By Luke Hinds, CTO and Co-founder, Stacklok
Today, I’m excited to announce that Stacklok is contributing our Minder open source project to the Open Source Security Foundation (OpenSSF). Minder makes it simpler for developers and security teams to adopt a policy-based approach to open source software security; it reduces noise, alerts to risk only when necessary, auto-remediates inconsistencies and spans the entire software development lifecycle.
The OpenSSF is the perfect home for Minder, since the Foundation’s goal is to sustainably secure open source software. The community already includes a number of powerful projects. We created and contributed Minder to make those projects—all that innovation—easier to integrate and operate. In talking with organizations from across industries, we know there’s a strong interest in an open source software security platform that is actually open source. Leaders understand that the best way to strengthen their posture is by working more closely with the open source community. We’re convinced that Minder can bridge that gap.
“We believe organizations that adopt a policy-based approach to security are best positioned to stay steps ahead of threat actors,” said Bob Callaway, Head of Google’s Open Source Security Team. “To that end, Minder brings a complementary set of capabilities to the OpenSSF Security Tools Working Group.”
Contributing Minder to an open source foundation is a crucial commitment from us. This commitment ensures that the community can not only adopt Minder, but also trust that it’s under the governance of a vendor neutral foundation. We have always wanted OpenSSF to be that foundation, since we’re not just aligned on values, but also on the importance of a community-centric platform capable of the scope of Minder. The moment that Craig and I founded Stacklok, we realized that this donation wasn’t even a question. Our virtues required us to make this donation.
Commitment to a Minder Community
We conceived Minder as an open source project from the beginning; but we also conceived of it as a platform, not just a project. My co-founder at Stacklok, Craig McLuckie, co-created Kubernetes, and just as Kubernetes proved an anchor point for cloud native computing, we recognized a similar need in open source software security.
Let me give you a concrete example: we use Minder to power our Stacklok Cloud product. It ingests data from multiple integration sources, such as the OSV vulnerability database or our own open source dependency security intelligence service. It then uses a GitHub provider integration to apply that data to gate pull requests that introduce new dependencies, ensuring they do not introduce risks such as vulnerabilities or malicious packages.
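To make the gating step concrete, here is an added example that is not Minder's own code: a small pull-request gate that parses the unified diff of a `requirements.txt`, extracts the dependency pins the PR adds, and checks each one against advisory records shaped like the OSV schema (`affected[].package` plus `ranges[].events` with `introduced`/`fixed` entries). The diff and the advisories are constructed for this example; the advisory ids are placeholders, not real OSV ids.

```python
"""Added example (not Minder's code): a minimal PR dependency gate that
evaluates newly added pins against OSV-style advisory records."""
import re

# Constructed advisories shaped like OSV records. Ids are placeholders.
SAMPLE_ADVISORIES = [
    {
        "id": "EXAMPLE-2024-0001",
        "affected": [{
            "package": {"ecosystem": "PyPI", "name": "widgetlib"},
            "ranges": [{"type": "ECOSYSTEM",
                        "events": [{"introduced": "0"}, {"fixed": "2.4.0"}]}],
        }],
    },
    {
        "id": "EXAMPLE-2024-0002",
        "affected": [{
            "package": {"ecosystem": "PyPI", "name": "gizmo"},
            "ranges": [{"type": "ECOSYSTEM",
                        "events": [{"introduced": "1.0.0"}, {"fixed": "1.0.5"}]}],
        }],
    },
]

# Constructed PR diff: a downgrade of widgetlib, a brand-new gizmo pin,
# and a removal. Only '+' lines are candidates for gating.
SAMPLE_DIFF = """\
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,3 +1,3 @@
 requests==2.31.0
-widgetlib==2.4.1
+widgetlib==2.3.0
-oldthing==0.9
+gizmo==1.0.2
"""

PIN_RE = re.compile(r"^([A-Za-z0-9_.\-]+)==([0-9][0-9A-Za-z.\-]*)\s*$")


def parse_version(v):
    """Turn '1.2.3' into a comparable tuple; non-numeric parts sort low."""
    return tuple(int(p) if p.isdigit() else -1 for p in v.split("."))


def added_pins(diff_text):
    """Return {name: version} for exact pins on the diff's '+' lines."""
    added = {}
    for line in diff_text.splitlines():
        if line.startswith("+++") or not line.startswith("+"):
            continue
        m = PIN_RE.match(line[1:])
        if m:
            added[m.group(1).lower()] = m.group(2)
    return added


def version_affected(version, events):
    """OSV range semantics: events are ordered by version; 'introduced'
    opens a vulnerable window and 'fixed' closes it. The state after the
    last event at or below `version` is the answer."""
    v = parse_version(version)
    affected = False
    for ev in events:
        if "introduced" in ev and parse_version(ev["introduced"]) <= v:
            affected = True
        elif "fixed" in ev and parse_version(ev["fixed"]) <= v:
            affected = False
    return affected


def evaluate_pr(diff_text, advisories, ecosystem="PyPI"):
    """Return (package, version, advisory_id) findings for added pins.
    An empty list means the gate passes."""
    findings = []
    for name, version in added_pins(diff_text).items():
        for adv in advisories:
            for aff in adv["affected"]:
                pkg = aff["package"]
                if pkg["ecosystem"] != ecosystem or pkg["name"].lower() != name:
                    continue
                for rng in aff["ranges"]:
                    if rng["type"] == "ECOSYSTEM" and version_affected(version, rng["events"]):
                        findings.append((name, version, adv["id"]))
    return findings


if __name__ == "__main__":
    for name, version, adv_id in evaluate_pr(SAMPLE_DIFF, SAMPLE_ADVISORIES):
        print(f"BLOCK: {name}=={version} matches {adv_id}")
```

Only lines the PR adds are evaluated, so a context line such as the unchanged `requests` pin never triggers a finding; a real gate would also resolve unpinned or range specifiers before checking them, which this example deliberately leaves out.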
But Stacklok Cloud is just the product that we wanted to build with Minder. As we talked to different people in the community who were interested in using Minder within their organization, we saw that they had their own unique goals. But there were common trends: everyone wanted a platform capable of integrating different tools and services in the software development lifecycle so that they could evaluate different policies, and produce different remediations.
We designed Minder as a platform precisely to provide a ‘big tent’ so that people could build their own tools and services on top of Minder, and address their specific security concerns as they relate to their SDLC. This means that if you have a vested interest in the direction and evolution of Minder and want to ensure your voice is heard and your input valued, you have the guarantee of equal partnership in shaping the future of Minder.
Commitment to the Open Source Security Foundation
Our connection and commitment to the OpenSSF runs deep. First, Minder integrates with a number of OpenSSF projects. Minder uses the OSV data sources to provide vulnerability data about dependencies, and Sigstore to validate artifact signatures. We also provide a Minder profile – a set of policy rules – to help you understand and improve your OpenSSF Scorecard score.
Of course, working in the open source community means always contributing back. This is especially important to me, as my experience with the OpenSSF goes back to when I first contributed Sigstore to the Linux Foundation and later to the OpenSSF. Sigstore is now an OpenSSF Graduated Project. After I helped contribute Sigstore to the OpenSSF, I served as a member of the OpenSSF Technical Advisory Council (TAC), and then as a Governing Board Member of the OpenSSF.
It’s not just me, though; this is a deep part of Stacklok’s culture. Many of us are involved in open source, and especially in open source security projects that are supported by OpenSSF. The Stacklok team consists of contributors and maintainers of projects like Sigstore, OpenVEX, Protobom and TUF.
Commitment to Stacklok’s Virtues
When Craig and I started Stacklok, one of the first things that we did was to define our culture. When we did that, we defined our virtues, not our values. The difference is that a virtue is something that you live and demonstrate every day.
One of our virtues is that we “stand together”. This is true within the company – each individual has a superpower and bringing them together means that the team is more than the sum of its parts. But that’s also true of open source communities. The community is more than the sum of the projects within it.
We believe that if Minder is to succeed as an integration platform for other security tools, it must be a part of an openly governed organization. Minder needs to stand together with the other security tools. And to demonstrate that, we simply must contribute Minder to the OpenSSF. It wouldn’t be consistent with our company culture to do anything else.
We’re proud that OpenSSF has admitted Minder as a sandbox project, and allowed us to honor these commitments. I encourage you to start exploring Minder now—to use it or to contribute to it, visit https://github.com/mindersec/minder.
About the Author
Luke Hinds is the CTO of Stacklok. He is the creator of the open source project sigstore, which makes it easier for developers to sign and verify software artifacts. Prior to Stacklok, Luke was a distinguished engineer at Red Hat.