Dashboards

Discover Endor Labs reporting and analytics dashboards.

Dashboards offer a concise and visual way to monitor the security posture of the projects in your organization. They are interactive and help you visualize how you use your projects, packages, and dependencies.

Dashboards provide the following capabilities to monitor potential threats:

  • Gain real-time insights across your code inventory through a range of system widgets that display information in the form of bar graphs.

  • Aggregate and analyze findings, vulnerabilities, and dependencies using visual metrics for a clearer understanding.

  • Monitor the most used or least used dependencies through real-time visibility and updates.

Endor Labs comes with several out-of-the-box widgets to enable teams to understand potential risks and take preventive measures.

Widgets in the Endor Labs dashboards consolidate related data of a single type, providing valuable information.

  • To visualize consolidated information on OSS vulnerabilities, see OSS overview.
  • To visualize real-time insights into key performance indicators and metrics, see Analytics.

1 - OSS overview

Visualize complete software security posture of your organization.

Use the widgets in OSS overview dashboard to understand various aspects of your codebase, dependencies, vulnerabilities, and overall software security posture.

Scanned by Endor Labs

Displays information on the following scan statistics across all ecosystems in the given tenant:

  • Total number of dependencies, categorized into direct and transitive dependencies
  • Total number of vulnerabilities, categorized into unreachable and other vulnerabilities
  • Total number of projects
  • Total number of packages
  • Total number of scans
  • Total number of configured notifications

Vulnerability prioritization funnel

Endor Labs’ vulnerability prioritization funnel systematically assesses and categorizes vulnerabilities based on their severity and category. The vulnerabilities are prioritized in the following order:

  • Total open vulnerabilities - Indicates the complete list of vulnerabilities detected in all the scanned projects in this tenant.
  • Not in test - Indicates the list of vulnerabilities that are present in the production code and not in the test code.
  • Fix available - Indicates the list of vulnerabilities in the production code, for which a fix is available.
  • Reachable - Indicates the list of vulnerabilities in production code, with a fix, that can be accessed or exploited. Customize the reachable findings for your organization: you can choose to see data for reachable functions, potentially reachable functions, or both. See Customize finding reachability.
  • Exploitable likelihood - Indicates the list of vulnerabilities in production code, with a fix, that are reachable, and with an EPSS score greater than the specified value. See Configure baseline for EPSS score.

By applying this funnel approach, organizations can prioritize addressing the most critical, exploitable, and actionable vulnerabilities first, maximizing their security efforts.

Configure baseline for EPSS score

The Exploit Prediction Scoring System (EPSS) estimates the probability that a vulnerability will be exploited in the wild. Set a baseline EPSS score to define which vulnerabilities the funnel counts as likely to be exploited.

  1. Sign in to Endor Labs and click Dashboard.
  2. Navigate to the Vulnerability Prioritization Funnel and click EPSS at the end of the funnel.
  3. In EPSS PROBABILITY, set the score recommended by your organization's application security program. For example, set it to 8. The funnel then shows only vulnerabilities with an EPSS score of more than 8%, so you can focus your time on remediating those first.
  4. Click Save.

Customize finding reachability

Customize finding reachability for your organization. The data in the Vulnerability Prioritization Funnel

  1. Sign in to Endor Labs and click Dashboard.
  2. Navigate to the Vulnerability Prioritization Funnel and click Reachability.
  3. In Dashboard Configuration, select a value for FINDING REACHABILITY. You can choose Reachable Function, Potentially Reachable Function, or both.
  4. Click Save.
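The funnel described above is a sequence of filters applied in a fixed order, with two tunable settings: the EPSS PROBABILITY baseline and the FINDING REACHABILITY selection. The following Python is an added example, not Endor Labs code, that reproduces that logic over constructed finding records so you can see how each setting changes the counts at every stage. The Finding fields (in_test_code, fix_available, reachability, epss) are assumptions for this example, not the Endor Labs data model.

```python
from dataclasses import dataclass
from typing import Iterable, List, Sequence, Tuple

# Constructed sample records for this example, not real Endor Labs data.
# The field names are assumptions, not the Endor Labs API schema.
@dataclass(frozen=True)
class Finding:
    id: str
    in_test_code: bool      # finding occurs only in test code
    fix_available: bool     # a patched version or upgrade exists
    reachability: str       # "reachable", "potentially_reachable" or "unreachable"
    epss: float             # EPSS probability, 0.0 to 1.0 (0.08 == 8%)

SAMPLE_FINDINGS = [
    Finding("F-1", in_test_code=False, fix_available=True,  reachability="reachable",             epss=0.40),
    Finding("F-2", in_test_code=True,  fix_available=True,  reachability="reachable",             epss=0.90),
    Finding("F-3", in_test_code=False, fix_available=False, reachability="reachable",             epss=0.50),
    Finding("F-4", in_test_code=False, fix_available=True,  reachability="unreachable",           epss=0.70),
    Finding("F-5", in_test_code=False, fix_available=True,  reachability="potentially_reachable", epss=0.30),
    Finding("F-6", in_test_code=False, fix_available=True,  reachability="reachable",             epss=0.02),
    Finding("F-7", in_test_code=False, fix_available=True,  reachability="reachable",             epss=0.08),
    Finding("F-8", in_test_code=True,  fix_available=False, reachability="unreachable",           epss=0.01),
]

# Stage names in funnel order, as shown on the dashboard.
STAGES = ("Total open vulnerabilities", "Not in test", "Fix available",
          "Reachable", "Exploitable likelihood")


def prioritization_funnel(
    findings: Iterable[Finding],
    epss_baseline: float = 0.08,
    reachability: Sequence[str] = ("reachable",),
) -> Tuple[dict, List[Finding]]:
    """Apply the five funnel stages in order.

    Returns (count per stage, findings that survive every stage).
    epss_baseline mirrors the EPSS PROBABILITY setting: a finding must score
    strictly above it. reachability mirrors FINDING REACHABILITY: the set of
    reachability values that count as reachable.
    """
    remaining = list(findings)
    counts = {STAGES[0]: len(remaining)}

    remaining = [f for f in remaining if not f.in_test_code]
    counts[STAGES[1]] = len(remaining)

    remaining = [f for f in remaining if f.fix_available]
    counts[STAGES[2]] = len(remaining)

    remaining = [f for f in remaining if f.reachability in reachability]
    counts[STAGES[3]] = len(remaining)

    remaining = [f for f in remaining if f.epss > epss_baseline]
    counts[STAGES[4]] = len(remaining)

    return counts, remaining


def surviving_ids(findings, **settings) -> List[str]:
    """Convenience wrapper: IDs of the findings that reach the end of the funnel."""
    _, survivors = prioritization_funnel(findings, **settings)
    return [f.id for f in survivors]


if __name__ == "__main__":
    counts, survivors = prioritization_funnel(SAMPLE_FINDINGS)
    for stage in STAGES:
        print(f"{stage:<28} {counts[stage]}")
    print("Remediate first:", [f.id for f in survivors])
```

Note that F-7 sits exactly on the 8% baseline and is dropped, because the page states the filter is "greater than" the specified value; F-5 is only counted as reachable when Potentially Reachable Function is included in the reachability setting.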

Development hours and cost saved

Visualize the hours and cost saved metrics information on the dashboard.

  • Dev Hours Saved - Development hours saved is an estimate calculated from the reduction in the number of vulnerabilities that developers must prioritize. See Customize baseline for development hours.
  • Cost Saved - Cost saved is an estimate calculated by multiplying the saved developer hours by the full-time equivalent (FTE) hourly cost of triaging vulnerabilities. See Customize baseline for cost.

Customize baseline for development hours

Adjust the development baseline to meet your organization’s specific needs.

  1. Sign in to Endor Labs and click Dashboard.
  2. Navigate to the Dev Hours Saved and click the vertical ellipsis.
  3. Choose BASELINE and set DEV HOURS for a record on the Vulnerability Prioritization Funnel:
    • Total Open Vulnerabilities - Provide approximate development hours required to triage all open vulnerabilities. By default, the development hours saved are calculated based on this baseline and displayed on the Vulnerability Prioritization Funnel.
    • Not In Test - Provide approximate development hours required to triage vulnerabilities in production code.
    • Reachable - Provide approximate development hours required to triage accessible and most exploitable vulnerabilities.
    • Fix Available - Provide approximate development hours required to triage vulnerabilities that can be addressed with a patch or an upgrade.
  4. Click Save.

Customize baseline for cost

Tailor the cost baseline to reflect the Full-Time Equivalent cost of your organization.

  1. Sign in to Endor Labs and click Dashboard.
  2. Navigate to Cost Saved and click the vertical ellipsis.
  3. Enter an HOURLY COST and CURRENCY that applies to one full-time employee following your organization’s application security program.
  4. Click Save.

Top projects metrics

View the top project data by all findings, all vulnerabilities, reachable vulnerabilities, outdated dependencies, and unmaintained dependencies. You can identify the numbers for critical, high, medium, and low risk severity findings. Click the bar graph to view complete details.

Top packages metrics

View package data by all findings, all vulnerabilities, reachable vulnerabilities, outdated dependencies, and unmaintained dependencies. You can identify the numbers for critical, high, medium, and low risk severity findings. Click the bar graph to view complete details.

Top dependencies metrics

View dependency data by all findings, all vulnerabilities, and reachable vulnerabilities. You can identify the numbers for critical, high, medium, and low risk severity findings. Click the bar graph to view complete details.

2 - Analytics

Visualize metrics on volume and efficiency of issue resolution.

Analytics dashboard offers a comprehensive view of your security metrics, tracking vulnerability trends and resolution times across projects. Use it to quickly assess risk levels, monitor progress, and identify areas needing improvement in your security posture.

Set the filters

Customize the data displayed on the Analytics dashboard by applying specific filters to focus on the most relevant information, enabling better analysis and decision-making. Adjusting the filters ensures that you can track progress and identify trends that are critical to your security and development goals. These are global filters and apply to all widgets on this dashboard.

  • Severity - Filter the data based on vulnerability severity: Critical (C), High (H), Medium (M), or Low (L).

  • Attributes - Narrow down the list based on a range of factors, such as whether a fix is available, whether the vulnerable function is reachable, whether the dependency is reachable, whether the dependency originates from the current repository or the current tenant, whether it is a test dependency or a phantom dependency, and whether the finding originates from the package itself, a direct dependency, or a transitive dependency. See Finding attributes.

  • When was the Finding first scanned - Select a time period from the available options to filter the analytics data based on when the finding was first scanned. By default, the data from the last 90 days is displayed.

Vulnerabilities snapshot

Get a quick overview of key vulnerability metrics in your projects, helping you monitor newly identified and resolved vulnerabilities, as well as the time it takes to address them. Here’s what each metric represents:

  • Newly Discovered: The number of vulnerabilities recently identified across your projects. This count indicates areas that may need attention or remediation.
  • Resolved: The number of vulnerabilities that have been fixed or mitigated recently, reflecting progress in securing your projects.
  • Average Time to Resolve: The average time, in days, taken to resolve a vulnerability once it is discovered. A lower number indicates faster responses to security issues.
  • Minimum Time to Resolve: The shortest time it took to resolve a vulnerability in the current tracking period, providing insight into how quickly issues can be addressed.
  • Maximum Time to Resolve: The longest time it took to resolve a vulnerability, showing the upper range for resolution times and highlighting areas where responses might need improvement.

These metrics help track security effectiveness over time and identify trends in vulnerability resolution within your projects.

Vulnerabilities over time

Track the number of detected vulnerabilities across your projects over a specified period. This view helps you analyze trends in vulnerability discovery and resolution, showing whether security issues are increasing, decreasing, or remaining steady over time.

Average time for issues resolved

The Average Time for Issues Resolved chart displays the average number of days taken to resolve issues over a given period. This metric helps assess response efficiency, highlighting how quickly security and other issues are addressed on average, and can indicate improvements or delays in issue resolution processes.

New open vulnerabilities approaching SLA

The New Open Vulnerabilities Approaching SLA chart shows vulnerabilities that are close to missing their resolution deadlines, with less than 24 hours remaining. This allows you to prioritize issues and take immediate action to resolve them before the SLA is missed. To define or adjust SLA for different vulnerability severities, see Set SLA for vulnerabilities.

Set SLA for vulnerabilities

Follow these steps to define Service Level Agreements (SLA) for vulnerabilities based on severity levels—Critical, High, Medium, and Low:

  1. Sign in to Endor Labs and navigate to Dashboard on the left sidebar.
  2. Select ANALYTICS.
  3. Scroll down to the New Open Vulnerabilities Approaching SLA and select a severity level to set the SLA for it. The default SLA durations by severity are:
    • Critical - 30 Days
    • High - 30 Days
    • Medium - 90 Days
    • Low - 180 Days
  4. In SLA DURATION, set a duration in days for the selected severity level.
  5. Click Reset to restore the SLA to its default duration.
  6. Click Save.
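The Vulnerabilities snapshot metrics and the approaching-SLA chart are both derived from the same two timestamps per vulnerability: when it was first scanned and when it was resolved. The following Python is an added example, not Endor Labs code, that computes both over constructed records, using the default SLA durations listed above (Critical 30, High 30, Medium 90, Low 180 days) and the 24-hour "approaching" window from the chart description. The Vulnerability fields, the fixed reference time NOW, and the 90-day snapshot period are assumptions for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Default SLA durations in days per severity, as listed on the page.
DEFAULT_SLA_DAYS = {"critical": 30, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Vulnerability:
    id: str
    severity: str                            # "critical", "high", "medium" or "low"
    first_scanned: datetime
    resolved_at: Optional[datetime] = None   # None while the vulnerability is still open


# Constructed reference time and sample records for this example, not real data.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)

SAMPLE = [
    Vulnerability("V-1", "critical", NOW - timedelta(days=29, hours=12)),                 # due in 12 h
    Vulnerability("V-2", "high",     NOW - timedelta(days=28)),                           # due in 2 days
    Vulnerability("V-3", "medium",   NOW - timedelta(days=91)),                           # SLA already missed
    Vulnerability("V-4", "low",      NOW - timedelta(days=179, hours=20)),                # due in 4 h
    Vulnerability("V-5", "critical", NOW - timedelta(days=40), NOW - timedelta(days=30)), # resolved in 10 days
    Vulnerability("V-6", "high",     NOW - timedelta(days=20), NOW - timedelta(days=17)), # resolved in 3 days
    Vulnerability("V-7", "medium",   NOW - timedelta(days=60), NOW - timedelta(days=40)), # resolved in 20 days
]


def sla_deadline(v: Vulnerability, sla_days: Dict[str, int] = DEFAULT_SLA_DAYS) -> datetime:
    """The SLA clock starts when the finding is first scanned."""
    return v.first_scanned + timedelta(days=sla_days[v.severity])


def approaching_sla(vulns, now: datetime, window: timedelta = timedelta(hours=24),
                    sla_days: Dict[str, int] = DEFAULT_SLA_DAYS) -> List[Tuple[str, timedelta]]:
    """Open vulnerabilities whose deadline is less than `window` away and not yet missed.

    Returned most urgent first as (id, time remaining).
    """
    result = []
    for v in vulns:
        if v.resolved_at is not None:
            continue
        remaining = sla_deadline(v, sla_days) - now
        if timedelta(0) <= remaining < window:
            result.append((v.id, remaining))
    return sorted(result, key=lambda item: item[1])


def missed_sla(vulns, now: datetime, sla_days: Dict[str, int] = DEFAULT_SLA_DAYS) -> List[str]:
    """Open vulnerabilities whose deadline has already passed (no longer 'approaching')."""
    return [v.id for v in vulns if v.resolved_at is None and sla_deadline(v, sla_days) < now]


def vulnerability_snapshot(vulns, now: datetime, period: timedelta = timedelta(days=90)) -> dict:
    """Newly discovered / resolved counts and avg, min, max time to resolve (in days)
    for vulnerabilities first scanned or resolved within `period` of `now`."""
    window_start = now - period
    newly = sum(1 for v in vulns if v.first_scanned >= window_start)
    days = [(v.resolved_at - v.first_scanned).total_seconds() / 86400
            for v in vulns if v.resolved_at is not None and v.resolved_at >= window_start]
    if not days:
        return {"newly_discovered": newly, "resolved": 0,
                "avg_days": None, "min_days": None, "max_days": None}
    return {"newly_discovered": newly, "resolved": len(days),
            "avg_days": sum(days) / len(days), "min_days": min(days), "max_days": max(days)}


if __name__ == "__main__":
    print("Snapshot:", vulnerability_snapshot(SAMPLE, NOW))
    print("Approaching SLA:", approaching_sla(SAMPLE, NOW))
    print("Missed SLA:", missed_sla(SAMPLE, NOW))
```

V-3 illustrates why the chart only counts vulnerabilities with time remaining: once the deadline has passed it belongs in a missed-SLA view, not an approaching one. Raising the Medium SLA by one day (as the SLA DURATION setting lets you do) puts its deadline exactly at NOW, which the inclusive lower bound still counts as approaching with zero time left.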

Outdated dependencies trend

This chart tracks the number of outdated dependencies in your projects over time. It helps you monitor the progress of updating libraries and frameworks, providing insights into how many dependencies are no longer up-to-date. By identifying trends, you can prioritize updating critical dependencies, reduce security risks, and ensure your projects remain current with the latest versions.

Unmaintained dependencies trend

This chart shows the number of dependencies in your projects that are no longer actively maintained over time. This helps you track the accumulation of unsupported libraries and frameworks, which may pose security and compatibility risks. By monitoring this trend, you can take proactive steps to replace or update unmaintained dependencies, ensuring the stability and security of your projects.

Unused dependencies trend

This chart tracks the number of dependencies in your projects that are no longer in use over time. This helps identify redundant libraries or packages that can be safely removed, reducing the overall project size and improving performance. By monitoring this trend, you can streamline your codebase and reduce potential security risks from unnecessary dependencies.