
Stacklok is donating its Minder supply chain security project to OpenSSF

Stacklok, the open source software supply chain security company founded by Kubernetes co-creator Craig McLuckie and Sigstore creator Luke Hinds, is donating Minder, one of its key projects, to the Open Source Security Foundation (OpenSSF). Minder helps development teams establish a system of proactive checks and policies that minimize supply chain risk by applying best practices and, using Sigstore, ensures that all packages created by developers using the project are cryptographically signed.

One of the key features of Minder is that it is extensible, and as McLuckie told me, the Stacklok team hopes that Minder can become a platform for other OpenSSF projects to build on and integrate with.

“Just as Kubernetes served as an integration point for CNCF projects, Minder has the potential to serve as a platform for OpenSSF projects: a common integration framework for a rich ecosystem of open source security capabilities,” he told me. Minder, he hopes, will become something like a community anchor that can form the basis for integrating a variety of security tools and making them easier to operationalize.

As McLuckie noted, most of the time when developers use an open-source library in their projects, it’s akin to “a leap of faith.”

Image credits: Stacklok

“The thing that was kind of shocking to me is the idea that open source, for all intents and purposes, is mostly written by random people on the Internet,” he said. “For me, it’s been this journey of how to raise awareness of developers who consume open source and help communities that build open source do it in a way that’s more secure and sustainable.”

While the software supply chain hasn’t always been front and center for developers—and perhaps not for most security professionals—SolarWinds and other recent attacks have certainly brought it to the fore. McLuckie cited a recent example that Stacklok discovered. A hacking group affiliated with North Korea organized fake job interviews with developers who were all working in the Web 3.0/crypto space and had them install an NPM package as part of their programming tests. That package, of course, was infected with malware, and the attackers used it as a way to get into the supply chain.

“We’re seeing some of the most sophisticated things coming out of these nation-state actors,” McLuckie explained. “Their attacking patterns are unlike anything we’ve seen in history. They do things like they publish a package for four hours, and they know that most software composition analysis tools won’t catch it in four hours. They will publish it and take it down.”

This means that tools like Minder must intercept these attacks at the IDE, in the inner development loop. “By the time it gets to (the pull request), it’s too late,” McLuckie said.
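A defender-side illustration of the publish-and-withdraw pattern described above, added here and not part of Stacklok's Minder code: a pre-install policy check that refuses a package version that is younger than a configured threshold or that was published and then withdrawn. The registry document is a constructed sample modelled on npm's per-package metadata, and the package name and the 24-hour threshold are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

MIN_AGE = timedelta(hours=24)  # assumed policy: refuse versions younger than this

# Constructed sample, modelled on the npm registry's per-package document:
# "time" keeps a publish timestamp per version, "versions" lists what is still live.
# Version 1.0.2 has a publish time but is absent from "versions": published, then withdrawn.
SAMPLE_METADATA = json.dumps({
    "name": "example-utils",  # hypothetical package name
    "time": {
        "1.0.0": "2023-01-10T12:00:00.000Z",
        "1.0.1": "2024-05-01T09:30:00.000Z",
        "1.0.2": "2024-05-01T11:00:00.000Z",
    },
    "versions": {"1.0.0": {}, "1.0.1": {}},
})
SAMPLE_NOW = datetime(2024, 5, 1, 14, 0, tzinfo=timezone.utc)  # constructed "now"


def _parse_ts(ts: str) -> datetime:
    """Parse the registry's UTC ISO-8601 timestamps (they always end in 'Z')."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def check_version(metadata_json: str, version: str, now: datetime,
                  min_age: timedelta = MIN_AGE) -> dict:
    """Return a verdict for installing `version` at time `now`.

    'block' if the version was published and later withdrawn, or is younger than
    min_age; 'unknown' if the registry has no record of it; otherwise 'allow'.
    """
    doc = json.loads(metadata_json)
    times, live = doc.get("time", {}), doc.get("versions", {})
    if version not in times:
        return {"version": version, "verdict": "unknown", "reason": "no publish record"}
    age_hours = (now - _parse_ts(times[version])).total_seconds() / 3600
    if version not in live:
        return {"version": version, "verdict": "block", "age_hours": age_hours,
                "reason": "published then withdrawn"}
    if age_hours < min_age.total_seconds() / 3600:
        return {"version": version, "verdict": "block", "age_hours": age_hours,
                "reason": f"only {age_hours:.1f}h old, below policy minimum"}
    return {"version": version, "verdict": "allow", "age_hours": age_hours, "reason": "ok"}


if __name__ == "__main__":
    for v in ("1.0.0", "1.0.1", "1.0.2", "9.9.9"):
        print(check_version(SAMPLE_METADATA, v, SAMPLE_NOW))
```

Such a check belongs in the developer's local package manager or IDE hook, since a version that is withdrawn after a few hours leaves nothing for a later scan of the registry to find.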

Minder is meant to be a system that can apply controls over the entire application lifecycle, starting with the IDE and the developer’s local package manager, all the way to the production environment. It can ingest signals from a variety of sources – and Stacklok, as a commercial entity, has built its own. But it can also start enforcing policies to, for example, ensure that developers start using quantum-resistant cryptographic libraries.

McLuckie pointed out that Google, his old employer, has shown some interest in the project and is supporting it, among other things, by helping Stacklok lead some integrations with services such as an open source vulnerability database. He also mentioned that while Stacklok has built integrations with GitHub, he would like to see other communities build integrations with GitLab, Bitbucket, and similar tools.

Of course, for Stacklok as a company, the more successful Minder is as an open source project, the more likely businesses will come to Stacklok for support or subscribe to its hosted service. However, McLuckie noted that given his experience in the open source ecosystem as a whole, it was important to him to not only make the code available under an open source license, but to ensure that the project would be community driven.

“We want to make sure that we unequivocally and irrevocably signal to the community that Minder is a community-centric platform that is not owned by us. It will actually be owned by the community,” McLuckie said when I asked him about the motivation for bringing Minder under a foundation umbrella. “We will continue to support it, but obviously we have a plan for operationalization and commercialization. And I think that after experiencing this journey with Kubernetes, I feel very positive about the results that we were able to generate on the back of Kubernetes. It has become half of the world’s workloads running on Kubernetes, but or receiving, at this time. And so, you know, I’d like to get to a point where half the workload in the world is handled by Minder – and I’d feel really good about that.”