Dan Lorenc is the Co-founder and CEO of Chainguard, the safe source for open source. The internet runs on free, open source software. But as it has risen in popularity, it has become the latest attack point targeted by hackers and nation states. This conversation with Dan gets into the history of open source software, cloud computing, Linux, the software supply chain, how AI will impact it, and what the next big cyber attack will look like. Dan is an engineer, but he also loves sales and go-to-market. We unpack how Chainguard went from zero to 150 customers and $40m ARR in two years. Chainguard just announced a $350 million Series D led by Kleiner and IVP, and Dan unpacks the round, plus shares his secret methodology for valuing the company. A big thank you to Dan's Co-founder Kim Lewandowski, to Clay Fischer @ Spark, Bogomil Balkansky & Andrew Reed @ Sequoia, and Tom Loverro @ IVP for their help brainstorming topics for Dan. Thanks to Numeral for supporting this episode, the end-to-end platform for sales tax and compliance. Try it here: https://bit.ly/NumeralThePeel

Timestamps:
(3:26) A safe source for open source
(4:57) The software supply chain
(7:19) Can you trust open source code with contributors in Russia?
(9:43) Malware attack that almost took down the entire internet
(12:40) What the next big cyber attack will look like
(15:12) How will AI impact the software supply chain
(17:53) The history of cloud computing
(21:42) Why all cloud computing runs on Linux
(23:16) How Linux + Linux distros work
(29:28) Automating open source security
(32:43) Chainguard roadmap: Libraries and VMs
(36:40) Focusing on FedRAMP
(42:44) Impact of DOGE
(44:06) Zero to $40m ARR in two years
(45:40) Learning to love sales as a technical founder
(47:24) Lessons from Frank Slootman
(51:15) How to create urgency in sales
(53:16) How to build a sales team
(58:23) Hiring Ryan Carlson from Wiz & Okta
(1:01:45) Inside Chainguard's $350m Series D
(1:07:41) Vibe coding + Dan's software stack
(1:09:51) Cutting his hair in front of the entire company
(1:10:27) Wearing a different suit to each board meeting
(1:12:32) Bogomil, world's best SDR

Referenced
Check out Chainguard: https://www.chainguard.dev/
Jobs at Chainguard: https://www.chainguard.dev/careers
Prior episode with Dan: https://www.youtube.com/watch?v=AC4cOJ9n_Z8
Linux Origin Email: https://www.reddit.com/r/linux/comments/mmmlh3/linux_has_a_interested_history_this_is_one_of/
The Qualified Sales Leader: https://www.amazon.com/Qualified-Sales-Leader-Proven-Lessons/dp/0578895064
Julius, AI data analysis: https://julius.ai/
Claude Code: https://www.anthropic.com/claude-code
World's best SDR: https://x.com/BogieBalkansky/status/1913269714882814350
2025 Chainguard Assemble Keynote: https://www.youtube.com/watch?v=adfU9LJg3I0

Follow Dan
Twitter: https://x.com/lorenc_dan
LinkedIn: https://www.linkedin.com/in/danlorenc/

Follow Turner
Twitter: https://twitter.com/TurnerNovak
LinkedIn: https://www.linkedin.com/in/turnernovak

Subscribe to my newsletter to get every episode + the transcript in your inbox every week: https://www.thespl.it/
This week we're taking you backstage at TechCrunch Disrupt. Becca Szkutak had the chance to talk with Dan Lorenc, the CEO and co-founder of cybersecurity startup Chainguard, following their conversation on stage with prominent investors The Chainsmokers. They discuss how the EDM duo's venture fund MANTIS went from being viewed skeptically by traditional VCs to becoming a highly sought-after investment partner in the B2B space, how Lorenc scaled the company in a difficult time for cybersecurity, and what value celebrity investors can add to a startup. Check out the full onstage conversation here.

00:00 - Introduction
02:27 - Chainguard: Company Overview and Open Source Security
05:27 - Google Background and SolarWinds Impact
08:02 - Building Chainguard: Product Evolution
11:44 - Early Fundraising and Timing
12:53 - The Legendary Alex Pall Cold Emails
15:01 - MANTIS Investment Impact
16:11 - Company Growth and Future Plans
16:51 - Learning from Early Mistakes

Found posts every Tuesday. Subscribe on Apple, Spotify or wherever you listen to podcasts to be alerted when new episodes drop. Check out the other TechCrunch podcast: Equity. Subscribe to Found to hear more stories from founders each
Connect with us: On Twitter, On Instagram, Via email: found@techcrunch.com
This episode is going to piss you off. Most founders struggle to raise their first few million. Many have to bootstrap for years. Even once there's revenue, many get rejected because they're "too early". Dan had dozens of VCs asking to invest before he even quit his job. He raised his first $5M with no deck, no story, and no product idea. All it took was two founders who wanted to build something in the security space. To add fuel to the fire, 6 months after he incorporated, he raised a $50M round from Sequoia... with no revenue! He didn't pitch dozens of VCs. He didn't create a deck. He just spoke to a partner at Sequoia and had a term sheet in 3 days. The reasons are part macro, part team, part market... and part just the insanity that sometimes happens in Startup Land. It's hard to believe and makes little sense from the outside. But it often works. Chainguard just closed a $140M Series C, has 100s of customers and does 8 figures in ARR. Here's how it happened.

Why you should listen:
Why launching multiple products at once worked for Dan.
How to raise from a position of strength to get favourable terms.
Why identifying the right markets can be such an important step.
Why time to value leads to fast growth and high close rates.

Keywords: startup, fundraising, product market fit, Sequoia, security, open source, venture capital, entrepreneurship, growth strategies, technology, innovation

Send me a message to let me know what you think!
In this episode, Rich speaks with Adolfo García Veytia from Stacklok. Topics include: writing Kubernetes in PHP, contributing to the Linux kernel, joining SIG Release, improving the supply chain security of the Kubernetes releases, the issue of CVEs in software, and release engineering.

Show notes
Adolfo's LinkedIn | X | GitHub
Rich's LinkedIn | Bluesky | Linktree
Kubernetes SIG Release
Sigstore
Bob Callaway and Dan Lorenc's Sigstore talk from KubeCon LA
What is an SBOM
Adolfo and Carlos's KubeCon talk
SLSA
Wolfi
Episode Transcript

Logo by the amazing Emily Griffin. Music by Monplaisir. Thanks for listening. ★ Support this podcast on Patreon ★
Bret and Nirmal are joined by Dan Lorenc from Chainguard to walk them through Chainguard's approach to building secure, minimal container images for popular open source software. They discuss why it is important to have secure and minimal container images. Dan explains how Chainguard helps remove the pain of CVEs, laggy software updates and patches, and much more. Chainguard is now also available on Docker Hub. They spend the first part of the show talking about the week's big news: the XZ supply chain attack, and Dan was the best man to explain it. They also touch on CVEs, things you can do to reduce the attack surface, SLSA, and more during this jam-packed show. Be sure to check out the live recording of the complete show from April 4, 2024 on YouTube (Ep. 261).

★Topics★
Chainguard Website
Vulnerability Management Certification course
True Cost of Vulnerability Management
Chainguard Images
Chainguard on Docker Hub Announcement

Creators & Guests
Cristi Cotovan - Editor
Beth Fisher - Producer
Bret Fisher - Host
Nirmal Mehta - Host
Dan Lorenc - Guest

(00:00) - Intro
(05:14) - Dan's Take on the XZ Hack
(14:59) - Chainguard Distro Creation
(21:21) - Chainguard in Docker Hub Announcement
(24:26) - Free Images vs Private Images
(26:27) - Zero CVE Approach
(28:33) - Ways to Reduce Attack Surfaces
(39:56) - Chainguard Academy
(41:08) - Real Time Antivirus Malware Scanner
(43:52) - Google Distro Lists Worth Using
(45:56) - Chainguard for Buildpacks
(46:20) - SLSA
(56:08) - What's Next for Chainguard?
(56:52) - Getting Started with Chainguard

You can also support my free material by subscribing to my YouTube channel and my weekly newsletter at bret.news! Grab the best coupons for my Docker and Kubernetes courses. Join my cloud native DevOps community on Discord. Grab some merch at Bret's Loot Box. Homepage bretfisher.com
Dan Lorenc, co-founder and CEO of Chainguard, joins Dennis Fisher to dig into the recent XZ Utils backdoor incident, the implications for the open source ecosystem, and what can be done to avoid similar incidents in the future. Then they discuss the problems facing NIST's National Vulnerability Database and the CVE ecosystem.
- First off, for folks that don't know you, can you give them a brief overview of your background/organizations?
- Josh, let's start with you. Can you explain some of what is going on with the drama around NVD and what happened that caught everyone's attention?
- Dan, I know you've raised concerns around the implications for the community when it comes to the lack of CVE enrichment. How do you see this impacting the vulnerability management ecosystem?
- Josh, your team has started providing some accompanying resources to try and address the gap. Can you tell us a bit about that?
- Dan, you've spun up an open letter to Congress and have kicked off a bit of a grassroots effort to raise awareness around the problem. How is it going so far and what are you hoping to accomplish with the letter?
- Why do you both think this is such a big deal, and how can something so critical to the entire software ecosystem be so underfunded, overlooked and taken for granted?
- What are some things you all hope to see in the future to resolve this, both from NIST/NVD and the Government but also from industry as well?
Episode sponsors: Binarly (https://binarly.io) FwHunt (https://fwhunt.run) Dan Lorenc is CEO and co-founder of Chainguard, a company that raised $116 million in less than two years to tackle open source supply chain security problems. In this episode, Dan joins Ryan to chat about the demands of building a "growth mode" startup, massive funding rounds and VC expectations, fixing the "crappy" CVE and CVSS ecosystems, managing expectations around SBOMs, and how politicians and lobbyists are framing cybersecurity issues in strange ways.
Dan Lorenc is the Co-founder and CEO of Chainguard, the best way to secure your open source software. Dan and his co-founders Kim, Matt, and Ville started the company in 2021 after spending a decade working together at Google on all things open source and software security. They've since raised $116 million from investors including Spark (led Series B), Sequoia (led Series A), Amplify (led Seed), The Chainsmokers' Mantis VC, Banana Capital, and dozens of angels in the cyber security and open source communities.

Topics discussed:
What is the "software supply chain"?
How the SolarWinds breach created the software supply chain security market
The history of open source software
Why open source software makes software supply chains even less secure
The moment Dan and his co-founders decided to start Chainguard
Why they started selling consulting services before even building a product
The reason their first two products solved completely different problems (top-down and bottom-up), and why the one that didn't work at first is now their main business
Why Chainguard decided to focus on a broad communications and marketing strategy so early on
How Dan gets quoted in major media publications as an early stage startup founder
Why Chainguard uses memes for marketing
Why Dan thinks startups should "make content optimized for the group chat"
How they raised their Seed round from Amplify a week after leaving Google
Raising a Series A from Sequoia as the market started collapsing in Spring of 2022
Dan's advice for founders on dealing with investor inbound when not fundraising
Why he wishes he had hired sales reps sooner
Raising a Series B from Spark Capital to accelerate their enterprise sales process

Referenced:
https://www.chainguard.dev
https://www.sigstore.dev/
Battling the Trojan Horse in Open Source: https://www.sequoiacap.com/article/dan-lorenc-chainguard-spotlight/
Chainguard Series B Announcement: https://www.chainguard.dev/unchained/series-b-funding
Dan's favorite open source project: https://github.com/jqlang/jq
Reflections on Trusting Trust: https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf

Where to find Dan:
Twitter: https://twitter.com/lorenc_dan
LinkedIn: https://www.linkedin.com/in/danlorenc

Where to find Turner:
Newsletter: https://www.thespl.it
Twitter: https://twitter.com/TurnerNovak
Banana Capital: https://bananacapital.vc

Production and distribution by: https://www.supermix.io
Want to sponsor the show? https://docs.google.com/forms/d/e/1FAIpQLSebvhBlDDfHJyQdQWs8RwpFxWg-UbG0H-VFey05QSHvLxkZPQ/viewform
Guests: Daniel Stenberg | Dan Lorenc
Panelist: Richard Littauer

Show Notes
Today, we are switching things up and doing something new for this episode of Sustain, where we'll be talking about current events, specifically security challenges. Richard welcomes guest Daniel Stenberg, founder and lead developer of the cURL project. Richard and Daniel dive into the complexities of Common Vulnerabilities and Exposures (CVEs), discussing issues with how they are reported, scored, and the potential impact on open source maintainers. They also explore the difficulty of fixing the CVE system, propose short-term solutions, and address concerns about CVE-related DDoS attacks. Dan Lorenc, co-founder and CEO of Chainguard, also joins us and offers insights into the National Vulnerability Database (NVD) and suggests ways to improve CVE quality. NVD's response is examined, and Daniel shares his frustrations and uncertainties regarding the CVE system's future. Hit download now to hear more!

[00:01:00] Richard explains that they will discuss Common Vulnerabilities and Exposures (CVEs) and mentions that CVEs were launched in September 1999, briefly highlighting their purpose. He mentions receiving an email about a CVE related to the cURL project, which wasn't acknowledged by the cURL team.
[00:01:50] Daniel explains that the email about the CVE was sent to the cURL library mailing list by a contributor who noticed the issue. He describes the confusion about the old bug being registered as a new CVE.
[00:03:54] Daniel discusses the process of requesting a CVE, which involves organizations like MITRE, and he mentions the National Vulnerability Database (NVD) and how it consumes and assigns severity scores to CVEs.
[00:06:21] Richard asks about how NVD assigns severity scores to CVEs, specifically in the case of CVE 2020, and Daniel describes the actual bug in curl, which was a minor issue involving retry delays and not a severe security threat.
[00:09:57] Richard questions who at NVD determines these scores and whether they are policy makers or coders, to which Daniel admits he has no idea and discusses his efforts to address the issue. He expresses frustration with NVD's scoring system and their lack of communication.
[00:11:18] Daniel and Richard discuss their concerns about the accuracy and relevance of CVE ratings, especially in cases where those assigning scores may not fully understand the technical details of vulnerabilities.
[00:14:37] We now welcome Dan Lorenc to get his point of view on this issue. Dan introduces himself and talks about his experience with the NVD, highlighting some of the issues with CVE scoring and the varying quality of CVE reports.
[00:16:11] Dan mentions the problems with CVSS scoring and the incentives for individuals to report vulnerabilities with higher scores for personal gain, leading to score inflation. Dan suggests that NVD could improve the quality of CVEs by applying more scrutiny to high-severity reports and widely used libraries like cURL, which could reduce the noise and waste of resources in the industry.
[00:18:23] Richard presents NVD's response to their inquiry. Then, Daniel and Richard discuss NVD's response and the discrepancy between their assessment and that of open source maintainers like Daniel who believe that some CVEs are not valid security issues.
[00:20:44] Richard asks if anyone offered to fund the work to fix vulnerabilities in important open source projects like cURL when a CVE is reported. Daniel replies that no such offers have been made, as most involved in the project recognize that some CVEs are not actual security problems, but rather meta problems caused by the CVE rating system.
[00:21:40] Daniel explains his short-term solution of registering his own CNA (CVE Numbering Authority) to manage CVEs for his products and prevent anonymous users from filing CVEs.
[00:23:04] Richard raises concerns about the potential for a CVE DDoS attack on open source, overwhelming maintainers with a flood of CVE reports.
[00:24:20] Daniel comments on the growing problem of both legitimate and invalid CVEs being reported, as security scanners increasingly scan for them. Richard reflects on the global nature of the problem, and Daniel emphasizes the importance of having a unique ID for security problems like CVEs.

Links
SustainOSS (https://sustainoss.org/)
SustainOSS Twitter (https://twitter.com/SustainOSS?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor)
SustainOSS Discourse (https://discourse.sustainoss.org/)
podcast@sustainoss.org (mailto:podcast@sustainoss.org)
SustainOSS Mastodon (https://mastodon.social/tags/sustainoss)
Open Collective-SustainOSS (Contribute) (https://opencollective.com/sustainoss)
Richard Littauer Twitter (https://twitter.com/richlitt?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor)
Richard Littauer Mastodon (https://mastodon.social/@richlitt)
Daniel Stenberg Twitter (https://twitter.com/bagder?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor)
Daniel Stenberg Mastodon (https://mastodon.social/@bagder)
Daniel Stenberg Website (https://daniel.haxx.se/)
Dan Lorenc Twitter (https://twitter.com/lorenc_dan?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor)
National Vulnerability Database (https://nvd.nist.gov/)
CVE (https://www.cve.org/)
cURL (https://curl.se/)
Chainguard (https://www.chainguard.dev/)
Sustain Podcast-Episode 185: Daniel Stenberg on the cURL project (https://podcast.sustainoss.org/guests/stenberg)
Sustain Podcast-Episode 93: Dan Lorenc and OSS Supply Chain Security at Google (https://podcast.sustainoss.org/93)

Credits
Produced by Justin Dorfman (https://www.justindorfman.com) & Richard Littauer (https://www.burntfen.com/)
Edited by Paul M. Bahr at Peachtree Sound (https://www.peachtreesound.com/)
Show notes by DeAnn Bahr Peachtree Sound (https://www.peachtreesound.com/)
Special Guests: Daniel Stenberg and Dan Lorenc.
Guest: Aaron Crawfis
Panelists: Richard Littauer | Justin Dorfman

Show Notes
Hello and welcome to Sustain! The podcast where we talk about sustaining open source for the long haul. Richard and Justin are excited to have as their guest today Aaron Crawfis, who works in the cloud space as a Senior Product Manager on the Azure Open Source Incubations team, which develops and launches new open source projects to advance the industry of cloud native computing and applications. He's done a lot of work on Dapr, a distributed application runtime, where he helped define, launch, and market it to microservice developers, and is currently working on incubations and more open source work across Azure and Microsoft. Today, we're going to find out more about Dapr, Azure, and working in the cloud space. Aaron tells us about some great projects and cool technologies coming out of the incubation space at Azure, and he shares some awesome advice if you're a project looking to get into this space. Press download to hear more!

[00:01:52] We start with learning more about Dapr.
[00:04:39] What's the difference between cloud native and working in the cloud?
[00:07:35] Justin mentions Dapr is mature and there are several companies that use it and wonders what's keeping Dapr in an incubation state rather than graduating. Aaron also tells us that since the release of Dapr v1.10, they found that the majority of contributors are now non-Microsoft developers.
[00:09:31] We hear if Sarah Novotny and Stormy Peters are involved in Dapr or if they've worked on any projects with Aaron.
[00:11:59] Aaron gives us his take on why so many people in the cloud space feel the need to gravitate towards large corporations.
[00:16:33] We hear about a small business startup, Diagrid, whose founders are building their entire business model around Dapr.
[00:18:13] Besides wearing a Dapr hat, Aaron runs the Open Source Incubations at Azure, so he fills us in on what that is, and their most recent incubation they launched, called Project Copacetic. Justin wonders if this project has any similarities to Chainguard's images or is a different approach to tackling vulnerabilities.
[00:24:08] Aaron shares how the Azure Open Source Incubations team, as well as Microsoft, is giving back more than it takes. He gives a shout-out to the Hugo project and Doxy, which are his two go-to projects.
[00:27:3] We hear about whether there's been a discussion around governance for Dapr and how to make the governance independent from a single large funding body.
[00:29:40] If you're a project looking to get into this space, Aaron shares some advice.
[00:30:57] Find out where you can follow Aaron on the web.

Quotes
[00:16:26] "Developers and customers will go where the best place to run that software is and I don't think it has to necessarily be a large corporation."
[00:30:39] "You can make the best piece of software out there, but if it's undocumented or if you're doing the getting started guide and you hit a bug on the first line, that's where everyone will drop off."
[00:30:48] "Biggest piece of advice, make sure that things are well documented, the value props are there, and the customers will flock right to you."

Spotlight
[00:31:39] Justin's spotlight is a series he's doing called tncc-newsletter.com.
[00:32:02] Richard's spotlight is Hugo.
[00:32:20] Aaron's spotlight is Doxy.

Links
SustainOSS (https://sustainoss.org/)
SustainOSS Twitter (https://twitter.com/SustainOSS?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor)
SustainOSS Discourse (https://discourse.sustainoss.org/)
podcast@sustainoss.org (mailto:podcast@sustainoss.org)
SustainOSS Hachyderm (https://mastodon.social/@sustainoss@hachyderm.io)
Richard Littauer Twitter (https://twitter.com/richlitt?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor)
Justin Dorfman Twitter (https://twitter.com/jdorfman?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor)
Aaron Crawfis Twitter (https://twitter.com/AaronCrawfis)
Aaron Crawfis LinkedIn (https://www.linkedin.com/in/acrawfis)
Dapr (https://dapr.io/)
Azure (https://azure.microsoft.com/en-us/)
Sustain Podcast-Episode 78: Stormy Peters: Sustaining FLOSS at Microsoft's Open Source Programs Office (https://podcast.sustainoss.org/78)
Sustain Podcast-Episode 93: Dan Lorenc and OSS Supply Chain Security at Google (https://podcast.sustainoss.org/93)
Sustain Podcast-Episode 80: Emma Irwin and the Foss Fund Program (https://podcast.sustainoss.org/80)
Diagrid (https://www.diagrid.io/)
Project Copacetic (https://github.com/project-copacetic)
Hugo (https://gohugo.io/)
Doxy (https://pypi.org/project/doxy/)
The Non-Code Contributor newsletter (https://tncc-newsletter.com/)

Credits
Produced by Richard Littauer (https://www.burntfen.com/)
Edited by Paul M. Bahr at Peachtree Sound (https://www.peachtreesound.com/)
Show notes by DeAnn Bahr Peachtree Sound (https://www.peachtreesound.com/)
Special Guest: Aaron Crawfis.
Join this episode of In the Nic of Time with Dan Lorenc, CEO, Chainguard, as they discuss the challenges and struggles around the software supply chain and take a deep dive on Dan's incredible contributions to the open source community with his projects like Minikube, Sigstore, Distroless and Wolfi.
Show host: Jordi Mon Companys Guest: Dan Lorenc The post Software Supply Chain with Dan Lorenc appeared first on Software Engineering Daily.
Bret is joined by two Chainguard co-founders, CEO Dan Lorenc and Head of Product Kim Lewandowski, to break down the ins and outs of supply chain security and talk about Chainguard's approach to securing it. We dive into tools, including their new Wolfi Linux distro. We first talk about what that even is, because it's a buzzword right now, and not everyone's on the same page on what securing your supply chain even means in the world of software. Then we jump into base images for containers, and their project Wolfi. We talk a lot about Wolfi in this episode, because it has the potential to change how we build our containers. Streamed live on YouTube on October 13, 2022. Unedited live recording of this show on YouTube (Ep #188)

★Topics★
Chainguard Website
Chainguard Twitter
Chainguard Academy
Wolfi
Wolfi-based images
Sigstore

★Dan Lorenc★
Dan Lorenc on Twitter
Dan Lorenc on Linkedin

★Kim Lewandowski★
Kim Lewandowski on Twitter
Kim Lewandowski on Linkedin

★Join my Community★
New live course on CI automation and gitops deployments
Best coupons for my Docker and Kubernetes courses
Chat with us and fellow students on our Discord Server DevOps Fans
Homepage bretfisher.com
★ Support this podcast on Patreon ★
Guest: Dustin Ingram
Panelists: Richard Littauer | Justin Dorfman

Show Notes
Hello and welcome to Sustain! The podcast where we talk about sustaining open source for the long haul. Joining us today is Dustin Ingram, who's a Staff Software Engineer on Google's Open Source Security Team, where he works on improving the security of open source software that Google and the rest of the world rely on. He's also a director of the Python Software Foundation and a maintainer of the Python Package Index. Today, we'll learn about the Open Source Security Team at Google, what they do, the bill they've contributed to, the Securing Open Source Software Act of 2022, a rewards program they have to pay maintainers called SOS rewards, and Google's role in the Sigstore project. Also, Dustin talks about the Python Package Index, he shares his opinion on the difference between security and sustainability, and what he's most excited about with work going on in the next year or two. Download this episode now to find out more!

[00:01:10] Dustin fills us in on the Open Source Security Team at Google, what they do there, how they prioritize which packages to work on, and which security bugs to work on.
[00:03:25] We hear about the team at Google working on the bill 4913, the Securing Open Source Software Act of 2022.
[00:04:18] Justin brings up Dan Lorenc and Sigstore, and we learn Google's role in this project and in making sure it's adopted more heavily in the supply chain.
[00:06:05] Dustin explains the model for how Google is working to make sure these projects stick together, and he tells us how an open source maintainer can make their code more reliable by going to Sigstore and other sites to talk to people.
[00:09:26] How does Google prioritize and choose which projects are the most important and where they're going to dedicate developer time to do that work?
[00:11:02] Dustin works on the Python Package Index, and he explains what it is, and with the PSF, how many directors they have, and how much he interfaces with other people there.
[00:12:17] We hear how Dustin dealt with the fallout from the backlash that happened during the mandatory multifactor authentication for the critical projects.
[00:16:52] When it comes to security, Richard wonders if Dustin has put a lot of thought into different grades of where it exists and who it's for, as well as if there's a ten to fifty year plan for the maintainers who move on to do other things and people are not going to be developing at all.
[00:19:13] Are there plans around education for maintainers and communities on how to onboard new maintainers and how to increase security without increasing load for the maintainers working on their projects?
[00:20:21] We hear what the Securing Open Source Software Act is all about.
[00:22:21] Now that open source is the dominant distribution, Dustin shares his thoughts on whether open source will stop working and explains the real strength of open source.
[00:24:09] Richard brings up the US government trying to secure their supply chain, working with future maintainers, code packages, working with foundations to figure out how we secure the ecosystem at large, and wonders if Dustin sees a way for the government to try and secure open source and not regulate it, but try to figure out how to manage it without the help of foundations or package managers.
[00:26:56] Dustin shares his opinion on the difference between security and sustainability, what he thinks about that, and what he's most excited about with work going on in the next year or two.
[00:30:28] Find out where you can follow Dustin and his work on the web.

Quotes
[00:03:34] "After Log4j, the government got really spooked because they really didn't know what software they were consuming, and President Biden did an executive order on securing a nation's cybersecurity, which was about setting a policy for how the government should consume open source."
[00:08:11] "We also do some other things to make that a little easier for open source maintainers to adopt these technologies."
[00:08:17] "One thing we have is a rewards program called SOS.dev, and that's a way that maintainers can get paid for doing what we feel is relevant security work."
[00:21:01] "The US government consumes a lot of open source software. They have a dependency on a lot more than most large companies that you can think of."
[00:21:11] "The answer to Log4j is not to stop using open source, it's to get better practices around determining what you have and just do industry best practices for finding and fixing vulnerabilities."

Spotlight
[00:31:17] Justin's spotlight is some awesome software called Rewind.ai.
[00:32:32] Richard's spotlight is Geoff Huntley.
[00:33:36] Dustin's spotlight is the Mozilla Open Source Support Program.

Links
SustainOSS (https://sustainoss.org/)
SustainOSS Twitter (https://twitter.com/SustainOSS?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor)
SustainOSS Discourse (https://discourse.sustainoss.org/)
podcast@sustainoss.org (mailto:podcast@sustainoss.org)
Richard Littauer Twitter (https://twitter.com/richlitt?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor)
Justin Dorfman Twitter (https://twitter.com/jdorfman?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor)
Dustin Ingram Twitter (https://twitter.com/di_codes)
Dustin Ingram LinkedIn (https://www.linkedin.com/in/dustingram/)
Dustin Ingram Website (https://dustingram.com/)
Open Source Vulnerability (OSV) (https://osv.dev/)
Sustain Podcast-Episode 93: Dan Lorenc and OSS Supply Chain Security at Google (https://podcast.sustainoss.org/guests/dan-lorenc)
Sigstore (https://www.sigstore.dev/)
SOS Rewards (https://sos.dev/)
Python Package Index (PyPI) (https://pypi.org/)
Sustain Podcast-Episode 75: Deb Nicholson on the OSI, the future of open source, and SeaGL (https://podcast.sustainoss.org/75)
Open Technology Fund (https://www.opentech.fund/)
Rewind (https://www.rewind.ai/)
Geoff Huntley Twitter (https://twitter.com/GeoffreyHuntley)
Explaining NFTs: Geoffrey Huntley interviewed by Coffeezilla about his NFT Bay Heist (YouTube) (https://www.youtube.com/watch?v=iLDOSnqN9-I)
Mozilla Open Source Support Program (https://www.mozilla.org/en-US/moss/)

Credits
Produced by Richard Littauer (https://www.burntfen.com/)
Edited by Paul M. Bahr at Peachtree Sound (https://www.peachtreesound.com/)
Show notes by DeAnn Bahr Peachtree Sound (https://www.peachtreesound.com/)
Special Guest: Dustin Ingram.
Show host: Jordi Mon Companys Guest: Dan Lorenc The post Software Supply Chain with Dan Lorenc appeared first on Software Engineering Daily.
Dan Lorenc of Sigstore and Chainguard joins Doc Searls and Katherine Druckman on FLOSS Weekly to discuss the software supply chain.The open source software supply chains are increasingly vulnerable attack surfaces. Nobody knows more, or is doing more, to secure those surfaces than Dan Lorenc. Hosts: Doc Searls and Katherine Druckman Guest: Dan Lorenc Download or subscribe to this show at https://twit.tv/shows/floss-weekly Think your open source project should be on FLOSS Weekly? Email floss@twit.tv. Thanks to Lullabot's Jeff Robbins, web designer and musician, for our theme music. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit Sponsor: Code Comments
Dan Lorenc, CEO and founder of Chainguard, joins Dennis Fisher to talk about supply chain security, asset inventory, Sigstore, and the challenges of helping developers write more secure code.
Software Engineering Radio - The Podcast for Professional Software Developers
Dan Lorenc, CEO of Chainguard, a software supply chain security company, joins SE Radio editor Robert Blumen to talk about software supply chain attacks. They start with a review of software supply chain basics; how outputs become inputs of someone...
Episode sponsors: Binarly (https://binarly.io/) and FwHunt (https://fwhunt.run/) - Protecting devices from emerging firmware and hardware threats using modern artificial intelligence. Dan Lorenc and a team of ex-Googlers raised $55 million in early-stage funding to build technology to secure software supply chains. On this episode of the show, Dan joins Ryan to talk about the different faces of the supply chain problem, the security gaps that will never go away, the decision to raise an unusually large early-stage funding round, and how the U.S. government's efforts will speed up technology innovation.
Dan Lorenc is Founder & CEO of Chainguard, the platform to secure your software supply chain. Chainguard supports many popular open source projects such as Sigstore, SLSA, and Tekton. Chainguard has raised $55M from investors including Sequoia and Amplify Partners. In this episode, we discuss the importance of market education when creating a new category of software, assessing market timing when launching your company, some of Chainguard's unique content strategies, and more!
On this week's episode of Reimagining Cyber, hosts Stan Wisseman and Rob Aragao welcomed guest Dan Lorenc, founder and CEO of Chainguard Inc., to talk about SLSA, software supply chain security risks, and his opinions on Software Bill of Materials (SBOMs).
Dan Lorenc (@lorenc_dan, Founder/CEO @chainguard_dev) talks about modern software-supply chains, Sigstore and SBOM.
SHOW: 655
CLOUD NEWS OF THE WEEK - http://bit.ly/cloudcast-cnotw
CHECK OUT OUR NEW PODCAST - "CLOUDCAST BASICS"
SHOW SPONSORS:
Datadog Application Monitoring: Modern Application Performance Monitoring. Get started monitoring service dependencies to eliminate latency and errors and enhance your users' app experience with a free 14 day Datadog trial. Listeners of The Cloudcast will also receive a free Datadog T-shirt.
CDN77 - Content Delivery Network Optimized for Video. 85% of users stop watching a video because of stalling and rebuffering. Rely on CDN77 to deliver a seamless online experience to your audience. Ask for a free trial with no duration or traffic limits.
SHOW NOTES:
Chainguard (homepage)
Sigstore - standard for signing, verifying and protecting software
CISA SBOM (Software Bill of Materials)
Topic 1 - Welcome to the show. Let's talk about your background, and what led you to found Chainguard.
Topic 2 - Over the last couple years, we've seen several high-profile hacks where malicious code was a big part of the problem. As an industry, where are we in terms of managing the security around software?
Topic 3 - Now that we're building software much faster, and software is coming from so many different (and often unknown/untrusted) places, what are some of the technology shifts that are happening to address these new environments?
Topic 4 - Chainguard is focused on both secure container images and now secure supply-chain solutions. Walk us through how your offers fit into today's software challenges.
Topic 5 - There is a new term we're hearing quite a bit, SBOM (Software Bill of Materials). How does SBOM fit into this bigger picture? What are the technologies behind the scenes that make it possible?
Topic 6 - For anyone focusing on this area, what are some good ways to get involved with the new technologies and way of thinking about software security?
FEEDBACK? Email: show at the cloudcast dot net. Twitter: @thecloudcastnet
People tend to trust the software they buy or download just because it's available online, but that doesn't make it safe. Join Dan Lorenc, the co-founder and CEO of Chainguard, as he explains the importance of a good software supply chain and what happens when you trust software that has vulnerabilities. Lorenc, an expert in his field, is a graduate of MIT (Massachusetts Institute of Technology) and came up at companies like Microsoft and Google while chasing his passion for creating software you can trust. You can find and connect with Dan on LinkedIn.
Dan Lorenc got into tech in a roundabout way. Most of his time in school was dedicated to the study of Mechanical Engineering, building in the world of atoms in machine shops and with 3D printers. He learned how to program through MATLAB, and he got hooked. He lives in Austin, enjoys taking in the live music scene, and likes to get outdoors, when it's not 108 degrees, like it was when we did this recording. While Dan was at Google, the well-known SolarWinds attack happened, illustrating the gaps and holes in the software supply chain space. His experience in this space, paired with the Biden Administration's executive order to secure it, led Dan and his co-founders to give this startup a try. This is the creation story of Chainguard.
Sponsors: Airbyte, Doppler, Host.io, IPInfo, mabl
Links: Website: https://www.chainguard.dev/ LinkedIn: https://www.linkedin.com/in/danlorenc/ Support this podcast at https://redcircle.com/code-story/donations Advertising Inquiries: https://redcircle.com/brands Privacy & Opt-Out: https://redcircle.com/privacy
Ask a developer about how they got into programming, and you learn so much about them. In this week's episode of The New Stack Makers, Chainguard founder Dan Lorenc said he got into programming halfway through college while studying mechanical engineering. "I got into programming because we had to do simulations and stuff in MATLAB," Lorenc said. "And then I switched over to Python because it was similar. And we didn't need those licenses or whatever that we needed. And then I was like, Oh, this is much faster than you know, ordering parts and going to the machine shop and reserving time, so I got into it that way." It was three or four years ago that Lorenc got into the field of open source security. "Open source security and supply chain security weren't buzzwords back then," Lorenc said. "Nobody was talking about it. And I kind of got paranoid about it." Lorenc worked on the Minikube open source project at Google, where he first saw how insecure it could be to work on open source projects. In the interview, he talks about the threats he saw in that work. It was so odd for Lorenc: the state of the art for open source security was not state of the art at all. It was the stone age. Lorenc said it felt weird for him to build the first release in Minikube that did not raise questions about security. "But I mean, this is like a 200 megabyte Go binary that people were just running as root on their laptops across the Kubernetes community," Lorenc said. "And nobody had any idea what I put in there if it matched the source on GitHub or anything. So that was pretty terrifying. And that got me paranoid about the space and kind of went down this long rabbit hole that eventually resulted in starting Chainguard." Today, the world is burning down, and that's good for a security startup like Chainguard. "Yeah, we've got a mess of an industry to tackle here," Lorenc said.
"If you've been following the news at all, it might seem like the software industry is burning on fire or falling down or anything because of all of these security problems. It's bad news for a lot of folks, but it's good news if you're in the security space." Good news, yes, but how does it fit into a larger story? "Right now, one of our big focuses is figuring out how do we explain where we fit into the bigger landscape," Lorenc said. "Because the security market is massive and confusing and full of vendors, putting buzzwords on their websites, like zero trust and stuff like that. And it's pretty easy to get lost in that mess. And so figuring out how we position ourselves, how we handle the branding, the marketing, and making it clear to prospective customers and community members, everything exactly what it is we do and what threats our products mitigate, to make sure we're being accurate there. And conveying that to our customers. That's my big focus right now."
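The Minikube release Lorenc describes above, a large binary run as root with no way for anyone to tell whether it matched the source on GitHub, is the gap that build provenance (in-toto statements, the SLSA provenance format, signed and published through Sigstore) is meant to close. The following is an added example, not code from the article or from Minikube, Sigstore or Chainguard: it takes a release artifact plus a SLSA v1 provenance attestation carried in a DSSE envelope and checks that the attestation covers that exact artifact by digest, names the builder the consumer expects, and records a checkout of the expected source repository pinned to a full commit hash. The artifact bytes, repository URL, builder id and envelope are constructed for illustration. Verifying the envelope's signature, which is what cosign or sigstore-python do, is assumed to have happened before these checks and is not done here.

```python
"""Policy checks on a SLSA v1 provenance attestation for a release artifact.

Added example: the artifact bytes, repository, builder id and envelope below
are constructed stand-ins, not real projects. The DSSE signature is assumed to
have been verified already (e.g. with cosign); nothing here checks it.
"""
import base64
import hashlib
import hmac
import json
import re

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
PROVENANCE_TYPE = "https://slsa.dev/provenance/v1"
DSSE_PAYLOAD_TYPE = "application/vnd.in-toto+json"

# Constructed stand-in for a release binary that would otherwise just be run.
ARTIFACT = b"\x7fELF sample bytes, not a real binary\n"

# Hypothetical values a consumer pins ahead of time (not real projects).
EXPECTED_SOURCE = "https://github.com/example-org/example-tool"
EXPECTED_BUILDER = ("https://github.com/example-org/example-tool"
                    "/.github/workflows/release.yml@refs/heads/main")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_statement(artifact: bytes, commit: str = "a" * 40) -> dict:
    """Constructed SLSA v1 provenance statement covering `artifact`."""
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": "example-tool-linux-amd64",
                     "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": PROVENANCE_TYPE,
        "predicate": {
            "buildDefinition": {
                "buildType": "https://example.invalid/build-types/ci@v1",
                "externalParameters": {"repository": EXPECTED_SOURCE,
                                       "ref": "refs/heads/main"},
                "resolvedDependencies": [
                    {"uri": "git+" + EXPECTED_SOURCE + "@refs/heads/main",
                     "digest": {"gitCommit": commit}}],
            },
            "runDetails": {"builder": {"id": EXPECTED_BUILDER}},
        },
    }


def wrap_in_dsse(statement: dict) -> dict:
    """Put a statement into a DSSE envelope. The signature is a placeholder;
    a real envelope's signatures must be verified before trusting the payload."""
    payload = json.dumps(statement, separators=(",", ":")).encode()
    return {"payloadType": DSSE_PAYLOAD_TYPE,
            "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": "",
                            "sig": base64.b64encode(b"placeholder").decode()}]}


def decode_envelope(envelope: dict) -> dict:
    """Extract the in-toto statement from an already-verified DSSE envelope."""
    if envelope.get("payloadType") != DSSE_PAYLOAD_TYPE:
        raise ValueError("unexpected payloadType %r" % envelope.get("payloadType"))
    return json.loads(base64.b64decode(envelope["payload"]))


def check_provenance(statement: dict, artifact: bytes,
                     expected_source: str, expected_builder: str) -> list:
    """Return the list of policy failures; an empty list means the artifact passes."""
    problems = []
    if statement.get("_type") != STATEMENT_TYPE:
        problems.append("not an in-toto v1 statement")
    if statement.get("predicateType") != PROVENANCE_TYPE:
        problems.append("predicate is not SLSA provenance v1")

    # The attestation must name this exact artifact by digest, not just by filename.
    want = sha256_hex(artifact)
    attested = [s.get("digest", {}).get("sha256", "") for s in statement.get("subject", [])]
    if not any(hmac.compare_digest(d, want) for d in attested):
        problems.append("artifact sha256 %s is not among the attested subjects" % want)

    predicate = statement.get("predicate", {})
    builder = predicate.get("runDetails", {}).get("builder", {}).get("id")
    if builder != expected_builder:
        problems.append("builder id %r is not the expected builder" % builder)

    # The build must have checked out the expected repo at a full commit hash;
    # that is what ties the binary back to a specific state of the source.
    deps = predicate.get("buildDefinition", {}).get("resolvedDependencies", [])
    checkouts = [d for d in deps if d.get("uri", "").startswith("git+" + expected_source + "@")]
    if not checkouts:
        problems.append("provenance records no checkout of %s" % expected_source)
    elif not all(re.fullmatch(r"[0-9a-f]{40}", d.get("digest", {}).get("gitCommit", ""))
                 for d in checkouts):
        problems.append("source checkout is not pinned to a full commit hash")
    return problems


if __name__ == "__main__":
    stmt = decode_envelope(wrap_in_dsse(make_statement(ARTIFACT)))
    print("good artifact:", check_provenance(stmt, ARTIFACT, EXPECTED_SOURCE, EXPECTED_BUILDER))
    print("tampered artifact:", check_provenance(stmt, ARTIFACT + b"\x00",
                                                 EXPECTED_SOURCE, EXPECTED_BUILDER))
```

The order matters: digest and builder checks are only meaningful once the envelope signature has been verified against a trusted key or Sigstore identity, because an attacker who can swap the binary can just as easily write an attestation that matches it. Comparing the digest with `hmac.compare_digest` rather than `==` is cheap and avoids a timing side channel if this ever runs server-side.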
A short podcast updating listeners on the security news of the last few days, as prepared and presented by Catalin Cimpanu. You can find the newsletter version of this podcast here. Today's podcast features appearances from Dan Lorenc, CEO and Founder of Chainguard, and Pearce Barry, principal security researcher at Rumble Network Discovery, this episode's sponsor. Show notes Risky Biz News: FIRST releases TLP v2.0
Chris: We're undoubtedly seeing a growing discussion around Software Supply Chain, with several notable events and also now evolving guidance/legislation such as the Cyber EO, NIST guidance etc. Any thoughts on why this is just now becoming such a focused concern?
Nikki: When a lot of people discuss software supply chain security, it can quickly turn into a discussion about SBOM or Log4j and SolarWinds. I think about software supply chain security as being part of a really good threat detection and response program - what are your thoughts on that?
Nikki: I also wanted to address, expanding on the topic of threat detection and moving into threat modeling - do you think that with the attack surface expanding through the software supply chain that there are threat modeling techniques that can be used to understand and account for that growing attack surface?
Chris: You've been pretty involved in efforts around software supply chain and DevSecOps, most notably sigstore - can you tell us what that is and why it is important or useful?
Nikki: In the last couple of years 'technical debt' has become a bigger concern for organizations, but this includes software supply chain, dependencies, EOL or outdated software, etc. How do you think organizations can account for their software inventory better and more efficiently?
Chris: As we look to the future of Software Supply Chain, with efforts such as SBOM, VEX, Sigstore, SLSA and more, where do you think we're headed? What does the state of software supply chain look like in say 3 years?
In the second set of interviews from KubeCon North America 2021, Gerhard and Liz Rice talk about eBPF superpowers - Cilium + Hubble - and what's it like to work with Duffie Cooley. Jared Watts shares the story behind Crossplane reaching incubating status, and Dan Mangum tells us what it was like to be at this KubeCon in person. Dan's new COO role (read Click Ops Officer) comes up. David Ansari from VMware speaks about his first KubeCon experience both as an attendee and as a speaker. The RabbitMQ Deep Dive talk that he gave will be a nice surprise if you watch it - link in the show notes. Dan Lorenc brings his unique perspective on supply chain security, and tells us about the new company that he co-founded, Chainguard. How to secure container images gets covered, as well as one of the easter eggs that Scott Nichols put in chainguard.dev.
Guest Dan Lorenc Panelists Eric Berry | Justin Dorfman | Richard Littauer Show Notes Hello and welcome to Sustain! The podcast where we talk about sustaining open source for the long haul. Today, we have a very special guest, Dan Lorenc, who is a Staff Software Engineer and the lead for Google's Open Source Security Team. Dan founded projects like Minikube, Skaffold, TektonCD, and Sigstore. He blogs regularly about supply chain security and serves on the TAC for the Open SSF. Dan fills us in on how Docker fits into what he's doing at Google, he tells us about who's running the Open Standards that Docker is depending on, and what he's most excited for with Docker with standardization and in the future. We also learn a little more about a blog post he did recently and what he means by “package managers should become boring,” and he tells us how package managers can help pay maintainers to support their libraries. We learn more about his project Sigstore, and his perspective on the long-term growth of the software industry towards security and how that will change in the next five to ten years. Go ahead and download this episode now to find out much more! [00:01:09] Dan tells us his background and how he got to where he is today. [00:03:08] Eric wonders how Docker fits into what Dan is doing at Google and if he can compare Minikube and his work with what the Docker team is trying to drive. He also compares Kubernetes to Docker and how they relate. [00:06:13] Dan talks about if he sees a shift of adoption in the sphere of what he's seeing, and Eric asks if he feels that local development with Docker is devalued a little bit if you don't use the same Docker configuration for your production deploy. [00:08:49] Richard wonders in the long-term, if Dan thinks we're going to continually keep making Dockers, better Kubernetes, or at some point are we going to decide that tooling is enough. 
[00:10:35] We learn who's currently running the Open Standards that Docker is depending on and Dan talks about the different standards. [00:12:13] Dan shares how he thinks the shift towards open standards in particular with Docker, influences open source developers who are in more smaller companies, in SMEs, in medium-sized companies, or solo developers out there who may not have the time to get involved in open standards. [00:13:45] Find out what Dan is really excited about in terms of Docker, with standardization or in the future that will lead to a more sustainable ecosystem. [00:15:17] Justin brings up Dan's blog and a recent post he just did called, “In Defense of Package Managers,” and in it he mentions package managers should become boring, so he explains what he means by that. [00:18:01] Dan discusses how package managers can help pay maintainers to support their libraries. [00:22:03] Richard asks Dan if he has any thoughts on getting other ways of recognition to maintainers down the stack than just paying them. He mentions things that he loves that GitHub's been doing recently showing people their contribution history. [00:23:46] Find out about Dan's project Sigstore and what its adoption looks like so far. [00:26:35] Richard wonders if Dan thinks it's a good idea to have that ecosystem depend upon a few brilliant people like him doing this work or if there's a larger community of people working on supply chain security issues. Also, who are his colleagues that he bounces these ideas off of and how do we eliminate the bus factor here. Dan tells us they have a Slack for Sigstore. [00:30:03] We learn Dan's perspective on the long-term growth of the software industry towards security in general, how will that change over the next five to ten years, and how his role and the role of people like him will change. [00:31:35] Find out all the places you can follow Dan on the internet. 
Quotes [00:10:14] “You kind of move past that single point of failure and single tool shame that's actually used to manage everything.” [00:12:44] “So, they kind of helped contribute to the standardization process by proving stuff out by getting to try all the new exciting stuff.” [00:16:33] “The “bullseye” release actually just went on a couple of days ago which was awesome.” [00:17:04] “It's a problem because there's nobody maintaining, which is a really good topic for sustainability.” [00:24:46] “But nobody's doing it for open source, nobody's signing their code on PyPI or RubyGems even though you can.” [00:29:50] “These are not the Kim Kardashians of the coding community.” [00:30:25] “Something that we've been constantly reminding, you know, the policy makers wherever we can, is that 80 to 90% of software in use today is open source.” [00:30:51] “And even if companies can do this work for the software that they produce if we don't think of, and don't take care of, and don't remember that these same requirements are going to hit open source at the very bottom of the stack, and we're kind of placing unfunded mandates and burdens on these repositories and maintainers that they didn't sign up for it.” [00:31:11] “So we're really trying to remind everyone that as we increase these security standards, which we should do and we need to do, because software is serious, and people's lives depend on it.” Spotlight [00:32:32] Eric's spotlight is a game called Incremancer by James Gittins. [00:33:35] Justin's spotlight is Visual Studio Live Share. [00:34:04] Richard's spotlight is the BibTeX Community. [00:35:03] Dan's spotlight is the Debian maintainers. 
Links SustainOSS (https://sustainoss.org/) SustainOSS Twitter (https://twitter.com/SustainOSS?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor) SustainOSS Discourse (https://discourse.sustainoss.org/) Dan Lorenc Twitter (https://twitter.com/lorenc_dan?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor) Dan Lorenc Linkedin (https://www.linkedin.com/in/danlorenc) Dan Lorenc Blog (https://dlorenc.medium.com/) Tekton (https://tekton.dev/) Minikube (https://minikube.sigs.k8s.io/docs/) Skaffold (https://skaffold.dev/) Open SSF (https://openssf.org/) Open Container Initiative (https://opencontainers.org/) Committing to Cloud Native podcast-Episode 20-Taking Open Source Supply Chain Security Seriously with Dan Lorenc (https://podcast.curiefense.io/20) “In Defense of Package Managers” by Dan Lorenc (https://dlorenc.medium.com/in-defense-of-package-managers-31792111d7b1?) Open Source Insights (https://deps.dev/) GitHub repositories Nebraska users (https://github.com/search?q=location%3Anebraska&type=users) CHAOSScast podcast (https://podcast.chaoss.community/) Sigstore (https://www.sigstore.dev/) RyotaK Twitter (https://twitter.com/ryotkak) Dustin Ingram Twitter (https://twitter.com/di_codes?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor) Incremancer (https://incremancer.gti.nz/) Visual Studio Live Share (https://visualstudio.microsoft.com/services/live-share/) Enhanced support for citations on GitHub-Arfon Smith (https://github.blog/2021-08-19-enhanced-support-citations-github/) Debian (https://www.debian.org/) Debian “bullseye” Release (https://www.debian.org/releases/bullseye/) Credits Produced by Richard Littauer (https://www.burntfen.com/) Edited by Paul M. Bahr at Peachtree Sound (https://www.peachtreesound.com/) Show notes by DeAnn Bahr at Peachtree Sound (https://www.peachtreesound.com/) Special Guest: Dan Lorenc.
Josh and Kurt talk to Dan Lorenc from Google about supply chain security. What's currently going on in this space and what sort of new things can we look forward to? We discuss Google's open source use, Project Sigstore, the SLSA framework and more. Show Notes Dan's Twitter Sigstore SLSA Framework
In episode 20 of The Kubelist Podcast, Marc and Benjie are joined by Dan Lorenc of Google. They discuss supply chain security and the Sigstore project, a new standard for signing, verifying and protecting software. The post Ep. #20, Sigstore with Dan Lorenc of Google appeared first on Heavybit.
The idea of software supply chain security rocketed into the public consciousness in the last year, with the news that US government agencies had been breached. Priya Wadhwa is a software engineer at Google working on open source security, including projects to secure and verify container deployments. She outlines what is being done to make sure this doesn’t happen to you. Do you have something cool to share? Some questions? Let us know: web: kubernetespodcast.com mail: kubernetespodcast@google.com twitter: @kubernetespod Chatter of the week Virgin Galactic launch NBC News BBC News Blue Origin launch NBC News BBC News Rocket scene from Austin Powers: The Spy Who Shagged Me The memes News of the week Google Cloud Container Security webinar Register for Google Cloud Next 2021 Google Cloud IDS Windows Server support for Anthos on-prem Multi-Cluster Ingress for GKE CVE-2021-22555: Kernel code execution through Netfilter bug CVE-2021-25740: Endpoint & EndpointSlice permissions allow cross-Namespace forwarding CVE-2021-32690: Helm repository credentials passed to alternate domain Attacks on Argo Workflows discovered by Intezer Sysdig acquires Apolicy; Apolicy acquired by Sysdig CockroachDB Operator for Kubernetes Automatic remediation of Kubernetes nodes at Cloudflare Sciuro Kured CNCF App Delivery TAG publishes operator whitepaper Links from the interview Software supply chain Know, Prevent, Fix Reproducible builds Debian Project SolarWinds hack US Executive Order on Improving the Nation’s Cybersecurity Binary Authorization Provenance, in art and software in-toto “Farm to table” sigstore Announcement blog cosign Announcement blog Dan Lorenc’s blog Connaisseur Rekor Fulcio Key signing ceremony: Dan Lorenc on Episode 152 Announcement blog Video Tekton Tekton Chains Announcement blog, by Priya & Dan SBOM (Software Bill of Materials) Open Source Insights Announcement blog Nine Inch Nails' Year Zero ARG Scorecards Announcement blog v2 blog SLSA Announcement blog GitHub 
SupplyChainSecurityCon sigstore Slack channel Priya Wadhwa on Twitter
The Pipeline: All Things CD & DevOps Podcast by The CD Foundation
Dan Lorenc, Christie Wilson & Jason Hall from Google talk through and define the different terms in software delivery, including Continuous Integration, Deployment and Delivery. Support the show (https://cd.foundation/podcast/podcast-submission-form/)
The Continuous Delivery Foundation (CDF) was created to help introduce processes, standards and other support and stewardship for DevOps teams that now face what some say is the Wild West of open source tools and platforms for deployments on Jenkins and cloud native platforms. While there have been concerns expressed about potential overlap with the Cloud Native Computing Foundation (CNCF), a sibling Linux Foundation-managed project, the concept is certainly attractive, especially for those teams that plan to or already rely on Jenkins, Jenkins X, Spinnaker and Tekton for their production pipelines. However, there is one catch: the CDF has yet to release any specifications and primitives since the initiative was announced a few months ago. During a podcast hosted by Alex Williams, The New Stack founder and editor in chief, questions were put to Dan Lorenc, a software engineer for Google, and Kohsuke Kawaguchi, the CDF's technical oversight committee (TOC) chair and CTO for CloudBees, about the CDF's immediate plans, as well as what the oversight committee hopes to achieve.