Episode #29 - Tackling the biggest problem affecting code … dependency lifecycle management

As it turns out, managing Open Source Software (OSS) dependencies is extremely difficult.  Not all vulnerabilities are in runtime and/or reachable, not all exploits focus on high/critical CVSS, there is a time delay with patches when they are made available, and Semantic Versioning (SerVer) can make prioritization challenging when thinking through backward compatibility, upgrade paths, version pinning in supply chain, etc.Though estimates vary based on source, some 80% of deployed code is now ...

As it turns out, managing Open Source Software (OSS) dependencies is extremely difficult.  Not all vulnerabilities are in runtime and/or reachable, not all exploits focus on high/critical CVSS, there is a time delay with patches when they are made available, and Semantic Versioning (SerVer) can make prioritization challenging when thinking through backward compatibility, upgrade paths, version pinning in supply chain, etc.

Though estimates vary based on source, some 80% of deployed code is now OSS with 95% of vulnerabilities taking place in transitive dependencies.  What’s more, when looking at the Census II report () approximately 50% of all packages tracked did NOT have a release in 2022.  This is an intractable problem and a reason why Endor Labs started development back in 2021. 

As they so eloquently state, “Software ages like milk, not like wine”. 

In this podcast episode, Satbir and Darren explore the Software Composition Analysis (SCA) domain with Varun Badhwar, CEO/Founder of Endor Labs, regarding how to focus teams on the most relevant vulnerabilities associated with their OSS code and how many AppSec programs are starting to focus efforts in this area.