Chainguard raises $50M Series A for supply chain security

Chainguard, a startup that focuses on securing software supply chains, announced today that it has raised a $50 million Series A funding round led by Sequoia Capital. Amplify, the Chainsmokers’ Mantis VC, LiveOak Venture Partners, Banana Capital, K5/JPMC and CISOs from Google and Square, among others, also participated in this round.

In addition to the new funding, the company, which is only 8 months old at this point, also launched its first set of container base images today, which Chainguard promises to have zero known vulnerabilities and which will be continuously updated. These images will be fully signed and will feature a software bill of materials (SBOM).

“Security engineers are used to reasoning with roots of trust by using two-factor authentication and identity systems and establishing trust with hardware by using encryption keys. But we don’t have that for source code and software artifacts today,” said Dan Lorenc, co-founder and CEO at Chainguard. “Our vision is to connect these roots of trust throughout the development lifecycle and across the software supply chain and give developers and CISOs alike confidence in the code they’re running in production and the integrity of their systems.”

In addition to these new base images, Chainguard already offered its Enforce service for containerized workloads. Built on top of sigstore, the open source tools for cryptographically signing code, verifying these signatures and making all of this data auditable, as well as other open source tools like Knative and other cloud-native services, Enforce allows businesses to enforce their supply chain policies based on the SLSA framework and NIST’s Secure Software Development Framework. With this they can, for example, enforce which code can run where and ensure that developers and security teams know what’s being used to build software inside a company.

Since few developers want to add more tools to their repertoire (you can only shift so far left, after all), the team aimed to make installing its service as easy as running a single command and also offers support for automation systems like CloudFormation and Terraform.

The fact that Chainguard puts an emphasis on protecting cloud-native technologies is no surprise. Among its co-founders are Ville Aikas, Kim Lewandowski, Matt Moore (CTO) and Scott Nichol, who were all previously at Google and heavily involved in the open source community.

I met with Aikas, who was part of the early Kubernetes team at Google and the tech lead for Knative Eventing, at the KubeCon/CloudNativeCon event in Spain last month. He noted that Enforce is very much the first piece of the puzzle for Chainguard.

“Enforce comes with the mindset that we understand that the chain is long and we’re going to start tackling it, not with the mindset of ‘oh yeah, cool, here’s the ‘secure-my-shit flag.’ We don’t build snake oil. The idea is that we build a solid technology platform that we can then use and come and add features and start plugging holes in different chains. Enforce is the first piece of this and the second is the images.”

He also noted that Chainguard’s overall mission is to improve the developer experience — all while securing software supply chains.

Unsurprisingly, the company plans to use the new funding to accelerate its product development. But in addition to that, Chainguard also plans to invest heavily in open source projects like Sigstore, SLSA and OpenSSF, as well as a new developer education program that focuses on supply chain security.

“High profile software supply chain attacks like Log4j have shone a spotlight on the need to establish a foundation of trust in the software that companies put in production,” said Bogomil Balkansky, partner at Sequoia Capital. “Chainguard gives companies confidence in the critical open source software they deploy by providing a low-friction, developer-friendly way of signing and verifying software artifacts so that they have a path to trace if a breach does occur. The Chainguard team are the thought leaders in this space, and it’s the right team at the right time in history to tackle this problem.”
