The software supply chain, which includes the components and processes used to develop software, has become precarious. According to a recent survey, 88% of companies believe that poor software supply chain security poses an “enterprise-wide risk” to their organizations.
Open source supply chain components are especially tricky, thanks to the logistical hurdles of properly maintaining each component. Security firm Synopsys found in its 2023 report that 89% of enterprise codebases contained open source tools that were more than four years out of date. A 2024 report from the Ponemon Institute found that more than half of organizations have suffered a software supply chain attack. These attacks could cost the economy nearly $81 billion in lost revenue and damage by 2026, Juniper Research estimates.
Socket, a startup that provides tools to detect security vulnerabilities in open source code, has raised $40 million to tackle the problem.
CEO Feross Aboukhadijeh founded Socket in 2020. Aboukhadijeh, a prolific open source maintainer and web security lecturer at Stanford, says he came to believe that traditional security tools were insufficient to address the challenges of modern software development.
“The extensive network of dependencies – which number in the thousands – poses significant security risks that traditional tools cannot mitigate,” Aboukhadijeh told TechCrunch. Dependencies are pieces of software or libraries that an app depends on to function. “Even with rigorous internal code controls, external dependencies introduce the risk of software supply chain attacks that are difficult to detect and manage,” Aboukhadijeh continued.
Socket’s solution is a scanner that looks for malicious activity, such as backdoors and obfuscated code, in open source components, and alerts developers when dependencies and packages are updated or added.
Through integrations with generative AI APIs from Anthropic and OpenAI, Socket can also generate vulnerability summaries (with minimal hallucinations, one hopes). In addition, the platform can optionally check whether the open source code is properly licensed (and therefore legal) for reuse.
“Socket is designed for engineering and application security teams that rely heavily on open source software,” said Aboukhadijeh. “It integrates seamlessly into developer workflows and provides real-time insights during code reviews and dependency updates without overwhelming users with false positives.”
More software companies rely on open source than ever before. In a 2023 report published in partnership with the Open Source Initiative and the Eclipse Foundation, 95% of respondents said their organizations increased — or at least maintained — their use of open source in the past year.
With the market for software supply chain security platforms expected to grow to as much as $3.5 billion by 2027, it’s not surprising that Socket has rivals.
Oligo, a company focused on runtime application security and monitoring, emerged from stealth in February with $28 million. Endor emerged from stealth last October with $25 million, following Chainguard’s $50 million raise in early June.
What sets Socket apart, Aboukhadijeh argues, is its ability to intercept potentially malicious code that other tools miss, especially code to exfiltrate sensitive data. Socket detects more than 100 zero-day attacks on the software supply chain every week, he claims.
Socket’s impressive list of backers (and customers) might indicate that these claims have some credibility.
Entrepreneur Elad Gil and Andreessen Horowitz participated in Socket’s Series B, along with Yahoo co-founder Jerry Yang (disclosure: Yahoo is the parent company of TechCrunch), OpenAI chairman Bret Taylor, Twilio co-founder Jeff Lawson and Shopify co-founder and CEO Tobias Lütke.
Socket’s customers include Anthropic, Harvey, Figma, Vercel, one of the four largest banks in the US, and “the largest and most recognized AI company.” (Interpret the latter as you wish.)
Aboukhadijeh described the new Series B round as “preemptive” and claimed that Socket still has not spent the Series A money it raised last August.
“We are on track to grow revenue by 400% by 2024,” Aboukhadijeh told TechCrunch. “Socket currently has more than 100 customers and protects more than 7,500 organizations, defends 300,000 code repositories, and supports more than 1 million developers worldwide.”
The new funding brings Socket’s total funding to $65 million at what Aboukhadijeh described as a pivotal moment in open source history. He emphasized that AI is being used to write more and more code, which brings the potential for security breaches.
“This was the right time to raise these funds,” Aboukhadijeh said. “New AI attack vectors have created an urgent need for Socket to provide security guarantees to the code generated by these AI-powered tools. Socket’s technology addresses this critical gap in the market, and the additional funding will help scale its impact.”
Socket, which has 32 employees today, plans to grow its team to 50 people by the end of the year, with a focus on the engineering, product, design and sales sides of the Stanford-based company.
This article originally appeared on TechCrunch at https://techcrunch.com/2024/10/22/socket-lands-a-fresh-40m-to-scan-software-for-security-flaws/