Starburst Gets 98.3% Noise Reduction with Endor Labs
Starburst is an open data lakehouse built on Trino with industry-leading price-performance for cloud and on-premises. They replaced Rezillion with Endor Labs for SCA and improved their ability to identify and prioritize open source while complementing the developer experience.
- Best-of-breed data lakehouse
- Category leader on G2
Starburst is a data lakehouse that is solving a painful problem: organizations have tons of data that is not easily usable by employees. With Starburst, teams can self-serve using their preferred analytics tools to query the data lake, with no need to wait for a central team to unlock it. And whether Starburst runs on-prem or in the cloud, a secure product is of utmost importance when it concerns data. Customers regularly scan Starburst for risks, at which point they engage with the Security Engineering and GRC team to understand the findings. When it came to open source dependencies, customers wanted to understand the rationale behind false positives and be assured that Starburst had evaluated risk on all dependencies, both direct and transitive.
Unfortunately, the team’s software composition analysis (SCA) tool, Rezillion, wasn’t meeting expectations and made it difficult to have conversations with customers. The team encountered three problems:
- No data to support false positive determinations: The tool flagged findings as false positives, but didn’t provide the rationale so the team had to do manual research or waste time remediating vulnerabilities that might not matter.
- Insufficient support for transitive dependencies: The tool wasn’t providing a full inventory of transitive dependencies (those not explicitly chosen by the developers) so customers could discover vulnerabilities in dependencies the team didn’t know existed.
- No pre-deployment scanning: When problems were discovered, it was always after the application deployed, making it more difficult and time-consuming to trace vulnerabilities back to the source.
Endor Labs is doing reachability analysis on transitive dependencies, which is really important to us and a huge deciding factor in our comparison to another vendor that didn't have it.
- Alex Olea, DevSecOps Engineer at Starburst
The Starburst team sought an SCA tool that could find and prioritize risks accurately while fitting into their existing workflows.
They had three main requirements:
- Developer experience: One good thing about Rezillion was that it was easy to use, so it trained our developers to have a good attitude towards an SCA tool, and therefore use it! Our new SCA tool needed to continue prioritizing developer experience to ensure adoption and effectiveness.
- Function-level reachability analysis: This type of reachability is the most accurate way to determine whether a vulnerability is exploitable. We would use this to deprioritize false positives, giving us confidence that the tool is giving accurate and justifiable results. The tool we selected had to support reachability for all types of dependencies (direct and transitive) and also support our main languages (Java, TypeScript, and C#).
- Pre-deployment scanning and preventative controls: Being able to scan at pre-deployment will let us catch problems at the time of build, before they get into production and cost us even more time. And with preventative controls, we can block really risky dependencies from ever being selected.
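To make the two technical requirements above concrete, here is a small added example (not Endor Labs code, and not a description of how their analysis works internally) of what function-level reachability triage over direct and transitive dependencies looks like, together with the kind of pre-deployment gate the team wanted. Every package, function and advisory name in it is constructed for the demonstration. A vulnerability is only prioritized if some path of calls leads from the application's entry points to the vulnerable function, and each verdict carries its evidence, the call path or the absence of one, which is exactly the rationale the team needed when customers asked why a finding was a false positive.

```python
"""Toy function-level reachability triage over a dependency call graph.

Illustrative example added to this page; it is not Endor Labs code.  It models
the idea the page describes: a vulnerable function in a dependency (direct or
transitive) is prioritized only if application code can actually reach it, and
every verdict carries the evidence (a call path, or the lack of one).
All package, function and advisory names below are constructed for the demo.
"""
from collections import deque

# Constructed call graph: caller -> callees, qualified as "package:function".
CALL_GRAPH = {
    "app:main": {"app:load_config", "app:query"},
    "app:load_config": {"yamlish:safe_load"},         # app -> direct dependency
    "app:query": {"trino-client:execute"},            # app -> direct dependency
    "trino-client:execute": {"httplib:request"},      # direct -> transitive
    "httplib:request": {"httplib:parse_headers"},
    "httplib:parse_headers": set(),
    "httplib:legacy_redirect": set(),                 # shipped, never called
    "yamlish:safe_load": {"yamlish:parse"},
    "yamlish:parse": set(),
    "yamlish:load": {"yamlish:construct_object"},     # unsafe API the app avoids
    "yamlish:construct_object": set(),
}

# Constructed advisories: id -> (package, vulnerable function, severity).
ADVISORIES = {
    "ADV-0001": ("yamlish", "yamlish:construct_object", "critical"),
    "ADV-0002": ("httplib", "httplib:parse_headers", "high"),
    "ADV-0003": ("httplib", "httplib:legacy_redirect", "high"),
}

ENTRY_POINTS = ["app:main"]
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def package_of(fn):
    return fn.split(":", 1)[0]


def shortest_paths(graph, roots):
    """BFS from the entry points; returns {function: call path from a root}."""
    paths = {root: [root] for root in roots}
    queue = deque(roots)
    while queue:
        fn = queue.popleft()
        for callee in graph.get(fn, ()):
            if callee not in paths:
                paths[callee] = paths[fn] + [callee]
                queue.append(callee)
    return paths


def classify_packages(graph, roots, app_pkg="app"):
    """Label each reachable package 'direct' (called from app code) or 'transitive'."""
    direct = {package_of(callee)
              for caller, callees in graph.items() if package_of(caller) == app_pkg
              for callee in callees}
    kinds = {}
    for fn in shortest_paths(graph, roots):
        pkg = package_of(fn)
        if pkg != app_pkg:
            kinds[pkg] = "direct" if pkg in direct else "transitive"
    return kinds


def triage(graph, advisories, roots, app_pkg="app"):
    """Decide reachable/unreachable per advisory and attach the evidence."""
    paths = shortest_paths(graph, roots)
    kinds = classify_packages(graph, roots, app_pkg)
    verdicts = {}
    for adv_id, (pkg, vuln_fn, severity) in advisories.items():
        reachable = vuln_fn in paths
        verdicts[adv_id] = {
            "reachable": reachable,
            "severity": severity,
            "dependency": kinds.get(pkg, "not loaded"),
            "evidence": " -> ".join(paths[vuln_fn]) if reachable
                        else "no call path from %s" % ", ".join(roots),
        }
    return verdicts


def noise_reduction(verdicts):
    """Share of findings deprioritized because no application code reaches them."""
    unreachable = sum(1 for v in verdicts.values() if not v["reachable"])
    return round(100.0 * unreachable / len(verdicts), 1)


def should_block_build(verdicts, min_severity="high"):
    """Pre-deployment gate: fail on any *reachable* finding at or above the bar."""
    bar = SEVERITY_RANK[min_severity]
    return [adv for adv, v in verdicts.items()
            if v["reachable"] and SEVERITY_RANK[v["severity"]] >= bar]


if __name__ == "__main__":
    verdicts = triage(CALL_GRAPH, ADVISORIES, ENTRY_POINTS)
    for adv_id, v in verdicts.items():
        print(adv_id, v)
    print("noise reduction: %.1f%%" % noise_reduction(verdicts))
    print("blocking findings:", should_block_build(verdicts))
```

On this constructed input the critical advisory in the direct dependency is deprioritized because the application only ever calls the package's safe API, while the high advisory in the transitive `httplib` package is the one that blocks the build, with the full call path from `app:main` as justification. Real tools build the call graph from compiled code or bytecode rather than a hand-written table, but the decision rule is the same.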
The team chose Endor Labs because all their requirements were satisfied and the team was a pleasure to work with.
Implementing Endor Labs is easy. I had exactly what I needed between the docs, CLI tool, a GitHub Action, and a GitHub app, all readily available.
- Alex Olea, DevSecOps Engineer at Starburst
Today, Starburst can focus on evolving their product and platform. With Endor Labs, they get:
- Best-of-Breed Reachability: Endor Labs performs function-level reachability analysis, so we now have confidence in the accuracy of findings: No more manual research. This resulted in a 98.3% noise reduction and faster turnaround times on customer queries.
- Transitive Dependencies: This is a subset of reachability, but because most SCA tools can’t perform reachability analysis on transitive dependencies, this gets called out separately. Endor Labs offers it at the same level as direct dependencies, and for our required languages, ensuring we get accurate dependency inventories and risk assessment.
- Expertise and Support: The team takes pride in what they do and can talk extensively about SCA. This is also evident in Endor Labs’s blog posts and published articles. They’re always willing to answer questions and help me understand how to get the most out of the product.
Endor Labs is providing a 98.3% noise reduction on our SCA findings.
- Alex Olea, DevSecOps Engineer at Starburst