Earlier this year, the world came within a few weeks of a disastrous cyber security failure that would have enabled bad actors to penetrate the IT systems of millions of organisations worldwide. The XZ vulnerability was uncovered almost by accident - and has left cyber security professionals such as Feross Aboukhadijeh, the founder and CEO of San Francisco start-up Socket, badly shaken. "It is almost impossible to overstate how catastrophic this nearly was," Aboukhadijeh says. "We got incredibly lucky - the thought of it still gives me sleepless nights."
The incident hardened Aboukhadijeh's belief that new solutions are now needed in a world where the use of open-source software has become ubiquitous. Socket, which is today announcing a $40 million Series B funding round, is at the forefront of companies developing such solutions.
Once upon a time, developers wrote all new code for applications and software products from scratch; this code became proprietary information, owned and restricted by the company. Today, by contrast, developers make heavy use of open-source code - publicly available code that anyone can use to do a specific job in an application. This makes perfect sense: software developers everywhere no longer have to keep writing their own code for problems other people have already solved, saving time and money.
By some estimates, open-source code now accounts for more than 90% of all code in a modern software application. It's largely been a positive development, says Aboukhadijeh, but does cause problems. "Developers are using thousands or tens of thousands of open-source components, and they don't fully understand what they're pulling in," he says. "They're effectively taking huge amounts of code on trust."
It's exactly this issue that attackers such as those behind the XZ threat now seek to exploit. Open-source code is hugely attractive to bad actors - get your attack into a popular piece of code and it will provide you with a means to target every organisation that uses it in an application. It's cyber attack on an industrial scale.
There is no shortage of security products supposedly designed to mitigate this risk. But Aboukhadijeh argues most of them aren't fit for purpose. Software composition analysis tools merely identify which open-source components an application is using; vulnerability scanning tools largely rely on public databases of known bugs and problems, and aren't really designed to catch deliberately malicious code. Supply chain attacks, as attacks delivered through open-source code are known, continue to proliferate.
That's where Socket comes in. Its tools proactively monitor apps and other software built with open-source code, scanning them for malicious behaviours and features such as backdoors, typo-squatting and obfuscated code. The idea is that companies test new components using Socket's technology before installing them on their servers, so that any vulnerabilities or attacks can be identified and eliminated before they cause problems.
"Our customers don't let new components through until they've passed the Socket test," says Aboukhadijeh. "We also report anything we find so that everyone is warned about new threats."
Socket's sales have grown quickly since the business's full-scale commercial launch around 18 months ago, with revenues up 450% over the past 12 months. Customers come from both the technology sector - including the likes of artificial intelligence giant Anthropic - and verticals such as financial services and consumer businesses.
Guillermo Rauch, CEO of Vercel, one of those customers, says Socket has helped its developers to continue building new products quickly while managing risk more effectively. "Socket is one of the rare companies that enables security without compromising developer experience," he says. "Customers can adopt the latest open-source tools without second-guessing every dependency."
Yan Zhu, chief information security officer at Brave, another customer, adds: "Socket is like an X-ray into open-source dependencies, going above and beyond to detect issues that aren't yet known vulnerabilities within the security community."
Such testimonials and the company's rapid growth have attracted investors keen to support further acceleration at Socket, which now plans to significantly increase its headcount.
Today's $40 million Series B round is led by Abstract Ventures, with participation from Elad Gil, Andreessen Horowitz, and a large group of angel investors. The round takes the total amount of cash raised by the company to $61 million since its launch in 2022.
Zane Lackey, general partner at Andreessen Horowitz, says: "This team knows how to build products that developers love, they understand security, and they're tackling an urgent problem for a community they've been part of for more than two decades."