Jellyfish Enables Data-Driven AppSec with Endor Labs
Jellyfish, the leading engineering management platform, replaced Snyk with Endor Labs to improve their ability to identify, prioritize, address, and predict open source risk. Before, they wasted time manually researching reachability, sometimes just doing an upgrade even if they didn’t know it was reachable. Now they’re able to save time and raise confidence in their AppSec program.
- Top engineering management platform
- Leader in G2’s Software Development Analytics Tools
- 4.5 stars on G2
Jellyfish is an engineering management platform that aims to rewrite the way the industry thinks about software engineering and the impact it can have on a business. This is accomplished by enabling engineering leaders to measure, improve, and communicate the investment and effectiveness of their team's efforts. Their Security and Privacy team embraces this data-driven approach, with their biggest demonstrator of success being an appropriate level of risk that matches both their expectations and their customers’ expectations. In addition to delivering a secure product, their primary goal is to ensure nothing they do makes a developer’s job harder.
They look to their SCA tool to be an important part of their program, both in the traditional sense of discovering and prioritizing risk and as a data input to their company risk predictions. Unfortunately, they realized the incumbent SCA tool (Snyk Open Source) wasn't helping them meet those goals. Areas of concern included:
- Inaccurate Risk Modeling: Snyk's reachability analysis wasn't robust. Jellyfish couldn't determine which vulnerabilities could truly threaten their business, so they either manually researched reachability or performed upgrades without knowing if they mattered. Their risk models were overly aggressive to compensate, which they knew was harmful to their credibility but were left with no alternative.
- Operational Inefficiency: Snyk didn't handle edge cases well. Certain languages and package managers malfunctioned without tweaks, or weren’t supported for reachability, and often there were deviations between findings in the CI versus the UI.
Overall, the tool wasn't aligned with Jellyfish's data-driven approach to security, creating inefficiencies and hindering accurate risk assessment.
Other tooling we’ve used has a lot of noise in the dashboard and reporting, and it’s hard to figure out how we’re trending.
- James Kirk, Head of Security and Privacy at Jellyfish
The Jellyfish team sought an SCA tool that would lead to better risk prioritization and resource allocation while integrating seamlessly into their workflows and avoiding operational complexities. In looking for a new tool, they had four main requirements:
- Risk prioritization: Function-level reachability and EPSS with coverage for Python and TypeScript/JavaScript
- Implementation experience: Easy to integrate anywhere, including locally and in CI, with support for CircleCI
- Governance and policy: Ability to warn or break based on specific parameters such as an EPSS probability or age of dependency
- SBOM support: Capable of generating SBOMs in standard formats (e.g. CycloneDX) and producing a VEX companion document
The team chose Endor Labs because all their requirements were satisfied and the team was a pleasure to work with.
Endor Labs is, in a good way, simplistic. The data I care about is quickly available to me.
- James Kirk, Head of Security and Privacy at Jellyfish
We have been pleasantly surprised by the lack of friction when trying new features, like container scanning, that are outside the traditional SCA scope. It took us just five minutes to set up a CircleCI job and give it a container from our registry, and we were immediately seeing results.
- Josiah Bruner, Sr Security Engineer at Jellyfish
Today, Jellyfish can focus on evolving their product and platform. With Endor Labs, they:
- Accurately Identify, Prioritize, and Remediate Risks
With an accurate SBOM and function-level reachability analysis, Jellyfish confidently prioritizes remediations, eliminating time wasted researching findings or fixing unreachable vulnerabilities.
- Improve Confidence in Risk Models
With an accurate risk assessment, Jellyfish can create more reliable risk models. They can confidently present this data to executives and the board, knowing it reflects a true picture of their security posture.
- Streamline Workflows and Prevent Bad OSS Selection
The team uses policies integrated with existing CI/CD pipelines (CircleCI) to warn developers about risky open source dependencies. They automatically prevent dependencies from entering production if they have a significant criticality and EPSS probability. They can flag leading indicators of potential risk, like newly created dependencies, which could introduce a supply chain attack.
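To make the gating logic described above concrete, here is an added illustration of a CI policy gate of the kind the requirements list and the results above describe: findings that are unreachable are suppressed, reachable (or unknown-reachability) findings are warned on or blocked according to severity and EPSS probability, and very new dependencies are flagged as a leading indicator. This is a constructed example written for this page; it is not Endor Labs' policy language or Jellyfish's configuration, and the thresholds, package names, vulnerability IDs, and dates are all invented for illustration.

```python
"""Toy CI policy gate over SCA findings (constructed example, not a vendor API).

Decisions: "block" fails the pipeline, "warn" annotates it, "pass" is silent.
All thresholds below are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Hypothetical policy parameters (not from the page).
BLOCK_EPSS = 0.10                      # block high/critical findings at EPSS >= 10%
WARN_EPSS = 0.01                       # warn on anything at EPSS >= 1%
BLOCK_SEVERITIES = {"critical", "high"}
MIN_DEP_AGE_DAYS = 30                  # warn on dependencies first published < 30 days ago


@dataclass
class Finding:
    package: str
    version: str
    vuln_id: str
    severity: str              # "critical" | "high" | "medium" | "low"
    epss: float                # EPSS probability in [0, 1]
    reachable: Optional[bool]  # None = reachability unknown (e.g. unsupported ecosystem)


@dataclass
class Dependency:
    name: str
    version: str
    first_published: date


def evaluate_finding(f: Finding) -> str:
    """Decide block/warn/pass for one vulnerability finding."""
    # A finding the application provably cannot reach is informational only;
    # suppressing it is the noise reduction the case study is about.
    if f.reachable is False:
        return "pass"
    # Reachable, or reachability unknown: treat unknown conservatively and
    # gate on severity combined with exploit likelihood (EPSS).
    if f.severity in BLOCK_SEVERITIES and f.epss >= BLOCK_EPSS:
        return "block"
    if f.epss >= WARN_EPSS:
        return "warn"
    return "pass"


def evaluate_dependency(d: Dependency, today: date) -> str:
    """Flag newly created dependencies as a leading indicator of supply-chain risk."""
    age_days = (today - d.first_published).days
    return "warn" if age_days < MIN_DEP_AGE_DAYS else "pass"


def gate(findings: List[Finding], deps: List[Dependency], today: date) -> Dict:
    """Aggregate per-item decisions into a single pipeline verdict."""
    decisions: Dict[str, str] = {}
    for f in findings:
        decisions[f"{f.package}@{f.version}:{f.vuln_id}"] = evaluate_finding(f)
    for d in deps:
        decisions[f"{d.name}@{d.version}:age"] = evaluate_dependency(d, today)
    if "block" in decisions.values():
        verdict = "block"
    elif "warn" in decisions.values():
        verdict = "warn"
    else:
        verdict = "pass"
    return {"verdict": verdict, "decisions": decisions}


# Constructed sample input: fictional packages, vulnerability IDs, and dates.
SAMPLE_TODAY = date(2024, 6, 1)
SAMPLE_FINDINGS = [
    Finding("example-http", "1.4.0", "EX-0001", "critical", 0.42, True),   # reachable + likely exploited -> block
    Finding("example-utils", "2.0.3", "EX-0002", "high", 0.35, False),     # unreachable -> pass
    Finding("example-yaml", "5.3.1", "EX-0003", "medium", 0.05, True),     # reachable, moderate EPSS -> warn
    Finding("example-pad", "0.9.0", "EX-0004", "low", 0.001, None),        # unknown reachability, negligible EPSS -> pass
]
SAMPLE_DEPS = [
    Dependency("example-new", "0.0.1", date(2024, 5, 20)),  # 12 days old -> warn
    Dependency("example-old", "3.1.0", date(2019, 1, 1)),   # mature -> pass
]


def run_sample() -> Dict:
    """Evaluate the constructed sample; the pipeline verdict is "block"."""
    return gate(SAMPLE_FINDINGS, SAMPLE_DEPS, SAMPLE_TODAY)


if __name__ == "__main__":
    result = run_sample()
    for item, decision in result["decisions"].items():
        print(f"{decision:5s} {item}")
    raise SystemExit(1 if result["verdict"] == "block" else 0)
```

The design point worth noting is the handling of `reachable=None`: when reachability is unavailable the gate falls back to severity-plus-EPSS rather than silently passing, which matches the conservative posture the Jellyfish team describes before they had reliable reachability data. Only a definite "unreachable" suppresses a finding.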