The software supply chain, which comprises the components and processes used to develop software, has become precarious. According to one recent survey, 88% of companies believe poor software supply chain security presents an “enterprise-wide risk” to their organizations.

Open source supply chain components are especially fraught, thanks to the logistical hurdles in keeping each component well-maintained. Security firm Synopsys found in its 2023 report that 89% of businesses’ codebases contained open source tools over four years out of date. A 2024 report by the Ponemon Institute found that over half of organizations have experienced a software supply chain attack. These attacks could cost the economy almost $81 billion in lost revenue and damages by 2026, estimates Juniper Research.

Socket, a startup that provides tools to detect security vulnerabilities in open source code, has raised $40 million to help address the problem.

CEO Feross Aboukhadijeh founded Socket in 2020. A prolific open-source maintainer and web security lecturer at Stanford, Aboukhadijeh says he came to believe that traditional security tools were insufficient to address the challenges of modern software development.

“The extensive network of dependencies — numbering in the thousands — pose significant security risks that traditional tools fail to mitigate,” Aboukhadijeh told TechCrunch. Dependencies are pieces of software or libraries that an app relies on to function. “Even with rigorous internal code reviews, external dependencies introduce the risk of software supply chain attacks that are hard to detect and manage,” Aboukhadijeh continued.

Socket’s solution is a scanner that looks for malicious activity, like backdoors and obfuscated code, in open source components, and alerts developers when dependencies and packages are updated or added.

Through integrations with generative AI APIs from Anthropic and OpenAI, Socket can also generate summaries of vulnerabilities (with minimal hallucinations, one hopes). In addition, the platform can optionally check to see that open source code is properly licensed — and therefore legal — for re-use.

“Socket is designed for engineering teams and application security teams who rely heavily on open-source software,” Aboukhadijeh said. “It integrates seamlessly into the developer workflow, providing real-time insights during code reviews and dependency updates without overwhelming users with false positives.”

More software companies are relying on open source than ever before. In a 2023 report published in collaboration with the Open Source Initiative and the Eclipse Foundation, 95% of respondents said that their organizations increased — or at least maintained — their open-source usage in the past year.

With the software supply chain security platform market expected to grow to as much as $3.5 billion by 2027, it’s not surprising that Socket has rivals.

Oligo, a company that focuses on runtime app security and observability, came out of stealth in February backed by $28 million. Endor emerged from stealth with $25 million last October, following Chainguard’s $50 million raise in early June. 

What sets Socket apart, Aboukhadijeh argues, is its ability to catch possibly harmful code other tools miss — in particular code to exfiltrate sensitive data. Socket is detecting over 100 zero-day software supply chain attacks every week, he claims.

Socket’s impressive list of backers — and clients — would suggest that there’s some credence to those assertions.

Entrepreneur Elad Gil and Andreessen Horowitz participated in Socket’s Series B, along with Yahoo co-founder Jerry Yang (disclosure: Yahoo is TechCrunch’s corporate parent), OpenAI chairman Bret Taylor, Twilio co-founder Jef Lawson, and Shopify co-founder and CEO Tobias Lütke.

Socket’s customers, meanwhile, include Anthropic, Harvey, Figma, Vercel, one of the four biggest banks in the U.S., and “the largest and most well-recognized AI company.” (Interpret the last one as you will.)

Aboukhadijeh described the new Series B round as “pre-emptive,” claiming that Socket still hasn’t spent the Series A cash that it raised last August.

“We are on track to grow revenue by 400% in 2024,” Aboukhadijeh told TechCrunch. “Socket currently has over 100 customers and protects more than 7,500 organizations, defending 300,000 code repositories and supporting over 1 million developers worldwide.”

The new cash brings Socket’s total raised to $65 million during what Aboukhadijeh described as a pivotal moment in open source history. AI, he pointed out, is being used to write more and more code, which is introducing the potential for security holes.

“Now was the right time to raise these funds,” Aboukhadijeh said. “New AI attack vectors have created a pressing need for Socket to bring security assurances to the code generated by these AI-powered tools. Socket’s technology addresses this critical gap in the market, and the additional funding will help scale its impact.”

Socket, which has 32 employees today, plans to grow its team to 50 people by the end of the year with a focus on the engineering, product, design, and sales sides of the Stanford-based company.