We are excited to announce our investment in Kusari, a company building a comprehensive system of record to secure software supply chains with an open-source project called GUAC. Today Kusari announced $8M in funding and early successes with companies such as Guidewire, Yahoo!, Google, and others using GUAC to gain visibility into and ensure compliance with new industry standards. We first partnered with Kusari’s founders more than a year ago, leading a pre-seed investment when they were just starting their journey to build a new company tackling one of the biggest challenges in security today.

‍

In the past several years, headline events such as the SolarWinds attack and the Log4Shell vulnerability in the open-source Java logging library, Apache Log4j, have driven widespread attention to the major risks lurking in what companies use to produce their software products. To us, this was the inevitable result of several major trends:

1. Developers are both software producers and software consumers, and the broad usage of open-source software has created new opportunities for bad actors. Security tooling has historically relied on identifying known vulnerabilities, which is insufficient to determine whether software is trustworthy.
2. Compromising a component of the software supply chain gives attackers significant “leverage” to impact a very large number of organizations.
3. Cloud-native architectures and cloud-scale footprints have increased complexity for engineering and security teams to identify where and how substantial risks exist. 

In the last couple years, we’ve seen a number of efforts converge to shape new standards for securing software supply chains: an Executive Order on Cybersecurity, guidance from NIST, best practices from CISA, and frameworks such as SLSA and S2C2F. Many new tools have emerged to generate Software Bill of Materials (SBOMs) and enumerate software being used, which is analogous and complementary to scanning tools that list vulnerabilities. But figuring out what to do with all that information to generate more secure outcomes is still too hard.

‍

Enter GUAC. GUAC aggregates data across the software supply chain into a graph representation, enabling anyone to understand relationships across software packages, dependencies, attestations, vulnerabilities, and more. This makes it easy for teams to visualize the current state of their software supply chain, collate relevant data in one place, and understand gaps in controls or provenance.

‍

We highly value founders who bring deep authenticity to the problems they are solving. We first met Tim Miller, Mike Lieberman, and Parth Patel through their leadership work in the Open Source Security Foundation, the SLSA steering committee, and the CNCF. They were uniquely qualified to tackle this space given their work on software supply chain security for years at several of the most security-conscious organizations in the world, including Citi, Bridgewater, and MUFG.

‍

We are excited to have J2 Ventures and Glasswing Ventures co-lead Kusari’s seed round and team up with us to support the company’s mission to safeguard software development.