Case study
Drata, a security and compliance automation company, partnered with Socket to address gaps in their appsec tools, particularly around expanding visibility into software supply chain risks.
While Drata had an SCA tool in place, Socket offered more comprehensive coverage, identifying more serious risks than mere CVEs alone could identify.
Socket seamlessly integrates with existing developer workflows, empowering developers to make informed security decisions and reducing the burden on the security team.
Drata is a security compliance automation company, with a mission to build trust across the cloud. Thousands of companies across the globe streamline over 20 compliance frameworks—such as SOC 2, ISO 27001, GDPR, and more—through Drata's continuous, automated control monitoring and evidence collection, resulting in a strong security posture, lower costs, and less time spent preparing for audits.
Under the company’s Chief Information Security Officer Matt Hillary, Joshua Stuts serves as Senior Manager of Security Engineering, responsible for the company's security programs, including application security, cloud security, IT security, and security operations. Drata leverages a modern, cloud-native tech stack, utilizing JavaScript and Node for application development, with AWS as the backbone of its backend infrastructure.
Stuts manages a team of six security engineers, embedded within a much larger engineering team. Drata's security team champions an automation-led approach with its tools and tech stack to solve problems and maintain high standards of application security.
While Drata had existing security measures in place prior to partnering with Socket, they recognized the limitations in visibility.
"Our previous tools had a long way to go for automation," Stuts said. "We had SCA tools running, but they provided a surface-level view. These tools focused primarily on known vulnerabilities (CVEs) and didn't address the broader spectrum of supply chain security risks."
Drata quickly saw how this lack of visibility would leave them vulnerable. "Our previous approach relied heavily on manual processes," Stuts said. "Before we implemented formal policies, developers held a weekly 'swarm' to manage package upgrades, a process which created bottlenecks and slowed down development."
These manual workflows were not only inefficient, but also ineffective. "Our previous tools lacked usable automation capabilities," Stuts said. "Automatic PRs sounded good in theory, but they lacked accountability. An unattended PR with a version bump doesn't guarantee thorough quality assurance, which is crucial to avoid introducing breaking changes."
For Drata, Socket's ability to detect and prevent software supply chain risks was the biggest differentiator from the other tools the company was using, as it goes beyond what conventional Software Composition Analysis (SCA) tools can detect.
The decision to adopt Socket wasn't driven by a direct need for another security tool. "We weren't actively seeking a new solution in this space," Stuts said. "However, Socket resolved a gap in our application security posture and keeps both our security and developer team more informed. As Matt always says, it's about having 'more lead bullets' in our security arsenal, not relying on a single silver bullet to solve the supply chain security issue."
One of the critical factors for any new security tool's success is its ease of integration into existing developer workflows.
"Integrating Socket was remarkably straightforward, especially with its GitHub app," Stuts said. "It aligns seamlessly with our developers' current workflows, providing vital information exactly when decisions need to be made."
One of the most practical advantages of this integration is when Socket suggests a better alternative directly in the developer's workflow, without requiring back-and-forth communication with the security team.
As new application security threats emerge with increasing complexity, the role of a security team leader goes beyond compliance.
Stuts said he operates based on a clear mission as Drata's head of security engineering: to protect the company's most valuable data, its "crown jewels." Just as the company reiterates with its own customers, he emphasized that compliance with standards is one of the most important steps in addressing the multifaceted risks associated with the supply chain ecosystem, but there are also additional steps to take.
"Compliance is a fundamental part of any strong security program, and it should be integrated with other functions to maintain a healthy security posture and capture the entirety of your organization’s risks, particularly those beyond the scope of CVEs.
"My job is to reduce risk as much as we can without introducing developer friction and slowing down the business. Socket is a great tool for helping us do that," Stuts said.
The complexity and volume of data involved in modern security landscapes have turned risk management into a complex problem that cannot be tackled with static rules or manual analyses alone.
"In today's security landscape, there are far too many risks to just set static rules for everything, especially with the proliferation of AI," Stuts said. "I'm excited about where Socket is headed with AI-detected threats and how it will empower my growing team of security engineers."