Endor Labs has launched DroidGPT, an extension of its software for assessing risks in open source code. DroidGPT integrates the ChatGPT generative artificial intelligence (AI) platform to make it simpler to discover the most secure version of an open source package.
That capability lets developers launch a natural language query from within the Endor Labs platform that asks ChatGPT to identify, for example, the most secure logging modules for Java applications.
Endor Labs CEO Varun Badhwar said the goal is to make it simpler to apply guardrails to application development processes that today rely heavily on reusing open source packages. Developers often wind up using older versions of those packages that are less secure because a known vulnerability has not been remediated.
Endor Labs’ Dependency Lifecycle Management platform applies graph analysis to identify the depth of dependencies that exist within an application. That capability makes it simpler to identify where vulnerable components have actually been employed within an application. DroidGPT extends that capability to identify the most secure versions of those components that developers should be using, said Badhwar.
Having a full understanding of their dependency graph also lets customers generate and analyze accurate software bills of materials (SBOMs) as applications are dynamically updated, noted Badhwar.
The level of dependency on open source software packages to create applications has risen sharply over the years. An analysis of nearly 2,000 software packages, published by Endor Labs, found that 95% of all application vulnerabilities can be traced back to a transitive dependency created when a developer used an open source component. Functional dependencies are created whenever developers download a third-party component, so it is crucial to assess the risk levels those dependencies create.
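The graph analysis described above (walking an application's dependency tree to find how deep a vulnerable component sits, whether it is direct or transitive, and which version would clear the advisory) can be illustrated with a small, self-contained script. This is an added example, not Endor Labs' code or a description of how its platform is implemented; the package names, versions and advisory ids are constructed placeholders and the data would in practice come from a lockfile or SBOM plus a real advisory feed.

```python
"""Walk a dependency graph to find transitively reachable vulnerable packages
and the nearest non-vulnerable upgrade for each.

All package names, versions and advisory ids are constructed placeholders
for this example, not real packages or real advisories."""
from collections import deque

# Constructed dependency graph: coordinate -> list of direct dependencies.
# Coordinates are "name@version"; a real tool would read these from a lockfile.
DEPENDENCY_GRAPH = {
    "app@1.0.0": ["web-framework@2.3.1", "logger@1.2.0"],
    "web-framework@2.3.1": ["http-client@0.9.0", "logger@1.2.0"],
    "http-client@0.9.0": ["yaml-parser@3.0.1"],
    "logger@1.2.0": [],
    "yaml-parser@3.0.1": [],
}

# Constructed advisory feed: package name -> {affected version: advisory id}.
ADVISORIES = {
    "yaml-parser": {"3.0.0": "PLACEHOLDER-ADV-001", "3.0.1": "PLACEHOLDER-ADV-001"},
    "logger": {"1.2.0": "PLACEHOLDER-ADV-002"},
}

# Constructed registry listing: versions that exist for each package.
AVAILABLE_VERSIONS = {
    "yaml-parser": ["3.0.0", "3.0.1", "3.0.2", "3.1.0"],
    "logger": ["1.1.9", "1.2.0", "1.2.1", "2.0.0"],
}


def split_coordinate(coord):
    """'name@version' -> ('name', 'version'); rsplit tolerates scoped names with '@'."""
    name, version = coord.rsplit("@", 1)
    return name, version


def parse_version(version):
    """Simple numeric semver comparison key; enough for the constructed data."""
    return tuple(int(part) for part in version.split("."))


def dependency_depths(graph, root):
    """Breadth-first walk from root.

    Returns {coordinate: (depth, path_from_root)}. Depth 1 is a direct
    dependency; anything deeper is transitive. BFS guarantees the shortest
    path is recorded for packages reachable by several routes."""
    seen = {root: (0, [root])}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        depth, path = seen[node]
        for child in graph.get(node, []):
            if child not in seen:
                seen[child] = (depth + 1, path + [child])
                queue.append(child)
    return seen


def find_vulnerable(graph, root, advisories):
    """List reachable vulnerable nodes as (coordinate, advisory_id, depth, path),
    shallowest first, so direct dependencies are fixed before transitive ones."""
    findings = []
    for coord, (depth, path) in dependency_depths(graph, root).items():
        name, version = split_coordinate(coord)
        advisory = advisories.get(name, {}).get(version)
        if advisory:
            findings.append((coord, advisory, depth, path))
    return sorted(findings, key=lambda finding: finding[2])


def nearest_safe_version(name, current, advisories, available):
    """Smallest available version above `current` with no advisory; None if none.

    Choosing the nearest rather than the newest version minimises the chance
    of breaking API changes while still clearing the known advisory."""
    current_key = parse_version(current)
    affected = advisories.get(name, {})
    candidates = [
        v for v in available.get(name, [])
        if parse_version(v) > current_key and v not in affected
    ]
    return min(candidates, key=parse_version) if candidates else None


if __name__ == "__main__":
    for coord, advisory, depth, path in find_vulnerable(DEPENDENCY_GRAPH, "app@1.0.0", ADVISORIES):
        name, version = split_coordinate(coord)
        kind = "direct" if depth == 1 else "transitive"
        fix = nearest_safe_version(name, version, ADVISORIES, AVAILABLE_VERSIONS)
        print(f"{coord}: {advisory} ({kind}, depth {depth}) via {' -> '.join(path)}; upgrade to {fix}")
```

The path recorded for each finding is what makes a transitive result actionable: a vulnerable `yaml-parser` three levels down cannot be bumped in the application's own manifest, so the report shows which direct dependency (`web-framework` here) pulls it in and therefore where the upgrade or override has to happen.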
Fortunately, in the wake of a series of high-profile breaches, there has been increased focus on securing software supply chains. The ongoing challenge is that most developers don’t have a lot of cybersecurity expertise, so as contributions are made to open source projects it’s relatively easy for mistakes to be made. The simple truth is that many applications deployed in production environments are riddled with known vulnerabilities that have yet to be addressed. DroidGPT is designed to make it simpler to begin remediating software vulnerabilities in applications both as they are built and after they are deployed.
There is no doubt that it will take years before organizations are able to implement a set of truly mature DevSecOps best practices to teach developers how to build more secure applications. That journey, however, needs to begin with tools that enable them to address fundamental issues that dependencies inevitably create. After all, the best way to combat application vulnerabilities is to make sure they don’t manifest themselves in code in the first place. Making it easier to update applications using older versions of open source modules is nothing less than critical at a time when cybercriminals are getting more adept at exploiting them.