Introducing Stacklok: Revolutionizing Open Source Security

Our CTO and Sigstore founder, Luke Hinds, shares his ambition for Stacklok and gives a little history of his experience founding Sigstore.

Author: Luke Hinds / 4 min read / May 16, 2023

Today marks the beginning of an exciting new chapter for both myself and my co-founder, Craig McLuckie, as we announce the genesis of our company, Stacklok.

My journey through the security world as a software engineer has now spanned two decades. It traces back to my formative days in the ‘noughties’, when I toiled to build bulwarks against hackers keen on exploiting the vulnerabilities of what were then legacy telecommunications networks. Fast forward to today, and it’s building open source security software from prototype to enterprise-grade platform.

During my time, the technological landscape has undeniably metamorphosed, as have our approaches to securing software, but the threats we encounter have proven insidiously consistent, and if anything hackers are becoming increasingly motivated and capable. Our adversaries have the liberty to make numerous errors, needing only to succeed once. We, on the other hand, can afford no missteps at all. A single lapse on our part can lead to a security breach and damage to a company's brand and reputation.

The stakes in the game of cat and mouse between software and its adversaries have never been higher. With the advent of large language models (LLMs) and autonomous agents, adversaries will be able to orchestrate complex attacks through prompt engineering. They will be able to generate code, couple it with social engineering, and craft on-the-fly exploits tailored to specific systems, making those attacks much more difficult to defend against.

As a result, it is likely that the security landscape will become increasingly dangerous in the years to come. The enterprise will need to find new and innovative ways to stay ahead of the curve, as we will see a significant increase in the number, complexity and severity of cyberattacks. I’ll echo Craig's words here: ‘Open source software is eating the world, and hostile, sophisticated actors will ultimately eat the software industry if left unchecked’.

Although Stacklok is a new company, our presence in this space is far from new. My co-founder and I have decades of experience founding large open source projects and doing our bit to evolve them into enterprise-grade platforms operating at scale.

Many mountains to climb, but the views will be worth it.

In June 2020, we found ourselves in the midst of the COVID lockdown and at a pivotal point for the industry, as the world around us rapidly changed. Rather than slowing the adoption of cloud technologies and open source, we instead witnessed an accelerated push, as organizations moved quickly to deploy tools to support their now remote working staff.

At this time of disruption, I had the idea to develop a software supply chain ledger to bring much-needed transparency and observability to the complex and vast ecosystem of open source software code and artifacts, and thus Sigstore was born. In just two short years, it has been incredible to witness the explosive growth of Sigstore, now a community of over 500 contributors, where companies such as Google, GitHub, Red Hat and Chainguard collaborate to solve a problem that impacts us all. We're excited about what the future holds for Sigstore, and we will continue to serve the community.

Sigstore has significantly bolstered the security posture of many notable open source projects, such as npm. At Stacklok, we see Sigstore as a foundational element of trust, but just as crucial now is a vehicle that can communicate this trust in meaningful ways to an enterprise looking to leverage open source software. This is precisely what we aim to create at Stacklok, starting with what we know best: empowering developers to do the right thing by default, and allowing them to focus on what they do best, writing code.

We will also continue to support the combined efforts currently in progress within communities such as the Open Source Security Foundation (OpenSSF), where I serve on the governing board as the Security Community Individual Representative, a role I took on following my tenure on the Technical Advisory Council, and within the CNCF, which was established by my co-founder Craig.

To keep track of our progress, follow our Twitter account @stacklokHQ.

Luke Hinds is the CTO of Stacklok. He is the creator of the open source project Sigstore, which makes it easier for developers to sign and verify software artifacts. Prior to Stacklok, Luke was a Distinguished Engineer at Red Hat.