Software is playing an increasingly decisive role in many products, services and existing and new business models. Small and large digitization strategies help make companies fit for the future and competitive, open up new markets, strengthen customer ties and drive innovation. The share of value added to products and services by software has multiplied in recent years, there is no end in sight, and in the near future value added by software will often account for the largest share and, incidentally, have a not inconsiderable impact on our modern society.
A dream worth billions! Software can be incorporated, integrated and networked everywhere, i.e. in every product, every process and every service. Software-supported systems are becoming smaller and smaller, more powerful, but also much more complex. Even crises such as the shortage of chips and raw materials in certain areas will only slow down these processes, but not stop them.
Technological success stories have already been sufficiently and loudly publicized, be it autonomously driving vehicles, digital currencies, intelligent refrigerators or advice-giving toothbrushes, all software! Even somewhat more discreet AI and analytics-based systems for dynamic pricing, evaluation and recommendation systems. No matter what, it's always software!
So far, so understandable, however, there are three very crucial issues that contribute significantly to the dynamics and complexity, and which form the basis of risk management faced by responsible parties:
1. Digitization is necessary
Companies, i.e., corporations as well as medium-sized enterprises, have understood the opportunities and benefits of digitization and are adapting their own corporate structures accordingly. Software development and IT is no longer the necessary 'appendage', but is positioned as a central core element in the company.
Nevertheless, it takes years to implement such a new structure in the company in a functional way. It is also important to get started and gain experience, always combined with the willingness to adapt processes and structures at any time. There is no ready-made recipe and often no real 'right' or 'wrong' and yet decisions have to be made if things are to move forward. Here, too, there is only 'lifelong learning'.
2. Modern systems are complex and faulty
Every single modern application and every modern system is extraordinarily complex and consists today of hundreds or even thousands of components in the form of packages, libraries, modules, frameworks, development languages, as well as a multiplicity of versions and respective dependencies among themselves. In addition it comes that these systems and components constantly develop further and thus also permanently must be updated. Be it for functional reasons, performance-relevant or, most importantly, security-relevant reasons. And no one alone can penetrate this 'jungle' nowadays, but everyone has to rely on it. For the software developer it should be made as easy as possible to concentrate on the business problem. The rest is provided by the 'ecosystem' ...and that is quite a challenge:
The most prominent example of the recent past is the Java library 'Log4j2', which represents the de facto standard for the elementarily important functionality of 'logging', an absolutely necessary core functionality in software development and system operation. This component is used (almost) everywhere where Java is used, and the question never arises whether this library is used, but rather why it should not be used. And of all things, this library, in use everywhere by the tens of millions, provides functionality that has been available (and even documented) for years and allows arbitrary code to be reloaded and executed. A nightmare for those responsible and the reason for many sleepless nights and hectic, high-priority activity in companies in recent times.
3. Developers skills are different and distributed software development is challenging
Software development takes place in teams, often distributed teams. Near- and offshoring for cost reasons, remote work for hygiene, cost and convenience reasons, and more recently to save energy. And each team contributes, intentionally or not, to the company's IT strategy. Software design decisions, development standards, integration mechanisms and protocols, testing procedures, code reviews, release and update processes, software vulnerability scans, and production software delivery are handled differently for a variety of reasons, some of which are understandable.
However, the quality of the results differs enormously as a result. Explanations are then difficult and often to be found in cost structures or different areas of responsibility, which does not make things any easier.
In addition: The common software developer is comfortable. Not all of them have such a pronounced knowledge or self-responsibility that they question themselves and their approaches or optimize their code. Or design it in such a way that others understand it. In software development, there are a variety of ways to get to the goal, and not everyone is always the best.
And: New methods and mechanisms, even if they are better, are initially viewed critically and adapted only sluggishly; sprint scopes and deadline pressure do the rest to deviate from the idea of an ideal software supply chain.
So a volatile world full of uncertainties and dangers? What risks result from this?
Due to the large number of software projects and the complexity of the applications and systems, it is not possible to know all the challenges in advance and to establish countermeasures before the first productive rollout takes place. It is not always possible to rule out all eventualities and security risks through elaborate pre-testing procedures and simulations, as is normally the case in the aerospace industry.
Even with these protective mechanisms based on extensive regulations, bad things happen, as the disaster involving the Boeing 737 Max a few years ago showed.
And there are a number of other serious risks that can arise in the context of software and applications:
- Data theft through inadequately secured systems leads to loss of reputation and can result in claims for damages.
- Poor system performance in terms of operation or response behavior alienates customers and users, who are reluctant to give your system a second chance.
- Inadequate processes make it difficult to keep applications and systems operational, maintain them and develop them further. This leads to instability and increased costs.
- Uncovered security gaps, even on the scale of the Log4j 'feature' mentioned above, occur time and again. If not acted upon quickly and correctly, major damage can result.
All things that no one can use. So what to do to limit the risk?
For this we would like to make the following recommendations:
- Software increases the added value of your products and services. So invest sustainably in the further training and qualification of your employees, especially software architects, developers and system administrators.
- Decide which software projects and applications are part of your core business and therefore belong in your own hands. Leave decisive positions in the company and do not outsource them. Try to build up and keep the crucial knowledge redundant. In the worst case, you can compensate for failures; in the best case, you can spread best practices throughout the company.
- Use agile software development standards and also give the specialist product owners sufficient time to participate in the project. The dovetailing of software development and the business unit and the direct and permanent collaboration ensure the same level of knowledge, direct results and the targeted and effective continuation of the project.
- Build infrastructure for your systems and applications in an automated way. Script your environments and eliminate manual steps in building systems. As a result, you create a high and consistent level of quality in all stages, from development to production. Repeatability, traceability, significantly simplified system updates and verifiable compliance with regulations are the positive results of this approach.
- Automate your development paths as well, starting from code check-in by developers. This includes code reviews, automated tests, ongoing security checks, packaging and versioning of delivery statuses, and technical approval processes prior to productive deployment. In this way, you create essential prerequisites for frequent and successful software updates. You can react immediately and do not have to consider quarterly or semi-annual maintenance windows.
- Establish monitoring for infrastructures and applications and use modern and automated monitoring and restart methods in case of errors and failures. Permanently adapt your monitoring mechanisms. This will ensure high system availability, even during peak loads, and compliance with the expectations of your users and customers.
From experience with our own customers, especially corporations and medium-sized companies with a long history and tradition, where 'own software' has only been part of the core area of their own products and services for a few years, we know how time-consuming it is to introduce these methods in the company sustainably and over years. Nevertheless, it is inevitable to institutionalize the software supply chain, i.e. the provision and permanent secure adaptation of applications and systems in the company. Even a long road begins with the first step.