Open Source & More - Blog | Tidelift

How to create an effective open source software supply chain management plan

Written by Caitlin Bixby | December 13, 2022

Open source helps developers build applications more quickly because they are able to draw from billions of lines of freely available code. However, open source also comes with hidden security and maintenance challenges.

In a recent article for Spiceworks, Tidelift CEO and co-founder Donald Fischer proposes the importance of an effective open source software supply chain management plan that addresses both internal security and maintenance challenges as well as external software supply chain resilience challenges. Here are some of the key recommendations from that article:

Organizations should put a plan in place to address internal open source security and maintenance challenges. This plan should answer questions such as:

  • Does the organization have a system in place to determine which components are approved for use, and how can developers find those answers?
  • If a developer wants to bring in a component that is not already approved for use, how do they do it, and who needs to be involved?
Organizations should also have a plan for addressing supply chain resilience challenges. As we’ve seen with Log4Shell and the U.S. government’s response, the health and security of upstream open source components is becoming increasingly important. However, with a majority of open source maintainers being volunteers: there is a challenge that must be addressed, namely, who is going to take on the work of validating these open source packages so that they meet the standards enterprises and government entities expect?

How can organizations proactively address these security and maintenance and supply chain resilience challenges?

In the article, Donald suggests three key ways to address these challenges:
  • Engage with the maintainers of the open source projects used at scale in your organization. This also means ensuring that maintainers get paid.
  • Identify the tools and research necessary to make sense of emerging industry standards.
  • Build a catalog of pre-vetted and approved open source packages, set open source policies and standards for open source usage, and grow the catalog of approved packages over time.

Read the full original blog post on Spiceworks to learn more about how your organization can create an effective open source supply chain management strategy today.