You know that tiny robot in every sci-fi movie that repairs spaceships mid-battle? Sadly, in real life, your SCA tool just tells you what’s broken...and then wishes you luck. But what if it could actually help you fix things? At Endor Labs, we’re not in the business of just finding problems—we help fix them faster. We simulate your whole app, show you what’ll break when upgrading, and even provide low-risk fixes (or backported patches when upgrades are risky). Learn more: https://lnkd.in/gyzWcqW3 #SCA #AppSec #Cybersecurity
Endor Labs
Software Development
Palo Alto, California 10,670 followers
Secure everything your code depends on.
About us
80% of code in modern applications is code your developers didn’t write, but “borrowed” from the internet. With over 3M Open Source Software (OSS) projects, 43M versions, and 3.1T downloads yearly, development teams can gain tremendous benefits from leveraging the OSS ecosystem, as long as organizations invest in the tooling to address the security, scalability and sustainability challenges that come with it. At Endor Labs, we've created the first open source dependency lifecycle management platform to help OSS consumers select, secure and maintain dependencies effectively.
- Website: https://www.endorlabs.com/
- Industry: Software Development
- Company size: 51-200 employees
- Headquarters: Palo Alto, California
- Type: Privately Held
- Founded: 2021
- Specialties: SCA, cybersecurity, open source security, devsecops, and software supply chain security
Locations
- Primary: 125 University Ave, Ste 88, Palo Alto, California 94301, US
- Amsterdam, NL
- 477, 24th Main Rd, Parangi Palaya, 1st Sector, HSR Layout, Bengaluru, IN
Updates
-
Heading to OWASP® Foundation San Antonio this Friday? Don’t miss this session with Nate Michalov from Endor Labs. Join Nate for a conversation that goes beyond the GenAI hype. He’ll explore how AI-generated code introduces both familiar and brand-new risks for AppSec teams, and what fundamentals still hold strong in this new landscape. He'll talk inventory, risk posture, non-human agents, and how to maintain trust when the developer is… a model. 🗓️ Friday, April 11 🕚 11:00 AM – 2:30 PM CDT https://lnkd.in/g6wXFiAS #AppSec #OWASP #GenAI #SecureCoding #AIinAppSec #EndorLabs
-
Not all #RSAC events are created equal. Some are all about business cards, pitches, and standing around awkwardly clutching a drink. This one is not that. We’re partnering with the amazing folks at Oasis Security and Island to create a different kind of experience, just for women in security. Hosted at the Endor Labs Base at TRACE, this is your mid-RSAC safe haven. A space to breathe, connect, and just be. We’ll have LEGO. Board games. Creative corners. And zero expectations. Come as you are. Leave feeling recharged. 🗓️ April 30 | 🕕 6–9 PM 📍 TRACE at the W Hotel, San Francisco Register here: https://lnkd.in/g3JR2Ydy #RSAC2025 #WomenInCyber #BirdsOfAFeather #EndorLabs #AppSec
-
AI-generated code is fast, but is it secure? Vibe coding tools like Base44, Cursor, and Vercel are making it easier than ever to churn out code, but what happens when that code hits a security scanner? Join Dimitri Stiliadis & Anand Sawant as they take AI-generated code for a security test drive. Live coding, real vulnerabilities, and some hard truths about securing AI-generated apps. 📅 April 23, 2025 ⏰ 10:00 AM PT Register now! #vibecoding #AppSec #DevSecOps #cybersecurity
-
“Just upgrade the dependency” Rarely that simple. Almost never that fast. Fix Faster is a hands-on workshop for AppSec and Product Security practitioners who want to understand what devs are really dealing with: legacy codebases, transitive dependencies, breaking changes. We'll work through live Java and Python projects to see how remediation actually plays out. No product pitch. Just code, context, and a better way to partner with dev teams. 🗓️ April 28 | San Francisco | Seats limited https://lnkd.in/g7RcjfkY #AppSec #ProdSec #DevSecOps #RSAC2025 #AppSecWorkshop
-
Code is actually more predictable than natural language. That’s what makes AI-generated code so convincing. Even when it’s wrong. The structure of programming languages is repeatable. The token space is smaller. It looks like good code. But behind that clean syntax? Bugs, unvetted packages, and silent security risks. On April 23 at 10 AM PT, Dimitri Stiliadis and Anand Sawant will walk through, live, just how convincing and risky AI-generated code can be. And more importantly, what AppSec teams can do about it. Register here: https://lnkd.in/gFVShNzW #AppSec #VibeCoding #SecureCode #LLMcode #AIcode
-
Critical RCE vulnerability in Apache Parquet (CVE-2025-30065)
If you're using the Apache Parquet Java library (≤ 1.15.0), especially with parquet-avro, stop and read this.
👉 CVSS 10.0
👉 Unauthenticated remote code execution
👉 Exploitable via malicious Parquet files
👉 Root cause: unsafe class loading during Avro schema parsing (CWE-502)
An attacker can craft a Parquet file that executes code when parsed. No user interaction. No auth. Just deserialization gone wrong.
Fix: Upgrade to 1.15.1
No public exploit (yet), but now’s the time to patch. If you run Spark, Flink, or any custom Java data pipeline using Parquet/Avro, you're likely exposed.
Full writeup here: https://lnkd.in/g4j8Zw-H #CVE202530065 #ApacheParquet #JavaLibrary #AppSec
-
Endor Labs reposted this
🚨 BIG NEWS: Remitech + Endor Labs = Next-Level App Security 🚨 Let’s be honest—modern software is built on open-source, but managing its security? That’s a nightmare. Bloated SBOMs, endless alerts, and who’s actually tracking what’s running in production? That’s why we’re teaming up with Endor Labs. They don’t just scan for vulnerabilities—they cut through the noise, prioritise real risks, and help teams ship secure code without slowing down. Endor Labs is changing the game for dependency management, SBOM security, and OSS governance, and we’re excited to bring their magic to our customers. If your security team is drowning in false positives or your devs are ignoring alerts (we see you 👀), it’s time to talk. Let’s make security work for your business. 💬 DM us or drop a comment—let’s build something secure without the security theatre. #Remitech #EndorLabs #AppSecurity #DevSecOps #SBOM #OSS #SecurityWithoutTheNoise #SaaSReseller
-
When most people think of open source risks, they think of known vulnerabilities. But what happens when a package you already trust gets compromised? That’s OSS-RISK-2: Compromise of Legitimate Package. It's what happened in the recent tj-actions/changed-files supply chain attack, affecting an action used by over 23,000 repositories. Attackers didn’t need to create a malicious lookalike or find a known CVE. They took over trusted accounts, pushed malicious code, and used Git tags to quietly spread it. If the response hadn’t been so quick, the blast radius could’ve been massive. In our latest blog, Camilla Odlund breaks down:
👉 How legitimate packages get compromised
👉 Real-world examples like the XZ backdoor and tj-actions
👉 Practical ways to reduce your exposure (yes, pin your SHAs, but also a lot more)
https://lnkd.in/g-MAcsQF #AppSec #OpenSourceSecurity #SupplyChainSecurity #OWASP #SoftwareSecurity #tjactions
-
Endor Labs lightsabers in the wild. Shoutout to Brendan Hufford’s kids for reminding us what they’re really for: living room battles and lightsaber intensity we can’t teach. Got photos of your own lightsaber chaos? Send them our way! We’re logging incidents (for research purposes, of course.)
-