Chainguard | Making Supply Chain Secure | Matthew Moore

networks of thousands of businesses, Fortune 500 organizations and federal government agencies. By breaking into SolarWinds’ network and pushing a tainted software update to its customers, the Russian spies delivered digital backdoors directly to the heart of the U.S. federal government.

It was, and by some accounts continues to be, one of the most intricate acts of cyber-espionage in recent years to become public. But it was the delivery mechanism that sparked fear: How could companies trust that the software on their networks hadn’t been tampered with?

That’s one of the problems that five ex-Google employees are trying to solve. Dan Lorenc, Matt Moore, Scott Nichols, Ville Aikas and Kim Lewandowski founded Chainguard in October after working together on building open source tools at Google. Before founding Chainguard, the five most recently worked on two open source security projects, Sigstore, a new standard for digitally signing and verifying software, and SLSA (delightfully pronounced “salsa”), a framework for maintaining end-to-end integrity of a software supply chain.

Just like a product made on a factory assembly line, software can be made up of different components, and can sometimes depend on code written by others and released as open source for anyone to use. These software “dependencies” sometimes have bugs that go unnoticed but are incorporated into larger software projects. Attackers also intentionally try to introduce subtle flaws that can be later exploited, sometimes at scale, if the flaws are embedded in widely used software.

“A lot of companies are relying more and more on open source software, and actually not realizing the risks that they’re setting themselves up for when they go and find some random package on the internet and install it in their production systems,” Lewandowski told TechCrunch. “We want to make it possible for companies to have confidence in some of these critical open source packages; they can go back and trace to the source and understand the pieces that go into creating that software package and having an audit trail to go back and track to see where it came from, if there does happen to be a breach.”

The co-founding team plans to work on open source projects to help companies understand and manage the risks they face from the software supply chains.

Replicated Speeds Up CVE Patches and Reclaims Engineering Resources with Chainguard

‍Replicated, a leading provider of cloud-native application tools and solutions, offers a platform to help software vendors distribute commercial applications to their own customers’ self-managed Kubernetes environments.

Vulnerability sprawl is the rate at which CVEs accumulate in software or popular container images and applications and how quickly engineering teams are able to realistically update and mitigate known CVEs in a required or expected period of time. Our research found popular container images, when not updated, accumulate one known vulnerability per day. This doesn’t account for the countless false positives that are also being flagged daily to engineering teams by the scanners they use.

When you combine the reality of vulnerability sprawl and the high rate of false positives, you end up with a lot of time spent mitigating risk when you could be building or innovating the next project.

Replicated recognized the importance of maintaining a secure and robust environment for their vendors’ applications running on Kubernetes. Because Replicated and its vendors leverage a wide range of open source and proprietary tools, it became clear there was a need to proactively address CVEs and enhance the processes to mitigate them. Replicated’s engineering team were spending precious time and resources patching and triaging CVEs to keep vendor environments for their customers secure. The team needed a solution to help cut down this time spent patching vulnerabilities, but one that also presented an opportunity to use only hardened images with secure-by-default capabilities.

To alleviate these concerns and proactively address potential security risks in its software, Replicated sought a solution that would help mitigate CVEs at the source. This led to their adoption of Chainguard Images.

Chainguard Images offered a more efficient solution to address the time spent patching CVEs, and will help Replicated to more quickly triage any future vulnerabilities from false positives. By addressing the vulnerabilities at the earliest stage of the image creation process, Chainguard Images will significantly reduce the chance of CVEs impacting Replicated’s software vendor customers who are using the Replicated platform to provide products and solutions to their own customers. This proactive approach by Replicated to adopt Chainguard Images provided added assurance to Replicated’s software vendors and their own enterprise customers, enabling them to deploy and manage their applications on Kubernetes with greater confidence in image security and hygiene. Additionally, with the extra time spent not patching low severity CVEs, Replicated’s engineering team was able to focus on other software supply chain security priorities like Software Bill of Materials (SBOMs), software provenance and Vulnerability Exploitability eXchange (VEX).

Selling an engineering team on a security solution is not as easy as it may seem. As a company rooted in engineering, at Chainguard we know what it is like when we hear about a new security tool or solution that is going to help us be more secure without hindering our workflow. There is often a hesitation and frustration that yet another step is going to be added that may impact our productivity. We expected to run into this exact scenario when we started talking to companies about Chainguard and our products. With Replicated, we had proven our value to the security team by showing them how we could solve their vulnerability sprawl problem, but faced some hesitation from the platform engineering team that using our base images wouldn’t hinder their day-to-day work.

‍Working hand in hand with Replicated’s platform engineering team to quell these concerns, Chainguard was able to address the team’s feedback and prove that we weren’t going to be another security tool that gets in their way. Instead, we enhanced this foundational engineering work by offering a solution in our Chainguard Images that is both secure and designed with a developer-first mindset based on the tools they know and love. As a team of builders, our mission is to give other builders the tools they need to do their jobs right from the start.

Replicated’s collaboration with Chainguard Images proved to be instrumental in enhancing the security and reliability of the Replicated platform. By mitigating the CVEs associated with external dependencies, Chainguard Images played a pivotal role in ensuring that Replicated’s customers could operate their applications in Kubernetes environments with minimal security risks.

“In May 2023, in our KOTS repo, we bumped versions of third party software 568 times due to vulnerabilities. I’m certain there were lower severity vulnerabilities that just didn’t get addressed because it wasn’t worth the effort to go after every vulnerability. This morning, I saw our latest KOTS Chainguard Image and found zero vulnerabilities.” – Andrew Storms, Replicated CISO

‍The proactive approach adopted by Chainguard Images aligned perfectly with Replicated’s commitment to delivering robust and trustworthy solutions. By addressing vulnerabilities at the source, Replicated could reduce its attack surface, offering customers peace of mind and an increased level of confidence in their deployment processes.

Furthermore, the partnership with Chainguard Images enabled Replicated to maintain a strong reputation as a provider of secure and reliable cloud-native application management tools.

As the industry continues to evolve, Replicated’s investment in proactively managing CVEs through their partnership with Chainguard Images positions them as a trusted partner for software vendors and enterprises alike. The enhanced security measures contribute to the overall stability and resilience of vendors’ applications running on Kubernetes clusters.

Chainguard raises $50M to guard supply chains

Chainguard announced that it has raised a $50 million Series A funding round led by Sequoia Capital. Amplify, the Chainsmokers’ Mantis VC, LiveOak Venture Partners, Banana Capital, K5/JPMC and CISOs from Google and Square, among others, also participated in this round.

In addition to the new funding, the company, which is only 8 months old at this point, also launched its first set of container base images today, which Chainguard promises to have zero known vulnerabilities and which will be continuously updated. These images will be fully signed and will feature a software bill of materials (SBOM).

“Security engineers are used to reasoning with roots of trust by using two-factor authentication and identification systems and establishing trust with hardware by using encryption keys. But we don’t have that for source code and software artifacts today,” said Dan Lorenc, co-founder and CEO at Chainguard. “Our vision is to connect these roots of trust throughout the development lifecycle and across the software supply chain and give developers and CISOs alike confidence in the code they’re running in production and the integrity of their systems.”

In addition to these new base images, Chainguard already offered its Enforce service for containerized workloads. Built on top of the sigstore, the open source tools for cryptographically signing code, verifying those signatures and making all of this data auditable, as well as other open source tools like Knative and other cloud-native services, Enforce allows businesses to enforce their supply chain policies based on the SLSA framework and NIST’s Secure Software Development Framework. With this they can, for example, enforce which code can run where and ensure that developers and security teams know what’s being used to build software inside a company.

Since few developers want to add more tools to their repertoire (you can only shift so far left, after all), the team aimed to make installing its service as easy as running a single command and also offers support for automation systems like CloudFormation and Terraform.

The fact that Chainguard puts an emphasis on protecting cloud-native technologies is no surprise. Among its co-founders are Ville Aikas, Kim Lewandowski, Matt Moore (CTO) and Scott Nichol, who were all previously at Google and heavily involved in the open source community.

“I met with Aikas, who was part of the early Kubernetes team at Google and the tech lead for Knative Eventing, at the KubeCon/CloudNativeCon event in Spain last month. He noted that Enforce is very much the first piece of the puzzle for Chainguard.”

“Enforce comes with the mindset that we understand that the chain is long and we are going to start tackling it, not with the mindset of ‘oh yeah, cool, here’s the ‘secure-my-shit flag.’ We don’t build snake oil. The idea is that we build a solid technology platform that we can then use and come in and add features and start plugging holes in different chains. Enforce is the first piece of this and the second is the images.”

He also noted that Chainguard’s overall mission is to improve the developer experience — all while securing software supply chains.

Unsurprisingly, the company plans to use the new funding to accelerate its product development. But in addition to that, Chainguard also plans to invest heavily in open source projects like Sigstore, SLSA and OpenSSF, as well as a new developer education program that focuses on supply chain security.

“High profile software supply chain attacks like Log4j have flashed a spotlight on the need to establish a foundation of trust in the software that companies put in production,” said Bogomil Balkansky, partner at Sequoia Capital. “Chainguard gives companies confidence in the critical open source software they deploy by providing a low-friction, developer-friendly way of signing and verifying software artifacts so they have a trail to trace if a breach does occur. The Chainguard team are the thought leaders in this space, and it is the right team at the right time in history to tackle this problem.”