The rise in attacks against the software supply chain is one outgrowth of vulnerabilities in open-source code that go unnoticed and therefore unpatched, a problem that has escalated despite the best efforts of enterprise development teams. As many recent high-profile breaches have underscored, it takes little for an overlooked patch to wreak havoc. 

Even organizations that follow recommended secure development life cycle processes are finding themselves overwhelmed by the complexity of keeping up to date their modern, business-critical systems and applications, which are built with open-source components from a broad array of providers. This raises the risk of vulnerabilities compromising the software supply chain.

Supply chain compromises increased 78 percent last year, according to the most recent Symantec 2019 Internet Security Threat Report. The attacks on the software supply chain haven’t let up. Last autumn, users of the event-stream JavaScript library employed by large open-source projects and commercial codebases all over the world discovered a vulnerability in the package caused by a malicious actor who had taken over as the project maintainer and was trying to steal Bitcoin. This year, compromised projects included Webmin, where thousands of public-facing web servers were potentially impacted, and a set of eleven ruby libraries, where code was also inserted to mine for cryptocurrency. 

The limitations of managing these open-source components often go unnoticed in discussions of software supply chain vulnerabilities. Donald Fischer, co-founder and CEO of Tidelift, a startup that removes the burden of managing open-source dependencies from dev teams, says that 70 percent of the software in modern enterprise-developed applications and their underlying systems now consists of open-source components from various package repositories and community-led efforts rather than big projects that have direct corporate backing.

Many of the maintainers behind these projects aren’t paid to keep them up to date, and so lack the incentive to add new functionality over time or even to patch them when vulnerabilities are discovered. Consequently, tracking patches from the disparate communities that build and maintain these components, or forking and patching projects themselves, can take up to 20 percent of developers’ workdays, according to research conducted by Tidelift.

Managing open-source packages requires developers to choose the right packages in the first place. It also requires that dev teams understand how well these packages are being maintained and who is doing the maintenance work. While some come from established providers, many open-source components come from a single maintainer.

“Maintenance is probably for many the second biggest chunk of time developers spend in their day, and a lot of that is open-source related maintenance,” Fischer told SD Times. “If you could take that work off of these people’s plates, pay the people who actually are in the best position to do the maintenance and give developers that time back, imagine what great things could be done. What better innovations could they create if developers weren’t spending time making sure that the plumbing is not leaking and were doing original coding work instead?”

While this is not a new problem, Fischer says some companies are now responding with managed open-source solutions that support open-source components to commercial standards. Tidelift’s subscription-based service lets dev teams effectively offload the licensing, security and maintenance aspects of open-source components within an organization’s application and systems infrastructure. 

Led by open-source industry veterans, many of whom were on the original Red Hat Enterprise Linux team—including Fischer—Tidelift has partnered with a network of developers who typically are the original creators and maintainers of open-source components. Maintainers collaborating with Tidelift, or “lifters,” are compensated to deliver vetted updates as they’re released, and Tidelift then delivers them to its subscribers. As part of the service, Tidelift helps organizations select and identify all the components within an environment. The service also draws on knowledge from Tidelift’s database of information on 3.3 million open-source packages.

“We’re providing as a service, a stream of known, good, open-source packages, where it’s somebody’s job to keep those patches, keep the licenses in compliance and ensure the quality is there around those open-source components,” he says. “Our customers don’t need to do their own due-diligence and research. Certain things break, it’s not their problem to fix it, it’s our problem to fix it, they just consume it, like they would consume any sort of raw open source without all of those issues that would come with raw open source.”

Tidelift connects to a customer’s software development lifecycle by linking to their code collaboration environment, such as GitHub, Atlassian Bitbucket or other source code control or development tools, including the Microsoft tool suites. “We help ensure that with the open-source software that they’re consuming that they don’t pull in anything with a known security vulnerability,” Fischer says. “When they pull a new package into their application, we ensure that the open-source licenses are clearly articulated, and in compliance with their organization’s policies. And we ensure that when they add a package to their application, it works and somebody’s on the hook to keep it working in the future.”