Sonatype, which secures open source code, lays groundwork for IPO

As security for software development rises up the list of corporate priorities, one of the pioneers in the space, Sonatype, aims to seize the opportunity by going public as early as this year.

Sonatype coined the term “software supply chain management,” said CEO Wayne Jackson, for technology that enables the open source code used by developers to meet quality and security requirements. Now, the fast-growing company aims to be one of the first in software supply chain security to complete an initial public offering. The Sonatype IPO could come “as soon as late this year,” though it’s more likely to arrive in 2023, Jackson told VentureBeat.

Naturally, the vendor has begun laying the foundation for an IPO, he said, including with a major executive hire announced today. Alex Berry has joined Sonatype as its first-ever president, coming to the company from Vector Solutions, where he’d served as chief revenue officer.

The disclosure of the IPO aspirations follows a December report from Bloomberg that one of Sonatype’s top competitors, Snyk, is preparing to go public as soon as the middle of this year.

Growth surge

Other signs that an IPO could be on the horizon: Sonatype surpassed $100 million in annual recurring revenue during the fourth quarter of 2021, up 30% from the same period the year before, Jackson said. And the growth pace is actually expected to accelerate this year, to between 35% and 40%, he said.

In 2021, the company also added more than 350 customers and hired aggressively, expanding its staff by 80% with the addition of 200 employees. Sonatype aims to add another 250 people in 2022 and reach a headcount of 700 by year’s end.

But as much as the company has been growing, “we’re just at the beginning of this market expansion and market awareness,” Berry said in an interview.

While software vulnerabilities have long ranked as a concern for businesses, the issue is “much more in the mainstream now” as a result of widespread critical flaws such as the vulnerability in Apache Log4j, he said. The vulnerability, disclosed in December, is believed to have affected the majority of companies because it’s found in a widely used open source logging library.

Meanwhile, high-profile compromises in the software supply chain, such as the attacks on SolarWinds and Kaseya, have also led to greater awareness of the problem. And according to data from Aqua Security, attacks involving the software supply chain surged by more than 300% overall in 2021.

While software supply chain security has turned into a red-hot market over the past few years, Sonatype has been “thinking about the software development process in supply chain terms” for the last decade, Jackson said.

And that early start, combined with the company’s ongoing innovation, has positioned the company to capitalize on the current environment, the Sonatype executives said.

Other players in software supply chain security “don’t have our track record. They don’t have our scale. And they certainly aren’t putting forth the effort that we are [in terms of] growth and the hiring and attacking the market,” Berry said.

Analyzing code

While Sonatype offers a number of different capabilities within application security, its core offering is around software composition analysis (SCA). The company’s Nexus Lifecycle product, which generates two-thirds of its revenue, enables customers to automatically discover open source vulnerabilities, and then fix them, throughout the software development process.

Nexus Lifecycle does this by leveraging a massive dataset that describes the attributes of most of the open source components in existence, Jackson said. The platform then combines that data with a “rich” policy infrastructure that allows organizations to define what’s acceptable to them, “and what they want to encourage their developers to use,” he said.

Ultimately, bringing these capabilities together “allows for the automation of how you optimize your software supply chain,” Jackson said.

A newer Sonatype product, also in the realm of SCA, is Nexus Firewall, which “does for open source what traditional firewalls do for packets,” he said. The product looks at the software components that are being requested by a development function, then decides whether the components should be allowed into an organization’s development pipeline.

Nexus Firewall helps to prevent vulnerabilities because it intercepts malicious content before it can be downloaded during software development, Jackson said.
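As an added illustration (not Sonatype’s code, and not a description of how Nexus Lifecycle or Nexus Firewall work internally), the Python below sketches the two ideas this section describes: a dataset of component attributes combined with an organization-defined policy, applied both as a scan-and-fix pass over a build’s dependencies and as a gate that decides whether a requested component may enter the pipeline. All component names, versions, licenses and advisory ids are constructed.

```python
from dataclasses import dataclass

# Constructed component-attribute dataset: a stand-in for a vendor's database of
# open source component attributes. Names, versions and advisory ids are made up.
COMPONENT_DB = {
    ("org.example", "logkit", "1.0.0"): {
        "license": "Apache-2.0", "max_cvss": 9.8, "advisories": ["EXAMPLE-2021-0001"]},
    ("org.example", "logkit", "1.0.5"): {
        "license": "Apache-2.0", "max_cvss": 0.0, "advisories": []},
    ("org.example", "fastparse", "2.3.1"): {
        "license": "GPL-3.0-only", "max_cvss": 0.0, "advisories": []},
}

@dataclass(frozen=True)
class Policy:
    """Organization-defined acceptability rules (the 'policy infrastructure')."""
    max_cvss: float = 6.9                       # block High/Critical advisories
    denied_licenses: frozenset = frozenset({"GPL-3.0-only"})
    block_unknown: bool = True                  # fail closed on unknown components

def evaluate(component, policy=Policy()):
    """Return (allowed, reasons) for one (group, name, version) tuple."""
    attrs = COMPONENT_DB.get(component)
    if attrs is None:
        return (not policy.block_unknown), (["not in dataset"] if policy.block_unknown else [])
    reasons = []
    if attrs["max_cvss"] > policy.max_cvss:
        reasons.append(f"CVSS {attrs['max_cvss']} > {policy.max_cvss} ({', '.join(attrs['advisories'])})")
    if attrs["license"] in policy.denied_licenses:
        reasons.append(f"license {attrs['license']} denied")
    return (not reasons), reasons

def suggest_fix(component, policy=Policy()):
    """Highest policy-compliant version of the same component, or None."""
    group, name, _ = component
    ok = [c for c in COMPONENT_DB if c[:2] == (group, name) and evaluate(c, policy)[0]]
    return max(ok, key=lambda c: tuple(int(p) for p in c[2].split("."))) if ok else None

def gate_download(component, policy=Policy()):
    """Firewall-style decision taken before a requested component is fetched."""
    allowed, reasons = evaluate(component, policy)
    return {"component": component, "allowed": allowed, "reasons": reasons,
            "fix": None if allowed else suggest_fix(component, policy)}

def scan_manifest(manifest, policy=Policy()):
    """Lifecycle-style pass over a build's declared dependencies."""
    return [gate_download(c, policy) for c in manifest]
```

The unknown-component case is deliberately fail-closed: a gate that waves through anything absent from the dataset would let a freshly published malicious package straight into the pipeline.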

Crowded market

The SCA market includes a number of other major vendors, including Checkmarx, Contrast Security, JFrog, Snyk, Synopsys, Veracode, WhiteHat (owned by NTT), and WhiteSource. GitHub (owned by Microsoft) and GitLab also offer SCA capabilities as part of their offerings.

But there’s still plenty of room for growth in the market: Fewer than 50% of companies have adopted tools for SCA, and interest in the tools is climbing, according to a report from Gartner last fall.

Compared to some competitors, however, Sonatype’s focus “has always been on solving problems at enterprise scale, as opposed to just being a handy utility for developers,” Jackson said.

Sonatype’s customer list includes BNP Paribas, American Express, Comcast, Red Hat, TD Bank, BJ’s Wholesale Club, Equifax, BNY Mellon, Discover, and Liberty Mutual. The company continuously monitors 34,000 applications in all, according to Jackson.

Fulton, Maryland-based Sonatype was founded in 2008 by Brian Fox, who is currently chief technology officer of the company, and Jason van Zyl, who previously served as CTO and is no longer with the company.

Vista Equity Partners has been the majority owner of Sonatype since November 2019. Last March, the company made an acquisition of its own, picking up code analysis platform MuseDev to expand its Nexus platform.

Along with potentially following Snyk into public ownership, Sonatype also aims to join JFrog, which went public in 2020, and GitLab, which completed its IPO last fall.

Raising the profile

The arrival of Berry at Sonatype coincides with the company’s next big growth push, the executives said. Berry said he brings experience in scaling companies with major growth potential, which he has done previously in executive roles at Vector Solutions, Syniti, and Neustar.

“I’ve framed my career on seeking out companies that have great product innovation and market opportunity, but need a little help and injection of energy around the go-to-market,” he said.

Over the years, Sonatype has been a “quiet, consistent grower,” Jackson said, expanding its revenue by 30% to 40% annually since he joined in 2010.

“We haven’t made a ton of noise while growing to our current scale,” he said. “But we’re looking to change that, and really raise our profile, to the extent that I think the company has earned.”