We know that application developers already have a lot to manage, and that organizations are strategically shifting security to the left, into developers' purview. We also know that app development budgets are being cut due to the recession. The solution? Use more open source.
Yet, if not diligently managed, known vulnerabilities in an open source library can increase the risk of compromise despite a development team's best efforts and intentions. Relying on scanning tools alone is not enough.
This integration enables us to more rapidly notify our subscribers of cybersecurity issues present in their dependencies and also provides a fast-track process for remediation through Tidelift’s vast network of independent maintainers.
“Adversaries are increasingly targeting vulnerabilities in open source components. We’re thrilled that Tidelift sees how much value our OSS Index Data provides to its customers and is integrating it into the Tidelift Subscription.” -- Matt Howard, EVP, Sonatype
Sonatype’s OSS Index contains aggregate data from a variety of vulnerability information sources, including Common Vulnerabilities and Exposures (CVE) entries, a growing list of public vulnerability sources, and community contributions.
The Tidelift platform integrates with CI/CD pipelines via several mechanisms, offers bill of materials management, and is backed by a growing list of maintainers who are compensated for the work they do to keep packages enterprise-ready.
In other words, it’s a win-win-win. Shift left the right way with Tidelift today.