Software security startup Sonatype lands $80M in new funding


After growing revenues 81 percent in the first half of 2018, fast-rising software security provider Sonatype Inc. today announced that it has secured an $80 million round led by private-equity heavyweight TPG LLC.

Maryland-based Sonatype sells a platform that enables companies to control what goes into their applications. The software, dubbed Nexus, focuses on mitigating the potential risk from open-source components that developers incorporate into projects.

The vast majority of organizations draw on the open-source ecosystem for software components and many of the most important enterprise technologies to have emerged in recent years, such as Kubernetes, are distributed under a free license. But there’s a risk involved as well. According to a study that Sonatype released last year, 1 in 18 open-source components downloaded by developers contained at least one known security vulnerability.

The startup’s Nexus platform provides features that enable software teams to catch insecure code before it’s released to production. The offering is built around a repository manager that acts as a centralized hub where developers can store oft-used software components. On top of easing access, the fact that everything is kept in one place makes it possible to enforce security rules more effectively.

Nexus comes with a scanner that checks every open-source component for known vulnerabilities. According to Sonatype, the software prioritizes issues in order of severity and generates project-level statistics for a higher-level view of security. In conjunction, the dashboard looks for licensing limitations that may make it difficult for a company to use an open-source component.

The scanning features are complemented by a firewall that automatically enforces an organization’s security policies. Companies can configure Nexus to block vulnerable open-source components before they’re even introduced into the development cycle.
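To make the scan-prioritize-block workflow described above concrete, here is a small added example (not Sonatype's code) that checks a dependency manifest against a known-vulnerability feed, flags denied licenses, ranks findings by severity and applies a block-at-severity policy. The manifest, vulnerability IDs, severities and license table are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample data (not a real feed): manifest entries, a vulnerability
# feed keyed by (name, version), and a license table keyed by component name.
MANIFEST = [("web-framework", "2.1.0"), ("json-lib", "1.4.2"), ("log-util", "0.9.1")]
VULN_FEED = {
    ("json-lib", "1.4.2"): [("EXAMPLE-2018-0001", "high")],
    ("log-util", "0.9.1"): [("EXAMPLE-2018-0002", "medium"), ("EXAMPLE-2018-0003", "critical")],
}
LICENSES = {"web-framework": "Apache-2.0", "json-lib": "MIT", "log-util": "AGPL-3.0"}

@dataclass
class Policy:
    block_at: str = "high"  # block any component with a finding at or above this severity
    denied_licenses: Set[str] = field(default_factory=lambda: {"AGPL-3.0"})

@dataclass
class Finding:
    component: str
    version: str
    max_severity: Optional[str]  # None when no known vulnerability matched
    vuln_ids: List[str]
    license_ok: bool
    blocked: bool

def evaluate(manifest, feed, licenses, policy: Policy) -> List[Finding]:
    """One Finding per component, most severe first; blocked if severity >= policy.block_at
    or the component's license is on the deny list."""
    findings = []
    for name, version in manifest:
        vulns = feed.get((name, version), [])
        max_sev = max((sev for _, sev in vulns), key=SEVERITY_RANK.get, default=None)
        license_ok = licenses.get(name) not in policy.denied_licenses
        over_threshold = max_sev is not None and SEVERITY_RANK[max_sev] >= SEVERITY_RANK[policy.block_at]
        findings.append(Finding(name, version, max_sev, [vid for vid, _ in vulns],
                                license_ok, over_threshold or not license_ok))
    findings.sort(key=lambda f: SEVERITY_RANK.get(f.max_severity, 0), reverse=True)
    return findings

def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Project-level statistics of the kind a dashboard would show."""
    return {"components": len(findings),
            "vulnerable": sum(1 for f in findings if f.vuln_ids),
            "blocked": sum(1 for f in findings if f.blocked),
            "license_issues": sum(1 for f in findings if not f.license_ok)}

if __name__ == "__main__":
    results = evaluate(MANIFEST, VULN_FEED, LICENSES, Policy())
    for f in results:
        print(("BLOCK" if f.blocked else "allow"), f"{f.component}@{f.version}", f.max_severity, f.vuln_ids)
    print(summarize(results))
```

Raising `block_at` to "critical" and clearing `denied_licenses` lets json-lib through while still stopping log-util, which is the kind of per-organization tuning the policy firewall is meant for.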

Sonatype boasts more than 1,000 customers, including Aetna Inc., Intuit Inc., Delta Air Lines Inc. and other major enterprises. The startup has raised more than $154 million from investors to date.

Sonatype is one of the better-funded players in the crowded code security segment. Another venture-backed contender is Semmle Inc., a startup that’s trying to automate vulnerability detection. It has developed a platform that can learn how to identify multiple variations of the same programming mistake by applying principles from the fields of object-oriented programming and database design.