Microsoft has tapped Endor Labs to incorporate a software composition analysis (SCA) tool into its cloud-native application protection platform (CNAPP).
Lara Goldstein, a security product manager for Microsoft, said that after evaluating multiple SCA tools, Microsoft chose to partner with Endor Labs to add an SCA tool to the Microsoft Cloud Defender platform because that approach provides deeper insight into whether a discovered vulnerability is actually reachable from the application. That matters because it reduces the number of potential issues that application development teams have to investigate, she said.
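The reachability idea described above, as an added illustration that is not Microsoft's or Endor Labs' code: a call graph is walked from the application's entry points, and each SCA finding is marked reachable only if some call chain from the application reaches the affected function. The call graph, entry points and findings here are constructed sample data; a real SCA tool derives them by statically analyzing the application and its dependencies.

```python
from collections import deque

# Constructed sample call graph: caller -> callees.
# "app.*" are the application's own functions; "libfoo.*" and "libbar.*"
# are functions in third-party dependencies.
CALL_GRAPH = {
    "app.main": ["app.handle_request", "libbar.init"],
    "app.handle_request": ["libfoo.parse_header"],
    "libfoo.parse_header": ["libfoo.decode_token"],
    "libfoo.decode_token": [],
    "libfoo.render_template": ["libfoo.eval_expr"],  # present in libfoo, never called by app
    "libfoo.eval_expr": [],
    "libbar.init": [],
}

# Constructed: where execution of the application starts.
ENTRY_POINTS = ["app.main"]

# Constructed SCA findings (hypothetical ids): each names the dependency
# function that a reported vulnerability lives in.
FINDINGS = [
    {"id": "FINDING-1", "package": "libfoo", "function": "libfoo.decode_token"},
    {"id": "FINDING-2", "package": "libfoo", "function": "libfoo.eval_expr"},
    {"id": "FINDING-3", "package": "libbar", "function": "libbar.init"},
]


def find_path(graph, entry_points, target):
    """Breadth-first search from the entry points; returns the shortest
    call chain ending at `target`, or None if `target` is unreachable."""
    queue = deque((ep, [ep]) for ep in entry_points)
    seen = set(entry_points)
    while queue:
        node, path = queue.popleft()
        if node == target:
            return path
        for callee in graph.get(node, []):
            if callee not in seen:
                seen.add(callee)
                queue.append((callee, path + [callee]))
    return None


def triage(graph, entry_points, findings):
    """Annotate each finding with whether it is reachable and, if so, the
    call chain that reaches it. Unreachable findings are the ones a team
    can deprioritize; reachable ones come with the chain to investigate."""
    results = []
    for finding in findings:
        path = find_path(graph, entry_points, finding["function"])
        results.append({
            "id": finding["id"],
            "package": finding["package"],
            "reachable": path is not None,
            "call_chain": path,
        })
    return results


def reachable_ids(results):
    """Ids of the findings that need investigation first."""
    return [r["id"] for r in results if r["reachable"]]


if __name__ == "__main__":
    for r in triage(CALL_GRAPH, ENTRY_POINTS, FINDINGS):
        status = "REACHABLE" if r["reachable"] else "not reachable"
        chain = " -> ".join(r["call_chain"]) if r["call_chain"] else "-"
        print(f"{r['id']} ({r['package']}): {status}  {chain}")
```

With the sample data, FINDING-2 is filtered out because nothing in the application ever calls into the affected code path, while the other two come back with the exact chain a developer can trace. The same walk generalizes to any caller-to-callee graph a static analyzer produces; what changes in practice is the quality of that graph (dynamic dispatch, reflection and callbacks all need handling), not the search.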
Earlier this year, Endor Labs added analytic capabilities to its SCA tool that make it possible to determine, for example, how difficult it would be to upgrade an open-source software package, including how likely the upgrade is to break an application.
Additionally, the company added an Endor Magic Patches capability that lets DevSecOps teams apply patches created in a later release to a previous version of a module, if they determine that upgrading the module would be too difficult.
Jenn Gile, director of product marketing for Endor Labs, said that approach gives DevSecOps teams more ability to address issues themselves, rather than shifting all responsibility for application security left onto developers, who either lack the required expertise or simply don't have the time to apply a patch.
The alliance with Microsoft advances that capability further by providing native integration with a CNAPP, which lets DevSecOps teams address both application and infrastructure security issues within a single platform, she added. In effect, Endor Labs, in collaboration with Microsoft, is now addressing application security from code to runtime, in a way that makes it simpler for DevSecOps teams to visualize the actual attack path that cybercriminals might exploit to compromise an application environment.
In the longer term, the alliance also sets the stage for Endor Labs to integrate its SCA tool with GitHub Copilot, enabling that generative artificial intelligence (AI) tool to surface additional remediation guidance.
While a lot of progress has been made in adopting DevSecOps best practices, there is still much work to be done. A Techstrong Research survey finds that less than half (47%) of respondents work for organizations that regularly employ DevSecOps best practices. Slightly more (54%) regularly scan code for vulnerabilities during development.
A full 59% of respondents did note that their organization is making further investments in application security, with 19% describing their investment level as high. Specifically, 64% of respondents are investing in a code scanning tool, with 24% describing those investments as being at a high level.
On the plus side, DevOps, in general, has already had either a high (34%) or medium (43%) impact on improving software security for more than three quarters (77%) of organizations, the survey finds.
Of course, as regulations become more stringent, it's only a matter of time before more organizations are forced to improve the security of their software supply chains. The only question left is at what cost that goal will be achieved.