The last time Goldman Sachs put an attention-getting chunk of money into a D.C. start-up it worked out pretty well – the firm’s early investment in Applied Predictive Technologies paid off big-time last year when APT sold to Mastercard for $600 million.
This time the start-up is a Fulton, Md.-based cybersecurity company called Sonatype. The company is planning to announce Thursday it has raised $30 million from investors led by Goldman’s Principal Strategic Investments Group.
Chief Executive Wayne Jackson declined to discuss the company’s valuation but said it was less than $1 billion and “a nice step up” from the company’s last funding round.
That brings the company’s total investment pool to close to $75 million, with previous funding rounds led by venture funds Accel and New Enterprise Associates.
Jackson is best known as chief executive at Sourcefire, a Columbia, Md. cybersecurity company bought by Cisco Systems in 2013 for $2.7 billion. Sonatype has made its name by focusing on a particular problem in cybersecurity: finding and accounting for vulnerabilities that exist in software components.
Software programs can be so complex these days that developers rarely write entire programs from the ground up. To make things easier, some piece together little building blocks of pre-written code they take from online “open-sourced” libraries, which are free for anyone to use.
“What’s shocking to me still is just how much open source software is being used,” said Jackson.
The problem is developers often don’t have any way of telling which blocks of code have holes in them, and there can be few checks on their work.
Jackson likens the problem to quality control on an assembly line.
“Imagine a situation where Toyota let their line workers make all the decisions about which suppliers to use without any governance or oversight; imagine what cars would be like,” he said. “All the cars would be really hard to maintain and an orderly recall would be next to impossible.”
Sonatype builds its business around helping software developers figure out which building blocks have vulnerabilities in them and how best to account for them. The idea is to help build cybersecurity into the process of making systems and products.
One of the biggest libraries where programmers get open-sourced code is known as Maven Central, which happens to be owned by Sonatype. Having ownership of one of the most widely-used libraries gives Sonatype proprietary information about the vulnerabilities inherent in many of the most common software building blocks deposited there.
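The check the article describes, matching the open-source building blocks a project pulls in against a list of components with known vulnerabilities, can be sketched in a few dozen lines. The following is an added illustration, not Sonatype's software or code from the article: it reads the dependency coordinates (groupId, artifactId, version) out of a Maven pom.xml and compares each against a small advisory list. The pom.xml and the advisory entries are constructed sample data with placeholder IDs, not real advisories or CVE numbers; the Maven POM namespace URL is the real one that pom.xml files declare.

```python
"""Flag open-source components with known vulnerabilities in a Maven pom.xml.

Added example: constructed sample data, not real advisories or real projects.
"""
import xml.etree.ElementTree as ET
from typing import NamedTuple

# Constructed sample pom.xml (hypothetical project and dependencies).
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo-app</artifactId>
  <version>1.0.0</version>
  <dependencies>
    <dependency>
      <groupId>org.example.util</groupId>
      <artifactId>parser-lib</artifactId>
      <version>2.3.1</version>
    </dependency>
    <dependency>
      <groupId>org.example.web</groupId>
      <artifactId>http-core</artifactId>
      <version>4.0.2</version>
    </dependency>
    <dependency>
      <groupId>org.example.util</groupId>
      <artifactId>logging</artifactId>
      <version>1.9.0</version>
    </dependency>
  </dependencies>
</project>
"""

# Constructed advisory feed with placeholder IDs (not real CVEs). Each entry names
# the affected coordinate, the first affected version (inclusive) and the first
# fixed version (exclusive).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "group": "org.example.util", "artifact": "parser-lib",
     "introduced": "2.0.0", "fixed": "2.3.2"},
    {"id": "ADV-EXAMPLE-0002", "group": "org.example.web", "artifact": "http-core",
     "introduced": "4.0.0", "fixed": "4.0.2"},
]

# Real namespace declared by Maven POM files.
MAVEN_NS = {"m": "http://maven.apache.org/POM/4.0.0"}


class Dependency(NamedTuple):
    group: str
    artifact: str
    version: str


def parse_version(v):
    """Split '2.3.1' into (2, 3, 1) so versions compare numerically; non-numeric
    segments (e.g. 'SNAPSHOT') sort as 0."""
    return tuple(int(seg) if seg.isdigit() else 0 for seg in v.split("."))


def parse_pom(xml_text):
    """Extract (groupId, artifactId, version) for every declared dependency."""
    root = ET.fromstring(xml_text)
    deps = []
    for dep in root.findall("m:dependencies/m:dependency", MAVEN_NS):
        group = dep.findtext("m:groupId", namespaces=MAVEN_NS)
        artifact = dep.findtext("m:artifactId", namespaces=MAVEN_NS)
        version = dep.findtext("m:version", namespaces=MAVEN_NS)
        if group and artifact and version:
            deps.append(Dependency(group, artifact, version))
    return deps


def is_affected(dep, adv):
    """True when the dependency's coordinate matches and its version lies in
    [introduced, fixed). A version equal to 'fixed' is not affected."""
    if (dep.group, dep.artifact) != (adv["group"], adv["artifact"]):
        return False
    v = parse_version(dep.version)
    return parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"])


def find_vulnerable(deps, advisories):
    """Return (coordinate, advisory id) pairs for every affected component."""
    hits = []
    for dep in deps:
        for adv in advisories:
            if is_affected(dep, adv):
                hits.append((f"{dep.group}:{dep.artifact}:{dep.version}", adv["id"]))
    return hits


if __name__ == "__main__":
    for coord, adv_id in find_vulnerable(parse_pom(SAMPLE_POM), ADVISORIES):
        print(f"{coord} matches {adv_id}")
```

Run against the sample, only `parser-lib` 2.3.1 is reported: `http-core` 4.0.2 sits exactly at the fixed version and so falls outside the affected range, which is the boundary a real scanner has to get right, and `logging` has no advisory at all. A production tool would replace the inline advisory list with a maintained feed and also walk transitive dependencies rather than only the ones declared in the top-level pom.xml.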
Sonatype is by no means the only one vetting software components. Numerous companies are getting in on what some say is becoming a broader trend in cybersecurity.
“It’s a lot more cost-effective to know about these things before you build them into the finished products than to have to go back later and fix them,” said Scott Crawford, research director for information security at 451 Research, a market research firm that has studied Sonatype’s business.
Private companies are starting to pay big money for these sorts of services – including Goldman Sachs, which has been a Sonatype customer since October 2013.
Jackson said helping Goldman with its own software infrastructure led to the financing announced Thursday. If the institution hadn’t been a customer, he says, “they probably never would have found us.”
Jackson says Sonatype has about 600 customers in a variety of industries, from media companies to manufacturers and especially banks. When you consider their prices, that’s tremendous revenue for a firm with fewer than 100 employees. Some of the company’s larger customers pay Sonatype hundreds of thousands of dollars annually, Jackson says, and a few pay close to $1 million.