Contributing Minder to the OpenSSF, out of a deep belief in the power of the open source community

Published at
11/4/2024
Categories
devsecops
cybersecurity
softwaresupplychain
development
Author
lukehinds

I’m excited to announce that Stacklok is contributing our Minder open source project to the Open Source Security Foundation (OpenSSF). Minder makes it simpler for developers and security teams to adopt a policy-based approach to open source software security; it reduces noise, alerts to risk only when necessary, auto-remediates inconsistencies and spans the entire software development lifecycle.

The OpenSSF is the perfect home for Minder, since the Foundation’s goal is to sustainably secure open source software. The community already includes a number of powerful projects. We created and contributed Minder to make those projects—all that innovation—easier to integrate and operate. In talking with organizations from across industries, we know there’s a strong interest in an open source software security platform that is actually open source. Leaders understand that the best way to strengthen their posture is by working more closely with the open source community. We’re convinced that Minder can bridge that gap.

“We believe organizations that adopt a policy-based approach to security are best positioned to stay steps ahead of threat actors,” said Bob Callaway, Head of Google's Open Source Security Team. “To that end, Minder brings a complementary set of capabilities to the OpenSSF Security Tools Working Group.”

Contributing Minder to an open source foundation is a crucial commitment from us. This commitment ensures that the community can not only adopt Minder, but also trust that it’s being developed under an open governance model, inside a foundation. We have always wanted OpenSSF to be that foundation, since we’re aligned on values, and also see the need for a community-centric platform capable of securing the software development lifecycle (SDLC).

Commitment to a Minder community
We conceived Minder as an open source project from the beginning; but we also conceived of it as a platform, not just a project. My co-founder at Stacklok, Craig McLuckie, co-created Kubernetes, and just as Kubernetes proved an anchor point for cloud native computing, we recognized a similar need in open source software security.

Let me give you a concrete example: we use Minder as the platform that powers our Stacklok Cloud product. It ingests data from multiple integration sources, such as the OSV vulnerability databases, or our own open source dependency security intelligence service. It then uses a GitHub provider integration to apply that data to gate pull requests that introduce new dependencies, and ensure they do not introduce risks such as vulnerabilities or malicious packages.

But Stacklok Cloud is merely the product that we wanted to build with Minder. As we talked to different people in the community who were interested in using Minder within their organization, we saw that they had their own unique goals. But there were common trends: everyone wanted a platform capable of integrating different tools and services in the SDLC, so that they could evaluate different policies, and ultimately produce different remediations.

We designed Minder as a platform precisely to provide a “big tent” so that people could build their own tools and services on top of Minder, and address their specific security concerns as they relate to their SDLC. This means that you can take a vested interest in Minder, and have a say in its direction and evolution. An open governance model ensures that your voice is heard and you can help shape the future of Minder.

Commitment to the Open Source Security Foundation
Our connection and commitment to the OpenSSF runs deep. First, Minder integrates with a number of OpenSSF projects. Minder uses the OSV data sources to provide vulnerability data about dependencies, and Sigstore to validate artifact signatures. We also provide a Minder profile – a set of policy rules – to help you understand and improve your OpenSSF Scorecard score.

Of course, working in the open source community means always contributing back. This is especially important to me, as my experience with the OpenSSF goes back to when I first contributed Sigstore to the Linux Foundation and later to the OpenSSF. After that, I served as a member of the OpenSSF Technical Advisory Council (TAC), and then as a Governing Board Member of the OpenSSF.

It’s not just me, though; this is a deep part of Stacklok’s culture. Many of us are involved in open source, and especially in open source security projects that are supported by OpenSSF. The Stacklok team consists of contributors and maintainers of projects like Sigstore, OpenVEX, Protobom and TUF.

Commitment to Stacklok’s Virtues
When Craig and I started Stacklok, one of the first things that we did was to define our culture. When we did that, we defined our virtues, not our values. The difference is that a virtue is something that you live and demonstrate every day.

One of our virtues is that we “stand together”. This is true within the company – each individual has a superpower and bringing them together means that the team is more than the sum of its parts. But that’s also true of open source communities. The community is more than the sum of the projects within it.

We believe that if Minder is to succeed as an integration platform for other security tools, it must be a part of an openly governed organization. Minder needs to stand together with the other security tools. And to demonstrate that, we simply must contribute Minder to the OpenSSF. It wouldn’t be consistent with our company culture to do anything else.

We’re proud that OpenSSF has admitted Minder as a sandbox project, and allowed us to honor these commitments. I encourage you to start exploring Minder now—to use it or to contribute to it, visit https://github.com/mindersec/minder.
