Stacklok Company Profile
Background
Stacklok, founded in 2023, is dedicated to enhancing the security of open-source software by developing tools and services focused on software supply chain security. The company's mission is to empower developers and open-source communities with resources to build and consume safer software. Operating within the network security and open-source software industries, Stacklok aims to make the innovative power of open source more naturally accessible to developers who prioritize security.
Key Strategic Focus
Stacklok's strategic focus centers on Developer Security Posture Management (DSPM), assisting developers in operating securely throughout the software development lifecycle. The company specializes in providing end-to-end visibility into the software supply chain, evaluating code repositories and dependencies, recommending security enhancements, and enforcing policies during the continuous integration and continuous deployment (CI/CD) process. By leveraging open-source projects like Sigstore, Stacklok offers tools that integrate seamlessly into developer workflows, ensuring the integrity and security of software artifacts.
Financials and Funding
In May 2023, Stacklok secured a $17.5 million Series A funding round led by Madrona Venture Group and Accel. This capital is intended to accelerate product development and expand the company's market presence.
Pipeline Development
Stacklok offers two primary products:
- Trusty: Assesses open-source package risk factors, such as author and repository activity, to help developers make safer dependency choices.
- Minder: An open-source platform that automates and enforces security practices, including artifact signing and verification, across multiple repositories.
These tools are designed to integrate seamlessly into developer workflows, promoting continuous security throughout the software development lifecycle.
Technological Platform and Innovation
Stacklok's innovation is rooted in its use of open-source projects alongside proprietary technologies:
- Sigstore: An open-source project founded by Stacklok's CTO, Luke Hinds. Sigstore provides a secure, cryptographic ledger for verifying and protecting software artifacts, enabling developers to sign and verify software components and so establish their integrity and provenance.
- Stacklok Insight: A service that helps developers and security teams assess open-source package and dependency risk by evaluating security signals such as proof of origin, known vulnerabilities, and activity levels. It supports multiple open-source package ecosystems, including Go, JavaScript/TypeScript, Python, Rust, and Java.
Leadership Team
- Craig McLuckie: Co-founder and Chief Executive Officer. Previously co-founded Heptio and was instrumental in launching the Kubernetes open-source project at Google. Heptio was acquired by VMware in 2018 for $600 million.
- Luke Hinds: Co-founder and Chief Technology Officer. Founder of the Sigstore project and former distinguished engineer at Red Hat. He has extensive experience in security and open-source communities.
- Shanis Windland: Chief Operating Officer. Former Vice President of Diversity, Equity, and Inclusion at VMware and CFO of Heptio. She brings a wealth of experience in operations and finance.
Leadership Changes
In January 2024, Stacklok appointed Shanis Windland as Chief Operating Officer. Windland previously served as Vice President of Diversity, Equity, and Inclusion at VMware and was the CFO of Heptio.
Competitor Profile
Market Insights and Dynamics
The software supply chain security market is experiencing significant growth due to the increasing reliance on open-source software and the rising number of supply chain attacks. Enterprises are prioritizing solutions that provide end-to-end visibility and security throughout the software development lifecycle.
Competitor Analysis
Key competitors in the software supply chain security space include:
- Snyk: Focuses on identifying and fixing vulnerabilities in open-source dependencies and container images.
- Sonatype: Provides tools for managing open-source components and detecting vulnerabilities.
- JFrog: Offers a platform for artifact management and security, including vulnerability detection.
These companies primarily focus on vulnerability scanning and management, whereas Stacklok differentiates itself by emphasizing developer security posture management and integrating security practices seamlessly into developer workflows.
Strategic Collaborations and Partnerships
Stacklok collaborates closely with the open-source community, particularly through its involvement with the Sigstore project. By supporting and integrating Sigstore, Stacklok enhances its platform's capabilities in verifying and protecting software artifacts.
Operational Insights
Stacklok's strategic considerations include:
- Developer-Centric Approach: Focusing on tools that integrate seamlessly into developer workflows to promote security without disrupting productivity.
- Open-Source Commitment: Leveraging and contributing to open-source projects to build trust and foster community engagement.
- Comprehensive Security: Providing end-to-end visibility and control over the software supply chain, addressing risks beyond traditional vulnerability scanning.
Strategic Opportunities and Future Directions
Stacklok aims to:
- Expand Product Offerings: Develop additional tools and services that address emerging security challenges in the software supply chain.
- Enhance AI Integration: Incorporate artificial intelligence and machine learning to improve risk assessment and threat detection capabilities.
- Strengthen Market Position: Leverage its leadership team's expertise and open-source community involvement to establish itself as a leader in software supply chain security.
Contact Information
- Website: www.stacklok.com
- GitHub: github.com/stacklok
- Discord: discord.gg/stacklok