What is the software supply chain?
It’s a connected system of software development using third-party sources shared online.
The reference to a “chain” suggests that each link in the process affects the next, such that a failure or delay at one stage can slow or stop the entire process. Individual links in the chain could represent an individual developer, a whole team, or management software.
Using third-party components is ideal because software developers can move faster by using tools that have already solved common computing problems, rather than writing their own.
Although building software using third-party components has been happening since the early days of computing, thinking of the process this way likely began in the 1990s with the appearance of the Linux operating system. This collaboratively developed software was built from a connected group of independent developers that resulted in a wildly successful software now in use in everything from satellites to wristwatches.
To better explain the concept, let's start with the term’s origin in the manufacturing world:
What is a supply chain?
When you think of building something, most people think of a factory. Products made in a factory are built from parts, and the fastest way to stop your factory is to have parts in short supply.
In the early days of manufacturing, almost all parts were built entirely in-house. Individual companies were entirely responsible for their own supply, meaning shortages in one part of the factory would immediately slow production. Optimizing meant making sure you had a steady supply of parts.
As demand increased for more complex products and features in everything from cars to appliances, individual parts also grew in complexity. It only made sense that companies source their parts from a separate factory that could specialize in that specific part. The process itself multiplied with parts created, pieced together, and finally assembled into a final product, all in different factories.
These connected suppliers could be thought of as a "supply chain".
Because factories and their eventual customers spread further and further apart, and so the notion of a supply chain also had to include transportation. Whether your trucks, trains, or planes moved reliably is crucial to any supply chain.
In fact, only companies that manage and adapt to changes in the software supply chain stay in business. Those especially effective at optimizing their supply chain can excel.
Although supply chains were rarely a topic of general conversation outside of manufacturing, major disruptions in the last 10 years have brought it into the fore. Notably when a single ship blocked the Suez Canal and of course the 2020 COVID-19 pandemic. Both highlighted the global economic reliance on supply chains.
How does manufacturing relate to the software supply chain?
As with standard manufacturing, software development initially built all parts in-house. Over time, the number of projects integrating third-party software components has increased dramatically. We now estimate upwards of 90% of software use elements from community-driven software projects.
Development teams all over the world now use software from these projects, which use readily-visible internals known as “open source” to rapidly prototype, develop, and ship software.
Today, software is less written and more assembled, with the average modern applications made up of 70–90% open source components. And just like regular supply chains, those who can optimize their software supply chain are succeeding in the wake of entrenched rivals (think Zoom and Slack versus Skype and Google Chat).
This transition of “software from scratch” to “software from parts” is just one of many ways the language of manufacturing is relevant to software. This is because there are many overlapping areas between software development and standard supply chains:
Similarities with standard supply chains
Very old software and old parts. Both have issues. Similar to how metal parts sitting in a warehouse can corrode, the chance of vulnerabilities being discovered in software increases over time.
Third-party sources can close up shop. This will create problems for factories and developers alike.
Suppliers may use inferior parts. Just as car part manufacturer issues may result in an expensive recall, software needs to use quality parts from good third-party projects. Software that your team relies upon may not be using the best components.
The latest-and-greatest is not always the best. This is especially if a new supplier turns out to have quality control issues. Similarly, software supply chains should avoid the temptation to always use the latest software.
Although there is immense overlap, not all topics in manufacturing are the same. Here are some places where the topics diverge:
Differences from standard supply chains
Software is infinitely reproducible. No individual software component will ever run out of space in your warehouse. However, there are often so many options to choose from, selecting the right one can be difficult.
Software supply chain attacks. Malware developers and other bad actors are attacking software factories. Attacks are rarely something that most physical factories have to worry about.
No need to transport software. Thanks to widespread adoption of broadband, this is less of an issue. However, connections still need to be secured and reliable. And manufacturers and software both need to authenticate that the right components are coming from the right people.
Attacks and growth
If you’re reading this article, it’s likely because you’ve seen a reference to the phrase “software supply chain” or heard about it in the news.
Unfortunately, the thing that’s made this topic move out of the technology circles into the mainstream are security problems. In particular, the way the target of one attack seems to affect unrelated companies. For example, the notorious attack on SolarWinds in late 2020 ended up affecting Microsoft services due to a “software supply chain attack.”
The way one attack can affect many other systems is due to the integrated nature of modern software development. And understanding that can open doors to improving software for everyone.
One thing that’s not commonly discussed in the news is how not only attacks but the software supply chain itself is growing and by leaps and bounds. For software from publicly available sources, downloads are expected to pass 3 trillion for just 2021-2022. The continued adoption of software components by developers around the world means we expect that number to be bigger in 2023 and beyond.
Optimizing your secure software supply chain
It’s definitely the case that most of the news around this topic is focused on the harm from a security breach. However, improvements to the software supply chain are more than just about preventing harm. They also address everyone’s desire for better software, including more features and reliability.
Not surprisingly, improving your part in the software supply chain also resembles recommendations from the manufacturing world:
Introduce automation, continuous testing, and ongoing improvements
Resolve issues early in the process
Selecting the best components
Transparency with customers about what you use
Many readers may wonder “but aren’t computers already automated?” It’s certainly true that computers are definitely faster and the software is smarter. However, many steps in the software development process are still very manual and human-centric.