Socket, a startup that provides a scanning tool to detect security vulnerabilities in open source code, today announced that it raised $20 million in a Series A round led by Andreessen Horowitz (a16z).
The tranche had participation from Abstract Ventures, Wndrco, Unusual Ventures and an impressively high-profile list of angel investors, including the co-founders of Box (Aaron Levie), Figma (Dylan Field), Okta (Frederic Kerrest), Vercel (Guillermo Rauch) and Eventbrite (Julia and Kevin Hartz).
CEO Feross Aboukhadijeh said that the new cash -- along with Socket's previous $4.6 million seed investment, which brings the company's total raised to $24.6 million -- will be put toward growing Socket's team and expanding its support for more programming languages and integrations.
"Over the past decade, it's become clear that open source software has won," Aboukhadijeh told TechCrunch in an email interview. "Sharing code freely has made it drastically cheaper and faster to build software -- and tech innovation has accelerated as a result. But security has often been an afterthought. New technology spreads because it's useful, not because it's safe. Criminals are exploiting the trust in open source software to carry out brazen attacks that spread destructive malware."
It's hard to argue with that point of view. According to a recent Tidelift survey, only 15% of organizations are extremely confident in their open source management practices. (Granted, Tidelift's a Socket rival and therefore not the most objective source.) The majority, the survey implies, have some concerns about keeping open source software up-to-date, secure and well-maintained.
Those organizations have reason to be concerned. Security firm Synopsys found in its 2023 trend study that 89% of companies' codebases contained open source that was more than four years out of date. Meanwhile, 91% used open software components that weren't the latest available version.
"The rate of software supply chain attacks continues to increase at an astronomical rate," Aboukhadijeh said. "Coupled with stricter regulatory penalties for breaches, mandatory reporting rules, as well as an explosion in the usage of open source within organizations, the risks -- and the awareness of those risks -- have never been greater."
Aboukhadijeh -- a prolific open source maintainer and a web security lecturer at Stanford -- makes the case that Socket is the solution to these open source software security woes. That's quite the assertion, considering the raft of other startups and incumbents claiming the same.
Oligo, a company that focuses on runtime app security and observability to detect and prevent open source vulnerabilities, came out of stealth in February backed by $28 million in venture capital. Endor emerged from stealth with $25 million last October, following Chainguard's $50 million raise in early June. Elsewhere, there's Stacklok, Arnica and Ox Security, which combined have raised over $50 million.
Google also delivers a service, Assured Open Source Software, that's designed to help developers defend against supply chain security attacks by regularly scanning and analyzing for vulnerabilities in some of the world’s most popular software libraries.
Aboukhadijeh says that what makes Socket different is that it doesn't merely look up software that a customer's using to see if the vulnerabilities have been reported to public databases. Instead, it goes deeper, attempting to cut down on noise that might crop up when analyzing thousands of lines of third-party code.
"Unlike a traditional security scanner, Socket can actually detect an active supply chain attack and help you to block it," Aboukhadijeh explained. "And unlike a traditional static analysis tool, Socket provides actionable feedback about dependency risk instead of hundreds of meaningless alerts."
Specifically, Socket looks for high-level red flags in software, such as malware, typo-squatting (registering commonly misspelled domain names for malicious purposes), misleading packages and unmaintained code in addition to unknown maintainers and excessive permissions. The platform offers a search function that allows users to dive into a codebase to find and track changes in dependencies, plus a free extension for web browsers that tries to determine whether an open source package is secure and trustworthy.
On trend with the rush to generative AI, Socket recently introduced a connector to ChatGPT, OpenAI's AI-powered chatbot, that summarizes potential issues in software packages, particularly "uncommon" code patterns.
"Most security software is typically sold to executives, so it tends to suck to actually use it," Aboukhadijeh said. "We’ve taken a different approach -- building a product that developers actually love. And for that reason, we’ve seen that security teams are actually excited to roll out Socket to their developers, something that’s unfortunately quite rare in the industry."
But is it all bluster? I was tempted to think so, cynical journalist I am -- but perhaps not. Since its founding in 2020, San Francisco–based Socket has attracted household-name customers, including Brave, Figma and Vercel (note that the co-founders of the latter two ended up investing in Socket). And if the company maintains its current trajectory, Aboukhadijeh expects that it will double in size, at least in terms of its workforce, within the next few months. The focus is on growing Socket's engineering, security, operations, sales and marketing teams.
"Security, more so than other industries, thrives on word-of-mouth," Aboukhadijeh added. "We’re proud to say that our users love Socket, and that’s driving our strong demand."