Endor Labs is a company that helps developers spend less time dealing with security issues and more time accelerating development through safe Open Source Software (OSS) adoption. The company’s Code Governance Platform helps organizations maximize software reuse by enabling security and development teams to select, secure, and maintain OSS at scale. It also enables organizations to prioritize risk across CI/CD pipelines and to meet compliance objectives such as producing SBOMs. Pulse 2.0 interviewed Endor Labs co-founder and CEO Varun Badhwar.
Varun Badhwar’s Background
What is Varun Badhwar’s background? “I’m a creature of the industry—I live and breathe technologies that enhance the way things are done, and enable new things to get done. I’ve been at startups and conglomerates and served on small teams, big divisions, and corporate boards. Perhaps most importantly, I’ve been privileged to launch disruptive companies that made a distinctive mark in their specific fields. Most recently I launched and led RedLock, which blazed a trail in securing cloud infrastructure environments. The company’s strengths and prospects were quickly noticed: RedLock was acquired by Palo Alto Networks in barely three years. I joined Palo Alto Networks myself, and while there I built the Prisma Cloud business from scratch. It recorded $300 million in ARR from 2,700 customers, including 77% of the Fortune 100, in only three years,” said Badhwar. “I believe that’s still the fastest growth rate ever recorded by an enterprise SaaS provider. And it was during this period of market success that the next frontier emerged.”
Formation Of Endor Labs
How did the idea for Endor Labs come together? “So there I was, leading a 400-person engineering team at Palo Alto Networks—amazing people doing cutting-edge work—and yet there was at least one old-school stumbling block. I found that it was common for developers to go on Slack to ask questions like: ‘Who’s using this open source dependency? I plan to update it and you might be affected.’ Again, these were highly sophisticated technologists building advanced solutions with valuable code, yet they lacked even basic visibility into the software dependency graph. That’s when the idea started to be born,” Badhwar reflected. “A little bit of context here: Even the most skilled developers creating the most vital applications don’t actually write all the code. In fact, more than 80% of the code in new apps comes from existing repositories, mostly open source. For the record, open source software (OSS) is a treasure trove for developers because it enables ongoing innovation—we all benefit from the latest advances, while the nonstop collaboration between dispersed and talented professionals keeps it free. However, when all this happens without the developers knowing what code is being pulled into each project, where it’s being used, and if it’s truly safe, security concerns get in the way of productivity. These are ‘indirect’ or ‘transitive’ dependencies: software components that your software relies on indirectly. On average, each direct open-source package brings with it 77 transitive dependencies, and most organizations use thousands of such packages. That’s why it’s no surprise that 95% of vulnerabilities are found in transitive dependencies.”
This was the breakthrough moment for Badhwar.
“Along with my longtime colleagues and business partners, I understood the need to secure the software supply chain by enhancing and speeding open source reuse—a goal that has always proved elusive. That is Endor Labs’ mission: We’re dedicated to creating secure software supply chains to make developers more productive, rather than drowning in endless (and often false) security alerts,” Badhwar added.
Growing Into A Full-Fledged Business
What was the process of taking the idea for Endor Labs to a full-fledged business? Badhwar replied:
When I first faced these huge challenges at Palo Alto Networks, I couldn’t help but wonder, is this just us, or is it a bigger challenge across the whole industry? Luckily, I knew some influential leaders in the cybersecurity and tech world, so I started asking questions. The answers were surprisingly consistent. Most of them were simply crossing their fingers and hoping for the best when dealing with open-source software, trusting the ecosystem implicitly.
But trust took a massive hit when incidents like log4j happened. And just as we were getting our heads around how big of a deal this was, the White House chimed in with an executive order. Suddenly, open-source software was a national security issue. That’s when we started seeing folks calling for software bills of materials (SBOMs).
The Log4j incident, ruining countless Christmas holidays, really hammered home the point that we were dealing with a big, ugly problem that needed fixing. So in our first year as a company, we got busy. We talked to over a hundred different companies, trying to understand the ins and outs of how they handle software engineering and how they deal with the risks of open-source software.
We took all those chats and insights and cooked up something special – what we now call Endor Labs’ product capabilities. It’s been a heck of a ride, but we’re stoked to tackle this huge issue head-on.
After getting the initial team together and proving out the problem, we got in touch with trusted investors and ended up raising a $25 million seed round, where over 40 CISOs, CEOs, and CTOs personally invested, including C-Level executives from Palo Alto Networks, Zscaler, Netskope, Rubrik, and Zoom, among others.
Core Products
What are Endor Labs’ core products and features? “Endor Labs’ solution sets and services are designed to match the top priorities and broader needs of IT and security teams, and developers at the heart of those efforts. The company’s core offering is the Endor Labs Code Governance Platform, which lies at the core of both supply chain security and developer productivity. The technology is geared toward both security and engineering teams,” Badhwar explained. “The solutions are organized so as to help each organization secure its software supply chain (with comprehensive software inventory, better dependency selection, and OSS governance); maintain its assets (with vulnerability prioritization, SBOM management, and detection/response); and maintain its infrastructure (with a reduced attack surface, detection of unmaintained dependencies and prioritization of operational risk).”
Evolution Of Endor Labs’ Technology
How has Endor Labs’ technology evolved since launching? “As we started to roll out support for several programming languages, it quickly became apparent that this was met with considerable enthusiasm. The users expressed a strong desire for us to expand these capabilities to a wide range of popular programming languages. Initially, our main focus was on the governance of open-source software,” Badhwar pointed out. “However, as we delved deeper, we discovered that the challenge of code governance was much broader in scope. It was not just about managing open-source software but also about ensuring the security of the pipelines. As we found ourselves actively involved in the build process, analyzing and scanning source code, we realized we had the capacity to offer more sophisticated solutions. This allowed us to explore exciting opportunities, such as scanning for secrets, ensuring repositories were configured correctly, and verifying that access and permissions were appropriately assigned. Through this process, we recognized a broader range of needs that we could address.”
Significant Milestones
What have been some of Endor Labs’ biggest milestones? Badhwar highlighted the following:
As any entrepreneur can attest, the first priority is to put together a great team, and that’s exactly what we’ve got at Endor Labs. The 45 professionals include engineers with a stellar track record at companies such as Meta, Uber, GitHub, Sonatype, Amazon and Microsoft; in fact, a third of the engineers have PhDs in Computer Science or related fields.
Endor Labs has launched a market-leading research competency named Station 9 (yes, sticking with the Star Wars theme). The team, which brings together specialists from around the world and is led by famed researcher Henrik Plate, has already made waves with groundbreaking reports examining “The State of Dependency Management” and “The Top 10 Open Source Software Risks of 2023.”
We have demonstrated our 100% commitment to the channel with Hyperdrive, a global partner program designed to create powerful technology combinations for supply chain security, dependency selection and lifecycle management.
The company successfully completed a System and Organization Controls (SOC) 2 Type I audit and has been SOC 2 Type II certified.
Endor Labs has been named a Gartner Cool Vendor in Platform Engineering for Scaling Application Security Practices.
We were named a finalist in the RSA Conference Innovation Sandbox, which highlights cybersecurity’s boldest new innovators and their potentially game-changing ideas, marking the third company I’ve founded to receive the honor.
Endor Labs has integrated with GitHub Advanced Security to make developers’ lives easier by helping them manage what they build and how they build it.
We launched in private beta DroidGPT, an artificial intelligence to help developers select better OSS.
We’ve been recognized as a San Francisco Bay Area Best Place to Work.
And the company was awarded the Intellyx Digital Innovation Award, which recognizes technology providers who make it through the analyst firm’s rigorous briefing selection process – leading-edge vendors driving enterprise digital transformation.
Customer Success Story
When I asked Badhwar about a customer success story, he replied: “One of our customers is a large financial institution. Their developers were losing countless hours chasing down vulnerabilities surfaced by the security teams on their open-source packages. The security team was not able to efficiently prioritize these vulnerabilities. With Endor Labs, they were able to reduce false positive alerts by 76% by prioritizing reachable dependencies.”
Customer Feedback
What has been some of the customer feedback that Endor Labs received so far? “More than 30 CISOs have invested in Endor Labs because, as one put it, we’re ‘tackling one of the most painful problems security and engineering teams face today.’ They also have confidence in the world-class team we’ve put together, and the innovative approach and technology we’re delivering. Customers have been telling us the same: Vulnerability prioritization and helping engineering teams adopt open source securely and at scale is a massive, unsolved problem – until now,” Badhwar shared.
“Top 10 Open Source Software Risks of 2023” Report
Earlier this year, the Endor Labs Station 9 research team teamed up with more than 20 CISOs and CTOs to identify the top 10 security and operational risks introduced through reliance on open-source code.
“Endor Labs’ ‘Top 10 Open Source Software Risks of 2023’ highlights the greatest threats to the software supply chain and the software development lifecycle overall. Reflecting the kind of collaboration found in open source communities, the report—produced by the company’s Station 9 research team—features contributions from CISOs and digital security innovators at 20 other companies, including such respected brands as HashiCorp, Adobe, Palo Alto Networks, and Discord. It also encompasses operational risks alongside the more recognizable security threats,” Badhwar emphasized. “Among other critical areas, the report covers Compromise of Legitimate Package: Attacks may occur on resources in existing projects, or on the distribution infrastructure, in order to inject malicious code. This can be done, for example, by hijacking the accounts of legitimate project maintainers, or exploiting vulnerabilities in package repositories; Untracked Dependencies: Project developers may not know all the dependencies on a component, perhaps because it’s not part of an upstream component’s SBOM, SCA tools are not run or don’t detect it, or the dependency is not established using a package manager; and Name Confusion Attacks: An attack may feature components with names similar to legitimate open source or system components (called typo-squatting), suggest trustworthy authors (that’s brand-jacking) or play with common naming patterns in different languages or ecosystems (combo-squatting).”
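Two of the three name-confusion patterns the report describes, typo-squatting and combo-squatting, can be approximated with plain string heuristics against a list of names you already trust. The Python below is an added example, not code from the report or from Endor Labs’ product. The set of "legitimate" package names, the affix list, and the edit-distance thresholds are constructed for illustration; a real check would compare against the ecosystem’s registry or an internal allow-list and tune the thresholds per ecosystem. Brand-jacking is deliberately out of scope here, because it concerns the claimed author or organization rather than the package name itself.

```python
"""Heuristic name-confusion check for package names.
Added example with constructed data; not Endor Labs code."""
from __future__ import annotations

import re

# Constructed set of names treated as legitimate for this example; a real check
# would consult the registry (PyPI, npm, Maven Central, ...) or an allow-list.
KNOWN_PACKAGES = {"requests", "urllib3", "numpy", "django", "cryptography", "lodash"}

# Constructed list of affixes commonly glued onto a real name in combo-squatting.
AFFIXES = ("python", "py", "js", "node", "dev", "utils", "tools", "cli", "core", "lib", "api", "2", "3")


def normalize(name: str) -> str:
    """Fold case and collapse runs of '-', '_' and '.' to a single '-' (PEP 503 style)."""
    return re.sub(r"[-_.]+", "-", name).lower()


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus adjacent swaps,
    so 'reqeusts' is one edit away from 'requests' rather than two."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def classify(candidate: str, known: set[str] = KNOWN_PACKAGES) -> tuple[str, str | None]:
    """Return (verdict, closest_known_name).
    Verdicts: known, normalized-variant, combo-squat, typo-squat, unrelated."""
    if candidate in known:
        return "known", candidate
    cand = normalize(candidate)
    by_norm = {normalize(k): k for k in known}
    # Same name once case and separators are folded. Registries usually reject
    # these at upload time, but internal mirrors and hand-edited lockfiles may not.
    if cand in by_norm:
        return "normalized-variant", by_norm[cand]
    # Combo-squatting: a legitimate name with a plausible affix attached.
    for k in known:
        kn = normalize(k)
        for affix in AFFIXES:
            if cand in (f"{kn}-{affix}", f"{affix}-{kn}", f"{kn}{affix}", f"{affix}{kn}"):
                return "combo-squat", k
    # Typo-squatting: within a small edit distance of a legitimate name.
    best = min(known, key=lambda k: osa_distance(cand, normalize(k)))
    dist = osa_distance(cand, normalize(best))
    threshold = 1 if len(best) < 6 else 2  # constructed thresholds; tune per ecosystem
    if dist <= threshold:
        return "typo-squat", best
    return "unrelated", None


if __name__ == "__main__":
    for name in ("requests", "reqeusts", "Django", "lodash-utils", "python-requests", "flask"):
        print(f"{name:16} -> {classify(name)}")
```

Run this against the names in a manifest or lockfile before resolution, and treat anything other than `known` as a prompt to inspect the package’s provenance, not as a block by itself: short real names collide at distance 1 with other real names, so the thresholds trade false positives against misses.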
Funding
Endor Labs launched with $25 million in seed financing from Lightspeed Venture Partners, Dell Technology Capital, and Sierra Ventures, along with financial support from several industry luminaries who recognized the problem solved by the Endor Labs approach, including CEOs and executives from Palo Alto Networks, Zoom, Snowflake, Zscaler, Netskope, Rubrik, Databricks, and Microsoft.
The company also received a strategic investment from members of the Silicon Valley CISO Investments (SVCI), a group of Chief Information Security Officers (CISOs) who operate as an angel investor syndicate. Security executives from Robert Half, Ross Stores, Chime, Adobe, BlackHawk, NYSE, HashiCorp, Flexport, and more all chose to make a personal investment in Endor Labs.
Differentiation From The Competition
What distinguishes Endor Labs from its competition? “Existing solutions have proved fundamentally inadequate—even the most advanced Software Composition Analysis (SCA) tools and approaches, which focus mainly on licensing and vulnerability compliance, come up short. They can’t help developers select secure and high-quality dependencies, which has major consequences down the road; they only track a single risk vector that is itself lagging—known vulnerabilities, usually bugs in well-meaning developers’ code; and they feature vulnerability-oriented alerts that are prone to false positives,” Badhwar pointed out. “Endor Labs applies deep program analysis that has had a respected place in academia but never before been seen in production at scale. The technology can build a detailed dependency graph without requiring any agents or proxies at runtime. This makes the implementation easy and fast, offering unprecedented visibility into just how developers are using these dependencies; which dependencies are being called from their code; which are unused; and of course, which vulnerabilities are exploitable. There’s much more, but here’s the real takeaway: The next time there’s a Log4j-like episode, every organization can get the most important information in minutes, not weeks.”
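The distinction Badhwar draws between a vulnerable package being present in the dependency tree and a vulnerable function being reachable from the application’s own code is, stripped to its core, two reachability problems: one over the package graph, one over the call graph. The Python below is an added example that walks both and triages a set of advisories; it is not Endor Labs’ implementation or any real product’s output. The package graph, the call graph, the function names, and the advisory identifiers (ADV-0001 and so on) are all constructed for illustration, and a real tool would derive the call graph from compiled or parsed code rather than from a hand-written dictionary.

```python
"""Package-level vs. function-level (reachability) triage of advisories.
Added example with constructed data; not Endor Labs code."""
from __future__ import annotations

from collections import deque

# Constructed package graph: package -> packages it depends on directly.
PACKAGE_DEPS = {
    "app": ["web-framework", "json-lib"],
    "web-framework": ["logging-core", "template-engine"],
    "template-engine": ["expr-eval"],
    "json-lib": [],
    "logging-core": [],
    "expr-eval": [],
}

# Constructed static call graph: "package::function" -> callees.
# Functions with no outgoing calls are simply absent as keys.
CALL_GRAPH = {
    "app::main": ["web-framework::handle_request", "json-lib::dumps"],
    "web-framework::handle_request": ["logging-core::log", "template-engine::render"],
    "web-framework::debug_page": ["template-engine::render_unsafe"],  # app never calls this
    "template-engine::render": ["expr-eval::eval_safe"],
    "template-engine::render_unsafe": ["expr-eval::eval_raw"],
    "logging-core::log": ["logging-core::format"],
}

# Constructed advisories: advisory id -> (package, vulnerable function).
ADVISORIES = {
    "ADV-0001": ("expr-eval", "eval_raw"),
    "ADV-0002": ("logging-core", "format"),
    "ADV-0003": ("json-lib", "loads"),
    "ADV-0004": ("xml-parser", "parse"),  # package not in the tree at all
}


def transitive_closure(root: str, deps: dict[str, list[str]]) -> set[str]:
    """Every package reachable from `root` in the dependency graph, excluding root.
    The visited set makes this safe on cyclic graphs."""
    seen: set[str] = set()
    queue = deque(deps.get(root, []))
    while queue:
        pkg = queue.popleft()
        if pkg in seen:
            continue
        seen.add(pkg)
        queue.extend(deps.get(pkg, []))
    return seen


def reachable_functions(entry_points: list[str], call_graph: dict[str, list[str]]) -> set[str]:
    """Every function reachable from the entry points by following static call edges."""
    seen: set[str] = set()
    queue = deque(entry_points)
    while queue:
        fn = queue.popleft()
        if fn in seen:
            continue
        seen.add(fn)
        queue.extend(call_graph.get(fn, []))
    return seen


def triage(root: str = "app", entry_points: tuple[str, ...] = ("app::main",)) -> dict[str, str]:
    """Classify each advisory as not-installed, installed-unreachable or reachable.
    Package-level SCA stops at the first test; reachability adds the second."""
    installed = transitive_closure(root, PACKAGE_DEPS)
    reachable = reachable_functions(list(entry_points), CALL_GRAPH)
    result: dict[str, str] = {}
    for adv_id, (pkg, fn) in ADVISORIES.items():
        if pkg not in installed:
            result[adv_id] = "not-installed"
        elif f"{pkg}::{fn}" in reachable:
            result[adv_id] = "reachable"
        else:
            result[adv_id] = "installed-unreachable"
    return result


if __name__ == "__main__":
    for adv_id, status in triage().items():
        print(adv_id, status)
```

On this constructed data a manifest-only scan would flag ADV-0001, ADV-0002 and ADV-0003, because all three packages are in the transitive closure; the call-graph pass leaves only ADV-0002 as reachable from `app::main`, which is the one to fix first. Two caveats a practitioner should keep in mind: the closure here ignores version resolution, so it cannot tell which version of a package is actually installed, and a static call graph misses edges created by reflection, dynamic dispatch, deserialization, and framework callbacks. "Installed-unreachable" is therefore a prioritization signal, not proof that the vulnerable code cannot run.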
Future Company Goals
What are some of Endor Labs’ future company goals? “We’re passionate about solving big problems for the security industry, especially where emerging technologies so desperately need leadership and innovation. In this case, software supply chain and open source security were not being addressed adequately at all, relying on reactive SCA tools that left security teams drowning in false positives. That left a huge need, and we want to help organizations address that, and not just partially; we sought, from the start, to provide the most comprehensive approach as well as the most advanced one. It’s also important to us to work with other industry leaders to address areas of concern and inform the market,” Badhwar concluded.