A team of former Google employees has launched a new startup, Chainguard Inc., to focus on improving software supply chain security.
Supply chain attacks have increased 650% so far this year, according to Sonatype data, Chainguard founder Dan Lorenc said in a blog post announcing the launch. Security experts expect the trend to continue; the recent US executive order on cybersecurity includes a section on enhancing software supply chain security.
"The development of commercial software often lacks transparency, sufficient focus on the ability of the software to resist attack, and adequate controls to prevent tampering by malicious actors," government officials wrote. "There is a pressing need to implement more rigorous and predictable mechanisms for ensuring that products function securely, and as intended."
This increases pressure on an industry already struggling to fill open source and security roles, Lorenc noted, but the Chainguard team sees an opportunity in the rapid rise of cloud adoption. As the industry changes how code is run, it must also change how code is built and operated, he said. Chainguard believes the answer lies in open source, standards, and communities.
"The software that companies ship is increasingly dominated by the open source libraries, frameworks, and runtimes they consume," Lorenc said in the post. "Efforts like Let's Encrypt to secure internet communication have shown that open standards, formats, tooling, and community are extremely effective ways to drive industry-wide changes."
The Chainguard founding team consists of Lorenc and fellow former Google employees Kim Lewandowski, Matt Moore, Scott Nichols, and Ville Aikas. Combined, the team has led the creation of technologies including GCS, gcr.io, Minikube, Distroless, Skaffold, Knative, Tekton, Kaniko, ko, and most recently Sigstore and SLSA.