Cloudsmith Secures $23M Investment to Revolutionize Software Supply Chain Security
The software supply chain is facing significant challenges, with an alarming 81% of codebases reportedly harboring high- or critical-risk open-source vulnerabilities. A single exploit can jeopardize the entire software ecosystem, as demonstrated by the infamous Log4Shell vulnerability that exposed millions of applications to potential remote code execution attacks through the Log4j logging library. To address these pressing issues, Northern Irish startup Cloudsmith has introduced a cutting-edge cloud-native artifact management platform, positioning itself as a modern alternative to traditional software supply chain solutions like JFrog and Sonatype.
Cloudsmith Secures $23 Million Series B Funding
In a major step towards its next growth phase, Cloudsmith announced on Monday that it has successfully raised $23 million in a Series B financing round led by TCV, with participation from Insight Partners and several returning investors.
Understanding Artifacts in Software Development
In the realm of software development, an “artifact” refers to any software package, binary file, or component that is created or distributed. This includes:
- Libraries and their dependencies
- Configuration files
- Compiled applications
- Other software components
While companies write much of their own code, they also depend heavily on third-party packages pulled from public open-source registries. These packages are fetched at build time, but upstream versions can change or be removed, so a build that succeeded yesterday may not be reproducible today. This is where Cloudsmith comes into play, providing “mirrors” of these packages so that the exact versions a build depends on remain consistently available.
Cloudsmith’s Role in Secure Software Supply Chains
According to Glenn Weinstein, CEO of Cloudsmith, “Cloudsmith serves as a private registry for these binary artifacts, ensuring they are always accessible for future builds, regardless of changes or removals from their original sources.” This functionality guarantees that builds are both repeatable and reliable, while offering centralized visibility for DevOps and platform engineering teams into their production software.
Even if a package remains available in an open-source repository, it can accumulate security vulnerabilities over time, for example when it is no longer actively maintained. Cloudsmith proactively scans dependencies for:
- Vulnerabilities
- Licensing issues
- Malware
“All data and software flow through Cloudsmith, acting as a security checkpoint for open-source dependencies,” Weinstein explained. “We scan, curate, and block problematic artifacts before they reach production.”
Cloudsmith’s Growth and Future Plans
Founded in 2016 in Belfast by Alan Carson and Lee Skillen, Cloudsmith previously raised $26 million in a Series A round that began in 2021. The latest funding will allow the company to expand its sales, marketing, and customer success teams, while also investing in research and development for new AI applications.
Weinstein noted, “We have a unique opportunity to transform extensive software package consumption data into actionable insights for developers, helping them choose safer open-source packages.” This could involve creating curated internal registries for cybersecurity teams, making it easier for developers to source packages from trusted repositories.
With approximately 75% of its revenue coming from U.S. customers, Cloudsmith is poised to enhance its offerings and solidify its status as a leader in software supply chain security. For more information about Cloudsmith and its innovative solutions, visit their official website: Cloudsmith.