Part 1: What is a software supply chain?
First, we must consider a standard supply chain.
The term comes from manufacturing and is just one way to help explain a complex system of independent sources working together. A supply chain is a simplified model that can help describe a complex process.
An easy and familiar example is that of a grocery supply chain. Here, food is grown, harvested, processed, and then purchased from a store:
Each stage here is a link in the chain of people, tools, and processes that put food on your table. This is likely the most common way food is distributed worldwide, and every company in it builds its business by optimizing this process.
The first complication you can imagine is the effort to make sure that perishable food stays cold at every stage of this process. Steps in this process could include refrigerated trucks, quality assurance, and continuous monitoring for harmful spoilage.
But what about non-domestic purchases like coffee that are frequently imported and involve more processing and packaging? Their supply chain has more steps and branches:
What about imports from multiple sources? Cars in particular have a complex supply chain that involves dozens or hundreds of different sources. After all, Toyota does not make its own tires. Here we see that the supply chain starts from sources that have their own supply chains.
All of these help explain how a ship stuck in the Suez Canal in 2021 represented a serious failure in the global supply chain process.
This is because, when manufactured goods are cut off from the companies that order them, the delays create shortages and cause problems down the chain. After all, no one is buying a car without an engine.
These parts can be exceptionally small. For example, a chip shortage has exposed faults in the automotive supply chain, delaying car manufacture throughout 2021 and 2022.
Worse, having the best product on the market doesn’t count for much if customers cannot buy your product. Companies in hotly competitive markets may risk going out of business as a result of shortages. As a result, the world economy and robust supply chains can make market decisions long before consumers decide what they prefer.
How does software fit into this?
Much of the software industry looks to the “supply chain” model due to parallels between the manufacturing process and modern software development. Because software is also made from component parts, it looks very similar:
The analogy continues in other areas:
- Product testing
- Quality assurance
- Distribution
- Warranties (or Service-Level Agreements)
And software is frequently a competitive market where key features and capabilities can make the difference between leadership and old news.
Because software can be infinitely copied, it lacks the same shortages that are caused by blocked shipping channels. However, software still experiences delays and scarcity around quality components, qualified developers, and computing power.
Modern software development happens in a similar way: it is also built from parts, involves multiple developers, teams, and systems both inside and outside of a given company. And, just like airplanes, some software must continue to function under stress.
Therefore, we define the “software supply chain” as anything that impacts software evaluation, production, and distribution.
How Manufacturing Optimization Informs Software
It should be common sense that products made with inferior, low-quality parts represent a gamble that can result in failure. Whether it’s a toaster oven or an airplane, failure can harm your brand. Likewise, products made from parts can be improved by using better parts.
But, that hasn’t always been the case. We, and the rest of the supply chain world, credit Edwards Deming, and his work with Toyota, with giving us structure when it comes to managing supply chains. Deming, an expert in what is now known as lean manufacturing, urged Toyota to develop vehicles based on rigid adherence to quality principles.
Deming’s Quality Principles
Four principles that apply to both regular and software supply chains:
1. Use better and fewer suppliers
2. Use high-quality parts from those suppliers
3. Resolve defects early and never pass a known defect downstream
4. Create transparency and track what you use and where
Quality Matters Just as Much as Speed
Deming preached that if you have the highest quality parts, you can make the highest quality products at high velocity. But, if you just focus on speed, you’re going to lose every time.
Although these ideas are over 40 years old, many of the concepts are lucidly stated and just as relevant today. In particular, his suggestions about the power of trusted suppliers, or using third-party components rather than creating everything yourself, mirror in many ways the open source component software of today. The idea of sharing knowledge in the form of parts allowed companies like Toyota to build better cars, faster.
Consider the initial releases of the Toyota Prius compared to the Chevy Volt as a somewhat recent example. At the time of release, the Prius cost nearly 60% less to build than the Volt and was sold 13 times more often. Toyota was making half as much of their own car, meaning significantly less labor for them — and did it all with a fraction of the suppliers Chevy used.
The point being, if you’re going to build the highest quality vehicles — or software — you need to pick the highest quality parts. And, you need to know what parts you’ve used so, if anything goes wrong, you know exactly where they are.
In manufacturing, failures could mean an expensive recall, and even though software is easy to distribute, software vulnerabilities and quality issues can rapidly eclipse the price tag of a device recall. Companies that don’t take this danger seriously can lose value (to the tune of $350 million in the case of Yahoo’s purchase by Verizon), receive fines, or go bankrupt. There is no shortage of companies in the news who describe experiencing a “wake-up call” after a breach. But it’s more than just security: understanding quality principles can save you time and money throughout the software development lifecycle.
Upstream vs. Downstream
While most readers will likely imagine software supply chain considerations like these as relevant only at the assembly stage, every link in the chain benefits from this analysis. In fact, many development teams function in the middle and develop software for the next link in the chain.
Adding to our image above, if you’re part of the Assembly step in the supply chain, steps to the left are upstream and to the right are downstream:
These concepts are important both for orienting activity in the software supply chain and for describing attacks.