<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=705633339897683&amp;ev=PageView&amp;noscript=1">

NIST Secure Software Development Framework (SSDF) attestations for open source

Talk to an expert

The U.S. government has announced plans to make software vendors liable for damages caused by cybersecurity defects in their products. Software suppliers could be facing millions of dollars in fines and penalties if their products have security vulnerabilities that cause harm to consumers. 

Minimize liability risk from open source

Liability can run into hundreds of millions of dollars. In 2019, the FTC fined Equifax $700 million for not updating a vulnerable version of the Apache Struts open source package, leading to the theft of personal information from about 147 million consumers.

Take advantage of liability shield protections

The U.S. government has announced the intent to provide a “safe harbor” liability shield to software suppliers who can show they are following secure software development practices. 

How Tidelift can help

Watch a demo to learn how Tidelift can help your organization attest to the cybersecurity practices of the open source components in your software supply chain
HubSpot Video

Many organizations already have internal secure software development practices in place for the code they write themselves. Tidelift helps you document the secure software development practices of the open source dependencies in your applications (which in many codebases makes up 75% or more of the code).

The Tidelift Subscription is a complete solution for managing open source, including the tools, data, and strategies you need to document your open source software supply chain security practices.

Tidelift pays the maintainers behind thousands of the most commonly used open source packages to attest their projects are developed using secure software development practices. Our subscription includes:

The only source for first-hand attestation data from the maintainers behind thousands of open source packages that go into your software, aligned to the U.S. government’s NIST Secure Software Development Framework (SSDF) standards.

A standardized attestations report, to be used as evidence that the open source dependencies in your organization’s applications follow secure software development best practices.

A solution for dynamically tracking attestations for open source components going into your product, and keeping these attestations current automatically.

Tidelift named Gartner® Cool Vendor™

Read the report

gartner_cool_vendor_2022-1

Learn more about government actions impacting open source

Guide to cybersecurity requirements with shadow
Learn more about how emerging US government cybersecurity actions will affect your business.
Read the guide
National cybersecurity strategy with shadow
Get a complete view of government actions impacting open source
Visit resource center