Security

How CycloneDX VEX Makes Your SBOM Useful

Explore the challenges of modern vulnerability management and the efficiency of the Vulnerability Exploitability eXchange (VEX) in our latest blog post. Learn how VEX helps identify and communicate the true exploitability of vulnerabilities, streamlining cybersecurity efforts in the face of overwhelming scanner findings.

SBOM Requirements for Medical Devices

Learn about the 2023 FDA rule for medical devices, including requirements for SBOMs, a mitigation plan, and secure software development practices.

CISA and NCSC's Take on Secure AI Development

A breakdown of the "Guidelines for Secure AI System Development document from CISA and NCSC.

Open Source Security 101: How to Evaluate Your Open Source Security Posture

Static SCA vs. Dynamic SCA: Which is Better (and Why it’s Neither)

Software composition analysis (SCA) tools take a static or dynamic approach. Learn the pros and cons of each option and see how the results differ.

How To Evaluate Secret Detection Tools

An overview of 3 requirements for a secret detection program, and how to do it with Endor Labs.

Why SCA tools can't agree if something is a CVE

One scanner says this is a CVE, and the other says it's not, who's right?

5 Federal Software Supply Chain Requirements You Should Be Aware Of

You found vulnerabilities in your dependencies, now what?

Endor Labs Named 2023 SINET16 Innovator Award Winner

Introducing SCA reachability analysis for Python, Go, and C#

90% of code in modern application is open source, yet only 12% of that code is actually used. Reachability analysis lets us prioritize the risks that can actually impact our applications.

The Open Source Security Index Top 5

What’s the best of the best when it comes to open source security tools?We’ve previously talked about the OpenSSF Scorecard, which gives developers a high-level snapshot of the security of any given open source project. But in this post, we’ll talk about a related project, the Open Source Security Index (OSSI), which does something slightly different and complementary.

Faster SCA with Endor Labs and npm workspaces

As projects grow larger and more complex, developers face challenges in maintaining a clean and efficient development workflow. Fortunately, npm workspaces offer an essential solution to streamline JavaScript development. In this blog post, we will explore the concept of npm/yarn workspaces, its importance, and how Endor Labs works with them.

Key questions for your SBOM program

All the questions (and some of the answers) you need before kicking off your SBOM program.

Endor Labs & Github Advanced Security: AppSec Without The Productivity Tax

How should I prioritize software vulnerabilities?

Like any source of risk, the key is to manage them cost-effectively rather than attempting to eliminate them completely. Resources - especially when it comes to development teams - are always limited. So focusing on the biggest issues first is crucial to delivering products but still doing so securely.In this post we’ll go into the key methods for evaluating known vulnerabilities in software. And provide you with the tools to make smart prioritization decisions.

Visualizing the Impact of Call Graphs on Open Source Security

Call graph visualizations can support developers in the assessment and mitigation of open source vulnerabilities. This blog post demonstrates this use-case by drilling down into a voluminous call graph until we clearly see the invocation of vulnerable open source methods by a given client. Understanding this invocation context helps developers understand the relevancy and impact of open source vulnerabilities and how to mitigate them.

Why Different SCA Tools Produce Different Results

Like anything in computer science and programming, there’s more than one way to solve a problem or get a result. SCA (software composition analysis) is no different.

Strengthening Security in .NET Development with packages.lock.json

Reviewing Malware with LLMs: OpenAI vs. Vertex AI

At Endor Labs, we continue evaluating the use of large language models (LLMs) for all kinds of use-cases related to application security. And we continue to be amazed about high-quality responses … until we’re amused about the next laughably wrong answer.

Endor Labs is SOC 2 Type II Certified!

Proving once again open source governance doesn’t have to SOC, yes I made that joke again and I’m not sorry. We’re excited to announce we have received a clean audit result on our SOC2 Type II certification.

Make Developers' Lives Easier with Endor Labs & GitHub Advanced Security

Developers are bombarded with information every day. Constant context switching and information overload are among the biggest barriers to productivity. There are simply too many demands for their attention. One day the sales team will understand. Right?

LLM-assisted Malware Review: AI and Humans Join Forces to Combat Malware

Experiments with GPT-3.5 suggest that LLM-based malware reviews can complement, but not yet substitute human reviews. 1800 binary classifications performed with GPT-3.5 included false-positives and false-negatives.

Introducing The Top 10 Open Source Software (OSS) Risks

The Endor Labs Station 9 research team teamed up with over 20 CISOs and CTOs to identify the top 10 security and operational risks introduced through reliance on open source code.

How to quickly measure SBOM accuracy for Maven projects (for free)

SBOM-Lab is an open source tool that lets you quickly compare SBOM generation methods for Maven projects and find the right one for you.

SBOM vs. SBOM: Comparing SBOMs from different tools and lifecycle stages

Software bills of materials (SBOM) are becoming a key building block of software security and software supply chain risk management. Software vendors active in certain verticals will soon be required to provide customers with SBOMs for their products. But how and when should an SBOM for a given piece of software be produced?

What breaking changes teach us about security

GitHub rolled out a release that had some breaking changes to Git. Here's what we learned from it.

What is VEX and why should I care?

An SBOM without VEX is like peanut butter without jelly. SBOM has been the top buzzword in cyber-security lately, but important to understand why VEX (Vulnerability Exploitability eXchange) is such a critical companion document

Exploring Risk: Understanding Software Supply Chain Attacks

Naming and understanding the attack vectors at the disposal of our adversaries.

SBOMs are just a means to an end

Software has eaten the world. Modern society is dependent on software for everything from communicating with family to the medical devices keeping our loved ones alive. But do you know what goes into that software? If your answer was sticky tape and glue you clearly work in technology. Congratulations, this article is for you.

Introducing the OpenSSF Scorecard API

The Scorecard API makes it easier to automate and enforce your dependency policies. Naveen is one of the key contributors to the Scorecard projects, in this article, he walks through how it works!

What security teams need to know about software development

This article is meant to help security teams begin their threat models and make more informed risk management decisions regarding their software development practices.