Socket Accelerates Open Source Security with $40M Series B

Socket plans to triple headcount after major growth and deliver open source tools faster

Michael Novinson • October 22, 2024

Feross Aboukhadijeh, Founder and CEO, Socket

A startup led by a former Stanford University lecturer raised $40 million to address customer needs around open source security and software bills of materials (SBOMs).

The Series B funding will allow San Francisco-based Socket to add more enterprise features, expand programming language support, improve the developer experience and add more application security features, said founder and CEO Feross Aboukhadijeh. The proceeds will also allow Socket to strengthen security around AI-generated code, with the CEO promising to take on rival Snyk – and win.


“It just seems like the right time to step up, to move faster, because we are doing well,” Aboukhadijeh told Information Security Media Group. “Why don’t we take advantage of the opportunity and use the resources to move forward faster? We will use the funds to hire engineers, product people, designers and salespeople and simply try to execute our roadmap more quickly for our customers.”


What sets Socket’s approach to supply chain security apart


Founded in 2020, Socket employs 32 people and plans to increase headcount to 100 within the next year. In August 2023, the company closed a $20 million Series A financing round led by Andreessen Horowitz. The company has been led since its inception by Aboukhadijeh, who spent several years as a visiting professor at Stanford and was an open source developer at WebTorrent and Standard JS.


“There has been a slowdown in the technology industry and some have cut security budgets, and so investors expected that companies would be doing less well right now,” Aboukhadijeh said. “But we have experienced the best growth in our entire company history. We are on track to increase sales by 400% this year.”


Aboukhadijeh said Andreessen Horowitz and Abstract Ventures – which led the Series B funding – can help Socket grow more efficiently thanks to their networking capabilities and practical operational advice. Socket hasn’t touched its Series A money yet or even spent its seed investment, which Aboukhadijeh says will allow the company to expand aggressively without financial strain.


“A lot of these things could happen faster if we had more people on the team,” Aboukhadijeh said. “When we launched our Series A, we were only five employees. So a very, very small team. And so we look at it and just say, ‘Why don’t we grow and why don’t we just expand? Improve the team and work faster and deliver our product to more people faster?’”


Socket focuses on providing enterprise features such as SBOMs, expanding programming language support, and improving application security. Its SBOM tools aim to go beyond compliance and provide deeper insight into software dependencies and open source risk. By expanding to additional programming languages, larger organizations with diverse environments can fully adopt Socket’s security tools (see: CISA aims to improve SBOM implementation with new guidance).


“Probably the most useful thing you see today when people go socketless is that they might look at all the vulnerabilities that exist in the dependencies, and they might look at licenses,” he said. “That’s pretty much it. You can do much more with Socket. You can detect zero-day attacks on the software supply chain. We are conducting a thorough analysis of every single component present in this SBOM.”


How open source software threatens supply chain protection


Aboukhadijeh is concerned about the security risks posed by AI-generated code, which often introduces outdated or vulnerable open source dependencies. He sees an opportunity to offer security assurance tools to ensure that the code generated by AI assistants like GitHub Copilot is secure and does not pose unnecessary risks. Vulnerabilities need to be identified preemptively before they reach production environments, he said.


“When copilots generate code, we often find that they create dependencies on third-party code,” Aboukhadijeh said. “And whenever we see that, we get really worried, because these AIs are – often – trained on outdated blog posts and outdated Stack Overflow answers, and so they often trick developers into adding really poor quality open source dependencies.”


He said Socket differs from competitors like Snyk by offering a more developer-focused experience and deeper insights into open source package vulnerabilities. The company also integrates security into earlier stages of development, which helps mitigate risks from poorly maintained or malicious open source dependencies. Socket’s customer base includes large AI companies and financial institutions, he said.


“What I like about it is that it’s literally so early that when we tell them, customers say, ‘Nobody has ever tried to advance this far,’” Aboukhadijeh said. “And so we have customers who have made us available to all of their developers through the Google Workspace integration, where literally all developers just get it pre-installed on their Chrome.”