Editor’s note: Saïd Ziouani is the Founder and CEO of Anchore, a Santa Barbara-based leader in software supply chain security. In 2022, Espresso Capital provided Anchore with a $10 million credit facility. In this interview, Saïd provides an overview of Anchore and shares his views on the roles that AI and open source are having on software supply chain security.
Can you tell us about Anchore and the problem that it solves?
Companies began adopting cloud native technologies less than a decade ago in an effort to become more flexible and efficient. As my co-founder Daniel Nurmi and I thought about the potential implications of that shift, we realized that significant security and compliance challenges would arise. In 2016, that insight led us to create Anchore, an SBOM-powered (software bills of materials) software composition analysis platform that simplifies software supply chain management by identifying security threats early on in the software development lifecycle.
Anchore gives developers and DevOps teams greater visibility into, and inspection capabilities for, their software development pipelines, while also providing remediation recommendations when issues arise. Our platform helps teams find every piece of software in their applications so that they can block and fix security issues as quickly and efficiently as possible. It also empowers teams to implement secure processes and to harden their software supply chains while automatically enforcing compliance standards.
Who are Anchore’s customers?
We work with Fortune 500 companies like Google, Amazon, Microsoft, Nvidia, Cisco, and eBay as well as with federal agencies. In fact, one of our earliest customers was the Department of Defense. Back when we first started working with them in 2019, the DoD was looking to build a cloud native DevSecOps platform. We got involved in helping them create more secure deployments.
The success we had with the DoD created a halo effect that eventually led to opportunities with the Army, the Air Force, and the Navy, as well as the intelligence community. Based on those experiences, we’re also seeing growing interest in our platform overseas. Just last quarter we were delighted to welcome NATO to our growing roster of customers.
There’s obviously a lot of hype about AI right now. What do you see as AI’s biggest implications for software supply chain security?
Like many technologies, AI is creating huge challenges and opportunities. In the short term, the major challenge is that it’s giving attackers the tools to devise new and ever more sophisticated ways of breaching the software supply chain. It’s going to take some time to overcome that issue and will be critical to educate developers and DevOps about the potential risks they face in the meantime. The good news is that looking a little further ahead, AI represents a giant opportunity to increase security for everyone. For Anchore specifically, it will allow us to further enhance our software inspection capabilities and strengthen our customers’ overall security posture.
Of course the real end game with AI is creating efficiency. That’s why there are so many vendors out there now building AI solutions for specific business applications like sales, marketing, product, and engineering. Take GitHub Copilot, for example, which uses AI to autocomplete code allowing developers to accelerate their development processes by up to 40%. We’ll continue to see more and more tools emerge that are designed to drive similar types of efficiencies across every aspect of business, including supply chain security.
At a time when every company is adopting AI, what will it take to come out on top in the race to adopt the technology?
Every business should be using AI to drive greater efficiency, so I don’t see it as a question of coming out on top but rather ensuring that you’re in the game. But that doesn’t mean you have to develop your own AI. As I mentioned before, there are already plenty of tools out there that you can use to take advantage of the power of AI across your business to operate more efficiently and better serve your customers. In my view, leveraging those tools effectively will be the key to remaining competitive.
Within our industry specifically, a lot of the work being done is around using AI to continuously inspect SBOMs over time, which is a critical component of software supply chain security. We also see opportunities to improve the quality of software inspection and categorization in the form of SBOMs, by adding AI techniques to the technology stack.
How has the tech industry’s growing reliance on open source affected software supply chain security?
Over the last seven or eight years, we’ve seen a 10x increase in the use of open source software in software development, meaning that the applications the developers produce, more often than not, include a great deal of open-source software. Ultimately, it is this explosive growth in the presence of open-source software in applications across every industry that has given supply chain security tools a seat at the table.
We built Anchore to bring continuous security and compliance to the software development process. It enables developers to leverage open-source projects within the applications they are building while allowing for ongoing inspection so that no vulnerabilities, malware, or misconfigurations make their way into the application that gets deployed.
The past couple of years have been incredibly challenging for everyone and yet Anchore has continued to grow every quarter. What do you attribute that growth to?
Prior to the current economic downturn, we were growing really quickly — by about 150% between 2020 and 2021. And while that has slowed down to below 50% these past two years because of the current macroeconomic environment, I’m still very pleased with our progress and thankful for our entire team and their efforts.
One of the things we’ve been focused on since the beginning is making our customers happy and giving them great experiences. Doing so achieves two things: It not only ensures that our customers continue to buy from us, but also that they become our best references. Focusing on our customers has also allowed us to build better products. We’ve effectively become a customer-driven innovation company, which is an approach that has allowed us to expand our business throughout the public and private sectors.
Another key to our success is that we’re one of the top 10 open-source stories out there. We commonly see companies like Amazon, Google, Microsoft and other industry leaders promoting solutions based on Anchore’s OSS and Enterprise offerings. To be a company with less than 100 employees and have that level of adoption and exposure within the tech community has really helped put us in a great position. I’m confident we’ll see very strong growth in 2024 and beyond.
What role has venture debt played in Anchore’s growth?
We’re a strong, capital-efficient company that’s poised to reach profitability in 2024. That said, there are times when we need to go faster, say by capitalizing on a particular go-to-market strategy or building a new feature. For us, that is exactly the scenario where using venture debt makes sense. It’s been a great complement to the capital we already raised from SignalFire and our other equity investors, that has allowed us to accelerate our growth initiatives without having to go out and actually do another equity raise. And, with so much uncertainty in the world today, I sleep well at night knowing we have money in the bank and are ready for whatever comes.
What’s your vision for Anchore going forward?
We’re still in the first inning of what’s going to be a very long game. The idea of adopting cloud native technologies is still in the early stages and the idea of supply chain security is just beginning to take shape. Our open-source story is opening huge doors for us and it’s allowing prospects to gain experience with advanced supply chain security techniques through the use of our open-source technology, before bringing that experience to their entire organization via our products and services.
Our goal looking forward is to continue to provide customers with the best software inspection and security technologies the industry has to offer, all within a threat landscape that will never stop evolving. We’ll stay close to our customers and help them with their challenges as they adopt new technology and practices, to ensure that our offerings continue to adapt accordingly. Ultimately, we aim to provide the de facto standard for both producers and consumers of software to solve their software supply chain management needs. We already have a major lead in the category and I truly believe that it will only continue to grow in the years to come.