Donald Fischer, Co-founder and CEO, of Tidelift, in this chat, talks about the strategies to mitigate risks associated with using open-source, the future of software development, open-source supply chain security management impact, and more…
————–
Hi Donald, we’d love to hear about some of Tidelift’s recent advancements in open-source supply chain security management and how they’re helping organizations enhance their software development processes.
Tidelift’s main area of focus is helping organizations improve the security and resilience of their applications so they can reduce risk to their revenue, data, and customers. Because organizations today rely heavily on open source software to build their applications (in many applications, 70% or more of the code is open source), we’ve taken a unique approach at Tidelift to improving application security: partnering directly with the maintainers who created the open source components our customers are using and paying these maintainers to implement the same secure development practices our customers would expect in their own code.
Because these components are such a large portion of the code in customer applications, paying maintainers results in a significant and immediate improvement to application security. Recent software supply chain attacks like those that impacted Log4j and XZ Utils have made securing the open source used in commercial applications a board-level priority, so organizations we talk to are taking these threats very seriously.
Also Read:Â A Comprehensive Guide to DDoS Protection Strategies for Modern Enterprises
As organizations increasingly rely on open source, what strategies should they implement to mitigate risks associated with using these components in their applications?
First of all, organizations should have a strategy to document all of the open source components in their applications, both those they use directly and those that they transitively pull in. Once they have this list of ingredients, which many now refer to as a Software Bill of Materials, or SBOM, they can begin to systematically analyze the secure development practices followed by the maintainers of those components. The kinds of questions organizations may want to ask include:
- Are the maintainers of the projects we use being paid to keep them up to date and secure, or are they doing the work as a side, volunteer project? (Our research finds that 60% of open source maintainers are unpaid hobbyists.)
- Have any of the projects been abandoned, officially declared end-of-life, or appear otherwise unmaintained?
- Are the maintainers implementing important security practices (like implementing 2FA, providing fixes and recommendations for vulnerabilities, having a security vulnerability disclosure plan, etc.)
It’s critical that organizations not only have a solid understanding of the secure development practices of the open source components they use, but also a relationship in place with the maintainers of those components so that they can ensure the maintainers have the incentive to continue to follow those practices in the future.
Discuss how open-source supply chain security management impacts the speed and quality of software development within organizations.
It is nearly impossible to build modern applications without open source software. Open source speeds up the process of building applications because you can pull in pre-existing code that has in many cases been battle tested and is broadly used by millions of people rather than writing every component of your application from scratch. So the upside of open source is it dramatically increases the speed of development. The downside is that all open source is not created (and maintained) equally, so you need to do your homework to ensure the components you are bringing into your application are not increasing your security risk.
Highlight some of the emerging technologies or trends you think will significantly influence the future of software development.
Specifically related to open source and application development, here are a few things we are watching closely:
- Government regulations impacting the use of open source. Around the world, and especially in places like the United States and the EU, governments are playing an increasingly visible role in open source software security. In the EU, organizations should be closely monitoring what is happening with the Cyber Resilience Act, which will add new security and regulatory demands on organizations using open source. In the United States, a whole series of initiatives, including the National Cybersecurity Strategy, the Executive Order 14028 on Improving the Nation’s Cybersecurity, the NIST Secure Software Development Framework, and the CISA Secure by Design initiative all should be closely watched by organizations for the additional security and regulatory work they may require, especially for those organizations selling software to the US government.
- The impact of AI on open source security. Open source maintainers are already spending more time on security-related work than they were just a few years ago and are reporting seeing significant increases in AI-produced vulnerability reports that they now need to sift through as well. AI could be a helpful force for open source, but it may also slow things down if it ends up creating too much busy work for already overburdened open source maintainers.
- Open source maintainers are underpaid, stressed out, and many are considering quitting. Our new 2024 Tidelift state of the open source maintainer report shows that 60% of open source maintainers have either quit or considered quitting their maintenance work. If maintainers abandon their projects or quit making security updates, this could have a significant negative impact on the security of applications that rely on these projects. The trend is gaining momentum as maintainers, 60% of whom report receiving no income for their work, are seeing increasing demands from both government and industry to improve their security practices, in many cases with no compensation for their work. Organizations need to understand that keeping open source secure is not free and accept that they have a role in ensuring the open source software they rely on will continue to be healthy and resilient in the future.
Also Read:Â Protecting APIs at the Edge
How should organizations balance the need for adopting innovative open-source technologies while ensuring the maintenance of existing components?
Open source is an amazing resource, a public good that we’ve come to rely on. But, like any public good, like clean water, or a working electric grid, or safe highways, it takes investment to keep it well maintained. We’ve now reached the point where organizations can no longer expect open source to be an unlimited resource that will always be there. Instead, organizations need to invest time and money to ensure their open source software supply chain continues to remain healthy and secure.
Thank you, Donald, for sharing your insights with us.
[To share your insights with us as part of editorial or sponsored content, please write to psen@itechseries.com]
Donald Fischer is co-founder and CEO of Tidelift. Previously he was a venture partner at General Catalyst, a member of the investment team at Greylock Partners, and an executive at Typesafe (now Lightbend) and Red Hat. He holds a BS in economics and computer science from Yale University, an MS in computer science from Stanford University, and an MBA from Columbia Business School.
Tidelift helps organizations effectively manage the open source behind modern applications.
Through the Tidelift Subscription, the company delivers a comprehensive management solution, including the tools to create customizable catalogs of known-good, proactively maintained components backed by Tidelift and its open source maintainer partners.
Tidelift enables organizations to accelerate development and reduce risk when building applications with open source, so they can create even more incredible software, even faster.
