Hear Tidelift CEO and co-founder Donald Fischer discuss why we should be asking the important question: when considering the evolving list of government and industry cybersecurity requirements, who is going to do the work?
This video clip comes from our on-demand webinar, "Why software composition analysis tools aren't enough." In this webinar, Donald talks about a new approach to improving open source supply chain resilience that brings together people and software. You can watch the entire webinar on-demand here.
But the big question is who's going to actually do that work? And who is actually capable of doing that work to ensure that the software meets those objective standards?
This quote from the Cyber Safety Review Board report that I referenced earlier really sums up the issue as we see it. So the CSRB report says, "Log4Shell also called attention to security risks unique to the thinly resourced, volunteer-based open source community. This community is not adequately resourced to ensure that code is developed pursuant to industry-recognized secure coding practices, and audited by experts."