Endor Labs is integrating with GitHub Advanced Security to make life easier for developers, delivering efficiency and security throughout the SDLC, without ever having to leave GitHub.
Developers invest a lot of time and effort into their code, making sure it safely delivers innovation and value to users. Unfortunately, a lot of that effort is wasted investigating security findings that ultimately represent no risk to the application. With the GitHub Advanced Security integration, Endor Labs enables development teams to establish efficient, automated processes to deliver software while eliminating 80% of the security noise that wastes developer time.
AppSec: A Complex Business Problem
Wasted productivity forces professional software organizations into perverse incentive structures by creating tension between the goals of delivering software and securing it. The fundamentals of securing applications have been known for years, yet organizations can’t simply implement them – introducing security tooling may improve risk management but also impacts developer productivity and morale.
Approximately 80% of security findings are ultimately determined to be false positives, and developers have voted lack of knowledge and context about security issues as their top AppSec challenge. Rather than deploying noisy security tools, we need improved tools that deliver more useful information with less noise.
AppSec Without a Productivity Tax
Endor Labs’ integration with GitHub Advanced Security does exactly that: it eliminates the noise that results in wasted effort. Instead of relying primarily on manual triage, our automated analysis and machine learning fill in contextual gaps and prioritize findings according to the risk they represent to the application. For example, not all CVEs in dependencies are reachable through the application code; Endor Labs correlates findings with the application’s call graph to automatically weed out findings that are not reachable. This ensures that developers focus on the highest-impact findings rather than false positives.
Modern application supply chains present a broad attack surface distributed across different phases and activities in the software development life cycle (SDLC). Endor Labs’ integration with GitHub Advanced Security provides a compelling solution that addresses security throughout the SDLC without imposing a productivity tax on your team.
Addressing Security with GitHub Advanced Security and Endor Labs Across the SDLC
The SDLC is a model often used to describe the process through which software is built, including phases such as design, development, testing and maintenance. The GitHub platform provides a great foundation for software organizations to manage their SDLC, including tools such as code repositories, requirement and issue tracking, and pipeline automation in the form of GitHub Actions. Simply by choosing GitHub, organizations gain huge benefits in developer productivity and collaboration.
The GitHub platform provides the foundation for developer workflows upon which the SDLC is built, such as managing repositories and branches, committing code, pull requests, code review and approvals, and more. Endor Labs works within the familiar GitHub flow used by the development team, ensuring that security and productivity are baked into the standard process.
Securing the Development Environment
The GitHub platform is very powerful, flexible, and secure, but organizations are responsible for the configuration of their environment. They must define who can access the environment, what they are authorized to do, whether pull requests need approvals, who can approve them, and so forth.
Endor Labs helps to establish and enforce policies that ensure repositories and pipelines are configured securely and hardened against attacks.
Selecting Open Source Components
Modern applications are often roughly 90% open source software (OSS) and only 10% custom code. During the design and development phases, developers spend a significant portion of their time evaluating and selecting open source components to use in the application. This includes verifying that the component is fit for purpose, documented, secure, and supportable.
Endor Labs evaluates and scores thousands of open source packages using criteria such as activity, security, quality and popularity, greatly reducing the effort required to select OSS components that will deliver value over the long term.
Securing and Governing OSS components
Once OSS components are selected, they need to be integrated into the application, deployed, and managed appropriately. Software Composition Analysis (SCA) tools such as GitHub Advanced Security’s dependency review identify which components are included in an application and whether they contain security or licensing risks. This is an important start, but it can be noisy: a vulnerability with a high CVSS score may not represent a significant risk if the application never exposes the vulnerability or executes the code associated with it. Developers spend a huge amount of time (in many cases, 50% of their time) investigating findings that are ultimately considered false-positive alerts.
Endor Labs leverages deep call graph analysis of the application and OSS components to understand which modules and functions are actually used by the application. It works in the GitHub platform to correlate that information with SCA data about component vulnerabilities and understand the risk they present to the application. With this integration, users can immediately improve developer productivity by excluding SCA findings that are not reachable by the application and cannot be exploited.
GitHub Actions make it easy for developers to add Endor Labs into automated pipelines where it works for them.
Endor Labs can be used at multiple points in the pipeline to establish and enforce OSS governance. For example, automated pipelines may prevent deployment if severe, reachable vulnerabilities are present. Or development builds may enforce review/replacement of components that are no longer receiving security updates or that have recently announced CVEs.
Securing Custom Code
Selecting and using secure OSS components is important, but you also need to secure your custom code. GitHub Advanced Security’s code scanning enables you to effortlessly find and prevent vulnerabilities while you write code, while staying in your workflow. It offers a wide range of customizable security policies, integrations with popular CI/CD pipelines and open source tools, and surfaces results in the Pull Request for easy collaboration, prevention, and remediation.
It provides clear and actionable feedback on vulnerabilities and remediation guidance, so you can view and triage issues directly in your code. Code scanning supports most popular languages and thousands of frameworks. It also provides advanced vulnerability analysis and variant analysis, and has detailed reporting capabilities for compliance and regulatory requirements.
With the proliferation of distributed architectures and cloud services, secrets are pervasive in modern software development. Ensuring that secrets are managed securely and not exposed to unauthorized users is critical. Secrets, especially those used in the development process, provide access to resources that attackers could use to compromise or take over data, systems, or the applications themselves.
GitHub's secret scanning is a tool integrated within the GitHub UI designed to prevent secrets leaks in development processes. It scans for over 200 token types, and is supported by a partner program of more than 150 service providers to detect leaked secrets at scale. With push protection, you can also prevent secrets from being committed to code in the first place.
Software Inventory and Compliance
Once software has been built, it may be necessary to document the contents of the software in the form of a Software Bill of Materials (SBOM) for compliance with regulatory or contractual requirements. Endor Labs facilitates compliance with a comprehensive SBOM solution that documents exactly which components are used in your application along with metadata such as CVEs.
Because Endor Labs understands the call graph of the application and OSS components, it can also produce VEX reports that provide context for the SBOM such as which vulnerabilities are reachable.
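To make the reachability idea from the SCA and VEX sections concrete, here is an added illustration (not Endor Labs' or GitHub's code) that walks a constructed call graph from the application's entry points, marks each SCA finding as reachable or not, and attaches a VEX-style status and justification. The call graph, package names and CVE-XXXX-* identifiers are all made up for the example.

```python
from collections import deque

# Constructed sample call graph: caller -> callees. "app.*" functions are the
# application's own code; the rest belong to (fictional) OSS dependencies.
CALL_GRAPH = {
    "app.main": ["app.handle_request", "yaml_lib.safe_load"],
    "app.handle_request": ["http_lib.parse_headers", "app.render"],
    "app.render": ["template_lib.render"],
    "http_lib.parse_headers": ["http_lib.parse_cookie"],
    "yaml_lib.safe_load": ["yaml_lib.parse"],
    # yaml_lib.load is the only path to construct_object, and the app never calls it.
    "yaml_lib.load": ["yaml_lib.parse", "yaml_lib.construct_object"],
}

# Constructed SCA findings with placeholder CVE ids; each names the function
# that actually contains the vulnerable code.
SCA_FINDINGS = [
    {"id": "CVE-XXXX-0001", "vulnerable_function": "yaml_lib.construct_object", "cvss": 9.8},
    {"id": "CVE-XXXX-0002", "vulnerable_function": "http_lib.parse_cookie", "cvss": 7.5},
    {"id": "CVE-XXXX-0003", "vulnerable_function": "template_lib.escape", "cvss": 6.1},
]


def reachable_functions(call_graph, entry_points):
    """Breadth-first walk from the entry points; returns every transitively called function."""
    seen = set(entry_points)
    queue = deque(entry_points)
    while queue:
        fn = queue.popleft()
        for callee in call_graph.get(fn, []):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def triage(findings, call_graph, entry_points):
    """Label each finding with a VEX-style status; reachable findings sort first, then by CVSS."""
    reached = reachable_functions(call_graph, entry_points)
    results = []
    for f in findings:
        reachable = f["vulnerable_function"] in reached
        results.append({
            "id": f["id"],
            "cvss": f["cvss"],
            "status": "affected" if reachable else "not_affected",
            # Justification wording follows the OpenVEX vocabulary for unreachable code.
            "justification": None if reachable else "vulnerable_code_not_in_execute_path",
        })
    results.sort(key=lambda r: (r["status"] != "affected", -r["cvss"]))
    return results


if __name__ == "__main__":
    for row in triage(SCA_FINDINGS, CALL_GRAPH, ["app.main"]):
        print(row)
```

Note that the 9.8-score finding ends up below the 7.5 one: its vulnerable function is only reachable through an API the application never calls, which is exactly the kind of finding the text describes as safe to exclude.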
Endor Labs Integration with GitHub Advanced Security: Security Throughout the Software Supply Chain
To eliminate the productivity tax, security tools need to deliver accurate findings in established developer workflows, with contextual details that eliminate the need for manual research and triage.
Endor Labs’ integration with GitHub Advanced Security enables developers to accurately identify and remediate dependency risks that are exposed in their applications, within comfortable and familiar GitHub workflows. Deep call graph analysis gives developers immediate insight into how vulnerable dependencies are introduced to the application and whether the vulnerable code is actually used by the application.