Want open-source security? Focus on app dependencies



When it comes to creating applications, most developers have a secret weapon to innovate at pace: open-source software. Research shows that open-source libraries and components make up more than 75% of the code in the average software application, with the average software application depending on more than 500 components. 

While these open-source dependencies are convenient, they also widen the attack surface: a vulnerability or malicious change in one widely used package propagates to every application that pulls it in. Injecting malware into a popular open-source project, for instance, can affect thousands of downstream users.

In an attempt to increase enterprise visibility over open-source software components, today Endor Labs came out of stealth with a Dependency Lifecycle Management Platform and $25 million in seed funding.

The new solution gives developers a tool to evaluate, maintain and update the dependencies they pull into their environments.


Moving on from software composition analysis 

The announcement comes as more and more organizations are committing to securing the software supply chain following President Biden’s Executive Order On Improving the Nation’s Cybersecurity. 

The order directed vendors selling software to the federal government to provide a software bill of materials (SBOM) and to use automated tools to check their code for vulnerabilities. Fundamentally, it recognized that the spiraling complexity of open-source dependency trees had to be addressed before the threat landscape could be brought under control.

“Eighty percent of the code in modern applications is code your developers didn’t write but depend on through open-source packages. When our founding team was leading the Prisma Cloud engineering group at Palo Alto Networks, we realized the true magnitude of this issue,” said Varun Badhwar, cofounder and CEO of Endor Labs.

“Having previously created the cloud security posture management (CSPM) category, this team knows how to take on next-generation threats. Our mission is to enable OSS [open-source software] to live up to its true potential without introducing unnecessary risk. It’s exciting to once again take a new approach to the market, and we believe these solutions will radically enhance application development everywhere,” Badhwar said. 

In an era where the U.S. government is calling on enterprises to produce SBOMs and increase the maturity of open-source security, Endor Labs offers a solution to monitor dependencies and increase transparency over how they’re used throughout the organization to build an accurate SBOM. 

Instead of just pointing out insecure dependencies, Endor Labs also enables users to pick dependencies that are less vulnerable to compromise. 

How Endor Labs is competing against the SCA market 

Traditionally, organizations use software composition analysis (SCA) tools to analyze applications and detect open-source software. SCA tools can check the security of the code used in critical applications. Researchers estimated the software composition analysis market would reach $398.4 million by 2022. 

One of the main vendors in this market is Snyk, whose Snyk Open Source product automatically monitors projects and code for vulnerable dependencies, backed by the company’s open-source vulnerability intelligence, and offers real-time reporting to support GRC teams.

Snyk most recently raised $530 million as part of a series F funding round in 2021, bringing its total valuation to $8.5 billion. 

Another significant competitor is Synopsys with Black Duck, which combines multifactor open-source detection and a KnowledgeBase of over 4 million components to increase transparency over applications and containers to offer automated vulnerability notifications, reports that detail severity, and more. 

Synopsys recently reported $1.25 billion in revenue for Q3 FY 2022.

However, Badhwar argues that Endor Labs differentiates itself from SCA tools based on its ability to help select secure and high-quality dependencies. Traditional SCA tools offer limited context on how dependencies are used and potential alternatives.
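The gap Badhwar describes, and the SBOM-building mentioned earlier, can be made concrete with a small script. The following is an added illustration, not code from Endor Labs or any SCA vendor: it assembles a minimal CycloneDX-shaped SBOM from a constructed lock file, matches it against a constructed advisory feed (package names, versions and vulnerable symbols are all made up), and then uses Python’s `ast` module to check whether the application actually calls the vulnerable API. A plain SCA report would flag both vulnerable packages; the usage context shows only one of them is reachable.

```python
"""Reachability-aware dependency check.

Added example, not the page's or any vendor's code.  All package names,
versions and advisories below are constructed for illustration.
"""
import ast

# Constructed inventory of direct dependencies (name -> version), standing in
# for what a lock file would provide.
LOCKFILE = {"yamlkit": "5.1.0", "imgproc": "2.3.1", "httpcore": "1.0.4"}

# Constructed advisory feed: package -> (first fixed version, vulnerable symbol).
# Any version below the fixed version is treated as affected.
ADVISORIES = {
    "yamlkit": ("5.4.0", "yamlkit.load"),
    "imgproc": ("2.4.0", "imgproc.render_svg"),
}

# Constructed application source.  It imports both affected packages but only
# calls yamlkit.load; imgproc.render_svg is never invoked.
APP_SOURCE = '''
import yamlkit
import imgproc
from httpcore import get

def read_config(path):
    with open(path) as fh:
        return yamlkit.load(fh)

def thumbnail(img):
    return imgproc.resize(img, 64)
'''


def version_tuple(version):
    """Turn '5.1.0' into (5, 1, 0) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def build_sbom(lockfile):
    """Produce a minimal CycloneDX-shaped component list from the lock file."""
    return {
        "bomFormat": "CycloneDX",
        "components": [
            {"type": "library", "name": name, "version": version}
            for name, version in sorted(lockfile.items())
        ],
    }


def called_qualified_names(source):
    """Collect dotted call targets in the source, e.g. 'yamlkit.load'.

    Only direct attribute chains rooted at a bare name are resolved; aliases
    such as 'import yamlkit as y' or calls through variables are not followed.
    """
    names = set()
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        parts = []
        target = node.func
        while isinstance(target, ast.Attribute):
            parts.append(target.attr)
            target = target.value
        if isinstance(target, ast.Name):
            parts.append(target.id)
            names.add(".".join(reversed(parts)))
    return names


def assess(sbom, advisories, source):
    """Map each SBOM component to 'clean', 'unreachable' or 'reachable'."""
    calls = called_qualified_names(source)
    result = {}
    for component in sbom["components"]:
        advisory = advisories.get(component["name"])
        if advisory is None:
            result[component["name"]] = "clean"
            continue
        fixed_version, vulnerable_symbol = advisory
        if version_tuple(component["version"]) >= version_tuple(fixed_version):
            result[component["name"]] = "clean"
        elif vulnerable_symbol in calls:
            result[component["name"]] = "reachable"
        else:
            result[component["name"]] = "unreachable"
    return result


if __name__ == "__main__":
    for package, status in assess(build_sbom(LOCKFILE), ADVISORIES, APP_SOURCE).items():
        print(f"{package}: {status}")
```

Run as-is, it reports `yamlkit` as reachable, `imgproc` as unreachable and `httpcore` as clean. The unreachable finding is still worth fixing, but it can be scheduled rather than treated as an emergency. Real tools have to go further than this sketch: resolve import aliases, follow calls through the transitive dependency graph rather than only the application’s own files, and handle dynamic dispatch that static analysis cannot see.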
