
Tidelift: Securing the Open Source Supply Chain | Cisco Investments




Prasad Parthasarathi

Imagine someone asks you to build a house out of blocks. Sounds like an easy enough task, right?  

But then you are given the pieces. They are all different sizes and shapes. They come from different sets. Some are brand new, while others are old, broken, or warped. Also, there’s the sheer volume of blocks – so many in fact, that you cannot even tell the state of all of them.

You want to build a solid house, but with the blocks you have to work with, you are skeptical about the structural integrity.

This is what app development can sometimes feel like for enterprises.  

That’s because today’s enterprise relies heavily on open source code, or already created “blocks.” In fact, 92% of modern applications contain open source components, making up as much as 70% of the code in many cases, according to a 2022 Tidelift report. 

Open source has become the modern application development platform for the enterprise, and for good reason: with open source, developers can rapidly create and deploy applications at a lower cost.  

Yet, with open source components at the heart of so many enterprise applications, questions arise: Is this component being maintained? Does it have security vulnerabilities? Does it meet government standards? Are we compliant with the licensing terms? 

Such issues formed the central idea behind the genesis of Tidelift.

Founded in 2017 by Donald Fischer, Havoc Pennington, Jeremy Katz and Luis Villa, Tidelift set out to find a better way to secure and validate open source for the enterprise. The founding team is steeped in open source with experience at organizations including Red Hat, Google, Wikimedia, Mozilla, and the GNOME project. 

Drawing inspiration from crowd-sourcing and gig economy models like Uber and Airbnb, the founders applied the model to open source code: bringing together code creators and maintainers upstream with the enterprise platform engineers, DevSecOps app developers and CISOs downstream.  

Today, Cisco Investments is excited to announce its investment in Tidelift’s Series C. 

Tidelift Co-founders (l to r): Donald Fischer, Luis Villa, Havoc Pennington, Jeremy Katz

Validating Open Source Systems to Enterprise-level Standards 

When our Cisco Investments team first met Tidelift back in June, we were immediately struck by the startup’s unique view on solving the open source supply chain resilience problem.  

While most tools today scan an application after it is built and simply report the issues they find, Tidelift addresses the problem upstream: it helps organizations create, track, and manage a centralized catalog of pre-vetted open source components, and it works directly with the open source maintainers so that those components keep meeting the security, maintenance, and licensing standards enterprises expect, now and into the future.

CEO Donald Fischer points out this all too familiar scenario: “Whenever a new vulnerability is identified, it’s getting analyzed in parallel across thousands of organizations by sometimes thousands of individuals within those organizations. With Tidelift, you can have one team look at this alert or signal, judge whether it is a critical vulnerability or a false alarm, register that with credentialed credibility, and then flow that information down to everyone else who's relying on it.”  

Second, Tidelift's co-founders understood, perhaps better than anyone, the power of engaging with the people behind the code: the creators and maintainers. That is not only a smart business decision; it also shines a light on the true heroes of open source.

“They envisioned a partnership, in which the original open source software creators could provide professional validation of their own code while earning an income for managing the more tedious, but critical, release engineering, software quality, and validation activities around their projects,” says Fischer.

Lastly, Tidelift can help organizations take the guesswork out of meeting government and industry security standards. In the wake of the SolarWinds breach, and months before Log4Shell underlined the same risk, the US Government issued Executive Order 14028 on Improving the Nation's Cybersecurity, which pushes software vendors to provide a Software Bill of Materials (SBOM) and improve transparency across the software supply chain. Tidelift can generate granular SBOMs, and it can also reference standards such as the OpenSSF Scorecard project from the Open Source Security Foundation and validate components against their requirements.
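The catalog-plus-central-triage approach described above can be illustrated with a small policy check. What follows is an added example written for this page, not Tidelift's code and not its data model: it reads a constructed CycloneDX-style SBOM, compares each component with a hypothetical curated catalog (minimum approved version, accepted licenses), and applies a central triage table in the spirit of the "one team judges, everyone downstream inherits the verdict" model Fischer describes. The package entries, catalog shape, and advisory identifiers are all constructed for the example.

```python
"""Check an SBOM against a curated open source catalog and a central triage table.

Illustrative example written for this article; it is not Tidelift's code and
does not reproduce Tidelift's data model. The SBOM, catalog, and triage entries
below are constructed inline so the script runs offline.
"""
import json
import re
from dataclasses import dataclass, field

# Constructed CycloneDX-style SBOM (JSON), trimmed to the fields used here.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "urllib3", "version": "1.26.5",
         "purl": "pkg:pypi/urllib3@1.26.5",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "leftpad-clone", "version": "0.1.0",
         "purl": "pkg:pypi/leftpad-clone@0.1.0",
         "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
    ],
})

# Constructed curated catalog (hypothetical shape): package -> minimum
# approved version and the set of licenses the organization accepts for it.
CATALOG = {
    "pkg:pypi/requests": {"min_version": "2.25.0", "licenses": {"Apache-2.0"}},
    "pkg:pypi/urllib3": {"min_version": "1.26.0", "licenses": {"MIT"}},
}

# Constructed central triage table, VEX-style: one team records a verdict per
# advisory and every downstream consumer inherits it instead of re-analysing.
# Advisory identifiers are invented for this example, not real CVEs.
TRIAGE = [
    {"id": "EXAMPLE-0001", "purl": "pkg:pypi/urllib3",
     "affected_below": "1.26.6", "status": "affected"},
    {"id": "EXAMPLE-0002", "purl": "pkg:pypi/requests",
     "affected_below": "2.32.0", "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path"},
]


@dataclass
class Finding:
    purl: str
    verdict: str                                  # "approved" or "blocked"
    reasons: list = field(default_factory=list)   # why the component was blocked
    notes: list = field(default_factory=list)     # inherited not_affected verdicts


def parse_version(v):
    """Numeric dotted versions only (2.31.0 -> (2, 31, 0)); enough for this demo."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def base_purl(purl):
    """Strip the @version suffix so catalog and triage keys match any version."""
    return purl.split("@", 1)[0]


def component_licenses(comp):
    return {lic["license"]["id"] for lic in comp.get("licenses", [])
            if "license" in lic and "id" in lic["license"]}


def evaluate_sbom(sbom_json, catalog=CATALOG, triage=TRIAGE):
    """Return one Finding per SBOM component: catalog, license and triage checks."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        purl, base = comp["purl"], base_purl(comp["purl"])
        version = parse_version(comp["version"])
        reasons, notes = [], []

        entry = catalog.get(base)
        if entry is None:
            reasons.append("not in curated catalog")
        else:
            if version < parse_version(entry["min_version"]):
                reasons.append(f"version below approved minimum {entry['min_version']}")
            unapproved = component_licenses(comp) - entry["licenses"]
            if unapproved:
                reasons.append(f"license not approved: {sorted(unapproved)}")

        for adv in triage:
            if adv["purl"] != base or version >= parse_version(adv["affected_below"]):
                continue  # advisory is for another package or a fixed version
            if adv["status"] == "affected":
                reasons.append(f"{adv['id']}: affected per central triage")
            else:
                notes.append(f"{adv['id']}: {adv['status']} ({adv.get('justification', '')})")

        findings.append(Finding(purl, "blocked" if reasons else "approved", reasons, notes))
    return findings


if __name__ == "__main__":
    for f in evaluate_sbom(SAMPLE_SBOM):
        print(f.verdict.upper(), f.purl, f.reasons or f.notes)
```

On the constructed input, `requests` is approved (its advisory was centrally triaged as not affected, so no local re-analysis is needed), `urllib3` is blocked because the inherited verdict says the version is affected, and `leftpad-clone` is blocked simply because it is not in the curated catalog. In a real pipeline the catalog and triage table would be fetched from the curating team rather than embedded, and version comparison would use the ecosystem's own rules (PEP 440, semver) instead of the numeric-only parser used here.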

What’s Next for Tidelift 

Cisco and Tidelift understand the power of open source, and also the urgency for greater security. The growing volume of open source software is a fertile insertion point for attackers. Only 25% of the open source components in use are actively updated, and almost a third of open source projects contain known vulnerabilities (CVEs). Securing and managing open source software has therefore never been more critical for enterprises and for government. The Tidelift platform is compatible with Cisco's approach of bringing together the Open Source Software (OSS) community, developers, and security teams to instill best practices throughout an application's lifecycle.

The Series C investment will help Tidelift expand the capabilities of its open source ecosystem solution and extend its market reach with additional partners in the OSS community. 

“We want to drive new creativity into the marketplace,” says Fischer, “but we need to do that in the context of the open source communities that already exist with partners like Cisco.” 

Given the company’s strong commitment to security and standards and its signature human component, there seems to be no limit to how high Tidelift’s open source wave might rise to meet the demand of the future. Cisco Investments is excited to work with Tidelift in enabling our customers to surf the open source wave securely.