. Between the burgeoning ecosystem of open-source libraries, which contribute between 70 and 90% of deployed code today (per the Linux Foundation), and the emergence of large language models (LLMs) as a force for productivity (contributing well over 40% of new code being submitted, according to GitHub), the volume of code being built and deployed by enterprise companies continues to increase dramatically.
At the same time, the software security landscape continues to evolve. The last few years have seen the emergence of exploits developed by sophisticated hostile actors that directly target the software supply chain, i.e. the environments in which developers innovate and build new capabilities. Left unchecked, we may see a situation where software has indeed eaten the world, only for sophisticated hostile actors to devour the software industry.
Stacklok is harnessing the power of open-source projects like sigstore to deliver enterprise-grade solutions to address these urgent problems. Stacklok’s open-source platform will integrate within common development environments to:
1) Help developers understand and mitigate risks in their day-to-day work in both their tool choices and their code dependencies
2) Integrate a tamper-proof ledger for development teams that enables them to generate 'proof' of their best practices
3) Enable operations teams to make policy decisions on what software may be deployed to a production environment based on an understanding of how it was produced, and communicate those needs clearly back to developers who are building the software
With an increasing number of high-profile cyber-attacks targeting software supply chains, the need for robust security measures has never been more urgent.
"Our mission is to safeguard the integrity of the software supply chain, by leveraging open-source technologies such as sigstore, to enable developers to operate with confidence, and focus on their core objective of writing code," said Luke Hinds, CTO and co-founder of Stacklok. "Stacklok will bring much needed end-to-end provenance and insight to the software supply chain."
Craig McLuckie, CEO and co-founder of Stacklok, emphasized the gravity of the situation faced by the software industry, saying, "Software is eating the world, and hostile, sophisticated actors will ultimately eat the software industry if left unchecked. We see tremendous innovation being driven by open-source communities that will offer a critical line of defense against these threats, ensuring that organizations can continue to innovate and thrive."
By embracing a robust Developer Security Posture Management (DSPM) offering, enterprises can gain end-to-end provenance and insight into their software supply chain, enabling them to mitigate risks, protect against attacks, and ensure the integrity of their digital assets. As software supply chain threats continue to evolve, DSPM will play an increasingly vital role in safeguarding the software ecosystem and the organizations that rely on it.
Craig McLuckie was the founder and CEO of Heptio, an Accel and Madrona portfolio company. After the acquisition of Heptio by VMware he served as VP R&D at VMware for 3.5 years supporting the growth of the Tanzu business. Prior to Heptio, Craig was a co-founder of the Kubernetes project, bootstrapped and chaired the Cloud Native Computing Foundation, and along with Joe Beda created and drove the delivery of Google Compute Engine which emerged as the anchor for Google’s cloud strategy.
Luke Hinds is a highly regarded and industry-recognized open-source security leader and a former Distinguished Engineer from the Red Hat CTO office. Luke founded project sigstore and drove the adoption of the project into the Linux Foundation. He currently acts as the chair of Sigstore's Technical Steering Committee. He is one of the small group of individuals who helped bootstrap the OpenSSF, where he now sits on the governing board as an elected representative of the community. Luke has close to 20 years of experience developing open-source security software. He led the development of Keylime, a CNCF-based security trust system used to protect cloud-based workloads at scale, along with numerous other open-source projects.
For more information about Stacklok and its pioneering open-source software supply chain security solutions, visit www.stacklok.com or contact: