Five former Googlers recently started Chainguard, a newly minted supply chain security company focusing on Zero Trust principles. Their mission is to help support DevOps teams with their monumental struggles of securing application code across the development, deployment and management cycle.
“Supply chain security by default is our mission and making it really easy for developers to do the right thing,” Kim Lewandowski, founder and product, for Chainguard, said during a The New Stack Makers podcast recorded live at KubeCon + CloudNativeCon in October.
Alex Williams, founder and publisher of TNS, hosted the podcast.
Chainguard’s mission is also to help “companies to understand what they’re running in their clusters and how to secure that supply chain — the integrity piece of it — to make sure nothing is sort of tampered with as they’re pushing code and things to their production systems,” Lewandowski said. Chainguard’s Matt Moore, founder and chief technology officer and former Googler, was Lewandowski’s fellow guest.
A lack of insight into the security supply chain is something that many organizations and even software providers lack — and which Chainguard seeks to correct. In this way, Chainguard’s tools and processes are designed to ensure that software remains secure once distributed as well.
“It’s scary, but one of the things that we are trying to do is make it so that when you’re running software in production or distributing software and if you’re giving it to other people to run,” it remains secure,” Moore said. End users often don’t know what they’re running, he said.
Chainguard also seeks to address specific supply chain security holes organizations have. “A good place for us to start is talking to these companies that have already found some of the open source tooling that we’ve built and, and learning about their problems and trying to see if they’re a good fit for us. We have them come on as a design partner as we really figure out what we’re going to build as a product,” Lewandowski said. “I think we’ll cast a wide net initially…All these regulated industries, I think, are scrambling to try to make their supply chains more safe.”
Meeting developers’ security needs are especially important, Moore said “If you don’t win the hearts and minds of the developers, they’re going to want to find ways around what you’re doing… I think the most successful tools that we’ve seen really, in any space, make best practices and the right way of doing it the sort of the default, the easy path. We want to make it easy for developers to adopt this stuff.”