Today, I'm excited to announce our funding round led by Amplify Partners and the start of Chainguard Services, the pilot of our program to work closely with organizations to address software supply chain attacks and insider risks. We’re also ready to share our plans to make the software lifecycle secure by default, and we have a few exciting open source updates!
We’ve been discussing these plans with Lenny, Mike, and Renee at Amplify for several months now, and are thrilled they share our vision of securing the supply chain through open source and developer-friendly tooling. We’re excited to continue working with them and the rest of our angel investors, and want to thank them for their support!
Meaningful security improvements require solutions for entire classes of bugs. We believe the best way to do that is to first learn by fixing a lot of them, one at a time. This is why we’re launching Chainguard Services. If you’re using Kubernetes or other container technologies and looking to make improvements quickly, please reach out to us. We’ll also be contributing time and resources to several OSS communities to support and improve their release infrastructure. If you're a maintainer of an open source project and interested in working with us, please also reach out!
Addressing supply-chain risk holistically requires us to change the way we build and deliver software. Fortunately, we believe that the easy way can be the secure way, and that a secure software development lifecycle can actually be easier, faster, and more fun.
Our strategy to get there is built on a few core pillars:
Integrity is the largest problem facing supply chain and open source security today, and Sigstore is the project best suited to solve this. Sigstore aims to be the Let’s Encrypt of Code Signing, which is a perfect metaphor for the missing building blocks required for open source supply chain integrity. Sigstore’s transparent design, community governance, and developer-friendly tooling provide the best hope we have to fix software package distribution.
Build systems must be run like production systems, because they are. Attacks continue to show that neglecting the systems responsible for building and distributing artifacts can have far-reaching consequences. We believe that the SLSA framework currently provides the best systematic approach for organizations to improve their security posture incrementally. We’re committed to driving the standardization and usage of SLSA across the industry, and to reaching the highest SLSA levels ourselves by the end of 2022.
The solution must be rooted in open source, standards, and communities! Supply chain attacks target the gaps between organizations, so the answers also need to be interoperable and ubiquitous in a way that only open source can provide. We’re excited to announce that we’re joining the Open Container Initiative (OCI) to help strengthen and support the next generation of container interoperability. Look out for more details in 2022!
This is a huge challenge, so t-shirt sales can’t pay all the bills.
This funding from Amplify Partners will be critical to helping us grow the team throughout 2022. On that topic, we have quite a few team members joining soon, so stay tuned for some exciting announcements from some familiar faces. This seed round is just the start of our journey at Chainguard, and we’re deeply thankful for all the support we’ve received from the community and our partners.