
Tidelift catalogs and the rising urgency of managing your open source supply chain

Written by Donald Fischer | February 2, 2021

Today, Tidelift is introducing several exciting elements of the Tidelift Subscription that help organizations more efficiently manage the health of their open source supply chain. 

At the heart of this news are some important advancements around Tidelift catalogs, which provide a comprehensive way for application development teams to create, track, and manage collections of known-good, proactively maintained open source components with help from Tidelift and its partnered maintainers.

We’ve also introduced the first set of Tidelift-managed catalogs, giving organizations a head start on building a paved path of approved components for development teams to use. These catalogs are enterprise ready, with Tidelift and its partnered maintainers managing them to meet clearly defined security, maintenance, and licensing standards.

More on this in a minute, but first…

Why should open source software supply chain health matter to you right now?

It used to be that the only people thinking about the software supply chain were CIOs and industry analysts. Today—thanks to the breach impacting SolarWinds and its customers around the world—the phrase has found its way onto the front page of the New York Times and into tense boardroom conversations.

For good reason. The potential costs of software supply chain attacks can be staggering. We are only beginning to come to grips with the impact of the SolarWinds compromise. The Equifax breach cost that company billions in shareholder value and caused unknowable damage to all of us in terms of compromised data security.

In conversations with executives—especially over the past few months—I’ve seen software supply chain health go from somewhere in the middle of the list of IT priorities to the very top.

Meanwhile, open source continues to become a larger and larger part of the application development supply chain, with our research showing that 92% of applications contain open source components and in some cases open source makes up 70% or more of the code.

Which brings me to some simple math and a new reality.

More software supply chain attacks
+
More open source software 
=
More risk of open source software supply chain attacks.

Supply chain risks are compounded in the open source world because every project has historically had its own standards and processes for handling security and maintenance. Some projects have robust checks and balances in place, with extensive staff paid by the biggest companies to look after their open source code full time. Other projects have—as xkcd so artfully put it—a lonely maintainer, living in Nebraska, thanklessly maintaining their code since 2003. And some projects have no one actively looking after the code at all—even thanklessly—because the last maintainer ragequit after a particularly bad day in the issue tracker.

So if you work in an organization using open source for software development, and let’s face it, most of us do, you’ve probably at some point made a judgement call on whether your organization would rather move fast or stay safe.

Move fast—let developers pull in whatever open source code they need, YOLO and go, take whatever risks may come in stride, and deal with security or code maintenance issues as they come up. Roll the dice, and hope for the best, so your developers can keep moving.

Or stay safe—put guardrails in place to ensure any open source being used in the organization is fully vetted and run through scanning tools that check for security, maintenance, and licensing issues. In other words, implement a bureaucracy that keeps risk at bay while also dulling all of the shiny parts of using open source to accelerate development.

It is a depressing tradeoff to make. And thankfully, no longer a necessary one.

Let’s solve this with the creators of open source!

For the past few years at Tidelift we’ve been focused on how to help development teams and the organizations they serve avoid this false choice—between moving fast and staying safe—by constructively partnering with the creators behind the open source packages they depend on. We wanted to develop a solution that allowed them to move fast and stay safe. With Tidelift catalogs, that’s exactly what they get via the Tidelift Subscription.


Manage your open source supply chain with Tidelift catalogs

With catalogs—included as part of the Tidelift Subscription—organizations have a comprehensive approach to creating, tracking, and managing the open source components they are using for application development across the organization while setting and enforcing usage policies.

  • A paved path: Organizations can accelerate development and reduce security and licensing-related risk by defining and curating catalogs of known-good, proactively maintained components. Developers can draw from them safely without fear of late-breaking deployment blockers.
  • Clear policies: Organizations can set and automatically enforce standards early in the development lifecycle, such as an organization’s license policies.
  • Integrated experience: Tidelift integrates with existing source code and repository management tools so developers don’t need to change their workflow. They can pull approved components and submit new ones for approval directly from the command line.
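To make the "paved path" and "clear policies" ideas concrete, here is an added example of what a catalog-and-license policy check can look like when run against a lockfile early in the development lifecycle. It is illustrative code written for this post, not Tidelift's tooling or API: the catalog, the license allowlist, and the lockfile are all constructed for the example, and the lockfile uses the shape of npm's package-lock "packages" map only because it is a familiar format.

```python
"""
Illustrative catalog policy check (added example; not Tidelift's tooling or API).
Given a curated catalog of approved components and an organization's license
policy, flag every dependency in a lockfile that is off the paved path.
All data below is constructed for the example.
"""
import json
from dataclasses import dataclass

# Constructed catalog: package -> approved versions and declared license.
# A real catalog would be generated from a curated source, not hand-written.
CATALOG = {
    "lodash":   {"versions": {"4.17.21"}, "license": "MIT"},
    "express":  {"versions": {"4.17.1", "4.17.3"}, "license": "MIT"},
    "left-pad": {"versions": {"1.3.0"}, "license": "WTFPL"},
}

# Constructed organization policy: SPDX identifiers legal has approved.
LICENSE_ALLOWLIST = {"MIT", "Apache-2.0", "BSD-3-Clause", "ISC"}

# Constructed lockfile in the shape of npm's package-lock v2 "packages" map.
LOCKFILE_JSON = """
{
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/lodash":   {"version": "4.17.21"},
    "node_modules/express":  {"version": "4.16.0"},
    "node_modules/left-pad": {"version": "1.3.0"},
    "node_modules/colors":   {"version": "1.4.1"}
  }
}
"""


@dataclass
class Violation:
    package: str
    version: str
    reason: str


def parse_lockfile(text: str) -> dict:
    """Return {package_name: version} for every installed package in the lock."""
    data = json.loads(text)
    deps = {}
    for path, entry in data.get("packages", {}).items():
        if path == "":  # root project entry, not a dependency
            continue
        # Nested installs look like node_modules/a/node_modules/b; keep the leaf name.
        name = path.rsplit("node_modules/", 1)[-1]
        deps[name] = entry["version"]
    return deps


def check_policy(deps, catalog=CATALOG, allowlist=LICENSE_ALLOWLIST):
    """Apply catalog and license policy; return a list of Violation (empty if clean)."""
    violations = []
    for name, version in sorted(deps.items()):
        entry = catalog.get(name)
        if entry is None:
            violations.append(Violation(name, version, "not in approved catalog"))
            continue
        if version not in entry["versions"]:
            approved = ", ".join(sorted(entry["versions"]))
            violations.append(
                Violation(name, version, f"version not approved (approved: {approved})")
            )
        if entry["license"] not in allowlist:
            violations.append(
                Violation(name, version, f"license {entry['license']} not allowed")
            )
    return violations


if __name__ == "__main__":
    found = check_policy(parse_lockfile(LOCKFILE_JSON))
    for v in found:
        print(f"{v.package}@{v.version}: {v.reason}")
    # Fail the build when anything is off the paved path.
    raise SystemExit(1 if found else 0)
```

Run as a pre-merge check, this flags three problems in the constructed lockfile: `colors` is not in the catalog at all, `express` is pinned to a version the catalog has not approved, and `left-pad` is approved for maintenance but carries a license the allowlist rejects. The point of the design is that the catalog and the license policy are separate inputs, so infosec and legal can each own their list while developers get one answer early rather than a late-breaking deployment blocker.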

As I mentioned above, today we are also introducing our first set of Tidelift-managed catalogs, giving organizations a head start on building a paved path of approved components for their development teams to use. 

Organizations can pull from Tidelift-managed catalogs of known-good, proactively maintained components covering common language ecosystems like JavaScript, Python, Java, Ruby, PHP, .NET and Rust, backed by Tidelift and its partnered maintainers. These catalogs are designed to be enterprise ready, with Tidelift and its maintainer partners managing them to meet clearly defined security, maintenance, and licensing standards.

Address the open source-related concerns of multiple stakeholders

With catalogs in place, the Tidelift Subscription now delivers value across the organization:

  • For managers: Increase development velocity while ensuring development teams are building with safe, approved, and compliant components from the start.
  • For developers: Move fast and avoid rework, eliminating late-breaking surprises that slow down development by using pre-approved, known-good components.
  • For information security: Get a single place to define, review, and enforce policies around security vulnerabilities in open source components.
  • For legal: Get a single place to define, review, and enforce license policies and get indemnification to protect against licensing-related risk.

And help pay open source maintainers for their work

Best of all, Tidelift-managed catalogs are backed by Tidelift and our growing network of partnered open source maintainers. We pay the maintainers to keep their projects and these catalogs enterprise-ready.

The more subscribers using a project, the more its maintainers get paid. Which means they can dedicate even more time to maintenance and security tasks, while continuing to invest in making their projects even better.

Making open source work better—for everyone

Look, it can be an ugly world out there, and no matter how you slice it, the threats to the health of your software supply chain are going to continue to increase over the coming years. Straight talk.

But now with catalogs as part of the Tidelift Subscription you can begin to take back control of your destiny, and avoid making lose-lose choices about slowing development speed or increasing risk. Instead, start to efficiently manage open source across the organization, ensuring you can take advantage of all of the things you love about open source—and using it to its full potential.