Enterprise

Kubernetes and sigstore founders raise $17.5M to launch software supply chain startup Stacklok

Comment

Digital background security systems and data protection
Image Credits: Olemedia (opens in a new window) / Getty Images

After being instrumental in launching the Kubernetes open source project, Kubernetes co-founders Craig McLuckie and Joe Beda left Google to launch Heptio in 2016. They then sold the company to VMware in 2018. Both left VMware in 2022 and McLuckie went on to found a stealth startup after a short stint as an entrepreneur in residence at Accel. Now we know this stealth startup is Stacklok, which aims to build tools and services that focus on software supply chain security.

To build Stacklok, McLuckie teamed up with Luke Hinds as the company’s CTO. Hinds is the founder of the sigstore project, which has become the default open source project that sits at the core of many supply chain stacks. As Hinds told me, sigstore took shape during the early days of the pandemic lockdowns of 2020, while he was working at Red Hat.

Image Credits: Stacklok

“I’ve had the idea in my head for quite a while, but with open source ecosystems, there’s a lot of dark matter out there — such a huge spaghetti beast of dependencies that are intricately combined but not being able to see a clear pattern,” Hinds told me. “So I had this idea of building this sort of supply chain ledger to have observability and transparency into the supply chain. So start with a really good foundation where everything that’s in there has non-repudiation and a cryptographic signature. So you know it’s tied to an identity, whether that be a machine or a human. So if we start with a really good trust foundation — a fabric of trust — then we can start to layer on top of that stack.”

Today, sigstore is part of the Linux Foundation’s Open Source Security Foundation (OpenSSF). With software supply chain security being a priority across software ecosystems, a tool like sigstore that helps developers sign and verify their own project and the libraries they use, it’s become a core tool for building more secure software. And while the two co-founders wouldn’t say too much about their product plans for Stacklok just yet, sigstore will obviously be at the core of this project as well.

McLuckie told me that he, too, had been thinking about supply chain security for a while now — and he also missed building things. “There’s nothing more fun than building a company,” he said. “I’ve been thinking about supply chain security problems for a long time. I’ve been talking about this since well before the SolarWinds incident happened. In my mind, it seemed like something that was an obvious vector for [attackers]. If you think about enterprise organizations, one of their primary differentiators is their ability to produce and consume technology to solve the business problem and when you see the world becoming increasingly dark — a little bit more dangerous — with this weird sort of merging of nation-state actors and commercial hackers so they become almost distinguishable. It seemed logical that the place that person starts to pay attention to is the supply chain: How can you insert something into a supply chain that enterprises consume?

In many ways, the open source supply chain security ecosystem is at a similar point as the early Kubernetes ecosystem. Some of the fundamental building blocks are available, but a lot of work in making the technology more accessible to a wide range of potential users remains to be done. Most developers, as much as they want to write secure code and only work with trustworthy packages, aren’t cryptography experts, after all. Meanwhile, the security landscape continues to shift, all while Executive Order 14028 has now made this a national priority in the U.S.

“The vision that Luke and I have is really starting with developers and providing them a very clear and precise set of insight into what they need to be doing to start producing software better — a better understanding about the dependencies that they’re taking, better understanding about their operating preferences — and in so doing, they start producing data that can then be written into a ledger, so they can effectively show their work. ‘Hey, I was behaving well when I produced this.’”

So early on, Stacklok expects to build tools that surface a lot of this provenance data to developers directly and do so in a way that makes this technology more transparent and accessible to them. McLuckie hinted that the team will likely start building an integration with GitHub first, but the team is keeping most of its plans under wraps until it is ready to launch a beta.

“We want to create this virtuous cycle. This flywheel of engagement,” McLuckie said. “But when you start to look at what teams need, that’s where the more interesting commercial side of things comes into it for us. Once the developers are starting to consume this and use this and generate project information, the obvious logical next question is where is that homed and how do I make policy decisions on the face of that? That’s where our commercial product line will come in.”

Stacklok today announced that it has raised a $17.5 million Series A round. You did not miss the company’s seed round. Stacklok simply decided to forgo this step and call its first funding round a Series A (and given its size, that makes sense). Given McLuckie’s former role as an entrepreneur in residence at Accel, it doesn’t come as a shock that the firm would also invest in Stacklok, together with Madrona, another early Heptio investor.

“The software supply chain security market is fragmented, with many point solution providers but no clear platform leader,” Madrona’s Tim Porter and Sabrina Wu write in their announcement today. “We believe Stacklok is uniquely positioned to win given the team’s unique background and ability to create a novel platform solution that is both proactive and remediative across the entire DevSecOps process, providing an elegant and effective approach to CodeSec and naturally expanding over time to AppSec scenarios. For instance, we envision Stacklok will be able to force remediation for a production package when a new day zero vulnerability is discovered and improve visibility into the supply chain by making contextual information useful.”

Heptio sold rather quickly — before the team was even able to fully build out the product portfolio it had envisioned. Indeed, when I asked McLuckie about this, he said that he may have sold too early. “It was too quick. It was too early. It was the best job,” he said. He argues that the Stacklok team is in it for the long haul, though.

Sigstore launches free software signing and verification service for open source projects

VMware acquires Heptio, the startup founded by 2 co-founders of Kubernetes

More TechCrunch

A new crop of early-stage startups — along with some recent VC investments — illustrates a niche emerging in the autonomous vehicle technology sector. Unlike the companies bringing robotaxis to…

VCs and the military are fueling self-driving startups that don’t need roads

When the founders of Sagetap, Sahil Khanna and Kevin Hughes, started working at early-stage enterprise software startups, they were surprised to find that the companies they worked at were trying…

Deal Dive: Sagetap looks to bring enterprise software sales into the 21st century

Keeping up with an industry as fast-moving as AI is a tall order. So until an AI can do it for you, here’s a handy roundup of recent stories in the world…

This Week in AI: OpenAI moves away from safety

After Apple loosened its App Store guidelines to permit game emulators, the retro game emulator Delta — an app 10 years in the making — hit the top of the…

Adobe comes after indie game emulator Delta for copying its logo

Meta is once again taking on its competitors by developing a feature that borrows concepts from others — in this case, BeReal and Snapchat. The company is developing a feature…

Meta’s latest experiment borrows from BeReal’s and Snapchat’s core ideas

Welcome to Startups Weekly! We’ve been drowning in AI news this week, with Google’s I/O setting the pace. And Elon Musk rages against the machine.

Startups Weekly: It’s the dawning of the age of AI — plus,  Musk is raging against the machine

IndieBio’s Bay Area incubator is about to debut its 15th cohort of biotech startups. We took special note of a few, which were making some major, bordering on ludicrous, claims…

IndieBio’s SF incubator lineup is making some wild biotech promises

YouTube TV has announced that its multiview feature for watching four streams at once is now available on Android phones and tablets. The Android launch comes two months after YouTube…

YouTube TV’s ‘multiview’ feature is now available on Android phones and tablets

Featured Article

Two Santa Cruz students uncover security bug that could let millions do their laundry for free

CSC ServiceWorks provides laundry machines to thousands of residential homes and universities, but the company ignored requests to fix a security bug.

1 day ago
Two Santa Cruz students uncover security bug that could let millions do their laundry for free

OpenAI’s Superalignment team, responsible for developing ways to govern and steer “superintelligent” AI systems, was promised 20% of the company’s compute resources, according to a person from that team. But…

OpenAI created a team to control ‘superintelligent’ AI — then let it wither, source says

TechCrunch Disrupt 2024 is just around the corner, and the buzz is palpable. But what if we told you there’s a chance for you to not just attend, but also…

Harness the TechCrunch Effect: Host a Side Event at Disrupt 2024

Decks are all about telling a compelling story and Goodcarbon does a good job on that front. But there’s important information missing too.

Pitch Deck Teardown: Goodcarbon’s $5.5M seed deck

Slack is making it difficult for its customers if they want the company to stop using its data for model training.

Slack under attack over sneaky AI training policy

A Texas-based company that provides health insurance and benefit plans disclosed a data breach affecting almost 2.5 million people, some of whom had their Social Security number stolen. WebTPA said…

Healthcare company WebTPA discloses breach affecting 2.5 million people

Featured Article

Microsoft dodges UK antitrust scrutiny over its Mistral AI stake

Microsoft won’t be facing antitrust scrutiny in the U.K. over its recent investment into French AI startup Mistral AI.

1 day ago
Microsoft dodges UK antitrust scrutiny over its Mistral AI stake

Ember has partnered with HSBC in the U.K. so that the bank’s business customers can access Ember’s services from their online accounts.

Embedded finance is still trendy as accounting automation startup Ember partners with HSBC UK

Kudos uses AI to figure out consumer spending habits so it can then provide more personalized financial advice, like maximizing rewards and utilizing credit effectively.

Kudos lands $10M for an AI smart wallet that picks the best credit card for purchases

The EU’s warning comes after Microsoft failed to respond to a legally binding request for information that focused on its generative AI tools.

EU warns Microsoft it could be fined billions over missing GenAI risk info

The prospects for troubled banking-as-a-service startup Synapse have gone from bad to worse this week after a United States Trustee filed an emergency motion on Wednesday.  The trustee is asking…

A US Trustee wants troubled fintech Synapse to be liquidated via Chapter 7 bankruptcy, cites ‘gross mismanagement’

U.K.-based Seraphim Space is spinning up its 13th accelerator program, with nine participating companies working on a range of tech from propulsion to in-space manufacturing and space situational awareness. The…

Seraphim’s latest space accelerator welcomes nine companies

OpenAI has reached a deal with Reddit to use the social news site’s data for training AI models. In a blog post on OpenAI’s press relations site, the company said…

OpenAI inks deal to train AI on Reddit data

X users will now be able to discover posts from new Communities that are trending directly from an Explore tab within the section.

X pushes more users to Communities

For Mark Zuckerberg’s 40th birthday, his wife got him a photoshoot. Zuckerberg gives the camera a sly smile as he sits amid a carefully crafted re-creation of his childhood bedroom.…

Mark Zuckerberg’s makeover: Midlife crisis or carefully crafted rebrand?

Strava announced a slew of features, including AI to weed out leaderboard cheats, a new ‘family’ subscription plan, dark mode and more.

Strava taps AI to weed out leaderboard cheats, unveils ‘family’ plan, dark mode and more

We all fall down sometimes. Astronauts are no exception. You need to be in peak physical condition for space travel, but bulky space suits and lower gravity levels can be…

Astronauts fall over. Robotic limbs can help them back up.

Microsoft will launch its custom Cobalt 100 chips to customers as a public preview at its Build conference next week, TechCrunch has learned. In an analyst briefing ahead of Build,…

Microsoft’s custom Cobalt chips will come to Azure next week

What a wild week for transportation news! It was a smorgasbord of news that seemed to touch every sector and theme in transportation.

Tesla keeps cutting jobs and the feds probe Waymo

Sony Music Group has sent letters to more than 700 tech companies and music streaming services to warn them not to use its music to train AI without explicit permission.…

Sony Music warns tech companies over ‘unauthorized’ use of its content to train AI

Winston Chi, Butter’s founder and CEO, told TechCrunch that “most parties, including our investors and us, are making money” from the exit.

GrubMarket buys Butter to give its food distribution tech an AI boost

The investor lawsuit is related to Bolt securing a $30 million personal loan to Ryan Breslow, which was later defaulted on.

Bolt founder Ryan Breslow wants to settle an investor lawsuit by returning $37 million worth of shares