It is with great pleasure that I get to announce the founding of Stacklok with Luke Hinds (the founder of Sigstore). Our mission is to make it easier to securely develop software. We will help developers better understand how their practices and choices impact the security of the software they produce and how the software they depend on is built, and we will enable companies to implement and insist on practices that lead to safer software delivery and better production security posture.
During my work on the Kubernetes and Cloud Native journey I had the privilege of working with some incredibly talented people and bringing some fun and exciting products to market. From the incubation of Google Compute Engine, to starting Kubernetes, to the Cloud Native Computing Foundation, to some of the exciting projects my team at VMware came up with; it has been really exciting. As I was thinking about what to do next, I kept coming back in my mind to something I had been stewing on for years, but had never been able to truly throw myself into. What will it take to secure the enterprise software supply chain?
The mission itself is important to me. I have long felt drawn to technologies that make the life of an IT professional easier, or if easy isn’t on the table to at least reduce toil and misery. ’Playing the movie forwards’ a little it seems clear to me that software may very well have eaten the world, but unless we collectively, as an industry come together to address the challenges Advanced Persistent Threats (APTs) represent to the software industry at large and the Open Source community particularly, we will see those hostile actors eat the software industry. The world is getting more dangerous in many ways, and it behooves us as an industry to rally behind technologies and initiatives that support supply chain security.
Okay, great - supply chain security matters, but what is to be done about it?
As I tried to answer that I stepped way back and looked at the space holistically. Forgive me if this sounds a bit simplistic, but a lot of this starts (and turns out also ends) with cryptography. Cryptography is a keystone technology in the world of software security. It does two fundamental things for us. First, it lets us lock up information so people who shouldn’t be able to see it can’t see it (encryption). Second, it provides a way for us to know that something that is being said to us, or given to us is indeed being said or given by an entity we trust (signing or non-repudiation). So we have a pretty good way to lock away our information, and know in broad terms who is shipping us information (of which code is one specific type of information), but how can we get more context or information about something to know whether it is indeed trustworthy? (At least for now, until quantum computing becomes mainstream and technologies like RSA fall, but that is the topic of a future post).
Knowing whether someone is trustworthy is challenging. Look at the Solarwinds incident which represents perhaps one of the most sophisticated demonstrated exploitations and perhaps one of the more devastating ones that we are aware of. There was an implicit assumption that customers should trust the package they were being given (it was after all signed by a reputable company), but the practical implications of ‘inspecting’ or ‘verifying’ for trust just aren’t there. Certainly you can scan something to understand its composition, but knowing what is in something doesn’t tell you very much about how it got there. From simple questions like “did the people who built this have appropriate branch protections in place?” To very complicated questions like “did they use a build system that had a rooted chain of trust to the silicon?”
This is where the sigstore project comes in. Sigstore was started by my co-founder Luke Hinds and has been subsequently adopted and supported by many organizations like Google, Red Hat, Github, Chainguard, Sonatype and a great many others, and supported through direct community efforts like OpenSSF. It represents an elegant way to capture important provenance that is generated during the construction of a piece of software, and write it deterministically to a tamper resistant ledger. So you can think of it as a way to expand the boundaries of non-repudiation that signing represents, but create some substantially more powerful opportunities to add increasingly rich provenance information. It basically provides a way to start to ‘open up’ and contextualize what is being done in a production environment. This information will allow organizations to both ‘show their work’ and hold the line with policy as needs be. At Stacklok we aim to engage, support and foster innovation in and around this critical project area.
It is my belief that it is truly going to ‘take a village’ to address the deep challenges that are emerging to the Open Source technologies that power the world, and the proprietary technologies that power our industries. It is also my belief that the only way to make substantial, sustained progress against some of the deepest challenges in this space are through open source collaboration. Having been involved in bootstrapping things like the Kubernetes community, and CNCF I am very much drawn to this area and will work to ensure that Stacklok is an effective and constructive contributor from day one.
Luke and I are committed to building a company that drives innovation in the open source community, and enables enterprise organizations and developers alike to access, and draw benefits from that innovation. If you are interested in following our news or getting in touch with us, please register using the form submission below, we would love the opportunity to get and stay in touch.
Craig McLuckie is Stacklok's CEO and the co-creator of the open source project Kubernetes.
