Resources Blog Strengthening Software Supply Chains for Everyone: Why ...

Strengthening Software Supply Chains for Everyone: Why Grafeas is a Great Idea

At Sonatype we've been talking about securing and strengthening software supply chains for quite a while.  We've even produced the annual State of the Software Supply Chain report since 2015.

A few years ago, most people had never heard of a "software supply chain".  They couldn't quite grasp how applications were being assembled from third-party components.  They couldn't see how traditional software development had transformed into a supply chain-like process.

So much has changed in the past six years.  Today, we're reaping the benefits of maturing DevOps, containers, and microservices.  Development teams everywhere are embracing continuous delivery practices and realizing the importance of maintaining a trusted software supply chain from the very beginning, to the very end, of the value chain.

The latest evidence of this trend is Grafeas; an open source initiative launched by Google to define a uniform way for auditing and governing the modern software supply chain.  Grafeas is an open API designed to expose relevant metadata about artifacts to help customers continuously audit and govern the volume and variety of components and containers flowing through the modern development lifecycle and into production.

Perhaps more than any organization in the world, Google understands that software innovation is a strategic weapon of choice for delivering new customer experiences and creating new markets.  Whether you’re a bank, a drug maker, an auto maker, or a retailer, survival in today’s application economy depends on your ability to innovate.

Organizations are fundamentally changing how they build and deliver software to the market.  They are shifting from waterfall releases once per quarter; to continuous deployments happening dozens of times a day.  Nowadays, innovation is king, speed is critical, and more than ever -- organizations need strong governance and policy enforcement underpinning every phase of their software supply chain. 

At Sonatype we have a rich history of supporting open software innovation.  From our humble beginning as core contributors to Apache Maven, to supporting the world’s largest repository of open source components (Central), to distributing the world's most popular repository manager (Nexus), we value the power of community collaboration.

Grafeas is a terrific idea.  Google, IBM, Red Hat, CoreOS, Twistlock, Aqua, jFrog, and Black Duck should be applauded for their initiative.

In keeping with our long standing commitment to open innovation  — Sonatype is excited to add unique value to the Grafeas community so organizations everywhere can automatically strengthen and secure software supply chains early, everywhere, and at scale.

Picture of Brian Fox

Written by Brian Fox

Brian Fox is a software developer, innovator and entrepreneur. He is an active contributor within the open source development community, most prominently as a member of the Apache Software Foundation and former Chair of the Apache Maven project. As the CTO and co-founder of Sonatype, he is focused on building a platform for developers and DevOps professionals to build high-quality, secure applications with open source components.