(Not THAT one, the OTHER one!)

Though I started my career in software development writing embedded software for Aerospace Avionics Systems, I’ve spent the past 3 years working in the Supply Chain space, starting just before COVID-19 hit the world. 

I had worked the past 20 years in the eCommerce space, mainly in retail/CPG, working to help design, build, analyze, and optimize revenue (and promotions!) for my clients selling their products via web and mobile.  In 2020, I decided to dig in to the one area of eCommerce and selling goods to consumers that I had not delved into but was looking like it was going to be a huge problem area due to disruptions caused by a global pandemic:  The Supply Chain.  Transportation & Logistics.  Inventory Management.

I worked with many shippers and freight forwarders as they turned 5-year plans into 3-month plans.  Projects popped up and were funded.  Curb-side pick-up.  BOPIS (Buy On-Line Pick up in store), BORIS (Buy On-Line Return In-Store).  Retail clerks and cashiers were now being trained in warehouse processes, such as “pick-and-pack”, and IT systems were developed and accelerated overnight, it seemed, to support these new processes.

The biggest lesson learned?  It wasn’t technology.  It was people.  People adapting and learning new processes that literally were being designed, implemented, supported by shiny new technology and updated systems, and rolled out as fast as possible.

Now let’s look at a different kind of supply chain that hasn’t been around as long but is probably more key and more misunderstood than any single area in technology that I’ve seen in my entire career.

The Software Supply Chain.

It’s not Rocket Science, but it’s close

As I mentioned earlier, I started my career in Aerospace writing software for airplanes.  I was put in charge of ensuring that the software we wrote for the Lockheed Martin C-130J, the first fly-by-software airplane developed by Lockheed Martin, was certifiable by the FAA.  Simple, right?  No.  (You can read about it Here .)

The software had to be more than 99.999% solid.  Failures were measured in potential lives lost.  (How’s that for your KPI?)

So, what did we learn?  We learned that there were certain processes that we were rock solid in as a company and an industry.  Requirements definition, systems design, architecture, unit, and component testing, etc.  (Solid silos!)

What were we not so good at?  Any process that spanned a responsibility domain.  Like systems integration testing.  (Two systems, or dozens of systems, having to work together.). Separate teams were good at what they knew how to do, and not good at focusing upstream or downstream on the conveyor belt. 

We set out to solve the problem.  Enter ISO-12207.  The US Commercial Software Standard.

First, You Build the process framework.

The two main contractors of the time, Lockheed Martin and Boeing, decided to lay the groundwork to fix the problem going forward, while laying down best practices for future programs.

So, we built a process framework.  (Yes, “we”.  I was on the team and owned the Lockheed Martin piece.)  What’s a process framework?  It’s the “what” of the software/systems development process.  It tells you what processes to have, and where they fit.  (Not the “how”.  The “how” would be details that would use this framework, such as “Agile”, “Waterfall”, etc.)

Figure 1 – ISO 12207 Lifecycle Process Standard

(Credit to ResearchGate .)

When we wrote this process, we felt the key areas were what we called the “Supporting Processes”.  These processes are the foundation that forms the basis for what I call the “Software Conveyor Belt”. 

The software conveyor belt travels from left to right.  It starts on the left.  (Important for later.)  An idea, a business requirement, leading to design, code, unit test, then handoff to QA, tested, then continuing onto production for everyday use.

So, what’s the problem?

The problem is actually very simple to identify.  (Not so simple to fix.)

The weaknesses in complicated systems/software development, whether it’s aircraft avionics software, eCommerce mobile and web applications software, or any other type of software, such as Cloud-Based software, are always the same.

Supporting processes that span organizations, or domains (e.g. development team, QA team, operations team), are ALWAYS problem areas.  Why?  People skill sets do not span domains.  Companies historically don’t hire that way, and software vendors do not build tool environments that way, nor do they have the skill sets to sell that way, anyway. (And colleges certainly don’t educate that way, but that’s a whole other blog topic.)

And the problems are always are in these areas:  Non-Functional Requirements and what I’ve always called, “The Big 3”.  Configuration, Change and Release Management.  That is the foundation of your conveyor belt—and it has to be rock solid.

Non-Functional requirements include the following:

• Performance Testing
• Security
• Usability
• Availability, Reliability, Maintainability & SLAs
• Certification & Compliance (Including PII, GDPR, etc.)
• Portability, Compatibility & Localization
• Functionality & Extensibility

Non-functional requirements span organizational domains, expertise areas and in many cases, haven’t been, or aren’t, part of someone’s performance KPI.  (In other words, no one owns them across the organization, so they aren’t implemented correctly and do not become a focus unless an event occurs to make them a focus.  Think Black Friday website crash or data breach/malware intrusion putting your company on the front page of the Wall Street Journal.)

How to fix the problem, or at least where to start

First, ditch the acronyms.  Now.  Just stop.  They started with some marketing team for a SaaS vendor trying to do something catchy for their shiny new point product being sold with no process in mind.

Let’s start with this one:  Shift Left.  Stop using it.  If you have to shift left, then you didn’t do it right from the start in the first place.

Say what?  Remember what I said earlier.  The conveyor belt for the software supply chain starts on the left.  If you aren’t doing that already, with one or all the non-functional requirements I list above, or the “Big 3”, drop everything and do that.  Or hire someone to show you how to do that.  (Shameless plug here, my email is below. I do this in my sleep.)

The biggest problem areas that cause the Wall Street Journal front page articles are typically performance testing and security these days., though I’d argue that compliance is right up there as well. (Think GDPR and PII.)

The next ones to dump:  DevOps & DevSecOps.

Why?  For the same reasons as shift left, but also because many vendor offerings I see have “test” dumped inside development, or have placed “reliability” in Operations. (Or one I hear often, “We go from “Dev to the Cloud!” Say what? The cloud is not a process. You might want to dig deeper to explain what you mean there. But I digress.) 

Other than not knowing the process, or that marketing who never wrote a line of code in their life, had nowhere else to put it, it’s fine.  (Not!). I won’t shame any SaaS company, but there’s not one application performance or cloud security company that presents this accurately.  (Go ahead, prove me wrong. I’ll wait.)

So what now?  Where should you start?

Enter the Software Supply Chain & Software Bill of Materials (SBOM)

Going back to my introduction around the certification of software for the FAA with DO-178C, we introduced something new:  Software Bill of Materials (SBOM).  The FAA had long had a Hardware Bill of Materials, but software in an airplane was very new for us.  So we decided to lift the hardware BOM and utilize the framework and best practices hardware had for our use in software. (It had no “H” in front of it back then.  No need to.)

What does this mean today?

An SBOM is a complete list of all software used in the development, testing and execution/production of an application.  This includes all tooling (including cloud components, and the bits and pieces that tooling brings to the table), as well as any data, embedded software/website url’s, links, pixels, tags, open source libraries, etc.

And typically, this SBOM can literally change on the fly, without any notification, if the right safeguards are not in place for things like application monitoring, security/vulnerability scanning, etc.  (In other words, the ”supporting processes” I discussed earlier.)

Here’s an example of part of a stack from an online retailer’s website.  This is a cross-section example of what gets stuck on a conveyor belt:

Example 1 –  Output from Webpage Test by Catchpoint.

So what’s the problem, you say?

Each one of these components listed is provided by a third party and is part of your SBOM.  And it can change on the fly, and typically does particularly for web and mobile based applications, and cloud-based applications.

See the problem?  Without sound processes in place, especially around the key ones I listed above, you are vulnerable.  You are vulnerable wherever you have gaps. 

What’s an example of a gap?  One example would be inclusion of a third party pixel or tag on your website that gets changed or modified without your knowledge.  How would that ever happen?  Easy.  Poor configuration, change and release management.  Poorly integrated tools to manage that process.  Point products over platform.  (But just because a vendor says they have a platform, doesn’t necessarily mean its components are integrated against some standard.  (Many are not.)

And “integration” is very much a misunderstood and over-used term. Did you know that there are 7 layers of integration? There are. The model is here: OSI Model. (Digging into what this means would be another blog, but I wanted to bring it up anyway.)

How about another example?  How about security vulnerabilities?  With a lot of today’s application development also occurring in the cloud, security must certainly start from the left, at the commencement of the systems/software development lifecycle.  It must include development environments, containers, infrastructure as code, etc.

Many of the current SaaS vendors in the cybersecurity and performance space reference directives such as Executive Order 14028, the NIST minimum standard for testing in order to promote their compliance and why they should be your vendor of choice.

What don’t they mention?  That the Executive Order also specifically references ISO 12207 as the process framework to use for your conveyor belt.  (As does its follow-on guidance, NISTIR 8397.  Section 1.1)  And why wouldn’t they mention it?  It’s most likely due to a lack of understanding that a software conveyor belt, and for that matter, an SBOM, really has at its underlying foundation, a software process framework.  You can’t sell what you don’t understand. (Too bad, too, because that’s where the value and benefit lies the most.)

So what should you look for and what should you do?

Call to Action

Figure out what you want your conveyor belt to look like and where the gaps are.  Pick one key focus area and start there.  Is it performance/usability?  Is it security?  Only then should you start filling in the technology gaps.  (And by gaps, the most important ones are the ones I mention above that span silos.)

Are you looking at vendors who claim to “have a platform”?  Ask the tough questions.  Lay their “platform” against the process framework and conveyor belt.  Does it still hold water?  Where are the gaps?

I’ve seen a lot of “platforms” come and go over the years, whether they were software development “Integrated Development Environments” that didn’t even integrate their own tools together, or “Business Technology Optimization (BTO)”, where the former Mercury Interactive first started nobly integrating QA/test and production, to today’s shiny new “Cloud-Native Application Protection Platforms (CNAPP)”.  They all had/have one thing in common:  No process foundation for the conveyor belt. And no focus to help their customers get one via a mature professional services offering.

Start with asking your vendors for their SBOM for their solution.  You’d be amazed at the amount of open source and third party software that they use and bundle into their solution.  (It’s usually found in their SaaS agreement.)

So, assess your “as-is” first.  Your gap is your implementation project plan and the “to-be” as well as your roadmap.  Lay your technology down against the process.  Keep what fits, ditch what doesn’t.  Then fill in the gaps based on criticality.  Is GDPR and PII a concern?  Start there.  How about cloud application vulnerability?  Usability and performance? 

Any of those can get you company on the front page of the Wall Street Journal, and not in a good way.  Better start now.

And leave the acronyms at the door. 

Questions?  My e-mail is dan@CAVU-Global.io

I started my career as a software developer, writing assembly-level software for military airplanes. (Avionics and cockpit displays, including what you see in aircraft today.) I was always interested the the entire end-to-end software deployment, from initial requirements right through and into operations and production.

So naturally, it’s time to apply that end-to-end curiosity to what I work on these days: eCommerce.

After spending the better part of two decades in eCommerce, I’ve decided to take a peek behind the curtain. What do I mean by that, you ask? Easy. I’ve always been laser-focused on things like, web site performance, user experience, mobile applications, digital marketing campaigns, SEO, PPC, e-mails, campaign launches. I mean anything that would get a user/customer to click the “order” button and complete the purchase.

But now that there’s a level playing field from a web performance perspective and just about every digital agency and online seller runs the same type of playbook from a marketing campaign perspective, how does Amazon continually stay on top and hold everyone else at bay? (And, yes, I know that some folks will not agree with me about the level playing field from a web performance/UX perspective, but the numbers don’t lie. All the big online sellers are bunched at the top with not much separating them.)

So, what separates them? Sometimes, the answer just stares right back at you, it’s so obvious.

And there it is.

So while all the focus has been on, “I want my customers to be able to BUY IT fast”, most on-line purchasers are now focusing on, “I want to GET IT fast”. (I mean, admit it, how many of you check this box IMMEDIATELY when going online to make a purchase? Come on, show of hands….I thought so. Yeah, I do, too.)

So, what’s behind the curtain?

The supply chain. Logistics.

The back-end of the process that completes the definition of business logistics.

The definition I’ve heard many times over the years, but had never concerned myself with the end-to-end component of it, that being the process after purchase. The definition: “having the right item in the right quantity at the right time at the right place for the right price in the right condition to the right customer”.

So what does all this entail? It’s all about connecting the data and getting it to the right person, at the right time. What kind of data?

Commercial & Master Data – Purchase Orders, Commercial Invoices, Product/Item Masters, eCommerce orders & delivery, Shipment Status updates, inventory updates

Finance – Freight and Audit Pay, Accounting & General Ledger transactions

Freight & Logistics – Booking & Load Tender, Advanced Shipment Notices, Shipment events and milestones, Customs entry details, Document attachments

So, why now?

This part’s an easy question to answer. If I’ve seen anything over the past 3-4 months, it’s that eCommerce is changing forever. Because of COVID-19, eCommerce is booming. (See 2020 Q1 growth of on-line eCommerce Sales: https://bit.ly/2N5Kodb) This is a milestone change that is unlikely to revert back to pre-COVID-19 days.

What has this done? It has put a huge stress level and focus on the supply chain and logistics processes. Everyone reading this saw it first-hand.

Anyone still seeing the empty shelves where toilet paper should be?

The infrastructure and back-end systems and the information and data contained in these systems has not had the investment around it to handle the increase we are now seeing, and will continue to see, in eCommerce growth.

The critical need – especially now – is for real-time data sharing across supply chain partners.

Hence the opportunity I saw and why I joined the Chain.io team.

So, what does Chain.io do?

The Chain.io supply chain integration platform represents a new approach to an age-old supply chain question. “How do we make all of these systems and people work together?”

The Chain.io cloud-based platform solves these problems using an open application programming interface (API), developer friendly tools, an expertly developed data model, and event driven behaviors to make connecting and coordinating systems and people easier than ever before.

The platform uses complex, next generation technologies like data graphs, and Artificial Intelligence (AI) without all of the heavy lifting involved in most supply chain integration projects.

Takeaway

COVID-19 accelerated eCommerce growth significantly in a 3 month period of time, forever changing the way consumers shop, and put a spotlight and strain on the supply chain and logistics processes. This consumer pressure is forcing the industry as a whole to look at improving the technology and processes that make up these areas.

Optimizing these processes is no longer a “nice to have”, it’s a MUST HAVE that directly ties to bottom line revenue, complete with it’s own measureable ROI.

Many retailers are falling by the wayside and are not expected to survive. Many of those never got fully ahead of the consumer eCommerce purchasing wave to begin with. The ones that are surviving are putting renewed focus on supply chains and logistics.

If you’re in eCommerce, hop on.

Should be a fun ride!

Or, as Herb Brooks once said, “Great Moments are born from great opportunity.” –1980 US Olympic Ice Hockey Team, pre-game pep talk.