<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=705633339897683&amp;ev=PageView&amp;noscript=1">

Tidelift for government agencies

Get better at identifying indicators of compromise associated with open source software. 

In recent years, the rise in sophisticated cyberthreats has led to an increased global focus on cybersecurity. Governments worldwide are now placing a higher priority on developing strategies and regulations to counter these threats. This focus is evident in key initiatives such as the White House Executive Order 14028, the NIST Secure Software Development Framework, the European Union Cyber Resilience Act, and the CISA Secure by Design Pledge, to name a few. All of these guidelines and requirements advocate for a robust approach to cybersecurity, emphasizing the need for comprehensive and proactive security measures—including for open source components. 

Tidelift is used by government agencies implementing defense-in-depth and secure by design principles both in the software they build internally and in the software they acquire from suppliers. 

Schedule a demo
2560px-USGS_logo_green
Platform One
240px-Jet_Propulsion_Laboratory_logo.svg
309th SWEG
DARPA_Logo_2010

"The United States Air Force, and the Government as a whole, are among the largest consumers of open source software. With the increasing requirements around Software Supply Chain Risk Management (SCRM) and Software Bills of Materials (SBOM) initiatives, we are excited to partner with Tidelift to enhance cybersecurity resilience outcomes for open source software dependencies that support our most critical work."

Robert "Devo" DeVincent, Chief Software Officer, Air Force 309th Software Engineering Group.

Software supply chain outcomes recognized by government agencies

 

Evaluate Packages

 

Defense-in-depth, proactive open source software evaluation

The Tidelift Subscription is leveraged by federal agencies to strengthen their cybersecurity supply chain risk management (C-SCRM) initiatives. Defense-in-depth is a cybersecurity principle that incorporates both a reactive and proactive approach towards open source supply chain security. With reactive strategies already in place, these agencies now want to enhance their defense-in-depth capabilities by evaluating open source packages and identifying early risk indicators to avoid packages that could be impacted by vulnerabilities in the future. 

As customers of Tidelift, these agencies have built a data driven approach, that includes human-validated, first-party insights from Tidelift and our partnered open source maintainers to evaluate risk indicators such as:

  • Are maintainers implementing two-factor-authentication?
  • Are releases being published by authorized release managers?
  • Is there a documented security and vulnerability disclosure policy in place?
  • What is the maintenance status of a particular package or package version, has it been deprecated or past its end-of-life date? 

Learn more

Incentivizing open source maintainers to eliminate threat vectors

Proactively evaluating open source software is an effective solution to eliminating risks associated with new open source software. However, most federal agencies that work with Tidelift also depend on a vast footprint of open source software that they previously brought in for application development. Having identified risk vectors linked to these under maintained open source components, these agencies are now focused on taking necessary steps to minimize their exposure. To address these challenges, they are leveraging Tidelift's network of partnered maintainers, and incentivizing them to work together with other open source maintainers and contributors to implement and enforce more secure software development practices such as those outlined in the NIST Secure Software Development Framework (SSDF)

 
 
jackson-databind

jackson-databind

Maintainer Tatu Saloranta used income from Tidelift and its customers to completely rearchitect jackson-databind and eliminate the risk of RCE vulnerabilities.
Read the story
minimist

minimist

Maintainer Jordan Harband saved minimist from deletion when its maintainer decided to delete their projects from GitHub.
Read the story
urllib3

urllib3

Maintainer Seth Michael Larson was able to substantially improve urllib3 security practices thanks to income from Tidelift and its customers.
Read the story
sockjs

SockJS

When SockJS maintainer Bryce Kahle took a new job that didn’t involve JavaScript, Asif Saif Uddin stepped in as maintainer, ensuring the project wasn’t abandoned.
Read the story
jordan-harband-javascript-logo

Jordan Harband

Maintainer Jordan Harband used income from Tidelift and its customers to consistently maintain over 450 JavaScript packages during good times and bad.
Read the story
Pillow: a Tidelift maintainer case story

Pillow

Maintainer Jeffrey A. Clark significantly improved security practices used to maintain Pillow, a popular Python Image Library package downloaded 3 million times a day.
Read the story
mongoose-1

Mongoose

Maintainer Valeri Karpov of Mongoose implemented additional secure development practices and significantly improved the project’s OpenSSF scorecards score.
Read the story
Apache Commons

Apache Commons

Maintainer Gary Gregory of Apache Commons used income from Tidelift and its customers to carve out &nbsp;time to create a more robust security review process.
Read the story

Actively monitoring

 

Informed technical debt remediation

In light of recent events such as Log4Shell and xz utils, many of the agencies that work with Tidelift recognize that reacting to late-stage risk and vulnerabilities alone is no longer enough to secure software. Open source software supply chain threats are much broader than what CVEs tell us—and managing all of this at scale is overwhelming. The path out of such fire drills is using data to drive action, earlier.

To mitigate risks, agencies are looking to migrate away from outdated software versions, tackling technical debt that poses the greatest threat, and prioritizing the most relevant vulnerabilities impacting their software. All of these initiatives require a significant undertaking, and federal agencies often struggle to prioritize actions that would have the most substantial impact on risk reduction.

Working with Tidelift has allowed federal agencies to adopt a more efficient and data-driven approach for managing technical debt and addressing vulnerabilities. This approach focuses on maximizing impact by predicting possible compromises and assessing risk indicators such as:

  • Current vulnerabilities impacting open source components, if any
  • Whether the vulnerability is a false positive 
  • Likelihood of being impacted by a vulnerability after it has been discovered 
  • Maintenance status such as whether a package had been deprecated or past its end-of-life date
  • Number of critical applications relying on an older version of open source software

 

Eliminating licensing risks

It is important to remember that open source software, while free, must be used in line with the license that it is made available under. Open source licenses are crucial because they define the terms under which the software can be used, modified, and distributed. They ensure that the rights of both the original creators and the users are protected, setting clear boundaries for how the software can be utilized. Tidelift is working with a number of federal agencies who require full transparency and understanding of the licensing policies in place across all of the open source in use, in an effort to prevent legal and financial ramifications. 

Tidelift’s data research team, in partnership with open source maintainers, maintains machine readable SPDX license data for millions of open source packages. We ingest license data from various sources, curate and normalize the data. Most importantly our team is able to identify missing or inaccurate license information and then does the manual research to correct the license information. This allows federal agencies to confidently evaluate licensing requirements on a per-release basis with the ability to answer questions such as: 

  • What licenses are in use in our organization?
  • Are these licenses appropriate for use, given the risk profile of certain applications in the organization?
  • How widespread is license mis-use in our organization?
  • Is the use of open source software in alignment with federal guidelines?

Licensing

 

SBOM

 

Software Bill of Materials (SBOM) automation 

Per Executive Order 14028, healthcare, automotive, and critical infrastructure require software vendors to provide an SBOM along with software attestation. However, simply generating SBOMs is not enough, and government agencies are looking for solutions to systematically analyze SBOMs and to operationalize the data. They are specifically asking “what do we do with all these SBOMs?”

Tidelift, along with other leaders in the space, is helping government agencies to automate supply chain compliance requirements by digesting SBOM data and triggering intelligent data based decisions regarding:

  • Vulnerability and incident prioritization and remediation
  • Component usage and differences between builds
  • Open source licenses and implications on legal risk
  • Approaching or past component end-of-life events
  • Overall software quality

How can Tidelift help?

Government agencies need visibility and specific insights relating to security, maintenance, development, and licensing practices for their open source software supply chain. Yet, the so-called open source software supply chain is not a traditional supply chain in that open source maintainers typically do not have a business relationship with their users and license their software “as-is” with no warranty. With Tidelift, government organizations can achieve the following key outcomes:

  • Proactively evaluate and select healthy and resilient open source packages
  • Actively monitor the packages in use to understand dependencies and risk
  • Identify and eliminate potentially risky packages already adopted
  • Reinforcing at-risk packages to keep them from becoming bad

Tidelift is the only company that partners with and pays open source maintainers to implement enterprise class secure software development practices and validate the practices they follow so organizations can have the same confidence in the security of their open source that they have in their own code. In addition, our relationships ensure that maintainers are contractually committed to continuing these practices into the future so that federal agencies can confidently make long term investments in the software they use.

Defense-in-depth

At Tidelift, we advocate applying the fundamental cybersecurity principle of a defense-in-depth approach to open source software supply chain security that utilizes both a reactive approach such as using SCA tools, and a proactive approach. This helps in preparing for future compromises and ensuring the open source software being used is developed using secure development practices, in order to minimize the likelihood of being impacted by issues and vulnerabilities in the future.

Questions to consider before using specific open source software: 

  • Is the software you use deprecated or past its end-of-life date?
  • Are release managers vetted and approved?
  • Is the software you use responsive to security issues?

Learn about the 10 critical things to know before depending on an open source project.

Watch the webinar

Secure by design

Tidelift is a proud signee of the US Cybersecurity and Infrastructure Security Agency’s (CISA) Secure by Design pledge, having joined other leading technology companies in an industry-wide effort to ensure security is built into the design of products from the start. At Tidelift, we collaborate closely with open source maintainers to integrate secure by design principles into their projects, helping protect the software supply chain from emerging threats. Below are some examples of how we work with maintainers to ensure their projects are built with security at the forefront.

Related reading

jackson-databind

jackson-databind eliminates RCE vulnerability

Maintainer Tatu Saloranta completely rearchitected jackson-databind and eliminated the risk of remote code execution (RCE) vulnerabilities.

Read More
urllib3

urllib3 improves security practices

Maintainer Seth Michael Larson was able to substantially improve urllib3 security practices thanks to income from Tidelift and its customers.

Read More