Endor Labs has allied with GitHub to integrate its software composition analysis (SCA) tools directly within DevOps workflows.
In addition, two companies are now making it possible for DevOps teams to acquire the Endor Labs SCA tools via their GitHub Advanced Security and Dependabot software dependency management subscriptions.
Endor Labs CEO Varun Badhwar said this integration will make it simpler for application development teams to discover and remediate vulnerabilities within the context of a GitHub Actions workflow.
At the same time, that level of integration will also streamline vulnerability management by, for example, making it simpler to determine whether a vulnerable function can actually be reached by a cyberattack, said Badhwar. That’s critical because too many application developers today are wasting time tracking down vulnerabilities discovered by a cybersecurity team that doesn’t represent an actual threat to the organization, he added.
As more applications are developed using artificial intelligence (AI) tools, that volume of code that might contain vulnerabilities will overwhelm DevSecOps teams unless an effort is made to prevent them from ever being created, noted Badhwar.
Previously, Microsoft, the parent company of GitHub, integrated the SCA tools from Endor Labs into Microsoft Cloud Defender, a cloud-native application protection platform (CNAPP). The alliance with GitHub extends the reach of the SCA tools further left, to enable DevOps teams to eliminate vulnerable code before it ever finds its way into a production environment. That approach should make it simpler for application developers to discover and remediate vulnerabilities as they are writing code.
While a lot of DevSecOps progress has been made of late, there is clearly still a long way to go before software supply chains can be considered secure. In general, developers still don’t allocate enough time to creating patches for applications that have already been deployed and the time that is allocated is often spent fixing the simplest vulnerabilities rather than ones that are potentially the most lethal.
At the same time, cybersecurity teams tend to create lists of vulnerabilities without providing any context. Application developers then have to spend time determining whether the vulnerability being highlighted by the cybersecurity team is present in the application environment. As the number of times that investigation turns out to be fruitless, the more inured to vulnerability remediation requests the DevOps team tends to become.
Unfortunately, that lack of cohesion too often results in a known vulnerability not being addressed in a timely enough fashion. The truth is that cybercriminals are counting on the fact that organizational inertia will create plenty of opportunities for them to exploit.
The one certain thing is the application security expectations of organizations that consume are rising. As such, application development teams are being held accountable for the number of vulnerabilities that for one reason or another still find their way into a production environment. The challenge and opportunity now is to leverage SCA tools to eliminate as many vulnerabilities as possible from ever being created in the first place.
