Introducing Coana: The Code-Aware SCA Backed by Sequoia

For software development teams that heavily rely on open source software, the task of remediating vulnerabilities can often be overwhelming. Today, we are excited to introduce Coana - a new approach to vulnerability scanning or Software Composition Analysis (SCA) specifically designed to address this challenge. With the backing of industry leaders such as Sequoia Capital and Essence VC, Coana is setting a new standard in managing vulnerabilities in open-source dependencies.

Rethinking Vulnerability Scanning for Real-World Applications

Coana emerged from a simple yet disturbing fact: traditional SCA tools produce up to 95% false alerts. This inefficiency stems from a lack of contextual understanding in vulnerability scanning. Traditional SCAs, despite being well-intentioned, often leave security teams sifting through a haystack of alerts to find the actual needles. Coana is here to change that.

The Coana Difference: Precision with Context

Coana’s new approach centers on the concept of ‘reachability analysis’. This means, instead of merely flagging every vulnerability present in your open source dependencies, Coana discerns which parts of these dependencies you're actually using. For instance, if a vulnerability is detected in a JavaScript library, Coana determines whether your codebase actually invokes the compromised section. If it doesn't, you're spared the hassle of unnecessary remediation, focusing only on what truly matters.

How Coana Works

1. Traditional SCA Scan: Coana begins with a standard SCA scan of your dependencies.
2. Reachability Analysis: Next, for any identified vulnerabilities, Coana performs a static control-flow analysis to determine if the vulnerable part of a dependency is actually being used in your application.
3. Targeted Alerts: You receive alerts only for the vulnerabilities that are truly reachable and relevant, dramatically reducing the noise and allowing you to focus on genuine threats.

Benefits for Security Teams

• Time Efficiency: Coana dramatically reduces the volume of alerts, decreasing the vulnerability management burden by between 80% and 95%.
• Improved Developer Experience: Beyond minimizing false alarms, Coana offers detailed insights on the specific locations in your code where a reachable vulnerability may be triggered, facilitating prompt and informed decision-making.

Technical Precision Built on Years of Academic Research

Coana’s static analysis technique, honed through extensive academic research, delivers nuanced insights into your code's execution paths and potential vulnerabilities. Originally developed for JavaScript/TypeScript by leading researchers from Aarhus University in Denmark, including Professor Anders Møller and PhDs Benjamin Barslev Nielsen and Martin Torp, Coana is now evolving, extending its capabilities to new programming languages.

Leading Tech Companies Streamlines Their Security Efforts with Coana

Our beta launch in October 2023 has already demonstrated significant impacts for companies like GAN Integrity (see case study) and Maze (see case study) focusing their application security efforts significantly.

Backed by Sequoia Capital, Essence VC, and other industry pioneers, Coana is dedicated to spreading this more intelligent, efficient approach to vulnerability management far and wide.

Join Us

If the challenge of managing vulnerabilities in open source dependencies is overwhelming your security workflow, Coana offers a new way forward. Reach out to us to learn more about how Coana can streamline your security processes, or schedule a demo below to see Coana in action.

The Coana Team - Anders, Anders, Benjamin, and Martin