Sign up now
Schedule
Want to stay in the loop?
Sign up for our newsletter.
Get key insights from the 2024 Dependency Management webinar with Darren Meyer and Henrik Plate. We discuss how to prioritize vulnerabilities, navigate breaking changes, and leverage public vulnerability databases effectively.
Click to read
This blog covers key steps to simplify FedRAMP vulnerability management, helping you reduce risks and meet compliance timelines. It also provides practical tips to empower developers and streamline fixes for a smoother FedRAMP process.
Click to read
GitHub Actions are open source dependencies - secure them accordingly! Learn how to effectively manage the security risks associated with GitHub Actions with a proactive approach focusing on three key areas: visibility, hardening, and dependency management.
Click to read
Explore the five key categories of reachability and their practical applications in AppSec and development. Learn the differences between SCA and container scanning, and understand how various tools like Function-Level Reachability, Package Baselining, and Internet Reachability play crucial roles in identifying and prioritizing security risks.
Click to read
Explore the challenges of modern vulnerability management and the efficiency of the Vulnerability Exploitability eXchange (VEX) in our latest blog post. Learn how VEX helps identify and communicate the true exploitability of vulnerabilities, streamlining cybersecurity efforts in the face of overwhelming scanner findings.
Click to read
If you’ve been watching the software supply chain security space evolve, you likely know that a lot of the momentum and effort is coming out of the U.S. Federal government. This may seem surprising at first, but it shouldn’t be, when you account for the fact that the Federal government is one of the single largest procurers of technology and software in the world.
Click to read
Phantom dependencies are dependencies used by your code that are not declared in the manifest. If you miss them, they can sneak reachable risks into your application, lead to false positives, or inaccurate SBOMs. All very spooky. This article breaks down how phantom dependencies happen, and how to catch them.
Click to read
SINET, an organization with the mission to accelerate Cybersecurity innovation through public-private partnerships, announced today that Endor Labs is one of the winners of its annual SINET16 Innovator Award. Endor Labs and 15 other emerging companies are identified as the most innovative and compelling technologies in their fields to address Cybersecurity threats and vulnerabilities.
Click to read
Exploit Prediction Scoring Systems (EPSS) is a data set that helps you understand the likelihood that a CVE will be exploited. Learn what the EPSS includes and how to use it to prioritize vulnerability remediation.
Click to read
What’s the best of the best when it comes to open source security tools?We’ve previously talked about the OpenSSF Scorecard, which gives developers a high-level snapshot of the security of any given open source project. But in this post, we’ll talk about a related project, the Open Source Security Index (OSSI), which does something slightly different and complementary.
Click to read
As projects grow larger and more complex, developers face challenges in maintaining a clean and efficient development workflow. Fortunately, npm workspaces offer an essential solution to streamline JavaScript development. In this blog post, we will explore the concept of npm/yarn workspaces, its importance, and how Endor Labs works with them.
Click to read
Location: FinTrU (Porto)R. de Santa Catarina 1232 · Porto
In this talk, we will dive into the shortcomings of traditional dependency analysis methods, which usually focus on looking at build manifests and metadata, to spot security or performance vulnerabilities in Java projects. While tools like Maven Dependency Checker and Gradle's dependency-analysis plugin are invaluable for their ability to manage dependencies, they often fall short when we need quick and precise answers, forcing developers to lean on time-consuming tests and manual code reviews. We believe that a thorough look at how dependencies are actually used in the code—with the help of static and reachability analyses—can be a more effective way to pinpoint real threats in Java dependencies.
We'll use real-world examples to show how static analysis, and in particular reachability analysis, offers deeper insights into potential vulnerabilities by moving beyond simple metadata. By sharing examples where static analysis has been a game-changer, and pointing out where it might not be enough, we aim to shed light on the challenges and opportunities this method brings to improving security and performance in software projects.
Our goal is to provide attendees with practical strategies for using static and reachability analyses, promoting a more detailed method for managing dependencies and finding vulnerabilities in software applications.
Sign up for our newsletter.