Exploring a pivotal career shift from Heptio and VMware to Stacklok, our VP of Product shares an impassioned commitment to enhancing secure software development.
For the past eight years, at companies including Heptio and VMware, I have focused on helping enterprise customers adopt containers and Kubernetes. Across hundreds of conversations with organizations in every industry vertical, it became abundantly clear that they struggle to ship software securely and to put open source technologies into production systems.
The aim of any business is, of course, to ship better software faster in order to compete in today's digital world. Doing so almost always means building on significant amounts of open source code, and that puts three key constituencies in difficult positions. Development teams need to solve business problems quickly, and they often lack a full understanding of the security risk their choices carry. Security teams define the guardrails that are required, but they are rarely able to verify that those guardrails are actually in place, and they seldom have the information needed to act quickly when an exploit does occur. Operations teams are asked to enforce gates across complex systems using many tools and processes that are new and often not well understood. This distributed responsibility for software supply chain security is at the heart of what makes the problem so hard.
Stacklok was founded to make it easier to securely develop software. I see an incredible opportunity to enable companies to build software in a safe and responsible manner, and am excited to announce I am joining Stacklok as VP of Product to do just that.
There are a number of clear market forces that make the need for what we're doing at Stacklok obvious. First, the number and severity of software supply chain attacks has increased dramatically (by some measures by more than 700%), as recent well-known incidents including Log4j and SolarWinds have shown. Second, adoption of open source technologies has exploded, and the risk inherent in these dependencies is significant (by one measure, 1.2 billion vulnerable dependencies are downloaded each month). Finally, recent executive mandates from the Biden administration on software sold into the public sector will require many companies to adopt new tools and practices. In response to these forces, the community has focused strongly on efforts such as Sigstore and SLSA, which have seen significant adoption in a short period of time. However, adopting new technology and integrating it into existing practices is challenging, and many companies lag behind, putting themselves at serious risk.
At Stacklok, we will focus on helping development teams understand best practices and making it easier for them to make good choices. We will provide contextual awareness of vulnerabilities, which allows for much faster remediation than point-in-time scanning. We will enable operations teams to put new technologies into production successfully, and we will provide policy-based controls so that developers can move quickly within the right guardrails. And we will do all of this with extremely close ties to, and investment in, the open source community.
There is an exciting opportunity ahead of us, but one of the deciding factors in my decision to join Stacklok was the team. I have had the opportunity to work with Craig McLuckie (CEO) over the past six years at Heptio and VMware; Craig has a relentless focus on making life easier for IT professionals and on building diverse and inclusive teams. I am incredibly excited to work with Luke Hinds (CTO), who started the Sigstore project and is an expert in the space. We are backed by Accel and Madrona, two incredibly strong partners with whom I had the opportunity to work during my time at Heptio. And one of the most exciting parts of this journey will be growing and enabling the team: we are building a diverse and talented team with strong open source ties (and we are fully remote). If any of this sounds interesting to you, check out our careers page to learn more.