Enterprise security affects all of us. If hackers break into a company you do business with, your personal data, your identity, and even your livelihood is at risk. This is why tens of billions of dollars are spent every year keeping the bad guys out.
Historically, the thinking has gone that if bad guys can’t get into a network or access a company’s storage, then the data is safe. So, while a ton of money is spent on securing devices, endpoints, servers, or the network, not a lot of money has been spent on securing applications.
But over the last couple of years, the industry got several critical wakeup calls (Log4Shell, SolarWinds) when they woke up to some very sophisticated attacks not on enterprise infrastructure, but on the applications themselves. Even more concerning, the attacks weren’t directly on a specific application vulnerability, but rather on the widely used 3rd party components of the applications…which meant the blast radius of the attacks was wide, broad, and affected all of us.
Thanks to the rise of open source software as well as the adoption of APIs and microservice-based architecture, modern software is no longer controlled by the folks who write it. In fact, we estimate that over 80% of code in a modern application is code written by others — whether it’s code from open source projects, remote call-outs to third-party services, or libraries acquired from third party vendors.
Consequently, hackers have now started to target the Software Supply Chain — the ingredients that make up modern software.
We believe that securing the Software Supply Chain is one of the highest priority issues that enterprises must immediately address. In fact, the US government agrees with this assessment, having recently declared open source software security to be a national security issue.
Without visibility into what 3rd party or external software components make up your application, how secure those components are, or who within your organization has used those components and in what way, enterprises are completely blind and vulnerable to these new and sophisticated attacks.
This is why we are so excited to partner with Varun Badhwar and Dimitri Stiliadis, co-founders of Endor Labs. Varun and Dmitri are repeat entrepreneurs and security veterans who each sold their previous companies to Palo Alto Networks, where they met. At Palo Alto Networks, they experienced, first hand, the pain that a software supply chain attack could inflict…as they rushed to identify vulnerabilities within their applications that could be related to an attack like Log4Shell or SolarWinds.
Endor Labs launches today with the first Dependency Lifecycle Management Platform, designed to address the weakest link in the software supply chain security — the ungoverned sprawl of open source software in the enterprise.
The company’s goal is to help developers spend less time dealing with security issues and more time accelerating their development through safe code reuse. With Endor Labs, development and security teams are able to maximize software reuse by safely evaluating, maintaining, and updating dependencies at scale.
Endor Labs achieves this by going beyond the traditional methods of metadata and vulnerability scanning, and using program analysis and call graphs to gain a deep understanding of how dependencies are being used across the organization.
With Endor Labs, development and security teams are now able to reduce supply chain risk, while safely accelerating development with OSS:
- Select — Each dependency gets a score based on quality, security, maintainer activity, and popularity. Development and security teams now have the information they need to select better dependencies, consolidate versions, and set governance policies.
- Secure — Endor Labs goes beyond known vulnerabilities and gives security teams a way to measure both security and operational risk. Thanks to a deep understanding of dependency usage across repositories, security teams are able to prioritize vulnerabilities that are actually reachable and exploitable, detect next-gen supply chain attacks, and reduce false positives by up to 80%.
- Maintain — By eliminating unused and unmaintained dependencies, organizations are able to both reduce their overall attack surface and optimize application performance.
Today, Endor Labs is also announcing a $25M Seed financing, from Lightspeed, Dell Technologies Capital, along with personal investments from over 30 world class business leaders including Nikesh Arora, CEO of Palo Alto Networks; Jay Chaudhary, CEO of Zscaler; Sanjay Beri, CEO of Netskope; Bipul Sinha, CEO of Rubrik; Aparna Bawa, COO of Zoom; and Sri Viswanathan, Former CTO of Atlassian.
We are thrilled to partner with Varun and Dmitri on their mission to secure the Software Supply Chain.
Arif Janmohamed is a Partner at Lightspeed Venture Partners. He focuses on investments in enterprise IT, AI and Security and sits on the boards of a number of rapidly scaling companies, including TripActions, Netskope, Moveworks, and Cycognito. In his free time, Arif plays ice hockey with his wife, who yells at him for never passing the puck to her.
Lightspeed is a multi-stage VC firm focused on accelerating disruptive innovations and trends in the enterprise, consumer, and health sectors. Lightspeed has backed 600+ companies globally in the past two decades including Nutanix, Affirm, AppDynamics, MuleSoft, Snap and Nest.
Authors