
Backstage and Endor Labs: AppSec in a Dev’s Dream Workspace

The Endor Labs plugins for Backstage create an application security experience that doesn’t require developers to leave Backstage.

Written by
David Archer
Published on
June 18, 2024

We’re excited to share that Endor Labs has developed a set of Backstage plugins that bring Software Supply Chain Security risk management to this thriving ecosystem!

Similar to our integration with GitHub Advanced Security, our Backstage plugins make it possible to address risks from within the developer workflow, eliminating painful context switching and security noise. With the plugin, you can create an application security experience that doesn’t require developers to leave Backstage.

From the Backstage dashboard, users can get a comprehensive scorecard of all supply chain risks associated with your projects, including:

  • Project Summary Integration: Fetch and display a summary of vulnerability findings related to your project from Endor Labs.
  • Interactive Charts: View vulnerability levels (Critical, High, Medium, Low) and interact with them to see detailed filtered results.
  • Status Accordions: See detailed panels for categories such as CI/CD, Malware, License Risk, Operational Risk, Secrets, and RSPM (Repository Security Posture Management). The plugin summarises findings by category, but note that a single finding can belong to more than one category, so category counts are not additive.
  • Dynamic Link Generation: Generate URLs dynamically to access detailed vulnerability reports based on the filters applied.

Three Use Cases for Endor Labs Backstage Plugins

By integrating Endor Labs into Backstage, teams can proactively identify and mitigate risks, ensuring that their codebase remains secure and compliant across three key use cases:

  • Open source dependencies and reachability analysis
  • Potential malware and misconfigurations
  • CI/CD security and operational risk

Open Source Dependencies and Reachability

One of the most significant risks in modern software development is the use of OSS application and container image dependencies. While these dependencies accelerate development, they can also introduce vulnerabilities. The Endor Labs Template Plugin surfaces data from Endor Labs that alerts you to OSS vulnerabilities in direct or transitive dependencies which are actually reachable from your code. This reachability analysis helps prioritize vulnerabilities that could have the most impact, allowing teams to focus their remediation efforts more effectively.

Potential Malware and Misconfigurations

The plugin also scans for potential malware embedded within your dependencies. With the rise of supply chain attacks, ensuring that your dependencies are free from malicious code is more critical than ever. Additionally, it checks for misconfigurations in your SCM tools, which can lead to security breaches if left unaddressed. By highlighting these issues, the plugin helps maintain a robust security posture.

CI/CD Security and Operational Risks

CI/CD pipelines are often targets for attackers due to their critical role in the development process. The Endor Labs Template Plugin identifies security risks within your GitHub workflows and actions, helping ensure that your pipelines are secure end to end. Furthermore, it evaluates operational risks such as unmaintained dependencies and license issues, providing a comprehensive overview of potential legal and maintenance challenges.

A Primer on Backstage

Backstage is well-known in development circles but if you’re in AppSec, it might not be familiar. In this section we’ll give you a quick primer on the value of Backstage so you can understand why your developers love it.

In the fast-paced world of software development, having all your tools and information in one centralized location can make a world of difference. Enter Backstage, a popular open source (OSS) platform created by Spotify that is revolutionizing the way development teams operate. Backstage provides a unified portal where developers can find everything they need, from component relationships and performance metrics to comprehensive documentation, all in one place. This centralized approach not only enhances productivity but also ensures that everyone on the team is on the same page, fostering better collaboration and more efficient workflows. Developers love it so much that it has even had the effect of reducing attrition at Spotify! 

Backstage Solves the Information Overload Problem

Modern teams struggle with information overload, having to juggle multiple tools, repositories, and documents. Backstage addresses this issue head-on by consolidating all relevant information into a single, easy-to-navigate interface. Imagine having instant access to the relationships between various components of your application, detailed performance analytics, and all the necessary documentation right at your fingertips. This level of integration ensures that developers spend less time searching for information and more time writing code.

Backstage Visualises Security and Reduces Context Switching

One of the standout features of Backstage is its ability to integrate security seamlessly into the development process. Traditionally, security checks and audits have been siloed in other systems, leading to frequent context switching and disruptions. Backstage mitigates this by enabling security issues to be directly visible within the platform, allowing developers to stay in their flow. By reducing the need to switch between different applications, Backstage helps maintain a smooth and uninterrupted workflow, ultimately enhancing productivity and code quality.

Backstage is a Pluggable Platform: Customization at Its Best

Backstage’s pluggable architecture is another key advantage, offering unparalleled flexibility and customization. Teams can tailor the platform to meet their specific needs by adding backend and frontend plugins. Backend plugins typically handle data processing and integrations with external systems, while frontend plugins focus on enhancing the user interface and user experience. This modular approach means that Backstage can grow and evolve alongside your team, adapting to new requirements and technologies as they emerge.

Backstage’s plugin ecosystem is vast and diverse, supporting a wide array of integrations that enhance its functionality. Here are three notable examples:

  • Kubernetes Plugin: Allows developers to manage and monitor Kubernetes clusters directly from Backstage. The plugin provides insights into cluster health, resource utilization, and can even trigger deployments.
  • GitHub Plugin: For teams using GitHub for version control, the GitHub plugin is a must-have. It provides an interface to view repository information, pull requests, issues, and more, all within Backstage. This integration reduces the need to switch between Backstage and GitHub, streamlining the development workflow.
  • PagerDuty Plugin: Incident management is crucial for maintaining service reliability. The PagerDuty plugin allows teams to manage on-call schedules, alerts, and incidents directly from Backstage. This integration ensures that incident response is swift and well-coordinated, minimizing downtime and impact on users.

Try Endor Labs with Backstage

New to Backstage? We encourage you to explore Backstage and experience firsthand how it can transform your development workflow. Visit the Backstage GitHub repository to get started.

Already a Backstage Shop? Find instructions on how to use the Endor Labs plugin over at our repo. Try it out and let us know what you think. We’re eager to hear your feedback and continue improving the plugin to meet your needs!

Endor Labs is available for a full-featured, 30-day trial — no credit card required!
