Endor Labs came out of stealth mode on Monday, launching its Dependency Lifecycle Management Platform, designed to provide end-to-end security for open source software (OSS). The platform addresses three things: helping engineers select better dependencies, helping organizations optimize their engineering effort, and helping them reduce vulnerability noise.
The platform scans the source code and offers feedback to developers and security teams on what is potentially good and bad about the libraries. Based on this, developers can make better decisions on which dependencies or libraries to use, where to use them, and who should use them.
“This allows them to select the best dependency for the job based on security and operational risk. It is like giving a credit scoring for consumers,” Endor Labs co-founder and CEO Varun Badhwar said.
As an organization moves through its software development process and uses a particular library, if it faces a Log4j-type vulnerability, for instance, the Endor Labs system automatically analyzes where in the code the vulnerable component is and whether it is being used in a manner that actually makes the organization vulnerable.
“In addition, it gives the organization feedback on whether it is a fixable vulnerability, which part of the code needs to be fixed and gives the entire remediation recommendation in a click of a button,” Badhwar said.
New platform helps remove unused code
The Dependency Lifecycle Management Platform also identifies dependencies that are no longer needed and helps remove that unused code.
“The reason for this is that people bring in a lot of code over the years,” Badhwar said. “However, there is never an initiative to remove the unused code. When this is not done, the application is exposed to the higher risk that is lingering in your environment.”
The platform also targets vulnerability noise reduction. Vulnerability scanners report every known vulnerability in every dependency, but according to Endor Labs only about 20% of those findings matter to a given organization and its usage of the code; the remaining 80% is noise. To decide whether a particular vulnerability applies to them, engineers otherwise have to review the code manually. Endor Labs claims its platform automates this determination and cuts vulnerability noise by 80%.
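The two checks described above, finding dependencies that are declared but never used and deciding whether a reported vulnerability is actually reachable from the application's own code, can be illustrated with a small added example. This is not Endor Labs code and says nothing about how its platform is implemented; it is a toy static call-graph walk over a constructed two-file Python application, with hypothetical packages `fancylog` and `leftpadlib` and a constructed advisory that names `fancylog.lookup` as the vulnerable function.

```python
"""Added example (not Endor Labs code): unused-dependency and vulnerable-function
reachability checks over a small, constructed code base."""
import ast
from collections import deque

# Constructed sample application. 'fancylog', 'leftpadlib' and all file
# names are hypothetical.
APP_FILES = {
    "app/main.py": """
import json
from app import handlers
import requests

def main():
    handlers.handle_request('{"q": "x"}')
""",
    "app/handlers.py": """
import fancylog
import json

def handle_request(raw):
    data = json.loads(raw)
    return render(data)

def render(data):
    fancylog.format_message(data["q"])
    return str(data)

def legacy_export(data):
    # dead code: nothing calls this, but it uses the vulnerable function
    fancylog.lookup(data)
""",
}
DECLARED_DEPS = {"requests", "fancylog", "leftpadlib"}   # e.g. from a manifest
ENTRY_POINTS = {"app/main.py:main"}
# Constructed advisory: only 'lookup' in 'fancylog' is affected.
ADVISORY = {"package": "fancylog", "vulnerable_functions": {"lookup"}}


def _imports(tree, files):
    """Map each local alias to ('file', path) for in-repo modules or ('ext', module)."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                aliases[a.asname or a.name.split(".")[0]] = ("ext", a.name)
        elif isinstance(node, ast.ImportFrom):
            for a in node.names:
                path = f"{(node.module or '').replace('.', '/')}/{a.name}.py"
                if path in files:
                    aliases[a.asname or a.name] = ("file", path)
                else:
                    aliases[a.asname or a.name] = ("ext", f"{node.module}.{a.name}")
    return aliases


def build_call_graph(files):
    """Return (graph, imported): graph maps 'path:func' -> callee ids, where an
    external callee is 'ext:module.attr'; imported is the set of top-level
    third-party modules imported anywhere."""
    graph, imported = {}, set()
    for path, src in files.items():
        tree = ast.parse(src)
        aliases = _imports(tree, files)
        imported |= {m.split(".")[0] for kind, m in aliases.values() if kind == "ext"}
        local_funcs = {n.name for n in tree.body if isinstance(n, ast.FunctionDef)}
        for fn in (n for n in tree.body if isinstance(n, ast.FunctionDef)):
            callees = set()
            for call in ast.walk(fn):
                if not isinstance(call, ast.Call):
                    continue
                f = call.func
                if isinstance(f, ast.Name) and f.id in local_funcs:
                    callees.add(f"{path}:{f.id}")
                elif isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
                    kind, target = aliases.get(f.value.id, (None, None))
                    if kind == "file":
                        callees.add(f"{target}:{f.attr}")
                    elif kind == "ext":
                        callees.add(f"ext:{target}.{f.attr}")
            graph[f"{path}:{fn.name}"] = callees
    return graph, imported


def reachable(graph, entry_points):
    """Breadth-first walk of the call graph from the given entry points."""
    seen, queue = set(), deque(entry_points)
    while queue:
        node = queue.popleft()
        if node not in seen:
            seen.add(node)
            queue.extend(graph.get(node, ()))
    return seen


def unused_dependencies(declared, imported):
    """Declared dependencies that no file imports: candidates for removal."""
    return sorted(declared - imported)


def reachable_vulnerable_calls(graph, entry_points, advisory):
    """Vulnerable external functions reachable from an entry point; empty means noise."""
    vuln = {f"ext:{advisory['package']}.{fn}" for fn in advisory["vulnerable_functions"]}
    return sorted(reachable(graph, entry_points) & vuln)


def analyze(files=APP_FILES, declared=DECLARED_DEPS,
            entry_points=ENTRY_POINTS, advisory=ADVISORY):
    graph, imported = build_call_graph(files)
    return {
        "unused_dependencies": unused_dependencies(declared, imported),
        "reachable_vulnerable_calls": reachable_vulnerable_calls(graph, entry_points, advisory),
    }


if __name__ == "__main__":
    print(analyze())
```

With the constructed input, `leftpadlib` is reported as unused and the advisory is reported as not reachable, because the only caller of `fancylog.lookup` is the dead `legacy_export` function; pointing `ENTRY_POINTS` at `app/handlers.py:legacy_export` flips that result. A static walk like this misses dynamic dispatch, reflection and calls buried inside transitive dependencies, so "not reachable" is a prioritization signal, not proof that an application is safe.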
Endor integrates with third-party source code repositories
The Dependency Lifecycle Management Platform runs in the cloud as a SaaS offering and connects to the customer's source code repositories. If an enterprise's repositories are on GitHub Cloud or GitLab Cloud, they are integrated with Endor Labs through an app.
If the source code is stored on premises, Endor Labs provides the organization with a code analysis tool that runs in its local environment; every time a developer pushes new code, the tool analyzes that code and gives the developer feedback.
The platform is sold on a subscription-based pricing model and is targeted at organizations with anywhere between 30 and 30,000 developers.
End-to-end visibility for CSOs
“The platform aims to help the CSOs with an end-to-end visibility to help them understand and catalogue everything the developers are using from the internet,” Badhwar said.
CSOs will also be able to evaluate their risk earlier and determine which risks are acceptable for the enterprise. On an ongoing basis, when organizations have hundreds or thousands of these packages and libraries, it can help CSOs uphold security in a targeted and actionable way while maintaining a strong partnership with the development team.
“With the visibility provided the CSOs can see how they can be a partner to the engineering team and help them not just to find problems but remediate and fix these problems early,” Badhwar said.
Log4j puts OSS security on the radar
Incidents like Log4j have put the use of OSS on the security community's radar. "Over 80% of the modern application code is code that developers don't write but borrow from the internet, making it a massive attack vector," Badhwar said.
Currently, the industry's main answer for OSS security is software composition analysis (SCA) tools, which offer license compliance checks and vulnerability scanning.
“The challenge is that at the scale and magnitude at which OSS is being adopted today, these tools are drowning engineers and security in false positives. Also, these tools only look at one vector of risk and that is the known vulnerability on an OSS package or dependency,” Badhwar said.
Even federal governments are paying attention to open source software security. In the aftermath of Log4j, the US last month introduced the Securing Open Source Software Act to ensure the US government anticipates and mitigates security vulnerabilities in open source software to protect Americans' most sensitive data. The bill directs the Cybersecurity and Infrastructure Security Agency (CISA) to develop a risk framework for evaluating how open source code is used by the federal government.
The Act would require CISA to identify ways to mitigate open source software risk, including hiring open source developers to address security issues. It further proposes establishing open source program offices, with guidance from the Office of Management and Budget.