Stocks went into a tailspin over the last couple of weeks, retracing to levels not seen since January… 2021 (except for GameStop, which is up 100% since our last newsletter). Although this trend had a smaller impact on the broader indices (~9% from all-time high), it had a major impact on the COSS index (~40% from all-time high) and has nearly flipped the script on the COSS vs Emerging Cloud value premium (more below).
In this edition, we’ll examine how enterprise software communities are securing their environments to mitigate the new threats that have emerged from COSS adoption.
Private Markets
Plume, a smart home service provider, closes $270M Series E at $1.35B valuation led by Insight Partners.
Tigergraph, provider of the leading graph analytics platform, announced it had raised $105 million in Series C funding led by Tiger Global.
Sentry, providing an application monitoring solution, announces $60M Series D led by Accel.
KatanaGraph, a high-performance scale-out graph processing/AI/analytics company, announces $28.5M Series A led by Intel Capital.
Replit, makers of a multiplayer computing environment to learn how to code, build, and share apps with other people, announces $20M Series A led by A.Capital.
Platform9, the leading SaaS Managed Kubernetes provider, announces $12.5M Series D-expansion to a total Series D round of $37.5M led by WRVI Capital.
NearForm, a global software consultancy known for large enterprise clients and COVID app development, reported to receive multi-million dollar investment led by Columbia Capital.
Public Markets
To track the performance of COSS companies, we’ve created an equal-weighted index composed of public names including MongoDB, Elastic, Talend, Cloudera, Rapid7, Fastly and JFrog (Datadog removed).
Over the last year, the COSS Index significantly outperformed the benchmarks:
COSS Index +107%
NASDAQ +47%
S&P 500 +23%
Over the last three years, the COSS Index continues to outperform:
COSS Index +252%
NASDAQ +81%
S&P 500 +40%
COSS companies sold off sharply in the last two weeks, and while they stayed above their emerging cloud peers, the gap narrowed significantly from a premium of 7.3x multiple turns (two weeks ago) to 1.3x multiple turns today. Of note, all three indices still trade at nearly twice their five-year average, reflecting continued strength across the public markets.
COSS Index: Current Multiple 15.5x | Five-Year Mean: 6.5x
Emerging Cloud Index: Current Multiple 14.2x | Five-Year Mean: 8.5x
NASDAQ Composite: Current Multiple 4.4x | Five-Year Mean: 2.9x
Security for Open Source
You probably would not be reading this newsletter if you didn't believe open source products were leading the enterprise software revolution today. As companies shift to more open source products in their environments, security issues will continue to present unique and challenging vulnerabilities. The expanding threat surface has evolved in novel ways, resulting in the development of a new market segment focused on OSS security and risk. This market has grown in importance as prominent security breaches have leveraged open source vulnerabilities, like the 2017 hack of Equifax, which exposed the private data of 148 million Americans through an unpatched Apache Struts vulnerability, as well as Heartbleed, which compromised millions of personal data files. As enterprises look to empower developers while balancing security threats and enabling them to truly 'shift left', the market opportunity around OSS security will continue to blossom.
This emerging technology category has driven significant interest from venture, private equity and strategic communities and includes Snyk ($455mm raised), WhiteSource ($47mm raised), FOSSA ($35mm raised), Black Duck (part of Synopsys), Revenera (part of Flexera), Veracode (Thoma Bravo) and JFrog's Xray. Many of the open source vulnerability capabilities come packaged with other capabilities under the term Software Composition Analysis (thanks Gartner), including license management, workflow automation, and other aspects of managing software components.
Open source security has also drawn support from the Linux Foundation (OpenSSF and Core Infrastructure Initiative), which has worked with both large corporate partners and smaller startups to build a more cohesive community through targeted initiatives around tooling, best practices, developer identity validation and vulnerability disclosures.
A few years ago, JFrog's leadership team described to me, in a more apt way than we ever could (and which they have outlined in a book, of course), the future of software - "...in which developers code high-quality applications that securely flow to end-users with zero downtime" - something that we mutually would argue requires stringent and useful security mechanisms.
We believe the expansion of open source security products will continue as these products become more central to accelerating the development cycle around the shift from closed-source to open-source. It will revolve around culture, process, and technology - while the first two are mostly internal challenges, the third is where we focus our energy and the market is certainly responding.
Extra
Netflix is at it again, open sourcing more internally developed tech with the Domain Graph Service framework to enable GraphQL in Spring Boot apps.
Microsoft continues its shift towards developer-friendly OSS projects with v1.0 of Dapr, now available to help users utilize microservices.
Palo Alto picks up a COSS Crew.
Zuck. Bezos. Moving on to the next hill.
GitHub stats are fire.
Shaq Cap and the Google pre-IPO round.