We were excited to be one of eight companies featured at the AWS Startup Showcase last week. Tidelift CEO and co-founder Donald Fischer spoke with Dave Vellante of SiliconANGLE Media about open source supply chain security in light of Log4Shell and the White House cybersecurity executive order.
In the interview, Donald first explains what the Log4j component is, as well as the security vulnerability that was discovered in Log4j, dubbed Log4Shell.
“This is a form of security vulnerability that actually allows attackers, if the system hasn’t been patched, to get full control of a system, a server, that has the software running on it,” Donald said. “They can access private customer data on that system or really do anything. It’s called shell level access.”
Fixing this vulnerability was a top priority for many teams over the holidays. It also showed that a small component in your overall application estate can have a disproportionate impact on your operations. There has been a silver lining, however: the vulnerability has pushed companies to look proactively at putting measures in place to avoid future open source vulnerabilities.
“More than 70% of most custom applications are comprised of this third party open source code,” Donald said. “Projects very similar in origin and governance to Log4j. That’s just reality. We also have to be practical about it. How are we going to work together to make sure that that software, as much as possible, is vetted to ensure that it meets commercial and enterprise standards?”
The U.S. federal government was ahead of the game in both flagging the severity of open source vulnerabilities and directing organizations on how to respond to them. On May 12, 2021, the White House issued an executive order on cybersecurity, “Executive Order on Improving the Nation’s Cybersecurity.” The order implemented hard requirements around federal agencies' usage of open source software by requiring a software bill of materials, known as an SBOM, from vendors that are doing business with the government.
“The strategy there has been to expressly use the purchasing power of the U.S. government to level up industry as a whole and create the necessary incentives for organizations to take this seriously,” Donald said.
So how does Tidelift help organizations deal with this problem and secure their open source software supply chain?
Tidelift provides a purpose-built software solution that keeps track of the third-party open source flowing into an organization's applications by connecting with the company's DevSecOps toolchain, developer tooling, and application development process.
“[Tidelift sits] next to the point in your release process where you run your unit test to ensure the business logic in the code that your team is writing is accurate,” Donald said. “We do an inspection to look at the state of the third-party open source packages, like Apache Log4j, that are flowing into your application.”
The other aspect that makes Tidelift unique is the set of relationships Tidelift has built directly with independent open source maintainers. This model also allows Tidelift to pay the maintainers, creating a new income stream around what was previously often a volunteer activity. That gives developers an incentive to make sure their software meets enterprise standards for security, licensing and compliance, accuracy, and compatibility.
“We’re helping these open source maintainers ‘go pro’ on an aspect of what they do around open source,” Donald said. “That’s good for our customers, and it’s good for everyone who relies on open source software, which is really everyone in society these days.”
There are several implications for companies that don't put the right tools and processes in place to manage their open source digital supply chain. Ignoring the problem is no longer a viable option if you want to avoid the next Log4Shell.
The FTC has said it will use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of the vulnerability in the Log4j library, or similar known vulnerabilities in the future.
“Tidelift is contributing a different and novel solution to the mix that we hope will help organizations contend with this and avoid that kind of enforcement action from the FTC or other regulators,” Donald said. “There are new challenges moving into a world built on a foundation of independently created open source. We need new solutions and new ideas and that’s part of what we are showing up with from the Tidelift angle.”