Open Source in Finance Forum New York 2024

Most efforts to improve the security of the open source software supply chain revolve around finding and remediating vulnerabilities, and an entire industry has been built around vulnerability patch management. But there is another way to improve open source security outcomes proactively instead of waiting for vulnerabilities to appear: paying maintainers to ensure their projects follow secure software development practices. In this session, Donald Fischer, CEO, Tidelift, shares the results of a recent program where maintainers were paid recurring income to validate that their projects follow secure software development practices ( i.e. Open SSF Scorecards, NIST SSDF). Among other findings, this experiment resulted in projects improving their OpenSSF Scorecards scores by an average of 57%. Donald will also share data from a new open source maintainer survey showing what additional practices maintainers are willing to implement when they are paid for their work. He will also provide strategies financial services organizations interested in reducing supply chain risk from open source packages can use to make open source maintainers part of their security strategy.