Chainguard, a software supply chain security startup, announced today that it has raised a $50 million Series A funding round led by Sequoia Capital. Amplify, Mantis VC, LiveOak Venture Partners, Banana Capital, K5/JPMC, and Chief Information Security Officers from Google and Square also participated in this round.
In addition to the new funding, the company, which is only 8 months old, today also launched its first set of container base images, which Chainguard promises are free of known vulnerabilities and will be continually updated. These images will be fully signed and will ship with a software bill of materials (SBOM).
“Security engineers are accustomed to talking about the roots of trust, using two-factor authentication and identification systems, and establishing trust in equipment using encryption keys. But today we don’t have that for source code and software artifacts,” said Dan Lorenc, co-founder and CEO of Chainguard. “Our vision is to connect these roots of trust throughout the development lifecycle and the entire software supply chain, and give developers and CSOs confidence in the code they use in production and the integrity of their systems.”
In addition to these new base images, Chainguard already offers its Enforce service for containerized workloads. Built on top of Sigstore, the open source tooling for cryptographically signing code, verifying those signatures and keeping an audit trail of that data, along with other open source tools such as Knative and various cloud services, Enforce lets businesses enforce their supply chain policies based on the SLSA framework and the NIST Secure Software Development Framework. This allows them to, for example, determine which code can run where and ensure that developers and security teams know what goes into the software they build internally.
Since few developers want to add more tools to their repertoire (after all, you can only shift so far to the left), the team aimed to make installing the service as easy as running a single command, while also offering support for automation systems such as CloudFormation and Terraform.
The fact that Chainguard pays special attention to cloud-native security is not surprising. Its co-founders include Ville Aikas, Kim Lewandowski, Matt Moore (CTO), and Scott Nichol, who previously worked at Google and were active in the open source community.
I met with Aikas, who was part of the early Kubernetes team at Google and the tech lead for Knative, at the KubeCon/CloudNativeCon event in Spain last month. He noted that Enforce is the first piece of the puzzle for Chainguard.
“Enforce comes with the thought that we understand the chain is long and we’re going to start tackling it, not with the thought, ‘Oh yeah, cool, that’s ‘protect my shit.’ We don’t build snake oil. The idea is that we create a solid technology platform that we can then use, add features and start plugging holes in various chains. Enforce is the first part of that and the second is the images.”
He also noted that Chainguard’s overall mission is to improve the developer experience – all while securing software supply chains.
Not surprisingly, the company plans to use the new funding to accelerate its product development. But in addition to that, Chainguard also plans to invest heavily in open source projects like Sigstore, SLSA, and OpenSSF, as well as a new developer education program that focuses on supply chain security.
“Notorious attacks on software supply chains such as Log4j have highlighted the need to build a foundation of trust in the software that companies put into production,” said Bogomil Balkansky, a partner at Sequoia Capital. “Chainguard gives companies confidence in the critical open source software they deploy by providing an easy and convenient way for developers to sign and verify software artifacts so they have a trail to follow if a breach does occur. The Chainguard team are thought leaders in this area and are the right team at the right time in history to solve this problem.”
Credit: techcrunch.com