Stacklok’s Trust Graph and Minder Cloud tackle open source security challenges

Stacklok’s Open Source Software Trust Graph and Minder Cloud aim to improve the safety and transparency of open source projects, helping organizations meet growing security challenges. In this episode, Craig McLuckie, CEO and Founder at Stacklok, discusses the increasing complexity of securing open source software and how Stacklok is addressing it. He says, “We have to fundamentally change the way we think about and approach security, and we have to make those tools accessible to developers in a very practical and realistic way.”

How Stacklok is addressing the increasing complexity of securing open-source software

  • McLuckie discusses his new company, Stacklok, which aims to enhance the security and sustainability of open-source software by improving the transparency and protection of software supply chains.
  • McLuckie explains that ongoing security concerns in tech, especially within open source communities, are driven by increasingly sophisticated state-sponsored attacks. Enhanced measures are necessary to address these advanced threats.
  • When integrated effectively, modern security practices can enhance developer productivity by preventing issues early in the development process. This shift contrasts with past views where security was often seen as a hindrance.
  • McLuckie describes the XZ vulnerability as a critical issue that exposes limitations in current security tools. He advocates for new approaches to better detect and address both known and unknown threats.

Stacklok’s approach to software supply chain security and the importance of culture and education

  • McLuckie outlines Stacklok’s approach to improving open source security by creating an Open Source Software Trust Graph (OSS Trust Graph) to offer detailed insights and integrating this information into developers’ workflows.
  • McLuckie emphasizes the need for high-quality open-source software intelligence that is easy to integrate into daily workflows.
  • McLuckie is concerned about negative trends in open source, such as changing licenses and increased pressure on communities. He advocates for supporting open-source contributors and recognizing vendors who contribute positively to the ecosystem.
  • McLuckie highlights OSS Trust Graph and Minder Cloud as tools to assess and enforce safety and sustainability in open-source projects.
  • Beyond tools, a strong security culture and ongoing education are essential to address new challenges, particularly with the rise of generative AI. Effective practices and awareness are key to improving security outcomes.

Stacklok’s key focuses for the future: expanding the platform and collaboration

  • McLuckie explains that he is engaged in discussions with open-source organizations to align Stacklok’s efforts with community initiatives. He seeks to integrate and support broader open-source security and sustainability efforts.
  • Stacklok’s long-term plans and 2024 expectations are to transform how software security is approached, expand its platform, and remain competitive while contributing significantly to the open-source space.
  • McLuckie believes that the use of Common Vulnerabilities and Exposures (CVEs) is a flawed measure of security. He explains that Stacklok promotes a broader understanding of software sustainability and safety. He seeks to shift focus from binary security assessments to intrinsic sustainability and safety.
  • McLuckie is concerned about potential overreach in government security regulations. Useful tools are needed to support new regulations, so that Software Bills of Materials (SBOMs) become effective for open-source security rather than a compliance checkbox.

Guest: Craig McLuckie (LinkedIn)
Company: Stacklok (Twitter)
Show: Let’s Talk

This summary was written by Emily Nicholls.
