SECURITY
Cybersecurity startup Socket Inc. today disclosed that it has raised $60 million in funding at a $1 billion valuation.
Thrive Capital led the Series C round with participation from Andreessen Horowitz, Capital One Ventures and others. The investment brings Socket’s total outside funding to $125 million.
Developers often incorporate open-source components, or packages, into their software projects. They usually download such modules using a program called a package manager that speeds up installation-related tasks. In recent years, package managers have emerged as a major target of cyberattacks. Hackers inject malicious code into legitimate open-source projects to compromise developer machines.
“A lot of what AI produces reaches for open source dependencies developers have never read,” founder and Chief Executive Officer Feross Aboukhadijeh wrote in a blog post. “The volume of third-party code entering production keeps going up, the time anyone spends reviewing it keeps going down, and security tools from the previous era can’t keep up.”
Socket provides a platform that blocks malicious packages before developers download them. According to the company, it scans open-source modules for not only malware but also known vulnerabilities and license restrictions. Socket says that it blocks more than 1,000 supply chain attacks per week for users.
Customers can customize how the platform responds to risky downloads. For example, a software team could configure Socket to display a warning when a developer installs a package that doesn’t receive regular updates. A feature called Monitor enables administrators to have the platform monitor potentially risky components over time.
Besides blocking malicious downloads, Socket’s platform also helps developers fix vulnerabilities in the open-source code they’ve already installed. A built-in scanner can check an application for malicious packages in a few seconds. From there, a tool called Socket Reachability filters out vulnerabilities that don’t have to be urgently fixed because they can’t be exploited by hackers. Socket says the tool reduces false positives by up to 90%.
Patching a vulnerable component can involve a significant amount of work. Developers must check whether the update may cause issues in the application that uses the open-source code being modified. Furthermore, installing patches is often a complicated process that requires configuration changes and specialized tools.
Socket provides a service called Socket Certified Patches that streamlines the workflow. According to the company, it checks patches for reliability issues using artificial intelligence to spare developers the hassle. Updates can be installed with a single command, which avoids the manual steps usually involved in the process.
Another Socket tool promises to help developers reduce the number of transitive dependencies in their applications. A transitive dependency is an open-source package that includes other open-source packages. The more components there are in a code bundle, the higher the chance that it contains vulnerabilities. Socket also provides a collection of 130 optimized packages that contain few or no dependencies.
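To make the transitive-dependency point concrete, here is an added example (not Socket’s code, and not tied to any of its tools) that walks a constructed dependency graph, separates the packages an application asked for from the ones that arrived indirectly, and shows which direct dependency drags in the largest share. The package names and the graph are placeholders built for the example; a real tool would read them from a lockfile.

```python
"""Count direct vs. transitive dependencies in a constructed dependency graph.

Added example, not code from Socket. The graph is hand-built with placeholder
package names in the shape a parsed lockfile would give (package -> direct deps).
"""
from collections import deque

# Constructed sample graph; names are placeholders, not real packages.
SAMPLE_GRAPH = {
    "app": ["web-framework", "logger"],
    "web-framework": ["http-parser", "router", "logger"],
    "router": ["path-matcher"],
    "path-matcher": [],
    "http-parser": ["bytes-util"],
    "bytes-util": [],
    "logger": ["colorize"],
    "colorize": [],
}


def transitive_closure(graph, root):
    """Return every package reachable from root, excluding root itself.

    Breadth-first walk with a visited set, so cycles in the graph (which real
    ecosystems do contain) terminate instead of looping forever.
    """
    seen = {root}
    queue = deque(graph.get(root, []))
    while queue:
        pkg = queue.popleft()
        if pkg in seen:
            continue
        seen.add(pkg)
        queue.extend(graph.get(pkg, []))
    seen.discard(root)
    return seen


def dependency_report(graph, root):
    """Summarise what root actually pulls into a build.

    'direct' is what the project declared; 'transitive' is everything else
    that ships with it; 'footprint' is the number of packages each direct
    dependency brings in on its own, which is where trimming usually starts.
    """
    direct = set(graph.get(root, []))
    everything = transitive_closure(graph, root)
    footprint = {dep: len(transitive_closure(graph, dep)) for dep in direct}
    return {
        "direct": sorted(direct),
        "transitive": sorted(everything - direct),
        "total": len(everything),
        "footprint": footprint,
    }


if __name__ == "__main__":
    report = dependency_report(SAMPLE_GRAPH, "app")
    print(f"direct: {report['direct']}")
    print(f"transitive: {report['transitive']}")
    print(f"total packages in the bundle: {report['total']}")
    for dep, count in sorted(report["footprint"].items(), key=lambda kv: -kv[1]):
        print(f"  {dep} brings in {count} package(s)")
```

Run on the sample graph, the application declares two dependencies but ends up with seven packages in the bundle, and a single direct dependency accounts for six of them. That ratio is the reason the article’s “more components, more chance of a vulnerability” argument applies even to small projects, and the footprint figure is the one to look at when deciding which dependency to replace with a leaner alternative.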
The company will use the proceeds from its funding round to hire more employees and enhance its platform. In particular, it plans to add new integrations with third-party developer tools such as code editors. Socket also intends to release several new products.