Chainguard Raises $61M to Protect More Open-Source Software
Startup Can Secure 80% of Open-Source Software Existing Customers Run in Enterprise

A software supply chain security startup led by a longtime Google Cloud engineer closed a Series B round to help protect more open-source software.
Kirkland, Washington-based Chainguard can secure approximately 80% of the open-source software its existing customers run in their enterprises today, or between 12,000 and 15,000 packages, co-founder and CEO Dan Lorenc said. But the remaining 20% of the open-source software Chainguard clients run is still unprotected, and Lorenc wants to use artificial intelligence and machine learning to better defend that long tail (see: Proof of Concept: Overcoming Open-Source Code Security Risks).
"Eighty percent of the stuff across enterprises is the same," Lorenc told Information Security Media Group. "We validated that, and now we need to prove that we can scale the model out to that long tail."
Taming the Long Tail
Chainguard, founded in 2021, employs more than 90 people and has raised $116 million across three rounds of outside funding. Prior to founding Chainguard, Lorenc spent nearly nine years working on the infrastructure behind the Google Cloud platform. The firm brought in ex-Okta and Wiz Chief Marketing Officer Ryan Carlson to spearhead sales, marketing and customer success as Chainguard's president.
"He's seen firsthand how to scale a fast-growing startup like this on that go-to-market side," Lorenc said. "And that's where we're really doubling down our efforts in getting repeatable and getting large right now."
Lorenc said the open-source code that organizations run in production environments doesn't come with any security guarantees, support, service-level agreements or promises of patches when vulnerabilities are found. That's why Chainguard has built its own secure version of the open-source software that organizations most commonly use, to boost trust in the supply chain and roll out patches for vulnerabilities as needed.
Chainguard can automatically patch vulnerabilities for all its customers, ranging from the Log4Shell issue last year to the Rapid Reset vulnerability discovered just a couple of weeks ago, according to Lorenc. The company said its hardened, secure container image technology is used by Fortune 500 and technology companies including GitGuardian, Hewlett Packard Enterprise, Sourcegraph, Snowflake and Replicated.
"What we're building up here is a safe, secure, usable foundation of open source that companies can start to build on. From there, there's a huge amount of potential and other directions that we can go in," Lorenc said. "By focusing there, we're able to address a lot more problems in a holistic way."
Optimizing Open Source for the US Government
Lorenc said Chainguard's business today is split fairly evenly between financial services organizations migrating from mainframes to the public cloud and cloud service providers going through FedRAMP authorization to sell to the U.S. government. Chainguard serves both companies with more than 5,000 employees in regulated industries and smaller security firms looking to harden their infrastructure.
Chainguard competes primarily with homegrown tools that organizations use to assess the security of their open-source code, according to Lorenc. Going forward, he said, Chainguard would like to sell directly to the U.S. government as well as do more with channels and partnerships.
Although it has gotten easier in recent years, Lorenc said, the budgeting and buying process for federal agencies remains completely different from that of private sector buyers, including organizations that themselves sell to the U.S. government. Chainguard recently posted a job opening for a director of federal sales, and Lorenc said he will tap that person to build out a team and go-to-market motion for the U.S. government.
From a metrics standpoint, Lorenc said, Chainguard closely tracks annual recurring revenue, which has tripled in the first half of 2023 even though the company only began selling in the fourth quarter of 2022. The firm also monitors the amount of repeat business with existing customers as well as the rate at which new customers are being brought on, according to Lorenc.
"We've built a product that lets CISOs meet these regulations and requirements and reduce their vulnerability footprint in a way that's developer-friendly and, actually, developer-preferred in a lot of cases," Lorenc said.