Securing your open-source software supply chain with Tidelift catalogs

Thanks to the SolarWinds fiasco, we now see the importance of knowing what's really in your software supply chain. Tidelift is doing just that for open-source projects with its Tidelift catalogs.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

Do you think about what routines, sub-programs, and libraries go into the software you use? You should. The SolarWinds security disaster, which will be causing trouble from now until the end of 2021, happened because the company fouled up its software supply chain. This, in turn, screwed millions of users. Open source can help prevent such disasters, but open-source methods need more supply chain improvements too. Now Tidelift, an open-source management company, has a way to help manage the open-source software supply chain's health and security with Tidelift catalogs.

With catalogs, part of the Tidelift Subscription, companies get a comprehensive approach to curating, tracking, and managing their open-source components. This works whether you're using other groups' open-source programs or your own "inner-source" code. Here's how:

  • A paved path: Organizations can accelerate development and reduce security and licensing-related risk by defining and curating catalogs of known-good, proactively maintained open source components. Developers can draw from them safely without fear of late-breaking deployment blockers.

  • Clear policies: Organizations can set and automatically enforce standards early in the development lifecycle, such as an organization's license policies.

  • Integrated experience: The Tidelift Subscription integrates with existing source code and repository management tools so developers don't need to change their workflow. They can pull approved components and submit new ones for approval directly from the command line.

Don't think that's important to your company because you "don't use open source"? Oh please! A recent Tidelift study showed that 92% of enterprise software projects contain open-source dependencies and, in those projects, as much as 70% or more of the code was open source. I live and breathe software development; I think those numbers are on the low side. 

Donald Fischer, Tidelift's CEO and co-founder, explained, "As software supply chain security makes front-page news in 2021, it's more important than ever that application development teams employ a comprehensive approach to managing the open-source components that make up their applications. With the addition of catalogs to the Tidelift Subscription, organizations can be confident that they are using open source safely without slowing down development."

That's easy to say, but can you prove it? Tidelift thinks it can by introducing its first set of Tidelift-managed catalogs. With these, your developers can pull from Tidelift-managed catalogs of known-good, proactively maintained components that cover common language frameworks such as JavaScript, Python, Java, Ruby, PHP, .NET, and Rust, backed by Tidelift and its partnered maintainers.

These can give your business a head start on building approved components for your development teams. Your programmers will soon let you know if these catalogs really are enterprise-ready and meet their needs for clearly defined security, maintenance, and licensing programs.

This isn't just for your programmers though. The company claims that with catalogs in place, the Tidelift Subscription can help people throughout your business. Specifically:

  • For managers: Increase development velocity while ensuring development teams are building with safe, approved, and compliant components from the start.

  • For developers: Move fast and avoid rework, eliminating late-breaking surprises that slow down development by using pre-approved, known-good components.

  • For information security: Get a single place to define, review, and enforce policies around security vulnerabilities in open-source components.

  • For legal: Get a single place to define, review, and enforce license policies and get indemnification to protect against licensing-related risk.

Tidelift's not wrong. If they can deliver the goods with their catalogs, your company will benefit. 

As Al Gillen, IDC's Group VP of Software Development and Open Source, said in a statement: "Recent software supply chain security compromises remind the industry how important it is to know where your software components come from, and to be able to trust those components. Open-source software is not immune to potential vulnerabilities, so it makes great sense to give your software development staff easy access to the components they need that meet enterprise standards. Tidelift's expansion of the Tidelift Subscription to include catalogs of known-good open source addresses this need by collecting in one location a full suite of key open-source components that an organization relies on."

If I were developing open-source software today, I'd be sure to kick Tidelift's wheels. It might just be what we need until the day comes when we have what David A. Wheeler, the Linux Foundation's director of Open Source Supply Chain Security, has called verified reproducible builds. Such a build "always produces the same outputs given the same inputs so that the build results can be verified. A verified reproducible build is a process where independent organizations produce a build from source code and verify that the built results come from the claimed source code."

We won't be there for a while yet, so in the meantime, approaches such as Tidelift's make perfect sense.
