Application Security , Application Security & Online Fraud , Fraud Management & Cybercrime

Socket Accelerates Open-Source Security With $40M Series B

Socket Plans to Triple Headcount After Big Growth, Deliver Open-Source Tools Faster
Socket Accelerates Open-Source Security With $40M Series B
Feross Aboukhadijeh, founder and CEO, Socket

A startup led by a former Stanford University lecturer raised $40 million to address customer needs around open-source security and the software bill of materials.

See Also: OnDemand: Mobile Apps are the New Endpoint

Series B funding will allow San Francisco-based Socket to add more enterprise features, expand programming language support, enhance the developer enterprise and add more application security capabilities, said founder and CEO Feross Aboukhadijeh. The proceeds will allow Socket to strengthen security around AI-generated code, with the CEO vowing to take on competitor Snyk - and win.

"It just seems like the right time to raise, to go faster, because we're doing well," Aboukhadijeh told Information Security Media Group. "Why not seize the opportunity and just use the funds to go faster? We're going to use the funds to hire engineers, product people, designers, salespeople, and just try to deliver our roadmap faster for our customers."

What Sets Socket's Approach to Supply Chain Security Apart

Socket was founded in 2020, employs 32 people, with plans to grow headcount to 100 workers within the next year. It completed a $20 million Series A funding round in August 2023 led by Andreessen Horowitz. The company has been led since inception by Aboukhadijeh, who spent several years as a visiting lecturer at Stanford and was an open source developer at WebTorrent and Standard JS.

"There's been a slowdown in the tech industry and some tightened security budgets, and so investors have expected companies to be doing less well right now," Aboukhadijeh said. "But we've been experiencing the best growth in our whole company history. We're on track to grow revenue 400% this year."

Aboukhadijeh said Andreessen Horowitz and Abstract Ventures - which led the Series B funding - can help Socket grow more efficiently thanks to their networking capabilities and hands-on operational advice. Socket hasn't touched its Series A money and hasn't even finished spending its seed round investment, which Aboukhadijeh said will allow the company to pursue aggressive expansion without financial strain.

"A lot of these things could go faster if we had more people on the team," Aboukhadijeh said. "When we raised our Series A, we were just five employees. So very, very small team. And so, we're looking at that and just saying, 'Why don't we grow and why don't we just build out the team and go faster and deliver our product to more people more quickly?'"

Socket is focused on delivering enterprise features such as SBOMs, expanding programming language support, and improving application security. Their SBOM tools aim to go beyond compliance, offering deeper insights into software dependencies and open-source risks. Expansion into more programming languages will allow larger enterprises with diverse environments to fully adopt Socket's security tools (see: CISA Aiming to Improve SBOM Implementation With New Guidance).

"Probably the most useful thing today that you see people doing without Socket is maybe they'll look at any vulnerabilities that are present in the dependencies, and they'll look at maybe licenses," he said. "That's pretty much it. With Socket, you can do way more. You can detect zero-day software supply chain attacks. We're doing a deep analysis into each of the components that are present in that SBOM."

How Open-Source Software Jeopardizes Supply Chain Protection

Aboukhadijeh is concerned about the security risks introduced by AI-generated code, which often brings in outdated or vulnerable open-source dependencies. He sees an opportunity to offer security assurance tools to ensure code generated by AI assistants like GitHub Copilot is safe and not debuting unnecessary risks. Vulnerabilities must be caught preemptively before they enter production environments, he said.

"When Copilots are generating code, we see that oftentimes, they'll generate dependencies on third-party code," Aboukhadijeh said. "And so whenever we see that, we get really worried, because those AIs are trained on - a lot of times - outdated blog posts and outdated Stack Overflow answers, and so they're often inducing developers to add really poor quality, low quality, open source dependencies."

He said Socket differentiates itself from competitors like Snyk by offering a more developer-focused experience and deeper insights into open-source package vulnerabilities. The firm also integrates security at earlier stages of development, which helps mitigate risks from poorly maintained or malicious open-source dependencies. Socket's customer base includes major AI firms and financial institutions, he said.

"What I like about that is it's literally so early that, like, when we tell customers, they're like, 'No one's ever tried to get that far ahead of it,'" Aboukhadijeh said. "And so we have customers that have rolled us out to all their developers through the Google workspace integration, where literally all developers just get this preinstalled on their Chrome."


About the Author

Michael Novinson

Michael Novinson

Managing Editor, Business, ISMG

Novinson is responsible for covering the vendor and technology landscape. Prior to joining ISMG, he spent four and a half years covering all the major cybersecurity vendors at CRN, with a focus on their programs and offerings for IT service providers. He was recognized for his breaking news coverage of the August 2019 coordinated ransomware attack against local governments in Texas as well as for his continued reporting around the SolarWinds hack in late 2020 and early 2021.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.