Endor Labs Unveils New Research on Impact of Open Source Software on Supply Chain Security
Endor Labs, the startup dedicated to securing open source software reuse in application development, today released "The State Of Dependency Management," which offers an unprecedented view into the rampant but often unmonitored use of existing open source software in application development, and the dangers arising from this common practice. As just one example, the research reveals that a staggering 95% of all vulnerabilities are found in transitive dependencies - open source code packages that are not selected by developers, but indirectly pulled into projects. This is the first report from Station 9, a unique research capability developed by Endor Labs that brings together researchers, academics and thought leaders from around the world. Dedicated to identifying vulnerabilities in the software supply chain and identifying potential solutions, Station 9 includes Georgios Gousios, who oversees software analysis, and Henrik Plate, who leads security research.
"In this environment, open source software is the backbone of our critical infrastructure, but even veteran developers and executives are often surprised to learn 80% of the code in modern applications comes from existing OSS," said Varun Badhwar, co-founder and CEO of Endor Labs. "This is a huge arena, yet it's been largely overlooked. This first report from Station 9 makes clear the depth of the problems in this area, and the need for substantive solutions. If the reuse of open source code is to live up to its potential, then security needs to move to the top of the priority list."
The new report from Station 9 offers a comprehensive analysis of the complexities underlying the reliance on open source software, and shows that traditional methods of vulnerability remediation deserve far closer examination. The problem isn't necessarily the widespread use of existing open source code in new applications; it is that only a small fraction of these software dependencies are actually chosen by the developers involved. The rest are "transitive" or indirect dependencies that package managers pull into the codebase automatically, usually without anyone reviewing them. This sets the stage for significant vulnerabilities, potential and identifiable, affecting the worlds of security and development in equal measure.
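The direct-versus-transitive distinction above is the first thing a practitioner has to establish before a vulnerability can be remediated: a finding in a transitive package cannot be fixed by editing the manifest, only by upgrading or replacing whichever direct dependency drags it in. The script below is an added example written for this page, not Endor Labs' own tooling. It assumes a simplified lockfile-style dependency graph (an adjacency map keyed by package name, with "" as the project root, loosely modelled on npm's package-lock layout) and a constructed advisory list whose package names and EXAMPLE-* identifiers are hypothetical. It classifies each vulnerable package as direct or transitive, reports every direct dependency that reaches it, and gives the shortest path from the root, which is what you need to decide which declared dependency to bump.

```python
"""Classify vulnerable lockfile entries as direct or transitive dependencies.

Added example for this article; the graph and advisories are constructed
sample data, not output from a real lockfile or advisory database.
"""
from collections import deque

# Constructed dependency graph: package -> packages it depends on.
# "" is the project root; its edges are the dependencies a developer
# actually declared in the manifest. Everything else is pulled in indirectly.
LOCK = {
    "": ["express", "lodash", "mocha"],
    "express": ["body-parser", "qs", "debug"],
    "body-parser": ["qs", "debug"],
    "qs": [],
    "debug": ["ms"],
    "ms": [],
    "lodash": [],
    "mocha": ["debug", "ms"],
}

# Constructed advisories: package -> advisory id (hypothetical identifiers).
VULNERABLE = {
    "qs": "EXAMPLE-0001",
    "ms": "EXAMPLE-0002",
    "lodash": "EXAMPLE-0003",
}


def direct_deps(lock, root=""):
    """Packages the project declares itself (edges out of the root)."""
    return set(lock.get(root, []))


def reachable(lock, start):
    """Every package transitively required by `start` (cycle-safe DFS)."""
    seen = set()
    stack = [start]
    while stack:
        cur = stack.pop()
        for dep in lock.get(cur, []):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen


def shortest_paths(lock, root=""):
    """BFS from the root; returns package -> shortest path (list of names)."""
    paths = {root: []}
    queue = deque([root])
    while queue:
        cur = queue.popleft()
        for dep in lock.get(cur, []):
            if dep not in paths:
                paths[dep] = paths[cur] + [dep]
                queue.append(dep)
    paths.pop(root)
    return paths


def classify(lock, vulnerable, root=""):
    """Return one record per vulnerable package that is present in the graph.

    `introducers` lists every direct dependency that (directly or via its own
    subtree) pulls the vulnerable package in. Upgrading only one of several
    introducers leaves the vulnerable package in the lockfile, so remediation
    has to cover all of them.
    """
    direct = direct_deps(lock, root)
    paths = shortest_paths(lock, root)
    report = []
    for pkg, advisory in vulnerable.items():
        if pkg not in paths:
            continue  # advisory for a package this project does not resolve
        introducers = sorted(d for d in direct if d == pkg or pkg in reachable(lock, d))
        report.append({
            "package": pkg,
            "advisory": advisory,
            "kind": "direct" if pkg in direct else "transitive",
            "path": paths[pkg],
            "introducers": introducers,
        })
    return report


def transitive_share(report):
    """Fraction of reported vulnerable packages that are transitive."""
    if not report:
        return 0.0
    return sum(r["kind"] == "transitive" for r in report) / len(report)


if __name__ == "__main__":
    rows = classify(LOCK, VULNERABLE)
    for r in rows:
        print(f"{r['package']:<8} {r['kind']:<10} {r['advisory']:<13} "
              f"via {' > '.join(r['path'])}  (introduced by {', '.join(r['introducers'])})")
    print(f"transitive share: {transitive_share(rows):.0%}")
```

On the constructed graph, `ms` is reached from two declared dependencies (`express` through `debug`, and `mocha` directly), so bumping `express` alone would not remove it; the `introducers` field surfaces that. Real lockfiles also carry version ranges and multiple resolved versions of the same package, which this simplified graph deliberately omits.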
Among other findings, the report reveals:
Station 9, whose name comes from the research facility on Endor in the Star Wars universe, was created to explore the complexities of supply chain security and the use of open source software in the enterprise, and to provide guidelines and best practices on selecting, securing, and maintaining OSS. The team will continue to release more research in the near future, through reports, trade show presentations and more.
Read the full report here.
Henrik Plate will also walk through all of these findings and more in a webinar on December 14th, 2022.
You can learn more about supply chain risks, attacks and mitigation tactics with the Risk Explorer.
About Endor Labs
Endor Labs helps developers spend less time dealing with security issues and more time accelerating development through safe Open Source Software (OSS) adoption. Our Dependency Lifecycle Management™ Solution helps organizations maximize software reuse by enabling security and development teams to select, secure, and maintain OSS at scale. The Endor Labs engineering team includes some of the world's leading static analysis experts, including 7 PhDs and senior engineers from Meta, Uber, Amazon, and Microsoft. Endor Labs was founded by industry veterans Varun Badhwar and Dimitri Stiliadis, and is backed by Lightspeed & Dell Technologies Capital, as well as executives at companies like Palo Alto Networks, Zscaler, Zoom, Google, and more.