What Toyota Unlocked Decades Ago Drives Software Supply Chain Management Today

What secrets did Toyota unlock decades ago that drive the success of today’s software supply chain?

Sonatype’s Matt Howard explained during a chat with Dave Bittner on an episode of The CyberWire Daily podcast.

The discussion focuses on the findings of Sonatype’s fifth annual Software Supply Chain Report. The report identifies the shared characteristics of exemplar open source projects and commercial teams. As curators of the Central Repository, the largest public repo for Java components, we have the unique capability to do deep and rigorous research on emerging trends. This year’s report spans 36,000 projects and 12,000 teams.


To appreciate Toyota’s crucial — yet inadvertent — contribution to software development, it is important to understand two metrics in today’s software supply chain.

The first, MTTR (mean time to remediate), measures how quickly a software team can identify and locate a defective or compromised component.

Commercial teams must know this immediately, says Matt. “Are you aware if a compromised component is in the library or dependencies of your application, in your call flow, or out in the wild? How fast can you find and remediate it?”

Similarly, open source projects that develop software components “must understand their transitive dependencies.” That is, they must be able to quickly find and manage the interlocking components (nested like a stacking Russian doll) within their collaborative projects. “When a new vulnerability is disclosed, do the open source projects themselves remediate?” asks Matt. “It is a question of hygiene.”

The software industry is only starting to appreciate how hygiene practices influence MTTR. Currently, the average MTTR is 326 days. That’s almost a year before a known vulnerability is fixed.

Meanwhile, MTTU (mean time to update) measures how frequently developers, either in commercial or open source teams, refresh software components. “Good teams reserve time (Read more...)
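The two metrics above, and the “is it in your dependencies, in your call flow?” question from Matt, are easy to make concrete. The following is an added example, not code from the original post or from Sonatype: it walks a small constructed dependency graph (all component names such as `web-framework` and `logging-core` are hypothetical) to find every path by which a compromised component reaches an application, then computes MTTR and MTTU from constructed disclosure, release and adoption dates.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set

# Constructed dependency graph (hypothetical component names):
# component -> its direct dependencies. Nested entries are the
# "Russian doll" transitive dependencies the article refers to.
DEPS: Dict[str, List[str]] = {
    "my-app": ["web-framework", "json-lib"],
    "web-framework": ["http-client", "logging-core"],
    "http-client": ["logging-core"],
    "json-lib": [],
    "logging-core": [],
}


def transitive_closure(root: str, deps: Dict[str, List[str]]) -> Set[str]:
    """Every component reachable from root, direct or transitive."""
    seen: Set[str] = set()
    stack = [root]
    while stack:
        node = stack.pop()
        for child in deps.get(node, []):
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen


def dependency_paths(root: str, target: str,
                     deps: Dict[str, List[str]]) -> List[List[str]]:
    """All dependency chains from root down to target.

    One path per way the component is pulled in; each must be
    remediated (bumped or excluded) for the app to be clean.
    """
    paths: List[List[str]] = []

    def walk(node: str, trail: List[str]) -> None:
        if node == target:
            paths.append(trail)
            return
        for child in deps.get(node, []):
            if child not in trail:  # guard against cyclic metadata
                walk(child, trail + [child])

    walk(root, [root])
    return paths


@dataclass
class Remediation:
    """A vulnerability disclosure and the date the fix was adopted."""
    component: str
    disclosed: date
    fixed: date


@dataclass
class Update:
    """A new component release and the date the team moved to it."""
    component: str
    released: date
    adopted: date


def mean_time_to_remediate(records: List[Remediation]) -> float:
    """MTTR in days: average gap between disclosure and remediation."""
    return sum((r.fixed - r.disclosed).days for r in records) / len(records)


def mean_time_to_update(records: List[Update]) -> float:
    """MTTU in days: average gap between a release and its adoption."""
    return sum((u.adopted - u.released).days for u in records) / len(records)


# Constructed sample history for the team owning my-app.
REMEDIATIONS = [
    Remediation("logging-core", date(2019, 1, 10), date(2019, 2, 9)),
    Remediation("http-client", date(2019, 3, 1), date(2019, 3, 11)),
]
UPDATES = [
    Update("web-framework", date(2019, 1, 1), date(2019, 1, 15)),
    Update("json-lib", date(2019, 2, 1), date(2019, 2, 8)),
    Update("http-client", date(2019, 3, 5), date(2019, 3, 26)),
]


def hygiene_report(app: str, compromised: str) -> dict:
    """Answer the article's questions for one app and one bad component."""
    return {
        "in_dependencies": compromised in transitive_closure(app, DEPS),
        "paths": dependency_paths(app, compromised, DEPS),
        "mttr_days": mean_time_to_remediate(REMEDIATIONS),
        "mttu_days": mean_time_to_update(UPDATES),
    }


if __name__ == "__main__":
    report = hygiene_report("my-app", "logging-core")
    for path in report["paths"]:
        print(" -> ".join(path))
    print(f"MTTR {report['mttr_days']:.1f} days, MTTU {report['mttu_days']:.1f} days")
```

Note that `logging-core` reaches `my-app` by two chains, one of them through `http-client`; updating `web-framework` alone would leave the second chain in place, which is why remediation is measured per path rather than per direct dependency. A low MTTU reflects the “hygiene” the article describes: teams already on recent releases typically have far less distance to cover when a disclosure lands.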

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Katie McCaskey. Read the original post at: