The software supply chain (the components and practices that make up a software product) is rapidly becoming fraught. In one recent survey, 88% of respondents said they believe poor software supply chain security poses an "enterprise-wide risk" to their organizations.
Supply Chain Security for Open Source Components
==========================================
Open source supply chain components are especially fraught, given the logistical challenges of keeping each component well-maintained. A 2023 report by the security firm Synopsys found that 89% of the business codebases it examined contained open source components that were more than four years old. A 2024 report by the Ponemon Institute found that more than half of organizations had experienced a software supply chain attack. Juniper Research estimates that by 2026, such attacks will cost the global economy nearly $81 billion in lost revenue and damages.
Socket, a startup whose tools help to detect security vulnerabilities in open source code, has raised $40 million to try and solve the problem.
Its CEO, Feross Aboukhadijeh, founded Socket in 2020. An open source maintainer who works on hundreds of projects and a lecturer on web security at Stanford, Aboukhadijeh says he came to believe that old-fashioned security tools were not up to the challenge of modern software development.
"The tens of thousands of dependencies create significant security risks that traditional solutions cannot address," Aboukhadijeh told TechCrunch. Dependencies refer to bits of code or libraries that an application depends upon to work. "Even with very strict internal code reviews, external dependencies introduce the risk of hard-to-detect and manage software supply chain attacks," Aboukhadijeh continued.
Socket's response takes the form of a scanner that detects malicious activity, backdoors, and obfuscated code in open source components, alerting developers whenever dependencies and packages are added or updated.
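To make the "alert on added or updated dependencies" idea concrete, here is an added illustration of the kind of review a team can run in CI on its own lockfile; it is not Socket's code and does not reproduce its detection logic. It assumes the package-lock.json v2/v3 layout (a `packages` map keyed by `node_modules/<name>`, with `version`, `resolved`, `integrity` and the optional `hasInstallScript` flag) and uses two constructed lockfiles as input: it lists added, removed and changed packages, and flags the cases a reviewer usually wants surfaced, namely a new dependency, a package that runs an install script, a package resolved from a host other than the expected registry, and an integrity hash that changed without a version change.

```python
import json
from urllib.parse import urlparse

# Assumption: only the public npm registry is expected; adjust for private mirrors.
TRUSTED_REGISTRY_HOSTS = {"registry.npmjs.org"}

# Constructed sample lockfiles (package-lock.json v3 layout). Package names are made up.
OLD_LOCK = json.loads("""{
  "name": "example-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app"},
    "node_modules/left-pad-ish": {"version": "1.0.0",
      "resolved": "https://registry.npmjs.org/left-pad-ish/-/left-pad-ish-1.0.0.tgz",
      "integrity": "sha512-AAAA"},
    "node_modules/tiny-util": {"version": "2.1.0",
      "resolved": "https://registry.npmjs.org/tiny-util/-/tiny-util-2.1.0.tgz",
      "integrity": "sha512-BBBB"},
    "node_modules/stable-lib": {"version": "3.0.0",
      "resolved": "https://registry.npmjs.org/stable-lib/-/stable-lib-3.0.0.tgz",
      "integrity": "sha512-DDDD"}
  }
}""")

NEW_LOCK = json.loads("""{
  "name": "example-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app"},
    "node_modules/left-pad-ish": {"version": "1.0.1", "hasInstallScript": true,
      "resolved": "https://registry.npmjs.org/left-pad-ish/-/left-pad-ish-1.0.1.tgz",
      "integrity": "sha512-EEEE"},
    "node_modules/tiny-util": {"version": "2.1.0",
      "resolved": "https://registry.npmjs.org/tiny-util/-/tiny-util-2.1.0.tgz",
      "integrity": "sha512-CCCC"},
    "node_modules/color-helperz": {"version": "0.0.3",
      "resolved": "https://cdn.example.invalid/color-helperz-0.0.3.tgz",
      "integrity": "sha512-FFFF"},
    "node_modules/stable-lib": {"version": "3.0.0",
      "resolved": "https://registry.npmjs.org/stable-lib/-/stable-lib-3.0.0.tgz",
      "integrity": "sha512-DDDD"}
  }
}""")


def _packages(lock):
    """Map each installed package path (minus the leading 'node_modules/') to its metadata.
    The root entry ('') is skipped. Nested copies keep their full path, so they never collide."""
    prefix = "node_modules/"
    return {path[len(prefix):]: meta
            for path, meta in lock.get("packages", {}).items()
            if path.startswith(prefix)}


def diff_lockfiles(old_lock, new_lock):
    """Return sorted lists of added, removed and updated package names.
    'Updated' means the version or the integrity hash changed."""
    old, new = _packages(old_lock), _packages(new_lock)
    updated = sorted(
        name for name in set(old) & set(new)
        if old[name].get("version") != new[name].get("version")
        or old[name].get("integrity") != new[name].get("integrity")
    )
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "updated": updated}


def review_changes(old_lock, new_lock):
    """Produce (package, reason) findings for every added or updated package."""
    old, new = _packages(old_lock), _packages(new_lock)
    delta = diff_lockfiles(old_lock, new_lock)
    findings = []
    for name in delta["added"] + delta["updated"]:
        meta = new[name]
        if name in delta["added"]:
            findings.append((name, f"new dependency {meta.get('version')}"))
        elif old[name].get("version") == meta.get("version"):
            # Same version but a different tarball hash: the artifact was replaced.
            findings.append((name, "integrity changed without a version change"))
        else:
            findings.append((name, f"version {old[name].get('version')} -> {meta.get('version')}"))
        if meta.get("hasInstallScript"):
            # Lifecycle scripts run arbitrary code at install time; always worth a look.
            findings.append((name, "package runs an install script"))
        host = urlparse(meta.get("resolved", "")).hostname
        if host not in TRUSTED_REGISTRY_HOSTS:
            findings.append((name, f"resolved from untrusted host {host}"))
    return findings


if __name__ == "__main__":
    for package, reason in review_changes(OLD_LOCK, NEW_LOCK):
        print(f"{package}: {reason}")
```

Run against the two constructed lockfiles, the unchanged `stable-lib` produces no finding, while the version bump with a new install script, the silently replaced tarball, and the package fetched from outside the registry are each reported. In practice the two inputs would be the lockfile from the base branch and from the pull request.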
Socket can also produce a summary of vulnerabilities, thanks to integrations with generative AI APIs from Anthropic and OpenAI (with minimal hallucinations, one hopes). The platform can further, optionally, check that open source code is properly licensed, and thus legal, for re-use.
"Socket is for engineering teams and application security teams that use a tremendous amount of open source software," Aboukhadijeh said. "It integrates really well into the developer workflow and provides real-time insights during code reviews and dependency updates without overwhelming the user with false positives."
More companies than ever rely on open source software. A 2023 report by K2 intuit, in partnership with the Open Source Initiative and the Eclipse Foundation, noted that 95 percent of respondents said their organizations had increased, or at least maintained, their open source usage in the past year.
Given that the market for software supply chain security platforms is projected to reach as much as $3.5 billion by 2027, and is growing fast, it would be quite surprising to me if Socket had no competitors.
There's Oligo, which came out of stealth in February with $28 million in backing, and Endor, which emerged from stealth last October with $25 million. Meanwhile, Chainguard raised $50 million in early June.
What sets Socket apart, Aboukhadijeh argues, is the ability to catch code that other tools miss: namely, code to exfiltrate sensitive data. According to him, Socket detects more than 100 zero-day software supply chain attacks every week.
Socket's impressive list of backers, and clients, would suggest there's some credence to those claims.
Entrepreneur Elad Gil and Andreessen Horowitz also co-led Socket's Series B, along with Yahoo co-founder Jerry Yang (disclosure: Yahoo is TechCrunch's corporate parent), OpenAI chairman Bret Taylor, Twilio co-founder Jeff Lawson, and Shopify co-founder and CEO Tobias Lütke.
The company's customers, meanwhile, include Anthropic, Harvey, Figma, Vercel, one of the four biggest banks in the U.S., and "the largest and most well-recognized AI company." Interpret the last one how you will.
According to Aboukhadijeh, the new Series B round was "pre-emptive" because Socket hasn't used any of the Series A cash it raised last August.
"We're on track to grow revenue by 400% in 2024," Aboukhadijeh said in an interview with TechCrunch. "Socket now has more than 100 customers, protecting more than 7,500 organizations, defending 300,000 code repositories, and supporting more than 1 million developers worldwide."
The new cash brings Socket's total raised to $65 million during what Aboukhadijeh described as a pivotal moment in open source history. AI, he pointed out, is being used to write more and more code, which is introducing the potential for security holes.
Now was the time to raise the money, he said: new AI attack vectors have created a pressing need for Socket to bring security assurances to the code generated by these AI-powered tools. Socket's technology addresses this gap in the marketplace, according to Aboukhadijeh, and the additional funding will help scale its impact.
Socket, a 32-person company based in Stanford, now intends to grow to 50 employees across engineering, product, design, and sales by the end of the year.