Tidelift improves software supply chain security with open source intelligence capabilities

Tidelift announced a broad new set of capabilities as part of the Tidelift Subscription that expand customers’ ability to utilize Tidelift’s maintainer-validated data to make more informed decisions about open source packages and minimize open source-related risk.

These new capabilities are the culmination of years of work by Tidelift to identify the secure software development practices with the largest impact on improving open source security, and then pay maintainer partners to ensure these practices remain in place for their projects into the future.

“With open source making up the vast majority of the code in modern applications, and against the backdrop of several recent high-profile security vulnerabilities impacting open source, organizations are urgently seeking innovative ways to ensure their software supply chain is properly maintained and secure,” said Lauren Hanford, VP of product, Tidelift.

“Tidelift is the only company working proactively with open source maintainers to validate that their packages meet the security standards newly codified by government and industry, and paying them for this important work. This allows organizations to make more informed decisions about open source and reduce related risk, while having assurances that the software they depend on will be there in the future,” added Hanford.

New open source software intelligence capabilities, including API access

Tidelift’s open source package intelligence data is researched and validated by Tidelift and its paid maintainer partners and available via the Tidelift Subscription. Tidelift automates the data collection, curates and structures the data, and provides APIs to easily integrate with existing workflows and business intelligence tools.

Organizations can save time by letting Tidelift do the work to collect open source intelligence data at scale, across millions of open source packages. This helps them reduce the time they spend analyzing individual packages and helps them make better decisions more quickly.

The Tidelift Subscription includes:

  • First-party maintainer-sourced data. Tidelift partners directly with the maintainers of thousands of the most popular open source packages and pays them to validate that they follow secure development practices like those outlined by government and industry, such as the NIST Secure Software Development Framework and the OpenSSF Scorecards project. This provides organizations with unique first-party, maintainer-sourced insights available only via the Tidelift Subscription.
  • Automated, structured, and centralized data. Tidelift aggregates data across multiple upstream package manager ecosystems and source repositories into a centralized and structured format.
  • Tidelift human-researched data. The upstream data is analyzed and further researched by the Tidelift data team with the aim of providing more contextualized insights for our customers.

New government cybersecurity compliance capabilities

The U.S. government has announced a new requirement that will mandate that its software suppliers self-attest that they follow the secure software development practices outlined in the NIST Secure Software Development Framework (SSDF), including for the open source components used in their applications.

Compliance deadlines are approaching, and organizations that do not meet them may risk losing valuable government contracts.

As the only source for first-party attestation data from the maintainers behind thousands of open source packages and aligned to the U.S. government’s NIST Secure Software Development Framework (SSDF) standards, the Tidelift Subscription also provides:

  • A standardized attestations report, to be used as evidence that the open source dependencies in an organization’s applications follow secure software development best practices.
  • A solution to help organizations dynamically track attestations for open source components going into their product and keep the attestations current in an automated manner.

Open source management and policy compliance

For organizations that rely heavily on open source software but struggle with a lack of visibility into package usage across the organization, or that are concerned that development teams are downloading and using packages that have not been evaluated against organizational risk parameters, Tidelift continues to offer a premier solution for managing open source.

The software bill of materials functionality, included in the Tidelift Subscription, allows organizations to build a centralized inventory of all open source components being used across the organization. This makes it easy to quickly identify every release of a compromised package when remediating vulnerabilities.

Through the Tidelift Subscription, organizations are able to implement open source standards consistently, across all of their development teams, ensuring developers are only using approved open source components that follow secure software development practices.

Tidelift then continuously evaluates the packages being used against the set of organizationally-defined open source standards to ensure compliance over time, while also making use of Tidelift’s enhanced data intelligence capabilities to help organizations make good decisions regarding the security and maintenance practices of the components included in their software bills of materials.

“Solutions like the Tidelift open source data intelligence capabilities can be ideal for organizations seeking human-validated data on the secure software development practices used in open source projects,” said Jim Mercer, research VP of DevOps and DevSecOps at IDC. “These types of insights can equip organizations with detailed and validated first-party information about the secure software development practices used by the open source projects in their software supply chain that can help them strengthen their security posture and assist them with complying with emerging government compliance requirements.”
