Tidelift steps up efforts to secure the open source supply chain
Commentary: Open source has never been more popular, or had more need to be actively maintained. Find out how Tidelift catalogs can help.
The problem isn’t open source. It’s what your company is doing about it. Or not, as the case may be.
According to a new report from Revenera, open source usage is on the rise and, with it, a 200% increase in the average number of issues uncovered per security audit (administered by Revenera). Some of this just comes down to numbers: The more dependencies enterprises take on open source software, the more open source software will show up in audits like these. And since all software has bugs, it’s not surprising that such audits reveal more bugs as the share of open source in the codebase grows.
That said, organizations may be taking on more open source supply chain risk than necessary. Think of the recent SolarWinds Orion security breach. While Orion isn’t open source, it shows how supply chain attacks have become increasingly critical to combat, and reflects what we’ve known since Heartbleed (and, really, should have known forever): As open source becomes a critical part of nearly all software, we need to improve how we secure it.
Tidelift, with its announcement of Tidelift catalogs, may be getting us closer to that ideal.
A leaky open source supply chain
When I started covering Tidelift here in 2018, I noted that because “not all open source software is maintained equally,” enterprises can end up depending upon open source repositories, often without knowing it, that are no longer getting the level of love they need. Maybe the developer can’t afford to continue to invest as much time in her project. Or maybe the project is simply being used in unanticipated ways.
Either way, it’s a problem. Worse, the problem keeps growing as open source adoption keeps booming.
According to the Revenera report:
The average number of issues uncovered through audits rose 200% to 1,959 vs. 662 in 2019. Why? Because as popular open source ecosystems like NPM and PyPI grew in popularity, they’re increasing the number of dependencies enterprises will have in their codebases. Binaries, made up of a collection of compiled source code from various origins, grew 58%, year over year, with 1 issue discovered for every 12,126 lines of code.
Organizations face more risk than is disclosed. While 55% of the scanned codebase files were attributed to open source (an increase of 10% over the previous year), only 4% of the issues uncovered through audits were disclosed in advance of audit start.
Security vulnerabilities are growing. Data from forensic and standard audits identified 89 security vulnerabilities per project, jumping from 45 in the previous year’s findings.
That’s the downside. The upside is that Tidelift (and others in this space) offer new ways to tackle the open source supply chain problem.
Getting cozy with your code dependencies
With the launch of Tidelift catalogs, Tidelift hopes to offer a “comprehensive approach to curating, tracking, and managing the open source components [organizations] are using for application development while setting and enforcing usage policies.” What this means, in practice, is that enterprises can define and curate their own catalogs of known-good, proactively maintained open source components. It also means enterprises can set and automatically enforce standards early in the development lifecycle, such as an organization’s license policies.
This gives their developers more freedom to build without unwittingly introducing supply chain risks. Because Tidelift integrates with a company’s existing source code and repository management tools, developers don’t need to fiddle with changes to their preferred workflows.
For example, if an enterprise were interested in the security-advised PyPI catalog, Tidelift offers the following information.
“For all packages in this catalog, we provide research and advice on:
Updated releases to ensure that no vulnerabilities apply, where available
Provide documented workarounds for each vulnerability, where not available
Provide custom patches where the maintainer has been unresponsive to a vulnerability
Version information on which release streams receive security updates and end-of-life dates on those streams, where available
For packages whose maintainers partner with us, we additionally work proactively to improve package security, including
Establishing a confidential security reporting address
Following coordinated disclosure best-practices to reduce subscriber exposure to zero-day vulnerabilities
Ensuring 2-factor authentication to reduce the risk of trojan horse attacks
Coordination by Tidelift’s security response team with upstream maintainers to release security fixes in a timely fashion”
You can also see an activity feed for that catalog that details what’s happening with the components within that catalog. It’s a bit like Twitter, except instead of reading rants about this or that, you’re seeing exactly how the open source software you care about is becoming better maintained and more secure. Tidelift has been working with catalogs since mid-2020, but they’re now generally available, and worth a look.
Disclosure: I work for AWS, but the views expressed herein are my own.