Startup Spotlight: Endor Labs Focuses on Reachability

As the Log4j vulnerability demonstrated in a visceral way, open source code is inextricable from modern software. Developers incorporate components, snippets, and libraries from sources like GitHub when writing their own programs in order to keep from reinventing the wheel every time they build a cart. But that means most software has dependencies even its developers don't know about. A team may then fail to realize that a vulnerability report applies to its mission-critical application, or it may scramble to fix a severe vulnerability in code that is never reached from the application's own source and is thus harmless.

“With 90% of code in modern applications being open source, and 95% of vulnerabilities being found in transitive dependencies (the software packages automatically brought in by OSS), security teams struggle to prioritize the right risks for engineering to work on,” says Thuy Nguyen, Endor Labs director of demand generation. And that’s the focus of the company: prioritizing risk across open source software, CI/CD pipelines, and secrets.

Endor does this using dependency lifecycle management, which takes into account a variety of metrics to calculate an overall risk score that a company can use to set security policies. It emphasizes how a dependency is used in the organization rather than the severity of a vulnerability. Even the worst vuln, the thinking goes, only matters if an attacker can actually get to it.

Why Reachability Analysis?

The company calls its approach reachability analysis. By building a complete inventory of software and then tracing every path to a vulnerability, Endor says it can determine which vulnerabilities need to be fixed right away and which can be set aside. Users can query the Endor Labs platform using DroidGPT, a chatbot that is now in beta, to figure out which open source package they can use in place of a more vulnerable one.
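As an added illustration of the idea (not Endor Labs' code or method), the Python sketch below runs a breadth-first search over a constructed call graph, where node names, packages and advisory IDs are all placeholders, and splits the known-vulnerable functions into those reachable from the application's entry point (with a witness path) and those that sit in the dependency tree but are never called:

```python
from collections import deque

# Constructed call graph: caller -> callees. Node names are "package:function".
# "app" is the application's own code, "liba" a direct dependency, and "libb"
# and "libc" transitive dependencies pulled in by "liba".
CALL_GRAPH = {
    "app:main": ["app:handle_request", "liba:parse"],
    "app:handle_request": ["liba:render"],
    "liba:parse": ["libb:decode"],
    "liba:render": ["liba:escape"],
    "liba:escape": [],
    "liba:unused_feature": ["libc:deserialize"],  # shipped, but never called by app
    "libb:decode": ["libb:lookup"],
    "libb:lookup": [],
    "libc:deserialize": [],
}

# Constructed advisories (placeholder IDs, not real CVEs): vulnerable function -> advisory.
ADVISORIES = {
    "libb:lookup": "ADVISORY-PLACEHOLDER-1",
    "libc:deserialize": "ADVISORY-PLACEHOLDER-2",
}


def reachable_paths(call_graph, entry_points):
    """BFS from the entry points; returns {node: shortest call path from an entry point}."""
    paths = {}
    queue = deque()
    for entry in entry_points:
        paths[entry] = [entry]
        queue.append(entry)
    while queue:
        node = queue.popleft()
        for callee in call_graph.get(node, []):
            if callee not in paths:  # first visit is the shortest path in BFS order
                paths[callee] = paths[node] + [callee]
                queue.append(callee)
    return paths


def triage(call_graph, entry_points, advisories):
    """Split advisories into reachable (with a witness path) and unreachable."""
    paths = reachable_paths(call_graph, entry_points)
    reachable = {f: (adv, paths[f]) for f, adv in advisories.items() if f in paths}
    unreachable = {f: adv for f, adv in advisories.items() if f not in paths}
    return reachable, unreachable


if __name__ == "__main__":
    fix_now, defer = triage(CALL_GRAPH, ["app:main"], ADVISORIES)
    for func, (adv, path) in fix_now.items():
        print(f"FIX NOW  {adv}: {' -> '.join(path)}")
    for func, adv in defer.items():
        print(f"DEFER    {adv}: {func} is in the dependency tree but never called")
```

A static call graph like this under-approximates edges created by reflection, dynamic dispatch or plugin loading, so an "unreachable" verdict should be treated as lower priority rather than proof of safety.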

Nguyen says that where Endor really stands out is in its staff, with a third of the R&D team having earned doctorates. The focus on specialization carries through to the company’s “decision to tackle one problem at a time to solve it in the right way,” as she puts it.

That first problem was open source dependencies. “We made the decision to start there and invest heavily in reachability analysis before we move forward into other solutions,” Nguyen says. The next focus areas, she says, will be prioritized secret scanning and supply chain management/configuration posture management.

Return of the Contest

The four finalists in the Black Hat Startup Spotlight — Endor Labs, Gomboc, Binarly, and Mobb — will present their business models to a panel of judges at the Mandalay Bay in Las Vegas. (Of the finalists, Endor Labs is the only one that also made the finals at the 2023 RSAC Innovation Sandbox.) Dark Reading’s editor-in-chief, Kelly Jackson Higgins, will host the awards on Wednesday, Aug. 9, at 4:30 pm.

If you’re attending Black Hat in person, Endor Labs wants to lure you to its booth with a platform demo, a cute mascot, and Star Wars keychain/bottle-openers. You might also get an invite to Endor Labs’ event at the Topgolf driving range and sports bar.

Speaking of Endor, the swag is a clue to the inspiration for the company’s name. No, it doesn’t refer to the Canaanite village where the biblical Saul consulted a witch; in this case, Endor is the forest moon in the Star Wars universe where Ewoks live. The company’s security research team is even named “Station 9” after a research station on Endor. As Nguyen says, “The story behind the name is simple — we’re just huge nerds.”

Speed Round

Website: https://www.endorlabs.com/
Founded: 2022
Funding stage: Seed
Total funding raised so far: $25M
Number of employees: 50
If the company were a band, what would its band name be, and what kind of band would it be: “We would simply be named The Ewoks and play futuristic synth-rock.”
Pineapple on pizza, yea or nay?: “We posted this question to the company Slack and it almost sparked a civil war, but the result was an exact 50/50 split, which our marketing team will break and decide YES on pineapple on pizza.”