The software supply chain, which consists of the components and processes used to develop software, is becoming unstable. According to a recent study, 88% of companies believe that a poorly secured software supply chain poses an “enterprise-wide risk” to their organization.
Open source supply chain components are particularly challenging due to the logistical hurdles of properly maintaining each component. Security firm Synopsys found in a 2023 report that 89% of companies' codebases contain open source tools that are more than four years old. A 2024 report by Ponemon Institute found that more than half of organizations have experienced a software supply chain attack. Juniper Research estimates that these attacks could cost the economy approximately $81 billion in lost revenue and damage by 2026.
Socket, a startup that provides tools to detect security vulnerabilities in open source code, has raised $40 million to help address this problem.
CEO Feross Aboukhadijeh founded Socket in 2020. A prolific open source maintainer and lecturer on web security at Stanford University, Aboukhadijeh says he has come to believe that traditional security tools are inadequate to meet the challenges of modern software development.
“The extensive network of dependencies (thousands in number) poses significant security risks that cannot be mitigated with traditional tools,” Aboukhadijeh told TechCrunch. A dependency is a piece of software or library that your app depends on to function. “Even with rigorous reviews of internal code, external dependencies pose a risk of software supply chain attacks that are difficult to detect and manage,” continued Aboukhadijeh.
Socket's solution is a scanner that searches for malicious activity, such as backdoors and obfuscated code, within open source components and alerts developers when dependencies or packages are updated or added.
Through integration with Anthropic's and OpenAI's generative AI APIs, Socket can also generate vulnerability summaries (with hallucinations expected to be kept to a minimum). Additionally, the platform can optionally check whether reuse of open source code is properly licensed and therefore legal.
“Socket is designed for engineering and application security teams that rely heavily on open source software,” said Aboukhadijeh. “It integrates seamlessly into developer workflows and provides real-time insights during code reviews and dependency updates without overwhelming users with false positives.”
More software companies than ever are relying on open source. In a 2023 report published in collaboration with the Open Source Initiative and Eclipse Foundation, 95% of respondents said their organization's open source usage increased or at least remained the same in the past year.
The software supply chain security platform market is expected to grow to as much as $3.5 billion by 2027, so it's no surprise that Socket has competitors.
Oligo, a company focused on runtime app security and observability, came out of stealth in February with $28 million in backing. Endor emerged from stealth with $25 million in funding last October, following Chainguard's $50 million raise in early June.
A unique feature of Socket is its ability to catch harmful code that other tools might miss, especially code that extracts sensitive data, Aboukhadijeh claims. He claims that Socket detects more than 100 zero-day software supply chain attacks every week.
Identifying app dependencies using Socket. Image credit: Socket
Socket's impressive list of backers and clients would suggest that there is some credence to these claims.
Entrepreneur Elad Gil, Andreessen Horowitz, Yahoo co-founder Jerry Yang (disclosure: Yahoo is TechCrunch's parent company), OpenAI Chairman Bret Taylor, Twilio co-founder Jeff Lawson and Shopify co-founder and CEO Tobias Lütke participated in Socket's Series B.
Meanwhile, Socket's customers include Anthropic, one of the four largest U.S. banks, Harvey, Figma, Vercel and “the largest and best-known AI company.” (Feel free to interpret that last part as you wish.)
Aboukhadijeh claimed that Socket had not yet used the Series A funding it raised last August, and described the new Series B round as “preemptive.”
“We plan to increase our revenue by 400% in 2024,” Aboukhadijeh told TechCrunch. “Socket currently has over 100 customers, securing over 7,500 organizations, safeguarding 300,000 code repositories, and supporting over 1 million developers worldwide.”
The new cash brings Socket's total raised to $65 million, during what Aboukhadijeh described as a pivotal moment in open source history. He noted that AI is increasingly being used to write code, creating the potential for security holes.
“Now was the perfect time to raise these funds,” Aboukhadijeh said. “New AI attack vectors create a pressing need for Socket to bring security guarantees to the code generated by these AI-powered tools. Socket’s technology addresses this critical gap in the market, and the additional funding will help expand that impact.”
Socket, which currently has 32 employees, plans to grow its team to 50 people by the end of the year, with a focus on the engineering, product, design and sales aspects of the Stamford-based company.