Software is influencing ever more dimensions of our lives, transforming the way we approach the world and how we interact with each other. During the COVID-19 pandemic, it was thanks to innovative software applications that we could keep working remotely, attend classes virtually, purchase electronically, and adapt our essential supply chains (jiang, 2020). Regarding the latter in particular, many of us recognize how the use of software in autonomous vehicles, cloud computing and the internet of things is steadily disrupting our material and information logistics (ashcroft, 2021). What we sometimes disregard, however, is that software, as a product, is part of its own supply chain. In this document we analyze how current trends in automation can also benefit the sourcing, production and delivery of software in the UK, with the aim of increasing the resilience, transparency and sustainability of this essential resource.
Naturally, the reason we are able to browse the internet through Chrome, chat with our friends through WhatsApp, and manage our expenses in Excel is the hard work of sophisticated organizations. US companies like Google, Meta or Microsoft annually invest hundreds of billions of dollars to keep such systems running and enhance their functionality (economist, 2022). Nevertheless, software is nowadays ubiquitous: during 2021 there were 6075 businesses working in software publishing and data processing in the United Kingdom [^1]. Whatever their size, what all these organizations share is that they have to engage in the "integration of business processes from end users to original suppliers" (cooper, 1997). They have to manage their software supply chains.
[^1]: As reported by (vailshery, 2022) and (sava, 2022). Although the pandemic seems to have reduced the number of hosting and data processing businesses in the UK, the number of software publishing companies in the country has grown continuously over the last 9 years.
But what, in fact, is a software supply chain (SSC)? Like any other product, software is built from parts by people performing development processes, who finally use diverse mechanisms to distribute it to consumers. A software supply chain is therefore the set of elements intervening in any capacity in those activities (sonatype, 2022). One of the most critical (but often disregarded) aspects of an SSC is the provenance of its building components. Forty years ago, purchasing licenses was practically the only way developers could build upon existing products (neary, 2018). But with modern solutions depending on Free and Open Source Software (FOSS) for around 90% of their code (perlow, 2022), it is now vital to ensure the transparency (new, 2010) of our software supply chains, as we cover later in this document.
Software is written by programmers using tools like text editors, version control systems and testing containers (singh, 2021). Over the years, the developer community has experimented with different methodologies to produce working software, from waterfall to various agile incarnations (hoory, 2022) (dima, 2018). In essence, however, all of them are in some way a representation of Deming's PDSA cycle (Plan-Do-Study-Act) (deming, 2020), differing only in the frequency at which they complete an iteration. The complete software development lifecycle (SDLC) (altvater, 2021) walks through several value-adding steps: analysis, design, development, testing, deployment, and maintenance.
Once a software feature (apel, kastner_2009) has been completed, it is scheduled for deployment into the production environment to make it available to external users (morchester, 2016). Generally, the code is pushed to a central repository, and from there the deployment pipeline starts. First, the new functionality is integrated into the complete codebase. Then, the whole source code is transformed by a compiler (toal, 2008) into an artifact that can be deployed on its own. Tests are then run against the packaged artifact to ensure that it works as intended. Finally, if the expected quality is met, that same artifact is deployed into production, where it becomes accessible to its end users.
Depending on the kind of product they develop, software publishers have different options for delivering it to their users. If it is a desktop application, a binary executable might be provided through the publisher's website and installed by the user on their operating system (OS). A typical mobile app, on the other hand, is downloaded through Google's, Apple's or Amazon's app stores. But nowadays, perhaps the most common way publishers deploy their products is over the cloud, a trend that has only accelerated since the COVID-19 pandemic (aggarwal, 2022) [^2].
[^2]: According to (richter, 2022) for cloud providers, (ceci, 2022) for mobile app stores, and (statcounter, 2022) for desktop operating systems.
All global supply chains have been affected by automation, and the software industry is no exception, with automatic processing affecting the sourcing, development and deployment stages of its production lifecycle. Open Source Software (OSS) has given users increased transparency and significantly lowered the barrier to entry for new participants, who obtain sophisticated capabilities for their products without incurring licensing costs. The UK government openly promotes the use of OSS (govuk, 2021) as an important value generator for the national economy, contributing £46.5 billion to UK businesses in 2020 (openuk, 2021) (tung, 2021).
Cloud computing is one of the areas that has benefited most from open source software, not only because of the tools available to manage its infrastructure (joseph, 2015), but also because OSS is the foundation of highly profitable consumer services (page, 2021). Despite having strengthened and simplified provisioning for the businesses willing to use these open source products, big-tech cloud providers have been repeatedly accused of unfair value distribution by the developer communities behind those projects (anadiotis, 2020) (ramel, 2021). A sustainable software supply chain requires this issue to be addressed as soon as possible; time is short for cloud providers to start building "deep supplier relationships" (liker, 2004).
Another area in which automation has had a profound impact is the variety and capability of the tools programmers have at their disposal (hodges, 2022). Code completers, test runners and application containers provide an integrated development environment that facilitates the understanding of large codebases and allows developers to perform "stress tests" (simchi, 2020) on their own machines as if they were production systems. Other benefits are less obvious. Consider how translation tools powered by artificial intelligence (AI) have made coding much more inclusive (whitney, 2022): in practice, the keywords of nearly all programming languages are English words (poore, 2022), so these tools help non-English-speaking developers engage with coding in ways they could not in the past (mcculloch, 2019).
Notwithstanding the indisputable benefits of this set of modern automating instruments, their unchecked proliferation might produce the opposite of the intended outcome, slowing down developers who constantly have to learn new tools to solve their old problems (carey, 2021). Furthermore, extreme tooling sophistication is leading the industry to consider ethical implications. For example, GitHub Copilot, an AI system capable of writing code, has raised concern in the developer community not only because of the threat it might represent to the profession, but also because it has been trained on vast amounts of open source code yet is used for commercial purposes (krill, 2021) (moss, 2021) (gershgorn, 2021). Without a doubt, more discussion is needed in this area to ensure the well-being of all stakeholders.
Operations management is one of the areas of the software life cycle most affected by automation. Existing organizational silos have been broken down by practices like DevOps, which bring together the development and systems-administration departments, increasing collaboration, trust and productivity (buchanan, 2020). Nowadays, development teams not only write the code of an application but are also responsible for its deployment and maintenance. By managing infrastructure as code (downs, 2021) and arranging continuous delivery pipelines (oren, 2021), they significantly improve process reproducibility and reduce time to market.
However, all this automation might create a "benefits without costs" illusion. In reality, the environmental impact of software processing on the planet is so large that some estimates make it responsible for 2% of the world's carbon emissions (stucke, 2021). Maintaining the additional automation infrastructure and deploying highly redundant architectures composed of multiple fully independent services demand more electricity than simpler configurations would require (currie, 2022). Fortunately, the software community has already spotted this problem, with large publishers like Apple or Facebook committing to reach net-zero emissions by 2030 (paratsii, 2022). Still, more environmental consciousness is always welcome.
In today's turbulent world, organizations need to cultivate resilience by "understanding their supply chain vulnerabilities and by developing specific capabilities to cope with disruptions" (fiksel, 2015). As we have seen, the infrastructure that supports the software industry is highly concentrated, which imposes a significant risk on its security, independence and stability. Consider what would happen if Microsoft suddenly decided to charge for all the projects stored on GitHub, the largest host of open source repositories: immediate disruptions in the supply chains of most software publishers would wreak havoc. Even though the Linux Foundation itself has praised Microsoft as a good open source steward (sneddon, 2018), others remain very skeptical, calling out hidden exploitative intentions (warren, 2018) (mattheij, 2018) (siebenmann, 2021).
Sir Timothy John Berners-Lee, the inventor of the World Wide Web, has also urged the hacker community to actively work on building decentralized network architectures to tackle the risks of being "reliant on big companies, and one big server" (clark, 2014). Perhaps that kind of decentralization will come from those delving into cryptographic and blockchain technologies to create what they call "Web3" (globaldata, 2021). Among the benefits attributed to it are the additional robustness it would provide to the web by replicating transactions across thousands of servers, and that such a system does not require personal information to operate (richards, 2022). Developments of this kind might provide the separation of data, processing and infrastructure that users have been calling for, and the UK might be at the forefront of such a transformation through its active participation in that regulatory space (govuk, 2022).
Another area with great potential for improvement is identifying software provenance, especially regarding the use of open source projects. As part of the aforementioned continuous delivery pipelines, artificial intelligence could be used more extensively to detect security vulnerabilities and license violations introduced by an application's dependencies (snyk, 2022). Several developments already exist in this area, but the landscape is still inchoate, similar to what continuous delivery looked like 10 years ago. Wider use and sharing of software bills of materials (SBOMs) among network participants (hendrick, 2022) (cisa, 2021) could accelerate the normalization of dependency-scanning practices and bolster software legitimacy and security.
Software's omnipresence demands a global approach to sustainability, as proposed by (villena, 2020), in which industry participants (especially the big ones) openly share information about the resources they use to create their products: products that have open source software as their foundation but that contribute very little to its maintainers (turner, 2021). "Liberty, Liberty, Liberty" were the words used to intentionally break the functionality of a dependency used by almost 20,000 JavaScript projects, after its sole maintainer angrily stated that he would no longer "support Fortune 500s (and other smaller-sized companies) with [his] free work" (williams, 2022). Innovations in commercial open source licenses and new revenue-generating business models appear to offer a reasonable solution (riggins, 2021). Nevertheless, the call is urgent for the software community to create a more sustainable future.
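The dependency-scanning and SBOM practices described two paragraphs above, and the sabotaged-dependency incident just recounted, are the kind of checks a continuous delivery pipeline can automate before an artifact is promoted. The Python script below is an added example, not code from the original document or from any project or vendor it cites. It audits a constructed, CycloneDX-1.4-shaped SBOM against the package contents the pipeline fetched: every component must carry a SHA-256 that matches the fetched bytes, its license must be on an allowlist, and its exact version must not appear on an advisory list. The package names (`left-align`, `colour-print`, `tiny-log`), their contents, the allowlist and the advisory entries are all made up for illustration.

```python
"""Release gate that audits a CycloneDX-style SBOM for provenance, license and
advisory problems. Added example: the SBOM, the fetched artifacts, the license
allowlist and the advisory feed are all constructed, not real packages."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    purl: str       # package URL of the component the finding concerns
    severity: str   # "block" stops the release, "warn" only reports
    reason: str


# Constructed package contents standing in for the tarballs the pipeline fetched.
ARTIFACTS = {
    "pkg:npm/left-align@2.1.0": b"module.exports = s => s.padStart(10);\n",
    # a release whose contents no longer match what was reviewed (constructed)
    "pkg:npm/colour-print@1.4.1": b"module.exports = () => { for (;;) console.log('LIBERTY'); };\n",
    "pkg:npm/tiny-log@0.3.2": b"module.exports = console.log;\n",
}

ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause", "ISC"}

# Constructed advisory feed: exact versions known to be withdrawn or sabotaged.
ADVISORIES = {("colour-print", "1.4.1"): "version withdrawn: maintainer published a self-sabotaged release"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample_sbom() -> dict:
    """Constructed SBOM in the shape of a CycloneDX 1.4 JSON document."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "components": [
            {   # well-behaved: recorded hash matches the fetched bytes, license allowed
                "type": "library", "name": "left-align", "version": "2.1.0",
                "purl": "pkg:npm/left-align@2.1.0",
                "hashes": [{"alg": "SHA-256", "content": sha256_hex(ARTIFACTS["pkg:npm/left-align@2.1.0"])}],
                "licenses": [{"license": {"id": "MIT"}}],
            },
            {   # hash recorded when the dependency was reviewed; the fetched 1.4.1 differs
                "type": "library", "name": "colour-print", "version": "1.4.1",
                "purl": "pkg:npm/colour-print@1.4.1",
                "hashes": [{"alg": "SHA-256", "content": sha256_hex(b"module.exports = s => s;\n")}],
                "licenses": [{"license": {"id": "MIT"}}],
            },
            {   # no hash at all, and a copyleft license outside the allowlist
                "type": "library", "name": "tiny-log", "version": "0.3.2",
                "purl": "pkg:npm/tiny-log@0.3.2",
                "licenses": [{"license": {"id": "AGPL-3.0-only"}}],
            },
        ],
    }


def audit_sbom(sbom: dict, artifacts: dict, allowed=ALLOWED_LICENSES, advisories=ADVISORIES) -> list:
    """Return one Finding per problem; an empty list means the SBOM passed."""
    findings = []
    for comp in sbom.get("components", []):
        name, version = comp.get("name"), comp.get("version")
        purl = comp.get("purl", f"{name}@{version}")

        # 1. Provenance: the SBOM must record a SHA-256 and it must match what we fetched.
        declared = {h.get("alg"): h.get("content") for h in comp.get("hashes", [])}
        if "SHA-256" not in declared:
            findings.append(Finding(purl, "block", "no SHA-256 recorded; provenance unverifiable"))
        elif purl not in artifacts:
            findings.append(Finding(purl, "block", "artifact not present; cannot verify hash"))
        elif sha256_hex(artifacts[purl]) != declared["SHA-256"]:
            findings.append(Finding(purl, "block", "fetched artifact digest differs from SBOM"))

        # 2. Legal: every license identifier (or expression) must be on the allowlist.
        for lic in comp.get("licenses", []):
            lic_id = lic.get("license", {}).get("id") or lic.get("expression", "<unknown>")
            if lic_id not in allowed:
                findings.append(Finding(purl, "warn", f"license {lic_id} not in allowlist"))

        # 3. Known-bad versions from the advisory feed block the release outright.
        if (name, version) in advisories:
            findings.append(Finding(purl, "block", advisories[(name, version)]))
    return findings


def release_allowed(findings: list) -> bool:
    return not any(f.severity == "block" for f in findings)


if __name__ == "__main__":
    results = audit_sbom(build_sample_sbom(), ARTIFACTS)
    for f in results:
        print(f"[{f.severity}] {f.purl}: {f.reason}")
    print("release allowed:", release_allowed(results))
```

The check compares the digest of the bytes actually fetched, not the registry's own metadata, which is what catches the case in the paragraph above: a version range that silently resolves to a newly published, altered release produces a digest that no longer matches the one recorded when the dependency was reviewed. In a real pipeline the allowlist and advisory feed would come from the organization's policy and a vulnerability database rather than from constants in the script.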
The software supply chain is a critical resource in modern society. To understand it, we have covered the elements that form part of it, walking through all the stages that must be traversed to create a software product. Along the way, we also explored how the increased use of automation is revolutionizing the quality and speed with which software is produced, and the implications that trend has for UK society and the world overall. As exciting as the future might seem, special attention should be paid to the resilience, transparency and sustainability of the software supply chain if we want that future to materialize into an inclusive reality.