Review and predictions for open source software in 2025
Sigstore creator, Chainguard CEO, OpenSSF TAC member and Season 1 guest Dan Lorenc returns to review 2024 and make predictions for 2025.
In a year of shifting market dynamics for open source software and SecOps, one company sat at the intersection of key trends in open product business models, software supply chain security and industry governance.
That company is Chainguard Inc., and co-founder and CEO Dan Lorenc also has a resume that reflects experience in these areas. While working at Google, Lorenc originally developed the tooling that would become the Sigstore project, which helps to verify the provenance of open source code packages. Sigstore is now governed by the Open Source Security Foundation, where Lorenc is a member of the Technical Advisory Council. Chainguard is an open product company that pivoted in 2024 to focus primarily on hardened container images rather than software bills of materials (SBOMs).
In this episode of Informa TechTarget's IT Ops Query podcast, Lorenc said Chainguard's shift in focus resulted from changing customer demands.
"What we're selling is just a secure supply chain that happens to be in an images format," he said. "Containers … are finally … making their way into the most regulated and security-conscious orgs that are typically slowest to adopt, and there's a huge set of security concerns that are just sitting there, inside these massive container images that everyone is downloading and grabbing from the internet."
At the same time, other forms of software supply chain security management, namely SBOMs, began to fade into the background as the Cybersecurity and Infrastructure Security Agency omitted them from its self-attestation form for federal software suppliers.
"I've seen the government regulation continue, but it's a slow-moving ship," Lorenc said. "I'd say it's still moving in the right direction, but it hasn't really changed the way anyone is thinking about software development yet."
The change in emphasis for Chainguard also reflects the challenges of building a sustainable business on free and open source software, the theme of IT Ops Query's Season 1, where Lorenc also appeared as a guest. During this year-in-review episode, Lorenc also praised the work another Season 1 guest, System Initiative's Adam Jacob, did to advocate for new approaches to open product business models this year.
Dan Lorenc, co-founder and CEO, Chainguard
"[Jacob has] written amazing blogs explaining how to do open source and how to make it work," Lorenc said. "I don't think people are listening yet to folks like Adam that understand where the pitfalls are, but I do think we've seen a pullback in some areas, and venture funding and the economy over the last couple years hasn't been quite as bubbly. … So, I don't think there are quite as many companies getting started without real sustainable paths forward."
Going forward, Lorenc said he expects software supply chain security regulations to become more rigorous and specific, beginning with the EU's Cyber Resilience Act, which went into preliminary effect Dec 11.
"People that are selling software directly to the government, the [U.S. Department of Defense], [are] going to start requiring it for their vendors," he said. "It's a supply chain where everybody's in business with somebody that's in business with somebody that's in business with the government. You can't get too many hops away, so it will spread."
On the tech front, AI for SecOps has been of limited effectiveness at generating vulnerability reports for defenders, while enabling bad actors to flood some projects with bogus vulnerability reports, according to Lorenc.
"These attacks are on the build system and the package repository, and yeah, if you're following the [Secure Software Design Framework] from NIST, hopefully that's all hardened for you," he said. "But you can't go require that for every one of the thousands of tens of thousands of open source projects and maintainers out there that you're using."
As a result, Lorenc predicted that AI-based malicious code will remain a top concern for open source software in 2025.
"There are good efforts, and people are raising the bar, but they're going to be behind the pace, because you can't just go force open source maintainers to do things securely," he said.
Beth Pariseau, senior news writer for Informa TechTarget, is an award-winning veteran of IT journalism covering DevOps. Have a tip? Email her or reach out @PariseauTT.