Achieving a Managed State Model For Your Software Supply Chain

June 24, 2019 By Katie McCaskey

Santi Mulukutla, Customer Success Engineer at Sonatype, invites you to embrace ambiguity.

Building a successful software supply chain means developing a framework. Most importantly, that framework should be flexible and scalable. It should continue to prompt questions to keep your team moving forward. In other words: a framework for change.

Her talk, Achieving a Managed State Model for Your Software Supply Chain, at the Nexus User Conference, explores how a flexible framework enhances the stability of the software supply chain.

As with reading, cooking, and sports -- three activities every human does, to some degree -- a framework is necessary for best results. Delicious food is produced through orderly steps; life-changing books depend on your capacity to understand words. They have additional commonalities, too, says Santi. All have clear starting points. Each activity has a path to completion. Simple steps move the process forward.

Secure software development processes share these attributes, too.

How You Start Determines How You Finish

First, some context. The last decade has been transformative for open source software. Up to 90% of all software is made up of open source components. Introducing code you didn’t write into your supply chain provides great value. It also demands vigilant risk management.

While software developers strive to use trusted components, the software industry, unlike others such as automobile or food manufacturing, lacks a common framework for delivering safe, quality goods.

Therefore, it is up to development teams to develop a framework. It must maintain an up-to-date inventory so problems are quickly remediated. It must be flexible enough to scale, too.
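To make the inventory requirement concrete, here is an added Python illustration; it is not Sonatype's code and not from Santi's talk. It reads a pinned component manifest, matches each component against an advisory list, and turns every match above a severity threshold into a remediation step. The component names, versions and advisories are constructed, the `name==version` manifest format is a hypothetical stand-in for a real lockfile, and the advisory schema (introduced version, fixed version, severity) is an assumption.

```python
"""Added illustration (not Sonatype's product code): an up-to-date component
inventory is what makes advisory matching and remediation possible at all."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    """Assumed advisory schema: affected range is [introduced, fixed)."""
    component: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first version that is no longer affected
    severity: str     # "low" | "medium" | "high" | "critical"


SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def parse_version(text):
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def is_affected(component, advisory):
    """True when the component's version falls inside the advisory's affected range."""
    if component.name != advisory.component:
        return False
    version = parse_version(component.version)
    return parse_version(advisory.introduced) <= version < parse_version(advisory.fixed)


def parse_inventory(text):
    """Parse a hypothetical 'name==version' manifest; '#' starts a comment."""
    components = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, version = line.split("==")
        components.append(Component(name.strip(), version.strip()))
    return components


def evaluate(inventory, advisories, min_severity="medium"):
    """Return one finding per (component, advisory) match at or above min_severity."""
    threshold = SEVERITY_RANK[min_severity]
    findings = []
    for component in inventory:
        for advisory in advisories:
            if is_affected(component, advisory) and SEVERITY_RANK[advisory.severity] >= threshold:
                findings.append({
                    "component": component.name,
                    "current": component.version,
                    "severity": advisory.severity,
                    "remediation": f"upgrade {component.name} to {advisory.fixed}",
                })
    return findings


# Constructed sample inventory (hypothetical component names).
INVENTORY = """
# constructed manifest for the example
libalpha==1.4.2
libbeta==2.0.0
libgamma==0.9.1
"""

# Constructed advisories: libbeta 2.0.0 is the fixed version, so it must not be flagged.
ADVISORIES = [
    Advisory("libalpha", "1.0.0", "1.4.3", "high"),
    Advisory("libbeta", "1.0.0", "2.0.0", "critical"),
    Advisory("libgamma", "0.9.0", "0.9.2", "low"),
]


def run_check(min_severity="medium"):
    """Run the inventory through the advisory list with the given threshold."""
    return evaluate(parse_inventory(INVENTORY), ADVISORIES, min_severity)


if __name__ == "__main__":
    for finding in run_check():
        print(f"[{finding['severity']}] {finding['component']} {finding['current']}: "
              f"{finding['remediation']}")
```

The threshold is the policy knob: at the default "medium" only libalpha is reported, while lowering it to "low" also surfaces libgamma. The half-open range check is what keeps an already-remediated component (libbeta at its fixed version) out of the findings, which is the behaviour you want a stale inventory to be unable to fake.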

A Multi-Dimensional Approach Builds the Most Resilient Model

Santi identifies three important, interdependent parts of a secure software manufacturing process:

  • People - Assemble the right people to review data and take action
  • Process - Develop a culture that allows for successful engagement and response
  • Technology - Identify the technical tools you can rely on to support people and process, such as Nexus

Working in parallel, these elements manage risk across your software development lifecycle (SDLC). This framework improves speed of delivery and produces higher quality software.

The Path Ahead

Once people, process, and technology are working in tandem, there is swift movement forward. Santi refers to this as her “Go Forward” framework. It builds an upward-moving spiral of strength because the elements reinforce one another.

“Convergence creates a natural momentum that allows for a path forward to unfold,” explains Santi.

For example, developers want to contribute to their team. By using automation tools to surface actionable data, it is easier to identify needs. The team becomes faster at identifying vulnerabilities, remediating problems, and clearing technical debt. This ongoing process supports product stability and security.

By automating open source governance, surfaced data can be swiftly and effectively addressed. Sonatype’s product suite supports this kind of comprehensive, flexible framework. Santi explains how each product works across the SDLC.

She gives specific recommendations to achieve a managed state model:

  • Start by setting the tone - the atmosphere you set makes a huge difference
  • Understand your current state, so you can benchmark change
  • Establish the right framework for the right things to happen - ideally, one that is inclusive and flexible
  • Plan to work across multiple dimensions (the interconnectedness of people, process, and technology)
  • Be open to questions and conversations that surface
  • Follow the path that unfolds…

“In the end it is about having the ability to effectively manage the state of ongoing change,” says Santi. Watch her entire talk here:

Tags: open source software supply chain, Open Source, devsecops

Written by Katie McCaskey

Katie is an experienced technology writer and entrepreneur. At Sonatype, she's focused on creating and finding great content.