Executive order 14028 calls for the National Institute of Standards and Technology (NIST) to provide software supply chain regulations within one year. These guidelines will determine how organizations should check for vulnerabilities within applications. (Since writing this, NIST has released the NIST Secure Software Development Framework (SSDF). You can read about these guidelines and how they impact open source on our blog.)
An SBOM provides a comprehensive list of the software components that comprise your applications. With the Tidelift Subscription, you will not only know which open source components are in use within your organization, you'll also be able to check the health of those applications. This report includes information on open source licenses, vulnerabilities, and dependencies.
Managing the security of your organization’s open source supply chain can be incredibly complex. Proprietary software like SolarWinds, which was involved in a recent hack, is created by a single supplier—but with open source software, there can be dozens of open source maintainers with commit privileges for a single component. Up to 70% of code that makes up the modern application is open source—and wrangling thousands of different suppliers can seem like an insurmountable task. With the Tidelift Subscription, you can easily generate a report that satisfies the new mandatory federal requirements.
On average it takes 3 days for a disclosed open source vulnerability to be exploited. If malicious code is injected into an open source package within your application, a breach could occur at deployment, giving developers zero time to react. This malicious code serves as a backdoor into your organization.
Tidelift partners with your organization and the developers behind open source projects to proactively protect your open source supply chain upstream. This means the open source that runs 70% of your applications is protected and maintained at the source.
The call for more secure software supply chains doesn’t end with executive order 14028. At the top of 2022, the U.S. Federal Trade Commission (FTC) issued a warning in response to the Log4Shell vulnerability incident, emphasizing the need for organizations to prepare for future, similar vulnerabilities to help prevent both compromised consumer data and the resulting fines for failing to do so (in this report the FTC refers back to the Equifax data breach, where Equifax was fined $700 million dollars).
In September of 2022, the U.S. National Security Agency (NSA) partnered with the Cybersecurity and Infrastructure Security Agency and the Office of the Director of National Intelligence to release a report entitled Securing the Software Supply Chain for Developers. This report made it clear that software tools alone are not enough to ensure open source supply chain security—organizations must dedicate time and resources to establishing open source management best practices within their organization, all while maintaining an active partnership with suppliers to validate secure development practices.
Furthermore, in the same month as the announcement of the NSA report, the U.S. government’s Office of Management and Budget (part of the Executive Office of the President) released memorandum M-22-18 on Enhancing the Security of the Software Supply Chain through Secure Software Development Practices. A follow up to executive order 14028, “this memorandum requires agencies to comply with the NIST Guidance and any subsequent updates.”
Get an complete view of open source in use across the organization, including transitive dependencies while dynamvically generating up-to-date SBOMs after every build.LEARN MORE
Make more informed decisions with human-reserached, validated, and normalized metadata from Tidelift and maintainer partners -- and share them across the organization.LEARN MORE
Centralize open source security, maintenance, and licensing policies and standards while empowering developers to self-serve from catalogs of approved components.LEARN MORE
Validate that the components you use meet emerging enterprise standards--now and into the future—with help from Tidelift and our maintainer partners.LEARN MORE
In December of 2021, Tidelift fielded our annual survey of technologists—including software developers, engineering executives and managers, architects, and devops pros—who build applications with open source.
As part of an open source software strategy, organizations are increasingly hosting curated OSS package management and artifact repositories internally to mitigate risk and reduce developer friction.
Tidelift CEO and co-founder Donald Fischer shares why software tools alone are an incomplete solution to open source supply chain challenges.