UPDATED 08:00 EDT / APRIL 22 2025

SECURITY

Hopper raises $7.6M to accelerate software development with streamlined risk management

A startup called Hopper Inc. says it wants to transform the way enterprises deal with open-source software security risks after raising $7.6 million in seed funding today.

The round was co-led by Meron Capital and New Era, and saw participation from numerous other backers, including Sequoia Scout Fund, M-Fund and a number of entrepreneurs who previously sold their startups to the likes of Google LLC, Oracle Corp. and Intel Corp.

Hopper is trying to address the problems associated with modern software composition analysis, or SCA, tools, which have become the de facto standard for enterprises to analyze open-source software.

These days, the vast majority of business and consumer applications rely on open-source software. But the SCA tools that developers use to ensure this software is secure have not kept up with this pace of adoption, Hopper says. SCA platforms have a tendency to overwhelm developer teams with false positives, leading to high costs, complexity and a drag on productivity.

One of the main reasons for this excessive “noise” is that the Common Vulnerabilities and Exposures system purposely omits the “function-level detail” of vulnerabilities to prevent bad actors from exploiting them.

Hopper argues that omissions such as these come at a big cost to developer teams, which may know that a piece of software is vulnerable, but cannot do anything about it because they lack visibility into the exact nature of that threat.

For instance, the widely used open-source Log4j library for Java-based systems and applications made headlines back in 2021 when a critical flaw was discovered in its codebase, but the exact location of the vulnerability was not disclosed. Hopper argues that omissions like these come at a big cost to developer teams, forcing them to comb through more than 60,000 lines of code and more than 7,000 functions, even though the Log4j flaw only affected a single lookup function called JndiManager.

That’s why Hopper believes there’s room for an alternative. Unlike existing SCA tools, its platform boasts “function-level reachability” that allows developers to find exactly where vulnerabilities are, and understand the exact nature of the threat they pose.

Hopper analyzes open-source code in a completely different way to most SCA tools, which generally just inventory the manifest files. Instead of doing that, Hopper simulates how applications are built and how the code is executed to provide deeper visibility into how everything works. It automatically discovers all assets related to any application, uncovering internal and shadow dependencies.

This method allows it to provide insights into how code functions across direct, transitive and internal dependencies, Hopper says. It goes further, too, offering contextual remediation advice to help teams eliminate the risks posed by any vulnerability. Its software supports complex web frameworks, and runs without agents.

The company says its software is already being used by several Fortune 500 enterprises and numerous startups, where it’s rapidly replacing legacy SCA tools.

“Hopper doesn’t just tell you that a vulnerability exists,” the company quoted the chief information security officer of an unnamed large enterprise. “It shows you the line of code, the function, the evidence, and why it matters. That’s what finally gets developers to act.”

According to Hopper, its early adopters used to spend up to 8% of their total development time on addressing security alerts. Now, they waste hardly any time at all, it claims.

“We didn’t start Hopper because the world needs another SCA tool,” said co-founder and Chief Executive Roy Gottlieb. “We started it because existing solutions overwhelm teams and slow down development. Hopper is built to cut through the clutter, surface real risks and make open-source security fast, accurate and developer-friendly.”
