
The impact of bad open source packages on enterprise application development

Watch this demo to learn how eliminating bad open source packages can lead to lowering security risks, improving productivity, improving application quality, and increasing operational efficiency.

TRANSCRIPT

Using bad open source packages is slowing your team down and creating risk to your organization's revenue data and customers. Tidelift helps you proactively reduce your organization's reliance on bad open source packages. We are the only company that partners with the maintainers of 1000s of the most relied upon open source packages and pays them to make their projects healthier and more secure. Our maintainer partners implement enterprise grade secure software development practices and document the practices they follow. Together with open source maintainers, we've developed a clear idea about what makes a package reliable and secure enough for enterprise use, and we use this knowledge to make package recommendations for our customers.

By using Tidelift recommendations to identify and eliminate bad packages in their applications, organizations can reduce security risk by eliminating attack entry points. Improve productivity by reducing vulnerability fire drills. Improve application quality by building with healthy and resilient open source packages. And improve operational efficiency by saving costly manual package evaluation time.

In fact, one large organization saved over $1.6 million in manual package evaluation time and eliminated over 3000 points of risk in applications running in production.

In this demo, we'll share how organizations are able to quickly reduce their reliance on bad open source packages and ensure the open source they have in production keeps getting better.

Here's how you might evaluate a package you are considering using in your application with Tidelift. We'll use urllib3 as an example, because it's one of the most popular Python packages, downloaded over 250 million times per month. Here we can see the package is recommended by Tidelift, and Tidelift also has an active partnership with the maintainers of urllib3, and pays them to ensure it follows enterprise grade secure software development practices. There are also several additional package insights, such as the latest release, stable release, license info, contributor information, vulnerability information, specific quality checks that verify the package has implemented two-factor authentication, has reviewed release managers and more. Tidelift's package intelligence can easily be integrated into your preferred workflows by using our web UI seen here, through our command line interface, or by using our flexible APIs.

Let's switch to the API view again. Here you see the package is recommended by Tidelift because we have a contractual relationship with the maintainer to uphold secure development practices. The API output also provides the same data and insights available in the Tidelift UI. In this example, we are looking at just one package using a tool like curl, but it is just as easy to do this research at scale by bulk querying this information about multiple packages.

We'll switch to an API tool called Postman to show you how this is done. Postman is a tool used to interact with APIs to perform lookups and more. Here we will use Tidelift's lookup API to pull information about multiple packages at once. I'm passing a JSON that includes the packages I want to look up. We'll look at urllib3 again. We'll also look at the npm package moment and the npm package qs. For the sake of this demo, we'll query just three projects, but with Tidelift, you can bulk query up to 1000 projects at a time. We send in the request and get information about these packages. Again, you'll get the same intelligence we showed in the earlier examples, including recommendation status, package specific URLs of interest, quality check results and more. But if we look at the npm package moment, we'll see that it's not recommended by Tidelift. Because open source packages are constantly changing, it's important to monitor and review updates to packages already in use as well.

Tidelift makes it possible to identify bad packages through early warning signs that the package has been deprecated or abandoned. Let's look at an example. Let's say you previously pulled in moment and are now checking to see if it's a bad package for enterprise use. Tidelift is not recommending this package because it failed the "package is not deprecated check" and has been deprecated by its maintainers. This makes it risky to use, because future vulnerabilities may not be fixed. With this information, you can proactively allocate engineering resources to migrate away from moment before a future vulnerability puts the organization at risk.

Tidelift recommendations are a good place to start looking for early warning signs of packages that are risky for enterprise use. But we can also help you identify specific versions of packages that you may need to migrate away from. Let's look at the npm package qs, for example. Here we see that qs has been recommended by Tidelift, and the latest recommended release is 6.12.0. However, if you're on an older version, say 6.9.0, you will see that this version is not recommended because it's impacted by a CVSS score 7.5 vulnerability. When vulnerabilities do occur, our partnered maintainers are paid to review the vulnerability and provide timely fixes or workaround recommendations. As part of this work, during the CVE review, maintainers also provide an impact score. For the vulnerability impacting qs version 6.9.0, the impact score is 10 out of 10. This added information helps prioritize migration efforts on issues that will have the largest impact in eliminating risk for your organization. Tidelift also provides a description of the vulnerability and a recommendation directly from the maintainer of either upgrading or implementing a workaround to eliminate the vulnerability.
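As an added example (not Tidelift's code or API schema), here is a triage pass over a pinned dependency list that combines the three signals the demo walks through: package-level recommendation, a failed "package is not deprecated" check, and version-specific vulnerability data with the maintainer's impact score driving priority. The lookup dictionary, the "X.Y.Z" placeholder versions, the priority weightings and the dependency list are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed lookup results, shaped after the fields the demo describes
# (recommendation, failed quality checks, per-version data). This is NOT
# Tidelift's real API schema; "X.Y.Z" is a placeholder version number.
LOOKUP = {
    ("pypi", "urllib3"): {"recommended": True, "failed_checks": [],
                          "versions": {"X.Y.Z": {"recommended": True}}},
    ("npm", "moment"): {"recommended": False,
                        "failed_checks": ["package is not deprecated"],
                        "versions": {}},
    ("npm", "qs"): {"recommended": True, "failed_checks": [],
                    "versions": {"6.12.0": {"recommended": True},
                                 "6.9.0": {"recommended": False, "cvss": 7.5,
                                           "impact": 10,
                                           "fix": "upgrade to 6.12.0"}}},
}
# Constructed dependency list: (platform, package name, pinned version).
DEPS = [("pypi", "urllib3", "X.Y.Z"), ("npm", "moment", "X.Y.Z"),
        ("npm", "qs", "6.9.0"), ("npm", "qs", "6.12.0")]
DEPRECATED_PRIORITY = 5  # assumed weighting for a package-level failure
UNKNOWN_PRIORITY = 1     # assumed weighting when no data is available


@dataclass
class Finding:
    platform: str
    name: str
    version: str
    reason: str
    priority: int  # higher means migrate away first


def triage(deps, lookup):
    """Flag non-recommended packages and versions, highest priority first."""
    findings = []
    for platform, name, version in deps:
        info = lookup.get((platform, name))
        if info is None:  # nothing known about this package: review by hand
            findings.append(Finding(platform, name, version,
                                    "no package intelligence", UNKNOWN_PRIORITY))
        elif not info["recommended"]:  # package-level warning sign (deprecated)
            reason = "package not recommended, failed: " + ", ".join(info["failed_checks"])
            findings.append(Finding(platform, name, version, reason, DEPRECATED_PRIORITY))
        elif version not in info["versions"]:
            findings.append(Finding(platform, name, version,
                                    "version not in lookup", UNKNOWN_PRIORITY))
        elif not info["versions"][version]["recommended"]:  # vulnerable version
            v = info["versions"][version]
            reason = f"CVSS {v['cvss']}, maintainer impact {v['impact']}/10; {v['fix']}"
            findings.append(Finding(platform, name, version, reason, v["impact"]))
    return sorted(findings, key=lambda f: f.priority, reverse=True)
```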

Finally, Tidelift reinforces at-risk packages to keep them from becoming bad in the first place. Tidelift customers play a direct role in ensuring the packages they rely on keep getting better, because package maintainers are paid in part based on customer usage. Maintainers use this income to improve the secure development practices they have in place, to document these practices, and to commit to maintaining them over time. This means that customers can use open source with confidence, knowing that experienced maintainers have made the commitment to ensure their project follows enterprise grade secure software development practices, and that they have the income they need to ensure it stays resilient and healthy into the future.

Hopefully this demo has given you an initial glimpse into how Tidelift can help your organization reduce its reliance on bad open source packages, while helping the open source you rely on keep getting better. If you'd like to go deeper, please visit our documentation site or reach out directly to schedule a demo specific to your organization.