Hi, this is your host Abhinav Bhartiya and welcome to another episode of TFI Newsroom. Today we have with us Kim Lewandowski, co-founder and chief product officer at ChainGuard. Kim, it's great to have you on the show.

Thank you, thank you for having me.

Yeah, and you folks announced the availability of new SBOM, vulnerability analysis and software signing capabilities in Enforce. Before we talk about ChainGuard Enforce, since we have covered ChainGuard in the past, our audience does know about the company, but let's do a quick recap. What is ChainGuard all about in today's modern cloud and cloud-native world?

Yeah, so ChainGuard is almost two years old now. It's a software supply chain security company, which means we're trying to help companies gain more confidence in the software they're running in their production systems. So we help them understand what they're running, what the security posture is, how to take remediation steps to make their things more secure. And then we give them tools for continuous compliance to make sure that they're not outside of compliance for the things that they've set internally.

As you were talking about the company, if you look at today's world once again, it's not just cloud and cloud-centric, Kubernetes-centric; it's also software-driven and mostly it's open source. So talk also a bit about the importance of the whole software supply chain, not just from the perspective of what's going in your pipeline. Just like the automotive industry, you need to know what's on the assembly line. And then we can also talk about the whole SBOM thing; two or three years ago, the Biden administration came up with the executive order. So talk about some of the changes that you're seeing happen in this space when it comes to the whole software supply chain.

Yeah, great question. I think the whole topic in general has just kind of taken off over the last few years. So it is a bit of a buzzword now. We see a lot of software supply chain things in the news and other companies and vendors in the space. But the response from the US government has been kind of incredible. I guess this is my closest interaction with, at least watching things at, the federal level, but the amount of work that's been put into helping, from providing frameworks for companies to follow to new regulations that are coming down the path, has been really, really exciting to see. And then to your point about open source software, there's a lot of risk in using open source software. So we're seeing immense strides in the open source community, with folks trying to do the right thing and trying to make their things more secure and make it easier for downstream consumers of the open source software to have more confidence in what they're pulling.

Yeah, let's talk about the role that ChainGuard is playing in making things easier. And then we can also talk about Enforce here.

So wow, where do we start? I think the way that I like to frame this is the customer journey is really around what I mentioned before, which is knowing what you're running in your production systems and where the software came from. It still seems to be a bit of a black box for a lot of organizations. Developers are still building things on their laptops, as we like to say a lot, under their desks, not knowing what dependencies are going into that, and then it's being shipped out into production. Folks aren't even aware that it's sitting in there running, and there could be a new vulnerability that creeps up. So unless you're scanning things continuously in your production environments, it's just hard to have that complete picture of what's going on. So I think that's part of the problem that we're trying to tackle: just more awareness about what's running where and what its security posture is.

And then the next step is making changes, fixing some of those problems. So we do have one product, I'm not sure we talked about it on this show before, called ChainGuard Images, where we've gone all the way down to the Linux distro. We call it our Linux undistribution; its name is Wolfi. And so we are building everything from source. We are controlling all the packages that go into this undistribution. It's got all these software security features baked in. So we're making reproducible builds, we're signing everything, we produce SBOMs for it. And so that's one way to shift really far left and give developers a strong, secure footing to start with, through secure base images and even application images. So we're helping on the remediation piece, and with some of the Enforce features we'll get to in a minute.

But then the next step is that if you've made all these changes as a company, how do you ensure that you're staying in compliance with those? How are you ensuring that you're still in compliance with those federal mandates that are coming down? So that's the part where Enforce, our control plane, comes into practice and lets you define those security controls at the organizational level and then make sure you're always in compliance. So I like to frame things as: know what you're running, fix what's wrong, and then enforce to make sure you don't go backwards in time and lose the benefits of what you put into fixing things.

And since we're talking also about some news announcements, talk a bit about some new features that you folks added to ChainGuard Enforce.

Yeah, so I'm really excited about these features that are coming out this week. ChainGuard Enforce is our risk management platform, almost our security control plane, if you will, for your cloud native environments. And so by enabling Enforce in your environments, we connect to AWS, GCP, anywhere you have containers running. And then the features that we are announcing this week: the first one is just SBOMs, as a service basically. So these mandates now, federal contractors all have to produce SBOMs, I think by the end of the year, I don't know, don't quote me on that. And so inherent to ChainGuard's DNA is we're trying to do security the easy way, or let you do it the right way and basically do things by default, if you will. So developers don't really have to think about a lot of things. So anyway, the SBOMs feature is we connect to your workloads. We try to see if you already have an SBOM. If you don't have an SBOM attached to the containers that you're running, we're going to go ahead and produce one for you, so you don't even have to lift a finger. So we will generate all the SBOMs, and then that gives us valuable insights into the dependencies running in your environments, and from there we can then start doing interesting things with vulnerabilities.

So that's the next piece of what we're announcing this week: similar to the auto SBOM generation, we're doing auto vulnerability scan generation. And so if you're not already scanning things in your environment, we will again try to see if there's a scan available, and if there is, we'll ingest that data and then use it later on, or if there's not, we will automatically produce a vulnerability scan for things that you're running. And then the vulnerability scan is cool because, like I mentioned before, we are continually running that scan, every, I think, 24 hours in production right now. So a lot of times we see companies that will run a scan once before something hits production, but then that's it. And so they're not continuously scanning what's going on in the environment. And so that's one added feature that we're putting into the platform. And so a lot of it is just to make things easier on people; we've seen SBOMs coming down. So, yeah, again, just trying to do that the easy way and do it automatically for you.

So Enforce Signing is built on the concept of signing code and signing different things so you can ensure that it hasn't been tampered with when you're consuming it. And so Enforce Signing is our feature on top of the platform, which lets you sign on behalf of your private company, and we're using it internally. So you can sign a container image, for example; you can sign it out of the build system. So then the consumer of that image could go back and verify the signature. And then you can trust that that image hasn't been tampered with from the time you pulled it to the time that you start using it. So we use this internally; we've also baked it into the product. We were also using it for Git commits. So how do you know the developer is the one that really wrote the commit? And so we use it for Git commits, where we sign against our own trust root: all ChainGuard developers have to sign our commits, and then we verify that signature before we pull the code in. So the signing piece is just a huge part of the software supply chain challenges in general. So we're really excited to build on some of our knowledge with the Sigstore and Cosign projects in the open source, where companies need their own private version of that system. And that's what we're here building and launching.

How much awareness of SBOMs are you seeing out there? Of course you folks are two or three years old; when we look at this challenge, are you like, "Hey, you know what? We have moved to an advanced phase where everybody knows about it. Education is not a challenge. The challenges are their workload, how to help them where they are in the journey." Or are you like, "They're still at an early phase. We still have to tell folks you do need these practices in place"?

Yeah, I think that's a great question. I think it's still pretty early days where we're seeing with the SBOM thing. There's a whole community and a lot of discussions around it, but folks are seeing it as more of a checkbox right now, because there's a lot of open questions and some skepticism around SBOMs in general: when they're created, for example, whether it's at build time, where you know exactly what's going into the software, which is what we do for our ChainGuard Images, as opposed to trying to create the SBOM after the fact. So a lot of discussion, a lot of healthy conversations happening within the community, but I think it's still pretty early days where folks are with their general understanding and where they see the value of making these things more useful.

What kind of challenges do organizations mostly run into when it comes to embracing some of these SBOMs? And also, they're different; it's not a standard necessarily, but there are different projects. SPDX is there and then a couple of other projects are there when it does come to helping through open source, and then of course there are a lot of proprietary ones. Talk about some of the challenges that developers or teams or DevOps, DevSecOps face when they do try to embrace this, where you're seeing the patterns and you're like, "Hey, this is where ChainGuard is going to help them lower the barrier of entry."

Yeah, so I think some of the challenges that you pointed to is just there's a bit of a format game going on right now. There are a few different formats, and so I think picking a format would probably be the first step in the process. And then, I mean, another challenge is just security in general. So there's always this push and tug around security teams wanting to do the secure thing and then developer teams wanting to move fast. So I think anytime security teams try to, even inadvertently, introduce new friction into developer flows, like, "Hey, now we've got to produce an SBOM," you're naturally going to see, "Hey, this is going to slow us down." So that's why we're building a lot of tooling and things around it to abstract that away and make things easy for developers and organizations. I think other challenges are some of the skepticism around, like I was saying before, what are they getting out of those SBOMs? What's the real utility? Tooling is still very early days. What do we do when a company gives us an SBOM? So if another vendor gives them an SBOM, what do you do with that data? How do you make it useful for you? So I think there's just a lot of open questions now that we're figuring out as we go.

Can you also talk about, or give us a glimpse of, what are the things that you folks are working on? What's next for ChainGuard this year?

Oh wow, we've got a lot of things in the pipeline. So one of the pieces, yeah, pun intended, one of the pieces to build on the Enforce features is again making remediation even easier. So what do you do when you have that data? What do you do when you see critical vulnerabilities that have been scanned, or you have an SBOM that shows that you're depending on something with a critical vulnerability? So making it really easy to address those concerns. I think the ChainGuard Enforce Signing piece has a lot of interesting use cases; like I said, companies are trying to stand some of this stuff up internally to have better confidence in the code, even first party code that they're producing.

But then I think on the near term horizon, we've got a lot of interesting things coming with our ChainGuard Images product, which we didn't touch on much today, but we have customers asking for different bundled features: "I have this particular stack that we're running and the vulnerabilities are just causing us a ton of pain; can you just provide that bundle for us so we just don't have to think about these things anymore and we can use you as the throat to choke," as the terminology that people use goes. So a lot of interesting things coming on ChainGuard Enforce. FIPS is a big thing for customers. And again, just a lot of the regulatory compliance. Oh, that's what I was going to say about the Enforce Signing thing: the government has mandates around self-attestations. And so, I can never keep these things straight, that is basically saying you have to attest to certain things or else you could be liable. And so this is a big place where the Enforce Signing thing can come in and help companies along.

Again, thank you so much for taking time out today, and of course for talking about ChainGuard and also SBOMs in general and software supply chain in general. Thanks for all those insights, and I would love to chat with you again.

Thank you. Awesome. Thanks for having me.