
Endor Labs Achieves 92% Reduction in SCA Alerts

Endor Labs reduces open-source vulnerability noise by 92%, boosting productivity and improving collaboration between development and security teams.

Written by
Tom Gleason, VP of Customer Solutions
Published on
September 30, 2024

At Endor Labs, we’ve seen firsthand how our approach to Software Composition Analysis (SCA) can significantly reduce open-source vulnerability noise: on average, our customers see a 92% reduction. This reduction is not just marketing buzz; it’s a testament to our engineering team’s incredible efforts and expertise (I mean, if you get some of the best computer scientists together in a room, something is going to happen!).

After six months of working closely with our customers, I’ve seen the impact of our approach in solving real problems, moving beyond the limitations of previous SCA generations, and providing a common language between developers and security teams. In this post, I’ll dive into my personal experiences in the field, break down how we’ve evolved SCA, and share some customer success stories.

My Experience in AppSec

Having spent the last decade focused on application security, I’ve witnessed the evolution of software development practices from traditional waterfall models to agile, DevOps-driven environments. During this time, I’ve collaborated with numerous development and security teams, observing their struggles with legacy SCA tools that often hindered more than helped.

My experience has shown me that effective SCA goes beyond simply identifying vulnerabilities; it involves providing actionable insights and integrating smoothly into modern development workflows, all within a well-structured program and process framework. Over time, I’ve watched SCA tools go from “helpful but clunky” to “indispensable and powerful.” But even now, there’s room for improvement, and Endor Labs is leading the charge.

SCA Evolution

(FYI - I cannot take credit for these categorizations; they are from a colleague) 

Here’s how SCA has evolved through three key generations:

Gen 1: These tools, built for a slower, waterfall-style development environment, were limited to basic scanning after release. Security and development teams operated separately, and these tools served as a rudimentary audit mechanism, with vulnerabilities addressed similarly to bugs in the next release cycle.

Gen 2: With the shift to DevOps, SCA tools were integrated into developer workflows. These tools would scan the manifest files of package managers and generate findings about every vulnerability associated with the dependencies declared there. This led to noisy results and missed dependencies due to the complexity of modern development environments. This was particularly problematic when new-age build tools like Gradle, Yarn, and Bazel were used, as these tools demanded a more nuanced approach to dependency management and security.

Gen 3: Endor Labs is leading the charge with a new generation of tools focusing on deep program analysis and accurate dependency resolution, grounded in proven computer science methods rather than manually maintained rules or scripts. Our tools provide precise SBOM generation, vulnerability scanning (with function-level reachability), and policy-driven insights, all tailored to the specific context of an application, and without any runtime agents. This approach ensures that only genuinely relevant vulnerabilities are flagged, allowing teams to focus on what matters most.
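To make the Gen 2 versus Gen 3 contrast concrete, here is an added example (not Endor Labs’ code or algorithm) that runs three scanning strategies over one constructed toy project: a declared-only scan that sees just the manifest’s direct dependencies (and so misses transitive ones), a resolved-dependency scan that flags every advisory for every package in the dependency set, and a function-level reachability filter that keeps an advisory only when the vulnerable function is reachable from the application’s entry points. The dependency graph, call graph, and `ADV-000x` advisory ids are all constructed placeholders for the illustration.

```python
"""Added example: manifest-level SCA vs. function-level reachability filtering.

Everything below is constructed sample data, not real packages or advisories,
and the filtering is a minimal illustration, not any vendor's implementation.
"""
from collections import deque

# Constructed dependency graph: package -> packages it depends on.
# "app" declares only two direct dependencies in its manifest.
DEPENDENCY_GRAPH = {
    "app": ["web-framework", "json-lib"],
    "web-framework": ["http-parser", "template-engine"],
    "json-lib": [],
    "http-parser": [],
    "template-engine": ["string-utils"],
    "string-utils": [],
}

# Constructed call graph: "package:function" -> functions it calls.
# Note that web-framework:render is never called by the app's code.
CALL_GRAPH = {
    "app:main": ["web-framework:serve", "json-lib:dumps"],
    "web-framework:serve": ["http-parser:parse_headers"],
    "web-framework:render": ["template-engine:render"],
    "template-engine:render": ["string-utils:escape"],
    "json-lib:dumps": [],
    "http-parser:parse_headers": [],
    "http-parser:parse_chunked": [],
    "string-utils:escape": [],
}

# Constructed advisories with placeholder ids; each names the vulnerable function.
ADVISORIES = [
    {"id": "ADV-0001", "package": "http-parser", "function": "parse_chunked"},
    {"id": "ADV-0002", "package": "http-parser", "function": "parse_headers"},
    {"id": "ADV-0003", "package": "string-utils", "function": "escape"},
    {"id": "ADV-0004", "package": "json-lib", "function": "dumps"},
]


def resolve_dependencies(graph, root="app"):
    """Transitive closure of packages reachable from root (what a build tool resolves)."""
    seen, queue = set(), deque([root])
    while queue:
        pkg = queue.popleft()
        for dep in graph.get(pkg, []):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen


def manifest_level_findings(advisories, packages):
    """Gen 2 style: flag every advisory whose package is present in the package set."""
    return sorted(a["id"] for a in advisories if a["package"] in packages)


def reachable_functions(call_graph, entry_points):
    """Breadth-first walk of the call graph starting at the application's entry points."""
    seen, queue = set(entry_points), deque(entry_points)
    while queue:
        fn = queue.popleft()
        for callee in call_graph.get(fn, []):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def reachability_findings(advisories, packages, call_graph, entry_points):
    """Gen 3 style: keep an advisory only if its vulnerable function is reachable."""
    reachable = reachable_functions(call_graph, entry_points)
    return sorted(
        a["id"]
        for a in advisories
        if a["package"] in packages and f'{a["package"]}:{a["function"]}' in reachable
    )


def noise_reduction(before, after):
    """Percentage of findings removed by the more precise strategy."""
    if not before:
        return 0.0
    return 100.0 * (len(before) - len(after)) / len(before)


if __name__ == "__main__":
    declared = set(DEPENDENCY_GRAPH["app"])
    resolved = resolve_dependencies(DEPENDENCY_GRAPH)
    noisy = manifest_level_findings(ADVISORIES, resolved)
    precise = reachability_findings(ADVISORIES, resolved, CALL_GRAPH, ["app:main"])
    print("declared-only (misses transitive deps):", manifest_level_findings(ADVISORIES, declared))
    print("resolved, no reachability (noisy):      ", noisy)
    print("resolved + reachability:                ", precise)
    print(f"noise reduction: {noise_reduction(noisy, precise):.0f}%")
```

On this toy input the declared-only scan reports a single finding and silently misses the three transitive packages, the resolved scan reports all four advisories, and the reachability filter keeps only the two whose vulnerable functions the application actually calls. The remaining two are not "fixed", they are deprioritized; a real tool also has to handle dynamic dispatch, reflection, and incomplete call graphs, which is where the analysis depth the post refers to matters.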

Customer Stories: Old Tools vs. Endor Labs

Multinational Financial Institution:

In my previous role, I worked closely with a large multinational financial institution transitioning to modern development tools like Gradle for their Java applications. They aimed to be thoughtful about the libraries they used, ensuring robust security and maintainability. However, they encountered significant friction with the Gen 1 and Gen 2 SCA tools they were using. These tools struggled to integrate effectively with Gradle, especially within workflows involving multiple developer teams.

The complexity of these setups meant that the SCA tools often produced noisy, irrelevant results that were hard to assign to the correct developer teams. Moreover, the tools lacked any meaningful analysis of the health and practices of open-source dependencies, a critical aspect for this customer who wanted to ensure the quality of the libraries they used. This lack of actionable insights led to frustration and inefficiency, as the development teams found themselves drowning in a sea of unprioritized vulnerabilities and unclear guidance.

With Endor Labs: Contrast this with a similar financial services/insurance customer who adopted Endor Labs. Facing similar challenges with noise and lack of context in their SCA results, they achieved a comprehensive view of their codebase through our tools. Our advanced dependency resolution and precise vulnerability scanning allowed them to reduce noise by 90% to 99%, providing their teams with clear, actionable insights and fostering better collaboration between security and development.

Not only did Endor Labs seamlessly integrate with their existing tools like Gradle, but it also offered advanced scoring around the health and security practices of their dependencies. They hope to take advantage of this and signal open-source library risk before it becomes an issue. 

High-Tech Industry:

In my experience working with numerous customers in the high-tech space, I’ve noticed a unique challenge: many companies in this sector build products that their developers also use. These organizations have a high standard for what their security tools should deliver to their development teams. However, noise is often a significant issue. I’ve spoken to some of the best computer engineering minds who expressed frustration with the lack of application context provided by Gen 1 and Gen 2 tools. These tools failed to offer meaningful insights aligned with their developers’ workflows, resulting in inefficiencies and dissatisfaction.

With Endor Labs: Similarly, we have a customer in the developer productivity space who requires specific support for a unique ecosystem. Endor Labs easily accommodated their needs by providing a tailored experience for developer-centric organizations, which proved crucial for this customer.

What was most important to them was reducing noise to maximize developer productivity. Our reachability analysis became a game changer, allowing them to focus only on the vulnerabilities that truly mattered. Moreover, how Endor Labs is built aligns perfectly with developer workflows, from tracking repositories to managing packages.

This customer was also particularly interested in our container offering. We provide a robust solution that significantly reduces noise by integrating our container findings with application findings and reachability in a single view. This integration maximized their developers’ efficiency by enabling them to focus on the most critical issues, ultimately enhancing productivity.

SCA That Moves You Forward

The evolution of SCA tools reflects the changing landscape of software development, from the slow, segmented processes of the past to the agile, integrated environments of today. We’re moving into a new phase where customers expect more from SCA. It’s not just about finding vulnerabilities in open-source packages; it’s about securing everything your code depends on, and doing so in a way that helps the company ship faster, not slower.

Endor Labs is leading the next generation of SCA tools, designed to reduce noise, boost productivity, and improve collaboration between development and security teams. Our focus on innovation and putting customers first means we’re continuously evolving to meet the needs of modern software development. I’ll admit, I’m biased—I work here. But I joined from a company widely regarded as a market leader and because I can see where the industry is headed, I know Endor Labs is right on track.

Want to see for yourself? Sign up for our free trial and check out our demo library on YouTube.
