Reviewing Malware with LLMs: OpenAI vs. Vertex AI
At Endor Labs, we continue evaluating the use of large language models (LLMs) for all kinds of use cases related to application security. And we continue to be amazed by high-quality responses … until we're amused by the next laughably wrong answer.
Endor Labs is SOC 2 Type II Certified!
Proving once again open source governance doesn't have to SOC. Yes, I made that joke again and I'm not sorry. We're excited to announce we have received a clean audit result on our SOC 2 Type II certification.
Make Developers' Lives Easier with Endor Labs & GitHub Advanced Security
Developers are bombarded with information every day. Constant context switching and information overload are among the biggest barriers to productivity. There are simply too many demands for their attention. One day the sales team will understand. Right?
LLM-assisted Malware Review: AI and Humans Join Forces to Combat Malware
Experiments with GPT-3.5 suggest that LLM-based malware reviews can complement, but not yet substitute for, human reviews. 1800 binary classifications performed with GPT-3.5 included both false positives and false negatives.
Introducing The Top 10 Open Source Software (OSS) Risks
The Endor Labs Station 9 research team teamed up with over 20 CISOs and CTOs to identify the top 10 security and operational risks introduced through reliance on open source code.
How to quickly measure SBOM accuracy for Maven projects (for free)
SBOM-Lab is an open source tool that lets you quickly compare SBOM generation methods for Maven projects and find the right one for you.
SBOM vs. SBOM: Comparing SBOMs from different tools and lifecycle stages
Software bills of materials (SBOMs) are becoming a key building block of software security and software supply chain risk management. Software vendors active in certain verticals will soon be required to provide customers with SBOMs for their products. But how and when should an SBOM for a given piece of software be produced?
What breaking changes teach us about security
GitHub rolled out a release that had some breaking changes to Git. Here's what we learned from it.
What is VEX and why should I care?
An SBOM without VEX is like peanut butter without jelly. SBOM has been the top buzzword in cyber-security lately, but it's important to understand why VEX (Vulnerability Exploitability eXchange) is such a critical companion document.
Exploring Risk: Understanding Software Supply Chain Attacks
Naming and understanding the attack vectors at the disposal of our adversaries.
SBOMs are just a means to an end
Software has eaten the world. Modern society is dependent on software for everything from communicating with family to the medical devices keeping our loved ones alive. But do you know what goes into that software? If your answer was sticky tape and glue, you clearly work in technology. Congratulations, this article is for you.
Introducing the OpenSSF Scorecard API
The Scorecard API makes it easier to automate and enforce your dependency policies. Naveen is one of the key contributors to the Scorecard project; in this article, he walks through how it works!