The POPCAST with Dan POP

Episode 96 - The Secret Origin of Chainguard with Kim Lewandowski

Episode Summary

In this episode Kim Lewandowski talks about her journey, the secret origin of Chainguard.dev, and an EXCLUSIVE ANNOUNCEMENT! Kim is an engineer turned product manager. She started her career in the security space working for Lawrence Livermore National Laboratory, and most recently worked for Google. She launched a number of Google Cloud enterprise products and created popular open source projects (many with Dan Lorenc) including Tekton, Security Scorecards, and SLSA. Kim also sits on the boards of the Continuous Delivery Foundation and the Open Source Security Foundation.

Episode Notes

Timeline/Topic

00:00 - Opening

00:14 - Introduction to Kim Lewandowski aka Agent Pico (Chainguard.dev)  

00:54 - Kim's Journey from the Finger Lakes (Upstate NY) to Google, and Upstate NY Trivia!

13:35 - Working at Google  

15:34 - What is Product Management done right?

19:57 - Software Supply Chain Security - Why is it such a hot topic ?

25:53 - The Secret Origin of Chainguard.dev and the Porsche story

30:46 - Chainguard.dev's BIG ANNOUNCEMENT!

31:54 - Behind the scenes of Operation SLSA  

36:08 - Where do you see Chainguard.dev in the future?

37:29 - What work is Kim most proud of  

Episode Links

https://chainguard.dev/

Trevor's talk from Software Supply Chain Security Con (KubeCon LA): https://youtu.be/1-tMRxqMwTQ

Operation SLSA - https://youtu.be/S_MXbt0p_pg

Craig McLuckie on Product Management - https://www.youtube.com/watch?v=BdziTqhrGeo&t=451s  

POPCAST SHOW DETAILS (SUBSCRIBE!)  

YouTube:  https://bit.ly/3xgmmCj

Audio Podcast (Apple, Spotify, and others):  http://bit.ly/35MXfte

Follow us on (Twitter):  https://twitter.com/PopcastPop  

Follow us on (Linkedin): https://www.linkedin.com/company/the-popcast-with-danpop

Support the show by checking out our sponsors below!  

***Teleport***

Teleport allows engineers and security professionals to unify access for SSH servers, Kubernetes clusters, web applications, and databases across all environments. You can download Teleport at https://goteleport.com/popcast  

***SUSE Rancher Government Solutions***

SUSE Rancher Government Solutions (RGS) is a leader in Linux and Kubernetes management for federal and U.S. government entities. RGS leverages SUSE's Linux expertise and Rancher's Kubernetes excellence to provide secure open source solutions that adhere to federal compliance regulations, supporting SAP HANA, HPC, cloud, edge computing and container management.

https://susergs.com/  

***Styra***

Learn how to operationalize Open Policy Agent at scale with Styra: https://hubs.ly/H0Pnkm20

***COCKROACH LABS***

What if you could build like Big Tech? Use the same powerful infrastructure that they spent engineering centuries building...It’s actually possible now with CockroachDB.  

The founders have spent the last eight years creating a cloud-native, distributed SQL database that provides the consistency, ultra-resilience, data locality, and massive scale for modern cloud applications - tech that was once only available to the likes of Google, Facebook and Netflix.  

Check them out and get started for free at https://cockroachlabs.com/popcast

***GITLAB***

GitLab is The DevOps Platform. Deliver software faster with better security and collaboration in a single platform. Try GitLab today.  https://about.gitlab.com/free-trial/

***Cisco***

Check out Cisco's super informative blog https://ciscotechblog.com/

***CIVO***

Civo is an alternative to the big hyperscale cloud providers.  

They've launched the world's first managed Kubernetes service powered by K3s. With sub-90-second cluster launch times, a simplified Kubernetes experience, and predictable billing, Civo is on a mission to create a better developer experience.

Get $250 free credit to get started. Sign up today at https://civo.com/popcast

Episode Transcription

- [Announcer] This episode of The POPCAST is brought to you by these sponsors.

 

- Hello, everyone and welcome to POPCAST. Look, look. Software supply chain, the hottest topic, the hottest topic this year, and we have one of the best people in the space, bar none. This is Kim Lewandowski, founder and product at Chainguard, but most importantly starred as Agent Pico in "Operation SLSA". Welcome to the POPCAST, Kim.

 

- Thank you. Wow, I love your energy. Chainguard.dev

 

- Chainguard.dev, okay. Because Chainguard.com is an industrial lubricant, apparently. All right. So let's go here. So Kim, I wanna know about you, right? Let's talk about your journey. I know you're from upstate New York. We have some alumni, little Dan Lorenc over there, who also is from the upstate New York area. So let's talk about the first, growing up on computers and going forward.

 

- Yeah. So wait, what's your definition of upstate New York? I'm not sure if we agreed on that one. Anyway, I'm from the Finger Lakes.

 

- Are we going here? Did you guys rehearse this beforehand? Like, okay.

 

- No!

 

- All right.

 

- So yeah, I'm from the Finger Lakes area. Tiny, tiny little town, graduated with 48 kids in my public school. So when I say New York, everyone obviously automatically assumes I'm from the city. So, wow. If we're gonna go way back, in high school, I actually didn't do any programming. I was gonna go, do you know Alfred University? You heard of that school? So I got a full scholarship for ceramic engineering to go to Alfred University.

 

- Whoa, whoa, whoa, whoa. Ceramic, well can you explain what, to our listeners and viewers, what ceramic engineering is?

 

- Exactly, I don't even know. They were just offering me money to go. So maybe I'll get to that. On my graduation night in my high school, I was like, "Wait a minute. I don't want to go build toilets for the rest of my life." Little did I know everything that a ceramic engineer does, and already had sort of accepted the offer at the university. So anyway, backed out of that, went to a school, a small school in New York, learned about computer programming. I was always good at math and kind of just got hooked instantly. And then went to RIT for a couple of years, Rochester Institute of Technology, studying computer science. I remember...

 

- Are you familiar with the garbage plate in Rochester?

 

- Yes, absolutely.

 

- Shout out to Seth out there, from Rochester. Okay. Sorry, go ahead.

 

- Yeah. So I remember walking to a final in the middle of winter, freezing my butt off, and I said, "That's it. I am done. I am done with upstate New York. I'm done with this negative 30 degree wind chill." Is it snowing there, by the way? It probably is.

 

- Not yet. I've got the snowblower. I've already got the snowblower ready, so we're all set.

 

- So yeah, so I said, "What's the biggest party school I can go to that's warm?" Somehow I found Florida State University, down in Tallahassee, Florida, and finished up my undergrad, computer science, and then actually got a government security scholarship for my Master's program. And so this was my first taste into computer science security world, which is pretty funny because then the story goes around circle now where I'm back building a security company. And one of the things I had to do since I won that scholarship, was I had to work for a federal agency for two years after graduation. It was like "Scholarship for Service" or something. I think it still exists today. And I was like, "Where do I want to go?" And my now husband said, "Hey, there's a nuclear research lab out where I'm from in the Bay Area in California." I said, "Cool, I'm gonna check it out and I'm going to move to California." And so that's where I did two years of my government service work for that scholarship and worked for Lawrence Livermore National Laboratory. And I've got some pretty funny stories that I was trying to tee up, which I've told before, but they're just hilarious. Like, I don't know if you worked with government, had experience with government, but I remember some of these, of course, I don't remember the day to day of the Java code I was writing for the world's most powerful laser, but I remember the all-team meeting, super important meeting at 9:00 AM, coming in. And we had to learn about hallway safety training. I'm not even lying. And so just in case, you know, you walk too quickly around a corner in a building, this was a hot topic and we wanted to prevent accidents and make sure people were safe. And there's another one with goose. Did you hear that story? I think I tweeted about it a few times.

 

- No, let's do it. By the way, we'll have links to the tweets in the liner notes of the episode, everybody. So go ahead, Kim.

 

- So, like, the goose one is pretty funny too, and they even handed out a pamphlet. I saved it, as one should. It's Lawrence Livermore, if anyone knows about or familiar with it. It's, I think, I don't know. It's a large plot of land where the campus is. And Canadian geese would frequent the campus. And so we had training similar to the hallway safety training about these Canadian geese and how they could be vicious and make sure that you could protect yourself in case of a Canadian goose attack. And now I don't doubt that this training was super important, but luckily I never was attacked or approached by a Canadian goose trying to peck my head off. So, yeah, all right. Where are we now? I can't even remember.

 

- No, that's good, though. So let's go. We got more Livermore stories. Let's go. Tales from Livermore!

 

- Yeah, let's keep going! I think we could start like, a series on "Tales from the Livermore Labs".

 

- So no, actually like this, so let's get this. It's more related to my current job, too. It was actually at Livermore Labs where I first got introduced into the open source world. And I started working with the Hadoop project way back in the day. And it was just fascinating to sort of see this community take off. And I remember going to the first meetup group and there were, you know, 20 people in the room or something. And then fast forward a year, and there was 300 people, like, sold out crowd at one of these meetups. And it was just amazing to sort of see firsthand all these people coming together, and working on a project together. So, that was cool. I do have one last government story. I think it was, you know, there were budget cuts, as it happens. And I remember our office was pretty messy. There's four of us that shared an office in there, and they didn't clean. The staff didn't clean the floors as frequently as they used to. And so it was like a month and our floor was just, you know, crumbs and everything. And it's like, "Man, we need a vacuum." Like, "Let's go get the vacuum." So we did, we found the vacuum in the closet and we vacuumed our office. And then, I shit you not, the next day they deadlocked the vacuum to the wall. We were no longer allowed to use it because we hadn't gone through proper vacuum safety training.

 

- Folks listening, if you're ever in this world, all right, someday, let's just say, remember vacuums verboten. No good.

 

- But other than that, it was a great, you know, it was a great place to work. Those are just some of the funny stories that I remember over the years. My husband, now my husband, he went to digg. Remember digg.com? And that's when I just got super jealous. And I said, "I want to go join a startup." "I want to go have all this fun that you're having." And that's when I bounced and I was in startups for a while. Tried my own, it was fun.

 

- Can we pause for a second?

 

- Yeah. I'm going to ask you something, right?

 

- Yeah.

 

- Before we continue, let's do some upstate New York trivia, shall we?

 

- Oh, no.

 

- Okay, so when I say, "Ithaca is Gorges," how do you spell gorgeous?

 

- G-O-R-G-E-S.

 

- Okay. Let's continue with the story, please? Go ahead.

 

- It's a green shirt, by the way. I've never seen it in another color. I think it is gorgeous.

 

- Sure is.

 

- So, yeah, so let's see. So still an engineer, I was doing big data stuff, playing around with Hadoop. Tried my own startup. It was similar to actually Rover.com or Dogvacay.com. Where you're going out of town, and you're like, "What the hell am I gonna do with my dog?" So it was around that. It was similar to that. And then that's kind of when I...

 

- Have you always... I'm gonna ask you this question. Have you always had that entrepreneurial spirit?

 

- I, probably. My dad was in real estate and it's kind of, not quite an entrepreneur, but always like looking at ways to, you know, think outside the box and do different things with property and stuff. So maybe a little bit of that, but I, you know, I always enjoyed sort of building stuff and problem solving. I think that's why I resonated so much with computer science, even at a much smaller level. I was like, "Holy shit. I can like change one, you know, one thing in code, and it does exactly what I say." It's none of those kind of, when I think back sort of English and in the history classes, when I was in high school, it was like, "Which answer do you think is most correct? You know, A, B, C, or D, all of the above?" And then three answers were correct, or whatever. And computer science is like, "Nope, you make one mistake, your stuff's not going to compile." And it's done. And so, yeah, I don't know, maybe. But I definitely feel like I'm more resonating to the entrepreneurial spirit now, as I've left Google to start a company again.

 

- We're gonna get to that. But before that, let's have some more upstate New York trivia, shall we?

 

- Oh boy, here we go. Hang on.

 

- I set the questions, so I'm throwing a little couple of things here. So riddle me this. Why are they called the Finger Lakes, Kim?

 

- Because if you look at them, they're shaped, there's, I think, five big ones. And they're kind of shaped like fingers, I guess. They were formed by glaciers way back when, and they're gorgeous in the summer. The other gorgeous!

 

- The other gorgeous!

 

- Okay. Can I ask you another question? Could you name one of those Finger Lakes, Kim?

 

- Yeah. There's Seneca, Keuka, Cayuga. I grew up on Keuka. It's amazing in the summer. I recommend it in the summer, but that's it. Not in the middle of winter.

 

- [Announcer] GitLab is the DevOps platform. Deliver software faster with better security and collaboration in a single platform. Try GitLab today at about.gitlab.com/free-trial. That's A-B-O-U-T dot G-I-T-L-A-B dot com slash F R double E hyphen T-R-I-A-L.

 

- [Announcer 2] Civo is an alternative to the big, hyperscale cloud providers. They've launched the world's first managed Kubernetes service powered exclusively by K3s. With sub-90-second cluster launch times, a simplified Kubernetes experience, and predictable billing, Civo's on a mission to create a better developer experience. Get $250 free credit to get started. Sign up today at civo.com/popcast. That's C-I-V-O dot C-O-M slash P-O-P-C-A-S-T. Go check them out.

 

- Finger Lakes Chamber of Commerce, give us a call. We'll get some sponsorship stuff going. Alright, moving forward. So we're at Rover, we just started our start-up. We're like, okay. Talk to me about Google.

 

- Yeah, so it wasn't Rover. Rover actually acquired my little startup, so the domain and everything. But I went to another media company, Brit.co, Brit Morin, and was there for a few years. And that's really where I kind of started being more of a product manager, I guess. We were doing a lot of things. And then kind of took a step back and said like, "Man, I gotta see how one of these big companies do things." And it's funny. So I had an offer from Google and I also had one from Slack as their first product manager. Everyone's got those stories, now. I emailed Stewart, like, three years later after I turned down the offer. And this was when there was rumors about, I think, Amazon acquiring them. Like, "Stewart, you know, it took me three years to think about this, but I think I'm gonna finally accept." And he got a kick out of that, that email. So anyway, I landed at Google as my product management job. And I was so excited. I was working for Google Cloud. That was most of my career at Google. And I was like, "I'm going to learn how to be a product manager, how these big companies do it." And I don't remember, it was like my second or third day, and I'm like, "How many users do we have?" And people are like, "Uh..." Like, wait a minute! You know? And this is when Google Cloud was really app engine and super early days. And so, you know, fast forward I was there for seven and a half years, like, learned so much.

 

- We're not fast forwarding. We're gonna talk about this, okay? We'll get to the Chainguard stuff. Dot dev! Okay. So I'm gonna ask you this. Look, I mean, working at Google, everybody I've had that worked at Google just are like, you can do so much there. You click up your instances. You're ready to go. You have all these amazing tools at your disposal. Talk to me about working at Google, like the feeling of working there. And so for people out there who, I'm assuming, don't know about it.

 

- Sure, sure. So, like I said, I was, you know, in Google Cloud for most of my career there. And so Google's a huge place. So I can really only speak to my experience in Cloud. My husband actually works at YouTube. So I think that even his experience is a little bit different, you know, being in a different part of Google. But yeah, I think, like, I was just floored by the people that I was working with and, you know, I joke and it's like, yeah, a small company. You chat with your coworkers and you feel like you have a really good plan to move forward. You've been chatting with all these smart people, you're ready to go. And at Google, you go into a meeting and it's like, you know, you're listening to all these smart people, you're having this great conversation where like, "Yeah, let's do this." And everyone's pumped. They're like, "Let's go," you know, "let's do it this way." And then not only like 30 minutes later, you go into another meeting and they're like, "No, we should do it this way." They've convinced you completely, you know, completely different directions. So just so full of like smart people, and people looking out for one another, and just trying to help. So, you know, I had an amazing, amazing experience there. As a product manager, it's a lot on your plate. Sometimes it's hard to take a step back. And you're like, "What the hell do I even do here?" There's, as you probably know, a lot of meetings, a lot of email, a lot of trying to build relationships with engineering teams and other cross-functional teams. And so I worked on several products there, a couple that didn't see the light of day, but got pretty close. So that was exciting. What else, what else? Yeah, so that's where...

 

- Can we talk about, I mean, I'm sorry to interrupt you.

 

- No, no. But I want to talk about just product management in general. Like, what is product management done right? Like I had Craig McLuckie down here. He's like pretty much the godfather of Kubernetes and stuff like that. He honestly gave one of the most brilliant responses, there'll be links to it in the liner notes of the episode, y'all, about product management. I just want to know, like, what's your take? Like, what is a good product manager?

 

- I'm not gonna be able to top what Craig said, but one thing that I was thinking about, and so product management or product management, one of the things that stood out a while ago and it does still resonate with me, but I know there's some people that have mixed feelings about it. It was like, it's really like the small CEO of an individual product or a problem space. And trying to figure out how the heck we're gonna fix that. How are we gonna tackle that? And so I think, you know, a lot of the jobs of product managers is to just really understand what the heck problem, you know, people are trying to solve, and what's the best way for doing that. And it's not just, you know, individual features, and maybe even an individual product, but really zooming out and looking, like, at a huge kind of space. Supply chain security, for example, and kind of figuring out how to best tackle it. One of the things I was gonna say recently, is I saw this discussion on Twitter, and it was like, "What should we rename soft skills?" I'm not sure why this was a topic of debate, like we want a new word for soft skills. And I'm like, "How about just skills?" You know? And that's what I believe. And I think, like everyone, product managers have certain skills, too, that shine, and they bring to the table. Like I mentioned, building relationships, kind of seeing the, what the hell is the expression? Seeing the forest between the trees, whatever.

 

- The forest for the trees, right?

 

- Yeah, yeah, yeah. So what did Craig say? Well, you'll link it. I'll read it later, yeah.

 

- Yeah, I mean, look, it's honestly, your interpretation, or your mantras for product manager. I want people to know your take on it. You know what I mean? Like, Craig's is documented, but you've done this for years. You know what's successful and what's not. Like, do you think product managers that interact with customers are better off than the ones that are just siloed? Like, is it really dependent on the product? Like that kind of thing.

 

- Yeah, yeah. Yeah, I mean, I think it probably depends on the product, but definitely not working in silo, I would strongly recommend, and spending time with customers. And one of the things I'm sort of realizing that I did at Google, is I would talk to a lot of customers, and take a lot of notes and I'm like, "Oh, I'm gonna go back and clean up these notes." And then famous last words like, you know, never really cleaned up a lot of the notes and went back. And that's something I'm really trying to do in my new role at Chainguard is just to make sure that you are sort of spreading, and communicating, and making sure that you're sharing sort of the wealth of knowledge that you're learning on all these things. And I think, to your silo point, and I think communication is huge. Even written notes and making sure that you're sharing and especially bubbling up the important bits for people to read and to ingest.

 

- Cool.

 

- [Announcer 2] What if you could build like big tech? Use the same powerful infrastructure that they spent engineering centuries building? It's actually possible now with CockroachDB. The founders have spent the last eight years creating a cloud-native distributed SQL database that provides the consistency, ultra resilience, data locality, and massive scale for modern cloud applications. Tech that was once only available to the likes of Google, Facebook, and Netflix. Check them out and get started for free at cockroachlabs.com/popcast. That's C-O-C-K-R-O-A-C-H-L-A-B-S dot C-O-M slash P-O-P-C-A-S-T. Check them out.

 

- [Announcer] Learn how to operationalize open policy agent at scale with Styra. To get started, go to the link at https://hubs.ly/H0Pnkm20

 

- So again, software supply chain and you've heard it.

 

- I was right.

 

- You ready? You ready for this?

 

- I was ready for another trivia question, but...

 

- No, no, no. I was gonna ask the cookie question, but you already poo-pooed that one. We're gonna move off. You don't even know what Freihofer cookies are, so...

 

- I mean, they look familiar.

 

- So, all right. So software supply chain, I mean, there was Software Supply Chain Con at KubeCon. You know, it's a hot topic. Like, why is it such a hot topic? I had Dan and he explained it in his as fuzzy head, but like, I want the Kim, the real. I want the real from you.

 

- Yeah, I mean, it is a hot topic. And I do think it's like, the software supply chain wasn't really a buzzword as of a few years ago. Like, people knew about it and just, I think now it's really picking up steam and that's how we're all talking about it, which I think is the correct word to use, because it's exactly what we're talking about. We're talking about all the bits of code, and where they came from, and how they ended up in your production systems. But yeah, like you said, it's sort of been crazy over the last few years of seeing the number of attacks that are happening in this space. And it's almost hard to keep up. I think the term really got coined more so when the SolarWinds Sunburst attack happened, and that's when everyone's eyes started opening up a bit more like, "Oh, wow. You know, none of us are safe from this." And then tying that back to open source is, you know, the stats are out there that the majority of code that companies are relying on is the open source software. They're taking something off of GitHub, putting it in their production systems, relying on it because that's what engineers do, right? No need to reinvent the wheel if this package right over here is doing exactly what I want it to do. And so we're seeing, you know, tons of increase in these attacks. And, you know, Dan probably mentioned this when he was on the call, is like one of the theories of why now it's an uptick in these types of attacks. And it's because we think we've gotten better at preventing other styles of attacks. And I think the targets are a bit bigger, so attackers can go in and, similar to the Sunburst SolarWinds attack, they got into the build system, but then were able to push out malicious code to all of their customers. So it was kind of like these two-fold, two-phase attacks, which, you know, is able to impact a wide range of people on the other side, unfortunately. So those are...

 

- And again, we hear these terms, provenance and you hear SBOM and all these fun things. You want to kind of just like, again, just like in your own kind of way, just talk about provenance and talk about SBOM, and executive orders. Why are they so important?

 

- Oh yeah. Yeah, I mean, so that was one of the things that we saw from the sol-, from the sun-. I keep skipping on SolarWinds Sunburst because SolarWinds is the company and Sunburst, I think, is the name of what the thing was actually attacked. And a lot of people referred to it as SolarWinds, but I want to be cautious, very conscious, because we had Trevor come speak at that Supply Chain Security Con from SolarWinds, and gave an amazing presentation.

 

- We're gonna have it in the liner notes of the episode, Kim.

 

- Awesome. Awesome talk. I just thought that he did such a good job talking about it.

 

- Shout out, Trevor.

 

- And so, where was I going with that? Wow, I totally lost my train of thought. So, provenance, like where the heck is this software coming from, and how do I know where it's coming from? And that's something that's really lacking today for people that are running software in production systems to understand, you know, what is the actual software that I'm running in my systems? And so provenance is data that you can then verify, that kind of can show the origin, if that's the data you're collecting, show the origin of where the actual software, the bits, the code, came from. So it's like you can build this link now to see like, you know, all the way back like that. Anyway, that's as it applies to supply chain security, the provenance there. Oh, that's where I was going with the SolarWinds thing, was, you know, after that we saw this huge executive order come out about cyber security, and President Biden's office saying like, "Hey, this is a serious problem. It's putting us at risk. We all need to do a bit better here." And so there's been a lot of follow-up and discussions, and workshops and things, and how this executive order plays out, and potentially new regulation that's coming that companies and likely government vendors and stuff will have to follow. And so this is where you hear a lot about SBOMs, and I don't love the term, but it is what it is, which stands for like software bill of materials. And the way it's described is very similar to a nutrition label, is like what are all the ingredients in this piece of software that I'm using? And then again, the provenance piece is like, "Well, how can I actually verify and see it, and know kind of where it came from?" And stuff.

 

- Shout out to Dr. Allan Friedman out there.

 

- Yeah. We met Allan at, well, I think you've met him a few times, but yeah, it's great to. Allan's been driving the SBOM thing for a while. And so it's been fun to watch.

 

- Wonderful, dude.

 

- [Announcer 2] Teleport allows engineers and security professionals to unify access for SSH servers, Kubernetes clusters, web applications, and databases across all environments. You can download Teleport right now at goteleport.com. That's G-O-T-E-L-E-P-O-R-T.com.

 

- All right. So let's get that Chainguard.dev.

 

- Chainguard.dev.

 

- I want you to, okay, listen. I want you to tell the Porsche story, okay? Because it's such a great story. So go ahead.

 

- So, okay. I mean, I didn't really want to go into it, but it's totally fine. I've had this thing for Porsches, Porsche 911, since I was in high school. Maybe cause, I don't know, my brother had like some Matchbox cars.

 

- Can we time out on this? Kim, I wanna tell you. You are a successful, amazing woman in tech. I don't wanna like, you know, you are. Like, why wouldn't you want to call out that you wanted a Porsche and you wanted to go get one? Why would you not? Don't be humble on the POPCAST. There's no humility on the POPCAST Go ahead. Go ahead.

 

- Well, yeah. So I wanted a Porsche 911. So I finally, you know, got to a place in my life and career, my two young kids, perfect family car, right? So the way Porsches work is you build one, right? You can build kind of exactly what you want and start adding options and stuff. And I think they've got their pricing down to a T. It's just like, "Oh, just for a little bit more, you get this cooler paint color," or whatever. And so I finally convinced my husband that I needed this car finally in my life, and went through and built it. And then they've got a tracker. So you can see exactly where it is in their supply chain and see when it gets built. And then they put it on a ship and then you can watch the container ship kind of go around from Germany. And then I think the ship was like right around, you know, was it going through the Panama Canal? I don't know, but it was close.

 

- I'm gonna have my animators like put in the whole trek of your Porsche on the screen here.

 

- I probably still have screenshots. So, and then I, you know, I don't know how these things start, but probably just got one ping from Dan Lorenc. "We're starting a company, send the Porsche back." Because that was it. I was like, "All right, we're gonna do this." And as folks probably know, when you start a company, you're not making money on day one. So the Porsche is on hold. They did let me drive it at the dealership. So I took it for a little spin and they sold it, like, immediately. Like right when I was there, they already had a buyer ready. It was ridiculous. So one day I'll get back to that.

 

- I know you will. I know you'll get there. It'll be awesome.

 

- Thanks. So let's talk about Chainguard.dev. Okay. So like, you know, again, I mean, this is literally the Justice League. This is the greatest assemblage of people, just people in general, that I had ever seen.

 

- Yeah, thank you.

 

- I've been in this biz a while, I'm no spring chicken, Kim. So let's, I mean, let's talk about, like, kind of the goals of the company. We don't have to get in depth. I'm sure we'll have you all back next year and we'll figure out where we are.

 

- Yeah, yeah. So five of us came together. We had all crossed paths at Google before. You know, Dan Lorenc and I had been working together for the last five years. He's, basically in meetings, you know, in conversations with Dan nonstop. And I don't have enough good things to say about Dan. Like, he's just out of this world and I was joking the other... Not joking, cause it's true. But on a call the other day I was saying, "I know it's kind of cheesy, but I love the qualities of a good CEO, you know, a good entrepreneur." He hits every single one of 'em. And it's just like, it's just out of this world. And I feel so lucky that I've had a chance to work with him at Google. And this is where we started on software supply chain issues. We were trying to protect Google. And we started a bunch of open source projects in this space. And then Matt Moore is another founder and he was barbecuing for eight months trying to figure out what to do next. And then we all sort of came together. We said, you know, "This is the time that we should go and try to build something on our own and have a huge impact in this space." And so that's what we did. So Dan and I, our last day at Google was October 1st, and there are three others, Matt Moore, Ville Aikas, and Scott Nichols, who had already left Google. They were at VMware for a brief bit. And then we started, we got incorporated October 2nd of this year, and we've just been hitting the ground running, trying to build this company up.

 

- Fantastic. And again, I mean, the buzz like at KubeCon was huge. I even donned the wig to try to support you all. There are pictures of this. But again, nothing but the best, you know, we now have four alumni of the POPCAST. We have one more. Nichols, I'm coming for you. So that'll be everybody. And again, all the best. And now you have an announcement, don't you? Only exclusive to the POPCAST today. What would you like to announce, Kim?

 

- Yeah, so we're excited. We did land some seed funding. Unfortunately it didn't come with a Porsche 911.

 

- Why the hell not? Let's talk about that CEO there, negotiating. Why didn't you get her a Porsche, dude? Right? I'm looking at you, Dan Lorenc.

 

- I want to earn that one again. So we did, we raised seed funding. The venture capital market right now is kind of crazy. So we didn't really realize how crazy it was, and we're super excited that we landed a partnership with Amplify Partners. They're amazing people. We've been working with Lenny Pruss.

 

- Another POPCAST alumni. Hi Lenny, how are you?

 

- Oh, really?

 

- Oh wow, I need to go watch that one. And Mike Dauber, and I've been working with Renee a lot over there. And we're excited that we've raised five million for our seed investment. And we're gonna use that money to go hire a bunch of folks and start building out solutions in this space.

 

- Fantastic. Looking forward to all you all do. And we'll have you on next year to talk more about how the year was. All right, so let's talk more, way more important than Chainguard.dev, way more important. There's no trivia anymore, kids. We've moved on.

 

- I got to think of a trivia question for you. There's probably a good one.

 

- Okay, we'll figure it out. All right, so listen. There's an amazing thing we all did together this summer. So I directed and also co-wrote something called "Operation SLSA". There'll be a link here to this. You're part of the SLSA Squad. Do you want to tell me what your code name is?

 

- Yeah, so I am Agent Pico, and how I landed in this film...

 

- Oh, what is your full name? No, your full name is Agent...Pico De Gallo.

 

- Oh yeah. Pico De Gallo. Yes. Yes. We shortened it.

 

- Go ahead, go ahead. Sorry to interrupt you.

 

- So rewind a little bit. I mentioned open source projects at Google. We started one called SLSA, Supply-chain Levels for Software Artifacts, which is a framework to help you kind of understand where you are on the supply-chain integrity parts of it. And try to make sure that artifacts, how they've got built, and really understand that integrity piece of software artifacts. Anyway, someone had a crazy idea to make a video series. And so that's what we did. We made a super fun series of videos called "Operation SLSA", that's like all Hollywood production style with car chases. I wasn't originally gonna be part of this crew but I sort of got...

 

- Oh, but you know what? Oh, you had one of the best one-liners in this thing. And I can't reveal it, but there's like, a free one-liner is like, well, it was something about picante and I'm already forgetting it.

 

- Yeah it was... Oh, I don't know.

 

- Settle down, Picante. He said, "Is this a dip for chips?" Or something. And that's in the first episode. But man, super fun. I've never done anything like that before, but working with you all and putting this together, and just trying to help. I mean, that was the one thing we really realized that Google and a lot of this stuff is, it's about awareness first. You know, people don't really understand the risks that they're putting themselves up for. They just, you know, engineers don't want to think about security. They just want to push their code out, and they want to do it as quickly as possible. Like I said, the code reuse. They'll just go find a package on the internet, "Who the heck knows who wrote the code in this thing that I found on GitHub, but it's solving my problems. So let's just put it in there." And so that was kind of the motivation, I think for all of us behind the "Operation SLSA" videos is to help sort of drive awareness to like, "Hey, you may actually want to think about how that piece of software came to be, and before you kind of take a dependency on it."

 

- Yeah, I wanted to make it entertaining as well, right? So when we were doing this, and I love the fact we had a lot of ad-libs in there. We had a really fun time. We had our little green room where we apparently tried to consume over a thousand chicken nuggets. That's another story altogether behind the scenes of "Operation SLSA". I mean, just Ezra, Priya. Priya was incredible. Like, you know, she nailed every one of her lines. And episode two will probably be out by the time you all see this. It will be out before and you'll be able to see it. We'll add a link to it as well. And now, Kim, like, again, I think everybody brought it, but exactly, like you said, it's making awareness of this, but doing it in a way that's entertaining. It's like, it's a story. There are vignettes in each of them that explain each of the SLSA levels. And there's gonna be a big reveal. We can't say right now what it is, but it's just, we had so much fun during it, right? So, yeah.

 

- Yeah. You know, the only part that if we do this, if we ever do this again, let's just not pick Austin, Texas in the middle of summer, wearing suits.

 

- We're going to Miami in the dead of winter. So we'll figure it out for the prequel or sequel. We'll figure it out. So keep on watching if you want to see more "Operation SLSA". But more importantly, by the way, is talking about the Austin piece. Remember there was a point where I was like, okay, cause we're all staying at the same hotel, right? And I'm like, Kim, three o'clock. Pool time.

 

- Yep.

 

- And it was fun. And the funny thing is we're all near the pool hanging out, and then there's somebody from Google.

 

- Yeah, yeah.

 

- Like, there's somebody from Google.

 

- Hanging out.

 

- That's pretty crazy.

 

- It was a lot of fun. A lot of fun. So to get back to Chainguard real quick, in terms of like, where do you see it in two years? Where do you see it in five?

 

- Yeah. So great question. I mean, in two years we'll have a product that we're selling, or multiple products that we're selling to help organizations. You know, help fix their software supply chains. And yeah, I think a lot of what we're focusing on early too is the open source projects that I mentioned. So we feel like the key to solving a lot of these software supply chain problems is rooted in these open source systems, as that's where most of the code is coming from today. So, you know, pushing, and having people adopt these open source projects. I'm sure Dan talked about Sigstore and I had mentioned SLSA. And I think focusing on the communities there, and again, you know, on the product side, spending a lot of time building the right product, finding product market fit. And so, you know, in two years, I think we'll find that. We'll figure out what we're selling. We'll iterate. And then, five years, hopefully, you know, a lot more of that. We've got some big ideas around the richness of the data, and the software supply chains, and things that could become more interesting five years from now.

 

- Hopefully within that time, we'll have another Porsche 911.

 

- Of course.

 

- Cross my fingers for you, Kim. So last question for you, Kim, and again, appreciate you being on the show. You've become a dear friend of mine. I'll tell you that at the end of this. But what work are you most proud of?

 

- Oh, wow. Work I'm the most proud of. This is tough. Maybe it's that one time I got on the front page of digg.com. That was like a whole thing. I don't know. I think, you know, just kind of looking back on my career, I think not a single thing, but just being really happy with the career that I chose and what I'm doing. I feel like I'm just lucky that I found a career that I really enjoy and I like doing. And waking up in the morning and going to work is not like one of those ugh kind of moments. So I just feel very fortunate that I've landed where I've landed. So I think kind of all of it wrapped up into where I am now.

 

- So, Kim, we did it. There's the POPCAST for you. So again, I respect the ever-living soul of you. You're one of the, literally one of the smartest people I've ever met in my life. And I appreciate you and I appreciate what you've done for software supply chain security, but also in general. You're an amazing person. I can't wait to see what you all do at Chainguard. It's gonna be amazing. And thank you so much for being on the podcast.

 

- Yeah. Thank you for having me. This wasn't as bad as I thought. Talking about myself can be weird.

 

- Thanks for being on the show.