Supply chain management can raise the bar with continuous development, argues Joshua Corman, Director of the Cyber Statecraft Initiative and co-founder of Rugged Software. In his talk about Rugged DevOps and Software Supply Chain at the GOTO Amsterdam 2016 conference, he stated that our dependence on IT and software is growing faster than our ability to secure it, and that applying supply chain approaches to software development helps to address complexity, which reduces risks and increases quality.
InfoQ interviewed Corman about the risks of using open source code, how supply chain management can be applied in software development and how it impacts software quality, and the relationship between DevOps and supply chain management.
InfoQ: What, in your opinion, are the biggest risks when using open source code?
Joshua Corman: A few things.
- Our dependence upon OpenSource grew very, very quickly... and when you’re more dependent upon something, you’re more affected when things go wrong.
- OpenSource is less dependable than we once thought. Though this is often seen as an attack, it is not. It is a sober recognition of facts. We’ve long believed that Open Source was much more secure than it is. We believe this in part because of the old saying "With many eyeballs, all bugs are shallow." But what’s becoming clear is those eyeballs are not incentivized nor fully security qualified, as we’re seeing many, many security flaws which have been present for years and even over a decade or more.
- It’s Open Season on Open Source. Attackers have finally taken interest and notice in Open Source. Once OpenSSL Heartbleed was found, 31 other CVEs were found in the same year. Mass attacks have taken place against core projects like Apache Struts2, OpenSSL, Bash, Apache Commons Collections, etc. Attackers realize that exploiting flaws in these popular projects will yield them many victims. Our common dependence brings common attack surface and common risk.
InfoQ: Can you briefly describe supply chain management: what it is and which purpose it serves?
Corman: This is a principle from Edwards Deming, which he pioneered for Toyota in post-World War II Japan.
There are three principles which transformed auto manufacturing:
- Use fewer and better suppliers
- Use the highest quality parts from those suppliers
- Track which parts went where throughout manufacturing
This is what enables automakers to only recall the affected cars when there is a bad batch of airbags, for example.
InfoQ: Can you give examples showing how supply chain management can be applied in software development?
Corman: In OpenSource terms the three above mentioned principles translate to:
- Use fewer and higher integrity OpenSource projects - who take good care of their security hygiene (e.g. logging frameworks)
- Use only the freshest and least vulnerable versions of these projects - avoiding elective known vulnerabilities
- Track which applications are using which versions, so when there is an attack, you can compress the Mean-Time-To-Identify and Mean-Time-To-Remediate to minutes versus weeks.
InfoQ: How do these approaches impact the quality of software products?
Corman: The benefits of using proven Deming supply chain principles in modern software development include:
- Developers massively reduce their unplanned, unscheduled work and painful context switching - enabling them to be on time and on budget and drive more value with less waste.
- Operations enjoys fewer break-fixes and service interruptions due to avoidable risks - and when things do go wrong, they can significantly compress their response times.
InfoQ: How does supply chain management relate to DevOps?
Corman: DevOps loves Deming... Agile has its roots in Deming, as does Lean, as does DevOps... as do TQM and Six Sigma... This is just a fuller embrace of what DevOps already loves in Deming.
More specifically to development, Lean introduced the 8 types of Waste and culture to manage and reduce waste which comes at the cost of delivering code, delivering value, and pleasing/delighting your customers. Software supply chains introduced an unmeasured – and therefore unmanaged – form of waste. Managing out elective re-work can massively improve developer productivity. A Fortune 100 insurance company achieved a 20% boost in developer productivity in the 1st year.
For Operations, using higher quality projects can reduce service interruptions – as can avoiding elective attack surface of older and known vulnerable versions of otherwise high quality projects. Further, using fewer total versions of the projects you’ve chosen can reduce operational variance in production – improving quality of service delivered.
Let’s also not forget that the same choices improve security with fewer incidents due to entirely avoidable, elective risk and attack surface. Further, when unavoidable attacks rear their heads, the tracking of which libraries went where (with versions) enables a significantly faster MTTI/MTTR (Mean-Time-To-Identify and Mean-Time-To-Remediate).
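The three open source translations of Deming's principles that Corman lists above (fewer, higher-integrity projects; the freshest, least vulnerable versions; tracking which application uses which version) and the MTTI/MTTR point in the preceding paragraph can be made concrete with a small inventory check. The following Python script is an added example, not code from the interview, from Sonatype or from Rugged Software. Every application, component name (the `acme-*` libraries), version, advisory identifier (`ADV-EXAMPLE-*`) and "latest release" value in it is constructed sample data, and the `fixed_in` advisory semantics and dotted-integer version comparison are simplifying assumptions made for the example.

```python
"""Added example: a minimal software supply chain inventory check.

Given a constructed inventory of which application uses which component
version, it answers the three questions the interview's principles raise:
  1. How many distinct versions of each component are in production?
     (fewer versions, less operational variance)
  2. Which applications are behind the newest known release?
     (use the freshest versions)
  3. When an advisory lands, which applications are exposed?
     (track which parts went where, so MTTI is minutes, not weeks)
All data below is constructed for the example; none of it is real.
"""
from collections import defaultdict

# Constructed inventory: application -> {component: version}.
# In practice this would be built from lock files or an SBOM per deployment.
INVENTORY = {
    "billing-api":  {"acme-logging": "2.14.1", "acme-collections": "3.2.1"},
    "web-frontend": {"acme-logging": "2.17.0", "acme-http": "4.5.13"},
    "batch-jobs":   {"acme-logging": "2.14.1", "acme-collections": "3.2.2",
                     "acme-http": "4.4.1"},
    "reporting":    {"acme-collections": "4.4", "acme-http": "4.5.13"},
}

# Constructed advisories: component -> [(advisory id, fixed_in)].
# Assumed semantics: every version strictly below fixed_in is affected.
ADVISORIES = {
    "acme-logging":     [("ADV-EXAMPLE-001", "2.17.0")],
    "acme-collections": [("ADV-EXAMPLE-002", "3.2.2")],
}

# Constructed "newest known release" catalog for the freshness check.
LATEST = {"acme-logging": "2.17.0", "acme-collections": "4.4", "acme-http": "4.5.13"}


def parse_version(v):
    """'2.14.1' -> (2, 14, 1). Non-numeric parts become -1 so they sort early.
    Real ecosystems (semver, Maven, PEP 440) need their own comparator."""
    return tuple(int(p) if p.isdigit() else -1 for p in v.split("."))


def is_affected(version, fixed_in):
    """True when the installed version predates the fixing release."""
    return parse_version(version) < parse_version(fixed_in)


def version_sprawl(inventory=INVENTORY):
    """Principle 1 / operational variance: distinct versions per component."""
    versions = defaultdict(set)
    for deps in inventory.values():
        for component, version in deps.items():
            versions[component].add(version)
    return {c: sorted(v, key=parse_version) for c, v in versions.items()}


def stale_components(inventory=INVENTORY, latest=LATEST):
    """Principle 2: (app, component, version, newest) where an app lags."""
    stale = []
    for app, deps in sorted(inventory.items()):
        for component, version in sorted(deps.items()):
            newest = latest.get(component)
            if newest and parse_version(version) < parse_version(newest):
                stale.append((app, component, version, newest))
    return stale


def affected_apps(inventory=INVENTORY, advisories=ADVISORIES):
    """Principle 3: advisory id -> [(app, component, version)] exposed to it.
    One pass over the inventory answers 'which apps must we patch?'."""
    hits = defaultdict(list)
    for app, deps in sorted(inventory.items()):
        for component, version in deps.items():
            for adv_id, fixed_in in advisories.get(component, []):
                if is_affected(version, fixed_in):
                    hits[adv_id].append((app, component, version))
    return dict(hits)


if __name__ == "__main__":
    print("Distinct versions in use per component:")
    for component, versions in sorted(version_sprawl().items()):
        print(f"  {component}: {len(versions)} -> {', '.join(versions)}")
    print("Applications behind the newest known release:")
    for app, component, version, newest in stale_components():
        print(f"  {app}: {component} {version} (newest {newest})")
    print("Applications exposed per advisory:")
    for adv_id, rows in sorted(affected_apps().items()):
        print(f"  {adv_id}: " + ", ".join(f"{a} ({c} {v})" for a, c, v in rows))
```

Run stand-alone, the script prints the sprawl, freshness and exposure reports for the constructed inventory; the exposure report is the part that compresses Mean-Time-To-Identify, because the question "who is running the vulnerable version?" is answered from the inventory rather than by auditing each application after the fact.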
InfoQ: If people want to learn more on supply chain management for software development, where can they go?
Corman: Toyota Supply Chain books are an interesting read here.
I’ve had a few talks on this recorded:
- Immutable Awesomeness at DevOps Enterprise Summit with Docker’s John Willis
- Continuous Acceleration with a Software Supply Chain Approach at DevOps Days DC
- CyberSafety for the Internet of Everything: Bits & Bytes meet Flesh & Blood at Building IoT
I also think the best thing to do is just check the quality of your own consumption and your own application hygiene. There are some free tools of varying quality to fingerprint what you’re using. I know Sonatype offers a free Application Health Check. OWASP has Dependency-Check.
If you want to size how much elective waste there is in your organization - in developer hours and dollars - in the millions (at scale), I worked with a Data Science/Data Visualization friend and made a free interactive calculator which you can play with. If you’re already convinced, that tool can do wonders with your management and executive teams. Play with it here: www.sonatype.com/calculator.