EBN - Andy Chou - Liabilities of the Expanding Software Supply Chain

datasheets.com EBN.com EDN.com EETimes.com Embedded.com PlanetAnalog.com TechOnline.com

Events ▼

UBM Tech ▼

PlanetAnalog.com

					MOBILE




Home Blogs Message Boards Research Key Sections Supply Chain \| Join Login About

Facing Supply Risks: Korea, Europe, and Future Supply Chain Shocks - Peter Drucker famously ... Transferring Sourcing & Payment to the Cloud - Collaboration with sourcing partners and B2B ... Vietnam Stymied by Ongoing Port Headache - Asia's transportation revolution was supposed to ... Manufacturers Can Learn From Showrooming - The supply chain business model requires novel ... Boeing Cuts Both Risk & Costs - After reducing risk by spreading out its operations, Boeing ...
	ANDY CHOU Liabilities of the Expanding Software Supply Chain Bio Email This Print Comment Andy Chou, Chief Scientist & Co-Founder, Coverity 2/14/2011 (2) comments NO RATINGS Login to Rate Tweet In an increasing number of industries, development organizations are using less of their own code developed in-house and more codes that come from third parties or open-source projects. The extended software supply chain is a business necessity, as go-to-market times are shortened and customer demand for new device features has increased. But this extended supply chain can also turn into a liability if third-party code is not properly tested for defects. Take the example of the Android kernel that Coverity Inc. scanned in November as a part of our annual Scan Open Source Integrity Report. The Android kernel code base is derived from the Linux kernel. Google (Nasdaq: GOOG) developers then add on their own code and modify some of the existing Linux code and publish the result to mobile OEMs, the ultimate integrators in the mobile supply chain. Those integrators then take the Android platform from Google and stitch it together with code from third parties that drives devices such as the processor, touchscreen, WiFi, and 3G/4G wireless chips. Then they layer on their own changes to fix integration problems, improve battery life, and provide differentiating features to their phones. So what happens when a manufacturer or third party finds defects like those that we found during our scan? Working with Google developers, we’ve found that they are happy to fix Android-specific defects, but defects inherited from the Linux kernel are different -- the Android team would rather have these defects fixed upstream by Linux kernel maintainers. This means that they are relying on a community of thousands of open-source software developers to ensure high-quality code and testing, and to respond to issues in a timely fashion. OEMs have similarly wanted to defer defects found in the Android kernel that they did not change, back upstream to Google or the Linux community. We call this the "you-wrote-it-you-fix-it" philosophy of accountability for code quality. There are many good reasons to want developers who write code to fix it. Developers who wrote the code probably understand it the best. If the defects are fixed in the original source, then when changes are pushed downstream, the integration of those changes will also automatically pick up defect fixes. More subtly, the you-wrote-it-you-fix-it principle also applies to any changes made downstream. So, for example, if an OEM were to change part of the Android kernel, it could not reasonably expect Google to test those changes or fix defects related to that code. In essence, it would be taking ownership of that code indefinitely, and it would need to bear the cost of integrating future changes to Android with the custom changes it has made. This would potentially slow time to market and add to development and testing costs, so such changes are generally avoided. This model works well if everyone in the software supply chain has a common standard for quality, but it can be precarious if they don’t. If there were defined metrics for code to meet, then manufacturers could reject the code if the quality is not high enough and hold developers responsible for defects. But by distributing responsibility among multiple parties without well defined and effective quality control metrics, the result can be uneven quality across different components, even though all of them must work together to provide a high-quality end-user experience. For a given defect, the question of "when will this defect be fixed" cannot be answered unless the third-party and open-source providers are taken into account. The aerospace industry is an example of a highly regulated area that has been forced to get it right. All avionics software must meet certain coding standards and hold up to rigorous testing. We predict that the automotive industry will set standards of its own in the next few years. Other industries like mobile and independent software vendors need to follow suit to ensure that they can continue to efficiently build products that meet the quality levels their customers demand. Over time, we expect that as the software supply chain continues to get more complex, some common industry baselines for software integrity will be established without the need for government regulation. We have faith in this idea because it’s a win for everyone: Consumers get better products, and companies get cost savings and faster time to market with higher quality by leveraging their software supply chains more efficiently. Email This Print Comment COMMENTS View comments: newest first \| oldest first \| threaded [close this box] User Rank Stock Keeper Open source quality stochastic excursion 2/15/2011 12:12:38 PM NO RATINGS Login to Rate The developers of code or any other component understand it better in some ways. In terms of the relevant functionality and performance though, it should be the customer that has the better understanding of the product. With open source software especially, the cost of ownership is the time and effort required to do just that, take ownership by extensive incoming inspection. With a product with as many variables as an open sourced operating system kernel, quality assurance requires, on top of the usual evaluation protocols, the involvement of staff-level expertise to ensure all bases are covered. Open sourced components should also be kept simple, with base functionality to which value can be added using inheritance/aggregation principles. These object-oriented programming concepts haven't fully been adopted in operating systems, but with applications they prove useful for code maintenance. Reply Post Message Messages List Start a Board User Rank Supply Network Guru pinpointing the defect areas is more important prabhakar_deosthali 2/15/2011 1:24:19 AM NO RATINGS Login to Rate In the Software supply chain scenario described in this blog, if the heirarchy is followed for reporting and fixing the defects, then the software will become manageable during its life-cycle. At any stage when a problem is detected , the OEM at that stage should first verify whether the bug has got introduced because of the ADD-ONs developed by it. If yes then the bug should be fixed by that OEM itself. Else the bug should be reported to the one-up level in the supply chain heirarchy and that level OEM should fix the bug and pass on the new version or the patch code to the level down. For any such generic fixes the OEM could notify all other customers also about such problem and the related bug fix . With such mechanism the customer-vendor relationship should remain at the two adjacent levels only. This means that the OEM at certain level should own the total liability of all the software it supplies to the customer at the next level but pass on the related liability of the bought out software components to its upper level. Reply Post Message Messages List Start a Board				More Blogs from Andy Chou Mitigating Medical Device Software Risk (11) comments Software codes are proliferating in the medical device supply chain, and mitigating risks in the system is now a priority for OEMs. Third-Party Software Risks (9) comments Third-party software codes are gaining grounds in the electronics industry but not enough is being done to test them rigorously. Establishing Governance for Internal Software Supply Chains (5) comments What are the best practices and guidelines for managing a company's internal software supply chain? Automated Code Testing of Third-Party Software (13) comments Software are now seen as a part of the OEM's brand, so it's important that quality verification be conducted through automated code testing How to Work Better With the Open-Source Community (17) comments Incorporating open-source components isn’t as free or as effortless as it might seem MORE FROM ANDY CHOU Datasheets.com Parts Search 185 million searchable parts (please enter a part number or hit search to begin) Latest Poll (3) Comments MORE POLLS EBN Dialogue / LIVE CHAT Have a tête-à-tête with leaders & luminaries EBN Dialogue enables and encourages you to participate in live chats with notable leaders and luminaries. Not only editors and journalists, but the entire EBN community is able to comment and ask questions. Listed below are upcoming and archived chats. Archived Dialogues Thailand Stages a Comeback Join EBN contributor Jennifer Baljko on Thursday August 23, 2012, at 11:00 a.m. EST for a live chat on how electronic manufacturers in Thailand have shored up their supply chain to reduce the impact of future natural disasters. Read Euro-Crisis: What It Means for High-Tech Firms Join EBN Editor in Chief Bolaji Ojo and Contributing Editor Jennifer Baljko on Thursday, July 12, at 10:00 a.m. EDT for a Live Chat on high-tech and Europe's economic difficulties. Read Microsoft Surface: Potential Winners & Losers What are the implications for the electronics industry supply chain of Microsoft Corp.'s decision to launch its own tablet PC? Join industry veteran and EE Times' systems and OEM expert Rick Merritt on Tuesday, July 3, at 12:00 pm EDT for a Live Chat on this subject. Read ALL ARCHIVED DIALOGUES Latest EBN Dialogue Thailand Stages a Comeback Join EBN contributor Jennifer Baljko on Thursday August 23, 2012, at 11:00 a.m. EST for a live chat on how electronic manufacturers in Thailand have shored up their supply chain to reduce the impact of future natural disasters. READ DIALOGUE Webinars Upcoming Webinars Facing Supply Risks: Korea, Europe, and Future Supply Chain Shocks Date: 7/9/2013 11:00 a.m. eastern Peter Drucker famously said "Trying to predict the future is like trying to drive down a country road at night with no lights while looking out the back window." Yet in the razor's-edge world of electronics—with a lean supply chain and just-in-time demands—the need to know the future is vital. Archived Webinars Averting the Supply Chain Talent Crisis Date: 4/30/2013 You've heard the saying "the No. 1 supply chain risk is your people." That hasn't always been the case. But today's complex global supply chain requires a new type of multitalented employee. It's one who understands, finance, marketing, economics, is savvy with technology, graceful with relationships and can think analytically. Where are these people? Are universities properly preparing the next generation supply chain professionals? How do train your existing workforce for these new, demanding positions? Brian Fuller, editor-in-chief of EBN, will lead a 60-minute Avnet Velocity panel discussion that will ask and answer these and other questions swirling around today's supply-chain talent challenges. MORE WEBINARS \| WEBINAR ARCHIVES EBN Newswire ENGLEWOOD, COLO. 3/20/2013 Arrow Establishes IT Asset Disposition and Reverse ... PHOENIX 3/20/2013 Avnet, Inc. to Acquire RTI Holdings MANSFIELD, TEXAS 3/12/2013 Mouser Receives Top Award from Harwin PHOENIX 2/28/2013 Avnet Tapped Among Fortune’s “World's Most Admired ... SANTA CLARA, CALIF. 1/29/2013 UBM & Lytica Launch Component Pricing Tool PHOENIX 1/16/2013 Avnet Embedded Opens Development Labs SANTA MONICA, CA 1/15/2013 Master Distributors Offering Tamura Sensors PHOENIX 1/15/2013 Avnet Express Stocks Pulse NFC Antennas FORT WORTH, TX 1/15/2013 Executive Moves at Allied Electronics MOORESTOWN, NJ 1/11/2013 Alliance Sensors Partners With Marposs FORT WORTH, TX 1/9/2013 TTI Enhances Apple iOS Mobile App MANSFIELD, TX 1/9/2013 Mouser First to Stock Ultra-Slim Murata EDLCs MORE NEWSWIRE Resources sponsored content Digital Edition: Critical Issues & Challenges for the Supply Chain & Electronics in 2013 3/5/2013 Offshoring: Was it the right decision? 10/23/2012 Digital Publication: Electronics and the Challenges Manufacturers Face Today 9/19/2012 Nearshoring - OEMs Reevaluate Global Manufacturing Strategies 7/5/2012 Clusters Meld Benefits of Offshoring and Vertical Integration 7/5/2012 Component Data Management for Environmental Compliance: Challenges and Solutions 5/15/2012 Different Approaches to Standalone Solar Light 8/23/2011 Future Electronics FIRST Supply Chain Solutions 2/3/2011 Class D Amplifier Design 1/21/2011 Solar Electricity: A Renewable Energy Source 1/21/2011 Power Supply for High Performance Analog 1/21/2011 LED solutions make down light applications flexible, reliable, and more energy efficient 1/3/2011 Navigating unchartered waters: new challenges in specifying LED luminaire lifetime 12/28/2010 Medical: Freescale and Texas Instruments-Contributions to Pulse Oximetry 10/18/2010 Medical: Freescale and Texas Instruments-Infusion Pump Advancement 10/18/2010 Medical: Freescale and Texas Instruments-Monitoring the Heartbeat of ECG Technology 10/18/2010 Freescale Semiconductor: SAVING CRITICAL TIME: HOW TO SPEED UP MEDICAL SCREENINGS AND REMOTE PATIENT MONITORING 10/18/2010 MORE WHITE PAPERS Video Resources Twitter Feed follow us Like Us on Facebook


HOME BLOGS MESSAGE BOARDS RESEARCH \| JOIN LOGIN ABOUT RSS Contact Us Help

To save this item to your list of favorite EBN content so you can find it later in your Profile page, click the "Save It" button next to the item.

If you found this interesting or useful, please use the links to the services below to share it with other readers. You will need a free account with each service to share an item via that service.
Tweet This
[close this box]