Want open source security? Focus on app dependencies



When it comes to building apps, most developers have a secret weapon for innovating fast: open source software. Research shows that open source libraries and components make up more than 75% of the code in an average software application, with the average application depending on more than 500 components.

While these open-source dependencies are handy, they also introduce new vulnerabilities that hackers can exploit. For example, injecting malware into a popular open source project can affect thousands of downstream users.

In an attempt to increase companies’ visibility into their open source software components, Endor Labs today emerged from stealth with a dependency lifecycle management platform and $25 million in seed funding.

The new solution gives developers a tool to assess, maintain and update the dependencies used across their environments.


Switch from software composition analysis

The announcement comes as more organizations commit to securing the software supply chain following President Biden’s Executive Order on Improving the Nation’s Cybersecurity.

The order required software vendors selling solutions to the government to maintain a software bill of materials (SBOM) and to perform automated vulnerability scanning. In effect, the order recognized that the growing complexity of open source components had to be addressed in order to keep pace with the threat landscape.

“80% of the code in modern apps is code that your developers didn’t write but depend on through open source packages. When our founding team was leading the Prisma Cloud engineering group at Palo Alto Networks, we realized the true magnitude of this problem,” said Endor Labs Co-Founder and CEO Varun Badhwar.

“Having previously created the Cloud Security Posture Management (CSPM) category, this team knows how to tackle next-generation threats. Our mission is to enable OSS [open-source software] to live up to its true potential without introducing unnecessary risks. It’s exciting to take a new approach to the market again, and we believe these solutions will radically improve app development everywhere,” said Badhwar.

At a time when the US government is calling on companies to produce SBOMs and raise their open source security maturity, Endor Labs offers a solution that monitors dependencies and increases transparency into how they are used across the organization, in order to produce an accurate SBOM.

Instead of just flagging insecure dependencies, Endor Labs also allows users to choose dependencies that are less vulnerable to compromise.
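To make concrete what an SBOM with dependency context looks like, here is an added example written for this article (not Endor Labs’ product or code): it resolves a constructed lockfile-style graph, marks each component as direct or transitive, records the chain that pulled it in, and matches components against a constructed advisory list with a placeholder id.

```python
from collections import deque

# Constructed lockfile-style graph: package -> (resolved version, packages it requires).
# Names, versions and the advisory id below are made up for this example, not real data.
LOCKFILE = {
    "app": ("1.0.0", ["web-framework", "http-client"]),
    "web-framework": ("4.2.1", ["template-engine", "http-client"]),
    "http-client": ("2.8.0", ["url-parser", "tls-lib"]),
    "template-engine": ("3.1.0", ["markup-escape"]),
    "url-parser": ("1.4.0", []),
    "tls-lib": ("0.9.3", []),
    "markup-escape": ("2.0.0", []),
}
ADVISORIES = {("tls-lib", "0.9.3"): "ADVISORY-PLACEHOLDER-1"}  # (package, version) -> id


def resolve(root):
    """Breadth-first walk from root -> {package: (version, depth, via)};
    depth 1 is a direct dependency, via is the package that pulled it in."""
    seen, queue = {}, deque((dep, 1, root) for dep in LOCKFILE[root][1])
    while queue:
        name, depth, via = queue.popleft()
        if name in seen:  # already reached by a path at least as short
            continue
        version, requires = LOCKFILE[name]
        seen[name] = (version, depth, via)
        queue.extend((d, depth + 1, name) for d in requires)
    return seen


def dependency_chain(deps, name, root):
    """Trace root -> ... -> name through the via links recorded by resolve()."""
    chain = [name]
    while chain[-1] != root:
        chain.append(deps[chain[-1]][2])
    return chain[::-1]


def build_sbom(root):
    """CycloneDX-style SBOM dict; each component records its scope, the chain that
    introduced it, and any matching advisory, i.e. the context plain SCA output lacks."""
    deps = resolve(root)
    components = [{"name": n, "version": v, "scope": "direct" if d == 1 else "transitive",
                   "chain": dependency_chain(deps, n, root), "advisory": ADVISORIES.get((n, v))}
                  for n, (v, d, _) in sorted(deps.items())]
    return {"bomFormat": "CycloneDX", "specVersion": "1.4",
            "metadata": {"component": {"name": root, "version": LOCKFILE[root][0]}},
            "components": components}


def flagged(root):
    """Components with a known advisory, mapped to the chain that pulls them in."""
    return {c["name"]: c["chain"] for c in build_sbom(root)["components"] if c["advisory"]}
```

Running `flagged("app")` shows that the flagged `tls-lib` is not something the app asked for directly but arrives through `http-client`, which is the kind of context needed to decide whether to pin, replace or drop a dependency.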

How Endor Labs Competes in the SCA Market

Traditionally, organizations use Software Composition Analysis (SCA) tools to analyze applications and detect the open source software they contain. SCA tools can verify the security of code used in critical applications. Researchers estimated the software composition analysis market would reach $398.4 million by 2022.

One of the main suppliers in this market is Snyk, with Snyk Open Source, an automated tool that monitors code for vulnerabilities using open source vulnerability intelligence while providing real-time reporting capabilities to support GRC teams.

Snyk recently raised $530 million in a Series F funding round in 2021, bringing its total valuation to $8.5 billion.

Another major competitor is Synopsys with Black Duck, which combines multi-factor open source detection with a knowledge base of over 4 million components to increase transparency across applications and containers, delivering automated vulnerability notifications, reports that detail severity, and more.

Synopsys recently announced $1.25 billion in revenue for the third quarter of fiscal year 2022.

However, Badhwar contends that Endor Labs differentiates itself from SCA tools based on its ability to help select secure, high-quality dependencies. Traditional SCA tools provide limited context on how dependencies are used and potential alternatives.

