Investing in next-gen software supply chain security with Endor Labs
As developers work to ship software products faster than ever before, they are increasingly using open-source software (OSS) and other third-party dependencies to expedite development. According to a 2022 GitHub report, 97% of all applications now leverage open-source code. However, using OSS brings risks such as code vulnerabilities, cybersecurity threats and licensing issues into the software development lifecycle (SDLC), and reduces development and security teams’ visibility into the composition and integrity of the software build. And these risks have far-ranging implications, with even the U.S. government considering OSS security an issue of national import.
As a result of this growing concern, numerous tools have hit the market that help security teams “shift left” in the SDLC to catch security issues before the code is deployed. However, many of these tools lack the ability to contextualize and prioritize the vulnerabilities they discover, which are usually either in unused code dependencies or result in little to no security risk due to where they are located within the application. This issue becomes a huge pain point for security and development teams: lacking the context of what’s most critical to fix, security teams have to rely on the vulnerability scanner’s prioritization, often leading development teams to push back on the relevance of fixes assigned to them.
That's where Endor Labs comes in. Founded in 2021, the company offers a full suite of software composition analysis (SCA) and code governance tools that both provide 360º clarity into an enterprise's software supply chain and surface meaningful, exploitable risks across dependencies in the SDLC — helping teams quickly understand and fix the issues that matter most.
We're especially excited by Endor Labs’ use of reachability analysis. Typical SCA tools scan application manifest files and report every known vulnerability associated with the versions declared on the manifest. This approach leads SCA tools to report hundreds of thousands of vulnerabilities, overlooking the fact that only 12% of the code within these OSS dependencies is typically used (and is thereby exploitable). The company’s breakthrough in reachability analysis empowers organizations to eliminate or de-prioritize over 80% of alerts-related work by providing reliable insights into the vulnerable code that is ‘reachable’ at the function level. This is a game-changer, as it allows security teams to focus on the risks that matter and saves Endor Labs’ customers millions of dollars via developer productivity.
Our immense confidence in Endor Labs stems not only from the company’s innovative, effective and cost-saving solution, however — it also comes from the expertise of Endor Labs’ founding team, who have deep experience both in the cybersecurity space and in launching successful startups. CEO Varun Badhwar is a three-time founder, having also launched cloud security startups RedLock and CipherCloud, while CTO Dimitri Stiliadis founded microservices security firm Aporeto and Nuage Networks, an automatic networking company.
Given its industry-leading ability to surface and prioritize critical software supply chain vulnerabilities, and the technical and business acumen of its founding team, we're pleased to announce our investment in Endor Labs. We join existing investors Lightspeed Venture Partners, Coatue, Dell Technologies Capital and Section 32. We look forward to supporting Varun, Dmitri and the whole Endor Labs team in their mission to secure software supply chains and eliminate unnecessary drags on developer productivity.
For more information, email Matt Carbonara at matt.carbonara@citi.com or Nick Sands at nick.sands@citi.com.
To see Citi Ventures’ full portfolio of companies, click here.