Starburst is a data lakehouse that is solving a painful problem: Organizations have tons of data that’s not easily usable by employees. With Starburst, teams can self-serve using their preferred analytics tools to query the datalake, no need to wait for a central team to unlock it! And whether using Starburst on-prem or in the cloud, a secure product is of utmost importance when it concerns data. Customers regularly scan Starburst for risks, at which point they engage with the Security Engineering and GRC team to understand findings. When it came to open source dependencies, customers wanted to understand the rationale behind false positives and be assured that Starburst had evaluated risk on all dependencies— both direct and transitive.

Unfortunately, the team’s software composition analysis (SCA) tool, Rezillion, wasn’t meeting expectations and made it difficult to have conversations with customers. The team encountered three problems:

• No data to support false positive determinations: The tool flagged findings as false positives, but didn’t provide the rationale so the team had to do manual research or waste time remediating vulnerabilities that might not matter.
• Insufficient support for transitive dependencies: The tool wasn’t providing a full inventory of transitive dependencies (those not explicitly chosen by the developers) so customers could discover vulnerabilities in dependencies the team didn’t know existed. 
• No pre-deployment scanning: When problems were discovered, it was always after the application deployed, making it more difficult and time-consuming to trace vulnerabilities back to the source.

Endor Labs is doing reachability analysis on transitive dependencies, which is really important to us and a huge deciding factor in our comparison to another vendor that didn't have it. 
- Alex Olea, DevSecOps Engineer at Starburst

The Starburst team sought an SCA tool that could find and prioritize risks accurately while fitting into their existing workflows.

They had three main requirements:

• Developer experience: One good thing about Rezillion was it was easy to use, so it trained our developers to have a good attitude towards an SCA tool, and therefore use it! Our new SCA tool needed to continue prioritizing developer experience to ensure adoption and effectiveness.
• Function-level reachability analysis: This type of reachability is the most accurate way to determine whether a vulnerability is exploitable. We would use this to deprioritize false positives, giving us confidence that the tool is giving accurate and justifiable results. The tool we selected had to support reachability for all types of dependencies (direct and transitive) and also support our main languages (Java, Typescript, and C#).
• Pre-deployment scanning and preventative controls: Being able to scan at pre-deployment will let us catch problems at the time of build, before they get into production and cost us even more time. And with preventative controls, we can block really risky dependencies from ever being selected. 

The team chose Endor Labs because all their requirements were satisfied and the team was a pleasure to work with.

Implementing Endor Labs is easy. I had exactly what I needed between the docs, CLI tool, a GitHub Action, and a GitHub app— all readily available.
- Alex Olea, DevSecOps Engineer at Starburst