Why Open Source Security?
Throughout my IT and Cybersecurity career, I, like others, have watched the tremendous growth and adoption of Open Source Software (OSS). It now powers everything from our consumer goods to critical infrastructure and national security systems.
Studies find that roughly 60-80% of modern codebases are composed of OSS; however, those same codebases face challenges around the security of their OSS usage and components. 81% have at least one vulnerability, 88% have components that have had no new development in two years, and 85% contain components that are more than four years out of date.
During this same period of OSS growth we’ve seen an increased focus by malicious attackers on the vulnerable OSS ecosystem and the countless organizations utilizing its rich resources. Their tactics range from exploiting known vulnerabilities and taking advantage of outdated components to compromising legitimate packages in order to have a massive downstream impact across the entire digital ecosystem.
That said, despite these risks and realities, the answer isn’t to shy away from OSS and its use in our modern digital environments. It is, however, a call for innovative solutions and platforms that empower developers and engineers to make more secure use of OSS and to understand the hygiene of their current OSS usage, and to do so in a manner that doesn’t introduce friction that causes them to avoid engaging security or to turn a blind eye to these risks entirely. There’s a demand for innovative capabilities and rich context, such as reachability, known exploitation, probability of exploitation and business criticality.
While we can openly acknowledge that OSS components comprise a large portion of modern codebases and that many OSS components contain vulnerabilities, one thing most security tools struggle with, and which causes friction and imposes a productivity tax on developers, is providing accurate context to drive vulnerability prioritization and remediation activities. Knowing a component is vulnerable isn’t enough. That’s why Endor Labs’ robust reachability analysis capabilities position them as a leader heading into a future where DevSecOps environments demand high-fidelity, context-rich findings and a reduction in the noise that saps the productivity of development and engineering teams and further bolsters silos between Development and Security. In an environment where teams and organizations are already dealing with cybersecurity workforce challenges, coupled with competing demands on developers such as speed to market and product development, it’s imperative to have context-rich security findings that empower teams to tackle the most pressing risks to their organizations and stakeholders.
Why Endor Labs?
Endor Labs’ reachability analysis positions them ahead of legacy SCA vendors, helping eliminate 80% of the false positives that typically drown teams and leave them struggling to understand which risks to prioritize. Endor provides this capability not only for direct but also for transitive dependencies, which is especially critical given that 6 out of 7 vulnerabilities belong to transitive dependencies. Endor Labs is also keeping pace with the evolving software supply chain landscape and brings support for emerging artifacts such as Software Bill of Materials (SBOM) and Vulnerability Exploitability eXchange (VEX) documents, enabling teams to understand their software asset inventory and facilitating communication between software suppliers and consumers in industry-standardized formats.
To me, when I look out across the current security innovation landscape, Endor Labs stands tall among the crowd, focusing on a problem that faces the entire IT and Cybersecurity industry and impacts organizations of all shapes, sizes and verticals. It has a strong leadership team who’s been there and done that, and a passionate team of problem solvers looking to help enable a more secure, digitally driven society. I’m proud to be working more closely with this team of innovators and to help enable a more secure future for all of us.
As Endor Labs’ Chief Security Advisor, I’ll be working with the team in a variety of ways, including developing and contributing to content, product feedback and strategy, industry outreach and evangelism, and more. If you’re interested in learning more about Endor Labs and what the team is up to, feel free to reach out to me!
Chris brings nearly 20 years of IT and cybersecurity experience to his role as Chief Security Advisor at Endor Labs, as well as to his role as a Cyber Innovation Fellow (CIF) at the Cybersecurity and Infrastructure Security Agency (CISA), where he focuses on software supply chain security. As a United States Air Force veteran and former civil servant in the U.S. Navy and the General Services Administration’s FedRAMP program, Chris is passionate about making a lasting impact on his country and our global cyber community at large. Chris is co-author of the book “Software Transparency: Supply Chain Security in an Era of a Software-Driven Society”, published by Wiley. He has also contributed many other thought leadership pieces on software supply chain security and has presented on the topic at a variety of industry conferences.