Thank you to everyone who joined us at Upstream Live in Boston last week! This was a first for us at Tidelift: we brought together a corporate customer (John Mark Walker, from Fannie Mae), a paid maintainer (Jordan Harband, maintainer of over 500 JavaScript projects), and Tidelift co-founder and CEO, Donald Fischer, to discuss an area of opportunity in software development, live and in person. It was a first chance for our Boston community to meet the humans making open source better for everyone!
We congregated at the CIC in Kendall Square, the shared office space used by Tidelift, and had a great conversation with the folks in the room about how proactive work with open source maintainers to make their projects healthier and more secure has both changed the vulnerability management landscape for Tidelift customers and improved project outcomes for the maintainers themselves.
For those who missed it, here’s a quick recap of the conversation:
- Patch management needs an update: the number of reported vulnerabilities is rising, but many are never actively exploited, which raises the question of whether clearing CVEs actually reduces risk or merely satisfies a requirement to eliminate all CVEs. The existing CVE system was criticized as inadequate: it lacks context and fails to facilitate meaningful communication between security researchers and maintainers.
- Current remediation methods are inefficient: participants noted that development teams struggle with contextually relevant prioritization, and often spend significant time addressing low-risk vulnerabilities, diverting resources from more critical security work.
- Incentives and motivations are worth exploring: our discussion revealed that current incentives in the security industry often lead to a focus on symptom management rather than solving underlying issues. This creates perverse incentives around vulnerability reporting, such as setting a “zero vulnerability” compliance goal that may not be the most effective way to improve security outcomes.
- What community engagement looks like: panelists and audience participants noted that engaging with open source maintainers is crucial, as many vulnerabilities remain unaddressed due to a lack of communication and resources for maintainers.
- We need to recognize developers: developers contributing to security efforts often lack recognition, leading to disengagement from "secure by design" practices.
- Government initiatives are on the rise: discussion included the potential of government-led initiatives, like CISA's "Secure by Design," to improve software security standards and hold vendors accountable for vulnerabilities.
- Adding context to risk assessment: participants emphasized context as an important first step in mitigation or remediation, and suggested integrating information from various sources to build a more comprehensive understanding of software risks.
- Recognizing the human element in security: there was acknowledgment from all participants that human factors play a significant role in security risks, suggesting that organizations should consider the human aspects of vulnerability management alongside technical solutions.
Customers use the Tidelift Subscription to retain government certifications, to navigate through and satisfy software audits, and to protect their applications. Maintainers use their income and the frameworks from Tidelift to focus their security work on what matters. We look forward to more conversations with more of you in other cities!