SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers

Endor Labs unveils tools to enhance OSS security efforts

Tue, 20th Aug 2024

Endor Labs has announced two capabilities aimed at application and open source software (OSS) security risk. Introduced at the Black Hat security conference, both target a long-standing industry problem: vulnerabilities in dependencies are known, but remediating them is slow.

The first capability is Upgrade Impact Analysis, an extension of the company's program analysis engine. It helps developers identify the unintended consequences of a dependency upgrade, such as breaking changes in the parts of a library the application actually calls. With that information, teams can compare how different fix options would affect the application and decide whether a full upgrade is feasible.

The second capability is Endor Magic Patches. It addresses situations where the cost of upgrading is prohibitively high, for example a foundational package whose upgrade would take weeks or months of work. Endor Magic Patches lets teams mitigate a vulnerability immediately with a backported security patch that Endor Labs maintains.

The intent is that organisations can keep a system secure with a patch while the open source dependency itself is upgraded on a workable schedule. This addresses a common problem: the version upgrade that fixes a critical vulnerability often also carries breaking changes, so the upgrade stalls and the risk stays.

The Director of AppSec Operations for a major fintech company commented on the issue, saying, "Developers fear upgrades because of breaking changes. Imagine if the product could emulate an upgrade to show which upgrade could impact which packages. With this information, I could prioritise fixes based on how hard the upgrade will be, and how many other packages will be affected."

Marcelo Oliveira, Vice President of Product Management at Endor Labs, said, "One of the best characteristics of OSS is the degree of constant improvement—there’s a regular flow of upgrades to just about every package. However, the merits can often be outweighed by the dangers. With these new capabilities, teams can clear this hurdle by sharply reducing the work required to understand the impact of dependency upgrades, and stay safe when the risk of upgrades is too high. It’s always been our mission to make security less of a burden on software engineers, and with this launch we continue to help security teams become better partners."

Endor Labs' Software Composition Analysis (SCA) offering differs from conventional SCA by grounding remediation advice in the context of each application. Using program analysis at build time, the company examines which third-party dependencies are actually used and how they interact with application code. That understanding supports an accurate software inventory, suppression of findings whose vulnerable code is not reachable from the application, and prediction of which upgrades would break it.
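To make the two ideas above concrete, here is an added illustration of reachability-based triage and upgrade impact analysis over a toy dependency graph. It is example code written for this page, not Endor Labs' engine or any of its APIs; the package names, versions, call edges and advisory identifiers are all constructed, and the caret-constraint semantics are simplified.

```python
"""Reachability-based triage plus upgrade impact analysis (added example).

Constructed data only: the packages, versions, call graph and advisories
below are invented for illustration and do not describe real software.
"""
from collections import deque

# Dependency graph: package -> {dependency: caret constraint}. A caret
# constraint "^X.Y.Z" is read here as >= X.Y.Z and < (X+1).0.0 (simplified
# npm/Cargo semantics; the pre-1.0 special cases are ignored).
DEPENDENCIES = {
    "app":           {"web-framework": "^2.3.0", "yaml-parser": "^1.4.0"},
    "web-framework": {"http-core": "^3.1.0",     "yaml-parser": "^1.0.0"},
    "http-core":     {},
    "yaml-parser":   {},
}

# Function-level call graph (caller -> callees), as a build-time analysis
# might record it. "yaml-parser.load" is an unsafe entry point that the
# application never calls, so its callees exist but are unreachable.
CALLS = {
    "app.main":                      ["web-framework.serve", "yaml-parser.safe_load"],
    "web-framework.serve":           ["http-core.listen"],
    "http-core.listen":              [],
    "yaml-parser.safe_load":         ["yaml-parser._parse_scalar"],
    "yaml-parser._parse_scalar":     [],
    "yaml-parser.load":              ["yaml-parser._construct_object"],
    "yaml-parser._construct_object": [],
}

# Constructed advisories: the vulnerable function and the first fixed version.
ADVISORIES = [
    {"id": "CONSTRUCTED-001", "package": "yaml-parser",
     "function": "yaml-parser._construct_object", "fixed_in": "2.0.0"},
    {"id": "CONSTRUCTED-002", "package": "http-core",
     "function": "http-core.listen", "fixed_in": "3.2.0"},
]


def parse_version(v):
    """'3.1.4' -> (3, 1, 4) so versions compare as tuples."""
    return tuple(int(part) for part in v.split("."))


def satisfies(version, constraint):
    """Simplified caret check: same major as the floor and not below it."""
    assert constraint.startswith("^"), "only caret constraints are modelled"
    floor = parse_version(constraint[1:])
    actual = parse_version(version)
    return actual[0] == floor[0] and actual >= floor


def reachable_functions(entry):
    """Breadth-first walk of the call graph from the application entry point."""
    seen = {entry}
    queue = deque([entry])
    while queue:
        fn = queue.popleft()
        for callee in CALLS.get(fn, []):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def upgrade_impact(package, new_version):
    """Direct dependents of `package` whose constraint the new version would
    violate, i.e. the places that would have to absorb a breaking change."""
    broken = []
    for dependent, deps in DEPENDENCIES.items():
        constraint = deps.get(package)
        if constraint is not None and not satisfies(new_version, constraint):
            broken.append((dependent, constraint))
    return broken


def prioritize(entry="app.main"):
    """Rank advisories: reachable ones first, then by how many dependents the
    fixing upgrade would break (a rough proxy for fix effort)."""
    reachable = reachable_functions(entry)
    rows = []
    for adv in ADVISORIES:
        broken = upgrade_impact(adv["package"], adv["fixed_in"])
        rows.append({
            "id": adv["id"],
            "reachable": adv["function"] in reachable,
            "breaks": [dep for dep, _ in broken],
        })
    return sorted(rows, key=lambda r: (not r["reachable"], len(r["breaks"])))


if __name__ == "__main__":
    for row in prioritize():
        print(row)
```

Running it ranks CONSTRUCTED-002 first: its vulnerable function is on a path from `app.main`, and the fixing upgrade stays inside the caret range every dependent declared, so the fix is cheap. CONSTRUCTED-001 ranks last: the vulnerable function is only reachable through an entry point the application never calls, and the fix requires a major-version bump that breaks two dependents' constraints. A real engine works on compiled artefacts and API diffs rather than a hand-written graph, but the two questions it answers are the same ones this script answers.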

With Upgrade Impact Analysis, Endor Labs users get a detailed view of what a candidate upgrade would change in their application. The aim is to improve the return on remediation effort: developers spend less time on manual research into release notes and changelogs, and risks can be addressed sooner because the effort of each fix can be estimated before anyone starts it.

Endor Magic Patches offers the fallback when an upgrade is too costly. It provides security patches backported to the vulnerable version, with the patching steps published so that they are transparent and reproducible rather than taken on trust. The company positions this as a way to respond to emerging threats promptly, balance developer workloads, and support compliance with U.S. government requirements such as FedRAMP.
