
How software production using events helps to bring software securely to customers

December 16, 2022 / December 19th, 2022 | Blog, Member

Contributed by Kristofer Hallén, Emil Bäckmark and Mattias Linnèr, Ericsson | Originally posted on ericsson.com

Emerging event driven architectures can offer a solution to complex interoperability problems resulting in faster and more secure innovation across the network. Below we explore what event-driven software production could mean for creating and deploying mobile network software and how it could lead to an interoperability-in-a-box future.

Secure Telecom

The telecom industry is on its way from proprietary, tightly-coupled, and monolithic solutions to virtualized, hardware-agnostic, and loosely-coupled solutions, paving the way for cloudification of the industry. In parallel to changes in the technology stack, new software development and delivery methodologies such as Continuous Integration, Continuous Delivery/Deployment (CI, CD/D), and DevOps are becoming critical to service providers, allowing them to increase the speed of transitioning from idea to a sellable product or solution.

CI, CD/D and DevOps solutions are no longer concerns for individual development teams only, or even a single company. In an increasingly complex environment, due to increased requirements and regulations, we need the capability to quickly create and deploy high quality software in a secure way. This means that it must be possible to integrate tools and services both inside the company and externally: internally between development teams and organizations, and externally where a company will need to connect to both suppliers and customers. We are now creating solutions to achieve interoperability in this ecosystem.

We have previously described the need for interoperability to speed up tech transformation in telecom, i.e. the capability to efficiently and quickly put several CI/CD solutions together to create a full software production system. This offers everything needed to go from code to deployed product, including software supply chain, build, test, integration, deployment, and policy fulfilment. Why is this so important? Studies show that high performance software production has a positive impact on business.

Software production of course does not only exist in telecom. Other industries also have similar needs and a major emerging trend is to use event driven architectures to solve complex problems.

What are events in a software system context?

Events are notifications about something that has happened and are often used in disparate systems where a change of state in one system will have an effect in another part of the system. A producer generates the event, which a consumer receives and can act on based on the content of the event.


Events can be delivered through various industry standard protocols such as HTTP, AMQP and MQTT, open-source protocols (e.g. Kafka, NATS), or platform specific protocols.

We see that event usage leads to a decoupled ecosystem with separation of concerns that enables scalability and maintainability. The benefit comes from creating a protocol where producers do not send messages to a specific consumer in the software production system, but instead broadcast them, which makes it easy to implement new use cases without having to change already existing use cases and implementations.


Leveraging event usage in interoperability

By using standardized asynchronous events, different solutions can work together and support scaling and decoupling of large CI/CD systems. This makes events an especially good solution for achieving interoperability. Changes to the system, like scaling up and the introduction of new solutions, can be made without impacting the complete system. An example of this trend is CloudEvents, a growing de facto standard for describing event data. CloudEvents is now supported by cloud providers like Azure and Google Cloud, as well as popular CI/CD tools such as Jenkins and Tekton. Events should, however, not be used for all use cases. A decoupled system could, for example, introduce challenges when it comes to troubleshooting, and it could be difficult to guarantee the transmission of an event.

To fully benefit from event usage in interoperability we need to establish standards for how to use events in CI/CD. Based on Ericsson’s experience from creating the open-source CI/CD event protocol Eiffel, we are pushing to establish standards for how to use events in CI/CD within the Continuous Delivery Foundation (CDF). Ericsson has been awarded for being one of the drivers in this area, being part of founding the Special Interest Group (SIG) Interoperability in the CD Foundation and then the SIG Events that is now defining the CDEvents standard. The CDEvents working groups have attracted interest from companies such as IBM, Dynatrace and DeployHub, from important CI/CD tool providers such as Jenkins and Tekton, and also from multiple smaller companies and organizations.

By providing a protocol describing the semantics of the consequences of executing CI/CD pipelines, CDEvents creates a language that facilitates communication between the different tools. CDEvents’ goal is to encourage tool providers to take part in CDEvents creation and then provide native support for CDEvents. Introducing events to a software production system also provides powerful ways to measure and trace activities in the system: the information in the events can be used to create Google Cloud’s DevOps Research and Assessment (DORA) measurements, which are a de facto standard for describing how capable your organization is of deploying well-working software. Read more about the use cases intended for CDEvents in the Primer within the CDEvents Documentation. CDEvents is in active development with participants from IBM, Ericsson, doWhile, DeployHub and others. The protocol aims to provide a first draft version this year, making it possible for tools to start integrating it.

Event usage in other aspects of software production

Events can also be used in other important aspects of software production, including supply chain security, contributing to being able to secure the software you bring to customers. This field has been in the spotlight after many software security issues, with recent examples including MeDoc, Mimecast, SolarWinds and Log4J. To mitigate these issues, several governments have added legislation in this area. We see this in e.g. the White House executive order on improving cybersecurity. All of this legislation requires vendors to document what software they have used by producing a Software Bill Of Materials (SBOM). Using events in all parts of the software production flow will create the traceability needed to collect the data that is essential to create SBOMs within a complex production setup consisting of different systems.
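The traceability idea above, as an added example that is not code from this post, from CDEvents or from Eiffel: a consumer validates the CloudEvents envelope, drops redelivered events, and walks build events to list the components behind an artifact, reporting any input for which no valid event arrived. The event type `example.artifact.built`, the `data` fields and all sample values are assumptions constructed for illustration; only the four required envelope attributes come from CloudEvents 1.0.

```python
# CloudEvents 1.0 required context attributes.
REQUIRED = ("specversion", "id", "source", "type")
BUILT = "example.artifact.built"  # hypothetical event type, not a CDEvents name

def ev(eid, source, artifact, inputs):
    """Build a constructed sample event; the data fields are assumptions."""
    e = {"specversion": "1.0", "source": source, "type": BUILT,
         "data": {"artifact": artifact, "inputs": inputs}}
    if eid is not None:
        e["id"] = eid
    return e

EVENTS = [  # constructed sample stream
    ev("e1", "/build/lib-a", "lib-a@1.2.0", []),
    ev("e2", "/build/lib-b", "lib-b@0.9.1", ["lib-c@3.0.0"]),
    ev("e3", "/build/app", "app@2.0.0", ["lib-a@1.2.0", "lib-b@0.9.1"]),
    ev("e3", "/build/app", "app@2.0.0", ["lib-a@1.2.0", "lib-b@0.9.1"]),  # redelivery
    ev(None, "/build/lib-c", "lib-c@3.0.0", []),  # malformed: no id
]

def ingest(events):
    """Validate the envelope, drop redeliveries, index build events by artifact."""
    seen, built, rejected = set(), {}, []
    for e in events:
        if any(not isinstance(e.get(k), str) or not e[k] for k in REQUIRED):
            rejected.append(e)
            continue
        key = (e["source"], e["id"])  # source + id identifies one event
        if key in seen:
            continue
        seen.add(key)
        data = e.get("data") or {}
        if e["type"] == BUILT and data.get("artifact"):
            built[data["artifact"]] = e
    return built, rejected

def trace(artifact, built):
    """Walk build events from an artifact; return (components, untraced)."""
    components, untraced, visited, stack = [], [], set(), [artifact]
    while stack:
        name = stack.pop()
        if name in visited:
            continue
        visited.add(name)
        e = built.get(name)
        if e is None:  # no valid event arrived: provenance gap
            untraced.append(name)
            continue
        components.append({"name": name, "event_id": e["id"], "source": e["source"]})
        stack.extend(e["data"].get("inputs", []))
    return sorted(components, key=lambda c: c["name"]), sorted(untraced)
```

The `untraced` list is the part to watch in practice: an input with no accepted event is a component the SBOM cannot vouch for, which is how a lost or malformed event shows up downstream.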

We foresee that with a continued adoption of event-based interoperability, using e.g. CDEvents in CI/CD tools and services, interoperability will be provided out of the box, not only in company-internal CI/CD systems but also in software supply chains and customer deployment chains. This will reduce the need for investing in adapting and integrating software production solutions to make them work well together. As a direct result, cost and lead time will be reduced for all actors, and the resulting decoupled systems can be evolved and adapted to new needs.

Read the first part of this blog post: Why interoperability in CI/CD matters for future innovation