
Cloudsmith Raises $23M to Enhance Software Supply Chain Security

March 3, 2025

The Vulnerability of Modern Software Supply Chains

The security of the software supply chain is frequently compromised. Statistics indicate that a substantial 81% of codebases incorporate open source components with high or critical-level vulnerabilities.

A single weakness can propagate throughout the entire software supply chain. The Log4Shell vulnerability serves as a prime example, exposing millions of applications to potential remote code execution attacks through the widely used Log4j logging library.

Cloudsmith: A New Approach to Artifact Management

Cloudsmith, a startup based in Northern Ireland, is focused on addressing this critical issue. They offer a cloud-native artifact management platform designed as a contemporary alternative to established solutions like JFrog and Sonatype.

This platform aims to provide enhanced security and control over software components throughout their lifecycle.

Recent Funding and Growth Plans

To facilitate its continued expansion, Cloudsmith announced on Monday the successful completion of a $23 million Series B funding round.

This funding round was spearheaded by TCV, with additional investment from Insight Partners and existing investors.

The capital raised will be instrumental in driving the next stage of Cloudsmith’s development and market penetration.

Key benefits of a robust artifact management platform include:

  • Enhanced security through vulnerability scanning.
  • Improved control over software dependencies.
  • Streamlined software release processes.
  • Reduced risk of supply chain attacks.

Artifact Management in Software Development

Within the software industry, particularly at Cloudsmith, an “artifact” denotes any software package, binary file, or component generated and distributed during the software development lifecycle. This encompasses items like libraries, their associated dependencies, configuration files, and fully compiled applications.

Although organizations commonly develop their own codebases, they frequently depend on third-party packages sourced from public, open-source registries. These packages are essential during the build process – when source code is transformed into executable software – but their availability isn't guaranteed.

Package versions can change, or the packages themselves may become inaccessible. Cloudsmith addresses this challenge by providing “mirrors” of these essential packages, ensuring continuous access.

Ensuring Build Reliability and Visibility

“Cloudsmith functions as a private registry for these binary artifacts, guaranteeing their availability for subsequent builds, even if they are altered or removed from their original locations,” explained Glenn Weinstein, CEO of Cloudsmith, in a TechCrunch interview.

“This ensures builds are consistently repeatable and reliable, and it equips DevOps and platform engineering teams with comprehensive visibility into the components integrated into their production software.”

Security Scanning and Vulnerability Management

Even when packages remain available in open-source repositories, they can become susceptible to security vulnerabilities over time, either due to insufficient maintenance or malicious intent. Cloudsmith proactively mitigates this risk.

The platform scans dependencies for potential vulnerabilities, licensing conflicts, and the presence of malware before making them accessible to developers within their coding environments.
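The two ideas above, a private mirror that serves exactly the bytes a build pinned (so a re-published or removed upstream version cannot change the build) and a policy gate that checks each artifact for known vulnerabilities, disallowed licenses and scanner verdicts before developers can pull it, are easy to show in a small script. The following is an added example, not Cloudsmith code and not its API; the mirror contents, package names, versions, advisory identifier `ADV-0001`, license policy and the "malware marker" standing in for a scanner verdict are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field

# Everything below is constructed for this example: the package names,
# versions, artifact bytes, advisory ids and licenses are fictional.

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Stand-in for a scanner verdict: any artifact containing this byte string is
# treated as flagged by the malware scan (constructed).
MALWARE_MARKER = b"constructed-malware-marker"

# The private mirror: artifact bytes as they were first fetched from upstream,
# keyed by (name, version). A real registry would keep these in object storage.
MIRROR = {
    ("examplelib", "1.4.2"): b"examplelib-1.4.2 wheel contents (constructed)",
    ("examplelib", "1.5.0"): b"examplelib-1.5.0 wheel contents (constructed)",
    ("logtool", "2.0.1"): b"logtool-2.0.1 jar contents (constructed)",
    ("nettool", "0.9.0"): b"nettool-0.9.0 tarball " + MALWARE_MARKER,
}

# Metadata the scanning stage attaches to each mirrored artifact (constructed).
METADATA = {
    ("examplelib", "1.4.2"): {"license": "MIT", "advisories": ["ADV-0001"]},
    ("examplelib", "1.5.0"): {"license": "MIT", "advisories": []},
    ("logtool", "2.0.1"): {"license": "AGPL-3.0", "advisories": []},
    ("nettool", "0.9.0"): {"license": "MIT", "advisories": []},
}

# Policy the security team applies before an artifact becomes visible.
LICENSE_ALLOWLIST = {"MIT", "Apache-2.0", "BSD-3-Clause"}

# A build's lockfile: (name, version, sha256 pin). The nettool pin was taken
# from a different publish of the same version, so it will not match the mirror.
LOCKFILE = [
    ("examplelib", "1.4.2", sha256(MIRROR[("examplelib", "1.4.2")])),
    ("examplelib", "1.5.0", sha256(MIRROR[("examplelib", "1.5.0")])),
    ("logtool", "2.0.1", sha256(MIRROR[("logtool", "2.0.1")])),
    ("nettool", "0.9.0", sha256(b"nettool-0.9.0 original publish (constructed)")),
    ("missinglib", "1.0.0", sha256(b"never mirrored (constructed)")),
]

@dataclass
class Decision:
    name: str
    version: str
    allowed: bool
    reasons: list = field(default_factory=list)

def gate(name: str, version: str, expected_sha256: str) -> Decision:
    """Decide whether the mirrored artifact may be served to a build."""
    key = (name, version)
    blob = MIRROR.get(key)
    if blob is None:
        # The upstream package vanished and was never mirrored: the build
        # cannot be reproduced, so fail closed rather than fetch from upstream.
        return Decision(name, version, False, ["not present in mirror"])
    reasons = []
    # Repeatability: bytes served must match the lockfile pin, so an upstream
    # re-publish of the same version cannot silently change the build.
    if sha256(blob) != expected_sha256:
        reasons.append("hash mismatch against lockfile pin")
    meta = METADATA[key]
    if meta["advisories"]:
        reasons.append("known vulnerability: " + ", ".join(meta["advisories"]))
    if meta["license"] not in LICENSE_ALLOWLIST:
        reasons.append(f"license {meta['license']} not on allowlist")
    if MALWARE_MARKER in blob:
        reasons.append("malware scanner verdict: malicious")
    return Decision(name, version, not reasons, reasons)

def resolve_lockfile(lockfile) -> list:
    """Run the gate over every pinned dependency of a build."""
    return [gate(name, version, pin) for name, version, pin in lockfile]

if __name__ == "__main__":
    for d in resolve_lockfile(LOCKFILE):
        status = "ALLOW" if d.allowed else "BLOCK"
        print(f"{status} {d.name}=={d.version} {'; '.join(d.reasons)}")
```

Only `examplelib==1.5.0` passes: the 1.4.2 release is blocked by its advisory, `logtool` by its license, `nettool` by both the pin mismatch and the scanner verdict, and the never-mirrored package is refused outright instead of being fetched from upstream at build time. The order of checks matters less than the fact that every reason is recorded, which is what gives the DevOps team the visibility the article describes.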

Supporting Both Internal and External Packages

Cloudsmith does support packages developed internally by its customers; however, the majority of artifacts hosted on the platform originate from established open-source indexes.

These include popular repositories such as PyPI, Docker Hub, Maven Central, and Npmjs.

A Central Security Checkpoint

“Because all data and software transit through Cloudsmith, the platform serves as a crucial security checkpoint for open-source dependencies,” Weinstein stated. “It scans, curates, and blocks potentially harmful artifacts before they can impact production systems.”

“Cloudsmith also resolves a common oversight within many enterprises – a lack of clear understanding regarding the artifacts they utilize, whether they are proprietary, public, or open source.”

Financial Developments at Cloudsmith

Established in Belfast in 2016 by Alan Carson and Chief Technology Officer Lee Skillen, Cloudsmith had secured $26 million in a prior Series A funding round. This initial investment was distributed in phases, beginning with $15 million in 2021 and concluding with an additional $11 million in 2023.

The second funding installment followed closely after Alan Carson assumed the position of chief strategy officer and Glenn Weinstein, formerly of Twilio as chief customer officer, joined as CEO.

As Carson explained, the appointment of a seasoned entrepreneur with experience in scaling businesses allowed the co-founders to concentrate more intently on the product’s “vision, roadmap and architecture.” This also facilitated access to a broader range of enterprise clients and investors within the U.S., notably TCV and Insight Partners.

Carson communicated to TechCrunch via email that these investments represent a clear indication of Cloudsmith’s emergence as a leader in its category. He further stated that, under Weinstein’s direction, the company has strategically focused on addressing the complex needs of large enterprises regarding software supply chain security and stringent compliance requirements.

The majority of Cloudsmith’s workforce, numbering around 100 employees including both founders, is located in Belfast. However, Weinstein indicated that approximately 75% of the company’s revenue is now generated from customers based in the United States.

The newly acquired funding will be allocated towards expanding the sales, marketing, and customer success teams. Furthermore, investment will be directed into research and development, specifically exploring new applications of artificial intelligence.

Weinstein highlighted a “unique opportunity” to leverage the extensive data related to software package usage and convert it into “actionable insights” for developers.

“Our goal is to empower developers to select more secure and reliable open-source packages,” Weinstein stated. “We aim to achieve this by assisting cybersecurity teams in establishing curated internal registries, simplifying the process for developers to obtain packages from trusted internal repositories rather than public registries.”

This initiative will likely involve providing recommendations, such as suggesting alternatives to infrequently updated or declining packages with similar functionality that have gained traction among other Cloudsmith users.

“We are essentially formalizing the informal advice developers currently rely on – ‘I’ve heard good things about this package’ – and delivering it instantly through the Cloudsmith platform,” Weinstein elaborated.
