By David Bendory, Tekton Engineering Manager, Google
Mature software engineering practices include automation at every stage of Continuous Delivery, but industry-wide standard measures of Supply Chain Maturity remain elusive.
With the increased focus on software supply chain security, the industry is collaboratively and quickly developing standards for tracing software provenance. But Continuous Delivery is not limited to building and deploying artifacts; it involves a long chain of events that begins with source code and results in stable production systems. Upgrading supply chain security requires mature Continuous Delivery practices, and that upgrade will become much easier if there is a well-defined path for increasing the maturity of Continuous Delivery practices.
To accelerate the adoption of industry standards, the CD Foundation's Software Supply Chain SIG is launching a Supply Chain Maturity Model workstream to focus on measuring Continuous Delivery practices and adoption.
New Workstream: Supply Chain Maturity Model
The Supply Chain Maturity Model Workstream will foster collaboration among SIG participants in defining a shared framework for discussing and measuring supply chain maturity. Initial members include engineers from Berkshire Grey, eBay, Google, Kusari, and of course the CDF itself. We will define CD maturity in terms of automation, identifying metrics and best practices around processes like build, test, and deployment automation, canary analysis, blue-green deployments, automated rollback, and more.
The Workstream will build on prior art such as NISI’s Continuous Delivery 3.0 Maturity Model and DevOps Institute’s SKILup Assessments to define common best practices and measures of adoption. We will assess metrics with regard to existing compliance and audit standards like SOX, HIPAA, and FedRAMP.
The ultimate goal of the Workstream is to benefit practitioners with consistent measures of CD maturity and guidance for gradually and iteratively improving their software delivery and management processes. Just as SLSA is a cross-industry collaboration supported by the Open Source Security Foundation, the Workstream aims to produce a cross-industry, collaborative framework for measuring CD maturity. These measures will guide our industry toward greater security, integrity, and stability in our engineering practices. The Workstream will take a practice-oriented approach by implementing proofs of concept and reference Continuous Delivery systems that illustrate best practices in adopting maturity standards. As a Workstream in the broader Supply Chain SIG, we will promote open source practices and tooling projects that demonstrate best practices in Supply Chain Maturity.