Software Supply Chain Innovator Endor Labs Unveils A New Way To Remediate Application Security Risks
August 07 2024 - 8:59AM
Business Wire
Latest Advances Solve Critical Industry Problem
and Speed Up Vulnerability Remediation
Endor Labs, the leader in software supply chain security, today
unveiled two groundbreaking capabilities that fix an expensive and
time-consuming problem in the Software Composition Analysis (SCA)
market.
Software version upgrades are often required to fix critical
vulnerabilities in open source software (OSS) dependencies.
However, those upgrades can be difficult to implement without
causing breaking changes to applications, making it hard to
actually reduce risk. The Director of AppSec Operations for a major
Fintech company told the Endor Labs team: “Developers fear upgrades
because of breaking changes. Imagine if the product could emulate
an upgrade to show which upgrade could impact which packages. With
this information, I could prioritize fixes based on how hard the
upgrade will be, and how many other packages will be affected.”
Today, that’s exactly what Endor Labs is delivering. AppSec
teams now get intel about how difficult a given upgrade can be,
including what could break. This makes it easy to have
conversations with Engineering about scoping security fixes and
setting service-level agreements (SLAs). And when the evidence
indicates the cost of upgrading will be too high, such as in the
case of a foundational package that could take months or years to
upgrade, teams can choose to immediately mitigate the vulnerability
with a backported security patch maintained by Endor Labs.
Marcelo Oliveira, VP of Product Management at Endor Labs, said:
“One of the best characteristics of OSS is the degree of constant
improvement—there’s a regular flow of upgrades to just about every
package. However, the merits can often be outweighed by the
dangers. With these new capabilities, teams can clear this hurdle
by sharply reducing the work required to understand the impact of
dependency upgrades, and stay safe when the risk of upgrades is too
high. It’s always been our mission to make security less of a
burden on software engineers, and with this launch we continue to
help security teams become better partners.”
While SCA offerings typically provide information on
non-vulnerable versions, none include remediation advice that’s
grounded in the context unique to each application. By contrast,
Endor Labs uses program analysis at the time of build to see
exactly which third-party dependencies are used and how they
interact with the application code. A deep understanding of the
application is what makes it possible to get an accurate software
inventory, eliminate noise based on reachability, and accurately
predict breaking changes.
With this release, Endor Labs users unlock two capabilities:
Upgrade Impact Analysis and Endor Magic Patches.
Upgrade Impact Analysis: Know How Painful an Upgrade Will
Be
By extending the program analysis engine to identify unintended
consequences such as breaking changes to an application, AppSec
teams can manage risk in the context of difficulty. Because they
understand how various fix options will impact the application,
they can:
- Improve Return on Investment of Remediation Efforts:
Identify which upgrades can have the highest security impact in
conjunction with the effort it takes
- Give Time Back to Developers: Reduce the need for manual
research by providing developers with a prioritized list of
upgrades ranked by complexity and impact
- Address Risks Faster: Make informed estimations of fix
efforts with standardized research so they can quickly implement
low effort/low risk fixes and make prioritization decisions for
complex fixes.
Endor Magic Patches: Mitigate Vulnerabilities When Upgrading
is Too Painful
Endor Magic Patches eliminate the hassle of hard-to-perform
upgrades by providing security patches that are backported to the
vulnerable version. The source code, patches, test, build and
deploy steps are available to inspect, and the builds are
completely reproducible and hermetic. AppSec teams can:
- Respond to Emerging Threats: Be ready for the next
Spring4Shell with peace of mind that they can obtain a patch to
ensure the organization stays safe while the team works to upgrade
dependencies
- Balance Developer Workloads: Reduce the urgency of
upgrading so developers can focus on releasing their planned
features without unexpected delays
- Support FedRAMP Compliance: Mitigate vulnerability risk
to protect sensitive information in alignment with government
requirements.
Meet with us at Black Hat:
https://www.endorlabs.com/events/black-hat-usa-2024.
Try the Endor Labs Software Supply Chain Security Platform free
for 30 days.
And join the webinar on August 21 at 11am PT to learn how Endor
Labs’ newest capabilities help developers fix the application
security risks that matter, even when it’s difficult:
https://www.endorlabs.com/events/give-devs-the-confidence-to-fix-making-remediation-less-painful.
About Endor Labs
The pace and complexity of software development is rapidly
intensifying. Developers are trying to keep up by maximizing reuse
of code (internally developed as well as open source), adopting
microservices architectures, and relying on a vast array of third
party tools and services to automate bits and pieces of the CI-CD
process. However, this can quickly sprawl and become untenable,
only causing more headaches for development and security teams in
the long term. Our mission is to deliver the impossible - create
secure software supply chains that actually make developers more
productive, rather than drowning in useless alerts. For more
information, visit https://www.endorlabs.com.
View source
version on businesswire.com: https://www.businesswire.com/news/home/20240807272994/en/
CONTOS DUNNE COMMUNICATIONS for Endor Labs endorlabs@cdc.agency
+1 (408) 776 1400 +1 (408) 893 8750