Software Supply Chains

Gail Murphy
Gail MurphyProfessor at University of British Columbia
Gail Murphy
 Univ. of British Columbia Tasktop Technologies
 Software Supply Chains @gail_murphy Photo copyright Wierink/Shutterstock With exception of pictures and icons
2 ○ ○○ ○ ○○ ○ ○ ○ iPhone Supply Chain Source: Supply Chain 24/7, 09/14 California:
 Design TI:
 Touchscreen Micron:
 Flash memory Cirrus Logic:
 Audio Murata:
 Bluetooth/
 Wifi Infineon:
 Phone network Dialog Semiconductors:
 Power mngmt Samsung:
 Processors ST
 Microelectronics:
 Accelerometers/
 Gysroscope
3 Software Supply Chains Loose Tight
4 Loose Software Supply Chain component
 requests 17.2B suppliers total 
 components >105K >834K 2014: Central Repository of Java open source components 2015 State of the Software: Supply Chain Report (Sonatype)
5 Tight Software Supply Chain
6 All is good?
7 Outline Reality: Loose Supply Chain Naïve View Reality: Tight Supply Chain „ ä "
8 Open Problems Key points: (re)use is not free controlled transparency Caveats: challenges over solutions "
Naïve View
10 specialized excellence lower costs higher quality 
 Supply Chain: suppliers, parts, manufacturers, finished goods… Naïve View
11 Software Supply Chain Spectrum Naïve View Loose Tight Bouncy Castle
 used >> 10K organizations
12Naïve View Loose (vast) majority of developers are part of a software supply chain suppliers components YOU! software
13Naïve View Loose suppliers total 
 components >105K >834K central repository GitHub project dependences
14Naïve View Loose build products (and other components) faster
 higher-quality components low cost to (re)use ongoing updates { { { {
15Naïve View Tight multiple tiers of contractually-obligated suppliers Boeing General Electric Hydro-Aire
16Naïve View Tight higher-quality components on-time production lower overall product cost { { {
17 Software Supply Chains Loose Tight faster, better, cheaper open closed
Reality View:
 
 Loose Supply Chain Photo copyright Gniot/Shutterstock
19Reality View / Loose Supply Chain Two Parts Social S Quality Q
20Reality View / Loose Supply Chain Social Implications of OSS Library Use S How often does the use of an OSS library lead to a social link between projects? Do social contributions occur before or after a dependence is introduced on a library? What kind of social contributions occur? #1 #2 #3 Palyart and Murphy, 2015, under review
21 Terminology Reality View / Loose Supply Chain S A B technical dependence social interactions issue comments pull request commit Palyart and Murphy, 2015, under review user
 project/ repository library
 project/ repository
22 Data Reality View / Loose Supply Chain S 23,059 - not a fork - public - forked at least twice - use Maven 17,900 - depend on GitHub 1,227 - high confidence in 
 correct library dependences 1,409 - > 20 issues - issues > 5% pull requests - handle account deletions =1,125 GitHub repos Palyart and Murphy, 2015, under review
23 Data Reality View / Loose Supply Chain S A B Library / Date Technical Link Dev / Date / Contrib issue comments pull request commit Social Link Palyart and Murphy, 2015, under review
24 #1 - How often does library use lead to social links? Reality View / Loose Supply Chain S Guava mcMMO Vault Netty Assertj Junit AppsgateJSONassert 0% 25% 50% 75% 100% 4 32 256 2048 Number of user repositories Rs:Ratioofuserrepositorieshavingasociallink Palyart and Murphy, 2015, under review
25 #1 - How often does library use lead to social links? Reality View / Loose Supply Chain S Guava mcMMO Vault Netty Assertj Junit AppsgateJSONassert 0% 25% 50% 75% 100% 4 32 256 2048 Number of user repositories Rs:Ratioofuserrepositorieshavingasociallink projects that often have a social link (28%) Palyart and Murphy, 2015, under review
26 #1 - How often does library use lead to social links? Reality View / Loose Supply Chain S Guava mcMMO Vault Netty Assertj Junit AppsgateJSONassert 0% 25% 50% 75% 100% 4 32 256 2048 Number of user repositories Rs:Ratioofuserrepositorieshavingasociallink projects that sometimes have a social link (23%) Palyart and Murphy, 2015, under review
27 #1 - How often does library use lead to social links? Reality View / Loose Supply Chain S Guava mcMMO Vault Netty Assertj Junit AppsgateJSONassert 0% 25% 50% 75% 100% 4 32 256 2048 Number of user repositories Rs:Ratioofuserrepositorieshavingasociallink projects that rarely have a social link (49%) Palyart and Murphy, 2015, under review
28 #1 - How often does library use lead to social links? Reality View / Loose Supply Chain S Guava mcMMO Vault Netty Assertj Junit AppsgateJSONassert 0% 25% 50% 75% 100% 4 32 256 2048 Number of user repositories Rs:Ratioofuserrepositorieshavingasociallink generally…
 the more popular the library, 
 the less likely developers of a user project are to get involved Palyart and Murphy, 2015, under review
29 #2 - When do social contributions occur related to library use? Reality View / Loose Supply Chain S A B Technical Link Social Link in only 61% of pairs, 
 did technical precede social Palyart and Murphy, 2015, under review
30 #2 - When do social contributions occur related to library use? Reality View / Loose Supply Chain S Palyart and Murphy, 2015, under review July August September October November in 39% of pairs, social preceded technical social before technical http://www.cs.ubc.ca/~mpalyart/stc_timeline/
31 #2 - When do social contributions occur related to library use? Reality View / Loose Supply Chain S 0 1000 2000 3000 Social before technical Technical before social Numberofdays social before technical 
 most interactions within a few months
 
 technical before social
 
 more interactions span a longer time time to involvement Palyart and Murphy, 2015, under review 0 1000 2000 3000 Social before technical Technical before social Numberofdays 10 1000 Social before technical Technical before social Numberofdays 1 10 100 1000 10000 Social before technical Technical before social Numberofcontributions
32 #2 - When do social contributions occur related to library use? Reality View / Loose Supply Chain S 0 1000 2000 3000 Social before technical Technical before social Numberofdays 10 1000 Social before technical Technical before social Numberofdays social before technical 
 either short involvement or
 quite long
 
 technical before social
 
 most involvement under 5 days duration of involvement Palyart and Murphy, 2015, under review 10 1000 Social before technical Technical before social Numberofdays 1 10 100 1000 10000 Social before technical Technical before social Numberofcontributions
1 10 100 1000 10000 Social before technical Technical before social Numberofcontributions 33 #2 - When do social contributions occur related to library use? Reality View / Loose Supply Chain S social before technical 
 more contributions, stronger
 communities?
 
 technical before social
 
 mostly < 10 contributions number of contributions 1 10 100 1000 10000 Social before technical Technical before social Numberofcontributions Palyart and Murphy, 2015, under review 0 1000 2000 3000 Social before technical Technical before social Numberofdays 10 1000 Social before technical Technical before social Numberofdays
34 #2 - When do social contributions occur related to library use? Reality View / Loose Supply Chain S 0 1000 2000 3000 Social before technical Technical before social Numberofdays 10 1000 Social before technical Technical before social Numberofdays 1 10 100 1000 10000 Social before technical Technical before social Numberofcontributions when social before technical (39%)…
 
 more often closely tied to technical and often more contributions when technical before social (61%)… may take a long time for interaction and then the interactions are often quick
 Palyart and Murphy, 2015, under review
35 #3 - What kind of social contributions occur? Reality View / Loose Supply Chain S A B Technical Link Social Link Forward User Library 35% of pairs seeking help, feature requests, pull requests Palyart and Murphy, 2015, under review
36 #3 - What kind of social contributions occur? Reality View / Loose Supply Chain S A B Technical Link Social Link Backward User Library 30% of pairs existing social community between projects Palyart and Murphy, 2015, under review
37 #3 - What kind of social contributions occur? Reality View / Loose Supply Chain S A B Technical Link Social Link Forward & Backward User Library 35% of pairs user developers contribute to library library developers later do pull-request to user project to update library Palyart and Murphy, 2015, under review
38 #3 - What kind of social contributions occur? Reality View / Loose Supply Chain S ● ●●● ●●● ● ●● ●● ● ● ● ● ● ● ● ● ● ● ● ●●● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ●●●●●● ● ●●●● ● ●●●●●●●●● ● ●● ● ● ● ● ● ● ●● ● ●●● ● ● ●● ● ●●●●●●●●● ● ● ●●●●● ● ●●● ● ●●● ● ● ●●● ● ●●● ● ● ● ● ●●● ● ●●● ● ●●● ● ●●●● ● ●●●●●● ● ● ● ● ● ● ● ●●● ● ● 0 10 20 30 40 BO F&B FO Numberofdevelopers ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ●● ●●● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● 0 200 400 600 BO F&B FO Numberofdays ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ●● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ●● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●●● ● ● ● ● ● ●● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ●●● ● ● ● ● ● ●● ● ● ● ● ● ●●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● 0 500 1000 1500 2000 BO F&B FO Numberofcontributions = backward only = forward & backward = forward only # developers # social contributions Palyart and Murphy, 2015, under review
39 #3 - What kind of social contributions occur? Reality View / Loose Supply Chain S ● ●●● ●●● ● ●● ●● ● ● ● ● ● ● ● ● ● ● ● ●●● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ●●●●●● ● ●●●● ● ●●●●●●●●● ● ●● ● ● ● ● ● ● ●● ● ●●● ● ● ●● ● ●●●●●●●●● ● ● ●●●●● ● ●●● ● ●●● ● ● ●●● ● ●●● ● ● ● ● ●●● ● ●●● ● ●●● ● ●●●● ● ●●●●●● ● ● ● ● ● ● ● ●●● ● ● 0 10 20 30 40 BO F&B FO Numberofdevelopers ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ●● ●●● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● 0 200 400 600 BO F&B FO Numberofdays ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ●● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ●● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●●● ● ● ● ● ● ●● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ●●● ● ● ● ● ● ●● ● ● ● ● ● ●●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● 0 500 1000 1500 2000 BO F&B FO Numberofcontributions = backward only = forward & backward = forward only Palyart and Murphy, 2015, under review involvement time
40 #3 - What kind of social contributions occur? Reality View / Loose Supply Chain S ● ●●● ●●● ● ●● ●● ● ● ● ● ● ● ● ● ● ● ● ●●● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ●●●●●● ● ●●●● ● ●●●●●●●●● ● ●● ● ● ● ● ● ● ●● ● ●●● ● ● ●● ● ●●●●●●●●● ● ● ●●●●● ● ●●● ● ●●● ● ● ●●● ● ●●● ● ● ● ● ●●● ● ●●● ● ●●● ● ●●●● ● ●●●●●● ● ● ● ● ● ● ● ●●● ● ● 0 10 20 30 40 BO F&B FO Numberofdevelopers ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ●● ●●● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● 0 200 400 600 BO F&B FO Numberofdays ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ●● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ●● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●●● ● ● ● ● ● ●● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ●●● ● ● ● ● ● ●● ● ● ● ● ● ●●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● 0 500 1000 1500 2000 BO F&B FO Numberofcontributions = backward only = forward & backward = forward only # developers # social contributions Palyart and Murphy, 2015, under review more backward social contributions than expected and their presence indicates a strong social link
 involvement time
41 Loose Software Supply Chain Reality View / Loose Supply Chain often a social cost to using a library more often than expected cost to being a library
42Reality / Tight Supply Chain Two Parts Social S Quality Q
43Reality View / Loose Supply Chain Quality Implications of OSS Library Use Q component
 requests 17.2B suppliers total 
 components >105K >834K 2014: Central Repository of Java open source components 2015 State of the Software: Supply Chain Report (Sonatype) constant updating ~ 3.5 times / yr
44Reality View / Loose Supply Chain Quality Implications of OSS Library Use Q Almost too Big to Fail, Geer and Corman, USENIX 2014 A B direct (1-hop) only 41% of vulnerable dependencies remediated mean-time-to-repair of these was 390 days CVSS level 10 - still 224 days to repair B’
45Reality View / Loose Supply Chain Quality Implications of OSS Library Use Q CVE-2013-2251
 CVSS 9.3
 Exploitability 10 since identification… 4,076 organizations have downloaded the vulnerable component 179,050 times 2015 State of the Software: Supply Chain Report (Sonatype)
46Reality View / Loose Supply Chain Quality Implications of OSS Library Use Q CVE-2007-6721
 CVSS 10
 Exploitability 10 since identification… 11,236 organizations have downloaded the vulnerable component 214,484 times 2015 State of the Software: Supply Chain Report (Sonatype)
47Reality View / Loose Supply Chain Quality Implications of OSS Library Use Q 2015 State of the Software: Supply Chain Report (Sonatype) 7.5% 66% of 240,757 component downloads by large financial or technology firms in 2014… were of known defective part and or those with a defective part, the defects were older than 2013
48 Loose Software Supply Chain Reality View / Loose Supply Chain (re)use is not free social and upgrade costs to use
Reality View: Tight Supply
 Chain Photo copyright Gniot/Shutterstock
50Reality / Tight Supply Chain Two Parts Social S Quality Q
51 Tight Software Supply Chain Reality / Tight Supply Chains S contractual agreement contractual agreement
52 Tight Software Supply Chain Reality / Tight Supply Chains Boeing General Electric Hydro- Aire S contractual agreement contractual agreement
53 Communication Reality / Tight Supply Chains S contractual agreement contractual agreement restricted information flow restricted information flow
54 Communication Reality / Tight Supply Chains S contractual agreement contractual agreement Req Change #2 Req Change #1 Test Result #3
55 Communication Reality / Tight Supply Chains S contractual agreement contractual agreement Req Change #2 Req Change #1 Test Result #3
56 Communication Reality / Tight Supply Chains S contractual agreement contractual agreement
57 Communication Reality / Tight Supply Chains S Doors
 RTC HP Quality Center Blueprint RTC HP Quality Center VersionOne Eclipse HP Quality Center
58 Communication Reality / Tight Supply Chains S Doors
 RTC HP Quality Center Blueprint RTC HP Quality Center VersionOne Eclipse HP Quality Center Schema Mappings Schema Mappings
59 Tight Software Supply Chain Reality View / Loose Supply Chain need tools to facilitate appropriate communication
60Reality / Tight Supply Chain Two Parts Social S Quality Q
61 Tight Software Supply Chain Reality / Tight Supply Chains Boeing General Electric Hydro- Aire Q ability to verify the brake software wasn’t built in
62 Tight Software Supply Chain Reality / Tight Supply Chains Boeing General Electric Hydro- Aire Q full transparency
 full opacity
63 Tight Software Supply Chain Reality / Tight Supply Chains Q controlled transparency balance need to share with protection of intellectual property
Open
 Problems Illustration copyright Ai825/Shutterstock
65Open Problems Loose Software Supply Chains 
 
 
 assess when a component upgrade is needed? 
 
 lower the cost of quality and security upgrades? 
 
 
 measure
 and predict
 social cost of
 component use? 
 
 
 
 
 
 determine when backward social
 contributions are
 needed? can we…. ä ä ä ä
66Open Problems Tight Software Supply Chains 
 
 
 
 
 cost-effectively manage multi-tiered supply chains? 
 
 effectively handle arrangements of tight and loose supply chains? 
 
 
 automatically apply IP filters to information exchange? 
 
 
 provide white-box information without revealing secret sauce? can we…. ä ä ä ä
Illustration copyright Nenov Brothers Images /Shutterstock
68Summary Thanks to many post-docs, students and industrial collaborators over the years for their insights.
 
 Thanks to NECSIS colleagues (particularly Jo Atlee, Marsha Chechik and Mark Lawford)
 for conversations. Thanks to Sonatype for an analysis of the Central Repository. Marc Palyart Mik Kersten Dave West
69Summary Software Supply Chains Naïve Better, faster, cheaper Loose Supply Chain Reuse is not free Tight Supply Chain Controlled transparencyNaïve Tight Loose Open Open Problems Technical and ecosystem
70Summary Software Supply Chains “supply chain” conjures up thoughts of organized, managed flows for software supply chains, the reality is different (chaotic? brittle?) (re)use is not free controlled transparency @gail_murphy Loose Tight Photo copyright Wierink/Shutterstock
71Summary Software Supply Chains “supply chain” conjures up thoughts of organized, managed flows for software supply chains, the reality is different (chaotic? brittle?) (re)use is not free controlled transparency @gail_murphy Loose Tight Photo copyright Wierink/Shutterstock
Gail Murphy
 Univ. of British Columbia Tasktop Technologies
 Software Supply Chains @gail_murphy Photo copyright Wierink/Shutterstock With exception of pictures and icons
1 of 72

Software Supply Chains

Download to read offline
Software

Keynote at MODELS 15 conference held in Ottawa, October 2015. Discusses the spectrum of software supply chains presenting results of an analysis of open-source component production and providing an overview of challenges with both loose and tight software supply chains.

Gail Murphy
Gail MurphyProfessor at University of British Columbia

Recommended

Software Supply Chain by
Software Supply ChainSoftware Supply Chain
Software Supply ChainJohn Rauser
298 views30 slides
Cisco ERP Implementation by
Cisco ERP ImplementationCisco ERP Implementation
Cisco ERP Implementationsaili mane
6.6K views27 slides
Uber - Building Intelligent Applications, Experimental ML with Uber’s Data Sc... by
Uber - Building Intelligent Applications, Experimental ML with Uber’s Data Sc...Uber - Building Intelligent Applications, Experimental ML with Uber’s Data Sc...
Uber - Building Intelligent Applications, Experimental ML with Uber’s Data Sc...Karthik Murugesan
444 views47 slides
Apple Supply Chain Mgmt by
Apple Supply Chain MgmtApple Supply Chain Mgmt
Apple Supply Chain MgmtLloyd Soans
25K views15 slides
Applichem case Analysis by
Applichem case AnalysisApplichem case Analysis
Applichem case AnalysisJyotsana Shrivastava
984 views14 slides
Case Study: Intel Corporation 1968-2003 by
Case Study: Intel Corporation 1968-2003Case Study: Intel Corporation 1968-2003
Case Study: Intel Corporation 1968-2003National Taiwan University Graduate Institute of Business Administration
40.2K views20 slides

More Related Content

What's hot

Presentation CISCO & HP by
Presentation CISCO & HPPresentation CISCO & HP
Presentation CISCO & HPAbhijat Dhawal
8.4K views34 slides
Fold rite furniture v1.7 by
Fold rite furniture v1.7Fold rite furniture v1.7
Fold rite furniture v1.7Frisca Listyaningtyas
22.8K views40 slides
Merton Truck Company by
Merton Truck CompanyMerton Truck Company
Merton Truck CompanyTushar Arora
43.8K views20 slides
CRM case study for MBA Students by
CRM case study for MBA StudentsCRM case study for MBA Students
CRM case study for MBA StudentsRuchita Pangriya
1.5K views7 slides
Apple supply chain management by
Apple supply chain managementApple supply chain management
Apple supply chain managementAnil Bharti
27K views17 slides
Bill french case study by
Bill french case studyBill french case study
Bill french case studyHimanshu Arya
11.8K views12 slides

What's hot(20)

Presentation CISCO & HP by Abhijat Dhawal
Presentation CISCO & HPPresentation CISCO & HP
Presentation CISCO & HP
Abhijat Dhawal8.4K views
Fold rite furniture v1.7 by Frisca Listyaningtyas
Fold rite furniture v1.7Fold rite furniture v1.7
Fold rite furniture v1.7
Frisca Listyaningtyas22.8K views
Merton Truck Company by Tushar Arora
Merton Truck CompanyMerton Truck Company
Merton Truck Company
Tushar Arora43.8K views
CRM case study for MBA Students by Ruchita Pangriya
CRM case study for MBA StudentsCRM case study for MBA Students
CRM case study for MBA Students
Ruchita Pangriya1.5K views
Apple supply chain management by Anil Bharti
Apple supply chain managementApple supply chain management
Apple supply chain management
Anil Bharti27K views
Bill french case study by Himanshu Arya
Bill french case studyBill french case study
Bill french case study
Himanshu Arya11.8K views
Business simulation game a new path to management education (v 1.2) by Ganesh S
Business simulation game a new path to management education (v 1.2)Business simulation game a new path to management education (v 1.2)
Business simulation game a new path to management education (v 1.2)
Ganesh S2.7K views
Cola wars continue by Rohan Khandelwal
Cola wars continueCola wars continue
Cola wars continue
Rohan Khandelwal13.7K views
Supply Chain Metrics That Matter by Lora Cecere
Supply Chain Metrics That MatterSupply Chain Metrics That Matter
Supply Chain Metrics That Matter
Lora Cecere9K views
Tl 9000 by ahmad bassiouny
Tl 9000Tl 9000
Tl 9000
ahmad bassiouny2.4K views
Konica Minolta by monotech system ltd.
Konica Minolta Konica Minolta
Konica Minolta
monotech system ltd.4.6K views
Amazon and Future Group: Rethinking the Alliance Strategy by Shashank Mishra
Amazon and Future Group: Rethinking the Alliance StrategyAmazon and Future Group: Rethinking the Alliance Strategy
Amazon and Future Group: Rethinking the Alliance Strategy
Shashank Mishra996 views
Delwarca software remote support unit by Santosh Mishra
Delwarca software remote support unitDelwarca software remote support unit
Delwarca software remote support unit
Santosh Mishra4.7K views
Focal factory - Toshiba - Case Analysis- V.V.L.N. Sastry by Dr.V.V.L.N. Sastry
Focal factory - Toshiba - Case Analysis- V.V.L.N. SastryFocal factory - Toshiba - Case Analysis- V.V.L.N. Sastry
Focal factory - Toshiba - Case Analysis- V.V.L.N. Sastry
Dr.V.V.L.N. Sastry535 views
Precise software solutions case by Abhijeet Kumar
Precise software solutions casePrecise software solutions case
Precise software solutions case
Abhijeet Kumar8.9K views
Apple supply chain analysis by Nitin Maurya (MBA, MS-SCM)
Apple supply chain analysisApple supply chain analysis
Apple supply chain analysis
Nitin Maurya (MBA, MS-SCM)33.6K views
Allentwen material corporation - Electronic product division by Saurabh Arora
Allentwen material corporation - Electronic product divisionAllentwen material corporation - Electronic product division
Allentwen material corporation - Electronic product division
Saurabh Arora5.4K views
Maersk by Manpreet Khurana
MaerskMaersk
Maersk
Manpreet Khurana479 views
Learn 2 Win H4D Stanford 2019 by Stanford University
Learn 2 Win H4D Stanford 2019Learn 2 Win H4D Stanford 2019
Learn 2 Win H4D Stanford 2019
Stanford University109.7K views
Ba401 Cisco Systems, Inc by Pinggi
Ba401 Cisco Systems, IncBa401 Cisco Systems, Inc
Ba401 Cisco Systems, Inc
Pinggi3.1K views

Similar to Software Supply Chains

Findings Revealed: 2015 State of the Software Supply Chain by
Findings Revealed: 2015 State of the Software Supply Chain Findings Revealed: 2015 State of the Software Supply Chain
Findings Revealed: 2015 State of the Software Supply Chain Sonatype
1K views44 slides
Embracing Web 2.0 - Archives and the Next Generation of Web Apps by
Embracing Web 2.0 - Archives and the Next Generation of Web AppsEmbracing Web 2.0 - Archives and the Next Generation of Web Apps
Embracing Web 2.0 - Archives and the Next Generation of Web Appsguestf0bb3e
238 views19 slides
Twitter analytics: some thoughts on sampling, tools, data, ethics and user re... by
Twitter analytics: some thoughts on sampling, tools, data, ethics and user re...Twitter analytics: some thoughts on sampling, tools, data, ethics and user re...
Twitter analytics: some thoughts on sampling, tools, data, ethics and user re...Farida Vis
5.8K views105 slides
LAM 2015 - Social Networks Technologies by
LAM 2015 - Social Networks TechnologiesLAM 2015 - Social Networks Technologies
LAM 2015 - Social Networks TechnologiesLuigi De Russis
1.3K views52 slides
Social Information & Browsing March 6 by
Social Information & Browsing March 6Social Information & Browsing March 6
Social Information & Browsing March 6sritikumar
413 views31 slides
Blockchain by
BlockchainBlockchain
BlockchainAlessandro Confetti
216 views19 slides

Similar to Software Supply Chains(20)

Findings Revealed: 2015 State of the Software Supply Chain by Sonatype
Findings Revealed: 2015 State of the Software Supply Chain Findings Revealed: 2015 State of the Software Supply Chain
Findings Revealed: 2015 State of the Software Supply Chain
Sonatype 1K views
Embracing Web 2.0 - Archives and the Next Generation of Web Apps by guestf0bb3e
Embracing Web 2.0 - Archives and the Next Generation of Web AppsEmbracing Web 2.0 - Archives and the Next Generation of Web Apps
Embracing Web 2.0 - Archives and the Next Generation of Web Apps
guestf0bb3e238 views
Twitter analytics: some thoughts on sampling, tools, data, ethics and user re... by Farida Vis
Twitter analytics: some thoughts on sampling, tools, data, ethics and user re...Twitter analytics: some thoughts on sampling, tools, data, ethics and user re...
Twitter analytics: some thoughts on sampling, tools, data, ethics and user re...
Farida Vis5.8K views
LAM 2015 - Social Networks Technologies by Luigi De Russis
LAM 2015 - Social Networks TechnologiesLAM 2015 - Social Networks Technologies
LAM 2015 - Social Networks Technologies
Luigi De Russis1.3K views
Social Information & Browsing March 6 by sritikumar
Social Information & Browsing March 6Social Information & Browsing March 6
Social Information & Browsing March 6
sritikumar413 views
Blockchain by Alessandro Confetti
BlockchainBlockchain
Blockchain
Alessandro Confetti216 views
The evolution of research on social media by Farida Vis
The evolution of research on social mediaThe evolution of research on social media
The evolution of research on social media
Farida Vis4.6K views
Enhancing user engagement on mobile devices by Randall Arnold
Enhancing user engagement on mobile devicesEnhancing user engagement on mobile devices
Enhancing user engagement on mobile devices
Randall Arnold888 views
Implications of Open Source Software Use (or Let's Talk Open Source) by Gail Murphy
Implications of Open Source Software Use (or Let's Talk Open Source)Implications of Open Source Software Use (or Let's Talk Open Source)
Implications of Open Source Software Use (or Let's Talk Open Source)
Gail Murphy714 views
Managing Community Contributions: Lessons Learned from a Case Study on Andro... by Nicolas Bettenburg
Managing Community Contributions: Lessons Learned from a Case Study on Andro...Managing Community Contributions: Lessons Learned from a Case Study on Andro...
Managing Community Contributions: Lessons Learned from a Case Study on Andro...
Nicolas Bettenburg624 views
Privacy Concerns vs. User Behavior in Community Question Answering by Nicolas Kourtellis
Privacy Concerns vs. User Behavior in Community Question AnsweringPrivacy Concerns vs. User Behavior in Community Question Answering
Privacy Concerns vs. User Behavior in Community Question Answering
Nicolas Kourtellis308 views
Crowdsourcing and data journalism by Tanja Aitamurto
Crowdsourcing and data journalism Crowdsourcing and data journalism
Crowdsourcing and data journalism
Tanja Aitamurto631 views
ICSE10 StakeSource Talk by Soo Ling Lim
ICSE10 StakeSource TalkICSE10 StakeSource Talk
ICSE10 StakeSource Talk
Soo Ling Lim401 views
2015 pdf-marc smith-node xl-social media sna by Marc Smith
2015 pdf-marc smith-node xl-social media sna2015 pdf-marc smith-node xl-social media sna
2015 pdf-marc smith-node xl-social media sna
Marc Smith11.9K views
Io t loraalliance-marketingday_vfinal by Thierry Lestable
Io t loraalliance-marketingday_vfinalIo t loraalliance-marketingday_vfinal
Io t loraalliance-marketingday_vfinal
Thierry Lestable757 views
NYPL Internet Lending pre-pilot OST survey results by jamesenglish
NYPL Internet Lending pre-pilot OST survey resultsNYPL Internet Lending pre-pilot OST survey results
NYPL Internet Lending pre-pilot OST survey results
jamesenglish714 views
WiFi: Current And Future Opportunities by Peter Jarich
WiFi: Current And Future Opportunities WiFi: Current And Future Opportunities
WiFi: Current And Future Opportunities
Peter Jarich2.9K views
Digital Generation by Ottawa Catholic School Board
Digital GenerationDigital Generation
Digital Generation
Ottawa Catholic School Board1.2K views
Benefits of the Social Web: How Can It Help My Museum? by lisbk
Benefits of the Social Web: How Can It Help My Museum?Benefits of the Social Web: How Can It Help My Museum?
Benefits of the Social Web: How Can It Help My Museum?
lisbk1.2K views
Web2.0.2012 - lesson 9 - social networks by Carlo Vaccari
Web2.0.2012 - lesson 9 - social networksWeb2.0.2012 - lesson 9 - social networks
Web2.0.2012 - lesson 9 - social networks
Carlo Vaccari398 views

More from Gail Murphy

Architecting-Flow-in-SE.pdf by
Architecting-Flow-in-SE.pdfArchitecting-Flow-in-SE.pdf
Architecting-Flow-in-SE.pdfGail Murphy
13 views55 slides
The (Un) Expected Impact of Tools in Software Evolution by
The (Un) Expected Impact of Tools in Software EvolutionThe (Un) Expected Impact of Tools in Software Evolution
The (Un) Expected Impact of Tools in Software EvolutionGail Murphy
198 views52 slides
Icsme 2021-keynote-creating-usable-and-useful-software-tools by
Icsme 2021-keynote-creating-usable-and-useful-software-toolsIcsme 2021-keynote-creating-usable-and-useful-software-tools
Icsme 2021-keynote-creating-usable-and-useful-software-toolsGail Murphy
310 views53 slides
Is software engineering research addressing software engineering problems? by
Is software engineering research addressing software engineering problems?Is software engineering research addressing software engineering problems?
Is software engineering research addressing software engineering problems?Gail Murphy
330 views74 slides
Developing Effective Software Productively by
Developing Effective Software ProductivelyDeveloping Effective Software Productively
Developing Effective Software ProductivelyGail Murphy
181 views40 slides
Making Effective, Useful Software Development Tools by
Making Effective, Useful Software Development ToolsMaking Effective, Useful Software Development Tools
Making Effective, Useful Software Development ToolsGail Murphy
351 views41 slides

More from Gail Murphy(16)

Architecting-Flow-in-SE.pdf by Gail Murphy
Architecting-Flow-in-SE.pdfArchitecting-Flow-in-SE.pdf
Architecting-Flow-in-SE.pdf
Gail Murphy13 views
The (Un) Expected Impact of Tools in Software Evolution by Gail Murphy
The (Un) Expected Impact of Tools in Software EvolutionThe (Un) Expected Impact of Tools in Software Evolution
The (Un) Expected Impact of Tools in Software Evolution
Gail Murphy198 views
Icsme 2021-keynote-creating-usable-and-useful-software-tools by Gail Murphy
Icsme 2021-keynote-creating-usable-and-useful-software-toolsIcsme 2021-keynote-creating-usable-and-useful-software-tools
Icsme 2021-keynote-creating-usable-and-useful-software-tools
Gail Murphy310 views
Is software engineering research addressing software engineering problems? by Gail Murphy
Is software engineering research addressing software engineering problems?Is software engineering research addressing software engineering problems?
Is software engineering research addressing software engineering problems?
Gail Murphy330 views
Developing Effective Software Productively by Gail Murphy
Developing Effective Software ProductivelyDeveloping Effective Software Productively
Developing Effective Software Productively
Gail Murphy181 views
Making Effective, Useful Software Development Tools by Gail Murphy
Making Effective, Useful Software Development ToolsMaking Effective, Useful Software Development Tools
Making Effective, Useful Software Development Tools
Gail Murphy351 views
The Need for Context in Software Engineering by Gail Murphy
The Need for Context in Software EngineeringThe Need for Context in Software Engineering
The Need for Context in Software Engineering
Gail Murphy1.2K views
Beyond DevOps: Finding Value through Requirements by Gail Murphy
Beyond DevOps: Finding Value through RequirementsBeyond DevOps: Finding Value through Requirements
Beyond DevOps: Finding Value through Requirements
Gail Murphy689 views
Impactful SE Research: Some Do's and More Don'ts by Gail Murphy
Impactful SE Research: Some Do's and More Don'tsImpactful SE Research: Some Do's and More Don'ts
Impactful SE Research: Some Do's and More Don'ts
Gail Murphy2.3K views
The Elusive Nature of Context: Why We Need It and Were We Might Find It by Gail Murphy
The Elusive Nature of Context: Why We Need It and Were We Might Find ItThe Elusive Nature of Context: Why We Need It and Were We Might Find It
The Elusive Nature of Context: Why We Need It and Were We Might Find It
Gail Murphy762 views
Human-centric Software Development Tools by Gail Murphy
Human-centric Software Development ToolsHuman-centric Software Development Tools
Human-centric Software Development Tools
Gail Murphy1.2K views
Is Continuous Adoption in Software Engineering Achievable and Desirable? by Gail Murphy
Is Continuous Adoption in Software Engineering Achievable and Desirable? Is Continuous Adoption in Software Engineering Achievable and Desirable?
Is Continuous Adoption in Software Engineering Achievable and Desirable?
Gail Murphy2.2K views
Acm productivity-webinar-2016-slides by Gail Murphy
Acm productivity-webinar-2016-slidesAcm productivity-webinar-2016-slides
Acm productivity-webinar-2016-slides
Gail Murphy1K views
Getting to Flow in Software Development (ASWEC 2014 Keynote) by Gail Murphy
Getting to Flow in Software Development (ASWEC 2014 Keynote)Getting to Flow in Software Development (ASWEC 2014 Keynote)
Getting to Flow in Software Development (ASWEC 2014 Keynote)
Gail Murphy1.4K views
The Human Element by Gail Murphy
The Human ElementThe Human Element
The Human Element
Gail Murphy405 views
What is Software Development Productivity Anyway? by Gail Murphy
What is Software Development Productivity Anyway?What is Software Development Productivity Anyway?
What is Software Development Productivity Anyway?
Gail Murphy2.2K views

Recently uploaded

360 graden fabriek by
360 graden fabriek360 graden fabriek
360 graden fabriekinfo33492
38 views25 slides
DSD-INT 2023 Delft3D FM Suite 2024.01 1D2D - Beta testing programme - Geertsema by
DSD-INT 2023 Delft3D FM Suite 2024.01 1D2D - Beta testing programme - GeertsemaDSD-INT 2023 Delft3D FM Suite 2024.01 1D2D - Beta testing programme - Geertsema
DSD-INT 2023 Delft3D FM Suite 2024.01 1D2D - Beta testing programme - GeertsemaDeltares
17 views13 slides
DSD-INT 2023 Exploring flash flood hazard reduction in arid regions using a h... by
DSD-INT 2023 Exploring flash flood hazard reduction in arid regions using a h...DSD-INT 2023 Exploring flash flood hazard reduction in arid regions using a h...
DSD-INT 2023 Exploring flash flood hazard reduction in arid regions using a h...Deltares
5 views31 slides
SUGCON ANZ Presentation V2.1 Final.pptx by
SUGCON ANZ Presentation V2.1 Final.pptxSUGCON ANZ Presentation V2.1 Final.pptx
SUGCON ANZ Presentation V2.1 Final.pptxJack Spektor
22 views34 slides
Gen Apps on Google Cloud PaLM2 and Codey APIs in Action by
Gen Apps on Google Cloud PaLM2 and Codey APIs in ActionGen Apps on Google Cloud PaLM2 and Codey APIs in Action
Gen Apps on Google Cloud PaLM2 and Codey APIs in ActionMárton Kodok
5 views55 slides
Programming Field by
Programming FieldProgramming Field
Programming Fieldthehardtechnology
5 views9 slides

Recently uploaded(20)

360 graden fabriek by info33492
360 graden fabriek360 graden fabriek
360 graden fabriek
info3349238 views
DSD-INT 2023 Delft3D FM Suite 2024.01 1D2D - Beta testing programme - Geertsema by Deltares
DSD-INT 2023 Delft3D FM Suite 2024.01 1D2D - Beta testing programme - GeertsemaDSD-INT 2023 Delft3D FM Suite 2024.01 1D2D - Beta testing programme - Geertsema
DSD-INT 2023 Delft3D FM Suite 2024.01 1D2D - Beta testing programme - Geertsema
Deltares17 views
DSD-INT 2023 Exploring flash flood hazard reduction in arid regions using a h... by Deltares
DSD-INT 2023 Exploring flash flood hazard reduction in arid regions using a h...DSD-INT 2023 Exploring flash flood hazard reduction in arid regions using a h...
DSD-INT 2023 Exploring flash flood hazard reduction in arid regions using a h...
Deltares5 views
SUGCON ANZ Presentation V2.1 Final.pptx by Jack Spektor
SUGCON ANZ Presentation V2.1 Final.pptxSUGCON ANZ Presentation V2.1 Final.pptx
SUGCON ANZ Presentation V2.1 Final.pptx
Jack Spektor22 views
Gen Apps on Google Cloud PaLM2 and Codey APIs in Action by Márton Kodok
Gen Apps on Google Cloud PaLM2 and Codey APIs in ActionGen Apps on Google Cloud PaLM2 and Codey APIs in Action
Gen Apps on Google Cloud PaLM2 and Codey APIs in Action
Márton Kodok5 views
Programming Field by thehardtechnology
Programming FieldProgramming Field
Programming Field
thehardtechnology5 views
EV Charging App Case by iCoderz Solutions
EV Charging App Case EV Charging App Case
EV Charging App Case
iCoderz Solutions5 views
Navigating container technology for enhanced security by Niklas Saari by Metosin Oy
Navigating container technology for enhanced security by Niklas SaariNavigating container technology for enhanced security by Niklas Saari
Navigating container technology for enhanced security by Niklas Saari
Metosin Oy14 views
DSD-INT 2023 Wave-Current Interaction at Montrose Tidal Inlet System and Its ... by Deltares
DSD-INT 2023 Wave-Current Interaction at Montrose Tidal Inlet System and Its ...DSD-INT 2023 Wave-Current Interaction at Montrose Tidal Inlet System and Its ...
DSD-INT 2023 Wave-Current Interaction at Montrose Tidal Inlet System and Its ...
Deltares11 views
AI and Ml presentation .pptx by FayazAli87
AI and Ml presentation .pptxAI and Ml presentation .pptx
AI and Ml presentation .pptx
FayazAli8711 views
FIMA 2023 Neo4j & FS - Entity Resolution.pptx by Neo4j
FIMA 2023 Neo4j & FS - Entity Resolution.pptxFIMA 2023 Neo4j & FS - Entity Resolution.pptx
FIMA 2023 Neo4j & FS - Entity Resolution.pptx
Neo4j7 views
Headless JS UG Presentation.pptx by Jack Spektor
Headless JS UG Presentation.pptxHeadless JS UG Presentation.pptx
Headless JS UG Presentation.pptx
Jack Spektor7 views
The Era of Large Language Models.pptx by AbdulVahedShaik
The Era of Large Language Models.pptxThe Era of Large Language Models.pptx
The Era of Large Language Models.pptx
AbdulVahedShaik5 views
DSD-INT 2023 The Danube Hazardous Substances Model - Kovacs by Deltares
DSD-INT 2023 The Danube Hazardous Substances Model - KovacsDSD-INT 2023 The Danube Hazardous Substances Model - Kovacs
DSD-INT 2023 The Danube Hazardous Substances Model - Kovacs
Deltares8 views
Myths and Facts About Hospice Care: Busting Common Misconceptions by Care Coordinations
Myths and Facts About Hospice Care: Busting Common MisconceptionsMyths and Facts About Hospice Care: Busting Common Misconceptions
Myths and Facts About Hospice Care: Busting Common Misconceptions
Care Coordinations5 views
Team Transformation Tactics for Holistic Testing and Quality (Japan Symposium... by Lisi Hocke
Team Transformation Tactics for Holistic Testing and Quality (Japan Symposium...Team Transformation Tactics for Holistic Testing and Quality (Japan Symposium...
Team Transformation Tactics for Holistic Testing and Quality (Japan Symposium...
Lisi Hocke30 views
Generic or specific? Making sensible software design decisions by Bert Jan Schrijver
Generic or specific? Making sensible software design decisionsGeneric or specific? Making sensible software design decisions
Generic or specific? Making sensible software design decisions
Bert Jan Schrijver6 views
SAP FOR CONTRACT MANUFACTURING.pdf by Virendra Rai, PMP
SAP FOR CONTRACT MANUFACTURING.pdfSAP FOR CONTRACT MANUFACTURING.pdf
SAP FOR CONTRACT MANUFACTURING.pdf
Virendra Rai, PMP13 views
DSD-INT 2023 Delft3D FM Suite 2024.01 2D3D - New features + Improvements - Ge... by Deltares
DSD-INT 2023 Delft3D FM Suite 2024.01 2D3D - New features + Improvements - Ge...DSD-INT 2023 Delft3D FM Suite 2024.01 2D3D - New features + Improvements - Ge...
DSD-INT 2023 Delft3D FM Suite 2024.01 2D3D - New features + Improvements - Ge...
Deltares17 views
WebAssembly by Jens Siebert
WebAssemblyWebAssembly
WebAssembly
Jens Siebert48 views

Software Supply Chains

  • 1. Gail Murphy
 Univ. of British Columbia Tasktop Technologies
 Software Supply Chains @gail_murphy Photo copyright Wierink/Shutterstock With exception of pictures and icons
  • 2. 2 ○ ○○ ○ ○○ ○ ○ ○ iPhone Supply Chain Source: Supply Chain 24/7, 09/14 California:
 Design TI:
 Touchscreen Micron:
 Flash memory Cirrus Logic:
 Audio Murata:
 Bluetooth/
 Wifi Infineon:
 Phone network Dialog Semiconductors:
 Power mngmt Samsung:
 Processors ST
 Microelectronics:
 Accelerometers/
 Gysroscope
  • 4. 4 Loose Software Supply Chain component
 requests 17.2B suppliers total 
 components >105K >834K 2014: Central Repository of Java open source components 2015 State of the Software: Supply Chain Report (Sonatype)
  • 7. 7 Outline Reality: Loose Supply Chain Naïve View Reality: Tight Supply Chain „ ä "
  • 8. 8 Open Problems Key points: (re)use is not free controlled transparency Caveats: challenges over solutions "
  • 10. 10 specialized excellence lower costs higher quality 
 Supply Chain: suppliers, parts, manufacturers, finished goods… Naïve View
  • 11. 11 Software Supply Chain Spectrum Naïve View Loose Tight Bouncy Castle
 used >> 10K organizations
  • 12. 12Naïve View Loose (vast) majority of developers are part of a software supply chain suppliers components YOU! software
  • 13. 13Naïve View Loose suppliers total 
 components >105K >834K central repository GitHub project dependences
  • 14. 14Naïve View Loose build products (and other components) faster
 higher-quality components low cost to (re)use ongoing updates { { { {
  • 15. 15Naïve View Tight multiple tiers of contractually-obligated suppliers Boeing General Electric Hydro-Aire
  • 16. 16Naïve View Tight higher-quality components on-time production lower overall product cost { { {
  • 17. 17 Software Supply Chains Loose Tight faster, better, cheaper open closed
  • 18. Reality View:
 
 Loose Supply Chain Photo copyright Gniot/Shutterstock
  • 19. 19Reality View / Loose Supply Chain Two Parts Social S Quality Q
  • 20. 20Reality View / Loose Supply Chain Social Implications of OSS Library Use S How often does the use of an OSS library lead to a social link between projects? Do social contributions occur before or after a dependence is introduced on a library? What kind of social contributions occur? #1 #2 #3 Palyart and Murphy, 2015, under review
  • 21. 21 Terminology Reality View / Loose Supply Chain S A B technical dependence social interactions issue comments pull request commit Palyart and Murphy, 2015, under review user
 project/ repository library
 project/ repository
  • 22. 22 Data Reality View / Loose Supply Chain S 23,059 - not a fork - public - forked at least twice - use Maven 17,900 - depend on GitHub 1,227 - high confidence in 
 correct library dependences 1,409 - > 20 issues - issues > 5% pull requests - handle account deletions =1,125 GitHub repos Palyart and Murphy, 2015, under review
  • 23. 23 Data Reality View / Loose Supply Chain S A B Library / Date Technical Link Dev / Date / Contrib issue comments pull request commit Social Link Palyart and Murphy, 2015, under review
  • 24. 24 #1 - How often does library use lead to social links? Reality View / Loose Supply Chain S Guava mcMMO Vault Netty Assertj Junit AppsgateJSONassert 0% 25% 50% 75% 100% 4 32 256 2048 Number of user repositories Rs:Ratioofuserrepositorieshavingasociallink Palyart and Murphy, 2015, under review
  • 25. 25 #1 - How often does library use lead to social links? Reality View / Loose Supply Chain S Guava mcMMO Vault Netty Assertj Junit AppsgateJSONassert 0% 25% 50% 75% 100% 4 32 256 2048 Number of user repositories Rs:Ratioofuserrepositorieshavingasociallink projects that often have a social link (28%) Palyart and Murphy, 2015, under review
  • 26. 26 #1 - How often does library use lead to social links? Reality View / Loose Supply Chain S Guava mcMMO Vault Netty Assertj Junit AppsgateJSONassert 0% 25% 50% 75% 100% 4 32 256 2048 Number of user repositories Rs:Ratioofuserrepositorieshavingasociallink projects that sometimes have a social link (23%) Palyart and Murphy, 2015, under review
  • 27. 27 #1 - How often does library use lead to social links? Reality View / Loose Supply Chain S Guava mcMMO Vault Netty Assertj Junit AppsgateJSONassert 0% 25% 50% 75% 100% 4 32 256 2048 Number of user repositories Rs:Ratioofuserrepositorieshavingasociallink projects that rarely have a social link (49%) Palyart and Murphy, 2015, under review
  • 28. 28 #1 - How often does library use lead to social links? Reality View / Loose Supply Chain S Guava mcMMO Vault Netty Assertj Junit AppsgateJSONassert 0% 25% 50% 75% 100% 4 32 256 2048 Number of user repositories Rs:Ratioofuserrepositorieshavingasociallink generally…
 the more popular the library, 
 the less likely developers of a user project are to get involved Palyart and Murphy, 2015, under review
  • 29. 29 #2 - When do social contributions occur related to library use? Reality View / Loose Supply Chain S A B Technical Link Social Link in only 61% of pairs, 
 did technical precede social Palyart and Murphy, 2015, under review
  • 30. 30 #2 - When do social contributions occur related to library use? Reality View / Loose Supply Chain S Palyart and Murphy, 2015, under review July August September October November in 39% of pairs, social preceded technical social before technical http://www.cs.ubc.ca/~mpalyart/stc_timeline/
  • 31. 31 #2 - When do social contributions occur related to library use? Reality View / Loose Supply Chain S 0 1000 2000 3000 Social before technical Technical before social Numberofdays social before technical 
 most interactions within a few months
 
 technical before social
 
 more interactions span a longer time time to involvement Palyart and Murphy, 2015, under review 0 1000 2000 3000 Social before technical Technical before social Numberofdays 10 1000 Social before technical Technical before social Numberofdays 1 10 100 1000 10000 Social before technical Technical before social Numberofcontributions
  • 32. 32 #2 - When do social contributions occur related to library use? Reality View / Loose Supply Chain S 0 1000 2000 3000 Social before technical Technical before social Numberofdays 10 1000 Social before technical Technical before social Numberofdays social before technical 
 either short involvement or
 quite long
 
 technical before social
 
 most involvement under 5 days duration of involvement Palyart and Murphy, 2015, under review 10 1000 Social before technical Technical before social Numberofdays 1 10 100 1000 10000 Social before technical Technical before social Numberofcontributions
  • 33. 1 10 100 1000 10000 Social before technical Technical before social Numberofcontributions 33 #2 - When do social contributions occur related to library use? Reality View / Loose Supply Chain S social before technical 
 more contributions, stronger
 communities?
 
 technical before social
 
 mostly < 10 contributions number of contributions 1 10 100 1000 10000 Social before technical Technical before social Numberofcontributions Palyart and Murphy, 2015, under review 0 1000 2000 3000 Social before technical Technical before social Numberofdays 10 1000 Social before technical Technical before social Numberofdays
  • 34. 34 #2 - When do social contributions occur related to library use? Reality View / Loose Supply Chain S 0 1000 2000 3000 Social before technical Technical before social Numberofdays 10 1000 Social before technical Technical before social Numberofdays 1 10 100 1000 10000 Social before technical Technical before social Numberofcontributions when social before technical (39%)…
 
 more often closely tied to technical and often more contributions when technical before social (61%)… may take a long time for interaction and then the interactions are often quick
 Palyart and Murphy, 2015, under review
  • 35. 35 #3 - What kind of social contributions occur? Reality View / Loose Supply Chain S A B Technical Link Social Link Forward User Library 35% of pairs seeking help, feature requests, pull requests Palyart and Murphy, 2015, under review
  • 36. 36 #3 - What kind of social contributions occur? Reality View / Loose Supply Chain S A B Technical Link Social Link Backward User Library 30% of pairs existing social community between projects Palyart and Murphy, 2015, under review
  • 37. 37 #3 - What kind of social contributions occur? Reality View / Loose Supply Chain S A B Technical Link Social Link Forward & Backward User Library 35% of pairs user developers contribute to library library developers later do pull-request to user project to update library Palyart and Murphy, 2015, under review
  • 38. 38 #3 - What kind of social contributions occur? Reality View / Loose Supply Chain S ● ●●● ●●● ● ●● ●● ● ● ● ● ● ● ● ● ● ● ● ●●● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ●●●●●● ● ●●●● ● ●●●●●●●●● ● ●● ● ● ● ● ● ● ●● ● ●●● ● ● ●● ● ●●●●●●●●● ● ● ●●●●● ● ●●● ● ●●● ● ● ●●● ● ●●● ● ● ● ● ●●● ● ●●● ● ●●● ● ●●●● ● ●●●●●● ● ● ● ● ● ● ● ●●● ● ● 0 10 20 30 40 BO F&B FO Numberofdevelopers ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ●● ●●● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● 0 200 400 600 BO F&B FO Numberofdays ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ●● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ●● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●●● ● ● ● ● ● ●● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ●●● ● ● ● ● ● ●● ● ● ● ● ● ●●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● 0 500 1000 1500 2000 BO F&B FO Numberofcontributions = backward only = forward & backward = forward only # developers # social contributions Palyart and Murphy, 2015, under review
  • 39. 39 #3 - What kind of social contributions occur? Reality View / Loose Supply Chain S ● ●●● ●●● ● ●● ●● ● ● ● ● ● ● ● ● ● ● ● ●●● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ●●●●●● ● ●●●● ● ●●●●●●●●● ● ●● ● ● ● ● ● ● ●● ● ●●● ● ● ●● ● ●●●●●●●●● ● ● ●●●●● ● ●●● ● ●●● ● ● ●●● ● ●●● ● ● ● ● ●●● ● ●●● ● ●●● ● ●●●● ● ●●●●●● ● ● ● ● ● ● ● ●●● ● ● 0 10 20 30 40 BO F&B FO Numberofdevelopers ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ●● ●●● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● 0 200 400 600 BO F&B FO Numberofdays ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ●● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ●● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●●● ● ● ● ● ● ●● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ●●● ● ● ● ● ● ●● ● ● ● ● ● ●●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● 0 500 1000 1500 2000 BO F&B FO Numberofcontributions = backward only = forward & backward = forward only Palyart and Murphy, 2015, under review involvement time
  • 40. 40 #3 - What kind of social contributions occur? Reality View / Loose Supply Chain S ● ●●● ●●● ● ●● ●● ● ● ● ● ● ● ● ● ● ● ● ●●● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ●●●●●● ● ●●●● ● ●●●●●●●●● ● ●● ● ● ● ● ● ● ●● ● ●●● ● ● ●● ● ●●●●●●●●● ● ● ●●●●● ● ●●● ● ●●● ● ● ●●● ● ●●● ● ● ● ● ●●● ● ●●● ● ●●● ● ●●●● ● ●●●●●● ● ● ● ● ● ● ● ●●● ● ● 0 10 20 30 40 BO F&B FO Numberofdevelopers ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ●● ●●● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● 0 200 400 600 BO F&B FO Numberofdays ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ●● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● ● ● ●● ● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●●● ● ● ● ● ● ●● ● ● ● ●● ● ● ● ● ● ● ● ● ● ● ● ●●● ● ● ● ● ● ●● ● ● ● ● ● ●●● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● 0 500 1000 1500 2000 BO F&B FO Numberofcontributions = backward only = forward & backward = forward only # developers # social contributions Palyart and Murphy, 2015, under review more backward social contributions than expected and their presence indicates a strong social link
 involvement time
  • 41. 41 Loose Software Supply Chain Reality View / Loose Supply Chain often a social cost to using a library more often than expected cost to being a library
  • 42. 42Reality / Tight Supply Chain Two Parts Social S Quality Q
  • 43. 43Reality View / Loose Supply Chain Quality Implications of OSS Library Use Q component
 requests 17.2B suppliers total 
 components >105K >834K 2014: Central Repository of Java open source components 2015 State of the Software: Supply Chain Report (Sonatype) constant updating ~ 3.5 times / yr
  • 44. 44Reality View / Loose Supply Chain Quality Implications of OSS Library Use Q Almost too Big to Fail, Geer and Corman, USENIX 2014 A B direct (1-hop) only 41% of vulnerable dependencies remediated mean-time-to-repair of these was 390 days CVSS level 10 - still 224 days to repair B’
  • 45. 45Reality View / Loose Supply Chain Quality Implications of OSS Library Use Q CVE-2013-2251
 CVSS 9.3
 Exploitability 10 since identification… 4,076 organizations have downloaded the vulnerable component 179,050 times 2015 State of the Software: Supply Chain Report (Sonatype)
  • 46. 46Reality View / Loose Supply Chain Quality Implications of OSS Library Use Q CVE-2007-6721
 CVSS 10
 Exploitability 10 since identification… 11,236 organizations have downloaded the vulnerable component 214,484 times 2015 State of the Software: Supply Chain Report (Sonatype)
  • 47. 47Reality View / Loose Supply Chain Quality Implications of OSS Library Use Q 2015 State of the Software: Supply Chain Report (Sonatype) 7.5% 66% of 240,757 component downloads by large financial or technology firms in 2014… were of known defective part and or those with a defective part, the defects were older than 2013
  • 48. 48 Loose Software Supply Chain Reality View / Loose Supply Chain (re)use is not free social and upgrade costs to use
  • 49. Reality View: Tight Supply
 Chain Photo copyright Gniot/Shutterstock
  • 50. 50Reality / Tight Supply Chain Two Parts Social S Quality Q
  • 51. 51 Tight Software Supply Chain Reality / Tight Supply Chains S contractual agreement contractual agreement
  • 52. 52 Tight Software Supply Chain Reality / Tight Supply Chains Boeing General Electric Hydro- Aire S contractual agreement contractual agreement
  • 53. 53 Communication Reality / Tight Supply Chains S contractual agreement contractual agreement restricted information flow restricted information flow
  • 54. 54 Communication Reality / Tight Supply Chains S contractual agreement contractual agreement Req Change #2 Req Change #1 Test Result #3
  • 55. 55 Communication Reality / Tight Supply Chains S contractual agreement contractual agreement Req Change #2 Req Change #1 Test Result #3
  • 56. 56 Communication Reality / Tight Supply Chains S contractual agreement contractual agreement
  • 57. 57 Communication Reality / Tight Supply Chains S Doors
 RTC HP Quality Center Blueprint RTC HP Quality Center VersionOne Eclipse HP Quality Center
  • 58. 58 Communication Reality / Tight Supply Chains S Doors
 RTC HP Quality Center Blueprint RTC HP Quality Center VersionOne Eclipse HP Quality Center Schema Mappings Schema Mappings
  • 59. 59 Tight Software Supply Chain Reality View / Loose Supply Chain need tools to facilitate appropriate communication
  • 60. 60Reality / Tight Supply Chain Two Parts Social S Quality Q
  • 61. 61 Tight Software Supply Chain Reality / Tight Supply Chains Boeing General Electric Hydro- Aire Q ability to verify the brake software wasn’t built in
  • 62. 62 Tight Software Supply Chain Reality / Tight Supply Chains Boeing General Electric Hydro- Aire Q full transparency
 full opacity
  • 63. 63 Tight Software Supply Chain Reality / Tight Supply Chains Q controlled transparency balance need to share with protection of intellectual property
  • 65. 65Open Problems Loose Software Supply Chains 
 
 
 assess when a component upgrade is needed? 
 
 lower the cost of quality and security upgrades? 
 
 
 measure
 and predict
 social cost of
 component use? 
 
 
 
 
 
 determine when backward social
 contributions are
 needed? can we…. ä ä ä ä
  • 66. 66Open Problems Tight Software Supply Chains 
 
 
 
 
 cost-effectively manage multi-tiered supply chains? 
 
 effectively handle arrangements of tight and loose supply chains? 
 
 
 automatically apply IP filters to information exchange? 
 
 
 provide white-box information without revealing secret sauce? can we…. ä ä ä ä
  • 68. 68Summary Thanks to many post-docs, students and industrial collaborators over the years for their insights.
 
 Thanks to NECSIS colleagues (particularly Jo Atlee, Marsha Chechik and Mark Lawford)
 for conversations. Thanks to Sonatype for an analysis of the Central Repository. Marc Palyart Mik Kersten Dave West
  • 69. 69Summary Software Supply Chains Naïve Better, faster, cheaper Loose Supply Chain Reuse is not free Tight Supply Chain Controlled transparencyNaïve Tight Loose Open Open Problems Technical and ecosystem
  • 70. 70Summary Software Supply Chains “supply chain” conjures up thoughts of organized, managed flows for software supply chains, the reality is different (chaotic? brittle?) (re)use is not free controlled transparency @gail_murphy Loose Tight Photo copyright Wierink/Shutterstock
  • 71. 71Summary Software Supply Chains “supply chain” conjures up thoughts of organized, managed flows for software supply chains, the reality is different (chaotic? brittle?) (re)use is not free controlled transparency @gail_murphy Loose Tight Photo copyright Wierink/Shutterstock
  • 72. Gail Murphy
 Univ. of British Columbia Tasktop Technologies
 Software Supply Chains @gail_murphy Photo copyright Wierink/Shutterstock With exception of pictures and icons