Kubernetes and sigstore founders raise $17.5M to launch software supply chain startup Stacklok

Hoje, às 15:00


6 min de leitura


0 leituras

After being instrumental in launching the Kubernetes open source project, Kubernetes co-founders Craig McLuckie and Joe Beda left Google to launch Heptio in 2016. They then sold the company to VMware in 2018....
Kubernetes and sigstore founders raise $17.5M to launch software supply chain startup Stacklok

After being instrumental in launching the Kubernetes open source project, Kubernetes co-founders Craig McLuckie and Joe Beda left Google to launch Heptio in 2016. They then sold the company to VMware in 2018. Both left VMware in 2022 and McLuckie went on to found a stealth startup after a short stint as an entrepreneur in residence at Accel. Now we know this stealth startup is Stacklok, which aims to build tools and services that focus on software supply chain security.

To build Stacklok, McLuckie teamed up with Luke Hinds as the company’s CTO. Hinds is the founder of the sigstore project, which has become the default open source project that sits at the core of many supply chain stacks. As Hinds told me, sigstore took shape during the early days of the pandemic lockdowns of 2020, while he was working at Red Hat.

Image Credits: Stacklok

“I’ve had the idea in my head for quite a while, but with open source ecosystems, there’s a lot of dark matter out there — such a huge spaghetti beast of dependencies that are intricately combined but not being able to see a clear pattern,” Hinds told me. “So I had this idea of building this sort of supply chain ledger to have observability and transparency into the supply chain. So start with a really good foundation where everything that’s in there has non-repudiation and a cryptographic signature. So you know it’s tied to an identity, whether that be a machine or a human. So if we start with a really good trust foundation — a fabric of trust — then we can start to layer on top of that stack.”

Today, sigstore is part of the Linux Foundation’s Open Source Security Foundation (OpenSSF). With software supply chain security being a priority across software ecosystems, a tool like sigstore that helps developers sign and verify their own project and the libraries they use, it’s become a core tool for building more secure software. And while the two co-founders wouldn’t say too much about their product plans for Stacklok just yet, sigstore will obviously be at the core of this project as well.

McLuckie told me that he, too, had been thinking about supply chain security for a while now — and he also missed building things. “There’s nothing more fun than building a company,” he said. “I’ve been thinking about supply chain security problems for a long time. I’ve been talking about this since well before the SolarWinds incident happened. In my mind, it seemed like something that was an obvious vector for [attackers]. If you think about enterprise organizations, one of their primary differentiators is their ability to produce and consume technology to solve the business problem and when you see the world becoming increasingly dark — a little bit more dangerous — with this weird sort of merging of nation-state actors and commercial hackers so they become almost distinguishable. It seemed logical that the place that person starts to pay attention to is the supply chain: How can you insert something into a supply chain that enterprises consume?

In many ways, the open source supply chain security ecosystem is at a similar point as the early Kubernetes ecosystem. Some of the fundamental building blocks are available, but a lot of work in making the technology more accessible to a wide range of potential users remains to be done. Most developers, as much as they want to write secure code and only work with trustworthy packages, aren’t cryptography experts, after all. Meanwhile, the security landscape continues to shift, all while Executive Order 14028 has now made this a national priority in the U.S.

“The vision that Luke and I have is really starting with developers and providing them a very clear and precise set of insight into what they need to be doing to start producing software better — a better understanding about the dependencies that they’re taking, better understanding about their operating preferences — and in so doing, they start producing data that can then be written into a ledger, so they can effectively show their work. ‘Hey, I was behaving well when I produced this.'”

So early on, Stacklok expects to build tools that surface a lot of this provenance data to developers directly and do so in a way that makes this technology more transparent and accessible to them. McLuckie hinted that the team will likely start building an integration with GitHub first, but the team is keeping most of its plans under wraps until it is ready to launch a beta.

“We want to create this virtuous cycle. This flywheel of engagement,” McLuckie said. “But when you start to look at what teams need, that’s where the more interesting commercial side of things comes into it for us. Once the developers are starting to consume this and use this and generate project information, the obvious logical next question is where is that homed and how do I make policy decisions on the face of that? That’s where our commercial product line will come in.”

Stacklok today announced that it has raised a $17.5 million Series A round. You did not miss the company’s seed round. Stacklok simply decided to forgo this step and call its first funding round a Series A (and given its size, that makes sense). Given McLuckie’s former role as an entrepreneur in residence at Accel, it doesn’t come as a shock that the firm would also invest in Stacklok, together with Madrona, another early Heptio investor.

“The software supply chain security market is fragmented, with many point solution providers but no clear platform leader,” Madrona’s Tim Porter and Sabrina Wu write in their announcement today. “We believe Stacklok is uniquely positioned to win given the team’s unique background and ability to create a novel platform solution that is both proactive and remediative across the entire DevSecOps process, providing an elegant and effective approach to CodeSec and naturally expanding over time to AppSec scenarios. For instance, we envision Stacklok will be able to force remediation for a production package when a new day zero vulnerability is discovered and improve visibility into the supply chain by making contextual information useful.”

Heptio sold rather quickly — before the team was even able to fully build out the product portfolio it had envisioned. Indeed, when I asked McLuckie about this, he said that he may have sold too early. “It was too quick. It was too early. It was the best job. I wanted to keep doing it, but the money was too good to say no,” he said. He argues that the Stacklok team is in it for the long haul, though.

Continue lendo

AI | Techcrunch

Your first look at Alliance DAO’s latest cohort of web3 startups
AI, ZK proofs, crypto wallets and dApp support among major themes at demo day The crypto industry continues to face myriad headwinds, but there’s no shortage of startups and founders diving into...

Hoje, às 19:17


Build a Blog using Next.JS and
In this article you will learn how to build a Next.JS blog by fetching your Posts directly from I received an incredible feedback from my Post Use Notion as a database for your Next.JS Blog thanks...

Hoje, às 18:04

AI | Techcrunch

Ask Sophie: Which visas are best for U.S. startup accelerators?
Sophie Alcorn is the founder of Alcorn Immigration Law in Silicon Valley and 2019 Global Law Experts Awards’ “Law Firm of the Year in California for Entrepreneur Immigration Services.” She connects people...

Hoje, às 18:00


Create Switch Case Kind Widget in Flutter
Welcome back guys,Today we are going to learn some new quick technique by which we can enhance our flutter code readability. We are going to create own Switch-Case like conditional widgets or same like bloc...

Hoje, às 17:15


NVIDIA lança plataforma para criar AIs generativas para setor de TI
Em parceria com a ServiceNow, a NVIDIA deu mais um passo para que cada vez mais empresas consigam ter um dia a dia mais dinâmico com o uso de inteligências artificiais. A empresa, por meio de dados de seus...

Hoje, às 17:00

Tech Crunch

From root to crown, Mast Reforestation is regrowing the tree economy for the 21st century
Here’s the problem: The planet is burning, and there’s not much we can do about it. Forests are in peril not just because of the ravages of climate change, but because the industries that support them remain...

Hoje, às 16:05


Best Practices for Writing on DEV: Topics
Hey devs! Time for another installment in our Best Practices for Writing on DEV series. Today I'll share some guidelines for choosing and framing your topic. Topics We created DEV because we wanted to...

Hoje, às 16:01

AI | Techcrunch

Traefik Labs launches Traefik Hub, a Kubernetes-native API management service
Traefik today announced the general availability of Traefik Hub, its cloud-native API management solution for publishing, securing and managing APIs. Founded in 2016 by Emile Vauge, Traefik Labs had an early...

Hoje, às 16:00

AI | Techcrunch

AI touches everything, everywhere all at once at Disrupt
Like it or not, AI is part of our lives from here on out — for better or worse. In the past six months alone, TechCrunch has written nearly 600 articles focused on the impact of AI technology in our lives...

Hoje, às 16:00

AI | Techcrunch

Union AI raises $19.1M Series A to simplify AI and data workflows with Flyte
Union AI, a Bellevue, Washington–based open source startup that helps businesses build and orchestrate their AI and data workflows with the help of a cloud-native automation platform, today announced that it...

Hoje, às 16:00