Endor Labs emerges from stealth with $25M to secure the software supply chain • TechCrunch


A large share of the code that companies use to build software is open source. In 2018, according to Tidelift, a software supply chain management platform, 92% of professional software developers said their applications contained open source libraries. That is a positive trend, since open source offers many benefits, not least transparency, but it also carries risk, such as limited visibility into what that code and its dependencies actually do.

Several vendors address open source security by providing tools that scan package metadata and descriptors for known vulnerabilities. Varun Badhwar argues that they don't go far enough. He is the co-founder of Endor Labs, a startup of more than 30 employees that uses graph analysis to learn how dependencies are actually used across an organization and to produce risk signals from that.

In a sign of investor interest, Endor, which emerged from stealth today and launched in private beta, has raised $25 million to date from Lightspeed Venture Partners, Dell Technologies Capital, Sierra Ventures and angel investors including Palo Alto Networks CEO Nikesh Arora. Badhwar tells TechCrunch that the previously undisclosed funding is being used to support Endor's continued growth and R&D expansion.

“If threats to the software supply chain are not already a boardroom priority, they will be soon,” Badhwar told TechCrunch in an email interview. “Open source software provides a rich resource for speed of development, but the proliferation of large-scale dependencies hinders development and increases the attack surface. The numbers are truly staggering: a typical large organization, for example one with more than 10,000 employees, has more than two million total dependencies. As a result, developers struggle to maintain, troubleshoot and update dependencies and lose hours to alert fatigue from false positives. Meanwhile, security teams lack real visibility… While the issue may seem technical, in this application-driven age, it affects all areas of operations.”

Badhwar points to a recent US Department of Homeland Security report showing that a US government cabinet agency spent months responding to a vulnerability in Apache's Log4j2 library, a Java-based logging tool, simply identifying where the vulnerable packages resided in its software environment. The White House has signaled its commitment to addressing the broader software supply chain security problem, issuing an executive order that declares it a national security concern and establishes standards for mitigation.

Prior to founding Endor, Badhwar led cloud infrastructure security startup RedLock, which Palo Alto Networks acquired in 2018; after the acquisition he served as SVP and GM of Prisma Cloud at Palo Alto Networks. His co-founder and Endor's CTO, Dimitri Stiliadis, joined Palo Alto Networks when it bought the company he founded, Aporeto. Stiliadis was previously CTO of Alcatel-Lucent's ventures arm and of Nuage Networks, a company developing software-defined networking solutions.

Badhwar says the two were inspired, following the 2020 SolarWinds breach, to develop a service that could better analyze the impact of software updates and code patches. Both felt existing tools missed “a whole class” of supply chain attacks and lulled companies into a false sense of security by focusing on vulnerabilities, such as bugs in well-meaning developers' code, without providing a way to prioritize remediation.


“In modern applications, 80% of the code is not written by in-house developers but is taken from open source packages on the Internet without any verification. We determined that on average enterprises often rely on more than 40,000 open source packages. Each one introduces an average of 77 additional dependencies,” Badhwar said, citing surveys of security teams showing that they are overwhelmed by alerts. “This leads to huge and uncontrolled sprawl, which increases the attack surface and slows down development.”

To try to solve this, Endor applies what Badhwar calls “deep program analysis” to build dependency graphs for enterprise software. The graph shows how dependencies are used across an organization: specifically, which dependencies are actually called from code, which are not used at all, and which vulnerable packages are in use. Each dependency gets a score based on quality, security, maintainer activity, popularity and CI/CD data.

Endor provides tools to measure security and operational risk and to remove unused or unexpected dependencies. Badhwar explains that the same graph can be used to generate software inventories that serve as a source of truth for what a company's software actually contains.
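
The reachability idea described above can be illustrated with a small graph walk. The following is example code written for this page, not Endor's tooling: it takes a constructed call graph (in-house code is the package `app`; every other package name, function name and advisory identifier is hypothetical), works out which declared dependencies the application ever reaches, and triages advisories by whether the vulnerable function sits on a call path from the application, keeping the path as evidence.

```python
from collections import deque

# Constructed call graph for the example: "package.function" -> callees.
# "app" stands for in-house code; every other package name is hypothetical.
CALL_GRAPH = {
    "app.main": {"webframework.route", "logger.info"},
    "app.handler": {"webframework.render_template"},
    "webframework.route": {"httpparser.parse"},
    "webframework.render_template": {"templating.render"},
    "templating.render": {"escape_utils.escape"},
    "templating.load_unsafe": {"pickle_compat.loads"},  # ships in templating, never called by app
    "logger.info": {"formatter.format"},
    "imagelib.resize": {"compress_lib.deflate"},  # declared in the manifest, never called
    "httpparser.parse": set(),
    "escape_utils.escape": set(),
    "formatter.format": set(),
    "compress_lib.deflate": set(),
    "pickle_compat.loads": set(),
}

# Constructed manifest: the direct dependencies the application declares.
DIRECT_DEPS = {"webframework", "logger", "imagelib"}

# Constructed advisory feed: package -> (hypothetical advisory id, vulnerable function).
ADVISORIES = {
    "pickle_compat": ("ADV-0001", "pickle_compat.loads"),
    "compress_lib": ("ADV-0002", "compress_lib.deflate"),
    "httpparser": ("ADV-0003", "httpparser.parse"),
}


def package_of(symbol):
    """'webframework.route' -> 'webframework'."""
    return symbol.split(".", 1)[0]


def app_roots(call_graph):
    """Entry points: every function defined in in-house code."""
    return [fn for fn in call_graph if package_of(fn) == "app"]


def reachable_from_app(call_graph):
    """Breadth-first walk from the app's own functions.

    Returns {function: caller} for every reachable function so that a
    call path can be reconstructed as evidence for a finding."""
    parent = {root: None for root in app_roots(call_graph)}
    queue = deque(parent)
    while queue:
        fn = queue.popleft()
        for callee in sorted(call_graph.get(fn, ())):  # sorted for determinism
            if callee not in parent:
                parent[callee] = fn
                queue.append(callee)
    return parent


def call_path(call_graph, target):
    """Shortest app-to-target call chain, or None if target is unreachable."""
    parent = reachable_from_app(call_graph)
    if target not in parent:
        return None
    path = []
    while target is not None:
        path.append(target)
        target = parent[target]
    return path[::-1]


def unused_direct_deps(call_graph, direct_deps):
    """Declared direct dependencies that no reachable code ever calls into."""
    used = {package_of(fn) for fn in reachable_from_app(call_graph)}
    return sorted(direct_deps - used)


def triage_advisories(call_graph, advisories):
    """Label each advisory 'reachable' (fix first) or 'unreachable' (lower priority)."""
    reachable = reachable_from_app(call_graph)
    return {
        adv_id: "reachable" if vuln_fn in reachable else "unreachable"
        for adv_id, vuln_fn in advisories.values()
    }


if __name__ == "__main__":
    print("unused direct deps:", unused_direct_deps(CALL_GRAPH, DIRECT_DEPS))
    for adv_id, status in triage_advisories(CALL_GRAPH, ADVISORIES).items():
        print(adv_id, status)
    print("evidence:", " -> ".join(call_path(CALL_GRAPH, "httpparser.parse")))
```

On this input the walk reports `imagelib` as a declared-but-unused direct dependency, marks ADV-0001 and ADV-0002 as unreachable (the vulnerable functions exist in the tree but nothing on a path from `app` calls them) and ADV-0003 as reachable via `app.main -> webframework.route -> httpparser.parse`. A metadata-only scanner would flag all three packages equally; the point of the graph is that only the last one needs to be at the top of the queue. In a real tool the call graph would come from static analysis of the actual code, and a conservative implementation treats dynamic dispatch, reflection and plugin loading as potential edges rather than assuming they are absent.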

“Our dependency lifecycle management platform provides comprehensive and in-depth visibility across the entire dependency graph, providing multi-dimensional signals that both identify and prioritize risk and help customers select, maintain and track dependencies at scale,” said Badhwar. “What we've built, and are developing further, is a platform that enables smarter decision making and faster development, making software faster, easier and much, much more secure.”

While Badhwar maintains that Endor's platform is more comprehensive than most, new competitors in the space are constantly emerging. Just in September, Ox Security, a provider of services to harden the enterprise software supply chain, emerged from stealth with $34 million in funding. Another competitor, Chainguard, has raised several million dollars to build security tools for open source software. There are also Cycode and Dustico, the latter of which Checkmarx acquired in August 2021 for an undisclosed sum.

It isn't only startups that Palo Alto-based Endor is up against. In May, an industry group including Google, Amazon, Ericsson, Intel, Microsoft and VMware pledged $30 million to work with the Linux Foundation and the Open Source Security Foundation to improve the security of open source software. But Badhwar, who declined to disclose any metrics around Endor's customer base or revenue, doesn't see these efforts as threats to the business.

That isn't necessarily a bad bet. VC funding remains strong in cybersecurity, with VCs investing $12.5 billion across 531 deals in the first half of 2022, according to Momentum Cyber, comparable to the first half of 2021 ($12.6 billion).

“We have big ambitions to solve difficult technical problems in a very large market… Endor has been working in stealth for the past year and has attracted significant customers and prospects in that time,” Badhwar said. “The timing has turned out to be very good, as open source software security has received national, if not global, attention… Over the last year, more than 75 organizations have given us input on the product, and we're currently in private beta with companies of between 200 and 35,000 employees.”


