Tidelift has added new capabilities to its Tidelift Subscription. The newly expanded package allows organizations to assess the security of open-source software. Thanks to thousands of collaborations with open-source projects, the company contributes to the reliability of IT environments.

Tidelift has a fairly straightforward method of motivating open-source projects to adhere to secure standards. For a fee, developers agree to Tidelift’s stipulation that they strictly work according to the guidelines set by the NIST Secure Software Development Framework and the OpenSSF Scorecards project. In addition, Tidelift analyzes data from upstream package managers and source repositories, with subscribers to the service also receiving a Software Bill of Materials. This also contains information about the security of open-source components in the software package; thus, Tidelift ensures that organizations are not at unexpected risk.

Supply chain protection

Security risks can occur in all sorts of places. A consistent patching regime and a good overview of what software an organization has in place are two fairly simple protection strategies. However, security incidents can be increasingly difficult to track: for example, a “fourth party” supplying components to external software can be the cause of a vulnerability. The role that open source plays in this should not be underestimated. Lauren Hanford, VP of Product at Tidelift, emphasizes that at companies the vast majority of programming code is open source. “Tidelift is the only company working proactively with open source maintainers to validate that their packages meet the security standards newly codified by government and industry, and paying them for this important work. This allows organizations to make more informed decisions about open source and reduce related risk, while having assurances that the software they depend on will be there in the future.”

Tidelift has automated the collection of all data and provides APIs to build the structured data into existing workflows and BI tools. The analysis of upstream data is done by Tidelift’s own experts, who can provide insights on the total set of data in conversation with customers. A standardized attestations report can be used as proof that all open source dependencies within an organization follow best practices. Attestations for components can be dynamically maintained so that any vulnerabilities remain visible.

European legislation

Keeping track of supply chain security is always necessary, but within the European Union it could soon become legally more important. In April, there was an uproar over legislation on the table at the EU. The Cyber Resilience Act as it was formulated put open-source programming at risk, said Deb Nicholson, the head of the Python Software Foundation at the time. Because software companies would be held responsible for security threats in their products under the bill, open-source developers could be in trouble while unable to control who uses and monetizes the code they made available.

In other words, a party such as Tidelift may become even more attractive to European players in the future. Decisions around the deployment of open-source components can potentially be made more securely by offloading the sizable task of monitoring their security level to a third party. At any rate, consistent and clear standards are always a good thing, and that’s what Tidelift is trying to promote.