With open source code making up about 80% of the average application, application security professionals are urging developers to create pipelines that put software supply chain security front and center.

The push for more clarity about the security of open source components is driving the introduction of tools that go beyond software composition analysis (SCA) and static analysis to give companies better visibility into the makeup of their programs. One area to pay more attention to is the dependencies used to create applications. On Oct. 10, a group of application security specialists took the wraps off Endor Labs, a startup that aims to provide a variety of capabilities that focus on managing dependencies and help reduce the attack surface posed by the vast web of components that make up the typical application.

Current approaches can return tens of thousands of potential security issues, many of which are false positives and only 10% or 20% of which may actually be used by the application, says Varun Badhwar, co-founder and CEO of Endor Labs.

"It turns out that 80 to 90% of those reported vulnerabilities, while they exist in the package version itself, they do not apply to you because your developers are not using that code," he says. "You might have some component with 10,000 lines of code, and your developers are only calling 200 lines because they are using a single function."

Some research has put the estimate of attackable bugs at merely 3%.

The Problem of Software Supply Chain

Endor Labs is the latest company to tackle the security of the software supply chain. In March, Sonatype, a provider of software supply chain security tools, introduced more capabilities for the visualization of dependency trees to trace vulnerabilities back to the components that introduced them. And a year ago, a group of former Google employees started Chainguard, which focuses on the entire software supply chain, including asset management, vulnerability management, and software integrity. Other companies — Anchore, Snyk, Synopsys, and Veracode, to name a few — have made recent moves to better address the software supply chain as well.

The goal is for developers to adopt processes and tools that enumerate the dependencies in their applications, detect vulnerabilities in those components, and gain insight into the trustworthiness of the maintainers and projects, says Dan Lorenc, CEO and co-founder at Chainguard.

"We have attacks happening at each and every point along the software supply chain, from the way code gets built, to its deployment, to how it’s run and then packaged and shipped to end users," he says. "Because software supply chain security covers the entire development life cycle, it isn’t like other areas in security where point solutions can solve it."

At present, developers tend to create their code and then scan for vulnerabilities, only discovering poorly coded components long after they made the decision to use the code. Open source software typically makes up anywhere from 70% to 90% of the code included in Web and cloud applications, and the average application requires scores of dependencies, while JavaScript applications average more than 500 dependencies.

Adding Visibility

Current tools provide little value or input into the developer's selection process, so development teams need more visibility into the components making up their supply chains, Endor Lab's Badhwar says.

"Let's be honest — a developer's best friend today is Google," Badhwar says. "If a product manager comes to a developer and says, 'Build me feature X,' one of the first things the developer does is go to Google and search for a package or a dependency that accelerates their development."

Some developers may go as far as looking at the number of GitHub stars — using the package's popularity as a proxy for trustworthiness — and may even read about the software on the discussion forums of HackerNews, Reddit, or StackOverflow, he says.

Endor Labs expands the dependency management process into companies' DevOps pipeline and even down to the developer's IDE, giving developers and application security teams information on the security of the components. The platform also allows application security teams to set policies that will be enforced during the selection process, Badhwar says.

The approach helps push companies beyond their focus on software bills of material (SBOMs). Because government agencies require the information, the software manifests have taken off as software makers comply with regulations.

Yet while SBOMs are a helpful step along the path to more security software, they are generated at the end of the application release cycle, so they don’t actually help manage the risk, says Brian Fox, co-founder and chief technology officer at Sonatype.

Organizations instead need capabilities to effectively manage the life cycle of dependencies, starting from the far left side where developers select new dependencies, he says.

"It is only with a deep organizational understanding of your overall bill of materials that you can better arm your software for the next zero-day disclosure," Fox says. "Our data shows that organizations who actively manage their supply chains have dramatically better outcomes and response times than those who do not."