Tidelift

Software Development

Boston, MA 3,230 followers

Tidelift helps organizations effectively manage the open source behind modern applications.

About us

Tidelift helps organizations effectively manage the open source behind modern applications. Through the Tidelift Subscription, the company delivers a comprehensive management solution, including the tools to create customizable catalogs of known-good, proactively maintained components backed by Tidelift and its open source maintainer partners. Tidelift enables organizations to accelerate development and reduce risk when building applications with open source, so they can create even more incredible software, even faster.

Website: http://tidelift.com
Industry: Software Development
Company size: 11-50 employees
Headquarters: Boston, MA
Type: Privately Held
Founded: 2017
Specialties: open source, open source software, open source software security, open source software management, and software supply chain security

Updates

  • Tidelift

    This week we released a new Tidelift company video that in 3 minutes articulates the problem Tidelift solves, how we solve it, and what makes us unique.

    1️⃣ Problem: Using bad #opensource packages slows teams down and creates risk to organizations' revenue, data, and customers.

    2️⃣ How Tidelift helps: Tidelift helps organizations proactively reduce their reliance on bad open source packages.

    3️⃣ What makes us unique: We are the only company that partners with the #maintainers of 1000s of the most-relied-upon open source packages and pays them to make their packages healthier and more secure.

    Watch it for yourself today! 📽 If you want to talk further with us about anything you see in the video, get in touch with us here: https://lnkd.in/gksz64h8

  • Tidelift

    What's it like to be an #opensource maintainer in 2024? While the state of the open source maintainer survey continues to collect responses (Open until August 5th! ➡ https://lnkd.in/gNm4f-8W), let’s take a look back to our maintainer panel from this year’s Upstream.

    👥 In an annual Upstream tradition, Tidelift hosted a group of maintainers to hear firsthand what it’s like to be an #oss maintainer. This year's panel included Valeri Karpov (Val) from Mongoose, Irina Nazarova of Evil Martians, Tatu Saloranta of jackson-databind, and Wesley Beary, who maintains popular Ruby projects fog and excon.

    In today’s featured clip, Val discusses the impact of financial support when confronting competing priorities. From the talk:

    “...we all need to find a way to make money to support ourselves and our families. So if it's not via your open source project, then you need to work on something else, and then your work on the open source project comes out of your free time, basically. And I'm very fortunate that I can make a decent income working on my open source projects, but I know that if I had a full time job and my open source projects didn’t pay anything, I’d have to choose between: Okay, do I work on this open source project that’s sometimes kind of thankless and people are mean to me on the internet about it? Or do I go spend time with my kids?”

    To hear from all of the maintainer panelists, you can watch the entire talk (and many others!) on the Upstream site: https://lnkd.in/gkGakTJA

  • Tidelift reposted this

    Fed Gov Today

    4,500 followers

    David Dzergoski, Problem Solver at Tidelift, gives valuable insight on building adaptable DevSecOps environments. David emphasizes the importance of understanding existing processes and tools while maintaining a clear mission objective. Key takeaways include the need for comprehensive toolsets, avoiding vendor lock, and ensuring effective communication across all organizational levels. By fostering a workgroup mentality and embracing small, iterative failures, agencies can improve efficiency, reduce cyber risk, and stay agile. This approach is essential for evolving missions and achieving success in federal software development.

    🔍 Learn more: https://lnkd.in/ehb-cWnY

    Presented by Tidelift & Carahsoft

    #FedGovToday #DevSecOps #Agile #Cybersecurity #GovernmentTech #SoftwareDevelopment

  • Tidelift

    Open source is under a microscope at the moment. 🔬 Ever since the xz utils backdoor hack, the open source community has been on edge. Trust has been broken and fingers are being pointed in every direction. However, open source isn’t going anywhere, and it’s time for all of us to be the standard bearer for open source.

    At Upstream this year, a panel of industry experts such as Josh Bressers of Anchore; Jordan Harband, prolific JavaScript maintainer; Rachel Stephens from RedMonk; Roshunda Martin, CISA, CISM, IT and security management consulting principal from BlackIce Solutions; and Terrence F. from Boeing, joined Tidelift VP of product Lauren Hanford to discuss how the xz hack has changed the landscape of open source software supply chain security.

    From Rachel during the talk:

    “Overall, I would love to see people supporting the OSI more. I would love to see people coming together to actually rally around the importance of truly open software. So if you want to have proprietary software, great, but if you want to have your software be open source, then that means something and it needs to mean something to the people who are making it into the people who are using it.”

    (Mic drop.) Watch the full talk here: https://lnkd.in/egYKaNwK

  • Tidelift reposted this

    Vincent Danen

    Vice President of Red Hat Product Security

    The numbers are staggering. Today’s numbers. And they’re wrong, meaning wildly underrepresented. What happens when we get the accounting right and track issues across all ecosystems and platforms tomorrow? The chase for “zero known vulnerabilities” is IMO a race to the bottom. We can change that trajectory and actually make _meaningful_ change if we’re willing to make thoughtful decisions and accept a reasonable amount of risk. Thanks for sharing this highlight, Tidelift!

    Tidelift

    When we think about the fundamental purpose of patching a #security vulnerability, it's ultimately about avoiding being compromised. Unfortunately, many people jump to the mistaken conclusion that, in order to avoid being compromised, you must be completely vulnerability free. As it turns out, evidence shows that most vulnerabilities do not and will not ever see exploitation. And with tens of thousands of #vulnerabilities pinging on scanners, the conversation needs to be more about "what" needs to be patched rather than "how many."

    At this year's Upstream, Donald Fischer, CEO and co-founder at Tidelift, sat with Vincent Danen, VP of Product Security at Red Hat, to challenge our thinking around the “patching everything” mentality. 🛠 Vincent says the best way to achieve this goal is to narrow our focus to the vulnerabilities with the biggest impact and start from there.

    From the talk:

    "...we're looking at those vulnerabilities that, if exploited, are going to lead to those unintended breaches and compromises or those that are most likely to be exploited. This number was around 25,000 CVEs in a year. If I go to Verizon’s DBIR report it says about 5% of breaches are based on software vulnerabilities, that means there's about 1000 vulnerabilities in there that would potentially lead to a breach."

    "So if we reduce this 25,000, down to 1000, that are actually meaningful—if we focus our attention on those 1000 versus the 25,000 as a whole, that saves everybody an immense amount of time, effort, and energy."

    Watch the full talk and other Upstream talks here! https://lnkd.in/e8Tk65gr

Funding

Tidelift: 4 total rounds

Last round: Series C, US$ 6.5M
