
Tidelift integrates Sonatype open source vulnerability data

by Matt Rollender
on October 29, 2020

We know that application developers have a lot to manage, including a strategic move by organizations to shift security to the left and into developers' purview. We also know that app development budgets are being cut due to the recession. The solution? Use more open source.

Yet, if not diligently managed, known vulnerabilities in an open source library can increase the risk of compromise despite a development team’s best efforts and intentions. Relying on scanning tools alone is not enough.

The Tidelift Subscription is designed to reduce the burden on application development teams by offering access to customizable catalogs of known-good, proactively maintained components (for example, JavaScript and Python packages). Tidelift will now integrate Sonatype’s OSS Index data to help developers more quickly identify and remediate security vulnerabilities in open source packages and libraries managed by Tidelift.

This integration enables us to notify our subscribers more rapidly of security issues present in their dependencies, and also provides a fast-track process for remediation through Tidelift’s network of independent maintainers.

“Adversaries are increasingly targeting vulnerabilities in open source components. We’re thrilled that Tidelift sees how much value our OSS Index Data provides to its customers and is integrating it into the Tidelift Subscription.” -- Matt Howard, EVP, Sonatype

Sonatype’s OSS Index aggregates data from a variety of vulnerability information sources, including Common Vulnerabilities and Exposures (CVE) entries, a growing list of public vulnerability sources, and community contributions.

The Tidelift platform integrates with CI/CD pipelines via several mechanisms, offers software bill of materials management, and is backed by a growing list of maintainers who are compensated for the work they do to keep packages enterprise-ready.

In other words, it’s a win-win-win. Shift left the right way with Tidelift today.

