Endor Labs today at the Black Hat USA 2024 conference revealed it has added an ability to determine how challenging it might prove to be to upgrade an open source software package, including its potential to break an application, to its platform for securing software supply chains.
Additionally, the company is adding Endor Magic Patches to enable DevSecOps teams to apply patches created in a later release to a previous version of the module if they determine upgrading that module would be too difficult.
Jenn Gile, director of product marketing at Endor Labs, said these analytics capabilities will provide DevSecOps teams with the context needed to determine when to upgrade a module based on the potential level of disruption that a new module might introduce to an IT environment.
While existing software composition analysis (SCA) tools are capable of identifying vulnerabilities, they lack the critical remediation advice organizations need to make a decision to upgrade, she added. Endor Labs, in contrast, is making use of analytics applied at the time a build is created to determine exactly which third-party dependencies are used and how they interact with the application code, noted Gile.
As a result, most organizations will opt to not upgrade a module on the assumption the risk level to the business is too high, she added.
Conversely, DevSecOps teams might decide to go forward with an upgrade only to discover the effort required was much greater than anticipated. It’s not uncommon for DevSecOps teams to roll back an upgrade after that level of difficulty is determined.
The latest capabilities added to the Endor Labs platform provide the actionable intelligence that DevSecOps teams working in collaboration with their cybersecurity colleagues need to make more informed upgrade decisions, said Gile.
If it is determined that upgrading a module is too challenging, DevSecOps teams then have the option to deploy source code and associated patches, including test, build and deploy steps, using Endor Magic Patches.
Open-source software security has become a major issue because organizations that rely on these applications that include open-source code can’t easily develop a patch any time a new vulnerability is discovered. In many cases, as in the case of the infamous Log4J shell vulnerability that impacted Java applications, IT teams will discover that the code impacted is being maintained by a small team of unpaid volunteers who lack the time or motivation to quickly develop a patch.
While the open source community is pooling resources to address that type of challenge going forward, many enterprise IT organizations are reevaluating their applications intending to become less dependent on open source software that isn’t being maintained by a large team of developers that are actively contributing to the project.
One way or another, however, there will most certainly come a time when a new zero-day vulnerability will be discovered that DevSecOps teams will need to instantly fix before cybercriminals exploit it. That’s especially critical in an era where the time between when a vulnerability is disclosed and the first attacks that exploit it is now measured in hours.