Socket Accelerates Open-Source Security With $40M Series B

Summary: Socket, a startup focused on open-source security, has raised $40 million in Series B funding to enhance its enterprise features and expand its programming language support. The company aims to address security risks associated with AI-generated code and differentiate itself from competitors like Snyk through deeper insights and a developer-centric approach.

Key Points:

  • Socket plans to grow its team from 32 to 100 employees to accelerate product delivery and enhance security features.
  • The company aims to provide deeper insights into software dependencies and open-source risks through its SBOM tools.
  • Socket focuses on preemptively catching vulnerabilities from AI-generated code to ensure safer production environments.
  • It differentiates itself by integrating security earlier in the development process and offering a more developer-focused experience.
  • Socket’s customer base includes major AI firms and financial institutions, highlighting its relevance in critical sectors.
Feross Aboukhadijeh, founder and CEO, Socket

A startup led by a former Stanford University lecturer raised $40 million to address customer needs around open-source security and the software bill of materials.

Series B funding will allow San Francisco-based Socket to add more enterprise features, expand programming language support, enhance the developer experience and add more application security capabilities, said founder and CEO Feross Aboukhadijeh. The proceeds will allow Socket to strengthen security around AI-generated code, with the CEO vowing to take on competitor Snyk – and win.

“It just seems like the right time to raise, to go faster, because we’re doing well,” Aboukhadijeh told Information Security Media Group. “Why not seize the opportunity and just use the funds to go faster? We’re going to use the funds to hire engineers, product people, designers, salespeople, and just try to deliver our roadmap faster for our customers.”

What Sets Socket’s Approach to Supply Chain Security Apart

Socket was founded in 2020 and employs 32 people, with plans to grow headcount to 100 workers within the next year. It completed a $20 million Series A funding round in August 2023 led by Andreessen Horowitz. The company has been led since inception by Aboukhadijeh, who spent several years as a visiting lecturer at Stanford and was an open-source developer at WebTorrent and Standard JS.

“There’s been a slowdown in the tech industry and some tightened security budgets, and so investors have expected companies to be doing less well right now,” Aboukhadijeh said. “But we’ve been experiencing the best growth in our whole company history. We’re on track to grow revenue 400% this year.”

Aboukhadijeh said Andreessen Horowitz and Abstract Ventures – which led the Series B funding – can help Socket grow more efficiently thanks to their networking capabilities and hands-on operational advice. Socket hasn’t touched its Series A money and hasn’t even finished spending its seed round investment, which Aboukhadijeh said will allow the company to pursue aggressive expansion without financial strain.

“A lot of these things could go faster if we had more people on the team,” Aboukhadijeh said. “When we raised our Series A, we were just five employees. So very, very small team. And so, we’re looking at that and just saying, ‘Why don’t we grow and why don’t we just build out the team and go faster and deliver our product to more people more quickly?’”

Socket is focused on delivering enterprise features such as SBOMs, expanding programming language support, and improving application security. Its SBOM tools aim to go beyond compliance, offering deeper insights into software dependencies and open-source risks. Expansion into more programming languages will allow larger enterprises with diverse environments to fully adopt Socket’s security tools (see: CISA Aiming to Improve SBOM Implementation With New Guidance).

“Probably the most useful thing today that you see people doing without Socket is maybe they’ll look at any vulnerabilities that are present in the dependencies, and they’ll look at maybe licenses,” he said. “That’s pretty much it. With Socket, you can do way more. You can detect zero-day software supply chain attacks. We’re doing a deep analysis into each of the components that are present in that SBOM.”

How Open-Source Software Jeopardizes Supply Chain Protection

Aboukhadijeh is concerned about the security risks introduced by AI-generated code, which often brings in outdated or vulnerable open-source dependencies. He sees an opportunity to offer security assurance tools that ensure code generated by AI assistants like GitHub Copilot is safe and does not introduce unnecessary risks. Vulnerabilities must be caught preemptively, before they enter production environments, he said.

“When Copilots are generating code, we see that oftentimes, they’ll generate dependencies on third-party code,” Aboukhadijeh said. “And so whenever we see that, we get really worried, because those AIs are trained on – a lot of times – outdated blog posts and outdated Stack Overflow answers, and so they’re often inducing developers to add really poor quality, low quality, open source dependencies.”

He said Socket differentiates itself from competitors like Snyk by offering a more developer-focused experience and deeper insights into open-source package vulnerabilities. The firm also integrates security at earlier stages of development, which helps mitigate risks from poorly maintained or malicious open-source dependencies. Socket’s customer base includes major AI firms and financial institutions, he said.

“What I like about that is it’s literally so early that, like, when we tell customers, they’re like, ‘No one’s ever tried to get that far ahead of it,’” Aboukhadijeh said. “And so we have customers that have rolled us out to all their developers through the Google workspace integration, where literally all developers just get this preinstalled on their Chrome.”

Source: https://www.healthcareinfosecurity.com/socket-accelerates-open-source-security-40m-series-b-a-26576