Socket, a startup that provides a scanning tool to detect security vulnerabilities in open source code, today announced that it raised $20 million in a Series A round led by Andreessen Horowitz (a16z).

The tranche had participation from Abstract Ventures, Wndrco, Unusual Ventures and an impressively high-profile list of angel investors, including the co-founders of Box (Aaron Levie), Figma (Dylan Field), Okta (Frederic Kerrest), Vercel (Guillermo Rauch) and Eventbrite (Julia and Kevin Hartz).

CEO Feross Aboukhadijeh said that the new cash — along with Socket’s previous $4.6 million seed investment, which brings the company’s total raised to $24.6 million — will be put toward growing Socket’s team and expanding its support for more programming languages and integrations.“Over the past decade, it’s become clear that open source software has won,” Aboukhadijeh told TechCrunch in an email interview. “Sharing code freely has made it drastically cheaper and faster to build software — and tech innovation has accelerated as a result. But security has often been an afterthought. New technology spreads because it’s useful, not because it’s safe. Criminals are exploiting the trust in open source software to carry out brazen attacks that spread destructive malware.”

It’s hard to argue with that point of view. According to a recent Tidelift survey, only 15% of organizations are extremely confident in their open source management practices. (Granted, Tidelift’s a Socket rival and therefore not the most objective source.) The majority, the survey implies, have some concerns about keeping open source software up-to-date, secure and well-maintained.

Those organizations have reason to be concerned. Security firm Synopsys found in its 2023 trend study that 89% of companies’ codebases contained open source that was more than four years out of date. Meanwhile, 91% used open software components that weren’t the latest available version.“The rate of software supply chain attacks continues to increase at an astronomical rate,” Aboukhadijeh said. “Coupled with stricter regulatory penalties for breaches, mandatory reporting rules, as well as an explosion in the usage of open source within organizations, the risks — and the awareness of those risks — have never been greater.”

Aboukhadijeh — a prolific open source maintainer and a web security lecturer at Stanford — makes the case that Socket is the solution to these open source software security woes. That’s quite the assertion, considering the raft of other startups and incumbents claiming the same.

Oligo, a company that focuses on runtime app security and observability to detect and prevent open source vulnerabilities, came out of stealth in February backed by $28 million in venture capital. Endor emerged from stealth with $25 million last October, following Chainguard’s $50 million raise in early June. Elsewhere, there’s Stacklok, Arnica and Ox Security, which combined have raised over $50 million.