Sonatype

Software Supply Chain Query from São Paulo


Hello Sloan,
My peers sometimes talk about the “software supply chain” or our “supply chain management.” I’m a programmer and don’t really get the connection of supply chains to our work. Can you break it down for me?

Thanks,
Supply Chain Query from São Paulo


Dear Supply Chain Query,

I can understand your confusion! The words “supply chain” don’t immediately evoke thoughts of software development. I don’t know about you, but when I think about a supply chain I imagine a complex object, like an airplane. This analogy to the manufacturing world should help to explain how supply chains apply to software as well.

A Quick Analogy

Let’s continue on thinking about airplanes for a moment. Think about how many parts it takes to build an airplane. Those parts can come from many different suppliers, all around the world. It’s a tricky calculus, balancing speed, quality, and cost, when it comes to determining which parts to use. 

Software is not dissimilar when you think about it. Countless parts and pieces make up software these days; by one 2020 estimate, open-source components account for as much as 90% of the code in a typical application. As with most anything these days, the pressure to deliver the end product quickly is omnipresent.

Risk and the Supply Chain

Millions of people rely on air transportation every day. Because safety is of utmost concern, manufacturers keep bills of materials for every part that goes into a plane. This ensures that if there is an issue with a part, the manufacturer knows which planes the part is in and who made the part. If there is a vulnerability or bug in a software application, knowing which parts are in your software is just as important. It’s so important that in May 2021, United States President Joe Biden issued Executive Order 14028 on improving the nation’s cybersecurity, which directs federal agencies to require a Software Bill of Materials, or SBOM, from vendors supplying them software.

Developers like yourself use open-source components to speed up the development process. Pulling in components that do what you need them to do is much faster than writing your own code. A lot of the same risk assessment that goes into sourcing airplane parts also applies to open-source components. 

  • Is the supplier of the part or component known and/or trusted? 
  • Is that supplier well-regarded or often used? 
  • Do they regularly update their parts to ensure the highest quality possible?

While cost and speed are important, quality is a factor that cannot be ignored in any kind of supply chain. Any end product, be it an airplane or an application, relies on the strength of its parts. 
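Here is what the bill-of-materials question looks like in practice, as an added example that is not part of the original column or any Sonatype tool. It indexes two constructed CycloneDX-style SBOM documents by package URL (purl) and answers "which of our applications ship a version of this component below the fixed version?" against two constructed advisory records. The application names, component names and advisory identifiers are all invented for illustration, and the version ordering is a simplified numeric comparison rather than the ecosystem-specific rules a real scanner applies.

```python
import json
from typing import Dict, List, Tuple

# Constructed SBOMs for two hypothetical applications, written in the shape
# of CycloneDX 1.4 JSON. Each component is identified by its package URL
# (purl), which encodes ecosystem, namespace, name and version.
CHECKOUT_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"component": {"name": "checkout-service", "version": "3.2.0"}},
    "components": [
        {"type": "library", "purl": "pkg:maven/com.example/acme-json@2.1.0"},
        {"type": "library", "purl": "pkg:maven/com.example/acme-http@5.0.2?type=jar"},
    ],
})
BILLING_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"component": {"name": "billing-api", "version": "1.9.4"}},
    "components": [
        {"type": "library", "purl": "pkg:maven/com.example/acme-json@2.1.4"},
        {"type": "library", "purl": "pkg:npm/acme-widgets@0.8.1"},
    ],
})

# Constructed advisory records (hypothetical identifiers, not real CVEs):
# every version of the named package below "fixed_in" is considered affected.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "pkg:maven/com.example/acme-json", "fixed_in": "2.1.4"},
    {"id": "EXAMPLE-0002", "package": "pkg:npm/acme-widgets", "fixed_in": "0.9.0"},
]


def parse_purl(purl: str) -> Tuple[str, str]:
    """Split a purl into (package, version).

    Qualifiers (?...) and subpath (#...) are dropped so that the same
    library packaged as a jar or a pom still indexes under one key.
    """
    core = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" not in core:
        return core, ""
    package, version = core.rsplit("@", 1)
    return package, version


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric tuple for ordering dotted release versions such as 2.1.4.

    Simplified on purpose: real tooling applies ecosystem rules (Maven,
    semver, PEP 440) that handle qualifiers like -rc1 or .Final correctly.
    """
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def index_components(sbom_documents: List[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Map each package to the (application, component version) pairs that ship it."""
    index: Dict[str, List[Tuple[str, str]]] = {}
    for doc in sbom_documents:
        bom = json.loads(doc)
        app = bom["metadata"]["component"]
        app_label = f'{app["name"]}@{app["version"]}'
        for comp in bom.get("components", []):
            package, version = parse_purl(comp["purl"])
            index.setdefault(package, []).append((app_label, version))
    return index


def affected_applications(index: Dict[str, List[Tuple[str, str]]],
                          advisories: List[dict]) -> List[Tuple[str, str, str]]:
    """Return (advisory id, application, component version) for each shipped
    component whose version is older than the advisory's fixed version."""
    hits = []
    for adv in advisories:
        for app_label, version in index.get(adv["package"], []):
            if version_key(version) < version_key(adv["fixed_in"]):
                hits.append((adv["id"], app_label, version))
    return sorted(hits)


if __name__ == "__main__":
    inventory = index_components([CHECKOUT_SBOM, BILLING_SBOM])
    for advisory_id, app, version in affected_applications(inventory, ADVISORIES):
        print(f"{advisory_id}: {app} ships affected version {version}")
```

The point of the index is the same as the airplane manufacturer's: when an advisory lands, the answer to "where is this part?" comes from the inventory, not from grepping every build. Note that billing-api already carries acme-json 2.1.4 and is correctly left out, while its older acme-widgets build is flagged.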

Where You Can Learn More

Sonatype recently put out our eighth annual State of the Software Supply Chain Report, which contains industry-leading research and analysis on the state of open-source software. This year’s report tackles topics like software supply chain maturity, trends in managing open-source dependencies, and the security of the open-source supply. These insights are invaluable for describing the state of open source in modern software development. Now that you’ve got a high-level understanding of the software supply chain, take a peek at it!

For further reading, check out one of our Sonatype blog posts on the supply chain, and our introductory guide to the topic! As a parting question, I’ll leave you with this: how do you approach finding quality components to use in your applications? Let us know in the comments below, and let us know if there is anything you want covered in an upcoming Sloan column!

Until next time,

Sloan

Jeff

Things I look for when selecting a component:

  • Does it fulfill the functional requirements I’m looking for?
  • Is it licensed in a way that will satisfy my Legal department?
  • What is the vulnerability history for the component?
  • If lots of vulnerabilities, how quickly are fixes put in place?
  • What is the reputation of the team behind the open source component?
  • If updates lag, how quickly can I contribute a fix to the open source project and have it released?