One question we sometimes get when talking to customers: how does Tidelift fit in with software composition analysis (SCA) tools, like Black Duck, Snyk, or Mend.io?
Short answer: Tidelift provides a proactive way to minimize open source related risk, while SCA is reactive.
Long answer: Many customers are using Tidelift and one or more SCA tools together as part of what we call a “defense in depth” strategy, where SCA handles reactively detecting security vulnerabilities and Tidelift handles proactively improving the health and security of the open source software supply chain.
Two weeks ago, Tidelift CEO and co-founder Donald Fischer hosted a live webinar where he discussed why a defense-in-depth approach using both SCA and Tidelift has become a winning strategy for many organizations to make their open source software supply chain more secure and resilient. Below, we provide the key moments of Donald’s talk but if you’d like to watch the webinar in full you can follow this link.
92% of applications contain open source components and open source code makes up 70% or more of the average application. But whose job is it to keep that open source software secure and well maintained? Is it the responsibility of open source project maintainers? Before you say yes, some data:
We found in a recent Tidelift study that 60% of open source projects are maintained by people who describe themselves as unpaid hobbyists. Volunteer maintainers often lack the time and incentives to implement the secure software development practices enterprise users require.
If it’s no one’s job, it’s your problem.
This puts the onus on organizations to ensure their open source software supply chain is secure and well maintained—something that is extremely research-intensive and time-consuming work.
Software scanning tools are historically what organizations have relied on to manage open source security issues. Software composition analysis tools are a good way to help an organization fix known vulnerabilities in open source. Most organizations think they are safe after implementing a scanner to help them patch vulnerabilities. However, while scanning for vulnerabilities and addressing them is highly valuable, it is not by itself enough.
“SCA tools are about making sure you don’t consume known dangerous things,” Donald said, “but you should also invest in consuming things that are healthy and lead to good outcomes.”
This is where a defense in depth approach comes into play that utilizes both a reactive approach like SCA as well as a more proactive approach. A reactive approach using an SCA tool protects an organization against current, known risk. A proactive approach protects against future issues.
How can you ensure the open source projects your organization is using are developed using secure development practices, so you can minimize the likelihood that issues will impact you in the first place? That is where Tidelift comes in.
In partnership with paid open source maintainers, Tidelift provides accurate, human-validated data about how the open source your organization relies on is secured and maintained, allowing an organization to make better decisions and manage future risk when using open source.
“Tidelift’s proactive approach is to gather available data on millions of open source packages,” said Donald, “but then we pay open source maintainers to attest to their own secure software development practices, or bring them up to an enterprise standard, with practices including those defined in the NIST SSDF and in the OpenSSF scorecards project. We then continue to pay them to uphold these standards over time.”
Using the data provided by Tidelift in tandem with SCA tools allows organizations to support their own internal development workflows and give their team the intelligence they need to make the best possible decisions about open source.
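To make the defense-in-depth idea concrete, here is an added example (not Tidelift's code or any SCA vendor's) of a dependency gate that combines the two signals the post describes: reactive findings from a scanner (known advisories against a specific version) and proactive health data about the project (whether maintainers have attested to a secure development standard, how stale the project is, and a scorecard-style score). Every package name, advisory identifier, score and threshold below is constructed for illustration; the field names and the "allow / review / block" decision model are assumptions of this example, not a description of Tidelift's data or API.

```python
"""Dependency policy gate combining reactive SCA findings with proactive health data.

Added example, not Tidelift code. All packages, advisories, scores and
thresholds are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class ScaFinding:
    """One known-vulnerability hit reported by a scanner (reactive signal)."""
    package: str
    version: str
    advisory: str   # constructed placeholder id, not a real advisory
    severity: str   # "low" | "medium" | "high" | "critical"

@dataclass(frozen=True)
class HealthRecord:
    """Project-health data for a package (proactive signal); constructed schema."""
    package: str
    attested_practices: bool   # maintainer attested to a secure development standard
    days_since_release: int    # staleness of the most recent release
    score: float               # constructed 0-10 health score (scorecard-like)

# Policy thresholds (assumed values for this example, not a recommendation)
BLOCKING_SEVERITIES = {"high", "critical"}
MIN_HEALTH_SCORE = 5.0
MAX_STALE_DAYS = 730

def evaluate(package: str, version: str,
             findings: List[ScaFinding],
             health: Dict[str, HealthRecord]) -> Tuple[str, List[str]]:
    """Return (decision, reasons) for one pinned dependency.

    Reactive rule: any high/critical advisory for this exact version blocks.
    Proactive rule: missing or weak health data downgrades "allow" to "review",
    so the team looks at the project before the next advisory appears.
    """
    reasons: List[str] = []
    for f in findings:
        if (f.package, f.version) == (package, version) and f.severity in BLOCKING_SEVERITIES:
            reasons.append(f"reactive: {f.severity} advisory {f.advisory}")
    decision = "block" if reasons else "allow"

    h = health.get(package)
    if h is None:
        reasons.append("proactive: no health data for project")
    else:
        if not h.attested_practices:
            reasons.append("proactive: no maintainer attestation to secure practices")
        if h.days_since_release > MAX_STALE_DAYS:
            reasons.append(f"proactive: no release in {h.days_since_release} days")
        if h.score < MIN_HEALTH_SCORE:
            reasons.append(f"proactive: health score {h.score} below {MIN_HEALTH_SCORE}")
    # Proactive concerns never override a block, but they do stop a silent allow.
    if decision == "allow" and any(r.startswith("proactive") for r in reasons):
        decision = "review"
    return decision, reasons

def gate_manifest(manifest: Dict[str, str],
                  findings: List[ScaFinding],
                  health: Dict[str, HealthRecord]) -> Dict[str, str]:
    """Evaluate every pinned package in a manifest; returns package -> decision."""
    return {pkg: evaluate(pkg, ver, findings, health)[0] for pkg, ver in manifest.items()}

# Constructed sample inputs: a manifest, scanner output, and health data.
SAMPLE_MANIFEST = {"pkg-a": "2.1.0", "pkg-b": "0.9.4", "pkg-c": "1.0.0", "pkg-d": "3.2.1"}
SAMPLE_FINDINGS = [
    ScaFinding("pkg-b", "0.9.4", "ADV-PLACEHOLDER-1", "high"),
    ScaFinding("pkg-d", "3.2.1", "ADV-PLACEHOLDER-2", "low"),
]
SAMPLE_HEALTH = {
    "pkg-a": HealthRecord("pkg-a", attested_practices=True,  days_since_release=40,   score=8.5),
    "pkg-b": HealthRecord("pkg-b", attested_practices=True,  days_since_release=15,   score=7.0),
    "pkg-c": HealthRecord("pkg-c", attested_practices=False, days_since_release=1100, score=3.2),
    # pkg-d deliberately has no health record.
}

if __name__ == "__main__":
    for pkg, ver in SAMPLE_MANIFEST.items():
        decision, reasons = evaluate(pkg, ver, SAMPLE_FINDINGS, SAMPLE_HEALTH)
        print(f"{pkg}@{ver}: {decision}  {'; '.join(reasons)}")
```

With the constructed data, `pkg-a` is allowed (no advisory, healthy project), `pkg-b` is blocked by the scanner finding even though the project is well maintained, and `pkg-c` and `pkg-d` are routed to review with no known vulnerability at all, which is the proactive half of the strategy: the scanner alone would have let both through silently.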
To learn more about how organizations use data provided by Tidelift, why paying maintainers is so important, and how a defense in depth approach lets your organization take full advantage of the benefits of using open source, check out the full webinar here.