Stacklok announced recently a $17.5 million Series A funding round to bring enterprise-grade security solutions to developers actively working with open-source software. These barriers to entry in terms of accessing, integrating, and ultimately consuming open-source software technologies are being lowered every day. And from the burgeoning ecosystem of open-source libraries that contribute between 70% and 90% of deployed code today (per Linux Foundation) to the emergence of large language models (LLMs) as a force for productivity (contributing to well over 40% of new code being submitted according to GitHub), the explosion in the volume of code being built, and deployed by enterprise companies is continuing to increase dramatically.
Plus at the same time, the software security landscape continues to evolve. And the last few years have seen the emergence of exploits developed by sophisticated hostile actors that directly target the software supply chain (i.e. the environments in which developers are innovating and building new capabilities). When left unchecked we could see a situation where software has indeed eaten the world, only to see sophisticated hostile actors devour the software industry.
Stacklok is utilizing the power of open-source projects such as sigstore to deliver enterprise-grade solutions to address these urgent problems. And Stacklok’s open-source platform will integrate within common development environments to:
— Help developers understand and mitigate risks in the day-to-day work in both their tool choices and their code dependencies
— Integrate a tamper-proof ledger for development teams, which enables them to generate ‘proof’ of their best practices
— Enable operations teams for making policy decisions on what software may be deployed to a production environment based on an understanding of how it was produced, and communicate those needs clearly back to developers who are building the software
Considering an increasing number of high-profile cyber-attacks targeting software supply chains, the need for robust security measures has never been more urgent.
By pursuing a robust Developer Security Posture Management (DSPM) offering, enterprises are able to gain end-to-end provenance and insight into their software supply chain, enabling them to mitigate risks, protect against attacks, and ensure the integrity of their digital assets. And as software supply chain threats continue to evolve, DSPM is going to play an increasingly vital role in safeguarding the software ecosystem and the organizations that rely on it.
Co-Founder/CEO – Craig McLuckie
Craig McLuckie was the founder and CEO of Heptio, which is an Accel and Madrona portfolio company. And after the acquisition of Heptio by VMware he served as VP R&D at VMware for 3.5 years supporting the growth of the Tanzu business. Before Heptio, McLuckie was a co-founder of the Kubernetes project, bootstrapped and chaired the Cloud Native Computing Foundation and along with Joe Beda created and drove the delivery of Google Compute Engine which emerged as the anchor for Google’s cloud strategy.
Co-Founder/CTO – Luke Hinds
Luke Hinds is known as a highly regarded and industry-recognized open-source security leader and a former Distinguished Engineer from the Red Hat CTO office. And Hinds founded project sigstore and drove the adoption of the project into the Linux Foundation. Hinds currently acts as the chair of Sigstores Technical Steering Committee. And he is one of the small group of individuals who helped bootstrap the OpenSSF, where he now resides on the governing board as an elected representative of the community. Hinds has close to 20 years of experience developing open-source security software. He led the Development of Keylime, a CNCF based security trust system used to protect cloud-based workloads at scale, along with numerous other open-source projects.
KEY QUOTES:
“Our mission is to safeguard the integrity of the software supply chain, by leveraging open-source technologies such as sigstore, to enable developers to operate with confidence, and focus on their core objective of writing code. Stacklok will bring much needed end-to-end provenance and insight to the software supply chain.”
— Luke Hinds, CTO and co-founder of Stacklok
“Software is eating the world, and hostile, sophisticated actors will ultimately eat the software industry if left unchecked. We see tremendous innovation being driven by open-source communities that will offer a critical line of defense against these threats, ensuring that organizations can continue to innovate and thrive.”
— Craig McLuckie, CEO and co-founder of Stacklok
