Proactively reduce organizational risk by making informed decisions about open source software
Proactively evaluate the security, licensing and maintenance risks of open source software using Tidelift’s centralized, structured, and continuously curated database of insights spanning millions of open source packages.
The best way to reduce future risk is to build with more secure and better maintained components to begin with. Before bringing new open source components into your organization, you should be able to answer questions such as:
With Tidelift’s open source intelligence, organizations can easily answer questions like these about the secure software development practices of millions of open source packages. For thousands of the most-relied-upon open source packages, we pay maintainers to meet enterprise-level security and maintenance standards (like those, including standards aligned with the NIST Secure Software Development Framework) and keep their packages maintained to those standards into the future.


Open source packages are constantly changing, and it is important to monitor and review updates. Packages can change licenses. Maintainers can walk away from a project if they’re not being paid for their work. Direct and transitive dependencies can cause an issue-free component to have problems when used in production. What once was the best-of-breed framework for doing something can fall out of favor, while its maintainers move on and the project is deprecated. These are all important leading indicators of the potential for an open source component to be compromised by a vulnerability.
Building on healthy, secure open source software requires ongoing monitoring for updates and changes that impact the packages you use. Our customers are using Tidelift’s open source intelligence in their ongoing monitoring workflows to stay informed about the packages they use, and get early warning when changes take place that might make a package risky to continue using in their applications.
Ensure stakeholders are able to respond to issues and vulnerabilities by giving them appropriate visibility of open source software usage across the organization.
Tidelift provides a detailed view into the open source components the organization is using along with the transitive dependencies being pulled into your software development lifecycle. SBOMs include insights such as:

Organizations have access to granular mapping of specific open source packages being used across individual applications, including:
With Tidelift, organizations get advanced visibility into whether a dependency is direct or transitive with the ability to identify how specific dependencies are being pulled into their code.
Mitigate long-term organizational risk by standardizing open source software management practices and policies across the organization.
Tidelift’s built-in security standards provide guidance for developers on what releases are allowed within the organization, based on our continuous evaluation and decision-making. Exceptions can also be created for specific use cases not impacted by a vulnerability.

Included out-of-the-box licensing templates ensure developers have the guidance they need to use packages with approved licenses, preventing the organization from being exposed to unexpected and unwanted legal risk.
Organizations can also implement maintenance standards that guide developers away from using deprecated or out-of-date package versions.
One question we get a lot when talking to customers: how does Tidelift go hand in hand with software composition analysis tools, like Black Duck or Snyk or Mend.io? Short answer: Tidelift is proactive, SCA is reactive.
Within days of using the Tidelift application, the Distributive team found a potential vulnerability that npm-audit hadn’t, and quickly and safely fixed those issues with Tidelift’s CLI tool.
Check out the new state of the open source maintainer report, which included 11 key headlines coming out of our new survey of over 300 open source maintainers.