Secure Your Containers Effectively: Chainguard | SourceForge Podcast, episode #71

By Community Team

Chainguard delivers the world’s most secure open source software with over 1,500 continuously rebuilt, minimal, and malware-resistant container images designed to eliminate vulnerabilities and reduce attack surfaces. By uniting engineering and security priorities, Chainguard frees developers from patching toil, simplifies compliance, and accelerates innovation to get products to market faster with confidence.

In this episode, we speak with Kim Lewandowski, Chief Product Officer and Co-Founder of Chainguard. The discussion centers around Chainguard’s innovative approach to software supply chain security, focusing on reducing vulnerabilities in open source and cloud-native software. Kim shares insights into the company’s founding, its unique solutions like hardened container images, and the significant impact these have had on reducing CVEs for clients. The conversation also touches on Kim’s career journey, the importance of balancing security with innovation, and the role of AI in the cybersecurity landscape.



Show Notes

Takeaways

  • Chainguard offers a significant reduction in CVEs, with some customers experiencing up to a 98% decrease.
  • The company provides a safer source for open-source code, likened to choosing clean water over dirty water.
  • Chainguard’s products are designed to be developer-friendly, reducing toil and friction in security processes.
  • The onboarding process for Chainguard is straightforward, often requiring just a single line of code change.
  • AI is seen as a major emerging trend in cybersecurity, with potential security challenges and opportunities.
  • Chainguard aims to balance security with speed and innovation, ensuring companies don’t have to sacrifice one for the other.
  • The company works with a wide range of clients, from Fortune 500 companies to startups, emphasizing the importance of security across all sizes.
  • Kim Lewandowski emphasizes the importance of curiosity and continuous learning in the tech industry.

Chapters

01:18 – Overview of Chainguard and its Mission
03:22 – Kim Lewandowski’s Background and Journey
07:41 – Unique Features of Chainguard’s Products
11:06 – The Impact of AI on Cybersecurity
14:57 – Onboarding and Implementation of Chainguard
16:15 – Customer Success Stories and Results
18:23 – The Importance of Security in Fast-Paced Environments
20:02 – Future Trends in Cybersecurity
22:17 – Closing Thoughts and Advice from Kim Lewandowski

Transcript

Beau Hamilton (00:00.75)
Hello everyone, and welcome to the SourceForge Podcast. Thank you for joining us today. I’m your host, Beau Hamilton, Senior Editor and Multimedia Producer here at SourceForge, the world’s most visited software comparison site, where B2B software buyers compare and find business software solutions. Today I’m joined by Kim Lewandowski, Chief Product Officer and Co-Founder of Chainguard, a company founded in late 2021 that has quickly become a leading force in software supply chain security.

Kim and her co-founders set out to tackle a persistent problem in the cybersecurity space, and that is: how do you protect open source and cloud native software without drowning in common vulnerabilities and exposures (that’s CVEs for the technical listeners out there), and also without slowing down innovation? And the answer they came up with is a suite of hardened minimal container images, secure VMs or virtual machine images, and guarded open source libraries built from source, all designed to dramatically reduce vulnerabilities right from the start.

And I know that’s a lot of technical jargon, but bear with me. We’re not going to get too, too lost in the weeds with the technical details. I think the most important thing to know is that this answer or solution they came up with has resulted in up to a 98% reduction in CVEs for some customers, as well as 80% smaller attack surfaces and many engineering hours saved for the teams they work with. So I think they’re doing something right, and they just might be onto something here. So to talk more about the solution and just how the company got started, let me introduce Kim Lewandowski. Kim, welcome to the podcast. Glad you could join us.

Kim Lewandowski (01:34.648)
Awesome, thank you for having me.

Beau Hamilton (01:36.802)
Yeah, so I gave a somewhat long-winded descriptor of Chainguard, but I’d love to hear from you and just get your description of the company. What is Chainguard all about and how are you keeping teams secure in the software space?

Kim Lewandowski (01:50.31)
Awesome. So as you said, we’ve been around for about four years now. We all used to work together at Google and on various different open source projects, moved to security, and realized there’s an opportunity to just help companies better secure themselves against the risk of using open source software. And so for most companies, I think the numbers are around 90% of software in an organization is actually open source, and it can be difficult to sort of manage within a company. So we try to make it more secure.

Beau Hamilton (02:22.764)
Yeah, so I really enjoyed looking into your background prior to this interview. And specifically, I want to call out your LinkedIn bio because you mentioned your first job was writing code for the world’s most powerful laser trying to achieve nuclear fusion. I think that’s super cool to say the least. Your career started as an engineer. You went on to work for Google, as you mentioned, after a few startup stints, as you put it. And you actually say you swore off startups after being at Google, right?

Here you are, co-founding Chainguard. So how did your background ultimately lead you to start this company in the first place? And just how important would you say that experience was?

Kim Lewandowski (03:03.482)
Yeah, very important. Yeah, the government was a very interesting place to work. For anyone that’s never worked for a government agency: very cool projects. Nowhere else can you do things like that. But I was in Silicon Valley and sort of saw the whole startup scene back in the day, I think early 2010s, and saw how much fun people were having in the culture and just kind of no strings attached. And I was like, I need to get into that scene. And so as an engineer, in my first few sort of startups, I was still writing code and just saw this thing. I think back then the mentality was more like, if we build it, they will come. But it’s actually not that easy to go build a very successful startup. And so I started taking on more of like a product role, if you will, and then did a couple more startups and then said, I’m going to learn how to do product the right way; I’ve got to go join a company like Google. And so that’s where I spent many years, at Google, great company, loved it. And then this opportunity came up where my co-founders and I, and Dan in particular, were like, we’re going to go do a company or do a startup. I was like, my gosh, no way. But because of what Dan and I had been working on together, and the other co-founders and stuff, I was like, well, this certainly would be an opportunity where if I didn’t take it, I would regret it. So I was like, all right, let’s do this. And it’s paid off well; we built a successful company.

Beau Hamilton (04:19.438)
Nice. Yeah, you want to minimize regrets, and I think that you’re doing the right thing. And I think it’s just exciting to see you tackle a problem based on the experience that you had. I think that’s what it’s all about when it comes to starting a business, right? Just taking, yeah, what you learned.

Kim Lewandowski (04:34.212)
Yeah, exactly. I was going to say you learn so much as you move from job to job and project to project and then you really want to take that all into practice in some way. And I felt like for me personally, this was the best way to take all those learnings and try it again.

Beau Hamilton (04:51.916)
Yeah, there’s so much I could talk to you about with your past experience with Google and the Livermore Labs experience there, and just coding and where everything is going with vibe coding and whatnot. But I want to try to focus in on specifically Chainguard here, and we can get to some of these other trends and whatnot. But can you talk about some of the standout features or capabilities that make Chainguard really just stand out when it comes to things like secure containers or reducing the attack surface?

What’s your edge that really makes Chainguard kind of unique in this space?

Kim Lewandowski (05:25.316)
Yeah, I think the most unique thing is we’ve built a product that developers love or are willing to use, and they see the toil being reduced from their day to day. I think that’s a really hard thing to do, especially in the security space. Security has always just had this, you know, any security product or tooling that you sort of introduce could add friction. And that’s why sometimes you see sort of developers being allergic to it: no, like, I don’t want to go introduce that new tool or something.

And so with our Chainguard images product, I feel like we sort of hit both of those issues really well. We have a more secure product that developers can just take and sort of run with. It’s just an alternative way of doing things that they were already doing before. And then at the end of the day it really helps them move faster and focus on the core features they want to do, instead of worrying about the vulnerabilities in this code, this open source code that they have depended on, but actually aren’t the maintainers of themselves.

Beau Hamilton (06:24.278)
Right. I know many, many teams struggle with that CVE overload or CVE fatigue. Right. And as someone who combs tech headlines every day, I cover stories over on Slashdot, and I just notice there’s no shortage of new vulnerabilities being reported, and it can just be exhausting for everyone, and especially the engineering teams just working to patch them. Right. So how does your low-to-zero CVE approach help shift teams away from just constantly chasing those patches?

Kim Lewandowski (06:56.408)
Yeah. So we basically give a safer source for the open source code that they’re relying on. So we take on the brunt, and we call it internally our factory. We take on building all this open source code. We build it from source, we build it through hardened build systems, we tell you exactly what’s in this code. And so that is what we are, just the safer source for all this code that people are depending on. And so one analogy is like, would you like to drink clean water or dirty water? We are the version of that clean water.

Beau Hamilton (07:28.576)
Yeah, yeah, there’s a clear choice there, clear answer. Yeah, I like just the general idea of kind of starting from the source and making it secure to begin with. I think that’s just going to set yourself up for success, in the most simplistic way of phrasing it. I also know, you know, there’s so much competition. Startups and enterprises, they’re under more pressure than ever to move fast and just constantly ship out these updates as soon as possible to their products and services.

Beau Hamilton (07:58.198)
And I think a lot of it is a by-product of this AI efficiency era we’re in: you’ve got to move faster and faster. But also I think it just comes with the competition, and there’s no shortage of that these days. Right. So how would you say Chainguard helps engineering teams, just specifically in like maybe the compliance sector? How would you say you help teams stay compliant and secure without really slowing down their velocity and pipeline efficiency?

Kim Lewandowski (08:27.694)
Yeah. So a lot of the compliance frameworks do have this vulnerabilities compliance thing attached to them: with any critical or high CVE, you have to respond to that thing within a certain amount of time. And it’s for good security hygiene. Like, if there are known vulnerabilities in code, why wouldn’t you do what you can to address them so they can’t be exploited? And so a lot of the compliance frameworks, some of them you can sort of squint and say, well, does that thing really make something more secure?

I do think the security vulnerabilities one is something that we can point to and say, yes, if there’s a known vulnerability, an attacker is gonna find the cheapest way to attack something, and why wouldn’t I go after that known thing? And so I do think for organizations, it’s a little bit of like laziness, or, maybe laziness is not the best word, but just irresponsibility from them to not sort of deal with these things if they’re known, or at least not try to do a little bit of a better job. So again, that’s where Chainguard’s products really shine: folks that just want a more secure sort of foundation to start building their applications on top of, or for the applications that they’re already using today. And so that’s where we believe that the way that we’re building and rebuilding and distributing these open source projects is the more secure way, which makes compliance then easier for the end users and customers of our products.

Beau Hamilton (10:05.218)
Yeah. Then broadly speaking, is your platform designed primarily for like the security experts out there, or can smaller teams, maybe without some of the deep security know-how, get value from it as well?

Kim Lewandowski (10:20.326)
Yeah, so we’ve seen a wide range of customers, all the way from top Fortune 500 to government clients to smaller startups that actually care about security. Really, our target market is anyone that is sort of using containers or these libraries in production, which is virtually any company, and cares about security and wants to sort of do things right, set their engineers up on a good foundation, and wants to move fast themselves, because the alternative is the company would have to do all this and manage all of it in-house. Like, they would have to deal with all their vulnerabilities, which many try to, and then just as with many things they get deprioritized and not often picked up. So yeah.

Beau Hamilton (11:10.072)
Okay, so you work with a wide variety of organizations, various sizes. What about the onboarding process? If a company is just like starting out, or just really starting to get serious about container security and software supply chain risks, what does like getting up and running with Chainguard typically look like, and how fast can they see results?

Kim Lewandowski (11:31.942)
So, yeah, depending on the organization, usually the way that it’s played out is the organization will be running their own scanners, and their scanners just light up with all these vulnerabilities. And so they have in their data, like, some idea of these container images that are causing them the most pain or the most friction. And so usually they’ll sort of start with that. They’ll be like, okay, let’s tackle these first. And many of our container images that we provide are a drop-in replacement for images that they’re already using. So it’s literally like one line of code that they need to change to now point to a Chainguard image as opposed to the image they were using before.

And then they just kind of start like rolling out adoption across their entire sort of organization. And teams are now pointed to these images to either use as is, or build on top of. We’ve got companies like Snowflake, as you’d said; they very quickly were able to see a reduction. Like, the dashboards are sort of incredible after you now deploy Chainguard images and go re-scan again. And it’s like a 98% reduction in vulnerabilities. And so you sort of get that immediate dopamine hit, or whatever, the value that you’re seeing, that your dashboards just go down. And so we do have some other tools, because some of the applications that are built, it’s a little bit harder to migrate. So now we have this Dockerfile converter tool, which helps an engineer take their Dockerfile and then shows what changes you’d have to make to use a Chainguard image. So we are continuing to make that onboarding and migration process as seamless as possible.

Beau Hamilton (13:14.37)
What’s like one of the biggest inhibitors of, I guess, rolling out patches, and some of the hangups you see with clients? Because you mentioned kind of prioritizing patches. Is it sort of like the resources and the manpower to kind of roll these fixes, these patches out, or, yeah, what’s the main hangup?

Kim Lewandowski (13:32.486)
Yeah, so part of it is you talk to these really large organizations and the reality is they just don’t even know what’s running where. Which is a little bit scary.

But that is one of the friction spots that we see. It’s like, my gosh, we love Chainguard images; we need to figure out how to adopt it, how to get it adopted throughout more teams. And so if there’s not sort of a central team that’s overseeing how open source is consumed at these organizations, then that is a lot of the time that we see being spent inside an organization. A team has gotten instrumental value out of it, and then they want to go convince, and they kind of become their own internal champions for the rest of the organization. So I would say that’s one of the biggest areas we see, and it’s more awareness of where all these things are running in their system so they can then go swap them out.

Beau Hamilton (14:29.42)
Yeah, that makes sense. I imagine too, just the bureaucracy of it all, trying to just communicate and prioritize the issues amongst an entire team. And it’s not just with the government entities, right? There’s bureaucracy in every major company. So I imagine that kind of is also a friction point as well, right?

Now I’m glad you mentioned Snowflake, because I didn’t mention that name in the introduction, but you know, I mentioned the kind of end result they’ve seen, with the 98% reduction in CVEs and 80% smaller attack surfaces after partnering with your company. So my question is, are those stats just like sensationalized, headline-grabbing stats, or is it like a legitimate result some customers can expect to see? Yeah.

Kim Lewandowski (15:15.064)
I think those are legitimate results. My favorite story is, as I talked about a little bit, like, we complement well with scanners: scanners find the vulnerabilities, we’re a good natural solution to how you deal with those vulnerabilities. And one of the scanner companies we were trying to integrate with, trying to partner with, had to go file an issue because everyone thought their dashboard was broken, because it literally showed zero vulnerabilities for an image. So they did not have the UI or the visual to be able to show that without it looking like there was a bug in the screen.

So yes, Snowflake has been a great partner with us there. As I run product, they continue to give us product feedback, help us shape our roadmap. But we’ve seen similar results from other companies as well. We invite customers to come talk to us at our all-hands, and seeing success stories similar to that is just really a testament to the hard work we’ve been doing, and makes me super proud of the team.

Beau Hamilton (16:15.161)
OK, so now you mentioned the story with Snowflake and their end results and their success and outcome with partnering with you guys. But do you have another favorite success story that comes to mind where maybe you’ve helped a team make a big leap from insecure images or clunky tooling to something a lot more streamlined and secure?

Kim Lewandowski (16:28.518)
Yeah, I don’t have any favorite customers because I love them all, but my favorite customer stories are when a customer starts out with a small number of images and then wants to expand; they see the value right away and they want more, and they want to deploy it out to more of their engineering teams.

Well, Simple is another company that we’ve been working really closely with. So they’ve had similar success, with a 97% reduction in CVEs. And so I think, yeah, for me, it’s a lot of our customers and seeing the success they have out of the gate and then how we can keep sort of building on the products that we have today to make their lives even easier.

Beau Hamilton (17:10.796)
Nice. Yeah. Yeah. Now I don’t want to put you too much on the spot here with these next couple of questions, but I want to kind of pick your brain about some of your past experience, and kind of get into some of the thought leadership side of things. But, you know, summarizing some of the things we talked about with Chainguard here, I’m curious if you have maybe one big message or takeaway you’d like listeners to know about Chainguard. Maybe you can picture yourself shouting it from the rooftops. If you hammered down one key message for potential customers listening, what might that be? What would you say?

Kim Lewandowski (17:36.634)
I think it’s a message that you don’t have to sacrifice security for moving fast and for execution and innovation. I think, like, AI is playing very well in this space; it’s all about removing toil and finding more ways to automate things. And if you have the opportunity to automate and use a different, better solution for toil that your teams and your companies are dealing with, I think Chainguard is like right smack in the middle for making you still be able to move fast, but also giving you that confidence that you’re doing what you can to protect your own organization.

Beau Hamilton (18:12.13)
I think that’s a good one. Yeah. I think, because again, it goes back to, like, everything is so competitive now. You feel like there’s so much pressure to move faster and faster and be more efficient and take on more responsibilities and roles, but it doesn’t have to come with the cost of security. Right. So you can do both things: be secure and also kind of move fast. But also I think generally speaking too, it’s like, don’t take shortcuts, right?

Kim Lewandowski (18:38.52)
Yeah, I mean, I think the other thing is like, listen, we have a product, we sell our product for money, but I think, you know, at the end of the day, our product is probably cheaper than dealing with a huge security breach. It’s like, you know, it’s folks that are trying to skimp on budgets and everything else. Like, is this an area that you really want to hold back on, to feel like you’re not doing everything that you could be doing easily to protect your organization?

Beau Hamilton (19:07.064)
That’s also very true. Yeah. Because I also feel like it’s not a matter of if, but when there’s some sort of security lapse, right? So it could be of various shapes or sizes, but yeah. I mean, if you really kind of put security off on the back burner, it’s gonna come back to haunt you and really cost the company a lot. So it’s good to prioritize that.

Now, first of all, I hope listeners are taking notes. I think these are good insights. But obviously, I want to talk about some of your background some more. You obviously have an extensive engineering background. You mentioned you worked at Google. You lead a startup in San Francisco called Chainguard, surprise, surprise. You have a pretty unique experience and perspective on the tech industry and where everything is headed.

I’m just curious, like what emerging trend maybe in the cybersecurity space in particular, do you believe will have the biggest impact on your industry in the next handful of years or so?

Kim Lewandowski (20:09.092)
I mean, I think it’s obvious. I mean, AI is here. It’s here to stay. I think it’s uncovering new areas that we didn’t think were uncoverable before, shedding light on them. I think it is another space where security needs to keep up. And I think people don’t quite understand the impact yet of this new world that we’re living in.

At the very least, people do understand that it’s producing a lot more code and code has a lot of bugs. And that is just the reality. So I do think the next couple of years are going to be really interesting for the industry as a whole.

Beau Hamilton (20:45.998)
Yeah, well, it’s producing a lot of code that people don’t even know. Like, people don’t even know what exactly it’s producing or how some of the code works, I guess, some of the software. But also, you have this kind of emergence of these AI agents that sort of automate a lot of the, you know, backend processes for engineering teams. And I feel like that can do a lot of heavy lifting, but in my kind of doomsday, pessimistic mind, I always feel like there’s more vectors too for bad things to happen, right? Maybe these agents can go rogue. Do you see a security issue in some of these AI agents that are being rolled out?

Kim Lewandowski (21:26.019)
I think where we stand from the Chainguard side again is to make security the sort of default easy way. So if we have a place to play in this space right now, again, it’s giving all those developers a solid foundation from which they’re going to go build these applications on top of.

Beau Hamilton (21:43.51)
Yeah, yeah, start with the foundation, the supply chain. And then I think when it comes to AI agents, you’ve just got to have a lot of kind of transparency and different kinds of mechanisms or safeguards in place to make sure they don’t go off the rails.

Kim Lewandowski (21:57.7)
Yes. Yeah, exactly. A lot of feedback loops and testing and guardrails and all that good stuff.

Beau Hamilton (22:04.536)
Exactly. Yeah. Now on the flip side, looking back at your past experience, one of the questions I always like to ask people like yourself is: if you could go back to the start of your career, maybe that’s where you were at, you went to Florida State University, right? Or working as an engineer at Lawrence Livermore Labs, not to name names. What’s one piece of advice you would maybe give yourself that you wish you knew back then?

Kim Lewandowski (22:32.962)
Yeah, I think it’s ask a lot of questions. I still give myself this advice today. Be very curious.

Don’t assume anything. I mentioned I went to Google and I sort of assumed at that time, I’m going to go learn how Google does it. And I got in there and I was like, there’s a lot to be learned here. Like Google still doesn’t have it all figured out. And so I think my advice would be, everything with curiosity and try to learn as much as you can. Don’t assume that people have all the answers or know more than you.

Beau Hamilton (23:05.23)
I think that’s great advice. Yeah. Just keep staying curious and keep learning. Keep broadening your skillset. Is it Ted Lasso that says that? Yeah. Yeah. Yeah. I mean, what I was gonna say too is, like, cliches are cliches for a reason. And I think I always like to lean into the cliches and whatnot, because, again, yeah, they’re made popular for a reason. And I think, if you act on it, it’s almost like, it makes me go to New Year’s resolutions, where if you set out New Year’s resolutions, some people will kind of scoff at the idea, but you don’t have to go crazy with resolutions.

But I think if you just set a few goals and stick to it, you’d be surprised at the results, you know? But anyway, that’s the last of the hard hitting questions I have for you. For anyone who wants to check out some of what, you know, Chainguard’s tools and platforms look like, they want to maybe schedule a demo or just get in touch with your team. Where should they go?

Kim Lewandowski (24:02.02)
Yeah, so I think there’s signup sheets right on Chainguard.dev, and we have a ton of material. I think one of the things we didn’t get into too deep is awareness of the software supply chain security space. What is it even that we’re talking about? And so we have an edu and Academy platform. We have some courses. So if this is totally new to you, there’s a lot of material on our site, and you can just start learning more. And yeah, happy to give demos and all that good stuff whenever.

Beau Hamilton (24:26.798)
Awesome, yeah, I’ll check that out myself. Listeners, yeah, chainguard.dev is a great resource. Check it out. I think there’ll be links down below in the description as well. Definitely give it a visit. But that’s Chief Product Officer and Co-Founder of Chainguard, Kim Lewandowski. Kim, thank you so much for joining us on the podcast. I really appreciate everything you’ve shared with us.

Kim Lewandowski (24:48.358)
Of course, thank you for having me.

Beau Hamilton (24:50.498)
Thank you all for listening to the SourceForge Podcast. I’m your host, Beau Hamilton. Make sure to subscribe to stay up to date with all of our upcoming B2B software related podcasts. I will talk to you in the next one.