After being instrumental in launching the Kubernetes open source project, Kubernetes co-founders Craig McLuckie and Joe Beda left Google to launch Heptio in 2016. They then sold the company to VMware in 2018. Both left VMware in 2022 and McLuckie went on to found a stealth startup after a short stint as an entrepreneur in residence at Accel. Now we know this stealth startup is Stacklok, which aims to build tools and services that focus on software supply chain security.
To build Stacklok, McLuckie teamed up with Luke Hinds as the company’s CTO. Hinds is the founder of the sigstore project, which has become the default open source project that sits at the core of many supply chain stacks. As Hinds told me, sigstore took shape during the early days of the pandemic lockdowns of 2020, while he was working at Red Hat.
“I’ve had the idea in my head for quite a while, but with open source ecosystems, there’s a lot of dark matter out there — such a huge spaghetti beast of dependencies that are intricately combined but not being able to see a clear pattern,” Hinds told me. “So I had this idea of building this sort of supply chain ledger to have observability and transparency into the supply chain. So start with a really good foundation where everything that’s in there has non-repudiation and a cryptographic signature. So you know it’s tied to an identity, whether that be a machine or a human. So if we start with a really good trust foundation — a fabric of trust — then we can start to layer on top of that stack.”
Today, sigstore is part of the Linux Foundation’s Open Source Security Foundation (OpenSSF). With software supply chain security being a priority across software ecosystems, a tool like sigstore that helps developers sign and verify their own project and the libraries they use, it’s become a core tool for building more secure software. And while the two co-founders wouldn’t say too much about their product plans for Stacklok just yet, sigstore will obviously be at the core of this project as well.
McLuckie told me that he, too, had been thinking about supply chain security for a while now — and he also missed building things. “There’s nothing more fun than building a company,” he said. “I’ve been thinking about supply chain security problems for a long time. I’ve been talking about this since well before the SolarWinds incident happened. In my mind, it seemed like something that was an obvious vector for [attackers]. If you think about enterprise organizations, one of their primary differentiators is their ability to produce and consume technology to solve the business problem and when you see the world becoming increasingly dark — a little bit more dangerous — with this weird sort of merging of nation-state actors and commercial hackers so they become almost distinguishable. It seemed logical that the place that person starts to pay attention to is the supply chain: How can you insert something into a supply chain that enterprises consume?”
In many ways, the open source supply chain security ecosystem is at a similar point as the early Kubernetes ecosystem. Some of the fundamental building blocks are available, but a lot of work in making the technology more accessible to a wide range of potential users remains to be done. Most developers, as much as they want to write secure code and only work with trustworthy packages, aren’t cryptography experts, after all. Meanwhile, the security landscape continues to shift, all while Executive Order 14028 has now made this a national priority in the U.S.
“The vision that Luke and I have is really starting with developers and providing them a very clear and precise set of insight into what they need to be doing to start producing software better — a better understanding about the dependencies that they’re taking, better understanding about their operating preferences — and in so doing, they start producing data that can then be written into a ledger, so they can effectively show their work. ‘Hey, I was behaving well when I produced this.'”
So early on, Stacklok expects to build tools that surface a lot of this provenance data to developers directly and do so in a way that makes this technology more transparent and accessible to them. McLuckie hinted that the team will likely start building an integration with GitHub first, but the team is keeping most of its plans under wraps until it is ready to launch a beta.
“We want to create this virtuous cycle. This flywheel of engagement,” McLuckie said. “But when you start to look at what teams need, that’s where the more interesting commercial side of things comes into it for us. Once the developers are starting to consume this and use this and generate project information, the obvious logical next question is where is that homed and how do I make policy decisions on the face of that? That’s where our commercial product line will come in.”
Stacklok today announced that it has raised a $17.5 million Series A round. You did not miss the company’s seed round. Stacklok simply decided to forgo this step and call its first funding round a Series A (and given its size, that makes sense). Given McLuckie’s former role as an entrepreneur in residence at Accel, it doesn’t come as a shock that the firm would also invest in Stacklok, together with Madrona, another early Heptio investor.
“The software supply chain security market is fragmented, with many point solution providers but no clear platform leader,” Madrona’s Tim Porter and Sabrina Wu write in their announcement today. “We believe Stacklok is uniquely positioned to win given the team’s unique background and ability to create a novel platform solution that is both proactive and remediative across the entire DevSecOps process, providing an elegant and effective approach to CodeSec and naturally expanding over time to AppSec scenarios. For instance, we envision Stacklok will be able to force remediation for a production package when a new day zero vulnerability is discovered and improve visibility into the supply chain by making contextual information useful.”
Heptio sold rather quickly — before the team was even able to fully build out the product portfolio it had envisioned. Indeed, when I asked McLuckie about this, he said that he may have sold too early. “It was too quick. It was too early. It was the best job,” he said. He argues that the Stacklok team is in it for the long haul, though.