The software supply chain is well known for being porous. 81% of the reported codebases contain high- or critical-risk open-source vulnerabilities. A single vulnerability could have wider impact on the broader software supply chain, as evidenced by something like the log4shell exploit, where millions of applications are seen exposed to potential remote code execution hacks through the log4J logging library.
Northern Ireland's startup Cloudsmith is set out to solve this exact problem with its cloud-native “Artifact Management Platform.” It promotes it as a more modern alternative to legacy software supply chain platforms such as JFrog and Sonatype.
To drive the next phase of growth, the startup on Monday said it raised $23 million in the Series B round led by TCV, with participation from Insight partners and some returning investors.
New Build
“Artifacts” in the Cloudsmith industry context refer to software packages, binary files, or components that are created or distributed throughout the software development process. This can be a library and its dependencies, configuration files, compiled applications, and more.
Companies usually write their own code, but they usually rely on third-party packages stored in public open source registry. These packages are required for build time (if the code is compiled into an executable format), but at that point the package may have changed versions or simply not available. This is where CloudSmith enters the fight and offers the “mirror” of these packages.
“CloudSmith acts as a private registry for these binary facts, so it will always be available in future builds, even if it changes or disappears from the original source,” Cloudsmith CEO Glenn Weinstein told TechCrunch. “CloudSmith ensures that your builds are repeatable and reliable, and offers centralized things
DevOps or Platform Engineering Teams will visualize what appears in production software. ”
However, even if the package is still available in open source repositories, security issues can be developed over time due to lack of maintenance or more difficult reasons. This is why CloudSmith scans vulnerabilities, licensing issues, and malware dependencies before publishing these packages to developers in a coding environment.
CloudSmith can support packages developed by customers in-house, but most of the artifacts stored on the platform are open source packages from regular indexes such as Pypi, Docker Hub, Maven Central, and NPMJS.
“As all data and software flows through CloudSmith, CloudSmith is an open source dependency security checkpoint. It scans, curates and blocks problematic artifacts before reaching production,” Weinstein said. “Cloudsmith clears the blind spots that many companies have in that they clearly monitor artifacts they use, whether private, public or open source.”
CloudSmithImageCredit: CloudSmith
Money is important
Founded in Belfast by Alan Carson and CTO Lee Skirne in 2016, Cloudsmith had previously raised $26 million in the Series A round, which began with $15 million in 2021 and ended with another $11 million in 2023.
Carson said introducing experienced startups and scale-up entrepreneurs allowed the two co-founders to focus more on their products, “vision, roadmap, architecture,” and a wide array of US companies and investors, including TCV and Insight Partner.
“These investors are a strong signal that Cloudsmith has shifted to category leadership,” Carson told TechCrunch in an email. “Under Glenn's leadership, Cloudsmith relies on us straight to the challenges of controlling and protecting large companies and software supply chains, and meeting strict compliance standards.”
Most of the 100 employees, including the two founders of Cloudsmith, are based in Belfast, but Weinstein says about three-quarters of its revenue comes from US customers.
CloudSmith plans to invest in new AI applications in R&D, hiring through sales, marketing and customer success with new funding. In fact, Weinstein said there is a “unique opportunity” to turn the vast banks of software package consumption data into “practical insights” for developers.
“We want to help developers choose better, safer open source packages,” Weinstein said. “We do this by helping our cybersecurity team create an internal curated registry, where it makes it easier for developers to source packages from internal curated repositories than from public registry.”
This includes making recommendations for similar packages that other Cloudsmith customers have accepted, such as switching from rarely updated or popular packages.
“This is the advice that developers rely on today, unofficial, but unofficial, “I've heard about this package,” and it turns it into advice that is available immediately through the Cloudsmith platform,” says Weinstein.