Endor Labs has released DroidGPT, a software extension for risk assessment of open source code. DroidGPT integrates the ChatGPT-generated artificial intelligence (AI) platform to make it easy to find the safest versions of open source packages.
This feature allows developers to launch natural language queries from within the Endor Labs platform to ask ChatGPT to identify the safest logging module for Java applications, for example.
Varun Badhwar, CEO of Endor Labs, says the goal is to make it easier to apply guardrails to application development processes that rely heavily on reusing open source packages today. Developers end up using outdated versions of packages that are insecure due to unfixed known vulnerabilities.
Endor Labs’ dependency lifecycle management platform applies graph analysis to identify the depth of dependencies that exist within an application. This feature makes it easy to identify where vulnerable components are actually used in your application. DroidGPT will extend that functionality to allow developers to identify the most secure versions of components they should use, Badhwar said.
A complete understanding of the dependency graph also enables customers to generate and analyze accurate software bills of materials (SBOMs) as their applications are dynamically updated, Badhwar said. increase.
The reliance on open source software packages to create applications has increased exponentially over the last few years. An analysis of nearly 2,000 software packages published by Endor Labs found that 95% of all application vulnerabilities can be traced to transitive dependencies created when developers use open source components. can. Every time a developer downloads a third-party component, it creates functional dependencies, so it’s important to assess the level of risk created by these dependencies.
Fortunately, following a series of high-profile breaches, protecting the software supply chain has become even more important. An ongoing challenge is that most developers have little cybersecurity expertise. As a result, contributing to open source projects is relatively error-prone. The simple truth is that many applications deployed in production have many known vulnerabilities that have not yet been addressed. DroidGPT is designed to make it easy to start the process of fixing software vulnerabilities during application build and after deployment.
It will undoubtedly be many years before organizations implement a truly mature set of DevSecOps best practices to teach developers how to build more secure applications. But that journey must begin with tools that can address the underlying problems that dependencies inevitably create. Ultimately, the best way to combat application vulnerabilities is to prevent them from appearing in your code in the first place. Being able to easily update your applications with outdated versions of open source modules is critical now that cybercriminals are adept at exploiting them.
