podcast • 31MIN READ

What Hackers Know About Your Software Supply Chain (That You Don’t) w/ Chainguard's Kim Lewandowski

You’ve heard of the supply chain, but what about the software supply chain? 

Unlike the standard supply chain that you often hear about in the news, this week’s episode of Dev Interrupted dives into the supply chain responsible for holding together the systems that companies, orgs and governments depend upon. 

Kim Lewandowski, a software supply chain security expert, co-founded Chainguard in 2021 with a mission to make the software supply chains secure by default.

In our conversation, Kim discusses why hackers are way ahead of the game on the software supply chain, what companies can do about it and why excitement around open source may not align with the security threats of the future.

She also details why 5 founders may be better than 2, why you might find her Easter eggs in nuclear codes and why Google is an amazing pit-stop in anyone’s career.

Episode Highlights Include:

  • (5:50) Easter eggs in nuclear codes 
  • (7:00) The reason Google is a great career pit-stop 
  • (11:18) What is the software supply chain? 
  • (17:14) The risks with open source supply chains 
  • (19:51) Why 5 founders may be better than 2
  • (27:40) How to improve your software supply chain security

You're Invited to INTERACT on April 7th

Join engineering leaders from Netflix, Slack, Stack Overflow, American Express & more at LinearB's virtual engineering leadership conference, INTERACT on April 7th, 2022.

1 day, 20 speakers, 1,000s of engineering leaders - all driven by the Dev Interrupted community. If you are a team lead, engineering manager, VP or CTO looking to improve your team, this is the conference for you!

>Learn more here<

Transcription:

Dan Lines: Host

Kim Lewandowski: Co-founder of Chainguard

---

[Music plays]

Kim: [0:00] A lot of it is because of the big SolarWinds attacks that happened. The reality is the world is just getting pwned right now and these software supply chain attacks, like it's kind of terrifying.

Producer: [0:09] This episode is sponsored by LinearB. Accelerate your development pipeline with data-driven engineering metrics, continuous improvement automation, and project visibility while cutting your software development cycle time in half. Sign up for your free demo at linearb.io and mention the Dev Interrupted podcast discount for one month free when you sign up for an annual pro membership.

[Music fades out]

Dan: [0:29] Hey everyone, welcome to Dev Interrupted. I'm your host, Dan Lines and today I'm joined by Kim Lewandowski, founder, and head of product at Chainguard. Kim, thanks so much for joining us. And congrats on the just announced five million dollar in seed round funding.

Kim: [0:47] Yeah, we incorporated and then raised a round pretty quickly after. So that's exciting for us. Thanks for having me.

Dan: [0:54] That's so cool. We're definitely going to dive into that and how that came to be. But before we get there, I'd like to start by giving our audience the opportunity to get to know you a little bit better. I heard that you once had a scholarship to study ceramic engineering. Is that true?

Kim: [1:12] Yes, it's true. I grew up in western upstate New York near Corning Incorporated. So I was near Corning-sorry, grew up near Corning, the city, but Corning Incorporated was based there, which some listeners may have heard about. And they're famous for things like Gorilla Glass, like making glass for spacecraft, cookware, and fiber optics. And I did an internship there in high school, a couple of them, and I think that's where I got interested in like ceramic engineering, but then I ended up dropping out and not going through the program, last minute, I think I thought it was like a little bit too specific. And so yeah, so that was the end of that.

Dan: [1:51] That's actually really cool. I know all about that, in a way because I grew up in Rochester, New York,

Kim: [1:57] Okay!

Dan: [1:58] Which is in upstate New York and the Corning, I remember either giving or receiving gifts from the Corning Glass Company. So very cool. [crosstalk] [2:08] Small world there.

Kim: [2:08] Yeah. Yeah, the museum is awesome. If you're ever in the area [crosstalk] [2:12] and get the chance, go check it out.

Dan: [2:12] Yeah exactly.

Dan: [2:15] Now, you ultimately ended up studying comp sci right? You got a comp sci degree.

Kim: [2:22] I ended up with a Master's in Computer Science. I went to RIT for a brief stint in New York. And then I couldn't take the weather anymore and finished up at Florida State, so.

Dan: [2:31] The snow! Yeah, you went the exact-it was too snowy so you said I'm gonna go all the way down to Florida [crosstalk] [2:37] and make sure it’s sunny, most of the time.

[Laughing]

Kim: [2:37] That’s right. Yeah.

Dan: [2:41] What got you into computer science?

Kim: [2:44] Yeah, great question. You know, I was-I was always pretty good at math in high school, and I enjoyed it. And I was always looking for like the advanced class-math classes and everything. I remember helping my older brother out on math, it was pretty fun. And then I took my first C++ programming class, that was my first introduction to programming and it kind of stuck with me from then on. Like, I preferred that the solutions are either kind of right or wrong. So, if you're compiling a program you know, you don’t need-it either compiles and works, or you missed a space. So, I think I enjoyed that part of it more with less ambiguity. And my dad was always like, we had computers early on, and I can't even tell you how many hours I've logged on, like, Oregon Trail and SimCity and things so.

Dan: [3:30] Hell yeah!

Kim: [3:31] Yeah, I think-I think the combination of kind of those two things just got me intrigued by the field. And yeah, last thing I knew, I ended up with a masters and MCS,

Dan: [3:40] What I love about developing, when I was a developer, it's like, you get that little dopamine hit every time “Okay, yeah, my code is compiling. I finished a function. It's doing something.” [crosstalk] []All throughout the day.

Kim: [3:53] Exactly! Yeah, yep.

Dan: [3:55] So you get, like, a quick feedback loop on your work.

Kim: [3:58] Yep.

Dan: [3:59] And in addition to all of this, I also understand you spent two years working at a nuclear research lab in California. So how did you end up doing that?

Kim: [4:10] Yeah, so that's a-that's a fun story. So, my parents didn't really help out for-much for college, paying for the bills and everything. So, I was always on the lookout for scholarships and-and ways to get money. And I heard about this government scholarship, and I think it's still around today, it's like the Scholarship for Service. So, I applied and luckily, I received it. They covered grad school for me and a stipend. So, it was like the first time I didn't have to work as a college student, which was mind blowing. I was always holding like almost a full-time job down. But in return you-like the requirement was he had to go work for the federal government for a couple of years. And my boyfriend at the time, now he's my husband, he knew about Lawrence Livermore Labs out here in California. This is where he grew up. And so, he's like “Oh, you got to move to California. Like go to California, don't go off to DC” and I was like “All right.” And so-so yeah, I landed-landed a job at Lawrence Livermore National Labs.

Dan: [5:05] That's really cool. Is that a government style job, or?

Kim: [5:09] I guess? Yeah, I mean, it's through the-I think they're funded through the Department of Defense, I had to get like a top-secret security clearance to work there. And I think-I actually did an internship and then I ended up working there the full time for two years. So, I started working, it was pretty cool. Like, the projects I worked on are super cool. The first one was at the National Ignition Facility. So that's a huge project, like the most powerful laser in the world, and they're trying to simulate nuclear fusion reactions and I think they may have actually been successful recently. Not while-not while, I listened there was still kind of a much-very much of a work in progress.

Dan: [5:46] To take some time with these nuclear.

Kim: [5:49] Yeah. And I was writing Java GUI’s. back then. And I just remember, like always trying to think of ways to slip in like Easter eggs, like I wanted dancing sharks with laser beams.

Dan: [6:04] We got to lighten the mood on some of these government style products.

Kim: [6:08] Yeah, I mean, it was for energy research, too. So that's a good-that's a good part of it. So that was a fun project.

Dan: [6:15] Starting out on the projects like that, did that shape your career in anyway?

Kim: [6:20] Yeah, I think a bit like, I ended up moving over to a different team, like the lab is a pretty big place with a lot of different projects going on. And I started working with a team on some bio defense products or tools, whatever. And that's what I got exposure to more like open source like we were using Jenkins. And that's when I started using Hadoop for the first time. I think like that Hadoop experience early on was just showing me like the power of open source and a community and being able to work with people like outside of your core organization, on similar problems it’s like-it's sort of fascinating and special all in its own way, so I'd say for sure.

Dan: [7:02] Yeah, it's almost magical. The collaboration that you can do, people all over the world, it's like kind of limitless.

Kim: [7:08] Yeah. So that's, fun.

Dan: [7:10] That's great! Now, we're going to talk about Chainguard but prior to Chainguard, you are then a product manager at Google for seven years. Can you tell our listeners a little bit about your experience there?

Kim: [7:24] Yeah, yeah, sure. So yeah, after I left the lab, I-I spent a bunch of time at startups primarily as an engineer and started dabbling and a few different product things. I did my own startup, which I wasn't-it wasn't success-well, I shouldn't say it wasn't success-I wasn't successful in raising money for that one and ended up kind of selling it, what pieces were there to-to another company. But my first product manager job was at Google, and I was there for about seven and a half years. So, Google was a super fun place to work. Like I-you know, it's almost even sad to leave, like I was having a blast while I was still there. So even making the decision to start a company was a tough one. I met a lot of amazing people. I worked on a lot of cool projects. I think overall, like it was just an amazing place to work. I love the culture; I love all the people we were working with. And I got to work on some really cool projects while I was there.

Dan: [8:17] What is it like on a day to day there? Like, yeah, people usually talk about the culture, but can you explain what is the vibe, exactly?

Kim: [8:25] Yeah, I mean, I think one of the first things that really took me by surprise was like the transparency of kind of everything that goes on. And I thought that was amazing. Like, I felt like Google was even more transparent than some of the small startups I was at, which makes no sense at all. But you know, you kind of can get access to a lot of things just to help you do your job. And I think-I think that always kind of-that always surprised me. I think day to day, you know, as a product manager, it depends. Lots of meetings, of course, lots of emails, trying to-trying to fish through all the noise and focus and build things and meet with lots of people.

Dan: [9:03] What did you get to work on? Is it any kind of like public facing stuff that we would all know?

Kim: [9:09] Yeah. So I spent the majority of my time on Google Cloud. And I worked on a number of Google Cloud products. And I actually started on the App Engine team. And so it was kind of almost like before Google Cloud was really a big Google Cloud. And I worked on a number of App Engine services like a queuing service our cron, our scheduler service. I was working on some email stuff. And then after that, I switched over to continuous integration and continuous delivery team. And so that's when I really started to dabble in this software supply chain security space. And then it kind of-then I shifted to focus totally and completely on security for the last couple of years.

Dan: [9:52] What was it at Google that gave you a taste of that kind of stuff?

Kim: [9:56] So when I switched over to the CI/CD team building continuous integration, continuous delivery products, I started an open-source project with Dan, who's now the Chainguard CEO that I work with, and a few others, open-source project called Tecton, which is now part of the Continuous Delivery Foundation, which is under the Linux Foundation, so vendor neutral, big open-source project. And we also really created that Continuous Delivery Foundation while we were at Google, and Tecton lives under there. So, it was always-security was always top of mind for everyone in the community and that foundation, and it just kept coming up like because the CI/CD is kind of the actual, [Laughing] you know, supply chain bits or implementation of a lot of the supply chain bits. And so people would always ask, like, what, you know, “How does Google solve for this? Like, what are best practices?” And so, it started coming up in those conversations.

Dan: [10:55] Yeah, let's start by breaking down what is so I know what security is, in general, for any engineering. I hear about supply chain a lot, definitely during the COVID. Like, I can't get the thing to the end point, like I-my Christmas presents were all late because of supply chain. What is software supply chain security?

Kim: [11:17] Yeah, so it's a good question. And people do sort of sometimes still confuse it with physical supply chain. And there's probably a lot that overlaps.

Dan: [11:27] Yeah.

Kim: [11:28] You know, when I think of software supply chain, it's like, what is all the code and all the mechanics and the processes that went into kind of delivering that core piece of software at the end? Like software depends on a lot of other software, like, where does that software come from? How was it built? Like, how was it deployed? It's like all the, you know, all the bits and pieces that go into making these things. There's a good blog post that a couple of my former Google colleagues wrote that drew a good analogy to doing construction work on your house, if you're doing a remodeling project, and really tries to like paint a picture of where the risks are and how this gets so complicated. So, you kind of think of like you have a contractor, well they need keys, they have subcontractors, you give keys out to all their subcontractors like, who are they? Where are they from? What are they? What materials are they bringing into your house?

Dan: [12:21] So yeah, it seems like, like kind of the analogy, it starts spreading pretty rapidly, maybe the access and how many dependencies need to come together? And you know, I don't know, this third-party software uses these other five third-parties, the keys are all over the place.

Kim: [12:37] Exactly.

Dan: [12:38] Is that a good way to think about it?

Kim: [12:41] Yeah. Yeah, and I think the physical supply chain like similarly, how is your package [Laughing] getting to your house? Like where [crosstalk] [12:47] are all the things?

Dan: [12:47] Yeah, all the touch points and-

Kim: [12:50] Yeah, what-what trucks is it riding on? Who's driving those trucks? Yeah the same.

Dan: [12:54] Yeah, totally makes sense. I mean, the terminology like software supply chain security, it's become a little-little bit buzzy. It's like a trending word now. Why do you think that is?

Kim: [13:05] Yeah, I think-I think it's-a lot of it is because of the big SolarWinds attack that happened. I think a little over a year ago now is when we first started reading about it. I think, folks-security folks in the space have been talking about this for a while. I do think, though, that it's become pretty buzzy because of these large attacks. I mean, the reality is the world is just getting pwned right now and the software supply chain attacks, like it's kind of terrifying.

Dan: [13:30] So what happened with so-SolarWinds? Like, let's give a-I remember, like hearing “Oh, like this big thing’s happening.” I wasn't in the security space at the time when it-when it happened. But we had a software-we have an engineering team so. What actually happened there?

Kim: [13:44] Yeah, so attackers broke into the-the build system there, how they were building code, and then we're able to distribute malicious code to a bunch of SolarWinds customers. So, I think lots of people were affected, government agencies, other large companies, I think lots of Fortune 500 companies. Yeah, so that kind of got the whole world on edge. And we saw an executive order come out of that, from President Biden, that we needed to take a closer look at all of these things and people contracting for the government would have to-would have to follow some new guidelines for if they were going to sell code to the government basically,

Dan: [14:23] Was that like, kind of like the life changing-the SolarWinds attack that-was that like, the spark that kind of turned heads or like, you know what I mean?

Kim: [14:35] Yeah, I mean, I think so. I think you know; a lot of security experts have been talking about this stuff for a while but I think it definitely kind of shifted focus and have, you know, it's making me people take a real look at it like in their organization. Log4J thing is happening right now, which is terrifying as well and one of the biggest breaches of our time, but I think-I think any-any company that's producing, writing software, developing software and has customers, like, they need to be taking a serious look at these things. So, I think it did draw a lot of awareness to the issue.

Dan: [15:11] It's funny the way humans work. It's like you always have these, I don’t know, researchers or like more advanced people on the topic that are kind of trying to get their voice out and saying, “Hey, we have an issue here.” and then it takes like, a disaster for it to become top of mind.

[Laughing]

Kim: [15:28] I mean, I hate-I, like, it's almost kind of scary, like how many similarities it has to the pandemic, right? Like, we watched the old video of Bill Gates saying, there's gonna be a big pandemic, and we're not prepared, and yeah.

Dan: [15:43] Why do you think the software supply chain is getting pwned?

Kim: [15:49] Well, I think-

Dan: [15:50] Compared to other areas, I guess.

Kim: [15:51] Yeah, I mean, I talked about this a little bit and follow some awesome people at Google that I used to work with and get their thoughts on it. And I think some of it is like, there's a few different theories. One is like we've get-we've gotten better at protecting other-like against other types of attacks. So, this is like one of the big open gaps right now in all of our systems. I think, another is that the targets for attackers is actually more juicy, I guess, is the term that I've heard, like, just think about SolarWinds, it's like you weren't, these attackers aren't just attacking SolarWinds directly, but is able to get into their system and affect all of their customers. So, it's like, there's an initial attack, but then you have the ability to just kind of affect so many more companies and people.

Dan: [16:40] It kind of sounds like the supply chain is kind of like a sensitive area, in the sense that if you are an attacker, and you get in there, you're gonna get like a spread of access, or I guess the reward, if you're like an evil person and you want to call it, [crosstalk] [16:58] you can cause more damage, if you get in.

Kim: [16:58] Yeah exactly.

Kim: [17:01] Exactly.

Dan: [17:02] Maybe than, you know, I'm just hacking like one application and now I'm kind of stuck there. How does this relate to open source? What are like the ramifications for open source?

Kim: [17:13] Yeah, so that's a good question. So, my last role at Google was protecting Google from open-source software and, you know, open-source software is amazing. That's how we've gotten so much innovation today but it does come with some risk. I think the challenges are a little bit more unique when it comes to trying to protect kind of the supply chain of open-source software. As we've seen, like it's hard to know who's writing that software, there's no kind of standards in place right now, there's no easy way for a company to do sort of a risk analysis of the open-source software that they're using. And it just is difficult because a lot of open-source projects that-that people depend on, like they're not well funded. These are like volunteers is working in their free time. And like they maybe not-don't even have like the security expertise or the skills to think about some of these attack vectors. And-and so you know, it's been interesting last few years for to looking at this-at this problem.

Dan: [18:12] How do you know where your software is coming from? And what is provenance?

Kim: [18:19] Yeah, so I mean, that's, that touches on a big topic of open source. It's like it's-it's-it's really impossible and very difficult to trace, like the open-source software package, or all the way back to like its origin. So how do you trace it back to its origin? Like where, like, what developers are committing code to it? What processes were being followed? Like, how was the software package built? All those sorts of questions is kind of how I've been thinking about provenance in my head. And then the important part is like, okay, you sort of have that data and that info, how do you actually verify that data? How do you know that that's accurate? Like it's-it can be trusted and, and that's when we started this project called Sigstore, which is an open-source project, which the original goal was to help make it easier for developers to sign code and containers, and then you have that you have that cryptographic sort of guarantee is where you can verify at the other end? Yes. Like I can attest that I-you know, I wrote, I sign the software, and then you can verify and write policies on the other side of it.

Dan: [19:27] Wow. Yeah, this is cool. I mean, I actually didn't know too much about this coming into the pod. It's a pretty expansive, complicated problem. Now we're caught up to speed with some of the problems that are happening in the industry. Let's jump into your work at Chainguard. What's going on there? What's Chainguard doing?

Kim: [19:45] Sure, so me and four other founders started a company called Chainguard. The site is chainguard.dev. I think we incorporated in October. We all worked together at Google at one point, so we all knew each other and then kind of came together at the right time to go help companies tackle supply chain security.

Dan: [20:05] That's a lot of founders, like usually-like, the most I hear oftentimes is three-one to three is common.

Kim: [20:12] Yeah, yeah.

Dan: [20:13] How is that working out [crosstalk] [20:15] for you with that-that many people at the top?

Kim: [20:15] Yeah. It's-it's amazing. I mean, I think the big-the big difference is like we all had worked together before. I mentioned, I started a company before and like, I didn't really know my founder, it was just someone that had a similar idea to mine. We had never really worked together in a professional environment or anything. So, it's a much different experience. But like, they're all great. I love all of them. Dan, our CEO, and I have been working together closely at Google for the past five years or so, we worked on a lot of these open-source projects and tools together. And him and I would casually kind of talk about startups, but nothing really stuck. And the timing wasn't really right. And then we sort of like-like, all the chips just sort of aligned here. And it was like, wait a minute, this is, you know, a huge opportunity for us to go and have a big impact and just go big here and really help like we-we've been working in this space. Matt, Ville, and Scott, who are the other founders, they've been working with containers. Ville is one of the original Kubernetes engineers. So, we thought that all-all the pieces were lining up to go out to this.

Dan: [21:24] Yeah. What are the roles of each of the co-founders?

Kim: [21:27] Yeah, so Dan's our CEO, I'm focusing on product stuff, and Matt, Ville, and Scott, are our engineer, focus on engineer, Matt's our CTO. So that's our-that's our roles right now. I think it's been amazing to have a team right out of the gate, if you will, like I think we've got a lot done in just the two months we've been incorporated. Another awesome benefit is like if one of us can't make-can’t make a meeting, send someone else in. And so yeah, so far, it's been-it's been all positive for us, I think, you know, we've got a plan for decision making and talking about more process stuff like that. And, you know, who knows what the future holds, I'm sure, like all startups we’ll have a few bumps along the way. But so far has been nothing but amazing and fun.

Dan: [22:12] You mentioned you had the previous company that, probably like the way that you described it, had a combination of success and failures. How do you think starting that first company, whether you think it was successful or not, has impacted you being a founder the second time around?

Kim: [22:30] Yeah, great question. I mean, what I remember from them, lots of ups and downs, as any founder will tell you, it's kind of a roller coaster, you know, you'd get some great news one day, and then terrible news the next day, and just kind of riding the wave there, I think is super important. I think just doing what it takes to get a company off the ground. My startup experience definitely helped me prepare for doing this again. And of course, having the experience at Google, building cloud enterprise products, I think has helped me a lot.

Dan: [22:58] You have a great background and amazing career going and then it's kind of led up to Chainguard. In October, big news, you were incorporated. And then last week, you announced a five-million-dollar seed funding round. So, congratulations on that, that's awesome.

Kim: [23:15] Thank you.

Dan: [23:16] We have a lot of technical listeners here. And we have up-and-coming engineering leaders that someday want to be in your position, how were you able to, you know, get that round of funding?

Kim: [23:27] Yeah, great question. So, the-the market’s a little bit crazy right now, I don't think we realized how quite crazy it was until we decided to go venture off and build a company. So, a lot of VC money floating around out there. We ended up taking a seed round from the folks at Amplify Partners. And they've just been amazing. I think for us, it was really important to find partners that just we could, you know, see ourselves almost being in the same room with and working with every day, and they have not fell short of that. They're just an amazing group of people that have been helpful. I think they reached out to Dan initially, and it was like, hey, you know, he's thinking about starting-starting something in this space and then the conversation went on from there. I think for us, maybe a little bit different than some other people's experience, like raising money or building something is like I mentioned, we've been in this open-source space for a while, so our names are out there. The projects we, you know, started and worked on are out there. And that's what we're-we’re using a lot in Chainguard and building our products, like, on top of these open-source projects. So, it was like there was already something there that people could see in the open and see where this could go.

Dan: [24:41] It's kind of like gives you clout, your reputation’s out there a bit. You have a foundation to build off of its-it probably went a long ways in getting that seed round, like a seed round investment. they're banking on you for the future, they're really investing into you and your team.

Kim: [24:58] Yeah, yeah exactly.

Dan: [24:59] More so that and your revenue that you're generating or how many customers you have. It's really about you.

Kim: [25:05] Yeah and I think my advice to for other people is to get yourself out there, do podcasts like this, you know, tweet, our-Dan, our CEO again, he's amazing it just writing blog posts and-and tweeting and building up a following for himself and showing thought leadership here. And I think that goes a long way, when people are trying to, like, figure out who's in the space who might start a company one day.

Dan: [25:30] Right, you might be thinking to yourself, because I-actually when we founded LinearB, we started blogging, we have a Discord community now, thousands of members, we get this podcast going thousands and thousands of listeners, but when you're, you know, just starting out, you might be thinking to yourself, no one's gonna want to know, like what I have to say or like [crosstalk] [25:51] no one's gonna, you know, read this blog.

Kim: [25:51] Yeah.

Dan: [25:55] But actually, it's like the exact opposite. There's always a void of knowledge. And if you put yourself out there, I think, for our listeners, you'll be pleasantly surprised that there are people that want to follow your stuff if you know what you're talking about.

Kim: [26:10] Totally.

Dan: [26:11] And so now with Chainguard, what problems are you focusing on solving?

Kim: [26:16] Yeah, so we're, I mean, as you said, we're really early, we've been around for a couple months now. But we did launch-when we announced our seed funding, we did launch something called Chainguard Services. So, a lot-we're spending a lot of time talking with big companies and potential customers about what keeps them up at night. What supply-software supply chain things are terrifying them? How do they think they're gonna solve the problem? How are they approaching it? And so, a lot of these companies too, they found a number of these open-source projects and thinking about using them internally and need a little-need a little bit of help, or don't really understand their security posture today. So, we announced Chainguard services to work closely with a handful of companies to either help with like auditing or help with training. And we're also, like, building some integrations and things. So, we, you know, right now it's early and we're shaping, like, the ultimate products that we end up taking to market and just really trying to learn as much as we can. And so, a lot of that time is being spent talking to people right now.

Dan: [27:20] And for our listeners here, you know, not everyone is working at a large enterprise that maybe has a lot of funds, like, we get a lot of listeners from startups and scale ups and you know, people that are closing series A, B, C rounds, for leaders that are in kind of that position, they're listening and maybe saying “Oh shit, like, I got to-I got to be thinking about this stuff.”

Kim: [27:41] Yeah.

Dan: [27:42] Where do they start, regardless of Chainguard? Like, how do they even start about improving this?

Kim: [27:47] That's a great question. So, I mean, like I said, there's a lot of great stuff out there in the open now, SLSA.dev, “S-L-S-A.dev”, is another thing I launched while we were at Google. And it's now got a lot of community participation and it gives a framework for supply chain integrity. And so, it's-it's a really good kind of reference to use, as you're thinking about building, you know, how your software development processes look in your organization, how you're thinking about when you bring in open-source software or third-party software, and it's a leveling systems, so we go SLSA 1,2,3,4, and there's just different requirements at each level. So, it's really good kind of guideline to help start thinking about these things. The website lists out like a bunch of different attack vectors and attacks we've actually seen in a while then, like, here's how the framework can help you prevent against these types of attacks. So, I would definitely kind of start there as you're-as you're building out, like, your company and your organization, and then that's-that's like, the thing with Chainguard and where we saw an opportunity too, is like many-many of these companies, they don't have a team of security people focused on this day in and day out, or they don't want to hire a team, like, let me go focus on my core products and features for my customers and just let me buy something off the shelf to help us with this problem. So, definitely keep an eye out for where we're going if that sounds interesting.

Dan: [29:16] Yeah, absolutely. You know, thank you so much for giving that advice. It's been like a really awesome conversation with you and hearing about your background and catching us up on software supply chain security, and your founding of Chainguard. So, you know, thank you so much for coming on the pod today.

Kim: [29:34] Yeah, you're welcome. Thanks for having me.

Dan: [29:36] Yeah, absolutely. I want to give you an opportunity. So, you know, as you said, you're-you're launching Chainguard services. If someone is listening and wants to get involved, how could they do that?

Kim: [29:49] Yeah, so we have just a simple Google form, like learn more contact us form, just fill that out and I'm usually sending you an email like we'd love to hear about how you're thinking about the problem of supply chain, like what challenges you're running up against, see if there are opportunities for us to work together.

[Music fades in]

Dan: [30:06] Perfect. So, anyone, you know, that's listening, if you want to get in contact with Kim, we’ll include that form in the links. Also, a quick reminder for our listeners, if you haven't already rated and reviewed the show on your podcasting app of choice, particularly Apple pods, please do so. Reviews are a crucial way that our show gets discovered. Also, be sure to join the Dev Interrupted Discord community. That's where we keep this type of convo’ going all week long. I also want to say thank you to the more than 2000 of you who are now subscribed to our weekly interruption newsletter. We bring you articles from the community, inside information and weekly podcasts, and the first look at Interact 2.0 on April 7th, 2022. Kim, it's been a pleasure. Thank you.

Kim: [30:53] Yeah, yeah thank you.

[Music fades out]