Software supply chain maintenance is a new term that recognizes the fact that most of the code in our modern applications is open source software. As such, it’s no longer under the direct control of your developers like your proprietary code is, but it still needs to be managed and maintained if you hope to benefit from the innovation that open source provides, while avoiding being hacked.
In effect, software supply chain maintenance is the new tech debt, and it’s set to explode as more applications than ever before are being built on top of open source libraries.
But this approach to building software raises a number of problems:
- Too many organizations treat their software supply chain as a one-and-done event: I assembled the parts and built the environment on which my program runs; I’m done. But then, why do you have a supply chain? Supply chains are only required if you intend to continually produce at scale.
- Nobody wants to maintain and fix code they didn’t write, especially when doing so might break the build. For this reason, ~80% of codebases are almost never updated, which I’ve discussed in a previous blog: Best Practices: How To Update Your Codebase Without Breaking The Build. But if you’re not leveraging your supply chain to make constant updates, why incur the overhead of one?
The unfortunate reality, however, is that if you’re not maintaining your software supply chain, your application WILL break and/or become a target for hackers. For example:
- Package Vulnerabilities – while low, medium and high risk vulnerabilities are constantly being reported, most organizations will minimize the time and resource to fix them by addressing only those that are deemed critical, which means:
- Patching or updating the vulnerable open source library.
- Wrestling with dependency management, since the new package version may generate conflicts with existing dependencies.
- Fixing your code that may have broken due to the patch/upgrade.
- Programming Language Bugs & Vulnerabilities – much like packages, your programming language regularly releases patches, some of which may also include critical vulnerability fixes, which means:
-
- Updating the language patch version, which typically requires updates to core libraries.
- Refactoring your code if the patch has introduced breaking changes.
- API Changes – your software supply chain may also include APIs, which are constantly in a state of flux as they’re versioned, deprecated or deleted, resulting in breaking changes. This means:
- Fixing your code’s API calls that broke due to the API change
For organizations that regularly update their software supply chain, all of these maintenance tasks take up ~30% of your developers’ time today, but it’s not an exhaustive list. Some organizations also have a “no outdated” packages policy, which means that every 3-6 months they refresh their runtime environment with:
- Package Updates – most open source packages are regularly updated with new features and functionality, which offer further opportunities for innovation, but also mean:
- Fixing your code that may have broken due to the update.
- Wrestling with dependency management, since the new package version may generate conflicts with existing dependencies.
Even fewer organizations are taking a longer term view of their software supply chain, which is based on a version of a programming language that will inevitably become EOL after a few years, forcing:
- Programming Language Upgrade/Migration – most organizations either outsource or attempt to use internal resources to move to the latest version of the language in a “big bang” manner, which rarely ends well.
Software supply chain maintenance doesn’t need to be this painful. An emerging class of software supply chain platforms can help to automate many of these tedious, repetitive – and expensive — maintenance tasks.
How to Automate Software Supply Chain Maintenance
Legacy, monolithic applications often continued running for decades since they relied on very few third party elements (think the software on board NASA’s Voyager 2, for example). By comparison, today’s modern applications may cease to function and/or expose your organization to significant security risk in a matter of weeks due to breaking changes in some part of your software supply chain.
That’s because most organizations are not in the business of supply chain management, so they rarely invest the time and resources required to set up their software supply chain properly. And why should they? The days of vertical integration are long over. Vertical integration went out of fashion in manufacturing decades ago for a reason: it’s far more economical to focus on your finished product and outsource the commoditized components to someone else.
This is why our customers turn to ActiveState: to be their outsourced software supply chain so they can focus on their application, rather than maintaining the open source their app requires.
ActiveState ensures:
- Package and language vulnerabilities are identified ASAP, including zero day vulnerabilities.
- New package releases are built securely from vetted source code, and made available in a timely manner.
- New major, minor and patch versions of programming languages are built securely from vetted source code, and made available in a timely manner.
- Package/language updates are identified (eg., updates that resolve critical vulnerabilities); dependency changes are resolved, and the runtime environment automatically rebuilt as a branch that you can pull at any time.
- Any breaking changes to your code as a result of the update can also be identified and resolved if you provide ActiveState access to your GitHub repository.
- Upgrades to your programming language are automated and can be initiated at any time; dependency changes are resolved, and the runtime environment automatically rebuilt as a branch that you can pull at any time.
- Any breaking changes to your code as a result of the upgrade can also be identified and resolved if you provide ActiveState access to your GitHub repository.
If this sounds like something you could take advantage of, please Contact Us to get started today.
Conclusions – Outsourcing Your Software Supply Chain
Unlike the old version of tech debt that was based on each developer fixing mistakes in the code they wrote, organizations have very little control over today’s software supply chain tech debt since it is entirely composed of third-party code.
Only the largest organizations can afford to spend the time and resources to create and manage their open source software supply chain in a robust and sustainable manner. SMBs are stuck cobbling together a bunch of point solutions (SCA tools, repositories, build tools, and so on) just to be able to compete. Given such a system, it’s no wonder that most SMBs take an ad hoc approach to maintaining and updating their software supply chain, which is the equivalent of building a house on a shifting foundation.
The ActiveState Platform provides a holistic solution for generating a repository that contains the secure set of dependencies your application requires, and then constantly keeping them up to date (along with your programming language) while avoiding breaking your build.
By outsourcing your software supply chain to ActiveState, you can gain:
- Time & Resources – regain the 30% of your developer’s time currently spent on maintenance.
- Agility – If you currently release 6 times a year, you can create 2 more releases that can close 2 more competitive gaps and/or introduce new features with the time and resources saved through outsourcing.
- Revenue – If the new releases allow you to generate just 5% more revenue, that translates into millions of dollars for an SMB.
- Innovation – with an always-up-to-date set of packages and programming languages, you’ll always be able to take advantage of the latest features and functionality to create even more differentiated offerings.
Turn your organization into a modern software factory by outsourcing your software supply chain so you can focus on your finished product. Focus is a powerful thing.
Next Steps
For a concrete example of the pitfalls associated with software supply chain maintenance, watch our webinar on The Python End of Life Trap: Avoiding Legacy Open Source Risks in Your Software Supply Chain.