We’re excited to announce today that Stacklok is one of the newest members of the Open Source Security Foundation, or OpenSSF!
As a company led by founders of open source and community projects including Kubernetes, the Cloud Native Computing Foundation, and Sigstore, Stacklok has a deep appreciation for the power of community-centric open source. We share in OpenSSF’s commitment to working both upstream and with existing communities to advance open source security.
To that end, we’re grateful for the opportunity to have our co-founder, Luke Hinds, serve as an elected community representative on the OpenSSF Governing Board. Additionally, Stacklok engineers participate in a number of OpenSSF projects and initiatives, most notably Sigstore, the AI / ML Security Group, and OpenSSF Scorecard.
Stacklok is committed to working with the upstream Sigstore community and OpenSSF to make it easier for maintainers to generate provenance for their open source packages.
Developers who import unsigned and unverified open source packages and libraries into their code can introduce hard-to-spot risks to the integrity of their services. Despite that risk, provenance remains one of the least adopted supply chain security practices. One recent survey from the OpenSSF estimates that fewer than 25% of respondents consistently sign their artifacts and make provenance available—likely because it’s a time-consuming and tedious process.
Sigstore makes it easier to digitally sign and verify components, giving a safer chain of custody that traces software back to its source. It lets maintainers sign off on what they build without needing to understand intricate security protocols or manage additional sensitive signing material, and it lets developers who consume those builds verify the signatures against a tamper-proof log.
Stacklok engineers serve as contributors and maintainers of the Sigstore project (founded by Stacklok co-founder Luke Hinds), and participate in maintenance and on-call for the shared Sigstore public good instance.
As AI and ML technologies become increasingly embedded in development practices, we see significant risks for individuals and organizations. For example, an AI coding assistant could suggest importing a package or library that contains vulnerabilities or comes from an unknown source. That’s why Stacklok has participated in forming the OpenSSF’s AI / ML Security Group, which is focused on researching the possible security impacts of AI / ML technologies on open source software, maintainers, communities, and their adopters.
This group also seeks to identify ways that open source projects can safely use Large Language Models (LLMs) to improve their security posture.
Even though the majority of all codebases have at least one vulnerability, with an average of 158 per codebase (source), the process of reviewing code for vulnerabilities is tedious and can fall down the list of priorities for many companies. OpenSSF Scorecard helps developers understand the security posture of a project and assess the risks that dependencies introduce.
OpenSSF Scorecard was created by open source developers to improve the health of open source projects. Maintainers can use Scorecard to analyze their repos and identify ways to make their projects more secure. Stacklok looks forward to continuing to participate in discussions about how to improve and build on this project.
*****
As new members of OpenSSF, we’re excited to continue these projects and our work with open source security communities to help make open source safer for everyone. Read more about this announcement and about OpenSSF’s newest members here.
P.S. We’re participating in OpenSSF Day today in Bilbao, Spain! Stacklok Principal Engineer Evan Anderson will be speaking about public good instances and becoming a Sigstore contributor. We hope to see you there!