
Defense in depth: proactive and reactive strategies

Hear Tidelift CEO and co-founder, Donald Fischer, highlight the Tidelift Subscription's defense in depth approach, an approach that combines proactive and reactive strategies to manage application security.

This video clip comes from our on-demand webinar, "Why software composition analysis tools aren't enough." In this webinar, Donald talks about a new approach to improving open source supply chain resilience that brings together people and software. You can watch the entire webinar on-demand.

TRANSCRIPT

There's this familiar principle in information security called defense in depth, which relies on multiple reinforcing layers of security controls. I think that's a really useful framework to have in mind when talking about this problem space, as it is in others like network security, or other parts of information security.

At Tidelift, we recommend that organizations take such a multi-layered approach to application security, which involves both these reactive strategies that are not bad, they're not useless, but they're just not going to comprehensively solve all problems by themselves. But organizations should apply some reactive strategies, such as SCA tools and other scanner-type approaches. You might have container security scanners, other application testing tools in place as well. But at the same time, you should also ensure that your organization has some proactive strategies in place for application security.

For example, how do you manage your open source usage within your organization? How do you ensure consistent application of the standards that your software needs to meet across the applications that get built? And beyond that, how are you supporting the upstream software supply chain health and resilience for the software that's flowing into your applications? And how can you ensure that those open source components meet these objective enterprise standards that are necessary?