Reducing FedRAMP Compliance Costs with Endor Labs
Vulnerability Management for FedRAMP compliance is expensive; your SCA tool should help you make it cheaper and easier.
Vulnerability management is a hard requirement for FedRAMP Cloud Service Providers (CSPs); among other things, you have to scan all your applications – both code and container – to identify vulnerabilities. Any vulnerabilities that have been reported to the NVD (National Vulnerability Database) – that is, any that have a CVE identifier – have to be fixed based on severity. The scans must be accurate and complete, and the fixes must be completed in a timely manner (30, 90, or 180 days for Critical/High, Medium, and Low severities respectively).
That is an expensive proposition for organizations seeking to establish or maintain their FedRAMP authorization. And it’s time your SCA tool helped you get those costs under control.
Complete, accurate, and correlated SCA and container scanning in one solution
Ben Scudera is a Senior Director at Fortreum, a Third Party Assessment Organization (3PAO) that provides cloud and cybersecurity services, including assessments and advisory services for FedRAMP. In Controlling FedRAMP Vulnerability Management Costs: An Auditor’s Analysis, he said:
"Tools used for [FedRAMP] monitoring must meet specific requirements to ensure that they’re accurate, complete, and produce results that are consumable by the various parties involved in FedRAMP oversight."
FedRAMP's vulnerability scanning requirements demand that your reporting be both accurate and complete. On the application security side, the two main pillars of this are SCA (which finds vulnerabilities in the open source libraries you bundle with your applications) and container scanning (which finds vulnerabilities in the components you pack into your application containers).
Endor Labs’ leading SCA solution does more than others to ensure a complete and accurate picture of which libraries are actually in use, and which vulnerabilities really affect them. We do this by following two key strategies:
- We enrich the NVD and other data sources with our own security research, letting us correct errors relating to affected and fixed versions and similar data quality issues
- We analyze much more than just your dependency manifest files, instead taking all kinds of context about your build-and-deploy environment into consideration
This approach results in an accurate software inventory, and accurate data about which vulnerabilities are present in your systems (and as a side effect, this means your SBOM and VEX documents are accurate, too!).
And rather than have to choose a second product for container scanning, we apply our same rigorous analysis approach to give you clear, accurate container scanning that natively correlates container and SCA results to simplify your POA&M tracking.
And we do this all in a way that helps you dramatically reduce the cost of tracking and fixing vulnerabilities in your FedRAMP scope – and everywhere else.
Reduce your FedRAMP workload with “False Positive” identification and tracking
3PAOs like Fortreum consult with clients on specific approaches and methods for classifying a finding as a "false positive." Reachability analysis is one such technique, about which Scudera says:
"Reachability analysis is used to identify vulnerabilities that have no reachable path for exploitation, meaning anything deemed “unreachable” is a false positive… Given that less than 9.5% of vulnerabilities are exploitable at the function level, reachability analysis can greatly reduce ConMon burdens."
Endor Labs doesn’t just stop at being incredibly accurate and complete – we also use our deep awareness of how dependencies are used in your application to identify which findings FedRAMP assessors will accept as false positives. And our policy system helps you easily meet the tracking requirements for these.
The end result is a system that can reduce your FedRAMP remediation workload by an average of 20% – up to 75% in some cases – while giving you confidence that you’ll be alerted if a false positive becomes a true positive.
Our key to this starts with state-of-the-art, granular function-level reachability analysis. Our scanner not only understands which dependencies are being used by your application, but which parts of those dependencies are in use, right down to which functions are being called. This gives us a high-quality map of how your application interacts with the open source code in your dependencies. Combining this analysis with our proprietary research to identify which functions in a dependency are actually vulnerable allows us to accurately identify which vulnerabilities are unexploitable, and therefore false positives for FedRAMP. (see also: Prioritizing SCA Findings With Reachability [video])
And, uniquely, we make clear the difference between “this is definitely risk” (reachable), “this poses no risk” (unreachable, which is what FedRAMP’s PMO needs in order to accept a false positive), and “we couldn’t determine if it does” (potentially reachable). This high-confidence approach to marking items as unreachable is key to meeting the high bar set by FedRAMP for false positive classification.
Of course, tracking also means reassessing, and we’ve got your back there too: our automatic reassessment capabilities mean you get prompt updates should code changes in your application result in a vulnerability becoming reachable. And optional (but included) daily monitoring – without the need to re-scan! – alerts you to risk changes in existing findings.
Save time and money on fixes
Fixing a vulnerability requires time and effort, both from your security teams and from your development and ops teams. And while identifying and tracking false positives saves a ton of work, it’s also important to speed up fixing the rest. This not only saves you money directly, but puts developer time back into delivering new features.
And Endor Labs offers advanced solutions to help you speed up your fixes:
- Intelligent, policy-driven routing of findings to the places where your teams are already working
- Upgrade Impact Analysis that helps you select the best upgrades and plan work effectively
- Endor Patches to fix critical and high severity vulnerabilities faster, and without the risk of breaking changes introduced by a full upgrade
Get the work where you need it to be
Intelligent, policy-driven routing of findings to the places where your teams are already working is a key accelerator. No more spending hours clicking around a UI! Instead, set your policies on criteria you’ve established and let our policy engine (built around Open Policy Agent) route findings to the places you need them to be – Jira, Slack, GitHub, your GRC tool, whatever.
Our flexible UI allows you to apply policies to different organizational groups, sets of projects that are in different compliance scopes, and so on. And because the policy engine follows open standards, you can express more complex policy needs in the open Rego policy language.
No more dumping reports and getting someone to do data entry – automate it in seconds.
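To make the routing and tracking logic above concrete, here is an added example (not Endor Labs' code, policy schema, or data model) that models three things the text describes: the FedRAMP remediation windows by severity (30/90/180 days), the three reachability verdicts with only a high-confidence "unreachable" treated as a false-positive candidate, and policy-driven routing of each finding to a destination. It also includes the reassessment check from the reachability section, flagging any finding whose verdict flipped from false-positive candidate to true positive between two scans. The routing rules, scope labels, destination names and the CVE-style identifiers are all constructed placeholders.

```python
"""Policy-driven triage of SCA findings against FedRAMP remediation windows.

Constructed example: the finding records, routing destinations, scope labels
and rules below are invented for illustration; they are not Endor Labs'
data model or policy schema.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Remediation windows stated in the text: Critical/High 30 days, Medium 90, Low 180.
SLA_DAYS = {"CRITICAL": 30, "HIGH": 30, "MEDIUM": 90, "LOW": 180}

# Reachability verdicts: only "unreachable" qualifies as a false-positive
# candidate; "potentially_reachable" could not be ruled out, so it stays risk.
UNREACHABLE = "unreachable"


@dataclass(frozen=True)
class Finding:
    cve: str            # placeholder identifier, not a real CVE
    package: str
    severity: str       # CRITICAL | HIGH | MEDIUM | LOW
    reachability: str   # reachable | unreachable | potentially_reachable
    detected: date
    scope: str          # constructed label, e.g. "fedramp" or "internal"


@dataclass
class Decision:
    cve: str
    classification: str        # true_positive | false_positive_candidate
    due: date
    days_left: int
    routes: list = field(default_factory=list)


def classify(finding: Finding) -> str:
    """Only high-confidence unreachable findings are candidates for FP tracking."""
    return "false_positive_candidate" if finding.reachability == UNREACHABLE else "true_positive"


def due_date(finding: Finding) -> date:
    """Fix-by date derived from the detection date and the severity's window."""
    return finding.detected + timedelta(days=SLA_DAYS[finding.severity.upper()])


def triage(finding: Finding, today: date) -> Decision:
    """Apply the hypothetical routing policy to one finding."""
    due = due_date(finding)
    decision = Decision(finding.cve, classify(finding), due, (due - today).days)
    if decision.classification == "false_positive_candidate":
        # FedRAMP-scoped FP candidates still need a tracked justification,
        # so they go to the GRC tool rather than an engineering queue.
        if finding.scope == "fedramp":
            decision.routes.append("grc")
        return decision
    # True positives go to the engineering tracker in every scope.
    decision.routes.append("jira")
    # Critical/High true positives in FedRAMP scope with a week or less left
    # also get a chat escalation so the 30-day window is not missed.
    if (finding.scope == "fedramp"
            and finding.severity.upper() in ("CRITICAL", "HIGH")
            and decision.days_left <= 7):
        decision.routes.append("slack")
    return decision


def reassess(previous, current):
    """CVEs whose verdict flipped from FP candidate to true positive between scans."""
    before = {f.cve: classify(f) for f in previous}
    return [f.cve for f in current
            if before.get(f.cve) == "false_positive_candidate"
            and classify(f) == "true_positive"]


# Constructed sample findings
TODAY = date(2024, 6, 1)
FINDINGS = [
    Finding("CVE-0000-0001", "libexample", "CRITICAL", "reachable", date(2024, 5, 8), "fedramp"),
    Finding("CVE-0000-0002", "libexample", "HIGH", "unreachable", date(2024, 5, 20), "fedramp"),
    Finding("CVE-0000-0003", "otherlib", "MEDIUM", "potentially_reachable", date(2024, 5, 1), "fedramp"),
    Finding("CVE-0000-0004", "otherlib", "LOW", "unreachable", date(2024, 1, 15), "internal"),
]

if __name__ == "__main__":
    for f in FINDINGS:
        d = triage(f, TODAY)
        print(f"{d.cve:14} {d.classification:24} due {d.due} ({d.days_left:+d} days) -> {d.routes}")
```

The design point is that the false-positive decision and the SLA clock are computed from the same finding record, so a finding that loses its "unreachable" verdict on the next scan is re-routed automatically and its deadline is already known; `reassess` is the hook that would trigger that alert.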
Find the best upgrade paths to take
Upgrade Impact Analysis helps you select the best upgrades and plan work effectively. Identify the upgrades that have the biggest impact on your open risks, and quickly understand how difficult each upgrade will be so your development teams can plan the work. No more panics 3 days before your fix SLA expires!
Upgrade Impact Analysis uses what we understand about your specific applications and the way they use dependencies to identify the best version to upgrade to. It identifies not only which upgrade paths have the highest value for your FedRAMP objectives, but also the risks of performing those upgrades in your environment.
Having this information readily available saves your teams a ton of research time, lowers the risk of missing SLAs, and helps them prioritize complex work. For example, instead of taking on a high-complexity upgrade project a week before the fix is due, your teams can start that work right away. And they can wait a bit to start on things with lower upgrade risk.
Avoid the riskiest updates
Endor Patches remove the risk of breaking changes that can slow down remediations, letting you work much faster to remove the Critical and High vulnerabilities in your organization. Often, open source projects only release fixes that are forward-looking; that is, you have to accept an update that might have new features, remove features your applications rely on, or have other changes that can break your code.
That means upgrading is risky for developers – if they take on a high-risk upgrade for a dependency, it’ll fix security problems but also might require a lot of code changes to accommodate how the dependency has changed since the version you’re currently on.
Endor Labs addresses high-risk updates by identifying the official fix and backporting it to the version you’re already using. This changes the high-risk update into a low-risk update, while still fixing all the critical and high vulnerabilities – the ones that FedRAMP requires you to fix in 30 days. This buys you precious time to plan and execute the higher-risk update (if you even still need to).
Our changes, test logs, and build configuration are all transparently available to you – you don’t have to trust us, you can easily verify and validate our work on your own.
Ease FedRAMP ConMon with Endor Labs
We think you should expect more from your SCA. Secure your open source with:
- Reachability Analysis pinpoints the most critical vulnerabilities.
- Upgrade Impact Analysis prioritizes which risks to address first.
- Endor Patches secure those tricky, hard-to-upgrade packages.
Book a demo to see how Endor Labs can secure everything your code depends on.