An important idea in recent years is the "software supply chain".
(I'll abbreviate as SSC below for readability.)
This has implications both for security and for quality -- ensuring known trusted versions of dependencies and plugins, and repeatable, verifiable builds.
We might want to recast the book as "SSC" for the big theme.
This has upsides with potential publishers looking for a 1-line description of the project, or fitting it into a bucket they understand.
For example, Spring Boot relies on https://github.com/CycloneDX to manage the SSC for applications built in the Spring ecosystem.
Task
Discuss SSC and if it makes sense for us to put that label on the book
Update writing in pages to use the SSC theme rather than "containerized builds" and other related ideas
Look into tooling for Gradle and Maven to explicitly provide SSC artifacts
More context
A web search auto-generated this summary:
The software supply chain refers to the entire process of creating, building, and deploying software, including all the components, activities, and practices involved. It encompasses everything from code development to deployment, including dependencies, libraries, and tools. The software supply chain is critical to ensuring the security, quality, and reliability of software products.
Components of the Software Supply Chain
The software supply chain consists of:
Code: The actual software code, including proprietary and open-source components.
Configurations: The settings and configurations used to build and deploy the software.
Binaries: Compiled code and libraries used in the software.
Dependencies: External libraries and dependencies required by the software.
Container dependencies: Dependencies required by containerized applications.
Building orchestrators and tools: Tools used to build, compile, and package the software.
People, organizations, and processes: The individuals, teams, and processes involved in software development.
Risks and Challenges in the Software Supply Chain
The software supply chain is vulnerable to various risks and challenges, including:
Security risks: Vulnerabilities in dependencies, libraries, and code can compromise the security of the software.
Quality risks: Poor quality code, configurations, and dependencies can lead to software failures and errors.
Reliability risks: Unreliable dependencies and components can cause software downtime and failures.
Compliance risks: Failure to comply with regulations and standards can result in legal and reputational consequences.
Best Practices for Securing the Software Supply Chain
To mitigate these risks and challenges, it is essential to implement best practices for securing the software supply chain, including:
Continuous integration and testing: Automate testing and integration to ensure code quality and detect vulnerabilities.
Code analysis and review: Regularly review and analyze code for security vulnerabilities and quality issues.
Dependency management: Manage dependencies and libraries to ensure they are up-to-date and secure.
Supply chain visibility: Maintain visibility into the software supply chain to detect and respond to security incidents.
Compliance and governance: Establish policies and procedures to ensure compliance with regulations and standards.
Conclusion
The software supply chain is a critical component of software development, and its security, quality, and reliability are essential to ensuring the success of software products. By understanding the components and risks of the software supply chain, and implementing best practices for securing it, organizations can mitigate these risks and ensure the delivery of high-quality software products.
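As an added example (not code from this issue or from the book), here is the consumer side of the Gradle/Maven task above: a check that audits a CycloneDX JSON SBOM, the artifact the CycloneDX Gradle and Maven plugins emit, against a pinned allowlist, flagging unknown components, version drift, and components with no hash. The SBOM and the allowlist are constructed inline with made-up coordinates and versions.

```python
# Added example (not the issue's or the book's code): audit a CycloneDX JSON SBOM,
# as the CycloneDX Gradle/Maven plugins emit, against a pinned allowlist.
import json

# Constructed sample SBOM with made-up coordinates and versions.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "group": "org.example", "name": "web-starter",
         "version": "1.2.3", "purl": "pkg:maven/org.example/web-starter@1.2.3",
         "hashes": [{"alg": "SHA-256", "content": "ab" * 32}]},
        {"type": "library", "group": "org.example", "name": "json-lib",
         "version": "9.9.9", "purl": "pkg:maven/org.example/json-lib@9.9.9",
         "hashes": [{"alg": "SHA-256", "content": "cd" * 32}]},
        {"type": "library", "group": "org.example", "name": "mystery",
         "version": "0.1", "purl": "pkg:maven/org.example/mystery@0.1"},
    ],
})

# Constructed allowlist: trusted "group:name" -> the version the build pins.
ALLOWLIST = {"org.example:web-starter": "1.2.3", "org.example:json-lib": "2.0.0"}


def audit_sbom(bom_json: str, allowlist: dict) -> dict:
    """Return findings: unknown components, version drift, missing hashes."""
    bom = json.loads(bom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    findings = {"unknown": [], "drift": [], "unhashed": []}
    for comp in bom.get("components", []):
        coord = f"{comp.get('group', '')}:{comp['name']}"
        version = comp.get("version", "")
        expected = allowlist.get(coord)
        if expected is None:
            findings["unknown"].append(coord)
        elif expected != version:
            findings["drift"].append(f"{coord}: have {version}, pinned {expected}")
        # Without a hash the SBOM entry cannot be tied to the artifact bytes.
        if not comp.get("hashes"):
            findings["unhashed"].append(coord)
    return findings


def sbom_passes(bom_json: str, allowlist: dict) -> bool:
    """True only when every component is pinned, at the pinned version, and hashed."""
    return not any(audit_sbom(bom_json, allowlist).values())
```

Run on the constructed SBOM it reports the unknown `mystery` component (also unhashed) and the `json-lib` drift from the pinned version, so the build fails the check.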
Related to #569.