In a typical manufacturing company, a supply chain is the chain of companies that you rely on to make your product. For example, a mobile phone manufacturer buys processor chips from a supplier. That supplier needs to buy a part from another manufacturer. And that manufacturer relies on yet another company for the raw metal.
But what is the software supply chain? And how do you keep it secure? We spoke with Kim Lewandowski, co-founder and head of product at Chainguard, to explain the details.
Your software supply chain is more complex than you think
The software supply chain can be complicated. Mainly because it’s difficult to know how far it reaches. Take a simple example: If you use Salesforce to keep track of your customers, you store your customers’ data on Salesforce’s servers. Not a problem, surely? But Salesforce could have a breach. And what about the servers themselves? Those servers might run on Windows. If that has a security bug, hackers have another way in. How about the software that Salesforce uses to host its website? If that is hacked, you have yet another breach.
“When I think of the software supply chain, it’s all the code and all the mechanics and the processes that went into delivering that core piece of software at the end,” Kim explained. “It’s all the bits and pieces that go into making these things.” -On the Dev Interrupted Podcast at 11:28
Keeping the software supply chain secure involves checking who has keys
The important part of keeping your supply chain secure is making sure that you track down what you’re using. And checking that they’re secure and reliable. Every new third party can be a potential problem. If you don’t do your due diligence, you won’t know what risks you’re taking.
As Kim explained, a favorite analogy of hers is thinking about doing construction work on your own home.
“You have a contractor. Well, they need keys. They have subcontractors. You give the keys out to all their subcontractors. Who are they? Where are they from? What materials are they bringing into your house?” -On the Dev Interrupted Podcast at 12:09
The more third party tools you use, the more out of control it can become
It all comes down to accountability. It can easily start spreading rapidly. One third-party tool that you use to create your software might rely on five separate third parties. And you don’t know what code they’ve got hidden under the hood. Your keys are suddenly all over the place.
The only way to keep it under control is to remind yourself to check and to do regular audits of the services you use. Kim believes it’s helpful to think of every new tool as a package coming to your home.
“How is your package getting to your house?” Kim said. “What truck is it riding on and who is driving those trucks?” -On the Dev Interrupted Podcast at 12:44
Get the full conversation
If you’d like to learn more about the software supply chain, and how to make sure that yours is secure, you can listen to the full conversation with Kim over on our podcast.
Starved for top-level software engineering content? Need some good tips on how to manage your team? This article is inspired by Dev Interrupted - the go-to podcast for engineering leaders.
Dev Interrupted features expert guests from around the world to explore strategy and day-to-day topics ranging from dev team metrics to accelerating delivery. With new guests every week from Google to small startups, the Dev Interrupted Podcast is a fresh look at the world of software engineering and engineering management.
Open source software has been around for quite some time, but as I highlighted on the Dev Interrupted Podcast, only within the last decade has it come to be widely accepted and used, though many organizations are yet to use the concept. While many people still remain skeptical of open source, its growing popularity and use is undeniable.
For many developers, open source is “the one true way”, almost a religion. Many of the world’s best and brightest developers devote themselves to creating and advancing the cause of open source projects. There are any number of foundations and organizations--from The Apache Software Foundation to the .NET Foundation--that openly support open source. Open source is a large part of some of the biggest tech giants in the world, including Google, Microsoft, and Amazon.
Benefits of Open Source
As the VP of Engineering of Logz.io, which has entirely embraced the open source benefits model, I am an open source “true believer” and see many benefits to using open source software. I highlighted five of these key benefits on the Dev Interrupted Podcast with LinearB co-founder Dan Lines:
1. Open source is widely used
What development organization doesn’t use git these days?
There are many open source projects that are widely used. Tools like Elastic, Kafka, and the Apache Web Server are amongst the most popular and commonly used software applications in the world. Because they and many other similar projects are so popular, there are copious resources available for learning, troubleshooting, and solving problems.
Finding developers that are skilled in a particular project can be much easier, as these projects are so widely used and known. Plus, developers prefer to work at companies that use open source, because they know that they won’t be locked into a proprietary solution and that their skills will be transferable.
2. Open source is responsive
Open source is usually very responsive to issues and bug reports, often delivering fixes and updates in days or even hours. These updates can often be deployed immediately whereas with proprietary software, you often have to wait months for the next release to resolve a problem.
New features are available earlier in the development cycle, and users can normally see and try out features as they develop. This enables organizations to more rapidly adopt new versions of projects.
3. Open source brings financial advantages
Open source can both cut costs and minimize maintenance. Of course, the biggest cost benefit comes from getting a complete, proven software package for no cost. Improvements and bug fixes also come to the software from external sources, keeping maintenance costs low. Development occurs outside of your organization, resulting in new features with little effort.
Using open source just makes financial sense. I don’t want to write a load balancer--why should I spend the time and effort to do so when I can use one built and maintained by experts?
Sure, there are some costs associated with open source, such as setup time, learning time, and continuing maintenance and configuration, but the same costs are incurred for closed source software.
4. Open source is more secure
Security is a worry with any software that you use, and some argue that open source isn’t secure because everyone and anyone can see what the application does--but I say that open source software is more secure because of this.
“What do you trust more? Security in a product that is fully transparent, where you have tens or hundreds of workers across the world testing and working on it, as opposed to a product where you have not seen the source at all.“
-- from the Dev Interrupted Podcast at 8:20
Since everyone and anyone can see the code, they do know exactly what the software does and doesn’t do. Thousands of pairs of eyes from all over the world look at the code and can spot vulnerabilities before they are exploited. Thanks to this transparency, it’s much more difficult to take advantage of security holes because they’re fixed as fast as they are found.
Proprietary software doesn’t have this advantage. It only has a single development team looking at the source, and you as a consumer have no idea what security holes may lurk within.
5. Open source is future-proof
One of the benefits of open source is that it can never disappear. A proprietary company can go out of business, leaving you high and dry and with no options but to stick with what you have or migrate to another solution.
However, open source is available, well, forever. Put a project up on GitHub, and it will live as long as someone has the source code.
In a worst case scenario, an organization can take over the project themselves, fixing things and adding features as desired.
Managed Service Providers
Open source software very commonly lends itself to the managed service model. In fact, most managed service providers would not be open source-able without open source software. A proprietary solution cannot be used in such a manner -- the licensing would forbid it. Taking open source and providing it as a service is a powerful business model that is only possible because of the open licensing of open source.
We here at logz.io provide managed services for log and tracing analytics and observability. We use a number of open source projects to provide these services. Our value, like all managed service providers, lies in our ability to provide expertise for a service that another organization probably doesn’t want to spend the time and money to become experts in. This is only possible because of open source.
Is open source for everyone?
No -- open source software is not for everyone.
Some organizations--especially large, enterprise companies--are not able to risk the “infection” from licenses like the GPL. Large organizations often have legal requirements that prevent them from safely absorbing open source. Some organizations simply can’t or won’t overcome NIH -- the “Not Invented Here” syndrome. Some want a company that they can yell at if something goes wrong. And some people just don’t see “the one true way”.
This is the Way
In the end, I truly believe that the benefits of open source vastly outweigh any costs that may be incurred. We’ve staked our whole business on it here at logz.io, and it’s clearly working not only for us but for many other companies and managed service providers. Fully and clearly considered, it’s hard to see why your company couldn’t benefit from using open source Software.
Listen here if you want to learn more about the benefits of enterprise open source software.
If you haven’t already joined the best developer discord out there, WYD?
Look, I know we talk about it a lot but we love our developer discord community. With over 2000 members, the Dev Interrupted Discord Community is the best place for Engineering Leaders to engage in daily conversation. No salespeople allowed. Join the community >>
We all understand that proper data analytics is crucial to the success of an organization. But what if your analytics can do more than help you troubleshoot current problems? Splunk is building a future where data analytics proactively solve problems before they occur.
Data is essential to success and innovation for modern organizations. However, no commercial vendor has an effective single instrument or tool to collect data from all of an organization’s applications.
However, there is an open source framework: OpenTelemetry. By providing a common format of instrumentation across all services, OpenTelemetry enables DevOps and IT groups to better understand system behavior and performance.
Last week, Splunk’s Spiros Xanthos joined us on Dev Interrupted to explain OpenTelemetry - and to understand OpenTelemetry, we first need to understand Observability.
What is Observability?
Observability is the practice of measuring the state of a system by its outputs, used to describe and understand how self-regulating systems operate. Increasingly, organizations are adding observability to distributed IT systems to understand and improve their performance and enable teams to answer a multitude of questions about these systems’ behavior.
Managing distributed systems is challenging because of their high number of interdependent parts, which increases the number and types of potential failures. It is hard to understand problems in a distributed system’s current state compared to a more conventional, standard system.
“It’s very, very difficult to reason about a problem when it happens. Most of the issues we’re facing are, let’s say, ‘unknown, unknowns’ because of the many, many, many, failure patterns you can encounter.” - Spiros Xanthos, from the Dev Interrupted Podcast at 3:02
Observability is well suited to handle this complexity. It allows for greater control over complex modern systems and makes their behavior easier to understand. Teams can more easily identify broken links in a complex environment and trace them back to their cause.
For example, Observability allows developers to approach system failures in a more exploratory fashion by asking questions like “Why is X broken?” or “What is causing latency right now?”
What is OpenTelemetry?
Telemetry data is the output collected from system sources in observability. This output provides a view of the relationships and dependencies within a distributed system. Often called “the three pillars of observability”, telemetry data consists of three primary classes: logs, metrics, and traces.
Logs are text records of events that happened at a particular time; a metric is a numeric value measured over an interval of time, and a trace represents the end-to-end journey of a request through a distributed system.
Individually, logs, metrics, and traces serve different purposes, but together they provide the comprehensive detailed insights needed to understand and troubleshoot distributed systems.
OpenTelemetry is used to collect telemetry data from distributed systems in order to troubleshoot, debug and manage applications and their host environment. In addition, it offers an easy way for IT and developer teams to instrument their code base for data collection and make adjustments as an organization grows. For more information, Splunk has an in-depth look at OpenTelemetry.
Benefits of OpenTelemetry
“In terms of activity, it is the second most active project in CNCF (Cloud Native Computing Foundation), the foundation that essentially started with Kubernetes. So it’s only second to Kubernetes and it’s pretty much supported by every vendor in the industry. And of course, ourselves at Splunk are big supporters of the project. And we also rely on it for data collection.” -- from the Dev Interrupted Podcast at 16:47
Since the announcement of OpenTelemetry 2 years ago, it has become highly successful.
On the Dev Interrupted podcast, Spiros discussed how in his role as the VP of Observability and IT OPS at Splunk, he has seen OpenTelemetry grow to become an industry standard that Splunk relies upon for data collection. He highlighted three key benefits of OpenTelemetry:
Prior to the existence of OpenTelemetry, the collection of telemetry data from applications was significantly more difficult. Selecting the right instrumentation mix was difficult, and vendors locked companies into contracts that made it difficult to make changes when necessary. Instrumentation solutions were also generally inconsistent across applications, causing significant problems when trying to get a holistic understanding of an application’s performance. Conversely, OpenTelemetry offers a consistent path to capture telemetry data and transmit it without changing instrumentation. This has created a de-facto standard for observability on cloud-native apps. Enabling IT and developers to spend more time creating value with new app features instead of struggling to understand their instrumentation.
Prior toOpenTelemetry, there were two paths to achieving observability: OpenTracing or OpenCensus, between which organizations had to choose. OpenTelemetry merges the code of these two options, giving us the best of both worlds. Plus, with OpenTelemetry’s backwards compatibility with OpenTracing and OpenCensus there are minimal switching costs and no risk to switching.
With OpenTelemetry developers can view application usage and performance data from any device or web browser. Now, it’s easy and convenient to track and analyze observability data in real-time.
However, the main benefit to OpenTelemetry is having the knowledge and observability you need to achieve your business goals. By consolidating system telemetry data, we can evaluate if systems are properly functioning and understand if issues are compromising performance. Then, it’s easy to fix the root causes of problems, often even before service is interrupted. Altogether, OpenTelemetry results in both improved reliability and increased stability for business processes.
Why OpenTelemetry is the Future
With increasingly complex systems spread across distributed environments, it can be difficult to manage performance. Analysis of telemetry data allows teams to bring coherence to multi-layered ecosystems. This makes it far easier to observe system behavior and address performance issues. The net result is greater efficiency in identifying and resolving incidents, better service reliability, and reduced downtime.
OpenTelemetry is the key to getting a handle on your telemetry, allowing the comprehensive visibility you need to improve your observability practices. It provides tools to collect data from across your technology stack, without getting bogged down in tool-specific deliberations. Ultimately, it helps facilitate the healthy performance of your applications and vastly improves business outcomes.
Listen here if you want to a deeper dive into the topics of OpenTelemetry and Observability - and how Splunk leverages them.
With over 2000 members, the Dev Interrupted Discord Community is the best place for Engineering Leaders to engage in daily conversation. No sales people allowed. Join the community >>