Chainguard Raises $5 Million From Amplify Partners to Fix Software Supply-Chain Security

Chainguard, Inc., a software supply chain security startup, today announced it has raised $5 million in a seed funding round led by Amplify Partners. A number of angel investors also participated, including Eric Brewer, VP at Google; Maya Kaczorowski, Product at Tailscale; Brandon Philips, former CTO at CoreOS; Stephen Augustus, Head of Open Source at Cisco; Joe Duffy, CEO of Pulumi; Solomon Boulos, former Google exec and founder of Google’s OCTO; and Gordon Chaffee, former Google exec.
The founding team of five open-source veterans is Dan Lorenc, Matt Moore, Scott Nichols, Ville Aikas, and Kim Lewandowski. The team worked together at Google on many of the foundational container projects, including Minikube, Distroless, Skaffold, Knative, Tekton, Kaniko, ko, and, most recently, the open source security projects Sigstore and SLSA. The team believes that the solution to securing software supply chains must be rooted in open source, standards, and communities, because the software that companies ship is increasingly dominated by the open source libraries, frameworks, and runtimes they consume.
The industry has been hit hard by a wave of software supply chain attacks over the past few years, especially attacks targeting open source software. According to the latest Sonatype report, supply chain attacks increased by 650% in 2021. The European Union predicted this trend will continue with another 4x rise this year. It is hard to see this trend slowing: Accenture estimated that a combined $5.2 trillion is at risk to cybercrime today. The recent US cybersecurity Executive Order recognizes supply chain security as a threat to national infrastructure, but it places significant burdens on an already-taxed industry, with 92% of hiring managers unable to fill open source and cybersecurity-related positions.
Chainguard is tackling head-on what it considers one of the biggest problem spaces of the decade. Nearly every piece of software has “dependencies,” often other open-source libraries that the project is built on. Attackers have been injecting malicious code into the dependencies of common open-source projects. These attacks are hard to identify because they are not always picked up by traditional scanning, and, worse, a dependency can change at any time without warning. Chainguard plans to give companies confidence in the software they rely on, along with the data and tools they need to understand their risks and mitigate potential threats.
With this investment, the company is tripling in size over the coming months with offers accepted from 12 new hires, and will focus on bringing solutions to market.
Lenny Pruss, General Partner at Amplify, commented: “In the last 12 months, we’ve witnessed software supply chain security become the top priority for security practitioners and buyers. We believe this massive, multi-stakeholder problem is going to be solved with open tools and open standards and Sigstore has emerged, in our minds, as the project to take on this challenge.”
Source: Chainguard