The challenges of running a software supply chain
VMware Tanzu is a modular software application platform that runs natively on multiple clouds and is geared toward important business outcomes such as developer productivity, operator efficiency, and security by default. If you are looking for a hands-on detailed treatment of VMware Tanzu, you won’t be disappointed.
However, before diving into the platform’s components, it may help to understand some history and background. If you’re reading this, there’s a good chance you participate in the coding, designing, architecting, operating, monitoring, or managing of software. However, you may not have considered that you are participating in a supply chain.
According to Adam Hayes in his Investopedia article, The Supply Chain: From Raw Materials to Order Fulfillment, a supply chain “refers to the network of organizations, people, activities, information and resources involved in delivering a product or service to a consumer.”
When a piece of software makes the journey from a developer’s workstation to an end user, that’s as much of a supply chain as when Red Bull and ramen noodles make the trek from raw ingredients to a production facility to a warehouse to the neighborhood grocery store.
Every supply chain has its own set of challenges, and software supply chains are no exception. Most software written today consists of libraries and frameworks containing millions of lines of open source software developed by people who are essentially anonymous and whose motivations are not entirely clear.
Much of that software changes hands many times as it moves from an open source repository to the developer, to source control, to building and packaging, to testing, to staging, and finally, to running in production. Furthermore, the infrastructure on which that software runs is often open source as well, with a worldwide community of hackers working to identify vulnerabilities in the operating systems, network protocol implementations, and utilities that make up the dial tone that your software runs on. This ecosystem presents an enormous surface area for bad things to happen.
For further reading on real-world examples of what can go wrong with software supply chains, I’d recommend a quick search of the web for the 2020 SolarWinds incident or the 2021 emergence of Log4Shell (CVE-2021-44228). The authors of this book, in their capacity as Tanzu solution engineers, have seen first-hand the impact software supply chain issues can have across the financial, government, telecom, retail, and entertainment sectors.
