Silicon Valley venture capital firm Sequoia is backing a Danish startup to build a next-generation software composition analysis (SCA) tool that promises to help companies filter through the noise and identify vulnerabilities real threat.
For the environment, most software contains at least some open source components, many of which are outdated and irregularly — if at all — maintained. This has led to all sorts of security flaws, such as Log4Shell affecting the open source Java logging framework Log4j and led to breaches affecting high-profile organizations, such as a US federal agency that failed to patch the bug. In turn, this leads to a series of new regulationdesigned to empower businesses to operate a tighter software supply chain.
The problem is that with millions of components permeating the software supply chain, it’s not always easy to know if a given application uses a particular component. There are, of course, many software composition analysis (SCA) tools, from Snyk to Synopsis, that alert companies to known vulnerabilities in their technology stack — but this can create a lot of noise, particularly if an application isn’t actively using this element, thus making it difficult for security teams to prioritize the vulnerabilities that really matter.
And here’s Denmark’s cybersecurity startup Coana aims to make a difference, using “code-aware” SCA to help its users separate irrelevant alerts and focus only on those that matter.
Coana: Examples of notifications
Founded by Denmark in 2021, Coana is the brainchild of an IT professor (Anders Moller) and two PhDs (Martin Thorpe and Benjamin Barslev Nielsen) who say they achieved a “technical breakthrough” while part of a research group at Aarhus University in Denmark, discovering a new technique for analyzing and understanding large JavaScript-based applications. CEO Anders Sodergaard joined the trio as a co-founder in 2022, having spun off from a previous biometric technology company called Resilio the last year.
To help fund its company through the early access stage to full commercialization, Coana announced today that it has raised $1.6 million in a pre-seed funding round led by Sequoia Capital, with participation from Essence VC and a a number of angels, including current and former executives from Google, Red Hat and GitHub.
A typical application can consist of up to 90% third-party libraries, the majority of which are open source and maintained (or not) by any number of volunteer developers.
Thus, a company building software can build its own application layer based on these myriad libraries, creating a long chain of dependencies linked to functions. Traditionally, an SCA tool would look at the version number of a particular dependency and match it against a database of known vulnerabilities, then report back to developers if it finds a match. However, in many cases, an application may only use one or two functions from a library of perhaps 50 — so if there is a vulnerability in a part of the library that the application never calls, it should not really affect that application.
Companies can use Coana to create what it calls a “call graph” of the entire application, covering code and application dependencies, to understand data flow paths and then use it to eliminate false positives .
“The amount of packages used and lines of code can be extremely large, so it requires some really complex static analysis,” Søndergaard told TechCrunch. “The call graph enables us to do a huge analysis on all the possible paths between different dependencies. So imagine an application that consists of hundreds or thousands of dependencies, we can trace all the paths between those dependencies to understand which ones are really vulnerable — and which ones aren’t.”
It’s still early days, of course, with Coana unveiling the first iteration of its product in October to its first paying customers — a mix of startups and Series B and Series C scaleups. However, the company is working to expand its support beyond JavaScript and into Java and Python this year, which will help it target a wider customer base.
“As our product matures and our company matures, we are moving up the market, eventually targeting large enterprises, but it will take some time to have the sophistication in language support to get to that level,” Søndergaard said.
Companies that want to check out Coana today can apply for early access now.
