Let the OSS Enterprise newsletter guide your open source journey! Sign up here.

As security for software development climbs higher on the list of corporate priorities, one of the pioneers in the space, Sonatype, aims to seize on the opportunity by going public as early as this year.

Sonatype coined the term “software supply chain management,” said CEO Wayne Jackson, for technology that enables the open source code used by developers to meet quality and security requirements. Now, the fast-growing company aims to be one of the first in software supply chain security to complete an initial public offering. The Sonatype IPO could come “as soon as late this year,” though it’s more likely to arrive in 2023, Jackson told VentureBeat.

Naturally, the vendor has begun laying the foundation for an IPO, he said — including with a major executive hire announced today. Alex Berry has joined Sonatype as its first-ever president, coming to the company from Vector Solutions, where he’d served as chief revenue officer.

The disclosure of the IPO aspirations follows a December report from Bloomberg that one of Sonatype’s top competitors, Snyk, is preparing to go public as soon as the middle of this year.

Growth surge

Other signs that an IPO could be on the horizon: Sonatype surpassed $100 million in annual recurring revenue during the fourth quarter of 2021, up 30% from the same period the year before, Jackson said. And the growth pace is actually expected to accelerate this year, to between 35% and 40%, he said.

In 2021, the company also added more than 350 customers and hired aggressively, expanding its staff by 80% with the addition of 200 employees. Sonatype aims to add another 250 people in 2022 and reach a headcount of 700 by year’s end.

Yet as much as the company has been growing, “we’re just at the beginning of this market expansion and market awareness,” Berry said in an interview.

While software vulnerabilities have long ranked as a concern for businesses, the issue is “much more in the mainstream now” on account of widespread critical flaws such as the vulnerability in Apache Log4j, he said. The vulnerability, revealed in December, is believed to have affected the majority of companies since it’s found in a widely used open source logging library.

Meanwhile, high-profile compromises in the software supply chain, such as the attacks on SolarWinds and Kaseya, have also led to greater awareness of the problem. And according to data from Aqua Security, overall attacks involving the software supply chain surged by more than 300% overall in 2021.

While software supply chain security has turned into a red-hot market over the past few years, Sonatype has been “thinking about the software development process in supply chain terms” for the last decade, Jackson said.

And that early start — combined with the company’s ongoing innovation — have positioned the company to capitalize in this current environment, the Sonatype executives said.

Other players in software supply chain security “don’t have our track record. They don’t have our scale. And they certainly aren’t putting forth the effort that we are [in terms of] growth and the hiring and attacking the market,” Berry said.

Analyzing code

While Sonatype offers a number of different capabilities within application security, its core offering is around software composition analysis (SCA). The company’s Nexus Lifecycle product, which generates two-thirds of its revenue, enables customers to automatically discover open source vulnerabilities — and then fix them — throughout the software development process.

Nexus Lifecycle does this by leveraging a massive dataset that describes the attributes of most of the open-source components in existence, Jackson said. The platform then combines that data with a “rich” policy infrastructure that allows organizations to define what’s acceptable to them, “and what they want to encourage their developers to use,” he said.

Ultimately, bringing these capabilities together “allows for the automation of how you optimize your software supply chain,” Jackson said.

A newer Sonatype product, also in the realm of SCA, is Nexus Firewall — which “does for open source what traditional firewalls do for packets,” he said. The product looks at the software components that are being requested by a development function, then decides whether the components should be allowed into an organization’s development pipeline.

Nexus Firewall helps to prevent vulnerabilities because it intercepts malicious components before they can be downloaded during software development, Jackson said.

Crowded market

The SCA market contains a number of other major vendors, including Checkmarx, Contrast Security, JFrog, Snyk, Synopsys, Veracode, WhiteHat (owned by NTT), and WhiteSource. GitHub (owned by Microsoft) and GitLab also offer SCA capabilities as part of their offerings.

But there’s still plenty of room for growth in the market: Fewer than 50% of companies have already adopted tools for SCA, and interest in the tools is climbing, according to a report from Gartner last fall.

Compared to some competitors, however, Sonatype’s focus “has always been on solving problems at enterprise scale, as opposed to just being a helpful utility for developers,” Jackson said.

Sonatype’s customer list includes BNP Paribas, American Express, Comcast, Red Hat, TD Bank, BJ’s Wholesale Club, Equifax, BNY Mellon, Discover, and Liberty Mutual. The company continuously monitors 34,000 applications in all, according to Jackson.

Fulton, Maryland-based Sonatype was founded in 2008 by Brian Fox, who is currently chief technology officer of the company, and Jason van Zyl, who previously served as CTO and is no longer with the company.

Vista Equity Partners has been the majority owner of Sonatype since November 2019. Last March, the company made an acquisition of its own, picking up code analysis platform MuseDev to expand its Nexus platform.

Along with potentially following Snyk into public ownership, Sonatype also aims to join JFrog, which went public in 2020, and GitLab, which completed its IPO last fall.

Raising the profile

The arrival of Berry at Sonatype coincides with the company’s next big growth push, the executives said. Berry said he brings experience in scaling companies with major growth potential, which he’s done previously in executive roles at Vector Solutions, Syniti, and Neustar.

“I’ve framed my career on seeking out companies that have great product innovation and market opportunity, but need a little help and injection of energy around the go-to-market,” he said.

Over the years, Sonatype has been a “quiet, consistent grower,” Jackson said — expanding its revenue by 30% to 40% every year since he joined, in 2010.

“We haven’t made a ton of noise while growing to our current scale,” he said. “But we’re looking to change that, and really raise our profile — to the level that I think the company has earned.”