At the end of last year, the alarm bells were just starting to ring. Researchers found that Russian spies had buried themselves months earlier in the networks of several US federal agencies. The spies, working for Russia’s Foreign Intelligence Service, initially targeted SolarWinds, an IT company whose software enables the networks of thousands of businesses, Fortune 500 organizations and federal government agencies to be remotely managed. By breaking into SolarWinds’ network and pushing a corrupted software update to its clients, the Russian spies delivered digital backdoors directly into the heart of the US federal government.
It was, and according to some accounts continues to be, one of the most complex acts of cyber-espionage to come to light in recent years. But it was the delivery mechanism that sparked the fear: how could companies trust that the software on their networks had not been tampered with?
It’s one of the problems five former Google employees are trying to solve. Dan Lorenc, Matt Moore, Scott Nichols, Ville Aikas and Kim Lewandowski founded Chainguard in October after working together on open source tooling at Google. Before founding Chainguard, the five most recently worked on two open source security projects: Sigstore, a new standard for digitally signing and verifying software, and SLSA (pronounced “salsa”), a framework for maintaining the end-to-end integrity of a software supply chain.
Much like a product that is produced on a factory assembly line, software can be made up of different components and can sometimes depend on code written by others and released as open source for anyone to use. These software “dependencies” sometimes have bugs that go unnoticed but are built into larger software projects. Attackers also intentionally attempt to introduce subtle vulnerabilities that can be exploited later, sometimes on a large scale, if the vulnerabilities are embedded in widely used software.
“A lot of companies are relying more and more on open source software and in fact don’t realize the risks they face when they search for a random package on the Internet and install it in their production systems,” Lewandowski told TechCrunch. “We want to empower businesses to have confidence in some of these critical open source packages; they can go back to the source and understand the elements that go into creating that software package and have an audit trail to go back and see where it came from, if there is a violation.”
The co-founding team plans to work on open source projects to help companies understand and manage the risks they face in software supply chains.
Chainguard said on Wednesday it had raised $5 million in seed funding, led by Amplify Partners and several angel investors. Lewandowski said the team plans to use the funding to scale the company beyond its five founders and continue to develop the products they want to market. “We’re probably going to be pretty divided between focusing on open source and then building with a product,” Lewandowski said.
Although still in its early days, the company said it plans to deliver an early version of its product next year, with a focus on helping companies strengthen their own software supply chains.