By Bill Bensing, coauthor of Investments Unlimited: A Novel about DevOps, Security, Audit Compliance, and Thriving in the Digital Age
Are vendors selling the software supply chain story 18 years behind the curve? Did the SolarWinds hack give these vendors a new marketecture? What if I told you the software supply chain is not a new concept? Even more, it existed before “cloud” was a thing. To qualify “cloud as a thing,” I use 2006 as when the cloud was born because that is when the first cloud services, as we know them, were launched by Amazon Web Services. Amazon first launched the Simple Storage Service (S3) on March 13 and followed up with the Elastic Compute Cloud (EC2) beta on August 24, 2006.
The idea of a software supply chain is nothing new. It was prevalent in the open source community for a while. As far as I can tell, open-source licensing is the origin story of the software supply chain concept. This information was news to me. After digging around on the interwebs for a bit, I got to thinking, “Has the idea of what a software supply chain is changed over time?”
A Brief History of Software Supply Chains
To scratch this itch, I went to my trusty companion, Google Trends. Google Trends allows you to explore the popularity of keyword searches over time. It’s pretty much where I start all my research, unless the topic is pre-2004.
Google’s metric of interest over time gauges how popular a search term is at any given time. What exactly is the Interest Over Time score? It’s simply a popularity score. The bigger the score, the more popular the term. Here is the exact definition from Google Trends:
Numbers represent search interest relative to the highest point on the chart for the given region and time. A value of 100 is the peak popularity for the term. A value of 50 means that the term is half as popular. A score of 0 means there was not enough data for this term.
The concept of a software supply chain stretches back to at least 2004. Data shows interest in the software supply chain dropped at the end of 2006. This interest did not pick up again until December 2020. What happened in December 2020? The SolarWinds hack happened. The data shows interest in the software supply chain gained a lot of steam in May 2021. What happened in May 2021? Joe Biden, President of the United States of America, talked about SBOM and supply chain security in his Executive Order on Improving the Nation’s Cybersecurity (see Sec. 4, Enhancing Software Supply Chain Security). After May 2021, interest has grown to resemble its pre-2006 proportions.
The First Time, It Was about the BOM
The first popular period of the software supply chain, between Jan 1, 2004, and Jan 1, 2007, was about the bill of materials. Google Trends from this period only shows three (3) related topics and two related queries; the majority of these topics are bill-of-materials related. This part of the software supply chain history lacks references to security as a topic, or concern, of the software supply chain. Extrapolating from the related topics and queries, it seems the focus was on the software bill of materials (SBOM). Post-SolarWinds, we began associating SBOMs with security.
The Second Time, It Was a Mandate
Fast forward fifteen (15) years from January of 2007, and SBOM is still a related topic to the software supply chain. What differences are there? There are five (5) significant changes in the related topics:
- First, the May 2021 Executive Order tops the results.
- Second, the related queries for the software supply chain are only specific to SBOM and types of SBOMs (SPDX, CycloneDX).
- Third, the results contain many references to the topic of security.
- Fourth, institutes and organizations are now associated with the software supply chain (NIST, NTIA, OWASP, Linux Foundation).
- Fifth, it lists many vendors (GitHub, Docker, Snyk, Veracode, GitLab, JFrog).
The software supply chain rose from its humble origins for open source license tracking to a concept embroiled within security, adopted by institutions, and a place to make money. The software supply chain has become analogous to software security. Its emphasis focuses on the security of the underlying components that make up any given software system.
The software supply chain has become the practice of, “How do I protect myself and my customers from something negative that someone else did out of malice or ignorance when using what you built or sold me?”
Eighteen Years of Software Supply Chain Changes
All supply chains are a function of the product. A supply chain changes when the manufacturing or sourcing of the materials changes. It’s categorically wrong to compare software supply chain issues today to one’s experiences back in 2004. Why so? Today’s software product has fundamentally changed.
Most software today is an amalgamation of open source, purchased network-based services, and bespoke software. In the early 2000s, software was largely bespoke. The software went from being artisanal to industrial in the past 18 years. Back then, when you wanted to build a new piece of software, most companies built most of what they needed from scratch. Most of the software was one-off. During this time, the focus of software reuse was on the organization’s own internal components.
There is a worldwide ecosystem of open source and network services today. These options reduce the need to build everything from scratch. They also reduce the cost of managing the software. The burden and cost of management have shifted to the open source community, unless, of course, a company is paying another company to maintain a dependency.
These same options drive transitive dependencies into your software. Transitive dependencies are things you consume indirectly because the things you directly depend upon have other dependencies. These dependencies are the most crucial aspect of the change in software supply chains over time. They easily hide the gremlins you can’t see.
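To make the “gremlins you can’t see” concrete, here is an added example (not code from the original article) that walks a constructed dependency manifest and separates what a developer declared from what actually ends up in the build. Every package name in the manifest is made up for illustration; none refers to a real project or a real vulnerable release. The flattened list that `transitive_dependencies` returns is the kind of inventory an SBOM is meant to record, and `dependency_paths` answers the question a defender asks first when a component is flagged: “why is this in my build at all?”

```python
"""Surface transitive dependencies hidden behind a short manifest.

Added example, not code from the original article. The manifest below is
constructed: package names are invented for illustration only.
"""
from collections import deque

# Constructed manifest: each key is a package, each value the packages it
# declares as DIRECT dependencies. Only "app" is written in-house; the rest
# stand in for open source components pulled from a registry.
MANIFEST = {
    "app": ["web-framework", "json-lib"],
    "web-framework": ["http-parser", "template-engine"],
    "template-engine": ["string-utils"],
    "http-parser": ["string-utils"],
    "json-lib": ["string-utils"],
    "string-utils": ["compat-shim"],
    "compat-shim": ["string-utils"],  # constructed cycle; real ecosystems have them too
}


def direct_dependencies(root, manifest):
    """The components a developer sees when reading their own manifest."""
    return set(manifest.get(root, []))


def transitive_dependencies(root, manifest):
    """Breadth-first walk returning every component that ends up in the build.

    The ``seen`` set guards against cycles so the walk always terminates.
    """
    seen = set()
    queue = deque(manifest.get(root, []))
    while queue:
        pkg = queue.popleft()
        if pkg in seen:
            continue
        seen.add(pkg)
        queue.extend(manifest.get(pkg, []))
    return seen


def hidden_dependencies(root, manifest):
    """Components present in the build but absent from the root's own manifest."""
    return transitive_dependencies(root, manifest) - direct_dependencies(root, manifest)


def dependency_paths(root, target, manifest):
    """Every chain from root to target, i.e. 'why is this in my build?'.

    Returns a sorted list of paths; an empty list means target is not consumed.
    """
    paths = []

    def walk(pkg, chain):
        for dep in manifest.get(pkg, []):
            if dep in chain:  # cycle guard: never revisit a package on this chain
                continue
            if dep == target:
                paths.append(chain + [dep])
            else:
                walk(dep, chain + [dep])

    walk(root, [root])
    return sorted(paths)


if __name__ == "__main__":
    print("direct:    ", sorted(direct_dependencies("app", MANIFEST)))
    print("transitive:", sorted(transitive_dependencies("app", MANIFEST)))
    print("hidden:    ", sorted(hidden_dependencies("app", MANIFEST)))
    for path in dependency_paths("app", "string-utils", MANIFEST):
        print(" -> ".join(path))
```

With this manifest, `app` declares two dependencies but ships six components, and `string-utils` reaches the build through three separate chains, so removing any single direct dependency would not remove it. That gap between the declared list and the resolved set is why the article argues transitive dependencies are the most consequential change in software supply chains.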
In the early 2000s, the supply chain for software was arguably small, with relatively few situations of transitive dependencies. You either entirely built what you needed, or you purchased a pre-made packaged software. A small supply chain means less surface area for supply chain quality issues. The exponential growth of the cloud computing operating model changed how software is manufactured. In conjunction with this growth, the increase in the open source software ecosystem changed the competitive landscape.
What I find interesting is that the concept of a supply chain did not grow as the supply chain makeup grew over time. Overnight, the idea of a software supply chain became one of security. SolarWinds was the black swan event that altered perspectives. Nassim Nicholas Taleb is responsible for the Black Swan Theory. I consider SolarWinds a black swan event because it was an unexpected event of large magnitude and consequence with a dominant role in history. While some folks were talking about security in the supply chain, the majority of folks assessed the metaprobability of such risk as very low. Simply put, people didn’t believe there was a way for a SolarWinds outcome to happen.
Is Software Supply Chain the Best Term?
The software supply chain is a thing. It’s broader than licensing and security. Did you know the Council for Supply Chain Management Professionals (CSCMP) does not define a supply chain? Instead, the CSCMP thinks of it this way. “With the supply chain covering a broad range of disciplines, the definition of what is a supply chain can be unclear. Often times SCM can be confused with the term logistics management. CSCMP and the board of directors, comprised of industry experts, created official definitions for the following terms.” (CSCMP Supply Chain Management Definitions and Glossary)
Instead of defining a supply chain, the CSCMP defines the act of managing a supply chain. “Supply chain management encompasses the planning and management of all activities involved in sourcing and procurement, conversion, and all logistics management activities. Importantly, it also includes coordination and collaboration with channel partners, which can be suppliers, intermediaries, third-party service providers, and customers. In essence, supply chain management integrates supply and demand management within and across companies.”
In addition, the CSCMP also defines the boundaries of supply chain management. “Supply chain management is an integrating function with primary responsibility for linking major business functions and business processes within and across companies into a cohesive and high-performing business model. It includes all of the logistics management activities noted above, as well as manufacturing operations, and it drives coordination of processes and activities with and across marketing, sales, product design, finance, and information technology.”
The key takeaway: it’s not about what a supply chain is; it’s about how you manage a supply chain. It is all the activities from sourcing to runtime. What we call security is simply a measure of quality. Security is one activity to manage in a supply chain. Licensing is one aspect to manage.
The software supply chain is a new marketecture. Existing vendors are modifying stories to align with current security narratives within the software supply chain. The software supply chain is a real thing. Most software today is an amalgamation of software not written or managed by the person or company which writes the software they sell. Said in another way, for any given software system we build today, the people who design it only write a tiny part. We source the other software components from elsewhere, mainly open-sourced software.
This history of software supply chain topics and queries demonstrates that the concept of the software supply chain morphed into a security-first focus. Understanding the requirements of what, what, and how of a given software component is the root of the software supply chain. Having current, accurate, and complete information about the ingredients that make up a system is critical context. Various analyses and actions use this context.
Overnight, companies adopted a new marketecture for the software supply chain. Are these companies doing anything new? Or is software supply chain the new buzzword that CIOs and IT Executives leverage to maintain face within their companies? There will be future articles around this topic: The Bamboozlement of the Supply Chain.