Do you really understand the software supply chain?
THERE was a time, not so very long ago, when we used to buy software in a cellophane packaged cardboard box with bold colors and flashy logos emblazoned across it.
These so-called CD-ROMs had eventually replaced the various versions of the floppy disk that had seen us through the previous decades as the primary means of installing new applications (be they games or serious enterprise apps) onto our machines.
The download generation
As we all know, with the advent of Internet-based cloud-centric connectivity, the ability to transfer software code from a central repository onto every individual’s machine made things a lot easier – and so the download generation was born.
But with convenience, speed and power often comes an associated risk. Our software today is constantly connected and so (very often) continually updated.
Looking deeper, much of this software is increasingly open source and this means that some of the libraries, dependencies and code structures (the internal architecture of your app, basically) may be dynamically open to change; such is the open nature of open source.
The open source stream
Duncan Clark of Intellectual Property (IP) analytics software company PatSnap has said that open source code can enter a firm’s software source code by being directly downloaded, or indeed through being incorporated into internally developed proprietary code by an enterprise’s own developers.
This is a generally a good thing of course i.e. open source software is widely agreed to be a positive advancement and even the previously puritanically proprietary Microsoft has now opened to open platforms. But a sensible proviso is that the adoption of open source and indeed all other software should be done in a managed way.
The problem says Clark is that software adoption is often done in a haphazard undocumented fashion, which makes the code itself notoriously difficult to identify and subsequently manage in terms of its licensing obligations and risks.
“Intellectual property risks include copyright infringement, lawsuits and fines, combined with bad publicity. Meanwhile, misuse of open source software or issues of non-compliance can cause complications when it comes to company valuations for investment opportunities or mergers and acquisitions,” said Clark.
The software supply chain
So what this leads us to is the need to understand the size and shape of your firm’s software supply chain. We need to know where code comes from, where it resides, what data it is connected to, who has access to it, what critical functions it performs and how well it is locked down.
Some vendors are now telling us that Artificial Intelligence could be the answer to our woes. But to do this we need to be able to look inside our apps and evaluate what code is doing what. We need a more granular view.
San Francisco based OverOps produces an analytics tool that captures data from applications and services to provide code-aware insights to developers so they can detect and troubleshoot issues. The company also offers software quality dashboards and an API that open this data up to fuel the use of Artificial Intelligence (AI).
“The industry has retooled almost the entire software supply chain, yet organizations still rely on manual and shallow methods to investigate and measure errors found within code,” said Stephen Elliot, program vice president for management software and DevOps at technology analyst house IDC.
“There is a need to rethink the way development and [software management] teams gather insight about code-level issues. By having more granular visibility into the quality of applications and services across all environments (including production) organizations can proactively prevent outages that could otherwise lead to brand degradation and loss of revenue.”
The road ahead
Do we need to plug AI-empowered machine data analysis (as OverOps suggests) and forensic IP-aware code analysis (as PatSnap advocates) into every single piece of software running inside our business?
Ideally yes, but reasonably and practically speaking the answer is probably no.
How we fare on the road ahead depends upon our ability to take a measured approach and apply some of these controls to the more mission-critical applications that any given business depends upon.
Software may not come in a box anymore, but it still forms the blocks in a supply chain that is running your digital business, so please make sure you know where the weakest links might exist.