Over fifteen years ago, while working at EMC Corporation, amidst a mostly proprietary technological landscape, I stumbled upon something that would change my perspective on software development forever. It was an encounter with the open source Java framework, Spring. The framework removed much of the routine boilerplate code and nicely integrated with many popular OSS libraries (e.g., Log4j, a popular Java logging framework), drastically improving my productivity. As a consumer of open source software, it captivated my imagination, empowering me with the freedom to explore, create, and contribute to a global community solving similar problems. I wasn’t the only person who thought Spring and open source were valuable; in 2009, VMware acquired SpringSource, the company behind the framework, for $420 million.
Years later, the relationships I built collaborating with the Spring community created an incredible opportunity for me to lead the Spring Engineering team at VMware. Working alongside these world-class engineers, I witnessed firsthand the operational challenges of managing an open source project at scale as Spring was used and trusted by more than 65% of Java developers. It was also the type of high-profile open source project that malicious actors love to target. As a producer of open source libraries, the team worked tirelessly and passionately to patch vulnerabilities, and understand, harmonize, and upgrade third-party dependencies.
On December 9, 2021, security researchers disclosed a vulnerability in the popular open source logging framework, Log4j, estimated to be used in over 100 million environments. On December 10, 2021, NIST’s National Vulnerability Database (NVD) assigned the vulnerability a Common Vulnerability Scoring System (CVSS) base score of 10.0, the maximum severity. The Log4j open source community showcased their dedication and expertise when faced with this critical vulnerability and responded swiftly. They worked to identify and patch the vulnerability, ensuring the continued reliability and integrity of the framework. A number of Spring users relied on Log4j as their logging subsystem and would eventually need to upgrade to patched versions of the library. This incident grabbed global headlines, but the real story was the fantastic community collaboration happening worldwide to secure the software supply chain.
Through my experience consuming and producing open source software, I’ve observed that at the heart of the most successful projects and communities is trust. Open source trust is built upon transparency, collaboration, security, and a track record of reliability. Malicious actors have many paths to disrupt confidence in the software supply chain beyond application dependencies. Developer tooling, publishing infrastructure, build systems, and signing infrastructure are a few of the other attack vectors.
Therefore, I am thrilled to join Stacklok, a company dedicated to being part of this global community focused on securing the software supply chain for developers. The increasing prevalence of software supply chain attacks imposes an additional burden on developers, intensifying their cognitive load and necessitating heightened vigilance in ensuring the security and integrity of software components. Stacklok's mission to alleviate this cognitive load across the software development life cycle is both ambitious and motivating, and it is with great enthusiasm that I take on the role of Director of OSS and Platform Engineering.
I’m most excited about the team at Stacklok. Craig McLuckie’s (CEO) track record of building products with industry impact at Google, Heptio, and VMware is impressive, and Luke Hinds (CTO) is a thought leader in the secure software supply chain space, the founder of Sigstore, and an industry-recognized security expert. The team they are assembling is impressive, and I’m humbled to work beside them. If you love open source and developer communities and want to help safeguard trust in the software supply chain, check out our careers page to learn more.
Brian Dussault
Director of Engineering