Startup Spotlight: Endor Labs Focuses on Reachability

As the Log4j vulnerability demonstrated in a visceral way, open source code is inextricable from modern software. Developers incorporate components, snippets, and libraries from sources like GitHub when writing their own programs so they don't have to reinvent the wheel every time they build a cart. But that means most software has dependencies even its developers don't know about, which can lead to not realizing when a vulnerability report applies to their mission-critical applications — or to scrambling to fix a severe vulnerability that is completely cut off from any source code and thus harmless.

"With 90% of code in modern applications being open source and 95% of vulnerabilities being found in transitive dependencies [the software packages automatically brought in by OSS], security teams struggle to prioritize the right risks for engineering to work on," says Endor Labs CEO and co-founder Varun Badhwar. And that's the company's focus: prioritizing risk across open source software, CI/CD pipelines, and secrets.

Endor does this using dependency life cycle management, which takes into account a variety of metrics to calculate an overall risk score that a company can use to set security policies. It emphasizes how a dependency is used in the organization rather than the severity of a vulnerability. Even the worst vuln, the thinking goes, doesn't matters if an attacker can't actually get to it.

Why Reachability Analysis?

The company calls its approach "reachability analysis." By building a complete inventory of software and then tracing every path to a vulnerability, Endor says it can determine which vulnerabilities need to be fixed right away and which can be set aside. Users can query the Endor Labs platform using DroidGPT, a chatbot that is now in beta, to figure out which open source package they can use in place of a more vulnerable one.

Where Endor really stands out, Badhwar says, is with its staff: A third of the R&D team have earned doctorates. The focus on specialization carries through to the company's "decision to tackle one problem at a time to solve it in the right way," he says.

DroidGPT search results for cryptographic packages in Go. (Source: Endor Labs)

That first problem was open source dependencies. "We made the decision to start there and invest heavily in reachability analysis before we move forward into other solutions," Badhwar says.

The next focus areas will be prioritized secret scanning and supply chain management/configuration posture management, he adds.

Return of the Contest

The four finalists in the Black Hat Startup Spotlight — Endor Labs, Gomboc, Binarly, and Mobb — will present their business models to a panel of judges at the Mandalay Bay in Las Vegas on Wednesday, Aug. 9. (Of the finalists, Endor Labs is the only one that also made the finals at the 2023 RSAC Innovation Sandbox.) Dark Reading's editor-in-chief, Kelly Jackson Higgins, will host the event, which begin at 4:30 p.m. PT.

If you're attending Black Hat in person, Endor Labs hopes to attract you to its booth with a platform demo, a cute mascot, and Star Wars keychain/bottle openers. You might also get an invite to Endor Labs' event at the Topgolf driving range and sports bar.

Speaking of Endor, the swag is a clue to the inspiration for the company's name. No, it doesn't refer to the Canaanite village where the biblical Saul consulted a witch. In this case, Endor is the forest moon in the Star Wars universe where Ewoks live. The company's security research team is even named "Station 9" after a research station on Endor.

As Badhwar says, "The story behind the name is simple — we're just huge nerds."

Speed Round

Website: https://www.endorlabs.com/
Founded: 2022
Funding stage: Seed
Total funding raised so far: $25M
Number of employees: 50
If the company were a band, what would its band name be, and what kind of band would it be: "We would simply be named The Ewoks and play futuristic synth-rock."
Pineapple on pizza, yea or nay?: "We posted this question to the company Slack, and it almost sparked a civil war, but the result was an exact 50/50 split, which our marketing team will break and decide YES on pineapple on pizza." — Thuy Nguyen, director of demand generation at Endor Labs