Endor Labs vs. Traditional SCA
What's the difference between Dependency Lifecycle Management and Software Composition Analysis?
Software Composition Analysis (SCA) tools were originally developed to tackle license management in Open Source Software (OSS). However, over the years they have been adopted as the de facto standard for OSS security as well, mostly by scanning metadata and comparing the results to known vulnerability databases. This has led the industry to confuse compliance with security.
This issue can be broken down into a few major areas:
Known vulnerabilities are a lagging indicator for risk - Most of today’s OSS supply chain attacks are confusion attacks that target the method in which code is consumed. For more information about OSS supply chain attacks see the Risk Explorer. Known vulnerabilities typically represent mistakes by well-intentioned developers, rather than malicious actors. Relying on CVEs alone leaves organizations largely exposed.
Operational risk - Not every risk is a CVE. Much of the risk in relying on open source code is operational. What’s the impact of an update? Who will be affected? What happens when an OSS dependency is no longer maintained? These considerations eat up thousands of engineering hours and are largely ignored by SCA tools, which do not have full visibility into how software dependencies are used in the organization.
Security noise - Since SCA tools ultimately have the sole purpose of surfacing known vulnerabilities, they tend to surface a lot of them. In many programming languages, it turns out that over 80% of vulnerabilities identified by SCA tools are in parts of the code that developers aren’t even using in their applications. Based on these findings, security teams are often thrown into a back and forth with engineering that wastes thousands of hours.
The cost of noise
One customer reported 8,568 developer hours saved by prioritizing vulnerabilities with Endor Labs: developers reported it takes upwards of 8 hours to investigate a single instance of a vulnerability. Critical vulnerabilities tend to get pushed to the top of the list, but engineering investigations will often show that the vulnerable function isn’t actually in use. With Endor Labs, security was able to surface that insight in seconds.
The Endor Labs approach
Endor Labs takes a different approach to software supply chain management and open source security, which it calls Dependency Lifecycle Management. Endor Labs considers both security and operational risks. Quality, popularity, use of best practices, supportability, and other metrics go into a holistic risk score that helps developers select better dependencies and helps security teams set policies that reduce long-term risk.
Improve response time by pinpointing where vulnerable packages are being used
Get a clear map of direct and transitive dependents for each package
Find opportunities to reduce the overall number of dependencies
Find which dependency versions are most used in your organization
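The two analyses described above, deciding whether a vulnerable function is actually reachable from the application's entry points and mapping the direct and transitive dependents of a package, can be sketched in Python. This is an added example, not Endor Labs' code or analysis; the dependency graph, call graph, advisory identifiers and function names are all constructed for illustration. The one design point worth noting is the "unknown" status: when the call graph never saw the vulnerable function at all, the finding is not marked safe, because an incomplete call graph is the most common way reachability analysis goes wrong.

```python
from collections import deque

# Constructed sample data for this example only; no real project or advisory is described.
# Package -> packages it declares as dependencies.
DEPENDENCY_GRAPH = {
    "app": ["web-framework", "json-utils"],
    "web-framework": ["http-parser", "logging-lib"],
    "json-utils": [],
    "http-parser": [],
    "logging-lib": [],
}

# Function -> functions it calls (a simplified static call graph).
CALL_GRAPH = {
    "app.main": ["web-framework.serve", "json-utils.dumps"],
    "web-framework.serve": ["http-parser.parse_headers", "logging-lib.info"],
    "json-utils.dumps": [],
    "http-parser.parse_headers": [],
    "http-parser.parse_chunked": [],      # present in the package, never called by the app
    "logging-lib.info": [],
    "logging-lib.format_remote": [],      # present in the package, never called by the app
}

# Hypothetical advisories: which function in which package is affected.
ADVISORIES = [
    {"id": "ADV-0001", "package": "http-parser", "function": "http-parser.parse_chunked"},
    {"id": "ADV-0002", "package": "logging-lib", "function": "logging-lib.info"},
    {"id": "ADV-0003", "package": "json-utils", "function": "json-utils.loads"},
    {"id": "ADV-0004", "package": "crypto-lib", "function": "crypto-lib.verify"},
]

# Triage order: what the app actually calls comes first, then what we cannot prove either way.
PRIORITY = {"reachable": 0, "unknown": 1, "unreachable": 2, "not-installed": 3}


def _bfs(graph, starts):
    """Breadth-first walk over a {node: [neighbours]} graph; returns every node reached."""
    seen = set(starts)
    queue = deque(starts)
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def resolve_dependencies(root, graph=DEPENDENCY_GRAPH):
    """Return {package: 'direct' | 'transitive'} for everything root pulls in."""
    direct = set(graph.get(root, []))
    everything = _bfs(graph, list(direct))
    return {pkg: ("direct" if pkg in direct else "transitive") for pkg in everything}


def dependants_of(package, graph=DEPENDENCY_GRAPH):
    """Return the set of packages that depend on `package`, directly or transitively."""
    reverse = {}
    for pkg, deps in graph.items():
        for dep in deps:
            reverse.setdefault(dep, []).append(pkg)
    return _bfs(reverse, reverse.get(package, []))


def reachable_functions(entry_points, call_graph=CALL_GRAPH):
    """Return every function reachable from the given entry points in the call graph."""
    return _bfs(call_graph, list(entry_points))


def triage(root="app", entry_points=("app.main",), advisories=ADVISORIES,
           dep_graph=DEPENDENCY_GRAPH, call_graph=CALL_GRAPH):
    """Classify each advisory by whether its vulnerable function is reachable, and list who is affected."""
    installed = resolve_dependencies(root, dep_graph)
    reachable = reachable_functions(entry_points, call_graph)
    results = []
    for adv in advisories:
        if adv["package"] not in installed:
            status = "not-installed"
        elif adv["function"] in reachable:
            status = "reachable"
        elif adv["function"] in call_graph:
            status = "unreachable"
        else:
            status = "unknown"  # the call graph never saw this function; do not assume it is safe
        results.append({
            "id": adv["id"],
            "package": adv["package"],
            "status": status,
            "dependants": sorted(dependants_of(adv["package"], dep_graph)),
        })
    return sorted(results, key=lambda r: (PRIORITY[r["status"]], r["id"]))


if __name__ == "__main__":
    for finding in triage():
        print(f'{finding["id"]:9} {finding["package"]:14} {finding["status"]:14} affects: {", ".join(finding["dependants"]) or "-"}')
```

Run as-is it prints the four constructed advisories in triage order: the one whose function the application actually calls first, then the one the call graph could not account for, then the unreachable one, and last the package that is not installed at all. In practice the dependency graph would come from a lockfile or manifest resolver and the call graph from a static analyzer for the language in question; the classification logic stays the same.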
Ready to learn more?
Book a demo with one of our specialists and learn how Endor Labs can help you scale your OSS usage.