Does your organization rely heavily on open source software but struggle to understand how specific open source components might make you more susceptible to vulnerabilities and attacks?
This short demo will walk you through how Tidelift can help your organization address this challenge by providing first-party, human-researched insights on open source packages, powering the most informed decisions on which packages and versions to use for development.
Let's talk about open source software supply chain data. Tidelift provides centralized open source intelligence that is automatically refreshed, normalized for accuracy, and researched by humans to fill in the gaps. On top of that, Tidelift works with our partnered maintainers to provide insights directly from those who write the software on how their software is built, how it is managed, and how its vulnerabilities get resolved.
Let's look at some examples.
Here you see the Python package urllib3, a key component underpinning much of the Python ecosystem. There's basic information such as its license, which has been researched by Tidelift, which versions are recommended for use, and how often it's released. You can also get information on the vulnerabilities that have been fixed in urllib3 in the past. Tidelift goes beyond that to assess every open source package against a set of quality checks that you can use to decide what you should use.
So, for example, you can check that there are no vulnerabilities in the latest release. That there's a discoverable security policy, so you know that security issues in the project are being handled in a normal, responsible manner. And that the package signs its releases, so you know they haven't been tampered with.
But you need to go beyond that. After all, when you're bringing a dependency into your organization, you're not just depending on it; you're depending on everything it depends on, whether directly or transitively. Tidelift does the research to determine, if you're using the latest release of something, whether bringing it into your organization will bring other issues in via its dependencies. This is powerful information, so you know that when you choose a release of something, you're not going to have any hidden issues.
But again, you still might need more information to assess something and know whether you should use it. After all, the fact that it's maintained today may not mean much if the developer isn't funded properly and won't have time to maintain it three months from now. That's why Tidelift does the research to make sure that packages aren't deprecated, that they are getting updates, and that they are responsive to security issues, so you can know what is actually maintained.
Let's look at another example. Here's a package called Angular. It's an older JavaScript UI framework, and it's actually been deprecated by its maintainers; they do not maintain it anymore. Tidelift checks this, so if you're assessing it you can see that this package has been deprecated, that it is not maintained, and that it is not responsive to security issues. If you're looking at it, you know that you should not start using it, and if you are already using it, you know that you need to make plans to get off of it.
You can also use this data in other ways. Recent US government regulations have stated that, to sell to the government, you need to attest not only that your own software is being developed securely, but also that the open source you depend on is being developed in a secure manner. Tidelift is there to help. We provide attestation data on the development practices of open source, so that if you need to generate this report for compliance purposes, you can get this information and see how all the software you depend on aligns with secure software development frameworks.
Now, obviously, you've got hundreds or thousands of dependencies, and all of this research needs to be done at scale. That's no problem with Tidelift. For Tidelift subscribers, Tidelift provides open source intelligence via a series of APIs, so that you can integrate this information where and when you need it. All the data you've seen so far is available via the API. If you want to look at a package, get information on it, and see how it stands up to these various checks, you can do that via our API. If you're looking to build a report on the development practices of the software you use and you need that attestation data, again, you can get that via our APIs. And if you're researching vulnerabilities you need to fix and want recommendations from the maintainers on what workarounds there may be, or on whether it's a real issue at all and not a false positive, again, you can get that data via the Tidelift APIs.
All of this is available with the Tidelift subscription, which allows you to integrate this data into any of your processes or tools. You don't need to spend weeks analyzing every dependency or application looking for hidden risk. Tidelift has already done the research, so you can focus on what's important to your business.