- Open Source Watch
- Posts
- Endor Labs makes open-source software security patches easier
Endor Labs makes open-source software security patches easier
Endor’s new features are helping ease the burden of managing security vulnerabilities in open-source software.
Patching up open-source software made easier.
Endor’s new features are helping ease the burden of managing security vulnerabilities in open-source software.
Endor Labs, a software supply chain security leader, announced the launch of two new, innovative capabilities, "Upgrade Impact Analysis" and "Endor Magic Patches," at Black Hat in Las Vegas. These two features aim to streamline the process of upgrading software versions and mitigating security vulnerabilities in open-source software (OSS) dependencies.
We must often upgrade software versions to fix critical vulnerabilities in OSS. However, such upgrades can be challenging and risk causing breaking existing applications. Fear of this and the complexity of determining what effect a patch will have on programs can deter administrators from implementing necessary upgrades. That's a mistake.
Endor quotes a Director of AppSec Operations at a major Fintech company, explaining, “Developers fear upgrades because of breaking changes. Imagine if the product could emulate an upgrade to show which upgrade could impact which packages. With this information, I could prioritize fixes based on how hard the upgrade will be and how many other packages will be affected.”
In response, Endor Labs has released its new Upgrade Impact Analysis feature. This tool provides detailed insights into the potential difficulties and consequences of a given upgrade, enabling AppSec teams to have informed discussions with engineering teams about the scope of security fixes and set service-level agreements (SLAs). When an upgrade is deemed too costly or complex, teams can opt to mitigate the vulnerability with a backported security patch maintained by Endor Labs.
This feature extends Endor Labs' program analysis engine to identify unintended consequences, such as breaking changes to an application. AppSec teams can now manage risk in the context of upgrade difficulty, improving the return on investment of remediation efforts, reducing developer manual research, and enabling IT teams to address risks more swiftly. In short, it reduces the pain.
In addition, Endor Magic Patches enables security patches to be backported to the vulnerable version of the software, eliminating the need for difficult upgrades. These patches include source code, tests, build, and deployment steps, ensuring reproducibility and security. This capability allows AppSec teams to respond quickly to emerging threats, balance developer workloads, and support FedRAMP compliance.
Marcelo Oliveira, VP of Product Management at Endor Labs, emphasized the significance of these new tools: “One of the best characteristics of OSS is the degree of constant improvement—there’s a regular flow of upgrades to just about every package. However, the merits can often be outweighed by the dangers. With these new capabilities, teams can clear this hurdle by sharply reducing the work required to understand the impact of dependency upgrades and stay safe when the risk of upgrades is too high. It’s always been our mission to make security less of a burden on software engineers, and with this launch, we continue to help security teams become better partners”.
I wouldn't go that far. The merits almost always outweigh the dangers. That said, there's no question that upgrading code always comes with some measure of menace. Yes, I'm looking at you CrowdStrike. So, tools like these certainly have their place for any DevOpsSec team.
Other noteworthy Linux and open-source stories:
We put your money to work
Betterment’s financial experts and automated investing technology are working behind the scenes to make your money hustle while you do whatever you want.