Software has its own supply chain. This is not because software ships on a container vessel down the Suez Canal (although software containers are involved in the virtualized sense), but because different application code components and connections all come together in an order that is not necessarily pre-defined to any shape or form of reliable schedule.
The links that form a software supply chain are chunks of code along with network connections and conduits (to channels such as Application Programming Interfaces (APIs) etc) that will all typically have a different release frequency and cadence of ‘dependency’ updates i.e. the virtual cabling that denotes what one piece of software code might require from another in a different code base, API, web service or entire application.
Continuous checking & testing
Real world supply chains are checked for integrity, scope and their ability to deliver throughput all the time – and software supply chains are no different, or at least they shouldn’t be. An enterprise organization will typically be running a whole variety of different software tests against the coalface of their application stack at any one moment in time.
The problem is, software testing is complex, convoluted and occasionally discombobulated, which means that many tests fail and need to be repeatedly repeated until the software team gets satisfactory results. The results the team are looking for come in the shape of data that denotes each piece of software code’s ability to exhibit code quality.
Software supply chain management specialist Sonatype explains code quality as a set of requirements that are common to all software projects. “Properties like readability, maintainability, modularity, performance, and security are all important aspects of software, whether in a social media app or financial clearinghouse software,” said Stephen Magill, vice president of product innovation at Sonatype.
Software supply chain automation
Sonatype’s Nexus Lifecycle Advanced Development Pack product is designed to change how teams manage open source (and other) code dependencies throughout an ever-evolving software supply chain through the use of intelligent automation controls.
It enables software developers to choose application code components based on their project quality ratings and their ease of upgradability; it also combines an advanced level of knowledge relating to any abnormal ‘committer’ (i.e. someone who commits submitted software code to a project) behavior. Estimates suggest that over two-thirds of developers are regularly impacted when dependency upgrades break the functionality of their application.
Sonatype CEO Wayne Jackson co-founded the restarted company with CTO Brian Fox in 2010. Since that time the firm has expanded from its Maryland-headquarted base to now also operate offices in Europe and the Asia-Pac region. Today, with employees across the world working in around a 75% remote capacity even before Covid-19, the company continue to expand its platform, vision and footprint. Jackson and Fox suggest that the same supply chain management principles found in a Toyota automobile manufacturing plant (other makes of car are also available) do indeed apply to the supply chain mechanics evidenced and experienced in software.
The parallel breaks down as follows:
- Better suppliers (better car components manufacturers = better software projects with strong coders).
- Better parts (better cars components = better versions of software).
- Better transparency (better insight into the automotive production line’s bill of materials, performance & faults = better insight into software code’s efficiency & functionality).
“Whether it’s cars or software, this structure has a fourth element which stipulates that when and if any defect is found, we stop work and resolve that defect and do not start up the production line again until that problem is fixed,” said CEO Jackson. “Companies as large as major investment banks download millions of open source components every year, usually with the perception that there are no defects or vulnerabilities in their Java (or other) roots. This reality basically means you’re handing over the source kernel in your innovation stream to people that you have never physically met or worked with. In what other scenario of business would any organization think about embedding that kind of DNA into their operational structure?”
Any color you like
Sonatype’s Jackson speaks of the wider business dynamic at work here that, again, we’ve seen before in automotive.
“Ford used to make all its own steel back in the days of the [any color you like, as long as it’s black] ground-breaking Model-T. Eventually, economies of scale and workforce specialization drove Ford to start outsourcing its steel requirements – and, if we think about the consumption of open source components, the same thing is happening. The difference now is that it’s the shop floor factory workers (in this case, the developers) that are driving the change and not the management,” said Jackson.
What this means in operational reality is that more enterprise organizations are using more software components (open source in the first sense of this argument, but proprietary code as well) from more suppliers. For Jackson’s money, this is understandable, but overall he insists that fewer better suppliers is the best way to reduce and eliminate ‘technical debt’ i.e. those parts of an enterprise IT stack that are usually more quickly assembled, often poorly tested and typically ripe for later refactoring and reengineering.
Jackson’s own theory of software innovation reads as follows:
Raw innovation – technical debt = net (positive) innovation
“To really understand the ‘hygiene’ of any given software project, you need to know how good the [software code] committers are that have been populating the codebase itself, which means knowing as much as possible about their integrity,” said Jackson.
Because there is no formal yardstick to measure coder quality and integrity, Jackson and team advocate looking at a number of key criteria. Some of the factors to assess here include how often a developer might commit code to a project and at what frequency. It might also be some measure of how well used and maintained a section of software code is. We could also incorporate some measure of whether a developer (or team) is using some new class of algorithm that is abnormal to the structure of the project so far.
“It’s a lot like a credit card check, if people suddenly show up in unusual places or in two places at the same time, then an alert mechanism should automatically come into action,” said Jackson.
According to Sonatype’s “State of the Software Supply Chain” report, intelligent automation that standardizes engineering teams on exemplary open source projects could remove 1.6 [million] hours and $240M of real-world waste spread across [a] sample of 100,000 production applications. As noted on the New Stack, if extrapolated out for the entire software industry, the report stated, savings could reach billions, with intelligent automation saving companies an average of $192,000 annually.
Brian Fox, CTO of Sonatype says that there are always a lot of ‘speed bumps’ that surface on the road through the software supply chain. Many of these would materialize as a result of one piece of code ‘breaking’ another’s ability to function the way it was originally constructed one connected to the complete application stack.
Other bumps in the road come about due to compliance issues, version control challenges and cybersecurity vulnerabilities that surface and cause concerns. All of which will delay expected ‘delivery timelines’ inside the software supply chain.
Lettuce-based labelling logic
Sonatype’s Fox extends the automobile-software supply chain analogy one step further and recounts the fiasco that ensued around the time of the USA’s E. coli outbreaks associated with lettuce supplies.
“The USA’s E. coli outbreaks happened for three consecutive years; the same problem came to the fore until somebody realized that lettuce suppliers should be labelling their produce in order to show its point of provenance to help track faults, infections and so on,” said Fox. “Just imagine a car manufacturer not knowing which make of airbags or brake pads its engineers were installing at the production line; it’s the same principle with software, which should be an even more exacting and accurate process, except it’s often not.”
As we have reported before here, the type of technology Sonatype brings forward here is a set of organizationally defined rules that use automation to shield an organization from obsolete or dangerous (or unclassified) open source code and other third party components. This was they can be prevented from entering or exiting application development.
Policy automation, ongoing monitoring and proactive alerts provide visibility and control of components throughout the software supply chain. This way, applications start secure and remain that way over time. Software shops can use tools like this for blocking and quarantining open source software components that do not meet policies. It’s all about yielding improved development hygiene through use of better, safer components at the earliest point in the development process.
Seven pillars of software supply chain
We can point to seven defined pillars of software supply chain management that emanate from this discussion as: safety, scalability, standardization, speed, savings, solidity and sustainability. As a company that specializes in software supply chain management through open source (and wider) software code governance, Sonatype advocates software supply chain automation and management as the key enabling differentiator in this space.
If there is one lesson we can take going forward post-pandemic and post-epiphany for supply chain appreciation (real world chains – and software chains) then it must be that we do not always know the potential risks associated with life until the cracks start to appear.
As Sonatype’s Jackson concludes on these matters, “It doesn’t take a pandemic to disrupt a software supply chain, this is the sort of diligence that public and private organizations should be applying every day 24×7.”
Be nice to your supply chain, a link without kinks and chinks keeps a business in sync.