Tidelift Introduces New Open Source Intelligence Capabilities
October 18, 2023

Tidelift announced a broad new set of capabilities as part of the Tidelift Subscription that expand customers’ ability to utilize Tidelift’s maintainer-validated data to make more informed decisions about open source packages and minimize open source-related risk.

These new capabilities are the culmination of years of work by Tidelift to identify the secure software development practices with the largest impact on improving open source security, and then pay maintainer partners to ensure these practices remain in place for their projects into the future.

“With open source making up the vast majority of the code in modern applications, and against the backdrop of several recent high-profile security vulnerabilities impacting open source, organizations are urgently seeking innovative ways to ensure their software supply chain is properly maintained and secure,” said Lauren Hanford, VP of Product, Tidelift. “Tidelift is the only company working proactively with open source maintainers to validate that their packages meet the security standards newly codified by government and industry, and paying them for this important work. This allows organizations to make more informed decisions about open source and reduce related risk, while having assurances that the software they depend on will be there in the future.”

Tidelift’s open source package intelligence data is researched and validated by Tidelift and its paid maintainer partners and available via the Tidelift Subscription. Tidelift automates the data collection, curates and structures the data, and provides APIs to easily integrate with existing workflows and business intelligence tools.

Organizations can save time by letting Tidelift do the work to collect open source intelligence data at scale, across millions of open source packages. This helps them reduce the time they spend analyzing individual packages and helps them make better decisions more quickly.

The Tidelift Subscription includes:

- First-party maintainer-sourced data. Tidelift partners directly with the maintainers of thousands of the most popular open source packages and pays them to validate that they follow secure development practices like those outlined by government and industry, such as the NIST Secure Software Development Framework and the OpenSSF Scorecards project. This provides organizations with unique first-party, maintainer-sourced insights available only via the Tidelift Subscription.

- Automated, structured, and centralized data. Tidelift aggregates data across multiple upstream package manager ecosystems and source repositories into a centralized and structured format.

- Tidelift human-researched data. The upstream data is analyzed and further researched by the Tidelift data team with the aim of providing more contextualized insights for our customers.

The Tidelift Subscription also provides:

- A standardized attestations report, to be used as evidence that the open source dependencies in an organization’s applications follow secure software development best practices.

- A solution to help organizations dynamically track attestations for open source components going into their product and keep the attestations current in an automated manner.

Tidelift continues to offer a premier solution for managing open source for organizations that rely heavily on open source software but lack visibility into package usage across the organization, as well as for those concerned that development teams are downloading and using packages that have not been evaluated against organizational risk parameters.

The software bill of materials functionality, included in the Tidelift Subscription, allows organizations to build a centralized inventory of all open source components being used across the organization. This makes it easy to quickly identify every release of a compromised package when remediating vulnerabilities.

Through the Tidelift Subscription, organizations are able to implement open source standards consistently, across all of their development teams, ensuring developers are only using approved open source components that follow secure software development practices. Tidelift then continuously evaluates the packages being used against the set of organizationally-defined open source standards to ensure compliance over time, while also making use of Tidelift’s enhanced data intelligence capabilities to help organizations make good decisions regarding the security and maintenance practices of the components included in their software bills of materials.
