By late last year, the alarm bells were just starting to ring. Researchers discovered that Russian spies had months earlier burrowed deep into the networks of several U.S. federal networks. The spies, working for Russia’s foreign intelligence service had first targeted SolarWinds, an IT company whose software helps to remotely manage the networks of thousands of businesses, Fortune 500 organizations, and federal government agencies. By breaking into SolarWinds’ network and pushing a tainted software update to its customers, the Russian spies delivered digital backdoors directly to the heart of the U.S. federal government.
It was, and by some accounts continues to be, one of the most intricate acts of cyber-espionage in recent years to become public. But it was the delivery mechanism that sparked fear: How could companies trust that the software on their networks hadn’t been tampered with?
That’s one of the problems that five ex-Google employees are trying to solve. Dan Lorenc, Matt Moore, Scott Nichols, Ville Aikas, and Kim Lewandowski founded Chainguard in October after working together on building open source tools at Google. Before founding Chainguard, the five most recently worked on two open source security projects, Sigstore, a new standard for digitally signing and verifying software, and SLSA (delightfully pronounced “salsa”), a framework for maintaining end-to-end integrity of a software supply chain.
Just like a product made on a factory assembly line, software can be made up of different components, and can sometimes depend on code written by others and released as open source for anyone to use. These software “dependencies” sometimes have bugs that go unnoticed but are incorporated into larger software projects. Attackers also intentionally try to introduce subtle flaws that can be later exploited, sometimes at scale, if the flaws are embedded in widely used software.
“A lot of companies are relying more and more and open source software, and actually not realizing the risks that they’re setting themselves up for when they go and find some random package on the internet and install it in their production systems,” Lewandowski told TechCrunch. “We want to make it possible for companies to have confidence in some of these critical open source packages; they can go back and trace to the source and understand the pieces that go into creating that software package and having an audit trail to go back and track to see where it came from, if there does happen to be a breach.”
The co-founding team plans to work on open source projects to help companies understand and manage the risks they face from the software supply chains.
Chainguard announced Wednesday that it has raised $5 million in seed funding, led by Amplify Partners and several angel investors. Lewandowski said the team plans to use the funding to scale the company beyond the five new employees, and continuing to build out the products it wants to take to market. “We’re probably going to be pretty split down the middle of focusing on open source and then building with a product,” said Lewandowski.
Though early days, the company said it plans to bring an early version of its product offering next year, with a focus on helping companies harden their own software supply chains.