SUPRA Framework for Software
Delivering software inside an enterprise is hard. Everyone wants to move the needle on the 5Ss, Speed, Security, Scalability, Stability and Savings, and everyone discovers how much it takes to move all five at once. Getting there requires a robust, modern DevSecOps framework, and that is where SUPRA (yes, another acronym) comes in. Supra is Latin for "above" or "beyond", which is exactly where enterprises need to get to. So what are the elements of SUPRA?
Security, Usability (DevX), Progressive (Delivery), Resiliency, and Automation. Let's look at each of these in detail.
Security - Over the last two years, and for good reason, there has been a flurry of activity around securing the software supply chain. Part of it was triggered by the 2021 US Executive Order on Improving the Nation's Cybersecurity (EO 14028), but most of it comes from the plain fact that most enterprise software is assembled from third-party components nobody has verified, and the resulting holes are easy to exploit.
Key Elements for Security - Supply Chains to Runtime
SBOMs - A clean manifest of what is inside a software artifact lets everyone who builds, ships or runs it know what they are dealing with, and it is the input for every downstream check (vulnerability matching, license policy, admission control). There are three major standards, each from an established body: SPDX (Linux Foundation, ISO/IEC 5962:2021), CycloneDX (OWASP) and SWID tags (ISO/IEC 19770-2). They may converge over time, but for now each has its own merits (some are more machine-readable, some more human-readable, and so on). An SBOM is only worth trusting if it was generated at build time from the actual build inputs and is bound to the artifact it describes, ideally by the artifact's digest; one produced afterwards by scanning a binary is a best-effort guess. Good read by Chris on some of the differences.
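What "use the SBOM" looks like in practice, as an added example that is not code from the original article or from any of the SBOM projects: it reads a CycloneDX JSON document, lists what is in the artifact by Package URL (purl, the identifier scanners and policy engines key on), flags components that fall below an advisory's fixed version, and reports components the SBOM cannot identify at all. The SBOM document is constructed for this example; the advisory list holds two real fix versions but in production would come from a vulnerability database rather than a hand-written list.

```python
"""
Added example, not code from the original article: parse a CycloneDX JSON
SBOM, list components by purl, match them against an advisory list, and
report components that carry no identifier.  SAMPLE_SBOM is constructed.
"""
import json

# Constructed CycloneDX 1.4 document, trimmed to the fields used below.
# The last component is first-party code and, as is common, has no purl.
SAMPLE_SBOM = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
  "version": 1,
  "metadata": {"component": {"type": "application", "name": "payments-api", "version": "2.3.0"}},
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
     "version": "2.13.4", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4"},
    {"type": "library", "group": "org.yaml", "name": "snakeyaml",
     "version": "1.33", "purl": "pkg:maven/org.yaml/snakeyaml@1.33"},
    {"type": "library", "group": "com.example", "name": "internal-auth-lib", "version": "1.0.2"}
  ]
}
"""

# Advisory list: a component with this (group, name) is affected when its
# version is below fixed_in.  Fix versions here are the published ones; a
# real pipeline feeds this from a vulnerability database keyed on purl.
ADVISORIES = [
    {"id": "CVE-2021-44228", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "fixed_in": "2.15.0"},
    {"id": "CVE-2022-1471", "group": "org.yaml", "name": "snakeyaml", "fixed_in": "2.0"},
    {"id": "CVE-2020-36518", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
     "fixed_in": "2.13.2.1"},
]


def load_sbom(text: str) -> dict:
    """Parse the document and refuse anything that is not CycloneDX."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc


def component_purls(doc: dict) -> list:
    """Package URLs of every identifiable component, sorted for stable diffs."""
    return sorted(c["purl"] for c in doc.get("components", []) if "purl" in c)


def unidentified_components(doc: dict) -> list:
    """Components without a purl cannot be matched against any database."""
    return [c["name"] for c in doc.get("components", []) if "purl" not in c]


def _version_key(version: str) -> tuple:
    # Good enough for dotted numeric versions; real tools apply ecosystem rules.
    return tuple(int(part) for part in version.split("."))


def advisory_matches(doc: dict, advisories: list) -> list:
    """(purl, advisory id) for each component below an advisory's fixed version."""
    hits = []
    for comp in doc.get("components", []):
        for adv in advisories:
            same_package = (comp.get("group"), comp["name"]) == (adv["group"], adv["name"])
            if same_package and _version_key(comp["version"]) < _version_key(adv["fixed_in"]):
                hits.append((comp.get("purl", comp["name"]), adv["id"]))
    return hits


if __name__ == "__main__":
    sbom = load_sbom(SAMPLE_SBOM)
    print("components:", *component_purls(sbom), sep="\n  ")
    print("unidentified:", unidentified_components(sbom))
    print("advisory hits:", advisory_matches(sbom, ADVISORIES))
```

The unidentified list is the part teams tend to skip: a component without a purl silently passes every scanner, so an SBOM quality gate should fail on it rather than on the advisory hits alone.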
Buildpacks - Cloud Native Buildpacks turn source code into an OCI-compliant container image without a hand-written Dockerfile. The platform, not each team, decides the base image and build layers, and because the layers are well defined the base of an already-built image can be swapped for a patched one (rebase) without rebuilding the application. That makes images more maintainable and gives security a single place to act when a base image CVE lands.
SLSA - SBOMs tell you what is in a specific artifact, but operators also need to see and trust the full picture from source code to running artifact: who built it, from which commit, on which builder, and whether it could have been tampered with along the way. That is what the SLSA (Supply-chain Levels for Software Artifacts) levels define, each level adding stronger requirements on build provenance and build platform integrity. Enterprises need to understand the levels, decide which level they want to be at, and work out which tooling and platforms, in addition to Sigstore for signing artifacts and attestations, will get them there. One example here.
Runtime: Use admission control (OPA Gatekeeper is the common choice) so that images that do not meet policy, for example unpinned, unsigned or without provenance, never make it into production; the higher the SLSA level of the build (2+), the less likely such an image is to show up in the first place. Runtime security is a much broader topic, but mutual TLS between services is the basic step: done right it encrypts all service-to-service traffic and gives every request an authenticated workload identity that runtime policy can act on.
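The SLSA and admission control points above meet in one check: an image is admitted only if a provenance attestation for that exact digest exists and names a trusted builder. The following is an added example, not code from the original article, Gatekeeper or Sigstore; it implements that gate in Python rather than Rego so the whole exchange is visible in one file. The registry names, builder id, key and digests are constructed. The in-toto statement layout, the SLSA v0.2 predicate type and the DSSE pre-authentication encoding are the real ones; the envelope signature uses HMAC-SHA256 with a shared key as a stand-in for the asymmetric signature cosign would verify.

```python
"""
Added example, not code from the original article or any named project:
an admission-style gate for container images.  Admit only when the image
is pinned by digest, comes from an allowed registry, and carries a SLSA
provenance attestation (in-toto statement in a DSSE envelope) whose
signature verifies, whose subject covers this digest, and whose builder
is trusted.  All names, keys and digests below are constructed.
"""
import base64
import hashlib
import hmac
import json
import re
from typing import Optional, Tuple

ALLOWED_REGISTRIES = {"registry.example.com"}             # constructed
TRUSTED_BUILDERS = {"https://ci.example.com/builder/v1"}   # constructed
DEMO_KEY = b"demo-only-shared-key"                         # constructed HMAC stand-in
PROVENANCE_V02 = "https://slsa.dev/provenance/v0.2"
IN_TOTO_TYPE = "application/vnd.in-toto+json"

# Only digest references match; a tag such as :latest is rejected outright.
DIGEST_REF = re.compile(r"^(?P<registry>[^/]+)/(?P<repo>[^@:]+)@sha256:(?P<sha>[0-9a-f]{64})$")


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the bytes that are actually signed."""
    ptype = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(ptype), ptype, len(payload), payload)


def make_envelope(statement: dict, key: bytes) -> dict:
    """Wrap a statement the way a builder would (signature is the HMAC stand-in)."""
    payload = json.dumps(statement, separators=(",", ":")).encode()
    sig = hmac.new(key, pae(IN_TOTO_TYPE, payload), hashlib.sha256).digest()
    return {"payloadType": IN_TOTO_TYPE,
            "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": "demo", "sig": base64.b64encode(sig).decode()}]}


def open_envelope(env: dict, key: bytes) -> dict:
    """Return the statement only if some signature verifies over the PAE."""
    payload = base64.b64decode(env["payload"])
    expected = hmac.new(key, pae(env["payloadType"], payload), hashlib.sha256).digest()
    if not any(hmac.compare_digest(base64.b64decode(s["sig"]), expected)
               for s in env["signatures"]):
        raise ValueError("envelope signature invalid")
    return json.loads(payload)


def admit(image_ref: str, envelope: Optional[dict]) -> Tuple[bool, str]:
    """Admission decision: (allowed, reason).  Checks are ordered cheapest first."""
    match = DIGEST_REF.match(image_ref)
    if not match:
        return False, "image must be referenced by sha256 digest, not a tag"
    if match["registry"] not in ALLOWED_REGISTRIES:
        return False, f"registry {match['registry']} not allowed"
    if envelope is None:
        return False, "no provenance attestation"
    try:
        stmt = open_envelope(envelope, DEMO_KEY)
    except ValueError as err:
        return False, str(err)
    if stmt.get("predicateType") != PROVENANCE_V02:
        return False, "not a SLSA provenance predicate"
    if match["sha"] not in {s["digest"]["sha256"] for s in stmt["subject"]}:
        return False, "attestation does not cover this image digest"
    builder = stmt["predicate"]["builder"]["id"]
    if builder not in TRUSTED_BUILDERS:
        return False, f"untrusted builder {builder}"
    return True, "ok"


# Constructed artifact plus the attestation a SLSA 2+ builder would emit for it.
IMAGE_DIGEST = hashlib.sha256(b"constructed image manifest").hexdigest()
IMAGE_REF = f"registry.example.com/team/payments-api@sha256:{IMAGE_DIGEST}"
STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{"name": "registry.example.com/team/payments-api",
                 "digest": {"sha256": IMAGE_DIGEST}}],
    "predicateType": PROVENANCE_V02,
    "predicate": {
        "builder": {"id": "https://ci.example.com/builder/v1"},
        "buildType": "https://ci.example.com/build/v1",
        "materials": [{"uri": "git+https://git.example.com/team/payments-api",
                       "digest": {"sha1": hashlib.sha1(b"constructed commit").hexdigest()}}],
    },
}
ENVELOPE = make_envelope(STATEMENT, DEMO_KEY)


def tampered_envelope() -> dict:
    """Same envelope with the builder id rewritten and the signature left as is."""
    stmt = json.loads(base64.b64decode(ENVELOPE["payload"]))
    stmt["predicate"]["builder"]["id"] = "https://laptop.example.net/builder"
    payload = json.dumps(stmt, separators=(",", ":")).encode()
    return dict(ENVELOPE, payload=base64.b64encode(payload).decode())


if __name__ == "__main__":
    for ref, env in [(IMAGE_REF, ENVELOPE),
                     ("registry.example.com/team/payments-api:latest", ENVELOPE),
                     (IMAGE_REF, tampered_envelope())]:
        print(ref.rsplit("/", 1)[-1][:40], "->", admit(ref, env))
```

The order of checks matters in a real admission webhook: the digest and registry tests cost nothing and cut out most bad requests before any signature work, and the subject check is what stops an attacker replaying a perfectly valid attestation for some other image.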
Key Elements for Usability (DevX)
"Developer experience is the next major competitive front in enterprise tech" - Protocol
Usability/DevX has become a key building block for the organisations that lead in the enterprise. DevX is a broad topic, best captured in James' comprehensive writeup, but one thing is clear: the industry is moving towards an internal developer portal (IDP, not to be confused with an identity provider) powered by Backstage. Connecting a portal like Backstage with the supply chains described above is the most logical next step we are seeing in the enterprise, and platforms like VMware Tanzu Application Platform do just that.
Progressive Delivery
Progressive Delivery is a relatively new term that emerged as a superset of Continuous Delivery practices. Modern software organizations use a growing set of progressive techniques: review apps, blue/green, canaries, feature flags, A/B testing. It is becoming common to see open frameworks like Flagger (which automates canary analysis against metrics) and Istio (which does the traffic shifting) used to deliver elements of Progressive Delivery, and just as common for end-to-end platforms like Harness to deliver it.
Resiliency & Observability
There is already a wealth of information on SLAs, SLOs and SLIs, and they have steadily become the foundational framework for building resilient systems. Most observability players like Datadog and New Relic support SLOs and SLIs; what has been missing is a well-integrated platform that blends observability metrics with progressive delivery techniques, so that a rollout decision is driven by the same numbers that define "healthy". The Harness team has done a great job delivering SLO-driven pipelines, as has the Tanzu Service Mesh team for scaling and resiliency.
"We don't want to go into production if our SLOs are saying that we have violated our error budget threshold. If we see error budgets get depleted in production after rollout, we want an automated rollback to occur" - Harness F500 customer
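The gate the customer describes, tying the progressive delivery techniques above to SLO data, as an added example that is not code from the original article, Harness or Flagger: a rollout step is held while the SLO window's error budget is overspent, rolled back when the recent burn rate or the canary's error rate shows the new version is eating budget, and promoted otherwise. All request and error counts are constructed; the SLO target, burn-rate ceiling and canary tolerance are assumed thresholds a team would tune to its own service.

```python
"""
Added example, not from the original article: an SLO-driven promotion gate
for a canary rollout.  Counts and thresholds below are constructed.
"""
from dataclasses import dataclass
from typing import Tuple

SLO_TARGET = 0.999  # assumed: 99.9% of requests succeed over the SLO window


@dataclass(frozen=True)
class Window:
    """Request and error counts for one time slice of one population."""
    requests: int
    errors: int

    def error_rate(self) -> float:
        return self.errors / self.requests if self.requests else 0.0


def error_budget_remaining(slo_window: Window, slo: float = SLO_TARGET) -> float:
    """Fraction of the window's error budget still unspent; negative = overspent."""
    allowed_errors = (1.0 - slo) * slo_window.requests
    return (allowed_errors - slo_window.errors) / allowed_errors


def burn_rate(recent: Window, slo: float = SLO_TARGET) -> float:
    """Budget consumption speed: 1.0 spends exactly the budget by window end."""
    return recent.error_rate() / (1.0 - slo)


def gate(slo_window: Window, recent: Window, baseline: Window, canary: Window,
         slo: float = SLO_TARGET, min_canary_requests: int = 500,
         max_burn_rate: float = 2.0, canary_tolerance: float = 2.0) -> Tuple[str, str]:
    """Decide hold / rollback / wait / promote for one progressive rollout step.

    slo_window: the whole SLO period (e.g. 30 days) for the service
    recent:     the last few minutes of all traffic, used for burn rate
    baseline:   traffic served by the current version during the canary
    canary:     traffic served by the new version during the canary
    """
    remaining = error_budget_remaining(slo_window, slo)
    if remaining <= 0:
        return "hold", f"error budget exhausted ({remaining:.0%} remaining); no new rollouts"
    burn = burn_rate(recent, slo)
    if burn > max_burn_rate:
        return "rollback", f"burn rate {burn:.1f}x exceeds {max_burn_rate}x"
    if canary.requests < min_canary_requests:
        return "wait", f"only {canary.requests} canary requests, need {min_canary_requests}"
    # A canary is bad only if it is both worse than the baseline and
    # above the SLO's own error threshold, so a single error in a quiet
    # service does not trigger a rollback.
    worse_than_baseline = canary.error_rate() > canary_tolerance * baseline.error_rate()
    over_slo = canary.error_rate() > (1.0 - slo)
    if worse_than_baseline and over_slo:
        return "rollback", (f"canary error rate {canary.error_rate():.2%} vs "
                            f"baseline {baseline.error_rate():.2%}")
    return "promote", "canary within tolerance and error budget healthy"


if __name__ == "__main__":
    # Constructed scenarios: healthy, budget already spent, noisy canary.
    month = Window(30_000_000, 12_000)
    print(gate(month, Window(100_000, 50), Window(50_000, 25), Window(2_000, 1)))
    print(gate(Window(30_000_000, 31_000), Window(100_000, 50), Window(50_000, 25), Window(2_000, 1)))
    print(gate(month, Window(100_000, 50), Window(50_000, 25), Window(2_000, 20)))
```

The hold branch is the part most pipelines lack: once the budget is gone, even a perfectly healthy canary should not be promoted, because the team has already committed that remaining budget to reliability work rather than change.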
Automation
Automation is the key building block both for speed and for lower failure rates (fewer human touch points). While automation can and should be used across the software life cycle, some recurring use cases have a particularly high ROI:
1 Click Developer Environments - Being able to spin up developer or QA environments in minutes that match what ops will actually run goes a long way towards delivering high-quality software. Most enterprises struggle with this and drag developers through trouble tickets and ServiceNow workflows, which do not make them any faster. Companies like Coder and StackBlitz are examples of how automation can help.
GitOps - GitOps, done right, is the glue between developers, operators and their environments: the desired state lives in Git, changes go through review, and a controller reconciles the environment to it, so the audit trail and the rollback path are the same thing. Companies like Weave, and now Tanzu Application Platform, make GitOps easy in the enterprise.
In addition to the above there is the obvious infrastructure-as-code automation using Terraform, which is now becoming common in enterprises.
Summary
If you care about 5S-like outcomes then you need to think about the elements of the SUPRA framework. SUPRA is not meant to be exhaustive; if there are elements you feel are absolutely essential, please recommend them in the comments.
Senior Executive, Engineering and R&D Services at HCLTech
2 years ago: Great article Greg
Technology Leader
2 years ago: Great article, Arni! Correctly addresses the modern DevSecOps challenges with the right emphasis on the well-proven outcome-based 5Ss strategies.
Search AI Specialist
2 years ago: Arni, this is fantastic research that you gifted to us. This 2-minute read will bloom to 60+ minutes as I dig through the supporting materials you referenced in this summary. Thank you!
Staff Solution Engineer
2 years ago: Great article Arni... Lots of information, yet in a condensed format.