- Includes application programming interface (API) access to a curated feed of open-source package insights validated by humans.
- Lets users generate the reports required by mandatory government cybersecurity regulations.
In today’s cyber landscape, reacting to risks only at a late stage is insufficient given the volume of vulnerabilities. Organisations need verified data to address threats proactively, and timely, accurate information is what makes early action and cost savings possible. Tidelift is enhancing its subscription with maintainer-validated data to help customers make informed decisions about open-source packages and reduce risk. These enhancements stem from the company’s research into software development practices, its work on improving open-source security, and its practice of compensating maintainers for their efforts.
“Amid growing reliance on open source code in modern applications and recent security issues, Tidelift, led by Lauren Hanford, is actively collaborating with open source maintainers to ensure compliance with new security standards. They pay maintainers for this work, offering organisations better risk management and software assurance.”
Enhanced open-source software intelligence, now with API access
The company and its paid maintainers extensively research and validate the open-source package data available through the subscription. They also automate data collection, curate and structure the data, and provide APIs for easy integration into workflows and business tools. Gathering this large body of open-source intelligence in one place saves customers time on package analysis and speeds up informed decision-making. The subscription offers:
- Exclusive first-party maintainer-sourced data: The company partners with open-source maintainers, paying them to validate secure development standards like NIST and OpenSSF, offering exclusive insights to organizations.
- Automated, centralised, and structured data: Consolidates data from various package manager ecosystems and source repositories, presenting it in an organized format.
- Enhanced human-researched data: The company’s data team conducts in-depth analysis and research on upstream data to provide customers with more contextualized insights.
The U.S. government requires software suppliers to confirm adherence to the National Institute of Standards and Technology (NIST) Secure Software Development Framework (SSDF), including for open-source components. Failing to comply may put government contracts at risk. The subscription aligns with these standards and provides crucial attestation data from open-source maintainers. Additionally, the subscription offers:
- A standardized attestation report that serves as compelling evidence affirming that an organisation’s applications’ open-source dependencies adhere to best practices in secure software development.
- An automated solution designed to assist organizations in actively monitoring and maintaining current attestation records for open-source components integrated into their products.
Managing and Enforcing Open Source Policies
The company addresses the needs of organizations heavily reliant on open-source software by including a software bill of materials in the subscription. This creates a centralized inventory of all open-source components, which simplifies identifying compromised packages when a vulnerability has to be addressed.
With the subscription, organisations can enforce open source standards across all development teams, ensuring the use of approved, secure components. The company assesses package compliance and offers data intelligence for informed decisions on component security and maintenance in its software inventory.
Jim Mercer, IDC’s VP of DevOps and DevSecOps, stated that the company’s open-source data intelligence is ideal for organizations seeking secure software insights from open-source projects. This firsthand data enhances security and aids compliance with government regulations.