Tuesday, January 7, 2025

As open-source security becomes a growing concern for developers and maintainers, it is worth considering the role Tidelift plays in this landscape. By offering a platform where companies pool resources to fund open-source maintainers and address common vulnerabilities and security threats in the packages they depend on, Tidelift has positioned itself at the forefront of open-source security efforts.

The software transparency movement is a catalyst for positive change across the industry. At Cisco, we recognize the value of software transparency and aim to take a leadership role in this space. We continue to engage in discussions with customers, our own teams of experts, and policy advisors to establish and share guidance on software transparency best practices. Today, we are excited to share new advancements in open-source security that our development teams can now take advantage of.

In an earlier post, we described Cisco's internal service, Corona, which uses both proprietary and commercially available scanning capabilities to identify third-party software components. Corona provides an additional layer of assurance by validating the security posture of deployed Cisco software through forensic analysis of its software components and their associated risks. As the Corona platform continues to evolve, it also gives Cisco a foundation for work on forward-looking projects such as those with the National Institute of Standards and Technology (NIST) and the International Telecommunication Union (ITU).

We have recently gained insight into the secure development practices of open-source maintainers through a new data source in Corona, giving us visibility into a previously underserved part of the supply chain. Tidelift provides this data by working directly with open-source maintainers to confirm that they follow industry-recognized secure software development practices, and Tidelift's model pays maintainers to do that work.

Cisco's internal development teams use Corona, now enriched with Tidelift's open-source metadata, to obtain deeper vulnerability insight, including guidance directly from maintainers on severity, exposure, and remediation. Cisco engineers can quickly identify recommended versions of packages in languages such as Java, JavaScript, and Python. Developers get quality checks, maintainer-supplied package information, accurate end-of-life data, and scorecards to support their evaluations. This visibility lets Cisco make more deliberate, up-to-date use of open-source software in our development pipelines while reducing the overall cost of managing open-source components in our supply chain.

The Cisco Corona Third-Party Management platform builds on its predecessor, Kenna, to prioritize remediation based on risk. With Tidelift data integrated, Cisco's development teams now have a unified view of risk that covers both package-level vulnerabilities described by CVEs and provider-level risks such as secure development practices, maintainer counts, and end-of-life status. The same view extends to the transitive dependencies of open-source projects, where developers have little control over decisions made by upstream maintainers. This broader perspective lets development teams remediate risk in our software more effectively.
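The paragraph above describes a unified view that combines CVE severity with provider-level signals (maintainer count, end-of-life status, secure-development attestation) across transitive dependencies. The script below is an added illustration of how such a view can be computed; it is not Corona's or Tidelift's code, and the package names, version metadata, and penalty weights are all invented for the example.

```python
"""Hypothetical example: rank a dependency tree by combined CVE and
provider-level risk. Not Cisco Corona or Tidelift code; the catalog,
field names and penalty weights below are invented for illustration."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class PackageMeta:
    """Metadata a package catalog might attach to one package version (hypothetical shape)."""
    name: str
    max_cvss: float                 # highest CVSS base score among open CVEs, 0.0 if none
    maintainers: int                # number of active maintainers
    end_of_life: bool               # package no longer receives fixes
    secure_practices: bool          # maintainer attests to secure-development practices
    depends_on: list[str] = field(default_factory=list)


# Constructed sample catalog; package names and numbers are invented, not real packages.
CATALOG = {
    "app-lib":    PackageMeta("app-lib",    0.0, 5, False, True,  ["json-parse", "http-kit"]),
    "json-parse": PackageMeta("json-parse", 7.5, 1, False, False, ["str-utils"]),
    "http-kit":   PackageMeta("http-kit",   9.8, 4, False, True,  ["str-utils", "tls-shim"]),
    "str-utils":  PackageMeta("str-utils",  0.0, 1, True,  False, []),
    "tls-shim":   PackageMeta("tls-shim",   5.3, 2, False, True,  ["str-utils"]),
}


def transitive_deps(root: str, catalog: dict) -> dict[str, int]:
    """Breadth-first walk from root; returns {package: depth}. Cycle-safe via the visited map."""
    depth = {root: 0}
    queue = deque([root])
    while queue:
        cur = queue.popleft()
        for dep in catalog[cur].depends_on:
            if dep not in depth:
                depth[dep] = depth[cur] + 1
                queue.append(dep)
    return depth


def risk_score(meta: PackageMeta) -> tuple[float, list[str]]:
    """CVSS plus additive penalties for provider-level risk. Weights are arbitrary choices."""
    score, reasons = meta.max_cvss, []
    if meta.max_cvss > 0:
        reasons.append(f"open CVE (CVSS {meta.max_cvss})")
    if meta.end_of_life:
        score += 3.0
        reasons.append("end of life")
    if meta.maintainers <= 1:
        score += 2.0
        reasons.append("single maintainer")
    if not meta.secure_practices:
        score += 1.0
        reasons.append("no secure-development attestation")
    return round(score, 1), reasons


def remediation_hint(depth: int) -> str:
    """Direct dependencies can be bumped in our manifest; transitive ones need upstream action."""
    if depth == 0:
        return "own code"
    if depth == 1:
        return "direct: bump version in own manifest"
    return "transitive: needs upstream bump or a dependency override"


def prioritize(root: str, catalog: dict) -> list[dict]:
    """Rank every package reachable from root, highest combined risk first."""
    rows = []
    for name, depth in transitive_deps(root, catalog).items():
        score, reasons = risk_score(catalog[name])
        rows.append({"package": name, "depth": depth, "score": score,
                     "reasons": reasons, "fix": remediation_hint(depth)})
    return sorted(rows, key=lambda r: (-r["score"], r["depth"], r["package"]))


if __name__ == "__main__":
    for row in prioritize("app-lib", CATALOG):
        print(f'{row["score"]:5.1f}  depth={row["depth"]}  {row["package"]:<11} '
              f'{row["fix"]}: {", ".join(row["reasons"]) or "no findings"}')
```

Note that `str-utils` has no CVE at all yet outranks `tls-shim`, which does: the end-of-life and single-maintainer signals push it up, which is exactly the kind of finding a CVE-only view misses. Because it sits two levels deep, the hint also records that a fix requires an upstream release or an override rather than a simple manifest change.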

As organizations use more open-source components in their systems, managing and securing those dependencies at scale becomes harder. We are pleased to extend Tidelift's capabilities across Cisco by making them available to internal developers through the Corona service.
