Coana’s Background: From Academic Breakthrough to Next-Generation SCA Tool

At Coana, we are building an SCA (Software Composition Analysis) with built-in reachability analysis. Unlike conventional SCAs, Coana's SCA lets you focus on the actual reachable vulnerabilities in your dependency code and ignore the unreachable vulnerabilities. Since most vulnerabilities are unreachable in most applications, the burden of managing vulnerabilities is typically reduced 80-95% when using Coana. The reachability analysis used by Coana is based on static call graph analysis (learn more about it in the blog post what is SCA with reachability). It's no coincidence that the founders of Coana ended up building a company with static analysis at its core. In this post, we'll dive into the background of the Coana team and look at the history that led to the formation of the company.

Researchers at Aarhus University

Before founding Coana, three of the founders were full-time static analysis researchers. Professor Anders Møller, who headed and still heads the programming languages research group at Aarhus University, has primarily focused his research for over a decade on developing novel techniques for static analysis of the JavaScript programming language. Together with the rest of his research group, Anders has been developing the TAJS static analysis, which remains one of the most advanced static analyses for JavaScript.

Two of Anders' most recent PhD graduates, Benjamin Barslev and Martin Torp, are also founders of Coana. Benjamin and Martin worked with Anders on multiple research projects where static analysis was used to solve real-world issues facing developers and security professionals. In one of their publications, "Modular Call Graph Construction for Security Scanning of Node.js Applications" the first prototype of a reachability-based SCA for JavaScript is presented.

Early Days

JavaScript remains one of the fundamentally hardest programming languages to statically analyze. The language is dynamically typed, and the use of pre-compiled and minified third-party packages is common. Additionally, reflective features such as dynamic property reads and writes are extensively used, all of which are particularly challenging for a static analysis. However, the team behind Coana has been developing several novel techniques in the years prior to founding Coana, which makes it possible to analyze large JavaScript programs with high precision.

JavaScript's popularity has been on the rise. This trend is often attributed to its high degree of versatility through TypeScript, the Node.js runtime, the npm package management system, and the abundance of frontend frameworks. Concurrently, there has been an explosion in the number of vulnerabilities discovered in JavaScript packages, and it’s increasingly challenging for companies to keep them out of their applications. This trend convinced the early Coana team, consisting of Anders, Benjamin, and Martin, to begin implementing a new and powerful SCA for JavaScript that uses static analysis to prioritize vulnerability alerts.

Founding of Coana

To complement the deep technical knowledge of the three academic co-founders, a fourth co-founder, Anders Søndergaard, joined Coana as CEO when the company was formally founded. As an experienced founder and previous CEO of a technical startup, Søndergaard is particularly well-suited to lead Coana.

Today, Coana remains well-connected to its academic roots, with Møller's position as head of one of the world's leading static analysis research groups and two of Coana's first hires coming from either Møller's research group or one of its sister groups. This strong connection to academia is fundamental to building a company like Coana. Static analysis remains an unusually challenging type of technology to develop, making this close connection to the world's leading talent essential.

We believe that Coana is exceptionally well-positioned, and our academic connection will ensure that Coana remains a technological leader not only in JavaScript analysis but also in other programming languages that we are gradually adding support for in our SCA solution.

If you want to learn more book a demo below.