StackloK’s founders say that security software designed to help with open source issues should also be open source.
Stacklok, the security startup focused on securing the software supply chain, on Monday announced that they’ve donated their flagship platform, Minder, to the Open Souce Software Foundation, a Linux Foundation project. Like any software project entering the Linux Foundation ecosystem, Minder will begin as a sandboxed project for a minimum of three months before it’s elevated to be an incubating project.
The announcement was made by both Stacklok’s co-founter and CEO Craig McLuckie in a keynote address at All Things Open, and its co-founder and CTO Luke Hinds and in a blog.
“Minder makes it simpler for developers and security teams to adopt a policy-based approach to open source software security; it reduces noise, alerts to risk only when necessary, auto-remediates inconsistencies, and spans the entire software development lifecycle,” Hinds wrote.
Before teaming with McLuckie to create Stacklok, Hinds was the founder of Sigstore, which is now an OpenSSF project. He pointed out that OpenSSF should be a good fit for Minder,since the platform was created to make it possible to integrate supply chain tools, such as those that are already part of the OpenSSF ecosystem, so that they can be used in tandem.
McLuckie is in agreement with that.
“Minder isn’t just about being able to assert policies,” he recently told me. “It’s about being able to tap into the the full richness of the open source security ecosystem and set up policies using all these wonderful tools like Trivy, Bandit, and other open source tools. We want to make sure that we provide a framework that unlocks those tools for communities and then for enterprises at scale.”
In a nutshell, Minder is a way for developers and security teams to find and do away with security risks that might be hiding in open source code before it’s merged into a project. It draws on OpenSSF Scorecard, Sigstore and other best practices, and integrates them into a single platform that can be a part of, say, a DevOps practice.
Not surprisingly, McLuckie compares the platform to Kubernetes.
“Our ambition with this platform is to create something that has that kind of Kubernetes like ethos, where it enables you to look across your organization and organize everything into resources, and then map policies to resources by selectors and then run reconciliation,” he said. “It’s got a very strong kind of Kubernetes flavor to it.”
He added that open source is built into the project by design, which is especially important because the issues Minder is designed to solve are specifically open source problems.
“We believe that as this world gets darker and more complicated, communities need access to world class tooling that can help them operate in a sustainable and safe way,” he said. “We believe that tooling should be open source tooling. If you want open source communities to embrace something, it should be open source technology. We also believe that there’s this incredible richness to the world of open source security capabilities. There are so many great technologies out there that we use ourselves to make sure that what we produce is safe.”
As a sandbox project, Minder will benefit from OpenSSF’s governance models and resources. The Security Tools Working Group will help the project grow and improve as well has help it broaden it’s team ofmaintainers and contributors. Those who’s like to take Minder for a test drive can visit the project’s GitHub page.
“We believe organizations that adopt a policy-based approach to security are best positioned to stay steps ahead of threat actors,” said Bob Callaway, who heads Google’s open source security team and is a members of OpenSSF’s technical advisory council. “To that end, Minder brings a complementary set of capabilities to the OpenSSF security tools working group.”
Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux
Be First to Comment