There exists a widespread misperception that making your software supply chain secure is hard, that few companies can achieve SLSA level 4. We call bullshit. For instance, signing artifacts with Sigstore is easy. Making your software supply chain ultra insecure, on the other hand, is hard work. That’s why…
Version 1.1 of The Secure Software Development Framework (SSDF): Recommendations for Mitigating the Risk of Software Vulnerabilities from NIST (NIST 800-218) was just published on February 3rd, 2022. The document was first released in September of 2021, but the SSDF program first started in May 2021 after Executive Order…
Kubernetes 1.23 was just released and is full of security improvements. The most exciting improvement to us is the release engineering work to bring the Kubernetes build process up to SLSA1 for hardened supply chain integrity!…
Today, I'm excited to announce our funding round led by Amplify Partners and the start of Chainguard Services, the pilot of our program to work closely with organizations to address software supply chain attacks and insider risks.…
In this post we’ll clarify 5 common misconceptions we’ve heard about the Sigstore project.…
In this post, you will learn about the Fulcio certificate authority of Project Sigstore, in depth!…
This blog post covers how to get started using the cosigned admission controller on Amazon EKS as a proof of concept for preventing unverified containers in your Kubernetes cluster.…
I am thrilled to announce our new company: Chainguard, Inc. on behalf of our founders: Matt Moore, Scott Nichols, Ville Aikas, Kim Lewandoswki, and myself - Dan Lorenc. We are making software supply chains secure by default. The rapid rise of software supply chain attacks in the last three years…