Newly Launched Endor Labs Gets Stamp of Approval from Cyber Execs to Secure Open Source Software

Endor Labs, a startup that came out of stealth mode to help development and security teams maximize open source software reuse, recently received additional funding from the Silicon Valley CISO Investments (SVCI) group, an angel syndicate powered by GGV Capital, a $9.2B global multi-stage VC firm, and one of the most highly regarded investment collectives in cybersecurity. Security executives from Robert Half, Ross Stores, Chime, Adobe, BlackHawk, ICE, HashiCorp, Flexport and more, have all chosen to take a personal stake in the new company. We sat down with Endor Labs CEO and co-founder Varun Badhwar to talk about the challenges of open-source security, how Endor looks to solve those challenges for companies, and what makes the newly formed company so unique in the market.

Varun Badhwar, Endor Labs

What makes open-source security such a challenge?

The first decade of open source adoption has been mostly about productivity. OSS is a massive productivity boost, as it allows developers to reuse and build on the work of thousands of other developers. We're now at a point where reliance on OSS at the enterprise level makes one thing very clear - OSS is not going anywhere. OSS communities will continue to grow and thrive, and will of course continue to be prime targets for supply chain attacks. In 2023, developers will face the challenge of increasing productivity - shipping products even faster with the help of OSS, while mitigating the looming threat of supply chain attacks. Today, about 80% of code in modern applications is open source code. Most of that 80% are software dependencies that are automatically pulled into the codebase by other open source projects. This means that developers have very little visibility into most of the code they use today. And once you understand that, it makes sense that the majority of vulnerabilities are found in transitive dependencies (those dependencies that are brought in automatically, and are not directly used by the application).

What are some of the fundamental flaws in how open-source software is currently secured?

This challenge can be split into three main buckets:

  1. Security noise - Today, the industry is very much focused on known vulnerabilities (CVEs) as an indicator of security. This has led software composition analysis (SCA) tools to drown developers in an endless stream of security alerts. After getting these alerts from security teams, developers must evaluate whether or not vulnerable code is actually reachable, or if the vulnerability has any impact on their organization. This slows down development considerably, as developers spend up to 50% of their time investigating and fixing vulnerabilities, and not writing value-adding code.

  2. Next-gen supply chain attacks - Most of the major supply chain attacks that have used OSS as their vector, or target, would not have been caught by looking at CVEs. Attacks like typosquatting and dependency confusion target the maintainer, or the method in which OSS packages are consumed. In these cases, the focus on known vulnerabilities, while important, is not helping enhance security.

  3. Maintenance is a nightmare - As mentioned above, 80% of code in modern applications is open source code, and most vulnerabilities are found in transitive dependencies. Why is this so important? Most of the code in that 80% isn’t selected by developers. It's code from the "indirect" or transitive dependencies that those packages rely on. In other words, each OSS package brings in a bunch of others. Most security threats, including known vulnerabilities, lurk within that sea of transitive dependencies. The challenge is that developers rarely have visibility into their dependency tree, or how deep it goes.

How does Endor Labs see their approach to open-source security working differently? What is your vision for the company?

Endor Labs takes a unique approach called Dependency Lifecycle Management. We leverage program analysis and call graphs to gain an unprecedented understanding of how code is actually being used in the organization. This allows security and development teams to get the context they need to make better decisions, instead of drowning in security alerts. What versions can be consolidated? What dependencies can be removed? What vulnerabilities can be deprioritized because they are not reachable? How can we generate accurate SBOMs with reachability data (VEX)? All these questions become easy to answer once you have a full understanding of the dependency graph, which can only be done by investing in program analysis. That’s why Endor Labs sought out the brilliant minds in academia who research these topics, so they may bring these concepts into the real world. Our engineering team includes some of the world’s leading static analysis experts, including 7 PhDs and senior engineers from Meta, Uber, Amazon, and Microsoft.
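As an added illustration of the transitive-dependency and reachability points made above (example code written for this page, not Endor Labs' product or code), the script below walks a constructed dependency manifest and call graph; every package, function and advisory id in it is a placeholder, and the "affected"/"not_affected" labels are the two VEX-style statuses the answer alludes to.

```python
from collections import deque

# Constructed sample data (placeholders, not real packages, functions or advisories).
DEPENDENCIES = {  # package -> declared dependencies; only "app"'s are developer-chosen
    "app": ["web-framework", "json-lib"],
    "web-framework": ["http-parser", "template-engine"],
    "json-lib": ["unicode-normalize"],
    "template-engine": ["unicode-normalize"],
    "http-parser": [],
    "unicode-normalize": [],
}
CALLS = {  # caller -> callees, qualified as package.function
    "app.main": ["web-framework.serve", "json-lib.loads"],
    "web-framework.serve": ["http-parser.parse_request"],
    "web-framework.render": ["template-engine.render"],  # never called by app
    "template-engine.render": ["unicode-normalize.nfc"],
    "json-lib.loads": ["unicode-normalize.nfc_strict"],
}
ADVISORIES = {  # vulnerable function -> placeholder advisory id
    "unicode-normalize.nfc": "ADV-PLACEHOLDER-1",
    "http-parser.parse_request": "ADV-PLACEHOLDER-2",
}

def closure(graph, starts):
    """Breadth-first closure: the start nodes plus every node reachable from them."""
    seen, queue = set(), deque(starts)
    while queue:
        node = queue.popleft()
        if node not in seen:
            seen.add(node)
            queue.extend(graph.get(node, []))
    return seen

def transitive_deps(root="app"):
    """Every package pulled in below root, direct or indirect."""
    return closure(DEPENDENCIES, DEPENDENCIES.get(root, []))

def indirect_deps(root="app"):
    """Packages the developer never chose: transitive minus direct."""
    return transitive_deps(root) - set(DEPENDENCIES.get(root, []))

def triage(entry="app.main"):
    """VEX-style status per advisory: 'affected' if the vulnerable function is
    reachable from the application's entry point, else 'not_affected'."""
    reachable = closure(CALLS, [entry])
    return {adv: "affected" if fn in reachable else "not_affected"
            for fn, adv in ADVISORIES.items()}
```

Here the vulnerable `unicode-normalize.nfc` is present in the dependency tree but only reachable through a framework function the application never calls, so its alert can be deprioritized, while `http-parser.parse_request` sits on a live path and stays "affected".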

Can you speak to your stellar lineup of investors and supporters - what makes this team so special?

The unique thing about our investors – which include over 30 CISOs, CEOs, and CTOs from companies like Palo Alto Networks, Zoom, Snowflake, Zscaler, Netskope, Rubrik, Databricks, Microsoft, Instacart and more – is they are builders and operators. These are the people who’ve had to deal with these issues firsthand for years and have recognized that Endor Labs is building the platform to meet these challenges. Beyond contributing capital, their counsel is invaluable and is rooted in the real-world issues their teams face every day, which makes our offering stronger, and perfectly suited to solve problems for our customers, not just make lofty promises.


###