
Relativity Blocks Risks with Endor Labs

Relativity is the leading legal technology vendor in the legal data intelligence field, also providing services including breach response and contract review. They use Endor Labs for SCA and improved their ability to identify and prioritize open source while complementing the developer experience.

Written by
Jenn Gile
Published on
September 24, 2024

The Challenge

Relativity is the leading legal technology company in the legal data intelligence field, also providing services including breach response and contract review. As a SaaS provider, Relativity already focuses on developer productivity, and its security team defines developer productivity as the quick, secure delivery of software. Their “Blocking with Confidence” initiative enables developers to identify and resolve security risks before code ships to production. It does this by democratizing security tools such as software composition analysis (SCA), so that developers have all the information they need to ship secure code.

But their incumbent SCA tool was preventing the program from succeeding: it didn’t fit into developer workflows, and its findings couldn’t be trusted. It caused three problems that required it to be replaced:

  • Problem #1: Questionable inventory and risk correlation
    Couldn’t get sufficient data on what was exploitable, and it lacked transparency about how it reached its conclusions.
  • Problem #2: Noise without context
    The tool “found” a lot of risk but didn’t tell the team which findings were exploitable. Because they remediate 100% of exploitable risks, they had to manually research findings or fix issues that might have been false positives.
  • Problem #3: Not automation-friendly
    It was hard to integrate into developer workflows because the tool’s policy management was limited and its API was missing most of the capabilities available in the UI.

The Solution

The Relativity security team scoped an SCA replacement from a developer-first perspective. The main question they wanted answered was: “How is this tool going to help our Blocking with Confidence program?”

To achieve this, they identified three requirements:

  • Requirement #1: Automated, trustworthy prioritization of vulnerability alerts
    Be able to “block builds with confidence” with clear, systematic evidence for why an issue is severe enough to block. Developers and AppSec engineers have data they can use to understand/adjust severity ratings.
  • Requirement #2: Increase developer self-sufficiency
    Manage policies centrally to reduce the number of tickets that require security personnel to be in the loop and the number of tickets that go “silently unaddressed.” Developers can identify and remediate within SLAs.
  • Requirement #3: Gain visibility to application makeup
    Clearly identify all open source libraries and provide visibility into the risks those dependencies bring into their applications. AppSec engineers are confident that all risk is being discovered.
Endor Labs is the best at showing exploitability in the application itself.
- Joni Musa, Head of Security and Deputy CSO at Relativity

The Impact

With Endor Labs for SCA, Relativity’s developers are preventing open source risks from entering production without a productivity tax.

  • Impact #1: 80% fewer vulnerabilities to remediate
    In the first week after turning on the tool, they saw an 80% reduction in risks they had to remediate, all due to function-level reachability analysis. For an organization that has to fix 100% of exploitable risks, an 80% reduction of their workload was huge. Without the tedium and minutiae of tracking down individual items that might not matter, they can focus on the remaining vulnerabilities that would impact customers and FedRAMP compliance.
In just the first week we saw an 80% reduction in risks we had to remediate, all due to reachability analysis — and we continue to see that number climb.
- Raphael Theberge, Director of Security Enablement at Relativity
  • Impact #2: Developers prevent new security risks
    The security team rarely has to interface with the tool because it’s seamlessly automated into developer workflows using APIs. When a developer submits a pull request (PR), the tool identifies whether their open source dependencies have an unacceptable level of risk. The developer is notified in GitHub and can swap out the risky dependency on the spot. They identify and resolve security risks before code gets shipped to production.
Because of Endor Labs, any Relativity developer can fix a security risk without us worrying whether we will miss an SLA.
- Raphael Theberge, Director of Security Enablement at Relativity
  • Impact #3: All developers can remediate vulnerabilities
    Before using Endor Labs, only the most experienced developers could upgrade dependencies because they had the skills and knowledge to do it correctly the first time. This was necessary to stay within SLAs expected by customers and FedRAMP. But with fewer overall vulnerabilities to address — due to reachability analysis and pre-production scanning — the time spent fixing each vulnerability can increase while staying within SLAs. Now anyone can be responsible for remediation, which means everyone — even junior developers — gets that crucial skill development and exposure to security as a routine part of their job.
The security team rarely has to interface with Endor Labs because it’s so automated, and that’s a good thing.
- Raphael Theberge, Director of Security Enablement at Relativity
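The impact numbers above rest on one idea: a dependency advisory only merits blocking a build when some function the application actually calls can reach the vulnerable function inside that dependency. The following is an added illustration of that idea in Python, not Endor Labs’ implementation and not Relativity’s code. The call graph, package names, function names and advisory IDs are all constructed for the example; a real tool builds the call graph from the application and its dependencies’ source or bytecode.

```python
"""Toy function-level reachability triage for SCA findings (illustrative only).

Not Endor Labs' implementation. It contrasts package-level matching (the
noisy behaviour described under Problem #2) with function-level reachability,
and keeps the call path as the evidence Requirement #1 asks for.
All names and advisory IDs below are constructed.
"""
from collections import deque

# Constructed call graph: caller -> set of callees. Functions are written as
# "<package>.<function>"; "app" is the application, everything else is a
# third-party dependency.
CALL_GRAPH = {
    "app.main":                {"app.handle_upload", "app.render"},
    "app.handle_upload":       {"yamlpkg.safe_load", "imgpkg.resize"},
    "app.render":              {"tmplpkg.render_template"},
    "yamlpkg.safe_load":       {"yamlpkg._parse"},
    "yamlpkg.load":            {"yamlpkg._parse", "yamlpkg._construct_python"},
    "yamlpkg._parse":          set(),
    "yamlpkg._construct_python": set(),
    "imgpkg.resize":           {"imgpkg._decode"},
    "imgpkg._decode":          set(),
    "imgpkg.open_gif":         {"imgpkg._decode_gif"},
    "imgpkg._decode_gif":      set(),
    "tmplpkg.render_template": {"tmplpkg._escape"},
    "tmplpkg._escape":         set(),
}

# Constructed advisories: (advisory id, package, vulnerable function).
ADVISORIES = [
    ("EX-0001", "yamlpkg", "yamlpkg._construct_python"),  # unsafe deserialization
    ("EX-0002", "imgpkg",  "imgpkg._decode_gif"),         # image parser bug
    ("EX-0003", "tmplpkg", "tmplpkg._escape"),            # escaping bypass
]


def find_paths(call_graph, entry_points):
    """Breadth-first search from the application's entry points.

    Returns {function: parent} covering every reachable function, so a
    concrete call path can be reconstructed for each finding.
    """
    parent = {ep: None for ep in entry_points}
    queue = deque(entry_points)
    while queue:
        fn = queue.popleft()
        for callee in call_graph.get(fn, ()):
            if callee not in parent:
                parent[callee] = fn
                queue.append(callee)
    return parent


def call_path(parent, target):
    """Rebuild entry point -> ... -> target from the BFS parent map."""
    path = []
    node = target
    while node is not None:
        path.append(node)
        node = parent[node]
    return list(reversed(path))


def triage(call_graph, entry_points, advisories):
    """Return {advisory_id: call_path_or_None} for every package-level match.

    A package-level SCA tool reports every advisory whose package appears in
    the reachable code. Function-level reachability keeps those findings but
    attaches a call path only when the vulnerable function itself is reached;
    None means "package used, vulnerable function not reached".
    """
    parent = find_paths(call_graph, entry_points)
    used_packages = {fn.split(".", 1)[0] for fn in parent}
    result = {}
    for advisory_id, package, vuln_fn in advisories:
        if package not in used_packages:
            continue  # dependency not used at all; not even a package-level match
        result[advisory_id] = call_path(parent, vuln_fn) if vuln_fn in parent else None
    return result


def blocking_findings(triage_result):
    """Advisory IDs that should fail the PR: the ones with a real call path."""
    return sorted(aid for aid, path in triage_result.items() if path)


if __name__ == "__main__":
    result = triage(CALL_GRAPH, ["app.main"], ADVISORIES)
    print("package-level matches:", sorted(result))
    print("block the build on:   ", blocking_findings(result))
    for aid in blocking_findings(result):
        print(f"  {aid}: " + " -> ".join(result[aid]))
```

On this constructed input, package-level matching reports all three advisories, while function-level reachability blocks only EX-0003 and prints the path `app.main -> app.render -> tmplpkg.render_template -> tmplpkg._escape` as evidence. One caveat a practitioner should keep in mind: a static call graph can miss edges created by reflection, dynamic dispatch or plugin loading, so findings with no path are best deprioritized and kept visible rather than discarded outright.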
