Kusari announces SaaS platform for software supply chain security
Kusari has launched a new SaaS platform built on top of GUAC (Graph for Understanding Artifact Composition), a CNCF incubating project, to tackle software supply chain security challenges.
The platform stands out by providing instant visibility into software dependencies, their origins, and vulnerabilities, making it invaluable for security incident response and management.
The GUAC roadmap includes the potential for "GUAC Lite" to facilitate adoption and reduce the infrastructure needed to get started.
The Kusari platform is looking to expand capabilities for air-gapped networks, positioning it as a comprehensive solution for cloud-native and regulated environments.
Transcription
Bart: The host is Bart Farrell. The speaker is Tim Miller (works for Kusari).
Tim: I'm Tim Miller, CEO and co-founder of Kusari, a software supply chain security company. What I do is everything else that my great engineers don't have time for. I try to make their lives easier and listen to people who talk to us.
Bart: What do you want to share with us today?
Tim: We recently announced our SaaS platform to manage software supply chain security, which helps folks understand what's in their software environment. This includes all those annoying dependencies, their origins, and vulnerabilities. In the first 10 minutes of an incident, the focus is on finding out what happened. You're looking for how it got there and where it came from, whether through a middle-level dependency or some platform. We can answer these questions fairly immediately, making it easier to respond when someone notifies you of a vulnerability while you're in the middle of something else. You don't have to panic; we can tell you exactly where to look.
Bart: And does the platform have a name?
Tim: We named the open source project Guac, which is a backronym that stands for graph for understanding artifact composition. We were fairly hungry when we named it, but that's the core of it - an open core model. Guac runs in the middle of our platform, and we put analysis, prioritization, and pretty UIs on top of it.
Bart: And what problem does Guac solve other than getting rid of hunger?
Tim: Guac solves the problem of connecting different software dependencies by building links between them, similar to an API for your supply chain. It puts these links together in the form of a graph and exposes a GraphQL API for querying. This is where the open source aspect of Guac stops, with no hosted model available, making it a self-managed solution. Kusari builds upon Guac by handling the complexities of running such a system at scale. Running a graph database becomes challenging after a few days as it grows rapidly. Kusari also prioritizes the data in Guac, addressing the initial questions that led to using Guac, such as what dependencies are present, their location, current concerns, and necessary actions. The Kusari platform provides answers to these questions on top of Guac, utilizing its open-source engine.
Bart: And can you share a bit about the before and after of this announcement?
Tim: Before, we were focused on getting open-source Guac to work, ensuring the community was engaged, and gathering feedback from users. We wanted to understand if the open-source tool was solving a real problem in a way that was approachable. Our goal was to help users be successful and understand the issues they encountered. We tried to discern who would use the open-source tool versus those looking for a more out-of-the-box solution. Initially, our approach was to listen and gather feedback. Now, we are focused on ensuring that we listen properly, address the concerns of our users, and provide a more turnkey solution for those who need it. Our objective is to continue doing this effectively as part of Kusari.
Bart: Is Guac open source and part of the CNCF landscape?
Tim: Guac is a CNCF incubating project. It's got maintainers from Kusari, Google, Purdue University, Microsoft, and it has a lot of great contributors. It is on the CNCF Slack. There's a Guac website to check out if people are curious. I'd love a star on the Guac GitHub if you have a minute.
Bart: What's Kusari's business model?
Tim: We are a SaaS platform primarily. One of the things we need to address, based on feedback from KubeFM, is that we are getting a lot of questions about air gap networks, which we currently do not support, and we will have to figure that out. Primarily, our service is SaaS, where we run everything for our users and aim to make it seamless. However, we hear that many are looking for this kind of solution in more regulated areas, and this is likely to be a key takeaway from KubeFM, as the speaker, Tim Miller, works for Kusari.
Bart: And who are your main competitors?
Tim: Folks like Manifest, Lineage, and Stacklok are probably the biggest ones or the closest to what we're doing. I think we all just do it a little bit differently. We're a little bit more open source and open standard-focused, and we externalize the problem a little bit more, versus what some of the other folks are doing. But they're all fairly similar to our approach.
Bart: What would you expect next from Guac and Kusari?
Tim: From Guac next, we're going to look at things like Guac Lite. One of the things complicated with Guac is that it requires a Kubernetes environment. Many initial questions about using Guac are complicated to answer immediately. We are considering Guac Lite and would appreciate feedback on a more food-related name. We're running out of Guac-themed names. A version that allows for quick execution and answers is needed. On the Kusari platform, we've got a lot going on. We are working on hardening, friction reduction, and enterprise features, particularly for air gap networks and regulated areas. Then, we're making sure that we can make this as efficient as possible. Managing a large supply chain involves a significant amount of data, and we are trying to ensure we can handle it efficiently to meet the demands.
Bart: Anything you want to share about the shirts?
Tim: We have a lot of them. Jennifer made all these, so thank you, Jennifer. And now there are also avocados, which are our most popular piece of swag.
Bart: I believe it. Thank you very much. Cheers. Thank you.
Tim: Everybody.