Cloudsmith specializes in artifact management, offering developers a consistent way to manage a wide range of software repositories, both private and public. We sat down with Glenn Weinstein, CEO of Cloudsmith, to discuss the company's role as the software supply chain's "source of truth", the risks organizations face in software development, and how AI can enhance development productivity while addressing potential vulnerabilities.
You recently took over as CEO of Cloudsmith. What does Cloudsmith do? Why did you take the job?
Cloudsmith is the source of truth for the software supply chain. We provide artifact management, which allows developers across a wide variety of languages and package formats to build in a consistent way blending both private software repositories and upstream public software repositories, such as Maven Central. Cloudsmith distributes your software artifacts directly to your customers’ build pipelines. The platform provides proxying, caching, security scanning, entitlement management, analysis, and audit logging for every artifact that enters or exits the software supply chain. I came to Cloudsmith for the massive opportunity to change how every software organization in the world builds and distributes their products. We’re the only cloud-native SaaS solution for artifact management, so I expect to see a lot of shops migrating from their on-premise or hosted solutions over to Cloudsmith. What are some of the risks that organizations encounter developing software?
The thing is, you don’t write most of the code that you actually end up building and deploying. Modern software is 10% your code, 90% from third-party packages and containers. If you’re pulling packages directly from public sources, you don’t really know what’s in there, and you’re probably not keeping track of the exact sources of what gets deployed - what we call “provenance.” Bad actors are discovering that the web of dependencies in packages creates opportunities to slip in malicious code far down the software supply chain. Without solid artifact management practices, that malicious code could get pulled up through layers of dependencies and ultimately into your builds. The solution is to track what you’re building, by proxying artifacts from public indexes with known safe versions, and providing traceability that shows exactly what artifacts went into a particular build.
Explain the importance of protecting IP across your supply chain. What steps should organizations take to secure their supply chain, and - ultimately - their IP?
A lot of software teams start with language-specific tools for package management. As they grow, and as their broader organization takes on a variety of different formats, it gets harder to ensure that everything is getting built in a consistent, secure, performant manner. A heterogeneous solution like Cloudsmith can really help at the CISO or SRE level to provide enterprise-wide compliance and visibility into the software supply chain across all technologies in use. On the distribution side, Cloudsmith protects your IP by letting you issue entitlement tokens that authorize users to pull your packages into their own builds, using native package managers and CI/CD tools. This is a more modern, frictionless way to distribute software to other developers.
AI is rapidly becoming an incredibly powerful tool for developers, but are there vulnerabilities that bad actors can exploit within AI systems? If so, what should organizations do to mitigate these risks?
Cloudsmith doesn’t help developers write code, but once their code gets uploaded into a build pipeline, Cloudsmith helps make sure that malicious code gets flagged and quarantined. AI is wonderful in terms of making software developers more productive. That said, bad actors will find ways to exploit it, as with any new technology. We’re already past the point where humans can reasonably track all the dependencies that go into a modern software build. Platforms like Cloudsmith help organizations ensure the right automations and monitoring are in place to prevent exploits from making it through to production or to the next developers in the supply chain.