Everyone, welcome back to theCUBE's coverage of KubeCon, CloudNativeCon 2021. We're here in person at a real event. I'm John Furrier, host of theCUBE, with Dave Nicholson, my co-host. We've got great guests here. Two founders of a brand new startup, one week old, Kim Lewandowski and Dan Lorenc, with Chainguard, former Google employees, open source community members, decided to start a company with five other people. Five total. Five total, congratulations. Welcome to theCUBE. Thank you, thank you for having us. So, tell us about your product now, you know what I'm trying to tell you. We know you don't have a product, so take us through the story, because this is one of those rare moments. We got a great chance to chat with you guys just a week into the newly formed company and the team. What's the focus? What's the vision? How far back do you want to go with this story? Go into why you left Google. So, you know, we're at gin and tonics, a couple beers. I can do that, we can do that. Let's take over the world. Sure. Yeah, so we've both been at Google for a while. The last couple of years we've been really worried about and focused on open source security risk and supply chain security in general and software. It's been a really interesting time, as you probably noticed, to be in that space, but it wasn't that interesting two years ago or even a year and a half ago. So, we were doing a bunch of this work at Google in the open source. Nobody really understood it, people kind of looked at us funny at talks and conferences. And then, beginning of this year, a bunch of attacks started happening. Things in the headlines like SolarWinds, the SolarWinds attack, like you say, an attack, all these different ransomware things happening. Companies and governments are getting hit with supply chain attacks. So, overnight people kind of started caring and being really worried about the stuff that we've been doing for a while.
So, it was a pretty cool thing to be a part of and it seemed like a good time to start a company. Kim, your reaction to the startup, how do you honestly feel? I'm just feeling so excited. Yeah, I'm really excited. I was in startups before Google, so then I went to Google, we were there for, I guess, Dan a little bit longer, I was there for seven years on the product side. And then, yeah, we, the open source stuff, we were really there for protecting Google and we both came from cloud before that, working on enterprise products. So, then sort of just saw the opportunity, while these companies are trying to scramble and sort of figure out how to better secure themselves. So, it seemed like a perfect startup. The startup bug and you're back in the startup, but the timing's perfect. I got to say, this is a big conversation, supply chain, from whether it's components and software now, huge attack vector. People are taking advantage of it. Super important, so I'm really glad you're doing it. But first, explain to the folks watching what is supply chain software? What's the challenge? What is the supply chain security challenge or problem? Sure, yeah, it's the metaphor of software supply chain. It's just like physical supply chain, that's where the name came from. And it really comes down to how the code gets from your team's keyboard, your team's fingers on those keyboards into your production environment. And that's just the first level of it, because nobody writes all of the code they use themselves. We're here at CloudNativeCon. It's hundreds of open source vendors, hundreds of open source libraries that people are reusing. So your trust radius and your attack radius extends to not just your own companies, your own developers, but to everyone at this conference and then everyone that they rely on all the way out. It's quite terrifying. It's a surface area, as they would say. It's a large surface area. The surface area explodes pretty quickly.
And people are, and the targeting too, because everyone's touching the code, it's open. There's a lot of action going on. How do you solve the problem? What is the approach? What's the mindset? What's the vision on the problem's solution? Yeah, it's a great question. I mean, I think, like you said, the first step is awareness. Like Dan's been laughing. He's been, he felt like a crazy guy in the corner, saying, you know, stop building stuff underneath your desk and, you know, getting companies. Now he's a rock star. Hey, we need you. Why don't you tell them? I was telling them for five years. Yeah, yeah, yeah. But I think one of his, you know, go-to lines was like, would you pick up a thumb drive off the side of the street and plug it into your computer? Probably not. But when you download, you know, an open source package or something, that actually can give you more privileges in production environments. And so it's pretty scary. So I think, you know, for the last few years, we've been working on a number of open source projects in this space. And so I think that's where we're gonna start is we're gonna look at those and try to grow out the community. And we're watching companies, even like SolarWinds, trying to piece these parts together and really come up with a better solution for themselves. Are there existing community initiatives or open source efforts that are underway that you plan to participate in? Or are you thinking of charting a new path? What's that look like? Tons, yeah. The Sigstore project, we kicked off back in March. You've covered that or are familiar with that at all? We kicked that off back in March of 2021, kind of officially. We had been working on code for a while before then. The idea there is to kind of do what Let's Encrypt did for browsers and web security, but for code signing and open source security.
So we've always been able to get code signing certificates, but nobody's really using them because they're expensive, they're complicated. Just like Let's Encrypt did for CAs. They made a free one that was automated and easy to use for developers. And now people do it without thinking about it. In Sigstore, we try to do the same thing for open source. And just because of the headlines that were happening and all of the attacks, the momentum has just been incredible. Is it a problem that people just have to get on board with a certain platform or tool, or people have too many tools, they abandon them, their focus shifts? Why, what's the main problem right now? Well, I think part of the problem is just having the tools easy enough that developers are going to want to use them and it's not going to get in their way. I think that's going to be a core piece of our company is really nailing down the developer experience and these toolings and the cosign part of Sigstore that he was explaining. It's literally one command line to sign a package, sign a container, and then one line to verify it on the other side. And then these organizations can put together sort of policies around who they trust in their system. Like today it's completely black box. They have no idea what they're running and yeah. You have to re-think and redo everything pretty much. If they want to do it right, if they're just kind of fixing the old, you're the next SolarWinds basically. Yeah. And that's why we're here at CloudNativeCon when people are, you know, the timing is perfect because people are already re-thinking how their software gets built as they move it into containers and as they move it into Kubernetes. So it's a perfect opportunity to not just shift to Kubernetes but to fix the way you build software from the start. What would you say is the most prevalent change, mindset change of developers now?
If you had to kind of look at it and say, okay, current state of the art mindset of a developer versus say a few years ago, is it just that they're doing things modally with more people? Or is it more new approaches? Is there a pattern? I think it's just paying attention to your build and release process and taking it seriously. This has been a theme since I've been in software, but you have these very fancy production data centers with physical security and all these levels of trust and prevention and making sure you can't get in there. But then you've got a Jenkins machine that's three years old under somebody's desk building the code that goes into there. He gets social engineered, he gets tagged. Exactly, yeah. It's like the movies where they, instead of breaking into jail, they hide in the food delivery truck. It's that, that's the metaphor that I like perfectly. Defense doesn't work if you're just opening- The cleaning truck. Yeah, if you open the door once a week, it doesn't matter how big defense is. Yeah, that's good to know, that's funny. And I think too, like when I used to be an engineer before I joined Google, just like how easy it is to bring in a third party package or something. You need like an image editing software, like just go find one off the internet. And I think developers are slowly doing a mind shift there. Like, hey, if I introduce a new dependency, you know, there's going to be, I'm going to have to maintain this thing and understand it. It's a little bit of a decentralized view too. Also you got a little bit of that, hey, if you sign it, you own it, if it tracks back to you, okay, your fingerprint, if you will, is on it. The chain of custody. Chain of custody.
Exactly, I was going to say, when I saw Chainguard at first, of course I thought about my pant leg, riding a bike, but then of course the supply chain, things coming in, like on a conveyor belt, conveyor belt, but that whole question of chain of custody, it isn't as simple as a process where someone grabs some code, embeds it in what's going on, pushes it out somewhere else. That's not the final step typically. So. Somebody else grabs that one and does it again 35 more times. Right, so who's responsible on that? How do you verify that? It seems like an obvious issue that needs to be addressed, and yet apparently from what you're telling us for quite a while, people thought you were a little bit nutty. And it's not just me, I mean, so Ken Thompson of Bell Labs, and he wrote the book. He wrote the book that I grew up on. In the 80s he gave a famous lecture called Reflections on Trusting Trust, where he pranked all of his colleagues at Bell Labs by putting a back door in a compiler, and that put back doors into every program it compiled. And he was so clever, he even put it in, he made that compiler put a back door into the disassembler to hide the back door when his colleagues looked for it. He was a genius. Yeah, so he spent weeks, and people just kind of gave up, and I think at that point, they were just like, wow, we can't trust any software ever, and just forgot about it and kept going on and living their lives. So this is a 40 year old problem, and we only care about it now. That's totally true. A lot of these old sacred cows, software life cycles, not really relevant anymore because the workflows are changing, it's complete, DevOps has taken over. Let's just admit it, right? So DevOps has taken over, now cloud native apps are hitting the scene. This is where I think there's a structural industry change, not just the community. So with that in mind, how do you guys vector into that in terms of market entry? What's the thinking around product?
Obviously, you got to hire. Yeah, I got to hire. Did you guys raise some capital? In process. A little bit of a capital A, so there's probably no problem with a hot market. But product-wise, you got to come in, get a beachhead. Yeah, I mean, we're casting a wide net right now and talking to as many customers, like we've met a lot of these customers, potential customers, through the communities that we've been building, and we did a Supply Chain Security Con, helped with that event this Monday, a day negative one event, and SolarWinds and Citibank were there and talking about their solutions. And so I think, and then we'll narrow it down to people that would make good partners to work with and figure out how they think they're solving the problem today and really sit closer to them. How do you guys feel? Good? You feel good? Excited. Well, we've got Jerry Chen coming on from Greylock next. Oh, awesome. So if you hang around, you can get a term sheet and say, Jerry, these guys got some action on them. Get in there. I probably didn't reply to him on LinkedIn or something. He's coming out with Chronosphere. He just invested $200 million in Chronosphere. Awesome. You guys should have a great time. Congratulations on the leap. I know it's comfortable to be in Google. A lot of things to work on, and doing startups is super fun too, but not easy. Not for the faint of heart. You guys have done it before, so great. Roller coaster. Cool. What do you think about today? Is the event here a little bit smaller, more like a VIP event? What's your take on playing on this? I mean, I think it's good to be back in person. Obviously, we're meeting, we've been associating with folks over Zoom and Google Meet for a while now and meeting them in person is like, oh, hey. Hard to recognize behind the mask. But yeah, we're just glad to sort of be back out and a little bit of normalish, I guess. How's everything in Austin? Everyone's safe and good over there? It's been pretty good.
Yeah, it's been a long, long pandemic. Lots of ups and downs, but yeah. Dan's hair has an identity. You got to get the music scene back. Once the music comes back in Austin, everything's all back to normal. Yeah, my hair doesn't normally look like this. I just haven't gotten a haircut since this all started. That's good, you're going to do well on this, mark. You're going to get a term sheet like that, keep the haircut until you get the money. I think I saw your LinkedIn profile and I was wondering, it's like, which version are we going to get? Yeah, we'll see. Wow, super relevant, super great topic. Congratulations. Thanks for coming on and sharing the story here on theCUBE. Yeah, thanks for having us. Thanks for having us. Thanks for being here. Dave Nicholson here on theCUBE. Day one of three days. We're back in person. Of course, hybrid event, because theCUBE.net has all the more footage and highlights and remote interviews. So stay tuned, more coverage after this short break.