
Chainguard’s technology lightens the SOC 2 lift

At Chainguard, we hold ourselves to the highest standards of security, but as a startup, unlimited resources to devote to certifications like SOC 2 are unrealistic. However, we saw a unique opportunity to practice what we preach by using our own product for our SOC 2 certification — Chainguard Images, which cut common vulnerabilities and exposures (CVEs) on average by 97.6%. By dogfooding in this way (i.e. using our own technology in the process), SOC 2 requirements were easier to meet, easing the burden of the certification process.


Challenge


Founded in 2021, Chainguard is both a startup and a group of seasoned security veterans keen to pursue the best ideas in open source security. Since our inception, SOC 2 compliance has been extremely important to our business growth and maturity. More than a security certification, SOC 2 is an indicator of trustworthiness, because a SOC 2-compliant organization is secure in both its data and business practices. Companies must carefully consider and demonstrate their dedication to maintaining a strong security position over an extended period. Whereas working with non-compliant companies is increasingly seen as a risk, becoming compliant not only positions us as more reliable partners in terms of information security and compliance, but also demonstrates our holistic commitment to best practices when it comes to all things cybersecurity.


But preparing for a SOC 2 audit is a lot of work, and being Type II certified requires tracking and addressing all the company’s vulnerabilities over a six-month period. This meant tracking access to company systems, vulnerabilities we saw, and how we addressed those vulnerabilities. At a typical company with 70 services in production, that would easily total 14,000 vulnerabilities, which — needless to say — is a lot of work. This would require at least one more person on the team whose sole responsibility is to track and remediate those CVEs.


Lucky for us, Chainguard’s philosophy of minimal computing and, by extension, our Chainguard Images solution, made addressing vulnerabilities fast and easy.


“Vulnerability management is a huge source of toil in security engineering. As a one-person team, I can’t look at thousands of vulnerabilities and do everything else in my job. I’m lucky that I use our own products like Chainguard Images. Because we have so few CVEs in our production fleet, the vulnerability management part of my role takes so little time.”

Thomas Strömberg, Director of Security at Chainguard

Solution


Chainguard Images drastically reduce vulnerabilities in open source software and shrink container image attack surface by nearly 80% thanks to three guiding principles.


  1. Chainguard Images are designed to be minimal, containing only what is required to build or run an application and its runtime dependencies. This means that developers only need to focus on fixing the vulnerabilities that an application explicitly uses.

  2. We engage in reproducible builds, making it easier to track changes from one build to the next.

  3. Chainguard Images are always up-to-date because Chainguard rebuilds them every night — unlike slower iteration cycles that can produce vulnerability creep for users.


Because Chainguard Images are always built on the most recent, secure software, there are very few recent vulnerabilities to address on any given day, which smoothed the way for SOC 2 certification. Not only do our customers trust Chainguard products because Chainguard is now SOC 2 certified, but using Chainguard solutions will lighten the lift for our customers’ SOC 2 certification processes, too, by minimizing the time, effort, and resources that would otherwise be sunk into vulnerability management.


You can view and download Chainguard’s SOC 2 certification here.


