A managed approach to securing your open source dependencies

by Jeremy Katz
on September 26, 2019

Most applications are built on a foundation of more than 70 percent open source components. Who is on the hook for ensuring those components are properly maintained and secure?

If you don’t know the answer to that question, it might be you.

Open source packages can contain errors, like all software, and those errors can be exploited. Since historically many open source maintainers were not paid for the value they provide, they don’t necessarily have the time or the sense of urgency to apply security fixes as quickly as corporate users need them.

Just last year, there was a high-profile case in which the maintainer of a popular npm package, event-stream, accidentally handed over control to a malicious actor. He hadn’t worked on the project for years, and thought he was helping open source users by giving access to someone who might take over the necessary maintenance work that wasn’t being done.

There are a number of tools out there that will tell you about security issues with your open source dependencies. But do you know what would be even more useful than getting an alert about a security issue? To actually have it fixed for you in a timely, professional fashion.

Enter the Tidelift guide to securing your open source dependencies. This guide details how a managed open source approach ensures that the components you use to build applications consistently adhere to security best practices, reducing open source-related risk and allowing you to stay focused on your own application development.

Using a managed open source approach is simply a better way to keep your dependencies secure. Download the guide now to learn more about how to get started.