Securing Everything from 40-Year-Old C++ to GenAI Code with Varun Badhwar, CEO of Endor Labs - Modern CTO Recap

Podcast: Modern CTO

Published: 2025-10-13

Duration: 49 min

Summary

In this episode, Varun Badhwar discusses the founding of Endor Labs, driven by the need to address vulnerabilities in software supply chains highlighted by incidents like SolarWinds. He shares insights into how traditional code scanning methods fail and how Endor's innovative approach leverages a call graph mechanism to enhance software security.

What Happened

Varun Badhwar, CEO of Endor Labs, reflects on his experience leading a large engineering team during the SolarWinds incident in 2021, which spurred concerns about software supply chain security. He emphasizes that software development often resembles assembly rather than creation, with 80-90% of code originating from open source, much of which remains unvetted. This reality led to a backlog of alerts from traditional scanning tools, many of which are inaccurate, causing inefficiencies in developer workflows and increasing the so-called 'developer productivity tax.'

Badhwar highlights the need for a new approach to software security that focuses on the actual code being used within applications rather than relying solely on manifest files. He explains that traditional vulnerability scanning tools assume all declared libraries in a manifest affect the application, which is often not the case. By employing a new mechanism that builds a call graph of the application, Endor Labs can provide insights into which lines of code are actually used and impacted by vulnerabilities, significantly reducing false positives and improving developer efficiency.

To solve these issues, Badhwar and his co-founder assembled a team of experts in program analysis to create a technology that allows for rapid analysis of code and vulnerabilities. They developed a method to quickly connect first-party code with pre-computed call graphs of open source libraries, enabling customers to gain full visibility of their applications. The episode concludes with Badhwar detailing the Herculean effort to annotate vulnerabilities down to specific lines of code, showcasing Endor Labs' commitment to providing actionable solutions in the complex landscape of software security.

Key Questions Answered

What triggered Varun Badhwar to found Endor Labs?

Varun Badhwar founded Endor Labs in response to the SolarWinds incident in 2021, which raised significant concerns about software supply chain security. As he was leading a large engineering team at the time, the incident prompted his board to question their existing security measures. This led to a realization that software development practices were flawed, as much of the code was sourced from unvetted open source libraries, resulting in a high number of false alerts from existing scanning tools.

How does Endor Labs differentiate itself from traditional security tools?

Endor Labs differentiates itself by focusing on the actual code being executed rather than solely relying on the manifest files that developers provide. Traditional tools assume that any declared library in a manifest affects the application, which is often incorrect. By constructing a call graph of applications, Endor Labs can identify which lines of code are truly in use and affected by vulnerabilities, thus filtering out unnecessary alerts and providing more accurate insights.

What is the significance of the term 'developer productivity tax'?

The term 'developer productivity tax' refers to the inefficiencies and frustrations developers face due to overwhelming alerts from traditional security scanning tools. Badhwar explains that developers are often held accountable for potential vulnerabilities, leading to a situation where they must prove their code's innocence. This not only hampers productivity but also distracts from addressing real security risks, highlighting the need for a more efficient and accurate approach to vulnerability management.

What are the challenges associated with code dependencies in software development?

Badhwar notes that modern software often includes numerous open source libraries, which in turn bring a complex web of transitive dependencies. On average, a single direct dependency can introduce 77 additional dependencies, many of which may go unused. This complexity makes it difficult for developers to manage vulnerabilities effectively, particularly when traditional tools fail to account for the actual usage of code within applications. Endor Labs aims to simplify this by providing clarity on what code is truly relevant.

How does Endor Labs utilize call graphs to enhance security?

Endor Labs utilizes call graphs to trace every path from first-party code into dependencies, rather than just cataloging which libraries are included. This allows them to determine precisely which methods and lines of code are used within those libraries. By overlaying this information with vulnerability databases, they can provide actionable insights, helping organizations understand not only which vulnerabilities exist but also how to address them effectively within the context of their applications.
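As an added illustration of the reachability idea described above (this is not Endor Labs' code; the call graph, package names and advisory ids below are constructed), the script walks a small call graph from a first-party entry point, checks whether each advisory's vulnerable functions are actually reachable, and returns the call path a developer would have to change, so advisories against unused code never reach the backlog:

```python
from collections import deque

# Constructed call graph (caller -> callees). "app.*" is first-party code; the
# other nodes stand in for pre-computed call graphs of open source packages.
CALL_GRAPH = {
    "app.main": ["app.handle_upload", "app.render_report"],
    "app.handle_upload": ["imgkit.decode", "yamlkit.safe_load"],
    "app.render_report": ["templ.render"],
    "imgkit.decode": ["imgkit.parse_header", "zlibx.inflate"],
    "yamlkit.safe_load": ["yamlkit.parse"],
    # yamlkit.load ships in the package but is never called by the app.
    "yamlkit.load": ["yamlkit.parse", "yamlkit.construct_object"],
}

# Constructed advisories, each annotated down to the functions that carry the flaw.
ADVISORIES = [
    {"id": "ADV-0001", "package": "yamlkit", "functions": ["yamlkit.construct_object"]},
    {"id": "ADV-0002", "package": "imgkit", "functions": ["imgkit.parse_header"]},
    {"id": "ADV-0003", "package": "templ", "functions": ["templ.escape"]},
]

def trace_path(graph, roots, target):
    """Shortest call path from any root into `target`, or None if unreachable."""
    parent = {root: None for root in roots}
    queue = deque(roots)
    while queue:
        fn = queue.popleft()
        if fn == target:
            path = []
            while fn is not None:
                path.append(fn)
                fn = parent[fn]
            return path[::-1]
        for callee in graph.get(fn, []):  # leaf functions have no entry
            if callee not in parent:
                parent[callee] = fn
                queue.append(callee)
    return None

def triage(graph, advisories, roots):
    """Keep advisories whose vulnerable function is reachable (with its path); shelve the rest."""
    reachable, unreachable = {}, []
    for adv in advisories:
        paths = [p for p in (trace_path(graph, roots, f) for f in adv["functions"]) if p]
        if paths:
            reachable[adv["id"]] = paths[0]
        else:
            unreachable.append(adv["id"])
    return reachable, unreachable
```

Calling `triage(CALL_GRAPH, ADVISORIES, ["app.main"])` reports only ADV-0002 as actionable, with the path from `app.main` down to `imgkit.parse_header`; the other two advisories concern functions the application never calls.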