Today, that group of former Googlers is better known as the founding team of Chainguard. But true to its billing, the startup is on a daunting mission, aiming to make a big dent in one of the most intractable areas of cybersecurity today.
Over the course of its first year, Chainguard has emerged as one of the most promising players in the effort to curtail the massive security risks of the software supply chain, industry experts told Protocol.
It’s an issue of some urgency: A growing number of attacks seek to use the software development process itself as a vehicle for delivering malicious code into a commercial application, in order to compromise the organizations that use the software, as occurred in the widely felt SolarWinds breach of 2020.
Chainguard stands out thanks to a unique product strategy and strong appeal among developers, as well as the deep experience of the founding team in open-source software and security. That included a combined 35 years at Google working on initiatives such as Kubernetes, the dominant system used in container-based software development, and related open-source projects.
Chainguard's goal "is really to try to make the software development life cycle and software supply chain secure by default," said co-founder and CEO Dan Lorenc, "because that's the only way it will actually get secure."
Chainguard’s products can be used to secure the software supply chain for cloud-native applications in Kubernetes at a more fundamental level than other vendors, according to third-party experts and the company’s founders.
While Chainguard doesn't yet address the whole problem of software supply chain security, "they're solving a really big chunk of it," said Katie Norton, a senior research analyst at IDC.
Still, the company's ultimate goal is to secure the entire software development process, Chainguard's four founders told Protocol in recent interviews.
Supply chain insecurity
Shah, a partner at Amplify Partners, was destined to get an early glimpse of the plans for Chainguard.
Even before getting the “Justice League” tip, Shah had coincidentally just set up a meeting with Lorenc, then a Google engineer, who was a leader of a fast-growing open-source project called Sigstore that would become part of the basis for Chainguard’s products. Amplify went on to lead the startup’s seed round of funding, and Chainguard has now raised $55 million in total funding and has 52 people on staff.
Not only do the Chainguard founders bring uncommon expertise on software supply chain security, but "they are so great at building products that developers really want," Shah said.
If there's such a thing as a superpower in cybersecurity, getting developers to care about a security tool is probably it. For most developers, security is "last on their list," according to Lorenc.
Once a largely obscure concern, the security of the software supply chain became a top priority across the U.S. government and C-suite in the fallout from the SolarWinds breach. The Russia-linked attack, which poisoned a SolarWinds application with malicious code that was then widely distributed across its customer base, was discovered in December 2020.
In response, a deluge of security tools has come to market, many of them geared toward scanning software for vulnerable components.
Such tools do have their uses in reducing software supply chain risk. Chainguard comes at the problem from a different angle, however.
"We're starting all the way back to square one," said Kim Lewandowski, co-founder and head of product at Chainguard. That has included taking the unorthodox step of providing secure building blocks for software, endowing applications with the most secure baseline possible without creating extra work for developers.
Specifically, Chainguard offers its own container base images — files that serve as the foundation of a cloud-native application — which the company says will ship without any known vulnerabilities. This is an advantage because many of the open-source options that are popular with developers come with a large number of bugs from the start.
The company recently took the additional step of creating its own flavor of Linux, dubbed "Wolfi," that is now supporting its secure-by-default container images. Customers of Chainguard get container base images with enterprise-friendly features such as a service-level agreement, which promises any future vulnerabilities that are found will be patched in an agreed-upon timeframe.
Underpinning Chainguard’s products is Sigstore, an open-source project that Lorenc co-created while at Google and that had already generated strong interest among developers. The tool makes it easier for software makers to do what's known as "code signing," a way of proving the authenticity of a piece of software.
The Chainguard images are all digitally signed and include a software bill of materials, which provides transparency into the software's components. Chainguard has also begun manually curating a feed of vulnerability information for customers to help with vulnerability management.
Deploying secure software
At the other end of the chain, the company provides greater transparency into application code, while automatically ensuring that only trusted software is being deployed out to customers.
With its Enforce product, Chainguard provides visibility into code that's being deployed to "production" Kubernetes environments, which is the final step that makes the software available to users.
Having this greater transparency can provide an understanding of the security posture of code that's being deployed. For instance, Enforce can determine which code has been signed (for example with Sigstore) and can therefore be trusted for deployment to users.
The tool can also determine which software packages included in the code feature a software bill of materials, which can offer further specifics around whether any vulnerable components are being used. Enforce ultimately enables better asset management for software teams, since it "gives you a real-time view of what's running in your production systems," Lewandowski said.
"And so once you get a picture of how scary things might be, then you can start enforcing different types of policies on it," she said.
For instance, a customer could prevent an untrusted container image from getting deployed into a production environment. Or, Enforce could be used to block deployment of a software component with a newly discovered vulnerability — a capability that would prove very handy after the discovery of a critical vulnerability such as last year's flaw in the widely used Apache Log4j component.
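The signed-image and SBOM checks described earlier, and the deploy-time blocking just described, can be modelled as a small admission policy. The following Python is an added example written for this page, not Chainguard's or Enforce's code. The policy object, signer identities, image records, digest and the blocked-version rule are all constructed for illustration, and the example assumes that cryptographic signature verification has already been performed upstream by a Sigstore-style verifier that returns the signer identity; the policy itself only matches that identity against a trusted list. The digest-pinning check is an added check that goes slightly beyond the text.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Policy:
    """Deployment policy for a production environment.

    trusted_signers: identities whose signatures make an image trusted.
    require_sbom:    refuse images that carry no software bill of materials.
    blocked:         (package name, first fixed version) pairs; any older
                     version of that package blocks deployment.
    All values used below are constructed for this example.
    """
    trusted_signers: set
    require_sbom: bool = True
    blocked: list = field(default_factory=list)


def parse_version(version: str) -> tuple:
    """'2.14.1' -> (2, 14, 1). Pre-release suffixes are deliberately not modelled."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def vulnerable_components(sbom: dict, blocked: list) -> list:
    """Return (name, version) pairs from the SBOM that are older than the fix."""
    hits = []
    for component in sbom.get("components", []):
        for name, fixed_in in blocked:
            if component["name"] == name and parse_version(component["version"]) < parse_version(fixed_in):
                hits.append((component["name"], component["version"]))
    return hits


def evaluate(image: dict, policy: Policy) -> tuple:
    """Decide whether an image may be deployed; returns (allowed, reasons).

    Every failing check is recorded, so a developer sees the whole picture
    instead of fixing one problem only to be blocked by the next.
    """
    reasons = []

    # 1. The reference must be a digest: a tag can be moved to different
    #    content after it was signed, a digest cannot.
    if "@sha256:" not in image["ref"]:
        reasons.append("image not referenced by digest")

    # 2. Only a signature from a trusted identity counts. The cryptographic
    #    verification is assumed to have happened upstream (a Sigstore-style
    #    verifier returning the signer identity); the policy matches identities.
    signers = {s["identity"] for s in image.get("signatures", []) if s.get("verified")}
    if not signers & policy.trusted_signers:
        reasons.append("no valid signature from a trusted signer")

    # 3. The SBOM must be present, and none of its components may be on the
    #    blocklist, which is how a newly disclosed flaw is blocked at deploy time.
    sbom = image.get("sbom")
    if sbom is None:
        if policy.require_sbom:
            reasons.append("no SBOM attached")
    else:
        for name, version in vulnerable_components(sbom, policy.blocked):
            reasons.append(f"blocked component {name} {version}")

    return (not reasons, reasons)


# Constructed policy and image records for demonstration.
POLICY = Policy(trusted_signers={"ci-pipeline@example.com"},
                blocked=[("log4j-core", "2.17.1")])  # constructed rule, not an advisory

DIGEST = "sha256:" + "ab" * 32  # placeholder digest, constructed

SIGNED_CLEAN = {
    "ref": f"registry.example/app@{DIGEST}",
    "signatures": [{"identity": "ci-pipeline@example.com", "verified": True}],
    "sbom": {"components": [{"name": "log4j-core", "version": "2.17.1"},
                            {"name": "openssl", "version": "3.0.7"}]},
}

VULNERABLE = {
    "ref": f"registry.example/app@{DIGEST}",
    "signatures": [{"identity": "ci-pipeline@example.com", "verified": True}],
    "sbom": {"components": [{"name": "log4j-core", "version": "2.14.1"}]},
}

UNTRUSTED = {
    "ref": "registry.example/app:latest",  # mutable tag, no digest
    "signatures": [{"identity": "someone@example.org", "verified": True}],
}

if __name__ == "__main__":
    for label, image in (("signed clean", SIGNED_CLEAN), ("vulnerable", VULNERABLE), ("untrusted", UNTRUSTED)):
        allowed, reasons = evaluate(image, POLICY)
        print(f"{label}: {'ALLOW' if allowed else 'DENY'} {reasons}")
```

The blocklist is what a curated vulnerability feed would update: when a new flaw is published, adding one (package, fixed version) pair denies every image whose SBOM still carries an older version, with no change to the images themselves.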
An expanding threat
With supply chain attacks, the opportunity to "compromise one, compromise many," by implanting malicious code in a single piece of software destined for a large customer base, has proven highly appealing for hackers.
While the SolarWinds breach affected numerous U.S. federal agencies and thousands of companies, overall attacks against the software supply chain are up as well, surging 300% in 2021 from the prior year, according to a report from Aqua Security.
At the same time, more businesses now have their own internal software supply chains to worry about, as companies of all stripes have begun developing their own software. The widespread use of vulnerability-prone open-source software has only compounded the risks.
Securing the software supply chain is very different from securing employee accounts, or protecting an organization's data. Even calling it the supply chain security “problem” is almost a misnomer, Lorenc said, because in reality “it’s like 37 problems, all rolled into one.”
"It's not something a CISO can just buy and bolt on at the end of the [development process], and somehow secure all the steps before that," he said. "It's going to take real change from developers, and lots of them, to cause a shift here."
Google, of course, is a good place to gain expertise on open-source software, developer tools, and cybersecurity. Or to be a pioneer in those areas, as has been the case with Chainguard's four co-founders, who’ve had a hand in many of the notable projects at Google over the past decade.
A sampling of their work at Google: Lorenc launched a popular tool for running Kubernetes container orchestration locally (Minikube), while Lewandowski co-created a trailblazing supply chain security framework, known as SLSA.
CTO Matthew Moore, meanwhile, co-founded the Google Container Registry and led an open-source project to enable serverless containers in Kubernetes environments (Knative), while co-founder Ville Aikas was an early member of the Kubernetes project itself.
With the focus on Sigstore, following the tech industry playbook of building enterprise products on top of open source is one part of the equation for Chainguard. And “having the main authors of open-source projects, on the team that's commercializing that open source, is extremely important,” Shah said.
But the Chainguard founding team also realized that when it comes to the software supply chain problem, the group is well positioned overall, Lewandowski said: "We know this space. We can help people here."
Fixing the foundation
Years before the SolarWinds breach, Santiago Torres-Arias had already been researching the issue of software supply chain security.
Torres-Arias was among the academic researchers who helped to develop in-toto, a federally backed framework for securing software supply chains that likely would have made a difference in mitigating the SolarWinds attack, had it been implemented.
Now that the world is paying attention to software supply chain security, Torres-Arias, an assistant professor at Purdue University, told Protocol he sees a different problem cropping up: There are a huge number of vendors claiming to have the answer, and they really don't.
"It's a complex and nuanced problem. You can't just install this one thing" and secure the software supply chain, he said.
Instead, the solution needs to be built into the supply chain itself, "from the ground up," Torres-Arias said. Chainguard’s container base images make it one of the very few vendors that gets that, he said.
Vendor claims about "shifting left" to bring security earlier in the software development process have been abundant lately. But releasing a new flavor of Linux to make software as secure as possible from the get-go? That's "not something you'll find other companies trying to do," Torres-Arias said.
While many vendors enable remediation of security issues that have been discovered, it's often difficult for developers to actually make the fixes, IDC's Norton said.
Chainguard, she said, stands apart by allowing development teams to "start with a clean slate, which is way easier than having to go back and fix a bunch of stuff."
The rest of the chain
It's no accident that Chainguard has begun with securing "the first and last links" in the software supply chain, said Moore, the company's CTO and co-founder. The goal is for the two products to serve as a strong foundation before the company sets out to work its way through the rest of the supply chain, he said.
The vision is to cover the entire chain over time, and the company is still determining where to go next, both in terms of covering new areas and expanding its existing products, the Chainguard founders said.
"This is going to be a long process of chipping away and fixing things," Moore said. "There's a lot of links in the chain, and they all need to be strong."
For example, midway through the chain, code is converted into an executable program, in what's known as the "build" phase. Investigators believe the initial compromise of SolarWinds was during this phase.
The running theme for Chainguard, however, will be on making it easier for development teams to do the right things in security and harder to do the wrong things, the founders said.
Still, while the development of new software has largely shifted to cloud-native technologies such as containers, many existing applications continue to rely on older technologies such as mainframes, Norton noted.
"There are so many legacy applications that exist, which these newer applications are often built on top of, or connected to," she said. "In the big picture, [legacy applications] also need to be addressed in terms of security."
Focus on developers
But for the development of new software, or updates to existing software in Kubernetes environments, Chainguard has a lot to offer, particularly since the startup is so developer-oriented, Norton said. IDC research has shown that catering to developer needs is "incredibly important" for addressing this issue, she said. Today, to really get supply chain security tools adopted within an organization, "they need to be designed with the developer in mind."
Chainguard's founders say they've modeled the company itself as a developer tools provider, with its products meant to blend into the existing software development process. It's an approach that has been hugely successful for another developer security vendor, Snyk, which ranks at No. 2 among the top-valued private cybersecurity vendors with a valuation of $8.6 billion, according to CB Insights.
For Chainguard, the founders say the aim is to make developers more productive, not less. For instance, Enforce automatically monitors running applications and can notify developers if an app falls out of compliance, sparing them from manual analysis.
Going forward, some accountability for securing software may also end up falling on developers, whether they like it or not. The much-discussed idea of merging DevOps with security — to form a "DevSecOps" approach, where security is a shared responsibility across functions — is one indicator of this trend.
Still, most developers are not security experts, don't want to be, and are mainly under pressure to push out new software. And so for the developer, Aikas said, "security is something that you shouldn't really have to worry about. That's something we should be able to handle for you."
Chainguard has focused on working closely with a small number of customers so far, and will be more aggressive about looking to expand its customer base in 2023, Lewandowski said.
Hewlett Packard Enterprise and Block (the parent company of Square) are among Chainguard's customers. Block has adopted Enforce in place of several homegrown and open-source software supply chain security tools it had been using, according to a customer case study released Monday by Chainguard.
Ultimately, Chainguard is committed to making good on its goal of securing the whole software supply chain, and is not looking for a quick exit, the founders told Protocol. "We'll be here for a while," Lorenc said.
Without a doubt, the company's strategy of trying to fix the software supply chain down to its core, rather than with a "bolt-on" solution, is a “harder road to take," he said. "But if you're going to do this, you might as well do it right."
This story was updated to clarify how Chainguard ships its container base images.