Code and pipeline governance startup Endor Labs Inc. said today it has closed on a big funding round, reeling in $70 million in an early-stage round led by Lightspeed Venture Partners.

Coatue, Dell Technologies Capital, Section 32 and more than 30 industry-leading executives also took part in the Series A round, which comes just 10 months after the startup launched.

Endor Labs is focused on enabling better code security and making developers more productive. As the company explains, developers typically spend around half of their time investigating endless security alerts or integrating and maintaining security tools in their continuous integration and delivery or CI/CD pipelines. They’re also constantly having to negotiate priorities and exceptions with security teams.

Because more than 90% of the code used to build modern applications is derived from open-source software, Endor Labs decided it was best to build the foundation of its platform on OSS governance. Its focus is on helping teams choose and maintain secure, high-quality open-source software, and by doing so it says it can reduce the vulnerability noise by around 80%.

It does this by pinpointing only the most reachable and exploitable risks that would truly impact a company’s operations. The key to this is Endor Labs’ Dependency Lifecycle Management Platform, which performs deep analytics into every OSS dependency to help developers monitor and maintain them at large scale, aiding better decision-making.

Endor Labs founder and Chief Executive Varun Badhwar told SiliconANGLE that most organizations only use 12% of the open-source software they import, yet they continue to waste time looking for vulnerabilities in the entire code base, despite not using most of it. “This is why Endor Labs chose to build its foundation on prioritizing risks in the open source software supply chain,” he explained.

The company helps developers identify safer and more sustainable dependencies by examining metrics across security, quality, popularity and activity. The selection data is visually presented right in the IDE as developers pull in software packages, and enables security teams to automate governance policies and streamline the selection process even further.

“Our Code and Pipeline Governance Platform goes beyond known vulnerabilities to give security teams a way to measure both security and operational risk,” Badhwar said. “Thanks to a deep understanding of dependency usage across repositories, security professionals can prioritize vulnerabilities that are actually reachable and exploitable and detect next-generation supply chain attacks.”

Badhwar said that’s achieved through Endor Lab’s extensive efforts in program and reachability analysis, which is the process of understanding how application code behaves and creating a call graph, or a map of the various paths between parts of the application.

“We use these call graphs, which are generated without any runtime agents, to show customers whether or not a vulnerability is actually reachable,” the CEO explained. “This way they can prioritize not only based on severity, but also based on the real impact of the risk. A critical vulnerability that can’t be invoked can perhaps be de-prioritized compared to a high severity vulnerability that can be exploited.”

Endor says this unique approach helps to reduce the cognitive load on developers that comes from implementing disparate security controls. It helps them to focus on the issues that matter, and this helps to explain why its platform is proving so popular with developers. Without citing any numbers, the company said it has witnessed strong growth since its launch 10 months ago. In addition, its recognition as a “Cool Vendor” by Gartner Inc. is a strong validation of its security model, the company said.

Badhwar said the funds from today’s round will help it to build on its current momentum and expand into other areas of code and software pipeline security. “It will go toward deepening our existing capabilities and extending to other areas of the software development lifecycle, where AppSec can help developers ship secure code without a productivity tax,” he explained. “We will also be continuing our investment in the channel and expanding our go-to-market initiatives globally.”

Lightspeed partner Arif Janmohamed hailed the startup’s founding team as “outstanding entrepreneurs” and said he’s ready to back them at every step. “Varun and team are not only addressing a massive, unmet need in the application security world, but are laying the foundation for an enduring company in a fast-growing market,” he said.

Image: Freepik