Sequoia invests in Coana for advanced vulnerability management through ‘code aware’ software analysis.

Silicon Valley venture capital (VC) juggernaut Sequoia is backing a fledgling Danish startup to build a next-gen software composition analysis (SCA) tool, one that promises to help companies filter through the noise and identify vulnerabilities that are a genuine threat. For context, most software contains at least some open source components, many of which are out-of-date and irregularly — if at all — maintained. In turn, this is leading to an array of fresh regulation, designed to strong-arm businesses into running a tighter software supply chain. The problem is, with millions of components permeating the software supply chain, it’s not always easy to know whether a given application is using a particular component. And this is where Danish cybersecurity startup Coana is setting out to make a difference, using “code aware” SCA to help its users separate out irrelevant alerts and focus only on those that matter.

The Silicon Valley venture capital (VC) firm Sequoia has announced its backing of a Danish startup aiming to develop a state-of-the-art software composition analysis (SCA) tool. This tool is designed to help companies sift through the clutter and identify genuine threats posed by vulnerabilities.

It is common for most software to include open source components that are outdated or inadequately maintained. This has resulted in many security breaches, such as the recent Log4Shell vulnerability that affected the Log4j Java logging framework and led to breaches in high-profile organizations, including a U.S. Federal agency. As a result, there is a growing trend of regulations pushing businesses to ensure tighter security in their software supply chain.

The challenge lies in the fact that there are millions of components in the software supply chain, making it difficult to determine whether a specific application is using a particular component. While there are various SCA tools on the market, such as Snyk and Synopsis, which alert companies of known vulnerabilities in their technology stack, this can often lead to a lot of unnecessary noise. This makes it challenging for security teams to prioritize and address the critical vulnerabilities.

This is where Danish cybersecurity startup Coana comes in, offering a “code aware” SCA tool that helps users filter out irrelevant alerts and focus only on those that truly matter.

Coana was founded in 2021 by computer science professor Anders Møller and two PhDs, Martin Torp and Benjamin Barslev Nielsen. The three had a “technical breakthrough” while working as part of a research group at Denmark’s Aarhus University, where they discovered a new method for analyzing and understanding large JavaScript-based applications. In 2022, CEO Anders Søndergaard joined the team as a co-founder, having previously founded a biometrics tech startup called Resilio.

To support the early stages of the company and bring its product to full commercialization, Coana recently announced that it has raised $1.6 million through a pre-seed round of funding led by Sequoia Capital. Other participants include Essence VC and several angel investors, including current and former executives from Google, Red Hat, and GitHub.

Third-party

A typical application can consist of up to 90% third-party libraries, the majority of which are open source and maintained (or not) by a number of volunteer developers.

When building software, a company may create its own application layer that utilizes these various libraries, creating a long chain of dependencies connected by functions. Traditionally, an SCA tool would match the version number of a dependency against a database of known vulnerabilities and report back to developers if a match is found. However, in many cases, an application may only use a small portion of a library, making it irrelevant if a vulnerability exists in an unused part of the library.

This is where Coana comes in, utilizing a “call graph” to map out the entire application, including application code and dependencies. This allows the tool to understand the data flow paths and eliminate false positives.

“The amount of packages being used and the lines of code can be extremely high volume, so it requires some really sophisticated static analysis,” Søndergaard told TechCrunch. “The call graph enables us to do a huge analysis on all the possible paths between different dependencies. So, imagine an application consisting of hundreds or thousands of dependencies, we can identify all paths and determine which ones are truly vulnerable – and which ones are not.”

While Coana is still in its early stages, it was able to launch its first iteration in October for its initial paying customers, which include a mix of Series B and Series C-stage startups and scaleups. The company is also working to expand its support beyond JavaScript and into Java and Python this year, in hopes of reaching a wider customer base.

“As our product and company continue to grow, we plan to move into the enterprise market, but this will take some time as we continue to develop language support and reach that level of sophistication,” Søndergaard added.

For those interested in trying out Coana, early access is now available for companies to apply.

Avatar photo
Zara Khan

Zara Khan is a seasoned investigative journalist with a focus on social justice issues. She has won numerous awards for her groundbreaking reporting and has a reputation for fearlessly exposing wrongdoing.

Articles: 806

Leave a Reply

Your email address will not be published. Required fields are marked *