Software delivery has seen many shifts, first from single sourcing to multi-vendor global delivery, and onward to crowd-sourced development. Development also increasingly incorporates reusable software components, including open source components, to support an “assemble more, code less” philosophy.
These shifts have offered significant benefits, such as access to the best skills and talent and shorter time to market. But they’ve also led to a breakdown of the once holistic and transparent control over software delivery governance. As centralized control disperses out to autonomous delivery organizations, the variety of processes and tools used turns transparency into opacity. Different data structures and semantics make it difficult or impossible to create a common view across delivery partners, precluding any chance of spotting potential problems early. Technical and competitive restrictions on data sharing also create silos, further increasing the opacity.
This leads to poor coordination across delivery partners and, in practice, serious challenges in delivering secure, maintainable software. A systems integrator might realize quite late, for example, that a crowd worker has used a vulnerable open source component despite agreed-upon policies. That late discovery would require a high cost of rework to ensure security vulnerabilities are plugged.
Break the Silos
Fully enjoying the benefits of distributed software delivery requires a solution for these types of governance challenges. At Accenture Labs, we’ve developed a software delivery insights framework that uses “software sensors” in delivery tools and processes.[1] These sensors emit telemetry about specific software delivery data, which in turn creates and maintains a delivery knowledge graph. The knowledge graph supports various inferences and analyses to generate early insights into potential delivery problems, just as companies used to have with single-sourced development.
The emergence of crowd-sourced development requires this type of telemetry, data storage techniques, and insights on an even larger scale.[2] Imagine a massive delivery knowledge graph that stores telemetry from all participants, facilitating a fully transparent software delivery environment! Think about the systems integrator we mentioned earlier. She could have received an immediate alert that a crowd worker added a vulnerable open source component to the project. The integrator could then have requested that the crowd worker use the latest, secure component, even before the crowd worker shipped his software to the integrator.
Decentralized Delivery Insights
We’ve conceptualized a solution for recording just this type of telemetry from a set of autonomous and globally dispersed delivery partners.[3]
There’s a major hurdle, however, in trustworthy recording of data when the delivery partners are competitors—something that’s becoming increasingly common. To address this added challenge, we’ve incorporated distributed ledger technology (DLT). DLT offers non-repudiation, tamper resistance and transparent access to recorded data. Its decentralized nature also offers superior availability of the delivery telemetry for all partners. (Certain data can be kept off the DLT to address performance and confidentiality needs.)
Governance policies for the delivery, such as policies on the use of reusable components and on coordination among partners, are encoded on the DLT as smart contracts (for example, chaincode on a Hyperledger platform). This facilitates real-time enforcement of critical policies.
This solution also uses the concept of intelligence augmentation and “smart advisors” to provide role-specific alerts, contextual awareness and remediation actions.[4] Think about our systems integrator again: a smart advisor would directly alert the crowd worker and recommend the correct open source component to use, notifying the integrator without requiring her to intervene manually.
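To make the pieces described above concrete, the following is an added example (not Accenture Labs’ framework code and not real Hyperledger chaincode). It stands in for the DLT with an in-memory, hash-chained, append-only ledger; records constructed component-usage telemetry events from hypothetical partners (`crowd-worker-7`, `vendor-b`); encodes a governance policy as a minimum accepted version per component (the component names and versions are made up); and produces the role-specific alert a smart advisor would route to the partner who added a non-compliant component. It also shows that rewriting an already-recorded event breaks the chain, which is the tamper-evidence property the post relies on.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// ComponentEvent is one telemetry record that a hypothetical software sensor
// in a delivery partner's build tool emits when a reusable component is added.
type ComponentEvent struct {
	Partner   string `json:"partner"`
	Component string `json:"component"`
	Version   string `json:"version"`
}

// Entry is a ledger record: the event plus a hash chained to the previous
// entry. The chain is a toy stand-in for the tamper evidence a DLT provides.
type Entry struct {
	Seq      int
	Event    ComponentEvent
	PrevHash string
	Hash     string
}

// Ledger is an append-only, hash-chained list of entries shared by partners.
type Ledger struct{ Entries []Entry }

func hashEntry(seq int, ev ComponentEvent, prev string) string {
	payload, _ := json.Marshal(ev) // struct field order is fixed, so the hash is stable
	sum := sha256.Sum256([]byte(fmt.Sprintf("%d|%s|%s", seq, prev, payload)))
	return hex.EncodeToString(sum[:])
}

// Append records an event and links it to the previous entry's hash.
func (l *Ledger) Append(ev ComponentEvent) Entry {
	prev := ""
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].Hash
	}
	e := Entry{Seq: len(l.Entries), Event: ev, PrevHash: prev}
	e.Hash = hashEntry(e.Seq, ev, prev)
	l.Entries = append(l.Entries, e)
	return e
}

// Verify recomputes every link and returns the index of the first entry whose
// hash or back-link no longer matches, or -1 if the chain is intact.
func (l *Ledger) Verify() int {
	prev := ""
	for i, e := range l.Entries {
		if e.PrevHash != prev || hashEntry(e.Seq, e.Event, prev) != e.Hash {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// Policy is a governance rule of the kind a smart contract would encode:
// the minimum accepted version for each governed component (hypothetical).
type Policy map[string]string

// Alert is the role-specific message a smart advisor would send to the
// partner who added a non-compliant component.
type Alert struct {
	Seq       int
	Partner   string
	Component string
	Found     string
	Required  string
}

// part returns the i-th dotted version component, or 0 if it is absent.
func part(parts []string, i int) int {
	if i >= len(parts) {
		return 0
	}
	n, _ := strconv.Atoi(parts[i])
	return n
}

// versionLess compares dotted numeric versions component by component,
// treating missing trailing parts as zero (so "1.9" < "1.10.0").
func versionLess(a, b string) bool {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		if x, y := part(as, i), part(bs, i); x != y {
			return x < y
		}
	}
	return false
}

// Evaluate applies the policy to every recorded event and returns one alert
// per entry that uses a governed component below its minimum version.
func Evaluate(l *Ledger, p Policy) []Alert {
	var alerts []Alert
	for _, e := range l.Entries {
		required, governed := p[e.Event.Component]
		if governed && versionLess(e.Event.Version, required) {
			alerts = append(alerts, Alert{e.Seq, e.Event.Partner, e.Event.Component, e.Event.Version, required})
		}
	}
	return alerts
}

func main() {
	// Constructed sample telemetry; partner and component names are made up.
	l := &Ledger{}
	l.Append(ComponentEvent{"crowd-worker-7", "acme-json-parser", "1.4.2"})
	l.Append(ComponentEvent{"vendor-b", "acme-json-parser", "2.1.0"})
	l.Append(ComponentEvent{"vendor-b", "widget-ui", "0.9.0"})
	policy := Policy{"acme-json-parser": "2.0.0"} // hypothetical minimum version

	for _, a := range Evaluate(l, policy) {
		fmt.Printf("ALERT to %s: %s %s is below required %s (ledger seq %d)\n",
			a.Partner, a.Component, a.Found, a.Required, a.Seq)
	}
	fmt.Println("first bad entry before tampering:", l.Verify())
	l.Entries[0].Event.Version = "2.5.0" // a partner rewrites its own record
	fmt.Println("first bad entry after tampering:", l.Verify())
}
```

The policy check runs over the shared record rather than over each partner’s private tooling, which is what lets the alert reach the crowd worker at the moment the component is recorded instead of at integration time. In a real deployment the hash chain would be replaced by the ledger platform’s own consensus and endorsement, and the policy by a deployed smart contract; the evaluation logic itself stays the same shape.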
Stay tuned to hear more about how Accenture Labs is using this framework to answer complex questions on software provenance, incentivizing developers using social tokens, securing machine learning models and more!
To learn more about our work in this space, contact Vikrant Kaulgud.
The authors would like to acknowledge the contributions of Vibhu Sharma, Rohit Mehra and Jagadeesh C. Bose for the foundational research work leveraged in this innovation.
[1] Sharma, V.S. and Kaulgud, V., 2012, June. PIVoT: Project insights and visualization toolkit. In Proceedings of the 3rd International Workshop on Emerging Trends in Software Metrics (pp. 63-69). IEEE Press.
[2] Kaulgud, V. and Sharma, V.S., 2015, November. Software Development Analytics: Experiences and the Way Forward. In 2015 30th IEEE/ACM International Conference on Automated Software Engineering Workshop (ASEW) (pp. 10-13). IEEE.
[3] Singi, K., Pradeepkumar, D.S., Kaulgud, V. and Podder, S., 2018, May. Compliance adherence in distributed software delivery: a blockchain approach. In 2018 IEEE/ACM 13th International Conference on Global Software Engineering (ICGSE) (pp. 126-127). IEEE.
[4] Sharma, V.S., Mehra, R. and Kaulgud, V., 2017, May. What do developers want? An advisor approach for developer priorities. In Proceedings of the 10th International Workshop on Cooperative and Human Aspects of Software Engineering (pp. 78-81). IEEE Press.