OSS overview

Visualize complete software security posture of your organization.

Use the widgets in OSS overview dashboard to understand various aspects of your codebase, dependencies, vulnerabilities, and overall software security posture.

Scanned by Endor Labs

Displays information on the following scan statistics across all ecosystems in the given tenant:

  • Total number of dependencies, categorized into direct and transitive dependencies
  • Total number of vulnerabilities, categorized into unreachable and other vulnerabilities
  • Total number of projects
  • Total number of packages
  • Total number of scans
  • Total number of configured notifications

Vulnerability prioritization funnel

Endor Labs’ vulnerability prioritization funnel systematically assesses and categorizes vulnerabilities based on their severity and category. The vulnerabilities are prioritized in the following order:

  • Total open vulnerabilities - Indicates the complete list of vulnerabilities detected in all the scanned projects in this tenant.
  • Not in test - Indicates the list of vulnerabilities that are present in the production code and not in the test code.
  • Fix available - Indicates the list of vulnerabilities in the production code, for which a fix is available.
  • Reachable - Indicates the list of vulnerabilities in production code, with a fix, that can be accessed or exploited. Customize the reachable findings for your organization: you can choose to see the data for reachable functions, for potentially reachable functions, or for both. See Customize finding reachability.
  • Exploitable likelihood - Indicates the list of vulnerabilities in production code, with a fix, that are reachable, and with an EPSS score greater than the specified value. See Configure baseline for EPSS score.

By applying this funnel approach, organizations can prioritize addressing the most critical, exploitable, and actionable vulnerabilities first, maximizing their security efforts.

Configure baseline for EPSS score

The EPSS scoring system estimates the probability that a vulnerability will be exploited by attackers. Customize the likelihood of exploitability by setting a baseline EPSS score.

  1. Sign in to Endor Labs and click Dashboard.
  2. Navigate to the Vulnerability Prioritization Funnel and click EPSS at the end of the funnel.
  3. In EPSS PROBABILITY, set the score recommended by your organization's application security program. For example, set it to 8. You can then prioritize your time by focusing on vulnerabilities that have an EPSS score of more than 8% and remediating them first.
  4. Click Save.

Customize finding reachability

Customize finding reachability for your organization. The data in the Vulnerability Prioritization Funnel

  1. Sign in to Endor Labs and click Dashboard.
  2. Navigate to the Vulnerability Prioritization Funnel and click Reachability.
  3. In Dashboard Configuration, select a value for FINDING REACHABILITY. You can choose Reachable Function and Potentially Reachable Function.
  4. Click Save.
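The funnel stages above, together with the EPSS baseline and finding reachability settings, as an added worked example (not Endor Labs code): each stage filters the findings that survived the previous one, the reachability setting decides which reachability values count as "Reachable", and the EPSS baseline is compared as a percentage, matching the "more than 8%" reading of a baseline of 8. The Finding shape and the sample findings are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    """One vulnerability finding as the funnel sees it (constructed shape, not the Endor Labs API)."""
    id: str
    in_test_code: bool       # True when the finding is only in test code
    fix_available: bool      # a patched version or upgrade exists
    reachability: str        # "reachable", "potentially_reachable" or "unreachable"
    epss_percent: float      # EPSS probability as a percentage (0-100)


def prioritization_funnel(findings, epss_baseline_percent=8.0,
                          reachability_modes=("reachable",)):
    """Apply the five funnel stages in order.

    reachability_modes mirrors the FINDING REACHABILITY setting: only
    "reachable" (Reachable Function), only "potentially_reachable", or both.
    Returns the count at each stage and the findings that survive the last one.
    """
    stages = {}
    current = list(findings)
    stages["Total open vulnerabilities"] = len(current)
    current = [f for f in current if not f.in_test_code]
    stages["Not in test"] = len(current)
    current = [f for f in current if f.fix_available]
    stages["Fix available"] = len(current)
    current = [f for f in current if f.reachability in reachability_modes]
    stages["Reachable"] = len(current)
    # "more than" the baseline: a finding sitting exactly on the baseline is excluded
    current = [f for f in current if f.epss_percent > epss_baseline_percent]
    stages["Exploitable likelihood"] = len(current)
    return stages, current


# Constructed sample findings covering each way a finding can drop out of the funnel.
SAMPLE_FINDINGS = [
    Finding("A", True, True, "reachable", 50.0),                # dropped: test code only
    Finding("B", False, False, "reachable", 90.0),              # dropped: no fix available
    Finding("C", False, True, "unreachable", 95.0),             # dropped: unreachable
    Finding("D", False, True, "potentially_reachable", 40.0),   # kept only when "potentially reachable" is enabled
    Finding("E", False, True, "reachable", 2.5),                # dropped: EPSS below baseline
    Finding("F", False, True, "reachable", 35.0),               # survives every stage
    Finding("G", False, True, "reachable", 8.0),                # dropped: exactly at the 8% baseline
    Finding("H", False, True, "potentially_reachable", 60.0),   # kept only when "potentially reachable" is enabled
]

if __name__ == "__main__":
    for mode in (("reachable",), ("reachable", "potentially_reachable")):
        stages, survivors = prioritization_funnel(SAMPLE_FINDINGS, 8.0, mode)
        print(mode, stages, [f.id for f in survivors])
```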

Development hours and cost saved

Visualize the hours and cost saved metrics information on the dashboard.

  • Dev Hours Saved - Development hours saved is an estimate that is calculated after reducing the number of vulnerabilities that developers must prioritize. See Customize development hours.
  • Cost Saved - Cost savings is an estimate made by multiplying the saved developer hours by the full-time equivalent (FTE) hourly cost for triaging vulnerabilities. See Customize cost baseline.

Customize baseline for development hours

Adjust the development baseline to meet your organization’s specific needs.

  1. Sign in to Endor Labs and click Dashboard.
  2. Navigate to the Dev Hours Saved and click the vertical ellipsis.
  3. Choose BASELINE and set DEV HOURS for a record on the Vulnerability Prioritization Funnel:
    • Total Open Vulnerabilities - Provide approximate development hours required to triage all open vulnerabilities. By default, the development hours saved are calculated based on this baseline and displayed on the Vulnerability Prioritization Funnel.
    • Not In Test - Provide approximate development hours required to triage vulnerabilities in production code.
    • Reachable - Provide approximate development hours required to triage accessible and most exploitable vulnerabilities.
    • Fix Available - Provide approximate development hours required to triage vulnerabilities that can be addressed with a patch or an upgrade.
  4. Click Save.

Customize baseline for cost

Tailor the cost baseline to reflect the Full-Time Equivalent cost of your organization.

  1. Sign in to Endor Labs and click Dashboard.
  2. Navigate to Cost Saved and click the vertical ellipsis.
  3. Enter an HOURLY COST and CURRENCY that applies to one full-time employee following your organization’s application security program.
  4. Click Save.

Top projects metrics

View the top project data by all findings, all vulnerabilities, reachable vulnerabilities, outdated dependencies, and unmaintained dependencies. You can identify the numbers for critical, high, medium, and low risk severity findings. Click the bar graph to view complete details.

Top packages metrics

View package data by all findings, all vulnerabilities, reachable vulnerabilities, outdated dependencies, and unmaintained dependencies. You can identify the numbers for critical, high, medium, and low risk severity findings. Click the bar graph to view complete details.

Top dependencies metrics

View dependency data by all findings, all vulnerabilities, and reachable vulnerabilities. You can identify the numbers for critical, high, medium, and low risk severity findings. Click the bar graph to view complete details.