top of page

Endor Labs Delivers the Impossible, Creating Secure Software SupplyChains That Make Developers More

What Endor Labs does

Endor Labs gives DevSecOps teams the context they need to prioritize open source software (OSS) risk, secure CI/CD pipelines, and meet compliance objectives like Software Bills of Materials (SBOMs). It gives security leaders the visibility they currently don’t have while utilizing third-party and open source software so organizations can select, secure, and maintain OSS at scale.

The Current Landscape

Open source software is a treasure trove for developers because it enables ongoing innovation—we all benefit from the latest advances, while the nonstop collaboration between dispersed and talented professionals keeps it free.

However, 80% of code in modern applications is not written by developers within a company, but, rather, pulled in from open source packages on the internet without any validation. Enterprises are often relying on over 40,000 open source packages (direct dependencies) on average; and each of those, in turn, brings in an average of 77 additional (transitive) dependencies. When all this happens without the developers knowing what code is being pulled into each project, where it’s being used, and if it’s truly safe, security concerns get in the way of productivity. This causes ungoverned sprawl, which slows development while increasing the attack surface. In fact, 95% of OSS vulnerabilities are found in transitive dependencies. The SolarWinds debacle happened because of exactly these vulnerabilities.

The White House & US Government have indicated their commitment in addressing the issues. They’ve openly declared open source software security to be a national security issue and the Executive Order update and subsequent legislation introduced by the Senate continue to validate the severity of the problem.

The Log4j incident, ruining countless Christmas holidays, hammered home the point that this is a big, ugly problem that needed fixing.

Endor Labs was founded for these purposes, and it’s on a mission to solve these problems and more. Before Endor Labs, solutions did not exist to solve them (as the U.S. Cybersecurity and Infrastructure Security Agency’s Cyber Safety Review Board CSRB even points out here on page 13). This innovator provides a platform that enables intelligent decisioning and development at speed and velocity, including the reuse of software at scale faster, easier, and much, much safer. These developments will positively impact businesses at many levels, including increasing performance, competitiveness, and value generation.

Company Birth Story

Endor Labs CEO and co-founder, Varun Badhwar was leading a 400- person engineering team at Palo Alto Networks, and yet there was at least one old-school stumbling block. He found that it was common for developers to go on Slack to ask questions like: “Who’s using this open source dependency? I plan to update it and you might be affected.” These were highly sophisticated technologists building advanced solutions with valuable code, yet they lacked even basic visibility into the software dependency graph.

He couldn't help but wonder, was this just his team, or was it a bigger challenge across the whole industry? He knew some influential leaders in the cybersecurity and tech world, so he started asking questions. The answers were surprisingly consistent. Most of them were simply crossing their fingers and hoping for the best when dealing with open source software, trusting the ecosystem implicitly.

That’s when the idea for Endor Labs was born. Along with his longtime colleagues and business partners, Varun understood the need to secure the software supply chain by enhancing and speeding open source reuse—a goal that has always proved elusive. That is Endor Labs’ mission: It’s dedicated to creating secure software supply chains to make developers more productive, rather than drowning in endless (and often false) security alerts.

The Solution

The Endor Labs solution sets and services are designed to match the top priorities and broader needs of IT and security teams, and developers at the heart of those efforts. The Endor Labs Code Governance Platform, which lies at the core of both supply chain security and developer productivity, is geared toward both security and engineering teams.

The solutions are organized so as to help each organization secure its software supply chain (with comprehensive software inventory, better dependency selection and OSS governance); maintain its assets (with vulnerability prioritization, SBOM management and detection/response); and maintain its infrastructure (with a reduced attack surface, detection of unmaintained dependencies and prioritization of operational risk).

Existing solutions have proved fundamentally inadequate—even the most advanced Software Composition Analysis (SCA) tools and approaches, which focus mainly on licensing and vulnerability compliance, come up short. They can’t help developers select secure and high-quality dependencies, which has major consequences down the road; they only track a single risk vector that is itself lagging—known vulnerabilities, usually bugs in well-meaning developers’ code; and they feature vulnerability-oriented alerts that are prone to false positives.

Endor Labs applies deep program analysis that has had a respected place in academia but never before been seen in production at scale. The technology can build a detailed dependency graph without requiring any agents or proxies in runtime. This makes the implementation easy and fast, offering unprecedented visibility into just how developers are using these dependencies; which dependencies are being called from their code; which are unused; and of course, which vulnerabilities are exploitable. There’s much more, but here’s the real takeaway: The next time there’s a Log4j- like episode, every organization can get the most important information in minutes, not weeks.

Endor Labs has launched a market-leading research competency named Station 9. The team, which brings together specialists from around the world and is led by famed researcher Henrik Plate, has already made waves with groundbreaking reports examining “The State of Dependency Management” and “The Top 10 Open Source Software Risks of 2023.”

The company has demonstrated its 100% commitment to the channel with Hyperdrive, a global partner program designed to create powerful technology combinations for supply chain security, dependency selection and lifecycle management. It successfully completed a System and Organization Controls (SOC) 2 Type I audit and has been SOC 2 Type II certified. The company also received a strategic investment from members of the Silicon Valley CISO Investments (SVCI), a group of Chief Information Security Officers (CISOs) who operate as an angel investor syndicate. Security executives from Robert Half, Ross Stores, Chime, Adobe, BlackHawk, NYSE, HashiCorp, Flexport and more all chose to make a personal investment in Endor Labs. It has integrated with GitHub Advanced Security to make developers’ lives easier by helping them manage what they build and how they build it. It launched in private beta DroidGPT, an artificial intelligence to help developers select better OSS. And the company was awarded the Intellyx Digital Innovation Award, which recognizes technology providers who make it through the analyst firm’s rigorous briefing selection process – leading-edge vendors driving enterprise digital transformation.

A Customer Story

One of Endor Labs’ customers is a large financial institution. Their developers were losing countless hours chasing down vulnerabilities surfaced by the security teams on their open source packages. The security team was not able to efficiently prioritize these vulnerabilities. With Endor Labs, they were able to reduce false positive alerts by 76% by prioritizing reachable dependencies.

The Team Culture

Currently, Endor Labs employs over 45 people – mostly engineers with a stellar track record at companies such as Meta, Uber, GitHub, Sonatype, Amazon and Microsoft. It has a lot of smart people on board–a third of its engineers even have PhDs in Computer Science or related fields–and it’s solving some very complex issues. The company was recognized as a San Francisco Bay Area Best Place to Work for creating an exceptional workplace that its employees value highly.

A founder quote

Varun Badhwar, CEO and co-founder, said: “Eighty percent of the code in modern applications is code your developers didn’t write but depend on through open source packages. When our founding team was leading the Prisma Cloud engineering group at Palo Alto Networks, we realized the true magnitude of this issue. Having previously created the Cloud Security Posture Management (CSPM) category, this team knows how to take on next generation threats. Our mission now is to enable OSS to live up to its true potential without introducing unnecessary risk. It’s exciting to once again take a new approach to the market, and we believe these solutions will radically enhance application development everywhere.”

Follow on social:



Company logo:


CEO photo:



Post Your Remote Job for Free

Reach our global audience of exceptional talent.
(If you're looking for a job, you can find one here too!)

bottom of page