Your software supply chain includes:
- All the open source dependencies your project requires.
- All the development and build tooling those open source ecosystems come with.
- Any number of commercial tools you’ve purchased to ensure your dependencies are fit for use, which can include apps that help identify security and compliance concerns, for example.
As most organizations learned when they started leveraging open source software, even though it was free to license, there were significant costs in time and resources to implement and maintain it. In fact, it's so expensive that most organizations don't bother to maintain their codebase, exposing them to cyberattacks as outdated codebases become more and more vulnerable over time.
But what can you do? Times are tough, and even cybersecurity budgets that have weathered cuts before are under pressure to reduce spend. For example, in 2023, cybersecurity budgets shrank by as much as two-thirds over 2022 according to the 2023 Security Budget Benchmark Summary Report. The good news is that cybersecurity budgets still grew by 6%, but that’s compared to 17% growth in 2022. Another survey by PwC suggests 2024 budgets are unlikely to help, with only ~8% of organizations willing to increase their cybersecurity budget by at least 15%.
This is all occurring at a time when:
- Software supply chain attacks are growing at 633% year on year
- Ransomware payouts (as well as malware attacks in general) hit an all-time high in 2023
- Cybersecurity burnout is reaching epidemic proportions
- New SEC rules around cybersecurity disclosures were just introduced
Not to mention the fact that cybersecurity technology just keeps getting more complex and costly every year.
The real issue here is that your software supply chain is both vitally necessary to, and an enormous drag on, your business. Because it's not the thing you sell, your software supply chain is not the focus of your efforts. As a result, it's typically been cobbled together from multiple solutions over time that do more to increase your costs than to help meet your security and productivity goals.
Let’s break down the costs to see what outsourcing can mean for your bottom line.
Software Supply Chain Cost Analysis
When you step back and look at how open source software gets from an ecosystem's public repositories onto a developer's desktop, there are probably more steps involved than you may think. While startups may be fine with just letting developers download and install open source packages directly, most organizations take a more process-oriented approach to ensuring packages are fit for use before they can be incorporated into their software development process.
But with process often comes complexity, meaning that the solution your organization has implemented over the years has grown, and is probably costing you far more than you think. For example:
| Capability | In-house Annual Cost |
|---|---|
| Creating and maintaining a software supply chain (including the ability to build key packages like OpenSSL securely from source code) | 1 DevOp FTE per language in your tech stack |
| Package and environment management tooling adoption (costs may be significantly higher if commercial tooling is used instead) | $50 per developer |
| Maintaining an approved catalog of dependencies | 10% of a Security FTE, an IT FTE and a Compliance FTE |
| Artifact repository (monitors dependencies over time for vulnerabilities) | $2500 per developer* |
| SCA tooling (identifies licenses, vulnerabilities and maintainability) | $139 per developer** |
| Cybersecurity professional (investigates alerts generated by SCA and artifact repository) | 1 FTE |
| Open source maintenance & dependency remediation | 10% of a sprint |

\* based on repositories like JFrog Artifactory, Sonatype Nexus and others
\*\* based on SCA tools like Snyk, Mend, Checkmarx, and others
Using a $150K FTE and a team of 10 developers working with 2 programming languages, we can calculate the cost of an in-house implementation of a software supply chain to be:
| Capability | In-house Annual Cost | ActiveState Advantage |
|---|---|---|
| Creating and maintaining a software supply chain | $300K | Included for any number of languages |
| Package and environment management tooling adoption | $500 | Universal tooling for all languages |
| Maintaining an approved catalog of dependencies | $45K | Policy-driven, eliminating the need for manual intervention |
| Artifact repository | $25K | Included |
| SCA tooling | $1390 | Included |
| Cybersecurity professional | $150K | Included |
| Open source maintenance & dependency remediation | $150K | Included |
| Total | ~$672K | 10-20% of in-house costs, depending on requirements |
While your actual numbers may vary depending on the size of your team, the number of languages in your tech stack, and the number of tools and processes you've implemented, the message is clear: outsourcing your software supply chain costs a fraction of an in-house implementation, while freeing up a number of dedicated resources to focus on improving your software end product.
Conclusions – Outsourced Software Supply Chain Security & Productivity Gains
The business case created here is a very simple one, erring on the side of minimizing the cost of an in-house software supply chain solution. For example, security-conscious organizations may want to build far more than just OpenSSL from source code in order to ensure security. This effectively means vendoring many of your dependencies, which can dramatically raise costs, especially if you want to ensure security by building them with a hardened build service that supports reproducibility.
Those same security-conscious organizations are also likely to take alerts seriously, dedicating more than one cybersecurity professional to investigating the volume of false positives that can often plague a project, especially at the start or when significant changes are made. It's also these kinds of organizations that are most likely to be affected by cybersecurity burnout, and they may lack the resources to replace the staff they lose at a time when there is a deficit of such workers in the marketplace.
When it comes to productivity, the benefit of outsourcing is much more straightforward: it frees up internal resources from managing your software supply chain solution to focus on your application, helping to close competitive gaps or extend your market lead.
Next Steps
If the dollars and cents of this business case make sense, take the next step and learn How To Outsource Software Supply Chain Maintenance.