Tidelift Subscription Enhanced with Sonatype Integration
October 29, 2020
Tidelift has integrated Sonatype's OSS Index data into the Tidelift Subscription to help
developers more quickly identify and remediate security vulnerabilities in open
source packages and libraries managed by Tidelift.
Over 92% of software applications today contain open source components and, due
to the economic downturn resulting from the global pandemic, 42% of
organizations are likely to accelerate their use of open source. Known
vulnerabilities in a library can increase the risk of compromise despite a
development team's best efforts and intentions.
This integration enables Tidelift to more rapidly notify its subscribers of
cybersecurity issues present in their dependencies and also provides a
fast-track process for remediation through Tidelift's vast network of
independent maintainers.
Sonatype's OSS Index vulnerability data provides developers with foundational
vulnerability information and the ability to better identify and remediate
security risks for components managed by Tidelift. OSS Index contains aggregate
data from a variety of vulnerability information sources, including:
Common Vulnerabilities and Exposures (CVE) entries;
A growing list of public vulnerability sources;
Community contributions.
"In a recent Tidelift survey, 58% of the respondents cited 'identifying and
resolving open source security vulnerabilities' as a key issue," said Matt
Rollender, Head of Partnerships, Tidelift. "Giving our customers access to
Sonatype's OSS Index vulnerability data through the Tidelift Subscription
directly addresses a key pain point for our growing client base."
"Adversaries are increasingly targeting vulnerabilities in open source
components," said Matt Howard, EVP, Sonatype. "We're thrilled that Tidelift sees
how much value our OSS Index data provides to its customers and is integrating
it into the Tidelift Subscription."
Tidelift subscribers have access to customizable catalogs of known-good,
proactively maintained JavaScript, Python, Java, PHP, Ruby, and .NET components,
among others. The platform integrates with CI/CD pipelines via several
mechanisms, offers bill of materials management, and is backed by a growing list
of maintainers who are compensated for the work they do to keep packages
enterprise-ready.