Endor Labs, which offers a platform developers can use to manage and secure their open source dependencies, today closed a $70 million Series A round led by Lightspeed Venture Partners with participation from Coatue, Dell Technologies Capital, Section 32 and a number of angel investors.
The new financing — quite large for a Series A, and coming only 10 months after the company’s launch — brings Endor’s total raised to $95 million. Co-founder and CEO Varun Badhwar says that it’ll be put toward expanding the startup’s 55-person workforce and “deepening” Endor’s existing technical capabilities while expanding its go-to-market initiatives.
“We’re proud to have raised a significant Series A round at a time when funding has been tight, and investors are spending a lot more time doing deeper due diligence,” Badhwar told TechCrunch in an email interview. “The current economic climate and the pandemic have been contributing factors to the situation many security teams find themselves in today, and the problems Endor Labs has made its mission to solve.”
Endor Labs was founded in 2021 by Badhwar and Dimitri Stiliadis, who previously started RedLock and Aporeto, respectively. While managing a team of developers at Palo Alto Networks, the pair say they struggled to balance engineering productivity with software supply chain security.
“Developers regularly went on the company chat to find out which of the open source software components in their packages were safe to update without impacting others,” Badhwar said. “Otherwise, they had no way of knowing.”
Badhwar points out that open source has become part and parcel of how software companies do business — and, at the same time, a growing security threat.
According to GitHub’s 2022 Octoverse report, 97% of apps leverage open source software, and 90% of companies are applying or using it in some way. While that’s encouraging for the open source ecosystem — more enterprises are creating open source software communities than in years past, the Octoverse report found — it’s also opening up organizations to exploits.
Companies today tap thousands of open source packages, and each of these packages have dozens upon dozens of “transitive” dependencies — i.e. relationships with other open source code. Most vulnerabilities — as many as 95%, Endor estimates (so take that stat with a grain of salt) — are found in these transitive dependencies.
Since 2019, high-risk vulnerabilities have increased by at least 42% across businesses using open source packages, as per a Synopsys study. The study, which audited over 1,700 codebases from companies in edtech, automotive, Internet of Things and other related industries, identified that 89% of open source packages in the codebases were more than four years out of date.
High-profile hacks have spurred policymakers to act, leading to legislation like the U.S. Securing Open Source Software Act and Executive Order 14028.
“Today’s reality is that much of the code in modern applications relies on open source repositories,” Badhwar said. “Most of that code wasn’t actually selected by the developers; they’re indirect dependencies automatically brought into their codebase. As a result, developers spend too much time investigating alerts, integrating security tools and negotiating priorities. At the same time, app security teams can’t do their jobs without imposing a massive ‘productivity tax’ on developers.”
Endor, then, was launched as a platform to surface “reachable” and “exploitable” risks in open source code, Badhwar says. It’s since expanded to become a code and software dev pipeline governance service, focusing on building robust app security programs.
Using Endor, companies can monitor the security posture of their dev pipelines, manage developer access to code and keep a watchful eye over the secrets — e.g. passwords — hardcoded in their codebases.
Recently, Endor launched “DroidGPT,” an AI tool that assists in open source selection by combining OpenAI’s AI-powered chatbot, ChatGPT, with Endor’ risk data. Users can get answers to questions like “What are the best logging packages for Java?” that include risk scores revealing the quality, popularity, trustworthiness and security of each package.
“Within large enterprises, there are often hundreds if not thousands of developers for each app security engineer,” Badhwar said. “C-suite executives understand that security is a crucial part of any software product, but also remain conscious of operating budgets. Endor Labs helps balance this equation: App security teams can surface only the risks that matter, and gather the evidence they need to communicate why those risks must be addressed.”
Endor has some competition in the open source security management space — Badhwar names Snyk as one of the biggest rivals. But he asserts that Endor doesn’t have a direct competitor.
“Existing solutions are largely incomplete and inaccurate — even the most advanced SCA tools and approaches, which focus mainly on licensing and vulnerability compliance, come up short,” Badhwar said. “At best, they track a single risk vector that is itself lagging — known vulnerabilities, usually bugs in well-meaning developers’ code.”
Vendors might disagree. But any bombast aside, Endor’s managed to attract customers within its first two quarters of selling, including Five9, RocketLawyer, MileIQ, Cowbell and Navan.
Badhwar expects Endor to achieve profitability in two years.
“There’s no question our unique approach has resonated in the market,” he said. “The technology addresses a critical but largely neglected problem — as demand for the next generation of customized applications continues to rise, and attacks on the infrastructure become more sophisticated, this vital category will keep gaining prominence. Since emerging from stealth mode in the fall of 2022, we’ve drawn a wide range of customers, investors and accolades. The company is clearly meeting an urgent need and attracting top talent. With the new funding, it’s time to go bigger and broader.”
Comment