RALEIGH, N.C. — In what could prove a major move forward for open source software development security, Stacklok, the open source security company, has announced the donation of its Minder project to the Open Source Security Foundation (OpenSSF).
Craig McLuckie, CEO and co-founder of Stacklok and best known as one of the co-founders of Kubernetes, revealed the news at the All Things Open conference Monday.
For those of you who haven’t met Minder yet, it’s an open source supply chain security program that seeks, as McLuckie said in his keynote, “to provide a common control plane for today’s numerous open source security tools.”
With more developer security tools than I can shake a stick at, and more appearing all the time, there is a clear need for a program that ties them together.
“90% of the code that’s being delivered into a production environment is written by random people on the internet. And those random people are increasingly using generative AI models”—@cmcluck, on Stacklok donating its Minder #security supply chain platform to @openssf #ATO2024
— Joab Jackson (@Joab_Jackson) October 28, 2024
Minder gives project maintainers and developers that control plane by letting them manage their security posture proactively: it supplies a set of checks and policies that reduce risk along the software supply chain. Users enroll repositories and define policies that keep those repositories and their artifacts configured consistently and securely. Each policy can be set to alert only or to auto-remediate. Minder ships with a predefined set of rules and can also be configured with custom ones, and it is extensible, so it can be integrated with existing tooling and processes.
You can deploy Minder as a Helm chart, and it comes with a command-line interface (CLI). Stacklok also offers a free-to-use hosted version of Minder (for public repositories only) and a commercial Software as a Service (SaaS) version.
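As an added illustration (this is not code from the article or from the Minder project itself), here is the shape of a Minder profile of the kind described above. The field layout follows the profile schema from the project’s documentation as I recall it; the profile name, the `main` branch name, the GitHub provider and the choice of rule types are assumptions, and each rule type must already be registered (with `minder ruletype apply`) before the profile is applied.

```yaml
# Added example, not the project's own file. Field names follow the documented
# Minder profile schema as I recall it; name, provider and rule choice are assumed.
version: v1
type: profile
name: baseline-repo-hygiene        # assumed profile name
context:
  provider: github                 # assumed: enrolled repositories live on GitHub
# Alert-only posture: Minder reports drift but changes nothing in the repository.
# Switching remediate to "on" is the auto-remediate mode the article mentions.
alert: "on"
remediate: "off"
repository:
  # Each entry names a rule type previously registered with
  # `minder ruletype apply -f <rule-type.yaml>` (assumed from the docs).
  - type: secret_scanning
    def:
      enabled: true
  - type: secret_push_protection
    def:
      enabled: true
  - type: branch_protection_enabled
    params:
      branch: main                 # assumed default branch
    def: {}
```

With `remediate: "on"`, Minder would itself enable secret scanning and push protection and create the branch protection rule rather than only raising an alert; start with alert-only on newly enrolled repositories and flip it once the findings look right. As I recall the CLI, the profile is loaded with `minder profile apply -f profile.yaml` and results are read back with `minder profile status list`; confirm the exact flags against `minder profile --help` for your version.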
Why Stacklok Is Donating Minder
Why is Stacklok donating the project? McLuckie explained, “We truly believe that the most powerful platforms are authentically community-centric. We want other organizations like Google to feel as much ownership of this platform as we do.”
McLuckie drew parallels between Minder and his experience with Kubernetes, stating, “I got to see up close and personal just how powerful and effective a community-centric platform can be in shaping an ecosystem.” He envisions Minder becoming a central platform for integrating various open source security capabilities, similar to how Kubernetes serves as an integration point for CNCF projects.
The move to OpenSSF positions Minder as a sandbox project within the foundation’s Security Tooling Working Group. This transition brings several benefits, including access to OpenSSF governance models and resources, and guidance from the Security Tooling Working Group on growing and improving the project.
McLuckie highlighted the current challenges in the security landscape, noting, “We’re seeing this world where persistent hackers, advanced persistent threats, APTs, are increasingly state-sponsored.” He emphasized that Minder aims to counteract these pressures by enabling people to choose their own open source security tools.
One of Minder’s key advantages is its ability to simplify the integration of multiple security tools. McLuckie explained, “Our ambition is to have one common control plane that supports all of these communities. So you can integrate that, specify which policies you want to have applied, and then rely on Minder to do the onerous work of deploying, managing, and operating some of these systems.”
While Stacklok will continue to offer a commercial, hosted version of Minder, the core platform will remain open source and free for community use. McLuckie emphasized, “We’re not going to try to commercialize the work of open source communities.”
The donation of Minder to OpenSSF comes at a crucial time, when the intersection of generative AI and open source is raising new security concerns. McLuckie noted, “90% of the code that’s being delivered into a production environment is written by random people on the internet,” highlighting the need for robust security measures in the age of AI-generated code.
As Minder integrates with the OpenSSF ecosystem, it could become a cornerstone of open source security efforts.
The post Stacklok Donates Minder Security Project to OpenSSF appeared first on The New Stack.