Photo of a chain-link fence
Photo: Nick Fewings/Unsplash

Guarding the supply chain

Protocol Enterprise

Hello, and welcome to Protocol Enterprise! Today: how Chainguard is trying to tackle the thorny problem of software supply chain security, Microsoft and Google Cloud report earnings, and TSMC halts work with a Chinese AI chip startup.

Weakest links: Goodbye

In an industry focused on solving complicated problems, a team of former Googlers is trying to fix what might be the most complex cybersecurity issue of all: preventing the next SolarWinds-style attack.

Their startup, Chainguard, is aiming to secure every stage of the software development process, in the wake of the widely felt SolarWinds breach and a growing number of other software supply chain attacks. But while many vendors are now trying to prevent the “next SolarWinds,” Chainguard is taking a different approach from the rest.

  • The goal “is really to try to make the software development life cycle and software supply chain secure by default,” Chainguard co-founder and CEO Dan Lorenc told me, “because that's the only way it will actually get secure.”
  • The year-old startup also stands out thanks to its strong appeal among developers, industry experts told me.
  • Chainguard allows development teams to “start with a clean slate, which is way easier than having to go back and fix a bunch of stuff,” said IDC senior research analyst Katie Norton.

Specifically, Chainguard stands apart by offering its own container base images — files that serve as the building blocks of a cloud-native application — which come with zero known vulnerabilities.

  • This is an advantage because many of the open-source options that are popular with developers come with a large number of bugs from the start.
  • The company recently took the additional step of creating its own flavor of Linux, dubbed “Wolfi,” which is now supporting its secure-by-default container images. Customers of Chainguard get container base images with enterprise-friendly features.
  • Meanwhile, with its Enforce product, Chainguard provides visibility into code that’s being deployed to “production” environments, which is the final step that makes the software available to users.

It’s no accident that Chainguard has begun with securing “the first and last links” in the software supply chain, said co-founder and CTO Matthew Moore. The goal is for the two products to serve as a strong foundation before the company sets out to work its way through the rest of the supply chain, he said.

  • Chainguard has focused on working closely with a small number of customers so far, including Hewlett Packard Enterprise and Block, and will be more aggressive about looking to expand its customer base in 2023, said co-founder and head of product Kim Lewandowski.
  • Ultimately, while Chainguard doesn’t yet address the whole problem of software supply chain security, IDC’s Norton said, “they’re solving a really big chunk of it.”

Read the full story here.

— Kyle Alspach (email | twitter)


Many business leaders aren’t sure where to begin when it comes to migrating to the cloud. To help organizations adapt to this revolution, Capital One launched Capital One Software, a new enterprise B2B software business focused on providing cloud and data management solutions.

Learn more

Winds of change

Microsoft and Google Cloud continued to report healthy growth despite the effects of a strengthening U.S. dollar on foreign exchange rates and the challenging macroeconomic climate, but Microsoft’s guidance for the upcoming quarter raised concerns about the health of the enterprise market.

Microsoft Cloud revenue exceeded $25 billion for the second consecutive quarter. That revenue – which includes sales of Microsoft Azure and other cloud services, Office 365 Commercial, the commercial portion of LinkedIn, Dynamics 365, and other commercial cloud properties – climbed 24% to $25.7 billion in Microsoft’s first quarter of the 2023 fiscal year compared to the prior-year period.

But revenue growth from Microsoft Azure and other cloud services slowed in the quarter to 35%, down from the 50% growth reported in the same quarter last year and 40% growth reported in the previous quarter. And CFO Amy Hood’s projections for next quarter’s growth came in well below expectations, sending the company’s stock down sharply in after-hours trading.

Meanwhile, Google Cloud’s third-quarter revenue beat Wall Street estimates.

“The long-term trends that are driving cloud adoption continue to play an even stronger role during uncertain macroeconomic times,” Alphabet and Google CEO Sundar Pichai said during an earnings call with analysts on Tuesday.

Google Cloud revenue, which includes Google Cloud Platform services, Google Workspace collaboration tools, and other enterprise services, hit $6.9 billion, up 37.6% from $4.99 billion in the same quarter last year and 9.4% from this year’s second quarter, when Google Cloud revenue eclipsed $6 billion for the first time.

Google Cloud remains in the red with a net loss of $699 million, up from $644 million in last year’s third quarter, but down from the $858 million of the last quarter that ended in June.

— Donna Goodison (email | twitter)

It’s not privacy vs. security anymore

In the last few years, the roles of privacy and security executives — and the budgets they control — have grown significantly as organizations have worked to stymie the growing threat of cyberattacks and navigate the ever-changing landscape of data regulation. But good privacy and security strategies are often as much about people as they are policy, and the push and pull between the two remits can sometimes create friction within an organization.

Join Protocol Enterprise’s Kyle Alspach for an event recorded live at KubeCon North America at 11 a.m. PDT on Thursday, Oct. 27. Kyle will be joined in discussion by Chris Burrows, chief information security officer, Rocket Companies; Jacob DePriest, vice president and deputy chief security officer, GitHub; Elise Houlik, chief privacy officer, Intuit; and Deepak Goel, chief technology officer, D2iQ. RSVP here.

TSMC cuts off a Chinese chip design company

TSMC has halted production of an advanced AI chip made by a closely watched Chinese chip design company, Biren, while evaluating whether the Biren chips are covered by a sweeping set of new export controls, a person familiar with the matter told Protocol.

Biren unveiled one of its flagship AI chips, the BR100, over the summer at the Hot Chips conference. At the time it claimed it could significantly outperform Nvidia’s A100 chip, which is one of the processors designated by the Biden administration for export restrictions to China.

There has been confusion over whether Biren’s chips are covered by the export controls, but SemiAnalysis chief analyst Dylan Patel maintained that the chips in question are “well above” the performance threshold set by the Commerce Department.

The potential loss of Biren’s business — and other Chinese advanced AI chip designers — would be a drop in the bucket for TSMC, however.

During the company’s earnings call earlier this month, executives said the impact on the just-announced restrictions would be minimal in the near term. Bernstein estimated TSMC could lose 0.4% of revenue, which would amount to roughly $200 million in 2021.

Through the use of a foreign direct product rule, the U.S. has prevented TSMC from manufacturing chips that exceeded the thresholds established by the Commerce Department even if they are designed by Chinese companies.

The advanced GPUs now blocked by the new Biden rules are already used by 30% to 40% of the top 50 companies working on AI in China — companies such as Alibaba, Tencent, and Baidu have previously bought systems powered by the Nvidia A100 chips, according to a Bernstein analysis published Tuesday. Chinese companies typically use the advanced systems for large-scale AI tasks such as smart city operation control, credit scoring and loan authorization, and autonomous driving, among other uses.

The majority of Chinese companies working on AI applications use older hardware, many of which are unlikely to use more advanced chips in the first place, according to Bernstein.

— Max A. Cherney (email | twitter)

Around the enterprise

Snyk laid off nearly 200 employees, or about 14% of its workers, showing that while cybersecurity spending is unlikely to fall off a cliff as the economy gets more challenging, it’s going to be harder for unicorn startups to fly quite as high.

Oracle is also laying off staff, cutting an unspecified number of workers in its core cloud database and applications division, according to Insider.


The flexibility of the cloud helps companies like Capital One unlock access to their data with performance that can scale instantly. But this flexibility and scale can also create a unique challenge for organizations and users who are not proficient in cloud optimization.

Learn more

Thanks for reading — see you tomorrow!

Clarification: Yesterday’s Protocol Enterprise reported that a September executive order from President Biden directing the Committee on Foreign Investment in the United States to consider reviewing foreign investments with possible national security risks might not have a major impact on venture capital flows between the two countries. However, while Aimen Mir, partner at international law firm Freshfields, said the order “is not likely to cause bilateral investment flows in VCs to dry up” and “is not likely to cause a significant change,” he also said, “Any eventual outbound investment rules could have a significant impact on U.S. investment in China, depending on how it is scoped.”

Recent Issues