Five9 faced increasing challenges in managing the risks of third-party library vulnerabilities within its applications. As the company evaluated the strengths and gaps of its existing tools, it became clear that its current SCA solution (Black Duck) was not reducing risk in a meaningful way. While it met certain regulatory compliance requirements, the overwhelming volume of alerts made it difficult to identify which findings represented true risks. With thousands of issues in the backlog, the pace of remediation fell short of the company’s high standards, creating potential exposure to what matters most for Five9’s credibility: uptime.

The team recognized that replacing the SCA would require significant change management. Developers were not accustomed to acting on alerts, and modifying third-party libraries required extensive regression testing to avoid breaking changes that could disrupt services and cause financial loss. Naturally, no one wanted to upgrade a dependency unless it was certain the change was necessary. These realities made improving the program as much about people and processes as about technology.

Five9 ran a competitive evaluation to find an AppSec platform, looking at startups and established tools (including Snyk), to find one that could deliver on four key requirements:

• High Accuracy and Verifiability: Five9's paramount requirement was the verifiability of findings. The findings had to be justifiable and for the tool to definitively show how a vulnerability could be reached within their applications.
• Comprehensive Coverage and CI/CD Integration: The new solution needed to support their primary coding languages, specifically Java. They valued the continuous expansion of language support (e.g., JavaScript) and the ability to integrate with their existing source code management systems like GitLab and Azure DevOps for 100% scanning coverage of their codebase.
• Strong Partnership and Responsiveness: Five9 deliberately sought a vendor that was "hungry" and willing to listen to feedback. They valued deep technical conversations and a high degree of customer service, where their enhancement requests and bug reports were taken to heart. This partnership was crucial for the continuous maturation of their software supply chain security program.
• Operational Efficiency for a Lean Team: As a one-person team managing two security programs for over 250 developers, they required a high degree of automation to maintain efficiency. The ability of the new SCA tool to reduce noise and provide actionable, verifiable findings was paramount to enabling a single individual to effectively manage the software supply chain security program.

Why Endor Labs Won

Five9 chose Endor Labs to be their SCA for the future for two key reasons:

• Reachability-Based Prioritization: Endor Labs accurately showed which vulnerabilities were exploitable in Five9’s code, reducing false positives dramatically. While other tools classified findings based on aggregate scores, CVEs, or in-the-wild exploits, Endor Labs could demonstrate how the vulnerable function was being called.

• Willingness to Listen and Partner: At the time of the evaluation, Endor Labs was a stealth startup. Five9 was impressed with the team’s technical acumen and readiness to embrace Five9 as a design partner. This commitment gave them the confidence that the product would mature and meet their needs long-term.