Stacklok, the open source software supply chain company founded by Kubernetes co-creator Craig McLuckie and Sigstore creator Luke Hinds, is donating Minder, one of its key projects, to the Open Source Security Foundation (OpenSSF). Minder helps development teams set up a system of proactive checks and policies to minimize supply chain risks by enforcing best practices and, using Sigstore, ensures that all packages built by developers that use the project are cryptographically signed.
One of the key features of Minder is that it is extensible and as McLuckie told me, the Stacklok team hopes that Minder can become a platform for other OpenSSF projects to build on and integrate with.
“Just as Kubernetes served as a point of integration for CNCF projects, Minder has the potential to serve as a platform for OpenSSF projects: a common integration framework for a rich ecosystem of open source security capabilities,” he told me. Minder, he hopes, will become something akin to being a community anchor that can form the basis for integrating a variety of security tools and make them easier to operationalize.
As McLuckie noted, most of the time when developers use an open source library in their projects, it’s akin to “an act of faith.”
“The thing that has been just sort of borderline shocking to me is this idea that open source, for all intents and purposes, is mostly just written by random people on the internet,” he said. “For me, it’s been this journey of how to increase the awareness of developers that are consuming open source, and helping communities that are building open source do it in a way that’s safer and more sustainable.”
While software supply chain wasn’t always top of mind for developers — and maybe not even most security professionals — SolarWinds and other recent attacks have definitely brought it to the forefront. McLuckie cited a recent example that Stacklok discovered. A hacking group affiliated with North Korea staged fake job interviews with developers who were all working in the Web 3.0/crypto space and had them install an NPM package as part of their programming tests. That package, of course, was infected with malware, and the attackers used that as a way to get into the supply chain.
“We see some of the most sophisticated stuff coming out of these nation-state actors,” McLuckie explained. “Their patterns of attack are different to anything we’ve seen historically. They do things like they’ll publish a package for four hours, and they know that most software composition analysis tools aren’t going to catch it in four hours. They’ll publish it and take it down.”
This means that tools like Minder have to intercept these attacks at the IDE, in the inner development loop. “By the time it hits the [pull request], it’s too late,” McLuckie said.
Minder is meant to be a system that can apply controls across the entire application life cycle, starting at the IDE and with the developer’s local package manager, all the way to the production environment. It can ingest signals from a variety of sources — and Stacklok, as a commercial entity, has built its own. But it can also start enforcing policies to, for example, ensure that developers start using quantum-resistant encryption libraries.
McLuckie pointed out that Google, his old employer, has also taken some interest in this project and is supporting it by, among other things, helping Stacklok drive some integrations with services like the open source vulnerability database. He also noted that while Stacklok has built integrations with GitHub, he’d love to see other communities build integrations with GitLab, BitBucket, and similar tools.”
Of course, for Stacklok as a company, the more successful Minder is as an open source project, the more likely it is that enterprises will come to Stacklok to look for support or subscribe to its hosted service. Yet McLuckie noted that given his experience in the open source ecosystem as a whole, it was important for him to not just make the code available under an open source license, but to ensure that the project will be community-driven.
“We want to make sure that we’re signaling unequivocally and irrevocably to the community that Minder is a community-centric platform that is not owned by us. It’s actually going to be owned by the community,” McLuckie said when I asked him about the motivation to bring Minder under a foundation’s umbrella. “We will continue to support it, but we obviously have a plan to operationalize and commercialize. And I think, having lived this journey with Kubernetes, I feel very positive about the outcomes we were able to generate on the back of Kubernetes. It became a half of the world’s workloads are running on Kubernetes, give or take, at this point. And so, you know, I would like to get to a point where half the world’s workloads are being secured by Minder — and I would feel very good about that.”