Trusty provides a free-to-use service with scoring and metrics about a package’s repo and author activity.
Minder is an open source platform that helps project owners build more secure software and prove that what they’ve built is secure.
We sat down with our new Principal Engineer, Pankaj Telang, to learn more about why he joined Stacklok, and what he’ll be doing in his new role leading our data science efforts.
A: As a data scientist, I mostly use the Python programming language. I like Python for two reasons. It is very intuitive and easy to use. Additionally, there is an extensive collection of open source Python packages such as pandas, numpy, scikit-learn, and others that can be readily used for data science tasks. Beyond Python, I have used other languages including C/C++, Go and Java, mainly for intensive data pre- or post-processing tasks.
A: Sure. I've had about 20 years of experience in AI, ML, computer vision, cybersecurity, and software development. Most recently, I worked as a Principal Staff Scientist for SAS, focused on cybersecurity and computer vision; I was at SAS for 8 years focusing on these areas. For cybersecurity, I developed ML algorithms for detecting suspicious user and device activities from network communications. For computer vision, I developed cloud-based image processing APIs, and trained ML models for various use cases. Prior to SAS, I worked at Cisco Systems for ~14 years as a software engineer and an architect in various areas, including B2B and cybersecurity.
A: I am naturally interested in mathematics, statistics and computer science. I became interested in data science since it combines all of these fields. As a data scientist, I get to solve complex real-world problems using data and scientific methods, which is highly satisfying. For example, detecting threats in cybersecurity is a needle in a haystack problem: analysts need to find threats from a large volume of data. In this field, data science and AI/ML models can save a lot of time for the analysts by narrowing down these threats, and also spot threats that are hard to find manually.
A: I was drawn to Stacklok for a lot of reasons. First, Stacklok is addressing an important problem of open source software supply chain security. The complexity and diversity of cybersecurity problems in this area are very fascinating. I am excited for the opportunity to apply advanced AI/ML techniques and develop innovative approaches in this field.
Second, Stacklok is developing open source projects for addressing these security problems. This will give me the opportunity to contribute to and shape cutting-edge technologies and make a meaningful impact on the industry. Third, I really admire Stacklok's founders: Craig McLuckie, inventor of Kubernetes, and Luke Hinds, inventor of Sigstore. Having the opportunity to work alongside such thought leaders is truly an honor.
A: Indeed, AI/ML safety and security has become a central concern across governments and industry worldwide. One specific aspect of AI/ML security that I worry about is the trustworthiness of the foundation models that are available for download over the internet. As a developer, how can I be assured that a model is trustworthy and safe to use? Another aspect of AI/ML security I worry about is related to LLMs (large language models). These models are being used in AI coding assistants. How can we ensure that the code suggested by these models, including the packages referenced in it, is safe to use?
A: At Stacklok, I'll be working on Trusty. My goal will be to research and develop methods for computing trustworthiness of entities in the open source world, including authors and packages. We will consider multiple scoring dimensions for computing trustworthiness, including security and transitive dependencies.
A: I am truly excited to join Stacklok! I am looking forward to working with a world-class team to deliver next-gen capabilities to secure open source software. I am confident that our efforts will produce solutions that will benefit a large population of developers across the world.
A: Of course! Here you go: