Tidelift has added new intelligence capabilities to help customers minimize the risks associated with using open source components. These features have been added to the Tidelift Subscription, a program that provides security, licensing, and maintenance risk assessments for open source software.
The company has access to open source package intelligence data through partnerships with thousands of open source projects. Maintainers of these projects are compensated for following secure development practices such as those outlined in the NIST Secure Software Development Framework and OpenSSF Scorecard projects.
Tidelift aggregates data from upstream package managers and source repositories into a centralized format. This data is analyzed by Tidelift’s data team to provide contextual insights.
Tidelift subscriptions also include a software bill of materials feature that allows companies to create a list of all components used.
It also includes features to help businesses meet upcoming compliance requirements from the U.S. government regarding supply chain security. This includes standardized certificate reporting and the ability to dynamically track certificates.
“Solutions like Tidelift’s open source data intelligence capabilities are ideal for organizations seeking human-verified data on the safe software development practices used in open source projects,” said Jim Mercer, Research Vice President, DevOps and DevSecOps, at IDC. “These types of insights give organizations detailed, verified first-party information about the secure software development practices used by open source projects within their software supply chain, strengthening their security posture. They can also help them meet new government compliance requirements.”