Today I’m excited to share I’m embarking on a new journey with the Chainguard team. I’m beyond thrilled and want to share part of the journey getting here.
Start ups are great for self awareness
Once upon a time, back in 2012, I woke up one day and decided I wanted to found a startup. Maybe because I’d just finished reading about rapid growth in ‘Lean Startup’ or perhaps it was just all the extra energy I had since I was no longer breastfeeding insatiable babies. Whatever the reason I set about immersing myself in the startup ecosystem by:
- reading VentureBeat every day
- joining online communities such as YCombinator’s Female Founders Group (before YC washed their hands of it)
- attending meetups in the London startup scene
I also lined up a couple of mentors (mostly ex-bosses) who I would send my random startup ideas to – e.g. pizzas shaped like Peppa Pig characters – and they would send short replies telling me the most challenging part of that business idea e.g. logistics/shipping.
When I ran out of terrible ideas to throw at them I tried co-founder dating. This is exactly what it sounds like – ‘dating’ founders (and their ideas!) to see if you can build a lasting partnership. Here’s how that went:
- Sebastian D was building helpmefaq.it, intelligent FAQs for mobile sites – I liked the idea but after meeting, things didn’t really go anywhere
- Jill Hodges was getting started building FireTechCamp and I went along to help run workshops on Minecraft and WearableTech, as well as writing their Advanced Python curriculum. I learnt I was not as into working with kids as I had initially thought. (Sidenote: congrats to FireTechCamp on their acquisition this week!)
- Claudia A & I started EventLobster – “the Airbnb for catering services” and made it as far as a minimum-viable product before I learnt building a marketplace is twice as much work and the margins in the catering & entertainment industry are terrible.
In the end I realized I really really missed open source especially the communities and innovation. But I no longer wanted to program, but instead tackle the harder, bigger challenges that lie beyond code. It was time to pivot.
Security is stressful
After an open job hunt I landed an amazing role at CloudBees, working for Kohsuke Kawaguchi with the Jenkins community. The team that reported to me included the Jenkins Security Officer, Daniel Beck. Being such a widely adopted technology, Jenkins has seen it all: phishing attacks, remote-code execution vulnerabilities, DDoS and even million-dollar crypto mining exploits. I got a crash course in security from Daniel and the community around the same time as co-ordinated disclosure deadlines had become de facto. My main role was helping with the communications, from trying to steer media away from sensational reporting to trying to find good answers to questions such as ‘Why did the fix for the CVE introduce a new CVE?’
Even from the periphery I found it pretty stressful. I have a huge amount of empathy and respect for open source security teams who tackle these challenges regularly and are up against so many challenges. Jenkins had a strong, experienced security team but I learned with most projects this wasn’t always the case.
When I was invited to share my experiences at a security panel at GitHub Satellite I wrapped things up by saying: “I think we have to acknowledge that the way, as an industry, we’ve dealt with security has been a trashfire – it’s just horrendous”. I feel strongly that as an industry we have not set up open source security teams for success. On a more positive note, the solutions have to address the cross-cutting issues and bring everyone together to take responsibility – and I felt the Continuous Delivery Foundation was one way to tackle that.
Continuous delivery, continuous fun
At that time, I was also driving bringing the Continuous Delivery Foundation to life. At a DevOps World conference I met Kim Lewandowski and Dan Lorenc (both then at Google). I barely remember the conversations because they both bought into the vision for the foundation very quickly. They spearheaded the efforts to have Google contribute the Tekton project (then Knative build) to the CDF (which in hindsight was no small feat!), plus helped with launching CDF in a big way.
After the successful launch of CDF, with Kim taking on the first board chair role, one of the first working groups launched was the software-supply-chain sig. Dan would later go on to succeed Kohsuke Kawaguchi as the technical oversight committee chair. Throughout the first year we worked closely together including on the early CD Summits at Kubecon – it was always a blast.
Along with other folks, Kim & Dan went on to help found the OpenSSF (so in some ways I like to think of it as a CDF spin off show) while I doubled down on CDF, taking on the executive director role. Rapid growth is not just for start ups and the CNCF was a phenomenal example of open source ecosystem growth driven by a non-profit, the Linux Foundation. I was keen to learn more about the inner workings of OSS foundations.
Right team, right topic, right timing
In 2021, the industry’s poor security posture came home to roost with a host of supply chain attacks, the first US presidential cybersecurity executive order (which mentioned open source 4 times!) and the massive Log4j vulnerability. Dan and Kim (and friends) left Google to found a new start up to address the problem space. From the moment they launched I was in love with their philosophy of “the easy way must be the secure way!”.
I was pretty happy building the CDF when I got the chance to join Chainguard. Chainguard, as an open source start up was looking to tackle the extremely difficult challenge of making the software lifecycle secure by default. A very tough job, but with a very fun team at a time the industry badly needs really good folks tackling this problem space. Nevertheless it was still a very difficult decision to leave CDF, but in life you don’t get to choose the timing of opportunities – just whether you grab hold of them or not.
So I’d be lying if I said I wasn’t nervous about helping build a start up from the ground up – especially given everything it takes for mothers to keep working in tech. The key is that Chainguard gets that the solution here must be rooted in open source, standards, and communities. And every member of the team has an amazing track record in open source ecosystems. So I have the grand belief that leading with community will mean that despite the intensity, you can have fun in a start up career that does not destroy your life but rather makes it fulfilling. So here’s hoping I get to work with all of you out there in open source communities. Let’s go secure all the things!
Credits: OpenSSF Operation SLSA https://www.youtube.com/watch?v=S_MXbt0p_pg&t=82s