Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Software Supply Chains

1,293 views

Published on

Keynote at MODELS 15 conference held in Ottawa, October 2015.

Discusses the spectrum of software supply chains presenting results of an analysis of open-source component production and providing an overview of challenges with both loose and tight software supply chains.

Published in: Software
  • Be the first to comment

  • Be the first to like this

Software Supply Chains

  1. 1. Gail Murphy
 Univ. of British Columbia Tasktop Technologies
 Software Supply Chains @gail_murphy Photo copyright Wierink/Shutterstock With exception of pictures and icons
  2. 2. 2 ○ ○○ ○ ○○ ○ ○ ○ iPhone Supply Chain Source: Supply Chain 24/7, 09/14 California:
 Design TI:
 Touchscreen Micron:
 Flash memory Cirrus Logic:
 Audio Murata:
 Bluetooth/
 Wifi Infineon:
 Phone network Dialog Semiconductors:
 Power mngmt Samsung:
 Processors ST
 Microelectronics:
 Accelerometers/
 Gysroscope
  3. 3. 3 Software Supply Chains Loose Tight
  4. 4. 4 Loose Software Supply Chain component
 requests 17.2B suppliers total 
 components >105K >834K 2014: Central Repository of Java open source components 2015 State of the Software: Supply Chain Report (Sonatype)
  5. 5. 5 Tight Software Supply Chain
  6. 6. 6 All is good?
  7. 7. 7 Outline Reality: Loose Supply Chain Naïve View Reality: Tight Supply Chain „ ä "
  8. 8. 8 Open Problems Key points: (re)use is not free controlled transparency Caveats: challenges over solutions "
  9. 9. Naïve View
  10. 10. 10 specialized excellence lower costs higher quality 
 Supply Chain: suppliers, parts, manufacturers, finished goods… Naïve View
  11. 11. 11 Software Supply Chain Spectrum Naïve View Loose Tight Bouncy Castle
 used >> 10K organizations
  12. 12. 12Naïve View Loose (vast) majority of developers are part of a software supply chain suppliers components YOU! software
  13. 13. 13Naïve View Loose suppliers total 
 components >105K >834K central repository GitHub project dependences
  14. 14. 14Naïve View Loose build products (and other components) faster
 higher-quality components low cost to (re)use ongoing updates { { { {
  15. 15. 15Naïve View Tight multiple tiers of contractually-obligated suppliers Boeing General Electric Hydro-Aire
  16. 16. 16Naïve View Tight higher-quality components on-time production lower overall product cost { { {
  17. 17. 17 Software Supply Chains Loose Tight faster, better, cheaper open closed
  18. 18. Reality View:
 
 Loose Supply Chain Photo copyright Gniot/Shutterstock
  19. 19. 19Reality View / Loose Supply Chain Two Parts Social S Quality Q
  20. 20. 20Reality View / Loose Supply Chain Social Implications of OSS Library Use S How often does the use of an OSS library lead to a social link between projects? Do social contributions occur before or after a dependence is introduced on a library? What kind of social contributions occur? #1 #2 #3 Palyart and Murphy, 2015, under review
  21. 21. 21 Terminology Reality View / Loose Supply Chain S A B technical dependence social interactions issue comments pull request commit Palyart and Murphy, 2015, under review user
 project/ repository library
 project/ repository
  22. 22. 22 Data Reality View / Loose Supply Chain S 23,059 - not a fork - public - forked at least twice - use Maven 17,900 - depend on GitHub 1,227 - high confidence in 
 correct library dependences 1,409 - > 20 issues - issues > 5% pull requests - handle account deletions =1,125 GitHub repos Palyart and Murphy, 2015, under review
  23. 23. 23 Data Reality View / Loose Supply Chain S A B Library / Date Technical Link Dev / Date / Contrib issue comments pull request commit Social Link Palyart and Murphy, 2015, under review
  24. 24. 24 #1 - How often does library use lead to social links? Reality View / Loose Supply Chain S Guava mcMMO Vault Netty Assertj Junit AppsgateJSONassert 0% 25% 50% 75% 100% 4 32 256 2048 Number of user repositories Rs:Ratioofuserrepositorieshavingasociallink Palyart and Murphy, 2015, under review
  25. 25. 25 #1 - How often does library use lead to social links? Reality View / Loose Supply Chain S Guava mcMMO Vault Netty Assertj Junit AppsgateJSONassert 0% 25% 50% 75% 100% 4 32 256 2048 Number of user repositories Rs:Ratioofuserrepositorieshavingasociallink projects that often have a social link (28%) Palyart and Murphy, 2015, under review
  26. 26. 26 #1 - How often does library use lead to social links? Reality View / Loose Supply Chain S Guava mcMMO Vault Netty Assertj Junit AppsgateJSONassert 0% 25% 50% 75% 100% 4 32 256 2048 Number of user repositories Rs:Ratioofuserrepositorieshavingasociallink projects that sometimes have a social link (23%) Palyart and Murphy, 2015, under review
  27. 27. 27 #1 - How often does library use lead to social links? Reality View / Loose Supply Chain S Guava mcMMO Vault Netty Assertj Junit AppsgateJSONassert 0% 25% 50% 75% 100% 4 32 256 2048 Number of user repositories Rs:Ratioofuserrepositorieshavingasociallink projects that rarely have a social link (49%) Palyart and Murphy, 2015, under review
  28. 28. 28 #1 - How often does library use lead to social links? Reality View / Loose Supply Chain S Guava mcMMO Vault Netty Assertj Junit AppsgateJSONassert 0% 25% 50% 75% 100% 4 32 256 2048 Number of user repositories Rs:Ratioofuserrepositorieshavingasociallink generally…
 the more popular the library, 
 the less likely developers of a user project are to get involved Palyart and Murphy, 2015, under review
  29. 29. 29 #2 - When do social contributions occur related to library use? Reality View / Loose Supply Chain S A B Technical Link Social Link in only 61% of pairs, 
 did technical precede social Palyart and Murphy, 2015, under review
  30. 30. 30 #2 - When do social contributions occur related to library use? Reality View / Loose Supply Chain S Palyart and Murphy, 2015, under review July August September October November in 39% of pairs, social preceded technical social before technical http://www.cs.ubc.ca/~mpalyart/stc_timeline/
  31. 31. 31 #2 - When do social contributions occur related to library use? Reality View / Loose Supply Chain S 0 1000 2000 3000 Social before technical Technical before social Numberofdays social before technical 
 most interactions within a few months
 
 technical before social
 
 more interactions span a longer time time to involvement Palyart and Murphy, 2015, under review 0 1000 2000 3000 Social before technical Technical before social Numberofdays 10 1000 Social before technical Technical before social Numberofdays 1 10 100 1000 10000 Social before technical Technical before social Numberofcontributions
  32. 32. 32 #2 - When do social contributions occur related to library use? Reality View / Loose Supply Chain S 0 1000 2000 3000 Social before technical Technical before social Numberofdays 10 1000 Social before technical Technical before social Numberofdays social before technical 
 either short involvement or
 quite long
 
 technical before social
 
 most involvement under 5 days duration of involvement Palyart and Murphy, 2015, under review 10 1000 Social before technical Technical before social Numberofdays 1 10 100 1000 10000 Social before technical Technical before social Numberofcontributions
  33. 33. 1 10 100 1000 10000 Social before technical Technical before social Numberofcontributions 33 #2 - When do social contributions occur related to library use? Reality View / Loose Supply Chain S social before technical 
 more contributions, stronger
 communities?
 
 technical before social
 
 mostly < 10 contributions number of contributions 1 10 100 1000 10000 Social before technical Technical before social Numberofcontributions Palyart and Murphy, 2015, under review 0 1000 2000 3000 Social before technical Technical before social Numberofdays 10 1000 Social before technical Technical before social Numberofdays
  34. 34. 34 #2 - When do social contributions occur related to library use? Reality View / Loose Supply Chain S 0 1000 2000 3000 Social before technical Technical before social Numberofdays 10 1000 Social before technical Technical before social Numberofdays 1 10 100 1000 10000 Social before technical Technical before social Numberofcontributions when social before technical (39%)…
 
 more often closely tied to technical and often more contributions when technical before social (61%)… may take a long time for interaction and then the interactions are often quick
 Palyart and Murphy, 2015, under review
  35. 35. 35 #3 - What kind of social contributions occur? Reality View / Loose Supply Chain S A B Technical Link Social Link Forward User Library 35% of pairs seeking help, feature requests, pull requests Palyart and Murphy, 2015, under review
  36. 36. 36 #3 - What kind of social contributions occur? Reality View / Loose Supply Chain S A B Technical Link Social Link Backward User Library 30% of pairs existing social community between projects Palyart and Murphy, 2015, under review
  37. 37. 37 #3 - What kind of social contributions occur? Reality View / Loose Supply Chain S A B Technical Link Social Link Forward & Backward User Library 35% of pairs user developers contribute to library library developers later do pull-request to user project to update library Palyart and Murphy, 2015, under review
  38. 38. 38 #3 - What kind of social contributions occur? Reality View / Loose Supply Chain S ● ●●● ●●● ● ●● ●● ● ● ● ● ● ● ● ● ● ● ● ●●● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ●●●●●● ● ●●●● ● ●●●●●●●●● ● ●● ● ● ● ● ● ● ●● ● ●●● ● ● ●● ● ●●●●●●●●● ● ● ●●●●● ● ●●● ● ●●● ● ● ●●● ● ●●● ● ● ● ● ●●● ● ●●● ● ●●● ● ●●●● ● ●●●●●● ● ● ● ● ● ● ● ●●● ● ● 0 10 20 30 40 BO F&B FO Numberofdevelopers ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ●● ●●● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● 0 200 400 600 BO F&B FO Numberofdays ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ●● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ●● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●●● ● ● ● ● ● ●● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ●●● ● ● ● ● ● ●● ● ● ● ● ● ●●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● 0 500 1000 1500 2000 BO F&B FO Numberofcontributions = backward only = forward & backward = forward only # developers # social contributions Palyart and Murphy, 2015, under review
  39. 39. 39 #3 - What kind of social contributions occur? Reality View / Loose Supply Chain S ● ●●● ●●● ● ●● ●● ● ● ● ● ● ● ● ● ● ● ● ●●● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ●●●●●● ● ●●●● ● ●●●●●●●●● ● ●● ● ● ● ● ● ● ●● ● ●●● ● ● ●● ● ●●●●●●●●● ● ● ●●●●● ● ●●● ● ●●● ● ● ●●● ● ●●● ● ● ● ● ●●● ● ●●● ● ●●● ● ●●●● ● ●●●●●● ● ● ● ● ● ● ● ●●● ● ● 0 10 20 30 40 BO F&B FO Numberofdevelopers ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ●● ●●● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● 0 200 400 600 BO F&B FO Numberofdays ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ●● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ●● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●●● ● ● ● ● ● ●● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ●●● ● ● ● ● ● ●● ● ● ● ● ● ●●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● 0 500 1000 1500 2000 BO F&B FO Numberofcontributions = backward only = forward & backward = forward only Palyart and Murphy, 2015, under review involvement time
  40. 40. 40 #3 - What kind of social contributions occur? Reality View / Loose Supply Chain S ● ●●● ●●● ● ●● ●● ● ● ● ● ● ● ● ● ● ● ● ●●● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ●●●●●● ● ●●●● ● ●●●●●●●●● ● ●● ● ● ● ● ● ● ●● ● ●●● ● ● ●● ● ●●●●●●●●● ● ● ●●●●● ● ●●● ● ●●● ● ● ●●● ● ●●● ● ● ● ● ●●● ● ●●● ● ●●● ● ●●●● ● ●●●●●● ● ● ● ● ● ● ● ●●● ● ● 0 10 20 30 40 BO F&B FO Numberofdevelopers ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ●● ●●● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● 0 200 400 600 BO F&B FO Numberofdays ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ●● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ●● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●●● ● ● ● ● ● ●● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ●●● ● ● ● ● ● ●● ● ● ● ● ● ●●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● 0 500 1000 1500 2000 BO F&B FO Numberofcontributions = backward only = forward & backward = forward only # developers # social contributions Palyart and Murphy, 2015, under review more backward social contributions than expected and their presence indicates a strong social link
 involvement time
  41. 41. 41 Loose Software Supply Chain Reality View / Loose Supply Chain often a social cost to using a library more often than expected cost to being a library
  42. 42. 42Reality / Tight Supply Chain Two Parts Social S Quality Q
  43. 43. 43Reality View / Loose Supply Chain Quality Implications of OSS Library Use Q component
 requests 17.2B suppliers total 
 components >105K >834K 2014: Central Repository of Java open source components 2015 State of the Software: Supply Chain Report (Sonatype) constant updating ~ 3.5 times / yr
  44. 44. 44Reality View / Loose Supply Chain Quality Implications of OSS Library Use Q Almost too Big to Fail, Geer and Corman, USENIX 2014 A B direct (1-hop) only 41% of vulnerable dependencies remediated mean-time-to-repair of these was 390 days CVSS level 10 - still 224 days to repair B’
  45. 45. 45Reality View / Loose Supply Chain Quality Implications of OSS Library Use Q CVE-2013-2251
 CVSS 9.3
 Exploitability 10 since identification… 4,076 organizations have downloaded the vulnerable component 179,050 times 2015 State of the Software: Supply Chain Report (Sonatype)
  46. 46. 46Reality View / Loose Supply Chain Quality Implications of OSS Library Use Q CVE-2007-6721
 CVSS 10
 Exploitability 10 since identification… 11,236 organizations have downloaded the vulnerable component 214,484 times 2015 State of the Software: Supply Chain Report (Sonatype)
  47. 47. 47Reality View / Loose Supply Chain Quality Implications of OSS Library Use Q 2015 State of the Software: Supply Chain Report (Sonatype) 7.5% 66% of 240,757 component downloads by large financial or technology firms in 2014… were of known defective part and or those with a defective part, the defects were older than 2013
  48. 48. 48 Loose Software Supply Chain Reality View / Loose Supply Chain (re)use is not free social and upgrade costs to use
  49. 49. Reality View: Tight Supply
 Chain Photo copyright Gniot/Shutterstock
  50. 50. 50Reality / Tight Supply Chain Two Parts Social S Quality Q
  51. 51. 51 Tight Software Supply Chain Reality / Tight Supply Chains S contractual agreement contractual agreement
  52. 52. 52 Tight Software Supply Chain Reality / Tight Supply Chains Boeing General Electric Hydro- Aire S contractual agreement contractual agreement
  53. 53. 53 Communication Reality / Tight Supply Chains S contractual agreement contractual agreement restricted information flow restricted information flow
  54. 54. 54 Communication Reality / Tight Supply Chains S contractual agreement contractual agreement Req Change #2 Req Change #1 Test Result #3
  55. 55. 55 Communication Reality / Tight Supply Chains S contractual agreement contractual agreement Req Change #2 Req Change #1 Test Result #3
  56. 56. 56 Communication Reality / Tight Supply Chains S contractual agreement contractual agreement
  57. 57. 57 Communication Reality / Tight Supply Chains S Doors
 RTC HP Quality Center Blueprint RTC HP Quality Center VersionOne Eclipse HP Quality Center
  58. 58. 58 Communication Reality / Tight Supply Chains S Doors
 RTC HP Quality Center Blueprint RTC HP Quality Center VersionOne Eclipse HP Quality Center Schema Mappings Schema Mappings
  59. 59. 59 Tight Software Supply Chain Reality View / Loose Supply Chain need tools to facilitate appropriate communication
  60. 60. 60Reality / Tight Supply Chain Two Parts Social S Quality Q
  61. 61. 61 Tight Software Supply Chain Reality / Tight Supply Chains Boeing General Electric Hydro- Aire Q ability to verify the brake software wasn’t built in
  62. 62. 62 Tight Software Supply Chain Reality / Tight Supply Chains Boeing General Electric Hydro- Aire Q full transparency
 full opacity
  63. 63. 63 Tight Software Supply Chain Reality / Tight Supply Chains Q controlled transparency balance need to share with protection of intellectual property
  64. 64. Open
 Problems Illustration copyright Ai825/Shutterstock
  65. 65. 65Open Problems Loose Software Supply Chains 
 
 
 assess when a component upgrade is needed? 
 
 lower the cost of quality and security upgrades? 
 
 
 measure
 and predict
 social cost of
 component use? 
 
 
 
 
 
 determine when backward social
 contributions are
 needed? can we…. ä ä ä ä
  66. 66. 66Open Problems Tight Software Supply Chains 
 
 
 
 
 cost-effectively manage multi-tiered supply chains? 
 
 effectively handle arrangements of tight and loose supply chains? 
 
 
 automatically apply IP filters to information exchange? 
 
 
 provide white-box information without revealing secret sauce? can we…. ä ä ä ä
  67. 67. Illustration copyright Nenov Brothers Images /Shutterstock
  68. 68. 68Summary Thanks to many post-docs, students and industrial collaborators over the years for their insights.
 
 Thanks to NECSIS colleagues (particularly Jo Atlee, Marsha Chechik and Mark Lawford)
 for conversations. Thanks to Sonatype for an analysis of the Central Repository. Marc Palyart Mik Kersten Dave West
  69. 69. 69Summary Software Supply Chains Naïve Better, faster, cheaper Loose Supply Chain Reuse is not free Tight Supply Chain Controlled transparencyNaïve Tight Loose Open Open Problems Technical and ecosystem
  70. 70. 70Summary Software Supply Chains “supply chain” conjures up thoughts of organized, managed flows for software supply chains, the reality is different (chaotic? brittle?) (re)use is not free controlled transparency @gail_murphy Loose Tight Photo copyright Wierink/Shutterstock
  71. 71. 71Summary Software Supply Chains “supply chain” conjures up thoughts of organized, managed flows for software supply chains, the reality is different (chaotic? brittle?) (re)use is not free controlled transparency @gail_murphy Loose Tight Photo copyright Wierink/Shutterstock
  72. 72. Gail Murphy
 Univ. of British Columbia Tasktop Technologies
 Software Supply Chains @gail_murphy Photo copyright Wierink/Shutterstock With exception of pictures and icons

×