Endor Labs Announces Upgrade Impact Analysis and Endor Magic Patches
August 07, 2024

Endor Labs unveiled two capabilities, Upgrade Impact Analysis and Endor Magic Patches.

AppSec teams now get intel about how difficult a given upgrade can be, including what could break. This makes it easy to have conversations with Engineering about scoping security fixes and setting service-level agreements (SLAs). And when the evidence indicates the cost of upgrading will be too high, such as in the case of a foundational package that could take months or years to upgrade, teams can choose to immediately mitigate the vulnerability with a backported security patch maintained by Endor Labs.

Marcelo Oliveira, VP of Product Management at Endor Labs, said: “One of the best characteristics of OSS is the degree of constant improvement—there’s a regular flow of upgrades to just about every package. However, the merits can often be outweighed by the dangers. With these new capabilities, teams can clear this hurdle by sharply reducing the work required to understand the impact of dependency upgrades, and stay safe when the risk of upgrades is too high. It’s always been our mission to make security less of a burden on software engineers, and with this launch we continue to help security teams become better partners.”

Endor Labs uses program analysis at the time of build to see exactly which third-party dependencies are used and how they interact with the application code. A deep understanding of the application is what makes it possible to get an accurate software inventory, eliminate noise based on reachability, and accurately predict breaking changes.

Upgrade Impact Analysis: By extending the program analysis engine to identify unintended consequences such as breaking changes to an application, AppSec teams can manage risk in the context of difficulty. Because they understand how various fix options will impact the application, they can:

- Improve Return on Investment of Remediation Efforts: Identify which upgrades can have the highest security impact in conjunction with the effort it takes

- Give Time Back to Developers: Reduce the need for manual research by providing developers with a prioritized list of upgrades ranked by complexity and impact

- Address Risks Faster: Make informed estimations of fix efforts with standardized research so they can quickly implement low effort/low risk fixes and make prioritization decisions for complex fixes.

Endor Magic Patches eliminate the hassle of hard-to-perform upgrades by providing security patches that are backported to the vulnerable version. The source code, patches, test, build and deploy steps are available to inspect, and the builds are completely reproducible and hermetic. AppSec teams can:

- Respond to Emerging Threats: Be ready for the next Spring4Shell with peace of mind that they can obtain a patch to ensure the organization stays safe while the team works to upgrade dependencies

- Balance Developer Workloads: Reduce the urgency of upgrading so developers can focus on releasing their planned features without unexpected delays

- Support FedRAMP Compliance: Mitigate vulnerability risk to protect sensitive information in alignment with government requirements.

Share this

Industry News

May 28, 2025

Check Point® Software Technologies Ltd.(link is external) announced the launch of its next generation Quantum(link is external) Smart-1 Management Appliances, delivering 2X increase in managed gateways and up to 70% higher log rate, with AI-powered security tools designed to meet the demands of hybrid enterprises.

May 28, 2025

Salesforce and Informatica have entered into an agreement for Salesforce to acquire Informatica.

May 28, 2025

Red Hat and Google Cloud announced an expanded collaboration to advance AI for enterprise applications by uniting Red Hat’s open source technologies with Google Cloud’s purpose-built infrastructure and Google’s family of open models, Gemma.

May 28, 2025

Mirantis announced Mirantis k0rdent Enterprise and Mirantis k0rdent Virtualization, unifying infrastructure for AI, containerized, and VM-based workloads through a Kubernetes-native model, streamlining operations for high-performance AI pipelines, modern microservices, and legacy applications alike.

May 28, 2025

Snyk launched the Snyk AI Trust Platform, an AI-native agentic platform specifically built to secure and govern software development in the AI Era.

May 28, 2025

Bit Cloud announced the general availability of Hope AI, its new AI-powered development agent that enables professional developers and organizations to build, share, deploy, and maintain complex applications using natural language prompts, specifications and design files.

May 27, 2025

AI-fueled attacks and hyperconnected IT environments have made threat exposure one of the most urgent cybersecurity challenges facing enterprises today. In response, Check Point® Software Technologies Ltd.(link is external) announced a definitive agreement to acquire Veriti Cybersecurity, the first fully automated, multi-vendor pre-emptive threat exposure and mitigation platform.

May 27, 2025

LambdaTest announced the launch of its Automation MCP Server, a solution designed to simplify and accelerate the process of triaging test failures.

May 27, 2025

DefectDojo announced the launch of their next-gen Security Operations Center (SOC) capabilities for DefectDojo Pro, which provides both SOC and AppSec professionals a unified platform for noise reduction and prioritization of SOC alerts and AppSec findings.

May 22, 2025

Red Hat announced enhanced features to manage Red Hat Enterprise Linux.

May 22, 2025

StackHawk has taken on $12 Million in additional funding from Sapphire and Costanoa Ventures to help security teams keep up with the pace of AI-driven development.

May 21, 2025

Red Hat announced jointly-engineered, integrated and supported images for Red Hat Enterprise Linux across Amazon Web Services (AWS), Google Cloud and Microsoft Azure.

May 21, 2025

Komodor announced the integration of the Komodor platform with Internal Developer Portals (IDPs), starting with built-in support for Backstage and Port.

May 21, 2025

Operant AI announced Woodpecker, an open-source, automated red teaming engine, that will make advanced security testing accessible to organizations of all sizes.