Partnering with Chainguard: A Foundation of Trust for the Software Supply Chain
Dan, Matt, Scott, Ville and Kim are making open-source artifacts secure by default.
By Bogomil Balkansky
Published June 2, 2022
Digital signatures are to software what nutrition labels are to packaged food: a way to see who produced it and what’s inside. Just as knowing the origin of ingredients is important to trusting that what you eat is safe, you want to know where each software component came from. But it may come as a surprise but the overwhelming majority of software running today is unsigned, meaning there is no easy way to trace who really made it and how.
Instead, we are left blindly trusting that software is doing what we expect it to do—and nothing more. As recent debacles like the SolarWinds exploit have shown, however, such blind trust is naïve and misplaced. Bad actors have figured out that one of the best ways to attack software systems is to sneak their malicious code inside a legitimate program—while that program is being written, packaged or distributed. In the case of SolarWinds, attackers compromised the SolarWinds software build platform, managed to injected a backdoor into the company’s Orion product, and distributed the compromised software to unsuspecting SolarWinds customers under the guise of a regular update, allowing the attackers access to the systems of those customers. One of the most important vectors of cybersecurity today is securing the process of developing and distributing software, so similar attacks can be thwarted.
It took this major breach for the world to start waking up to the problem, but it is now waking up fast, with software supply chain security quickly gaining immense mindshare—all the way to the White House! President Biden last year issued Executive Order 14028, which mandates enhancements to address the problem and directs federal agencies to establish new standards and guidelines. And earlier this year, the administration summoned representatives of government and the private sector to work together on a roadmap for better software supply chain security.
The Presidential communique of that meeting explicitly mentions code signatures as a best practice, but thus far the industry doesn’t seem to need much encouragement from the White House—thanks in part to the team at Chainguard and their contributions to the Sigstore open source project. Sigstore is the simplest, most developer-friendly way to digitally sign any kind of software artifact—a binary, a package or a container image—and, crucially, to verify that signature. Think of it as a notary for the digital world: an attestation that the software is what you think it is and will do what you expect it to. It is quickly becoming the de-facto standard for software signing, with early adopters ranging from major open source projects such as Kubernetes (v1.24) to financial services infrastructure such as Citi (which is building the secure software factory with Sigstore and Tekton).
While Chainguard and Sigstore will, like all great innovations, seem obvious in hindsight, this problem is complex and multifaceted. But co-founders Dan Lorenc, Matt Moore, Scott Nichols, Ville Aikas and Kim Lewandowski are uniquely positioned to solve it, having built the respected supply chain security framework SLSA when they worked together at Google. They defined the scope of the problem in their original blog post introducing SLSA, and the principles from that post laid the foundation for what is today the most comprehensive industry consortium framework for supply chain security. SLSA offers a simple approach to assess an organization’s maturity in securing its software supply chain, and a pragmatic roadmap to improve.
Now, Chainguard is continuing to build on those principles, and on the momentum of Sigstore, with two products that allow companies to make substantial progress in their supply chain security journey. Chainguard Enforce protects containerized environments from supply chain threats by inventorying which containers are running and where they came from, integrating with CI/CD systems to trace how containers are built, and allowing teams to set policies for which containers can run in the cluster. Chainguard Images, which was announced today, offers a set of hardened Linux container images with SLSA Level 3 provenance and software bill of materials (SBOM).
Of course, even a founding team as experienced as Dan, Matt, Scott, Ville and Kim can’t solve such a global and existential problem alone. That’s why they’ve built a team of original thinkers and thought leaders in supply chain security, including highly experienced open source developers. Now 40 people strong and growing fast, Chainguard has become a magnet for talent—as the conversation on Twitter shows.
In short, Chainguard is in the right place at the right time to lead the way toward better supply chain security—and they have the right team to do it. We at Sequoia are thrilled to lead their Series A and be a part of their journey!