Fact: most application developers love open source because it makes them more productive. Also a fact: open source brings with it some security, maintenance, and supply chain resilience challenges. How do you take advantage of the flexibility and speed open source provides while also proactively taking steps to mitigate potential security risks? Log4Shell and Heartbleed, anyone?
In this new Solutions Review article, Tidelift co-founder and head of engineering Jeremy Katz highlights some of the hidden challenges of securing the open source software supply chain.
One eye-popping statistic Jeremy cites in the article: a U.S. federal government department reported spending 33,000 hours remediating the Log4Shell vulnerability. That is 16 person-years of time just to deal with a single vulnerability! And according to the U.S. Department of Homeland Security's Cyber Safety Board, we'll be dealing with repercussions from Log4Shell for a decade.
You should read the whole article, then watch this talk by Tidelift CEO and co-founder Donald Fischer where he proposes an optimistic and practical approach to improving open source software supply chain security that brings software and people into the solution.