I made homebrew for Christmas. There’s nothing particularly unusual about that, as I tend to be bottling something every few months. It was a lager with quite a dry finish, so probably like that popular Japanese beer. (Which reminds me, I must search how to make it less “brut”.) But seeing the pale, slightly carbonated liquid in a clear plastic bottle got me thinking… this is what large portions of the software industry do every day. And as an industry, we could learn a lot from… well, literally anybody else!
I was lucky enough to receive chocolates for Christmas, and on the back of the box was a breakdown of the contents and calories of each individual chocolate. Even the toffee ones, which are still sitting unloved in the box 12 days into January. I could also see the number of calories but, I admit, I didn’t look too deeply into the operational risk.
Then I was thinking about the pharmaceutical industry and the analysis, testing and documentation required for the organisations there to take a product to market. A supply chain which reaches across discovery partners, testing companies, laboratories and universities, all documenting and working hard to explain a drug’s composition, how it works and its side effects.
Finally, I received a box from Amazon. Inside was a packing list with suppliers, items, dates, stock numbers and even a number representing who packed my box!
If we think back to my homebrew, we know it’s beer (roughly) and the alcohol does what it is intended to (to be fair, I don’t know the exact percentage of alcohol, and I am now wondering if I need to provide a waiver form for anyone sampling!). But there is no Bill of Materials, packing list or ingredients. I have no way of proactively preventing vulnerabilities – if someone were to have an allergy, for example.
For much of its software, the industry provides only circumstantial detail:
- Testing – Yep, your beer is beer and can be drunk
- Documentation – Drain bottle contents into glass. Raise glass to lips and pour into mouth.
- System Requirements – In order to use this product, you require a mouth and digestive system of human origin. The system must be at least version 18 for the product to be used in public.
- Disclaimer / Warranty notice – If you don’t like this beer remember that we didn’t make you drink it, you did that all by yourself and it’s probably your tastebuds at fault.
Yes, I’m being deliberately obtuse for the purposes of humour and to make a point. I’m not advocating that all ISVs (or home brewers) need a gas chromatograph. There is no need to reveal your trade secrets down to the carbon, oxygen and sodium level; there is always room on the label for something like Coca-Cola’s “flavouring”.
But we can do better than this! We are part of a supply chain and our customers deserve a Bill of Materials (BoM). Software Composition Analysis (SCA) is achievable and important, and ISVs could use it to demonstrate the quality of their product. My customers would have a label, an ingredients list and a packing list, and I’m pretty sure they would appreciate that transparency and the potential security insights.
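The “label, ingredients list and packing list” in software terms is an SBOM, and the packing-list step is what a customer can actually check on delivery. As an added example that is not part of the original post, this Python script builds a minimal CycloneDX-style BoM from a constructed dependency manifest (the component names, versions and file contents are made up for the illustration, the `pkg:pypi/` purl type is an assumed choice, and the JSON structure follows CycloneDX field names without being schema-validated) and then compares what was actually shipped against what the BoM declares, reporting anything missing, undeclared or with a mismatched hash.

```python
import hashlib
import json
from typing import Dict, List, Tuple

# Constructed example manifest: what the build declares it used.
# Names, versions and file contents are made up for this illustration.
DECLARED_COMPONENTS = [
    {"name": "yeast-lib", "version": "2.1.0", "content": b"yeast-lib 2.1.0 source"},
    {"name": "hops-parser", "version": "0.9.4", "content": b"hops-parser 0.9.4 source"},
    {"name": "malt-utils", "version": "1.0.2", "content": b"malt-utils 1.0.2 source"},
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sbom(product: str, version: str, components: List[dict]) -> dict:
    """Build a minimal CycloneDX-style BoM (JSON structure only, not schema-validated)."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {"component": {"type": "application", "name": product, "version": version}},
        "components": [
            {
                "type": "library",
                "name": c["name"],
                "version": c["version"],
                # purl type "pypi" is an assumption for this example
                "purl": f"pkg:pypi/{c['name']}@{c['version']}",
                "hashes": [{"alg": "SHA-256", "content": sha256_hex(c["content"])}],
            }
            for c in components
        ],
    }


def shipped_inventory(artifacts: Dict[Tuple[str, str], bytes]) -> Dict[Tuple[str, str], str]:
    """Hash what is actually in the delivered package: {(name, version): sha256}."""
    return {key: sha256_hex(data) for key, data in artifacts.items()}


def check_packing_list(sbom: dict, shipped: Dict[Tuple[str, str], str]) -> Dict[str, list]:
    """Compare the BoM with the shipped contents.

    Returns three lists:
      missing    - declared in the BoM but not shipped
      undeclared - shipped but absent from the BoM
      tampered   - present in both but the SHA-256 does not match
    """
    declared = {}
    for comp in sbom["components"]:
        sha = next(h["content"] for h in comp["hashes"] if h["alg"] == "SHA-256")
        declared[(comp["name"], comp["version"])] = sha
    missing = sorted(k for k in declared if k not in shipped)
    undeclared = sorted(k for k in shipped if k not in declared)
    tampered = sorted(k for k in declared if k in shipped and declared[k] != shipped[k])
    return {"missing": missing, "undeclared": undeclared, "tampered": tampered}


def demo() -> Dict[str, list]:
    sbom = build_sbom("homebrew-app", "1.0.0", DECLARED_COMPONENTS)
    # Constructed delivery: one component's bytes differ from the build,
    # one declared component is absent, and one extra library is present
    # that the BoM never mentioned.
    delivered = {
        ("yeast-lib", "2.1.0"): b"yeast-lib 2.1.0 source",
        ("hops-parser", "0.9.4"): b"hops-parser 0.9.4 source (modified)",
        ("secret-sauce", "3.3.3"): b"undeclared dependency",
    }
    report = check_packing_list(sbom, shipped_inventory(delivered))
    print(json.dumps(sbom, indent=2))
    print(report)
    return report


if __name__ == "__main__":
    demo()
```

Run as-is and it prints the generated BoM followed by the discrepancy report; in practice the hashes would be taken over the distributed package files rather than over inline bytes, and the SBOM would be produced by the build pipeline rather than hand-assembled, but the customer-side check is the same three comparisons.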
It will happen. In the last month, I’ve spoken to a healthcare provider who intends to require Software Composition Analysis detail from their suppliers, and a fintech company who mentioned that banks were now asking for a Software Composition Analysis prior to buying software. I nearly ran downstairs and opened a bottle of unlabelled homebrew!