I’m incredibly proud and excited to announce that we’re launching Endor Labs today, with $25M in seed financing from Lightspeed Venture Partners, Dell Technologies Capital, and Sierra Ventures, along with personal investments from over 30 world class business leaders including Nikesh Arora, CEO of Palo Alto Networks; Jay Chaudhary, CEO of Zscaler; Sanjay Beri, CEO of Netskope; Bipul Sinha, CEO of Rubrik; Aparna Bawa, COO of Zoom; and Sri Viswanathan, Former CTO of Atlassian.
I’d like to take this opportunity to tell you a bit about our journey, and what we’re building.
There’s a myth in entrepreneurship about being first. In reality, most successful companies out there weren’t first to solve a problem. They solved it differently, in a way that made more sense, or in a way that made people’s lives easier.
Back when we started RedLock in 2015, we weren’t the first to think about cloud security, but we thought about it differently. We realized that compliance is getting conflated with security, and the two are not the same. That resonated with the industry, and helped usher in the Cloud Security Posture Management (CSPM) category.
It also led me to the incredible opportunity to build the product that would become Prisma Cloud by Palo Alto Networks. That was when my co-founder Dimitri and I started seeing the patterns of a new security challenge.
I was running a 400-person engineering team, and as you could imagine, security was paramount at Palo Alto Networks. We were defending some of the world’s largest organizations and customers trusted us to have the highest security standards.
This meant that developers were asked to prioritize fixing every vulnerability we identified. And as you’ve probably experienced, SCA tools were generating tens of thousands of alerts related to OSS dependencies. There was no good way to validate these reported vulnerabilities, besides developers performing manual code reviews.
Typically, what they found is that 80% of those vulnerabilities were not affecting us in any way, based on how we were actually using the dependency in our code. Even for the 20% that were relevant, updates were risky and unpredictable. It was common for developers to go on Slack and ask something like “who’s using this open source dependency? I plan to update it and you might be impacted”. We realized that in large organizations that rely on thousands of dependencies, visibility into how that code is actually being used was nonexistent.
This meant that analyzing the potential impact of something as common as an update, let alone a large-scale vulnerability, was next to impossible. This problem was so prevalent, and was shared by so many of our friends in the industry, that it drove us to start Endor Labs.
The code security space is a similar place to where cloud security was in 2016. There are many compliance driven OSS companies out there, and we’ve started confusing compliance with security again. This industry started with license compliance, and then evolved into vulnerability compliance (checking for CVEs). But with rapidly evolving supply chain threats, it’s time for a more holistic approach.
Why focus on code?
There are three main factors that should drive the industry to focus on code security in general, and OSS security specifically.
- Speed to market is everything - The demand for increased development velocity has never been higher. This is why open source has won. It’s an integral part of how we do business and it’s not going anywhere - nor should we want it to. OSS let’s us move faster and focus on developing our unique values.
- Infrastructure is being abstracted by CSPs - Your CSP largely owns the security and compliance of your underlying infrastructure and networking, and abstracts them away from you. This is amazing for the speed of app delivery, but means that the only layers you own and control are application and data.
- You didn’t write 80% of the code you use - The result of the two points above, is that code is your most significant and most sensitive asset, and most of it is actually open source dependencies you didn’t write, and most likely have little governance over.
As we continue building in this space, I can’t help but notice the similarities to early cloud security:
- Rapidly increasing sprawl with limited visibility and governance - then it was S3 buckets, EC2 instances, and EBS volumes. Now it’s direct and transitive open source dependencies.
- Essential resources for innovation - the advancements in cloud abstractions were a huge boost to innovation. As an industry, we had to find a safe way to support cloud usage. Now, we must support the adoption of OSS and promote safe software reuse.
- Security is reactive - Since Log4j made headlines, we’re hearing about a weekly supply chain attack, typically targeting OSS consumers or even the maintainers themselves. Similar to how we heard of S3 breaches every week in 2016.
SolarWinds and Log4j put the spotlight on software supply chain security. We identified the same serious issues that we also had to deal with firsthand as we tried to answer the board’s questions on supply chain resiliency.
After interviewing dozens of CTOs and CISOs from companies with over 10,000 employees, we learned that on average, enterprises rely on over 40,000 direct open source packages; and each of those, in turn, bring in an average of 77 additional (transitive) dependencies. This causes massive and uncontrollable sprawl, which slows development while increasing the attack surface.
The White House & US Government have recently indicated their commitment in addressing the issues. They’ve openly declared open source software security to be a national security issue and the recent Executive Order update and subsequent legislation introduced by the Senate continue to validate the severity of the problem.
Endor Labs was founded for these purposes, and we’re on a mission to solve these problems and more. Solutions currently do not exist to solve them (as the CSRB even points out here on page 13). Over the past year, over 75 companies ranging from 200 to 35,000 employees have provided feedback that was incorporated into what is now the Endor Labs platform.
Introducing Endor Labs
Endor Labs launches today with the first Dependency Lifecycle Management Platform, designed to address the weakest link in the software supply chain security - the ungoverned sprawl of open source software in the enterprise.
Our mission at Endor Labs is to help developers spend less time dealing with security issues and more time accelerating their development through safe code reuse. With Endor Labs, development and security teams are able to maximize software reuse by safely evaluating, maintaining, and updating dependencies at scale.
Endor Labs achieves this by going beyond the traditional methods of metadata and vulnerability scanning, and using program analysis and call graphs to gain a deep understanding of how dependencies are being used across the organization.
With Endor Labs, development and security teams are now able to reduce supply chain risk, while safely accelerating development with OSS:
- Select - Each dependency gets a score based on quality, security, maintainer activity, and popularity. Development and security teams now have the information they need to select better dependencies, consolidate versions, and set governance policies.
- Secure - Endor Labs goes beyond known vulnerabilities and gives security teams a way to measure both security and operational risk. Thanks to a deep understanding of dependency usage across repositories, security teams are able to prioritize vulnerabilities that are actually reachable and exploitable, detect next-gen supply chain attacks, and reduce false positives by up to 80%.
- Maintain - By eliminating unused and unmaintained dependencies, organizations are able to both reduce their overall attack surface and optimize application performance.
The benefits of the lifecycle approach:
Contain dependency sprawl - Reduce the overall amount of dependencies with a better selection process, and elimination of unused dependencies. Result - Reduced attack surface and operational costs.
Reduce false positives by 80% - Go beyond known vulnerabilities and measure security and operational risk across the software supply chain. Result - Reduced technical debt through better vulnerability prioritization
Rapid detection and response - Quickly respond to vulnerable or malicious packages by pinpointing where and how code is being used. Result - Increased supply chain security and reduced MTTR
Complete software inventory - Get a comprehensive view of software components, where and how they’re being used. Result - Accurate and complete SBOMs with vulnerability and exploitability information.
By maximizing software reuse, minimizing false positives, and making it easier for security and development teams to select, secure and maintain dependencies, Endor Labs helps organizations focus on shipping value-adding code.
Who are we?
Endor Labs is founded by myself (Varun Badhwar, CEO) with Dimitri Stiliadis, CTO, both of us serial entrepreneurs whose prior products have created billions of dollars in market cap, and whose most recent startups (RedLock and Aporeto) were acquired by Palo Alto Networks.
Currently, Endor Labs employs over 30 people– mostly engineers with a stellar track record at companies such as Uber, Meta, GitHub, Sonatype, Amazon and Microsoft. A third of our engineers even have PhD’s in Computer Science or related fields–big minds for big issues.
Rather than taking the easy approach of hiring lots of engineers from our past lives who thought and acted like us, we committed to ourselves that no more than 2 engineers would be from the same company in our first 15 hires. It made recruiting hard and slow, but those diversity of skills and experiences will help us deliver a better product in the long run.
To make sure we’re going about this the right way, we needed subject matter experts in the dependency management space. We read tons of research and academic articles on topics related to open source security, and went after the world-renowned experts in the space like Georgios Gousios, Herman Venter, and Henrik Plate.
We have a long road ahead of us, but we’re already working with some of the world’s largest companies in private beta. And we’d love to work with you too! If you want to have an early look at what we’re building, book a demo with us.
Additionally, if you’re interested in joining our mission, we’re hiring world-class engineers across the US and India. Feel free to check out our current openings.