The Software Supply Chain: Explained
- Software development closely resembles a traditional supply chain.
- Open source packages serve as the sub-assemblies and constituent parts.
- These parts are stored in package registries and hosted artifact repositories which act as warehouses and storage for parts.
- Development teams assemble these parts into a finished product in the form of a software application or service.
- These products are then “shipped” to customers using continuous integration systems and hosting services for web-hosted products.
If you’re a Sonatype customer, or if you’re investigating Sonatype’s solutions, then you’ve probably heard the phrases “software supply chain” and “supply chain management” before. This guide defines and compares the terms, and provides an overview of how the traditional supply chain translates to the software supply chain.
What is Supply Chain Management?
“Supply Chain Management” describes the act of managing the flow of raw, unprocessed materials as they’re transformed into finished goods and delivered to consumers. Supply chain management is predominantly about the movement of materials, both large scale (like when raw materials travel across the ocean) and small scale (like when parts move from one conveyor belt to the next).
The concept of managing the supply chain isn’t new. Even the earliest civilizations were managing their supply chains to some extent – as the phrase goes, “Rome wasn’t built in a day,” but it also wasn’t built without a steady supply of concrete.
But the concept of modern supply chain management really developed in the 1980’s. Globalization promised faster manufacturing, greater efficiency, and higher quality products, but it also introduced serious risks. Supply chain management was developed to take advantage of the benefits and negotiate the risks.
Movement and Flow
As previously mentioned, supply chain management is predominantly concerned with the movement or flow of materials. That’s because most gains in quality and speed lay in improving the way materials move from one stage of production to the next. Losses in quality or speed usually stem from the same source.
To understand the importance of movement and flow, consider some of the questions an expert would ask if they were tasked with improving the efficiency of a manufacturing plant. They’d want to know where materials are stored, how they arrive at the plant, and how reliable the delivery partners are. They’d also want to know the speed of every conveyor belt and the capacity of every assembly machine. Later, they’d likely ask about how quickly finished products are packed into trucks and how quickly the trucks complete their deliveries.
What is the Software Supply Chain?
Speaking practically, the software supply chain is how components – small bits of pre-made code – move through the development process and are transformed into finished software, then distributed to customers. It’s analogous to how physical raw materials are transformed into finished products, then shipped to store shelves.
The phrase “software supply chain” is relatively new, coined around 2014 as a result of growing awareness of the role of open-source components in the SDLC. Sonatype was one of the first to adopt the phrase, along with its natural extension, “software supply chain management.”
Translating the Traditional Supply Chain to the Software Supply Chain
Supply Chain Management sometimes divides the manufacturing process into four stages: procurement, production, distribution, and customer interface. The software supply chain has 1-to-1 analogs of all four of these stages.
They Call it Procurement, We Call it Sourcing
In the Procurement stage, raw materials are found from suppliers, delivered to site, and stored until ready to use. It’s a highly strategic part of the supply chain. Cost is an issue, but so is speed and quality. Relationships also matter; a vendor who you trust, and who makes transparency a priority, is the best kind of partner.
In the software supply chain, this is the Sourcing stage, where open-source components are pulled from repositories and introduced into the development environment. Open-source components are free-of-charge (sort of – see our guide on OSS to learn more,) but cost is still a strategic factor, since development time is expensive and vulnerable or low-quality components will need remediation. Successful software organizations are deliberate in their choice of the best open-source components. They have a few trusted sources, and they select only the highest quality components.
The use of open-source components in software development has been the trend for years, and that trend is only accelerating. For example, in our 2021 State of the software supply chain Report, Sonatype estimated that Python component downloads increased by 92% and Java component downloads increased by 71% between 2020 and 2021.
They Call it Production, We Call it Development
In the Production stage, raw materials are transformed into their finished state and stored until ready for distribution. This stage is like a factory floor, where conveyor belts move parts into machines to be assembled. This stage is sensitive to the quality of the raw materials and the efficiency of the machinery that moves and assembles the product.
In the software supply chain, the Development phase is where the software is built. Software development can’t be observed like a factory floor, but the same concepts apply. Components are the raw materials, which are moved to developers, assembled into finished applications, and stored until ready to be distributed. The only difference is that developers write their own code as necessary to build important features or make the components “fit” together. Like the factory floor, this stage is sensitive to component quality and the efficiency of the processes that move and build the application.
They Call it Distribution, We Call it DevOps
The goal of the Distribution stage is to ensure that goods flow quickly and safely to the consumer. In traditional supply chain management, this is where a company’s fleet of trucks carefully pack and transport goods to their final destination. It’s a complicated task, and very sensitive to outside forces like weather and gas prices. The most important elements of this stage are consistency and speed. Frequent, speedy deliveries are key.
The modern, hyper-fast SDLC is very different to the traditional distribution methods of supply chain management. Continuous Improvement/Continuous Delivery (CI/CD) means that goods are constantly being returned to Development for further refinement and then redelivered to the consumer. It’s an ever-moving cycle that a fleet of trucks simply can’t duplicate.
But all the concerns of the Distribution stage in traditional supply chains hold true in software supply chains. DevOps is about optimizing speed and consistency in software delivery. In our guide What is DevOps?, we discuss how the principles of DevOps “all work toward a common goal of shortening software delivery cycles and improving the stability of deployments.”
They Call it Customer Interface, We Call it Customer Success
The Customer Interface stage of supply chain management is about the consumer’s interaction with the finished product. Good customer interface requires careful planning. Does the product meet the consumer’s needs? Is it easy to use? Can the consumer find help if they need it? These questions, and others like it, must be considered long before the product reaches its final destination.
In the software supply chain, this stage is called Customer Success, but its primary concern is still how the consumer interacts with the finished product, specifically whether or not the product meets the customer’s needs. Companies and individual users typically purchase software to satisfy a specific strategic goal, and customer success is about helping them achieve it.
Talk to Us
And visit my.sonatype.com for all things Sonatype.
Written By: Jonathan Zora
Jonathan is a Technical Content Developer at Sonatype.