What secrets did Toyota unlock decades ago now drive the success of today’s software supply chain?
Sonatype’s Matt Howard explained during a chat with Dave Bittner on an episode of The CyberWire Daily podcast.
The discussion focuses on the findings of Sonatype’s fifth annual Software Supply Chain Report. The report identifies the shared characteristics of exemplar open source projects and commercial teams. As curators of the Central Repository, the largest public repo for Java components, we have the unique capability to do deep and rigorous research on emerging trends. This year’s report spans 36,000 projects and 12,000 teams.
MTTR vs. MTTU
To appreciate Toyota’s crucial -- yet inadvertent -- contribution to software development, it is important to understand two metrics in today’s software supply chain.
The first, MTTR (mean time to remediate) measures how quickly a software team can identify, locate and fix a defective or compromised component.
Commercial teams must know this immediately, says Matt. "The question is, if you have an application in the wild, in production, are you aware of whether or not that particular library is in your application? Do you have a dependency? If so, is that dependency in the call flow? Is it exploitable in the wild? If it is, how fast can you find it and remediate it?"
Similarly, open source projects that develop software components “must understand their transitive dependencies.” That is, quickly find and manage the interlocking components (similar to a stacking Russian doll) within their collaborative projects. “When a new vulnerability is disclosed, do the open source projects themselves remediate?” asks Matt. “It is a question of hygiene.”
The software industry is only starting to appreciate how hygiene practices influence MTTR. Currently, the average MTTR is 326 days. That’s almost a year before a known vulnerability is fixed.
Meanwhile, MTTU (median time to update) measures how frequently developers, either in commercial or open source teams, refresh software components. “Good teams reserve time in a project schedule to do dependency management,” says Matt. “The best teams automate their dependency checks and are constantly updating software.”
Teams with high MTTU scores practice the best hygiene. By default, they are also building the most secure software. This year’s report shows that MTTU and MTTR are both crucial, but MTTU is the more important characteristic.
Deming, Toyota, and Today
Turns out, Toyota embraced and mastered both behaviors decades ago thanks to their work with W. Edwards Deming.
Deming, an expert in what is now known as lean manufacturing, urged Toyota to develop vehicles based on rigid adherence to four key principles:
- Source materials from the best suppliers
- Source only the best parts from those top suppliers
- Trace and track the location of parts from start to finish, throughout the supply chain manufacturing process
- Provide a Bill of Materials after a vehicle is released to conduct an orderly recall in the event of a faulty part
The same manufacturing processes support today’s software supply chain.
“Not all open source parts are created equally,” says Matt. “There is a real difference between high quality and lower quality. We also know, whether you're manufacturing digital or physical goods, it is always a good idea to source the best parts, and the best suppliers, just as Deming taught Toyota years ago.”
For more details, download the State of the Software Supply Chain report and listen to the entire episode here: