In traditional manufacturing there are suppliers, parts, warehouses, manufacturers, assembly lines and finished goods. Software development has uncanny similarities. Yet software supply chains lack the rigor and processes that have fueled the high-velocity production, operational efficiencies and competitive differentiation witnessed in other supply chains. The free-for-all nature of component availability and consumption practices has led to significant waste, lower quality, and increased drag that often goes unrecognized by CIOs, enterprise architects, DevOps leaders and software development teams.
Hidden Speed Bumps on the Road to ‘Continuous’
Sonatype has been on the forefront of creating tools to improve developer efficiency and quality since the inception of the Central Repository and Apache Maven in 2001. As the steward of the Central Repository, Sonatype facilitated 17.2 billion component download requests in 2014 alone. This gives Sonatype a detailed perspective on the suppliers, consumption volumes, distribution mechanisms, and quality attributes of Java-based components across today’s software supply chains. Eye-opening insights and analysis of this ecosystem were just published in the “2015 State of the Software Supply Chain Report: Hidden Speed Bumps on the Road to ‘Continuous’.”
The research indicates current practices are silently sabotaging a software development organization’s efforts to accelerate development, improve efficiency and maintain quality. In short, the dependence on open source software components is growing faster than the ability to effectively source, manage, and secure it.
• Of the billions of downloads, 1 in 16 included a known security vulnerability
• 57 percent of organizations have policies to manage component quality, but unfortunately 75 percent don’t enforce them
• The average application has 106 components and 23 percent of those have known vulnerabilities
• 63 percent of businesses do not keep a complete inventory of components used in each application
All of this creates mountains of technical debt and risk, leading to unplanned, unscheduled rework and context switching.
Applying Proven Supply Chain Principles to Software
Sonatype takes a unique approach because it thinks about the challenge differently. The manufacturing industry was transformed by three basic principles: use fewer and better suppliers, use higher-quality parts, and track what is used and where. Sonatype uses automation to apply these principles across the software development lifecycle so organizations can reduce complexity, inefficiency, unplanned rework and risk.
“What Toyota did for the automotive supply chain is what Sonatype is doing today for the software supply chain,” said Wayne Jackson, CEO, Sonatype. “Sonatype’s Nexus software platform is revolutionizing the distribution, automation, and integration of components used across the software supply chain by eliminating complexity and making continuous delivery and DevOps practices even faster.”
The Nexus platform includes the Nexus repository managers, with more than 50,000 installations worldwide, along with Nexus Lifecycle and Nexus Auditor. Customers using the Nexus platform have eliminated elective and avoidable rework as well as downstream maintenance, freeing 15 percent to 40 percent of a developer’s time to advance the pace of innovation.
Nexus tracks and monitors software components across the software lifecycle to reduce the mean time to repair component vulnerabilities from days to minutes. It provides visibility that helps reduce the variety and volume of components used, which in turn reduces both software complexity and technical debt, for example cutting the number of outdated versions in active use by 10x.