Inside BinaryAudit: How Quesma Is Tackling the Hidden Risk of Closed-Source Software Dependencies

When organizations deploy commercial software, they typically trust that the vendor has done its due diligence on security, licensing, and code quality. But what happens when a closed-source binary ships with embedded open-source components that carry known vulnerabilities, restrictive licenses, or outdated dependencies? A new tool from database middleware company Quesma aims to shine a light on exactly that problem — and the implications for enterprise software procurement could be significant.
Quesma, a company primarily known for building middleware that helps organizations transition between database backends, recently announced BinaryAudit, a free online tool designed to analyze closed-source software binaries and reveal the open-source components hidden inside them. The tool performs Software Composition Analysis (SCA) on compiled binaries without requiring access to source code, producing detailed reports on embedded dependencies, their known vulnerabilities, and their license obligations.
The Problem With Black-Box Software
The modern software supply chain is built on open-source foundations. According to multiple industry studies, the vast majority of commercial software products incorporate open-source libraries and components. This is neither unusual nor inherently problematic — open-source code accelerates development and provides battle-tested functionality. The issue arises when those embedded components carry known security vulnerabilities (CVEs) or license terms that create legal exposure for the end user, and the vendor either fails to disclose them or is unaware of their presence.
For enterprises running mission-critical workloads, this opacity represents a material risk. A vulnerability in an embedded logging library or a copyleft license buried three layers deep in a dependency tree can create security incidents or legal complications that the purchasing organization never anticipated. Software Bills of Materials (SBOMs) — standardized inventories of components within a software product — have emerged as one answer to this transparency gap. The U.S. government, through Executive Order 14028 on cybersecurity, has pushed for SBOM adoption, and major regulatory frameworks in the EU are following suit. But vendor-supplied SBOMs are only as good as the vendor’s willingness and ability to produce them accurately.
How BinaryAudit Works Under the Hood
BinaryAudit takes a different approach from traditional SCA tools, which typically operate on source code repositories. As described by Quesma on its blog, the tool accepts compiled binaries — the actual artifacts that organizations deploy in production — and analyzes them to identify embedded open-source components. Users upload a binary file through a web interface, and the tool generates a report listing detected components, their versions, associated CVEs from public vulnerability databases, and the licenses governing each component.
The approach addresses a fundamental asymmetry in the software market. Buyers of commercial software rarely have access to the source code. They receive compiled binaries and must trust the vendor’s representations about what is inside. BinaryAudit effectively allows a buyer to independently verify those representations, or to discover information the vendor never disclosed in the first place. Quesma positions the tool as particularly useful for procurement teams, security auditors, and compliance officers who need to assess risk before deploying third-party software in regulated environments.
Why a Database Middleware Company Built a Binary Analysis Tool
Quesma’s core business involves helping organizations migrate between database technologies — for example, enabling applications written for Elasticsearch to run against ClickHouse or other backends without code changes. The company’s decision to build BinaryAudit may seem tangential, but it reflects a pattern common among infrastructure-focused startups: the problems you encounter while building your primary product often reveal adjacent opportunities.
According to the company’s blog post, the motivation for BinaryAudit grew out of Quesma’s own experience evaluating software components and dependencies. The team recognized that while open-source projects benefit from community scrutiny and tools like GitHub’s Dependabot or Snyk for vulnerability scanning, closed-source commercial products exist in a relative blind spot. The tool is offered for free, which suggests it serves a strategic purpose for Quesma — likely as a brand-building exercise and a way to establish credibility with the enterprise security and compliance community that overlaps with its target customer base for database middleware.
The Broader Push for Software Supply Chain Transparency
BinaryAudit arrives at a moment when software supply chain security is receiving unprecedented attention from regulators, industry groups, and enterprises themselves. The SolarWinds breach in 2020, the Log4Shell vulnerability in late 2021, and the XZ Utils backdoor discovered in early 2024 have all underscored the risks embedded in software dependencies — whether open-source or commercial. Each incident demonstrated that a single compromised or vulnerable component can propagate risk across thousands of organizations.
The regulatory response has been substantial. In the United States, NIST has published updated guidance on SBOM formats and minimum elements. The Cybersecurity and Infrastructure Security Agency (CISA) has been actively promoting SBOM adoption across federal agencies and critical infrastructure operators. In Europe, the Cyber Resilience Act (CRA), which is moving toward implementation, will impose new requirements on software vendors to document and disclose the components in their products. These regulatory trends create demand for tools that can independently verify vendor claims about software composition — precisely the function BinaryAudit is designed to serve.
Limitations and the State of Binary Analysis
Binary analysis is inherently more challenging than source-code analysis. When code is compiled, much of the metadata that makes component identification straightforward — package names, version strings, dependency manifests — can be stripped away or obfuscated. Binary SCA tools must rely on techniques such as string matching, function signature detection, and binary fingerprinting to identify embedded components. The accuracy of these methods varies depending on the compilation toolchain, optimization settings, and whether the binary has been stripped or packed.
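To make the string-matching technique concrete, here is an added illustration that is not Quesma's code and says nothing about BinaryAudit's actual method: a small Python scanner that pulls printable strings out of a constructed binary blob, matches them against constructed version-string signatures for two libraries, and joins the hits against a constructed table of licenses and placeholder CVE ids. The signatures, the blob, and the knowledge base are all assumptions made for the example; an unknown version is reported as such rather than silently dropped, which is the false-negative trap the paragraph above describes.

```python
import re

# Constructed sample of the strings a stripped ELF binary might still contain.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"OpenSSL 1.1.1k  25 Mar 2021\x00"
    + b"\x90\x90\x90"
    + b"inflate 1.2.11 Copyright 1995-2017 Mark Adler\x00"
    + b"zlib version 1.2.11\x00"
    + b"\xde\xad\xbe\xef"
)

# Constructed signature table: a regex over printable runs -> component name.
SIGNATURES = {
    "openssl": re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)"),
    "zlib": re.compile(rb"(?:inflate|zlib version) (\d+\.\d+\.\d+)"),
}

# Constructed knowledge base with placeholder CVE ids (not real advisories).
KNOWN = {
    ("openssl", "1.1.1k"): {"license": "OpenSSL", "cves": ["CVE-PLACEHOLDER-0001"]},
    ("zlib", "1.2.11"): {"license": "Zlib", "cves": []},
}

def extract_printable_strings(blob: bytes, min_len: int = 6) -> list[bytes]:
    """Emulate `strings`: runs of printable ASCII of at least min_len bytes."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)

def detect_components(blob: bytes) -> dict[str, str]:
    """Return {component: version} for every signature that matches a string."""
    found: dict[str, str] = {}
    for s in extract_printable_strings(blob):
        for name, pattern in SIGNATURES.items():
            m = pattern.search(s)
            if m and name not in found:
                found[name] = m.group(1).decode()
    return found

def build_report(blob: bytes) -> list[dict]:
    """Join detections against the knowledge base; unknown versions are flagged."""
    report = []
    for name, version in sorted(detect_components(blob).items()):
        info = KNOWN.get((name, version))
        report.append({
            "component": name, "version": version,
            "license": info["license"] if info else "unknown",
            "cves": info["cves"] if info else [],
            "known": info is not None,   # False means: version seen, no data on it
        })
    return report
```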
Quesma’s blog post does not provide extensive technical detail on the detection methodology BinaryAudit employs, which leaves open questions about false positive and false negative rates. Enterprise users evaluating the tool will want to understand how it performs against binaries compiled with different toolchains (GCC vs. Clang vs. MSVC), how it handles statically linked versus dynamically linked libraries, and how frequently its component signature database is updated. These are not criticisms unique to BinaryAudit — they apply to the entire category of binary SCA tools, including commercial offerings from companies like Black Duck (Synopsys), FOSSA, and Finite State.
Competitive Context and Market Positioning
The binary analysis and SCA market is not new. Synopsys’ Black Duck product has offered binary analysis capabilities for years, primarily targeting large enterprises with complex compliance requirements. FOSSA, Snyk, and Sonatype all provide SCA functionality, though most focus on source-code-level analysis integrated into CI/CD pipelines. Finite State has carved out a niche in firmware and binary analysis for IoT and embedded devices. What distinguishes BinaryAudit, at least at launch, is its accessibility: it is free, web-based, and does not require integration into a development workflow. This positions it as a lightweight, ad-hoc tool rather than a comprehensive enterprise platform.
For procurement and security teams that need a quick assessment of a vendor’s binary before making a purchasing decision or deploying an update, this low-friction approach has clear appeal. It lowers the barrier to performing due diligence that many organizations currently skip entirely. However, organizations with mature software supply chain security programs will likely continue to rely on more comprehensive commercial tools that offer continuous monitoring, policy enforcement, and integration with vulnerability management workflows.
What This Means for Enterprise Software Buyers
The existence of tools like BinaryAudit shifts the dynamic between software vendors and their customers. When buyers can independently inspect what is inside a compiled binary, vendors face greater accountability for the components they ship. A procurement team that discovers a critical CVE in an embedded library — or a GPL-licensed component in a product sold under a proprietary license — has concrete evidence to bring to the negotiating table or to a legal review.
This transparency pressure is likely to accelerate the trend toward vendor-provided SBOMs. Vendors who proactively disclose their software composition will be better positioned than those who are caught shipping undisclosed vulnerable or improperly licensed components. For the enterprise software market as a whole, tools that enable independent verification represent a maturation of software supply chain practices — moving from trust-based relationships to evidence-based assurance.
Quesma’s BinaryAudit may be a small tool from a relatively small company, but it represents a broader shift in how organizations think about the software they buy and deploy. The question is no longer whether enterprises should inspect the components inside their commercial software — it is how quickly the tooling and processes to do so will become standard practice.