Socket Acquires Coana


Software supply chain security company Socket has acquired Coana, a static analysis and reachability engine built by security researchers from Aarhus University. This acquisition significantly strengthens Socket’s platform and positions the company as the clear market leader in modern software composition analysis.

Coana brings static control-flow and call graph analysis to Socket’s platform, allowing teams to prioritise vulnerabilities based on whether they’re actually exploitable in a given codebase.

Traditional vulnerability scanners commonly flood developers with an endless stream of security alerts, which leads to alert fatigue in security teams, meaning real issues go unaddressed.

Key to managing this workload is reachability analysis, which enables security teams to prioritise vulnerabilities that need to be addressed rapidly above those that cannot be practically exploited.

Coana’s reachability analysis engine solves this problem, eliminating up to 80% of false positives and allowing AppSec teams to cut through the noise and dramatically accelerate time to remediation for the most critical vulnerabilities.
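As an added illustration of the call-graph reachability idea described above (example code written for this page, not Coana’s or Socket’s own engine): a static call graph is walked from the application’s entry points, and an advisory is only flagged as actionable when the dependency function it concerns is reached. The application, package names, functions and advisory identifiers below are constructed placeholders.

```javascript
// Constructed static call graph: nodes are "module:function", edges are
// the calls a static analysis resolved. Not real package or advisory data.
const CALL_GRAPH = {
  "app:main": ["app:handleUpload", "app:renderHome"],
  "app:handleUpload": ["tar-lib:extract", "app:log"],
  "app:renderHome": ["tmpl-lib:render"],
  "app:log": [],
  "tar-lib:extract": ["tar-lib:writeEntry"],
  "tar-lib:writeEntry": [],
  "tar-lib:extractSymlinks": ["tar-lib:writeEntry"], // exists in the package, never called by app
  "tmpl-lib:render": ["tmpl-lib:escape"],
  "tmpl-lib:escape": [],
  "tmpl-lib:compileUnsafe": [],                      // exists in the package, never called by app
};

// Constructed advisories, each pinned to the function that carries the flaw.
const ADVISORIES = [
  { id: "ADV-0001-PLACEHOLDER", pkg: "tar-lib", fn: "tar-lib:writeEntry", severity: "high" },
  { id: "ADV-0002-PLACEHOLDER", pkg: "tar-lib", fn: "tar-lib:extractSymlinks", severity: "critical" },
  { id: "ADV-0003-PLACEHOLDER", pkg: "tmpl-lib", fn: "tmpl-lib:compileUnsafe", severity: "critical" },
];

// Breadth-first walk from the entry points; records the first call path
// found to every reachable function so a finding can be explained.
function reachableFrom(graph, entries) {
  const paths = new Map();
  const queue = [];
  for (const e of entries) { paths.set(e, [e]); queue.push(e); }
  while (queue.length) {
    const fn = queue.shift();
    for (const callee of graph[fn] || []) {
      if (!paths.has(callee)) {
        paths.set(callee, [...paths.get(fn), callee]);
        queue.push(callee);
      }
    }
  }
  return paths;
}

// Split advisories into reachable (with evidence path, highest severity first)
// and unreachable. "Unreachable" means no static path was found; a call the
// analysis could not resolve (dynamic dispatch, eval) would not appear here.
function triage(graph, entries, advisories) {
  const paths = reachableFrom(graph, entries);
  const reachable = [], unreachable = [];
  for (const adv of advisories) {
    const path = paths.get(adv.fn);
    if (path) reachable.push({ ...adv, path }); else unreachable.push(adv);
  }
  const rank = { critical: 0, high: 1, medium: 2, low: 3 };
  reachable.sort((a, b) => rank[a.severity] - rank[b.severity]);
  return { reachable, unreachable };
}
```

Running `triage(CALL_GRAPH, ["app:main"], ADVISORIES)` leaves one advisory to fix (the one on `tar-lib:writeEntry`, reached via `app:handleUpload`), while the two critical-rated advisories on functions the application never calls drop out of the queue.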

“For every team buried under thousands of vulnerability alerts, Coana’s reachability analysis offers a better way forward,” said Socket CEO Feross Aboukhadijeh. “They’ve built the most scalable and accurate reachability engine we’ve seen, and we’re excited to bring it into Socket to give developers precise, actionable vulnerability insights without the noise. Joining forces with Coana turbocharges our ability to deliver actionable, noise-free security alerts. This is a big win for our customers.”

The team behind Coana has now joined Socket. Coana was founded by static analysis experts from Aarhus University. Led by Professor Anders Møller (a pioneer in JavaScript analysis), Martin Torp, Benjamin Barslev, and CEO Anders Søndergaard, the team has spent years advancing the state of the art in static and control-flow analysis.

“Joining Socket means we can scale our impact immediately,” said Coana CEO Anders Søndergaard. “Together, we’ll help organisations drastically reduce their vulnerability management burden.”

Teams using Coana’s reachability analysis tool have seen up to 10 times faster remediation of critical security vulnerabilities as a result.

With this acquisition, Socket now delivers the most complete and mature software composition analysis platform on the market. The company currently protects over 8,500 organisations and more than 750,000 code repositories, scanning every commit in real time.

Socket detects and blocks more than 500 software supply chain attacks per week, and has identified over 100,000 malicious artifacts across open-source ecosystems like npm, PyPI, Maven, and Go.

“Great technology is built by great people,” said Aboukhadijeh. “The Coana team shares our values and brings world-class engineering talent to Socket. Together, we’re going to redefine what secure software development looks like.”
