The past year has not been an easy one for security in the software industry.

First there was the SolarWinds breach caused by exploits in software tools downloaded from a third-party provider. Then there was the more recent Log4j Apache open-source logging framework vulnerability, which the tech world has been scrambling to patch since mid-November.

The software community increasingly finds itself dealing with questions around security, and startup companies are working to provide answers. One of these is Tidelift Inc., a startup founded in 2017 with a mission to help organizations manage open-source software that powers many of today’s modern enterprise applications.

“Our mission is to make open-source software work better for everyone,” said Donald Fischer (pictured), co-founder and chief executive officer of Tidelift. “We make it work better for all the organizations and governments, everybody who depends on open-source software to build the applications that we all rely on, and making open source work better for the creators of open source. We want to do our part to help both sides of that equation.”

Fischer spoke with David Nicholson, host of theCUBE, SiliconANGLE Media’s livestreaming studio, in advance of the AWS Startup Showcase: Open Cloud Innovations event. They discussed the prevalence of open source in enterprise applications, Tidelift’s software-as-a-service-based security solution and the startup’s work with Amazon Web Services Inc. (* Disclosure below.)

Driving enterprise applications

Vulnerabilities such as the Log4j example have brought further scrutiny to a need for more extensive security controls in open-source software. Open source has become extensively used by enterprise information technology leaders, and simply removing key software tools that drive core applications is not an option.

“Don’t panic boss, but it’s only about 70% to 80% of the software in our enterprise that is third-party open-source software,” Fischer said. “In the modern era, that means building on open-source packages and technologies across a whole slew of languages and ecosystems. We use all of it here boss, and we don’t have a business unless we do.”

Recognizing this reality, Tidelift has built its business around a SaaS-based solution for managing thousands of open-source components across an organization. Tidelift seeks to do this through forming relationships with the maintainer community while recognizing that many open-source contributors are motivated to build new tools for reasons unrelated to their current full-time jobs.

“There’s a pride in their work and the impact that they’re making,” Fischer explained. “The challenge with this model is that when it’s only an impact and pride sort of thing, a good feeling-driven effort, maybe not all of the standards that organizations might want software to meet get done. You might not get to some of the more boring aspects of commercial software like security engineering and some of the documentation and release engineering. That’s the gap that we are really trying to fill at Tidelift.”

Meeting specific standards

There is an opportunity for open-source maintainers to earn money from Tidelift for creating a baseline standard where versions of open-source packages are delivered free of known defects, according to Fischer. The work includes using resources such as the National Vulnerability Database, a government repository of standards-based vulnerability management data.

“We’re asking them to help us ensure that software the organizations depend on meets certain specific concrete enterprise standards,” Fischer said. “We work with the open-source maintainers to make sure we have figured out which versions of software packages are impacted by known security vulnerabilities.”

The goal is to create a set of open-source software options that application developers can build into releases with confidence.

“They will plug Tidelift into their release process to ensure that the 70% or 80% of the software they ship that comes from GitHub, comes from the Python Package Index, or npm, or the Maven Central Repository for Java, meets their enterprise standards,” Fischer said. “They can work with us and our unique network of hundreds of these open-source maintainers to ensure there is a feed of known good, vetted packages into their applications. This is an unsolved problem for almost every serious organization.”

In November, Tidelift joined the AWS Independent Software Vendor Accelerate Program to co-sell its services with the cloud provider. Tidelift will collaborate with AWS field sellers to help improve the health and security of the open-source software supply chain.

“It’s really important, whether it’s running on an edge device or in a cloud datacenter, that applications meet standards, especially on the security front,” Fischer said. “AWS recognizes this need and opportunity for their customers, and we’ve been working jointly with them. Accelerate gives us the ability to co-engage with AWS and work together to solve mutual customers’ challenges.”

Tidelift’s model is based on a belief in two absolutes. One is that enterprises will continue to use open-source software as a key resource for developing critical applications to run the business. The other is that the community-based spirit of the open-source community will remain firmly entrenched.

“There’s no other path to take than building with modern building blocks,” Fischer said. “If you think about this network of open-source maintainers working together, a rising tide lifts all boats.”

Here’s the complete video interview, part of SiliconANGLE’s and theCUBE’s coverage of the AWS Startup Showcase: Open Cloud Innovations event. (* Disclosure: Tidelift sponsored this segment of theCUBE. Neither Tidelift nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)

Photo: SiliconANGLE