Sonatype, which secures open source code, prepares its IPO



As security for software development climbs higher on companies’ priority lists, one of the pioneers in the field, Sonatype, aims to seize the opportunity by going public this year.

Sonatype coined the term “software supply chain management,” said CEO Wayne Jackson, for technology that enables open-source code used by developers to meet quality and security requirements. Today, the fast-growing company aims to be one of the first in the software supply chain security space to complete an initial public offering. Sonatype’s IPO could happen “as early as the end of this year,” though it’s more likely to happen in 2023, Jackson told VentureBeat.

Naturally, the vendor has started laying the groundwork for an IPO, he said, including with a major executive hire announced today. Alex Berry joined Sonatype as its first-ever president, coming from Vector Solutions, where he served as chief revenue officer.

The disclosure of IPO aspirations follows a report from Bloomberg that one of Sonatype’s main competitors, Snyk, is set to go public as early as the middle of this year.

Growth acceleration

Other signs that an IPO could be on the horizon: Sonatype surpassed $100 million in annual recurring revenue during the fourth quarter of 2021, up 30% from the same period a year earlier, Jackson said. And the pace of growth should actually pick up this year, to between 35% and 40%, he said.

In 2021, the company also added more than 350 customers and hired aggressively, growing its staff by 80% with the addition of 200 employees. Sonatype aims to add an additional 250 people in 2022 and reach a headcount of 700 by the end of the year.

Yet despite the company’s growth, “we’re only at the beginning of this market expansion and market awareness,” Berry said in an interview.

While software vulnerabilities have long been a concern for businesses, the problem is “much more common now” due to widespread critical flaws such as the Apache Log4j vulnerability, he said. The vulnerability, disclosed in December, would have affected the majority of companies since it is in a widely used open-source logging library.

Meanwhile, high-profile compromises in the software supply chain, such as the attacks on SolarWinds and Kaseya, have also led to greater awareness of the problem. And according to data from Aqua Security, global attacks involving the software supply chain increased by more than 300% in 2021.

While software supply chain security has become a hot market in recent years, Sonatype has been “thinking about the software development process in terms of supply chain” over the past decade, said Jackson.

And that early start — combined with the company’s continued innovation — has positioned the company to capitalize in this current environment, Sonatype executives said.

Other software supply chain security players “don’t have our track record. They don’t have our scale. And they sure don’t make the effort that we do [in terms of] growth and hiring and market attack,” Berry said.

Analyze the code

Although Sonatype offers a number of different features within the scope of application security, its core offering is Software Composition Analysis (SCA). The company’s Nexus Lifecycle product, which generates two-thirds of its revenue, enables customers to automatically discover open source vulnerabilities and then fix them, throughout the software development process.

To do this, Nexus Lifecycle leverages a massive dataset that describes the attributes of most existing open-source components, Jackson said. The platform then combines that data with a “rich” policy infrastructure that lets organizations define what’s acceptable to them, “and what they want to encourage their developers to use,” he said.

Ultimately, bringing these capabilities together “automates how you optimize your software supply chain,” Jackson said.

A new Sonatype product, also in the SCA realm, is Nexus Firewall – which “does for open source what traditional firewalls do for packets,” he said. The product examines software components that are requested by a development function and then decides whether the components should be allowed into an organization’s development pipeline.

Nexus Firewall helps prevent vulnerabilities because it intercepts malicious components before they can be downloaded during software development, Jackson said.
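The two product descriptions above amount to one mechanism: look up a requested component’s attributes in a catalogue, evaluate them against the organisation’s policy, and either admit the component or block it, ideally pointing at a version that would pass. The following is an added illustration of that policy-gating idea, not Sonatype’s code or data; the catalogue entries, component names, licenses and severity values are all constructed for the example.

```python
"""Policy-gated admission of open-source components, modelled on the
SCA "firewall" idea in the article: a requested component is looked up
in a catalogue of component attributes, checked against an organisation's
policy, and either admitted to the pipeline or blocked with reasons.

Illustrative example only. The catalogue, policy and every component,
license and severity value below are constructed, not vendor data.
"""
from dataclasses import dataclass, field

# Ordering used to compare a component's worst known issue with the policy ceiling.
SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str
    max_vuln_severity: str  # highest severity of any known issue in this version


@dataclass
class Policy:
    max_allowed_severity: str = "medium"  # anything worse than this is blocked
    allowed_licenses: frozenset = frozenset({"MIT", "Apache-2.0", "BSD-3-Clause"})
    denied_components: frozenset = frozenset()  # explicit organisational deny list


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def parse_version(v):
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


# Constructed catalogue keyed by (name, version); stands in for the component dataset.
CATALOGUE = {
    ("example-logger", "1.0.0"): Component("example-logger", "1.0.0", "Apache-2.0", "critical"),
    ("example-logger", "1.2.0"): Component("example-logger", "1.2.0", "Apache-2.0", "none"),
    ("example-parser", "3.1.0"): Component("example-parser", "3.1.0", "GPL-3.0-only", "none"),
    ("example-utils", "0.9.0"): Component("example-utils", "0.9.0", "MIT", "low"),
}


def evaluate(name, version, policy, catalogue=CATALOGUE):
    """Decide whether one requested component may enter the pipeline."""
    reasons = []
    comp = catalogue.get((name, version))
    if comp is None:
        # Fail closed: a component with no attributes cannot be shown to meet policy.
        reasons.append(f"{name} {version} has no catalogue entry; unknown components are blocked")
        return Decision(False, reasons)
    if name in policy.denied_components:
        reasons.append(f"{name} is on the organisation's deny list")
    if SEVERITY_RANK[comp.max_vuln_severity] > SEVERITY_RANK[policy.max_allowed_severity]:
        reasons.append(
            f"known {comp.max_vuln_severity} severity issue exceeds policy maximum "
            f"{policy.max_allowed_severity}"
        )
    if comp.license not in policy.allowed_licenses:
        reasons.append(f"license {comp.license} is not on the allowed list")
    return Decision(not reasons, reasons)


def suggest_fix(name, policy, catalogue=CATALOGUE):
    """Return the highest catalogued version of `name` that passes policy, or None."""
    candidates = [
        v for (n, v) in catalogue
        if n == name and evaluate(n, v, policy, catalogue).allowed
    ]
    return max(candidates, key=parse_version) if candidates else None


def gate_manifest(manifest, policy, catalogue=CATALOGUE):
    """Evaluate every (name, version) pair in a manifest; returns {name: Decision}."""
    return {name: evaluate(name, version, policy, catalogue) for name, version in manifest}


if __name__ == "__main__":
    policy = Policy()
    # Constructed manifest: what a build would request from the repository.
    manifest = [("example-logger", "1.0.0"), ("example-parser", "3.1.0"), ("example-utils", "0.9.0")]
    for name, decision in gate_manifest(manifest, policy).items():
        status = "ALLOW" if decision.allowed else "BLOCK"
        print(f"{status} {name}: {'; '.join(decision.reasons) or 'passes policy'}")
        if not decision.allowed:
            fix = suggest_fix(name, policy)
            print(f"  suggested version: {fix}" if fix else "  no catalogued version passes policy")
```

Two design points carry over from the article’s description. The gate fails closed on components it has no data for, because an unknown component cannot be shown to satisfy policy; and the remediation step reuses the same evaluation, so the suggested version is by construction one the gate would admit rather than merely a newer one.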

Crowded market

The SCA marketplace contains a number of other major vendors, including Checkmarx, Contrast Security, JFrog, Snyk, Synopsys, Veracode, WhiteHat (owned by NTT), and WhiteSource. GitHub (owned by Microsoft) and GitLab also offer SCA features as part of their offerings.

But there’s still plenty of room for growth in the market: Less than 50% of companies have already adopted tools for SCA, and interest in these tools is growing, according to a report from Gartner last fall.

Compared to some competitors, however, Sonatype’s goal “has always been to solve enterprise-wide problems, rather than just being a useful utility for developers,” Jackson said.

Sonatype’s customer list includes BNP Paribas, American Express, Comcast, Red Hat, TD Bank, BJ’s Wholesale Club, Equifax, BNY Mellon, Discover and Liberty Mutual. The company continuously monitors 34,000 apps in total, according to Jackson.

Sonatype, based in Fulton, Maryland, was founded in 2008 by Brian Fox, who is currently the company’s chief technology officer, and Jason van Zyl, who previously served as chief technology officer and is no longer with the company.

Vista Equity Partners has been the majority owner of Sonatype since November 2019. Last March, the company made its own acquisition, taking over code analysis platform MuseDev to expand its Nexus platform.

In addition to potentially following Snyk into public ownership, Sonatype is also aiming to join JFrog, which went public in 2020, and GitLab, which completed its IPO last fall.

Raise profile

Berry’s arrival at Sonatype coincides with the company’s next big growth spurt, executives said. Berry said he brings experience scaling high-growth businesses, which he has done in leadership roles at Vector Solutions, Syniti and Neustar.

“I’ve focused my career on finding companies that have great product innovation and market opportunity, but need a little help and injection of energy around marketing,” he said.

Over the years, Sonatype has been a “silent, consistent producer,” Jackson said, growing revenue 30% to 40% each year since he joined in 2010.

“We haven’t made a ton of noise growing to our current scale,” he said. “But we’re looking to change that and really raise our profile – to the level that I think the company has earned.”
