Tidelift has added new intelligence capabilities that will help customers minimize risk related to using open-source components. These capabilities are being added to Tidelift Subscription, which is a program that provides evaluations on security, licensing, and maintenance risks of open-source software.
The company has access to open-source package intelligence data through partnerships with thousands of open-source projects. It pays the maintainers of those projects to follow secure development practices, like the ones outlined in the NIST Secure Software Development Framework and the OpenSSF Scorecards project.
Tidelift also aggregates data from upstream package managers and source repositories into a centralized format. This data is then analyzed by Tidelift’s data team, which provides contextual insights on it.
Tidelift Subscription also includes a Software Bill of Materials feature to enable companies to build a list of all the components that are in use.
It also includes capabilities to help companies meet the upcoming compliance requirements from the U.S. government on supply chain security. These include a standardized attestations report and the ability to dynamically track attestations.
“Solutions like the Tidelift open source data intelligence capabilities can be ideal for organizations seeking human-validated data on the secure software development practices used in open source projects,” said Jim Mercer, research vice president of DevOps and DevSecOps at IDC. “These types of insights can equip organizations with detailed and validated first-party information about the secure software development practices used by the open source projects in their software supply chain that can help them strengthen their security posture and assist them with complying with emerging government compliance requirements.”