Endor Labs on Monday came out of stealth with $25 million in seed financing to tackle open source software (OSS) sprawl.
In a press release, the company said the average enterprise has more than 40,000 open source software dependencies directly downloaded by developers, each of which carries an average of 77 other dependencies. This process creates a massive, uncontrollable sprawl that can slow down development and increase the attack surface.
Endor Labs co-founder and CEO Varun Badhwar said creating the cloud security posture management (CSPM) category while at Palo Alto Networks has helped hone his team's ability to take on next-generation threats.
“Our mission now is to enable [open source security] to live up to its true potential without introducing unnecessary risk,” said Badhwar. “It’s exciting to once again take a new approach to the market, and we believe these solutions will radically enhance application development everywhere.”
Open source offers a wonderful way for parties to collaborate, but the developer owns the outcome, said Frank Dickson, who covers security and trust at technology market intelligence firm IDC. Thus, management tools become paramount as open source finds itself in the most intimate and unknown places.
“Tools that analyze vulnerabilities, deliver visibility, map dependencies, and automate remediation are critical for effective DevSecOps,” said Dickson. “Endor Labs is among a growing number of startups looking to address the space in innovative ways.”
Threat actors have increasingly focused on open source software code, and for good reason: organizations are highly dependent on these pieces of code and lack the tools and time to ensure they are being deployed with adequate security when they are reused, according to Bud Broomhead, chief executive officer at Viakoo.
“Reuse of open source software has a unique problem – each new implementation brings a completely new and unique set of dependencies and possible vulnerabilities,” Broomhead said. “Making software reuse faster and safer eases a major roadblock for developers.”
Sanjay Raja, vice president of product marketing and solutions at Gurucul, said nested dependencies in open source software have become a major challenge for security teams when it comes to identifying unusual activity or exploits that target these software modules. The vulnerabilities in Log4j, an open source Apache tool that lets developers track changes in the applications they build, are a chief example.
“Outside of evaluating these applications and testing them, security teams need more advanced threat modeling and even behavioral analytics that work together to surface anomalous activity that can actually be malicious when compromised code is used for nefarious purposes,” Raja said. “Unfortunately most SIEM and XDR solutions do not really combine multiple analytics and piece them together in a meaningful way to identify many of these exploits.”