Tidelift

Software Development

Boston, MA 3,230 followers

Tidelift helps organizations effectively manage the open source behind modern applications.

About us

Tidelift helps organizations effectively manage the open source behind modern applications. Through the Tidelift Subscription, the company delivers a comprehensive management solution, including the tools to create customizable catalogs of known-good, proactively maintained components backed by Tidelift and its open source maintainer partners. Tidelift enables organizations to accelerate development and reduce risk when building applications with open source, so they can create even more incredible software, even faster.

Website: http://tidelift.com
Industry: Software Development
Company size: 11-50 employees
Headquarters: Boston, MA
Type: Privately Held
Founded: 2017
Specialties: open source, open source software, open source software security, open source software management, and software supply chain security

Updates

  • Tidelift

    3,230 followers

    This week we released a new Tidelift company video that in 3 minutes articulates the problem Tidelift solves, how we solve it, and what makes us unique.

    1️⃣ Problem: Using bad #opensource packages slows teams down and creates risk to organizations' revenue, data, and customers.
    2️⃣ How Tidelift helps: Tidelift helps organizations proactively reduce their reliance on bad open source packages.
    3️⃣ What makes us unique: We are the only company that partners with the #maintainers of 1000s of the most-relied-upon open source packages and pays them to make their packages healthier and more secure.

    Watch it for yourself today! 📽 If you want to talk further with us about anything you see in the video, get in touch with us here: https://lnkd.in/gksz64h8

  • Tidelift reposted this

    Fed Gov Today

    4,476 followers

    David Dzergoski, Problem Solver at Tidelift, gives valuable insight on building adaptable DevSecOps environments. David emphasizes the importance of understanding existing processes and tools while maintaining a clear mission objective. Key takeaways include the need for comprehensive toolsets, avoiding vendor lock, and ensuring effective communication across all organizational levels. By fostering a workgroup mentality and embracing small, iterative failures, agencies can improve efficiency, reduce cyber risk, and stay agile. This approach is essential for evolving missions and achieving success in federal software development. 🔍Learn more: https://lnkd.in/ehb-cWnY Presented by Tidelift & Carahsoft #FedGovToday #DevSecOps #Agile #Cybersecurity #GovernmentTech #SoftwareDevelopment

  • Tidelift

    3,230 followers

    Open source is under a microscope at the moment. 🔬 Ever since the xz utils backdoor hack, the open source community has been on edge. Trust has been broken and fingers are being pointed in every direction. However, open source isn’t going anywhere, and it’s time for all of us to be the standard bearer for open source. At Upstream this year, a panel of industry experts such as Josh Bressers of Anchore; Jordan Harband, prolific JavaScript maintainer; Rachel Stephens from RedMonk; Roshunda Martin, CISA, CISM, IT and security management consulting principal from BlackIce Solutions; and Terrence F. from Boeing, joined Tidelift VP of product Lauren Hanford to discuss how the xz hack has changed the landscape of open source software supply chain security. From Rachel during the talk: “Overall, I would love to see people supporting the OSI more. I would love to see people coming together to actually rally around the importance of truly open software. So if you want to have proprietary software, great, but if you want to have your software be open source, then that means something and it needs to mean something to the people who are making it into the people who are using it.” (Mic drop.) Watch the full talk here: https://lnkd.in/egYKaNwK

  • Tidelift reposted this

    Vincent Danen

    Vice President of Red Hat Product Security

    The numbers are staggering. Today’s numbers. And they’re wrong, meaning wildly underrepresented. What happens when we get the accounting right and track issues across all ecosystems and platforms tomorrow? The chase for “zero known vulnerabilities” is IMO a race to the bottom. We can change that trajectory and actually make _meaningful_ change if we’re willing to make thoughtful decisions and accept a reasonable amount of risk. Thanks for sharing this highlight Tidelift!

    Tidelift

    3,230 followers

    When we think about the fundamental purpose of patching a #security vulnerability, it's ultimately about avoiding being compromised. Unfortunately, many people jump to the mistaken conclusion that, in order to avoid being compromised, you must be completely vulnerability free. As it turns out, evidence shows that most vulnerabilities do not and will not ever see exploitation. And with tens of thousands of #vulnerabilities pinging on scanners, the conversation needs to be more about "what" needs to be patched rather than "how many." At this year's Upstream, Donald Fischer, CEO and co-founder at Tidelift, sat with Vincent Danen, VP of Product Security at Red Hat, to challenge our thinking around the “patching everything” mentality. 🛠 Vincent says the best way to achieve this goal is to narrow our focus to the vulnerabilities with the biggest impact and start from there. From the talk: "...we're looking at those vulnerabilities that, if exploited, are going to lead to those unintended breaches and compromises or those that are most likely to be exploited. This number was around 25,000 CVEs in a year. If I go to Verizon’s DBIR report it says about 5% of breaches are based on software vulnerabilities, that means there's about 1000 vulnerabilities in there that would potentially lead to a breach." "So if we reduce this 25,000, down to 1000, that are actually meaningful—if we focus our attention on those 1000 versus the 25,000 as a whole, that saves everybody an immense amount of time, effort, and energy." Watch the full talk and other Upstream talks here! https://lnkd.in/e8Tk65gr

  • Tidelift

    3,230 followers

    Simply put: organizations should strive to work with and support #opensource maintainers to secure and maintain the open source software supply chain. It's been a month since Upstream and we're looking back at some of the highlights from our talks featuring esteemed guests and panelists discussing #opensource, the open source software supply chain, and open source software #security. In this featured clip, Aeva Black, Section Chief, Open Source Security at Cybersecurity and Infrastructure Security Agency (CISA), talks about how organizations can get started with improving their open source usage, including signing the Secure by Design Pledge. From Aeva: "...there are a lot of these new tools being developed to help surface up the trustworthiness of a project at a given point in time, based on, a lot of, again, volunteers working together to track and measure these relationships. And it's not foolproof, it's not perfect; there are bugs in all software. Open source is still just software. So like with any software, mistakes might happen, but through working together and maintaining those relationships, it's pretty darn good." We agree, it's pretty darn good. 👏 Watch the full talk here 👉 https://lnkd.in/gJztHSsz

Funding

Tidelift 4 total rounds

Last Round

Series C

US$ 6.5M