
Handing Companies a Medium to Achieve Compliance across a Stricter Open-source landscape

Human capabilities have touched upon some truly valuable elements, but none has been more significant than our tendency to improve at a consistent clip. That tendency has already brought the world some huge milestones, with technology standing out as a rather unique member of the group. What makes technology's credentials so unusual is its skill-set, which was unprecedented enough to realize possibilities we could not have imagined otherwise. Nevertheless, a closer look reveals that the whole run was also very much inspired by the way we applied those skills in a real-world environment. That latter component is what gave the creation a spectrum-wide presence and made it the centerpiece of every horizon. Having such a powerful tool run the show has expanded our experience in many directions, and even after reaching this far, technology keeps on delivering the right goods. This has grown more evident in recent times, and assuming one new GRC-themed development pans out as we envision, it will only propel that trend to greater heights over the near future and beyond.

Tidelift, a provider of solutions for improving the security and resilience of the open source software supply chain powering modern applications, has officially launched a broad new set of capabilities to complement its subscription service. According to certain reports, the stated capabilities expand customers' ability to use Tidelift's unique, maintainer-validated data to make more informed decisions regarding open source packages and minimize the related risk. The announcement comes on the heels of the US government announcing a new requirement that mandates its software suppliers to self-attest that they follow the secure software development practices outlined in the NIST Secure Software Development Framework (SSDF). This notably includes the open source components used in their applications.

But what makes Tidelift's new feature an ideal answer for the new mandate? For starters, Tidelift partners directly with the maintainers of thousands of the most popular open source packages. The company pays them to validate that they follow secure development practices like those outlined by government and industry, such as the SSDF and the OpenSSF Scorecards project. This direct relationship with maintainers ensures that Tidelift's subscribers have unique first-party insights available exclusively on the company's platform.

Next, enhancing Tidelift's prospects even further is the company's ability to aggregate data across multiple upstream package manager ecosystems and source repositories. By doing so, Tidelift is able to deliver the necessary information in a centralized and structured format, which empowers companies to quickly identify every release of a compromised package when remediating vulnerabilities. Once the upstream data is through the door, the company's data team performs an extra piece of analysis on it, enabling Tidelift to offer more contextualized insights along the way. This analysis, of course, also helps keep an organization's open source standards compliant with the regulations over time.

“With open source making up the vast majority of the code in modern applications, and against the backdrop of several recent high-profile security vulnerabilities impacting open source, organizations are urgently seeking innovative ways to ensure their software supply chain is properly maintained and secure,” said Lauren Hanford, vice president of product at Tidelift. “Tidelift is the only company working proactively with open source maintainers to validate that their packages meet the security standards newly codified by government and industry, and paying them for this important work. This allows organizations to make more informed decisions about open source and reduce related risk, while having assurances that the software they depend on will be there in the future.”

Hold on, we still have a few bits left to unpack, considering we haven't yet gotten into the Tidelift subscription's pledge to provide a standardized attestations report. This report, in turn, can be used as evidence that the open source dependencies in an organization's applications follow secure software development best practices. In case the whole value proposition still feels a step too short, it is worth mentioning that Tidelift also gives all subscribers the means to dynamically track attestations for the open source components going into their product. Here, the company provides automated technology so as to simplify the process of aligning those attestations with the latest benchmarks.

“Solutions like the Tidelift open source data intelligence capabilities can be ideal for organizations seeking human-validated data on the secure software development practices used in open source projects,” said Jim Mercer, research vice president of DevOps and DevSecOps at IDC. “These types of insights can equip organizations with detailed and validated first-party information about the secure software development practices used by the open source projects in their software supply chain that can help them strengthen their security posture and assist them with complying with emerging government compliance requirements.”
