GitHub Advanced Security Integrates Endor Labs Software Composition Analysis for End-to-End Application Security

GitHub Advanced Security now integrates Endor Labs Software Composition Analysis (SCA); Development teams can dismiss up to 92% of low-risk dependency security alerts, and focus on greatest threats and new capabilities

Endor Labs, the leader in open source software security, announced a critical partnership with GitHub, the platform for software developers to create and share code, that makes it easier than ever for application security teams and developers to accurately identify and remediate the most serious security vulnerabilities-all without leaving GitHub. In an environment where the number of Common Vulnerabilities and Exposures (CVEs) has spiked by 500% in just the past decade, the enhanced ease and precision enabled by the partnership will deliver major benefits to organizations.

"While a few supply chain attacks, like last year's XZ Utils episode, get wide attention, they represent only a fraction of the overall threat landscape," said Varun Badhwar, co-founder and CEO of Endor Labs. "The greatest risks instead come from unpatched vulnerabilities embedded in lesser-known open source dependencies. Effectively responding to all of those devours developer time and resources. Endor Labs technology makes it significantly easier to identify and prioritize the most serious threats, and developers can now derive those benefits while working within GitHub. We're proud to enter into this partnership with GitHub, and we look forward to jointly delivering many more technology advances."

The complications associated with hidden CVEs are buried deep inside the software development lifecycle. While the typical application development project has just 10 direct dependencies, each of those might have hundreds of indirect, or transitive, dependencies. It's estimated that up to 95% of all dangers can be found within these subsets. Developers do indeed get security alerts, but there are so many that the task of dealing with each one is overwhelming. Meanwhile, these efforts represent a massive distraction from the goal of delivering new applications and related technologies.

Endor Labs and GitHub bring significant advantages to this partnership. Endor Labs' SCA technology helps identify and prioritize dependency vulnerabilities by their potential impact, based on factors such as reachability, exploitability and more. For example, Endor Labs checks if the vulnerable function of a given dependency is actually reachable by a given application, or is just sitting in an unused corner of a transitive dependency. Similarly, GitHub Advanced Security (GHAS) - the developer-first application security suite that brings GitHub's world-class security capabilities to public and private repositories - integrates crucial security practices directly into the workflow, offering developers a streamlined way to secure their code. It enables code scanning, secret scanning, AI autofixes, and more.

Now, with Endor Labs SCA integrated into GitHub Advanced Security, development teams can dismiss up to 92% of low-risk dependency security alerts. That allows them to focus on the vulnerabilities that matter most, and the new capabilities they seek to deliver to users.

Just three months earlier, Microsoft - GitHub's parent company, natively integrated the Endor Labs advanced SCA capabilities within Microsoft Defender for Cloud, a leading Cloud-Native Application Protection Platform (CNAPP) to empower organizations to consolidate their application security and cloud security programs into a single platform, securing cloud workloads and code seamlessly in one place. The partnership now allows organizations to deploy SCA and CNAPP solutions from a unified dashboard, achieving comprehensive security coverage from code to runtime.

Read more about the partnership at https://github.blog/security/from-finding-to-fixing-github-advanced-security-integrates-endor-labs-sca/

444 High St Ste 300, Palo Alto, CA 94301

The pace and complexity of software development is rapidly intensifying. Developers are trying to keep up by maximizing reuse of code (internally developed as well as open source), adopting microservices architectures, and relying on a vast array of third party tools and services to automate bits and pieces of the CI-CD process. However, this can quickly sprawl and become untenable, only causing more headaches for development and security teams in the long term. Our mission is to deliver the impossible - create secure software supply chains that actually make developers more productive, rather than drowning in useless alerts. For more information, visit https://www.endorlabs.com.

This release was published on openPR.