The software supply chain, which includes the components and processes used to develop software, has become precarious. According to a recent survey, 88% of companies believe that poor software supply chain security poses an “enterprise-wide risk” to their organizations.
Open source supply chain components are especially tricky, thanks to the logistical hurdles of properly maintaining each component. Security firm Synopsys found in its 2023 report that 89% of enterprise codebases contained open source tools that were more than four years out of date. A 2024 report from the Ponemon Institute found that more than half of organizations have suffered a software supply chain attack. These attacks could cost the economy nearly $81 billion in lost revenue and damage by 2026, Juniper Research estimates.
Socket, a startup that provides tools to detect security vulnerabilities in open source code, has raised $40 million to tackle the problem.
CEO Feross Aboukhadijeh founded Socket in 2020. Aboukhadijeh, a prolific open source maintainer and web security lecturer at Stanford, says he came to believe that traditional security tools were insufficient to address the challenges of modern software development.
“The extensive network of dependencies – which number in the thousands – poses significant security risks that traditional tools cannot mitigate,” Aboukhadijeh told TechCrunch. Dependencies are pieces of software or libraries that an app depends on to function. “Even with rigorous internal code controls, external dependencies introduce the risk of software supply chain attacks that are difficult to detect and manage,” Aboukhadijeh continued.
Socket’s solution is a scanner that looks for malicious activity, such as backdoors and obfuscated code, in open source components, and alerts developers when dependencies and packages are updated or added.
Through integrations with generative AI APIs from Anthropic and OpenAI, Socket can also generate vulnerability summaries (with minimal hallucinations, one hopes). In addition, the platform can optionally check whether the open source code is properly licensed (and therefore legal) for reuse.
“Socket is designed for engineering and application security teams that rely heavily on open source software,” said Aboukhadijeh. “It integrates seamlessly into developer workflows and provides real-time insights during code reviews and dependency updates without overwhelming users with false positives.”
More software companies rely on open source than ever before. In a 2023 report published in partnership with the Open Source Initiative and the Eclipse Foundation, 95% of respondents said their organizations increased — or at least maintained — their use of open source in the past year.