Why the Supply Chain Matters

Many examples currently exist of mature supply chains with a plethora of available tooling, as well as established relationships between suppliers and buyers focused on delivering high-quality products to end customers. One example is the aviation industry. It is heavily regulated and includes great risk to the health and safety of humans. Therefore, the provenance of parts that make their way into any aircraft is well documented and can be used to assess impact and origin if/when things go wrong.

Unfortunately, the same is not true in the software supply chain.

Unregulated Software Supply Chain

The software supply chain is quite immature in both tooling and relationships, with software parts being brought into applications from various unregulated sources, including supplier code, partner code, Open Source projects, and in-house development.

Developers are often able to source Open Source and third-party code from a variety of places on the Internet, ranging from well-known ecosystems like the Apache Software Foundation and the Eclipse Foundation to well-regarded artifact repositories like Maven Central (Java), NuGet (.NET), npm (JS), RubyGems (Ruby), PyPI (Python), and many others. At times, though, code comes into an organization from individual developers anywhere in the world who simply host their work on popular source code repositories like GitHub or GitLab.

All of this Open Source and third-party code typically does not go through the same inbound controls and scrutiny as commercial off-the-shelf (COTS) software.

Large Percentage of External Code in Software Applications

If you look at a Boeing 787 Dreamliner, Boeing manufactures a tiny fraction of the overall parts that comprise the final aircraft. The remaining parts are sourced from Boeing’s vast hardware supply chain from vetted and stringently selected partners.

Figure: 787 Dreamliner Structure Supply Chain Suppliers

The same is true in the software industry, where most organizations build applications largely comprised of code developed outside of their company. According to The Linux Foundation’s summary of its Census II report, Free and Open Source Software (FOSS) is estimated to constitute 70-90% of any given modern software solution. FOSS is an increasingly vital resource in nearly all industries, in the public and private sectors, and among tech and non-tech companies alike.

If 80% or more of your application is comprised of code your team did not develop, then you need to manage the legal and security risk that comes with that additional exposure.