Silicon Valley venture capital (VC) giant Sequoia is backing a Danish startup building a next-generation Software Composition Analysis (SCA) tool that promises to help companies filter out the noise and identify the vulnerabilities that pose a real threat.
For context, most software contains at least some open source components, many of which are outdated and maintained infrequently, if at all. This has led to all sorts of security flaws, such as Log4Shell in the open source Java logging framework Log4j, which led to breaches at high-profile organizations, including a US federal agency that failed to correct the flaw. This in turn has led to a set of new regulations designed to aggressively push companies to manage a tighter software supply chain.
The problem is that with millions of components permeating the software supply chain, it is not always easy to tell whether a particular application actually uses a particular component. There are, of course, many Software Composition Analysis (SCA) tools, from Snyk to Synopsys, that alert companies about known vulnerabilities in their technology stack, but this can create a lot of noise, especially when the application is not actively using the affected component, which makes it difficult for security teams to prioritize the vulnerabilities that really matter.
And this is where Danish cybersecurity startup Coana comes in, using “code-aware” SCA to help its users set aside irrelevant alerts and focus only on the ones that matter.
![Coana: Example of alerts](https://techcrunch.com/wp-content/uploads/2024/01/Coana-Visual-5-e1705574824763.jpg)
Coana: Example of alerts
Founded in Denmark in 2021, Coana is the creation of computer science professor Anders Møller and Ph.D.s Martin Torp and Benjamin Barslev Nielsen, who say they came up with a “technical breakthrough” while they were part of a research group at Aarhus University in Denmark, where they discovered a new technique for analyzing and understanding large JavaScript-based applications. CEO Anders Sondergaard joined the trio as co-founder in 2022, having come out of a previous biometric technology startup called Resilio the year before.
To help fund the company from the early access phase through to full commercialization, Coana today announced that it has raised $1.6 million in a pre-seed funding round led by Sequoia Capital, with participation from Essence VC and a large number of angel investors, including current and former executives from Google, Red Hat, and GitHub.
Third party
A typical application can consist of up to 90% third-party libraries, most of which are open source and maintained (or not) by any number of volunteer developers.
So a company building software might build its own application layer on top of these countless libraries, creating a long chain of dependencies tied to functionality. Traditionally, an SCA tool examines the version number of a given dependency, compares it against a database of known vulnerabilities, and reports back to developers if it finds a match. However, in many cases an application may only use one or two functions from a library of perhaps 50 functions, so if the vulnerability is in a part of the library that the application never calls, it should not really affect that application.
Businesses can use Coana to build what it calls a “call graph” of the entire application, which includes the application code and its dependencies, to understand data flow paths, and then use it to weed out false positives.
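As an added illustration (not Coana's code), the following Python script shows the difference between the two approaches on constructed sources: a version-based check would flag the library as a whole, while walking the call graph from the application's entry point shows whether the function named in the advisory is ever reached. Module names, function names and the "advisory" are all constructed for the example.

```python
"""Toy reachability-based SCA: is a library function flagged by an advisory
actually reachable from the application's entry point?"""
import ast
from collections import defaultdict, deque

# Constructed sample library: three functions, one of them (lookup) is the
# one a hypothetical advisory marks as vulnerable. The app only calls safe_parse.
LIB_SRC = """
def lookup(name):      # marked vulnerable by the constructed advisory
    return resolve(name)
def resolve(name):
    return name
def safe_parse(s):
    return s.strip()
"""
APP_SRC = """
import lib
def main():
    return lib.safe_parse("  hello ")
"""

def build_call_graph(sources):
    """sources: {module: source text}. Returns {"mod.func": {callees}}.
    Bare calls resolve to the same module; `mod.func(...)` resolves to mod."""
    graph = defaultdict(set)
    for mod, src in sources.items():
        for node in ast.walk(ast.parse(src)):
            if not isinstance(node, ast.FunctionDef):
                continue
            caller = f"{mod}.{node.name}"
            graph[caller]  # make sure leaf functions appear as nodes
            for sub in ast.walk(node):
                if not isinstance(sub, ast.Call):
                    continue
                f = sub.func
                if isinstance(f, ast.Name):
                    graph[caller].add(f"{mod}.{f.id}")
                elif isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
                    graph[caller].add(f"{f.value.id}.{f.attr}")
    return graph

def reachable(graph, entry, target):
    """Breadth-first search over the call graph from entry to target."""
    seen, queue = {entry}, deque([entry])
    while queue:
        cur = queue.popleft()
        if cur == target:
            return True
        for nxt in graph.get(cur, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False

def triage(advisory_funcs, sources, entry):
    """Map each advisory function to whether the app can actually reach it."""
    graph = build_call_graph(sources)
    return {fn: reachable(graph, entry, fn) for fn in advisory_funcs}
```

Running `triage(["lib.lookup"], {"lib": LIB_SRC, "app": APP_SRC}, "app.main")` reports the advisory function as unreachable, which is the alert a version-only scanner would still raise.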
“The amount of packages used and lines of code can be very large, so it requires some really complex static analysis,” Sondergaard told TechCrunch. “The connection graph enables us to do a huge analysis of all the possible paths between different dependencies. So, imagine an application consisting of hundreds or thousands of dependencies, we can identify all the paths between those dependencies to understand which ones are truly vulnerable – and which ones are not.”
It’s still very early, of course, as Coana introduced the first version of its product in October to its first paying customers — a mix of Series B- and C-stage startups. However, the company is expanding its support beyond JavaScript into Java and Python this year, which will help it target a broader customer base.
“As our product matures and our company matures, we are moving up the market, eventually targeting larger enterprises, but it will take some time before we have the sophistication in language support to get to that level,” Sondergaard said.
Businesses looking to check out Coana today can apply for early access now.