Kubernetes co-founders Craig McLuckie and Joe Beda departed Google in 2016 to create Heptio. VMware bought it in 2018. After a brief Accel residency, McLuckie founded a stealth firm. This stealth firm, Stacklok, builds software supply chain security solutions and services.
McLuckie and CTO Luke Hinds built Stacklok. The Sigstore project, founded by Hinds, is the default open-source project in many supply chain stacks. Hinds told me that Sigstore began during the 2020 pandemic lockdowns, while he was working at Red Hat.
“There is such a large spaghetti beast of dependencies that are tightly connected but unable to detect a clear pattern,” Hinds told me. “I wanted to build a supply chain ledger for transparency and observability. Start with a solid foundation that has cryptographic signatures and non-repudiation. Thus, it has a human or machine identity. So if we start with an excellent trust foundation—a fabric of trust—we can add on top of that stack.”
Today, Sigstore is part of the OpenSSF. Software ecosystems now prioritize software supply chain security, making tools like Sigstore, which helps developers sign and verify their projects and libraries, essential for producing more secure software. The two co-founders wouldn’t reveal Stacklok’s product ambitions, but Sigstore will be central to them.
McLuckie said he had been thinking about supply chain security and missed constructing things. “Building a company is the most fun,” he remarked. “However, supply chain security has been on my mind for a while. This was discussed before the SolarWinds event. It felt like a natural vector for [attackers]. One of their main differentiators is enterprise organizations’ ability to produce and consume technology to solve business problems. As the world becomes darker and more dangerous, nation-state actors and commercial hackers merge to the point where they are almost indistinguishable. How do you insert something into a supply chain that corporations consume?”
Open-source supply chain security resembles early Kubernetes. Some basic building blocks are available, but more effort is needed to make the technology accessible to the many potential consumers. Despite their desire to produce secure code and use trustworthy packages, most developers are not cryptography specialists. And while Executive Order 14028 makes this a U.S. priority, the security landscape keeps changing.
“The vision that Luke and I have is starting with developers and providing them a very clear and precise set of insight into what they need to be doing to start producing software better—a better understanding about their dependencies, better understanding about their operating preferences—and in so doing, they start producing data that can then be written into a ledger, so they can effectively show their work: ‘Hey, I behaved well when I produced this.’”
Early on, Stacklok hopes to offer tools that directly disclose much provenance data to developers, making this technology more transparent and accessible. McLuckie revealed that the company would first integrate with GitHub, but the team keeps most of its ideas under wraps until it launches a beta.
“We want this virtuous cycle. This engagement flywheel,” McLuckie said. “But when you start to look at what teams need, that’s where the more interesting commercial side comes in for us. Once developers start using this and generating project information, the next concern is where is that housed and how can I make policy decisions based on that? Our commercial product line addresses that.”
Stacklok announced a $17.5 million Series A investment today. If you missed the company’s seed round, that is because Stacklok skipped that phase and, given the size of this first round, called it a Series A. Accel, where McLuckie was an entrepreneur in residence, invested in Stacklok, as did Madrona, another early Heptio investor.
“The software supply chain security market is fragmented, with many point solution providers but no clear platform leader,” Madrona’s Tim Porter and Sabrina Wu wrote in their release today. “Stacklok is uniquely positioned to win given the team’s unique background and ability to create a novel platform solution that is proactive in remediation across the entire DevSecOps process, providing an elegant and effective approach to CodeSec and naturally expanding to AppSec scenarios. In addition, we expect Stacklok to require production package remediation when a new zero-day vulnerability is found and increase supply chain visibility by making contextual information helpful.”
Heptio sold before the team could complete its product portfolio. When I asked McLuckie about it, he replied that he may have sold too early. “Too fast. Too early. Best job,” he said. However, he says the Stacklok crew is committed.