Chainguard Secures $5M to Enhance Software Supply Chain Security

Russian Cyber Espionage and the Rise of Chainguard
Concerns began to surface towards the end of the previous year when researchers uncovered a significant security breach. Russian intelligence operatives had infiltrated the networks of multiple U.S. federal agencies months prior. These operatives, associated with Russia’s foreign intelligence service, initially targeted SolarWinds, a technology firm specializing in remote network management solutions for a vast clientele.
The SolarWinds Breach
By compromising SolarWinds’ network and distributing a compromised software update, the Russian spies effectively established covert access points within the U.S. federal government’s infrastructure. This act represents a remarkably complex instance of cyber-espionage in recent history.
The method of intrusion, however, proved particularly alarming. It raised questions about the reliability of software and the potential for undetected tampering.
Introducing Chainguard
Five former Google employees are now addressing this challenge. Dan Lorenc, Matt Moore, Scott Nichols, Ville Aikas, and Kim Lewandowski established Chainguard in October, building upon their collaborative work on open-source tools at Google.
Prior to founding Chainguard, the team concentrated on two key open-source security initiatives: Sigstore, a novel standard for digitally signing and verifying software, and SLSA (pronounced “salsa”), a framework designed to ensure the integrity of the entire software supply chain.
The Software Supply Chain Problem
Software development often involves integrating various components, including code sourced from others and released as open-source. These software “dependencies” can inadvertently contain undetected vulnerabilities.
Malicious actors may also intentionally introduce subtle flaws into widely used software, creating opportunities for large-scale exploitation.
Chainguard’s Approach
“Many organizations are increasingly reliant on open-source software without fully recognizing the associated risks,” explained Lewandowski to TechCrunch. “Our goal is to empower companies to confidently utilize critical open-source packages by providing the ability to trace their origins and understand their constituent parts.”
Chainguard aims to establish a comprehensive audit trail, enabling organizations to track the provenance of software components and identify potential breaches.
Funding and Future Plans
The company intends to contribute to open-source projects that enhance understanding and management of software supply chain risks.
Chainguard announced on Wednesday a $5 million seed funding round, spearheaded by Amplify Partners and a group of angel investors. Lewandowski stated that these funds will be used to expand the team and further develop their product offerings.
“We anticipate a fairly even distribution of effort between open-source contributions and product development,” Lewandowski added.
Product Roadmap
Chainguard plans to release an initial version of its product next year, focusing on assisting companies in strengthening their software supply chains.
