This short demo will walk you through how Tidelift can help your organization attest to the cybersecurity practices of the open source components in your software supply chain and meet government compliance requirements.
Hey there, and welcome. Today I'm going to show you how Tidelift customers can attest to the secure development practices for all of the open source that they're using. What you're seeing on your screen here is the projects view within the Tidelift product. This is going to give you a centralized list of all of the applications at your company, as well as their corresponding software bill of materials, or SBOM. This will allow you to see where teams are doing well with submitting regular, recurring software bills of materials, or where teams may need a little bit more support to get their SBOMs in. The SBOM is going to provide a critical index to what open source dependencies are coming into your software.
When we click into a project, you can quickly download an attestation report for the latest software bill of materials in this project. This attestation report is going to show you exactly how each open source dependency aligns to the NIST Secure Software Development Framework (SSDF). With this view of all of the SBOMs for this particular project, you can see that we show you which releases have been tagged as major releases of your software. When you click into an individual SBOM, you'll be able to export a machine-readable format for any software bill of materials. You can use this for attestation purposes. We'll create it once we've read in the SBOM or generated it, and then we'll store that for you for when you need it.
Let's click into a package. Tidelift has done the work to map many different fields on each individual package both to Executive Order 14028 and to the NIST Secure Software Development Framework. As you can see here, this is extensive data that you're not going to find on any package manager or GitHub repository, including whether two-factor authentication is enabled, who the security contact is, and whether, in the event of a security incident, the package maintainer will be responsive. As you can see here, this data would take a lot of time to acquire on a per-package basis. Just the basics alone take about an hour per package.
We've been building the largest dataset of open source software build practices in the world through our maintainer partnerships for years. We pay maintainers to provide accurate data on how they're building and securing their software. Because we have this rich dataset of maintainer-provided attestations, Tidelift can provide an automated, scalable answer when you need to attest to how your open source software is being built. All of this data is available via API, and Tidelift can integrate easily into your existing CI/CD workflows.
As part of compliance with M-22-18 and other emerging regulatory requirements, Tidelift will be your partner in generating a plan of action and milestones for understanding and monitoring how your open source is being built and what outcomes it's delivering. From the beginning, Tidelift will work with you to make sure that you have an SBOM per application being generated and centralized, so that you can begin generating open source attestation reports per application SBOM.
Software supply chain security today is not just about knowing what you're using or if there are any open vulnerabilities. It's about trusting the steps taken to secure the development and build processes throughout the development lifecycle. Contact us for a demo or to learn more.