The Business Case For An Outsourced Software Supply Chain

Outsoured Software Supply Chain Biz Case

Your software supply chain includes:

  • All the open source dependencies your project requires.
  • All the development and build tooling those open source ecosystems come with.
  • Any number of commercial tools you’ve purchased to ensure your dependencies are fit for use, which can include apps that help identify security and compliance concerns, for example.

As most organizations learned when they started leveraging open source software, despite the fact that it was free to license, there were significant costs in terms of time and resources to implement and maintain it. In fact, it’s so expensive that most organizations don’t bother to maintain their codebase, exposing them to cyberattacks as outdated codebases become more and more vulnerable over time.

But what can you do? Times are tough, and even cybersecurity budgets that have weathered cuts before are under pressure to reduce spend. For example, in 2023, cybersecurity budgets shrank by as much as two-thirds over 2022 according to the 2023 Security Budget Benchmark Summary Report. The good news is that cybersecurity budgets still grew by 6%, but that’s compared to 17% growth in 2022. Another survey by PwC suggests 2024 budgets are unlikely to help, with only ~8% of organizations willing to increase their cybersecurity budget by at least 15%.

This is all occurring at a time when:

Not to mention the fact that cybersecurity technology just keeps getting more complex and costly every year.

The real issue here is that your software supply chain is both vitally necessary to, and an enormous drag on your business. Because it’s not the thing you sell, your software supply chain is not the focus of your efforts. As a result, it’s typically been cobbled together from multiple solutions over time that do more to increase your costs than help meet your security and productivity goals. 

Let’s break down the costs to see what outsourcing can mean for your bottom line. 

Software Supply Chain Cost Analysis

When you step back and look at how open source software gets from an ecosystem’s public repositories onto a developer’s desktop, there’s probably more steps involved than you may think. While startups may be fine with just letting developers download and install open source packages directly, most organizations take a more process-oriented approach to ensuring packages are fit for use before they can be incorporated into their software development process. 

But with process often comes complexity, meaning that the solution your organization has implemented over the years has grown, and is probably costing you far more than you think. For example:


In-house Annual Cost

Creating and maintaining a software supply chain (including the ability to build key packages like OpenSSL securely from source code)

1 DevOp FTE per language in your tech stack

Package and environment management tooling adoption (costs may be significantly higher if commercial tooling is used instead)

$50 per developer

Maintaining an approved catalog of dependencies

10% of a Security FTE, an IT FTE and a Compliance FTE

Artifact repository (monitors dependencies over time for vulnerabilities)

$2500 per developer*

SCA tooling (identifies licenses, vulnerabilities and maintainability)

$139 per developer**

Cybersecurity professional (investigates alerts generated by SCA and artifact repository)


Open source maintenance & dependency remediation 

10% of a sprint

* based on repositories like JFrog Artifactory, Sonatype Nexus and others

** based on SCA Tools like Snyk, Mend, Checkmarx, and others

Using a $150K FTE and a team of 10 developers working with 2 programming languages we can calculate the cost of an in-house implementation of a software supply chain to be:


In-house Annual Cost

ActiveState Advantage

Creating and maintaining a software supply chain


Included for any number of languages

Package and environment management tooling adoption


Universal tooling for all languages

Maintaining an approved catalog of dependencies


Policy-driven eliminating the need for manual intervention

Artifact repository



SCA tooling



Cybersecurity professional



Open source maintenance & dependency remediation





10-20% of in-house costs, depending on requirements

While your actual numbers may vary depending on the size of your team, the number of languages in your tech stack, and the number of tools/processes you’ve implemented, the message is clear: outsourcing your software supply chain costs a fraction of your in-house implementation, while freeing up a number of dedicated resources to better focus on improving your software end product. 

Conclusions – Outsourced Software Supply Chain Security & Productivity Gains

The business case created here is a very simple one, erring on the side of minimizing the cost of an in-house software supply chain solution. For example, security-conscious organizations may want to build far more than just OpenSSL from source code in order to ensure security. This effectively means vendoring many of your dependencies, which can dramatically raise costs, especially if you want to ensure security by building them with a hardened build service that supports reproducibility. 

Those same security-conscious organizations are also likely to take alerts seriously, dedicating more than one cybersecurity professional to investigating the volume of false positives that can often plague a project, especially at the start or when significant changes are made. It’s also these kinds of organizations that are most likely to be affected by cybersecurity burnout, and may lack the resources to replace them at a time when there is a deficit of such workers in the marketplace. 

When it comes to productivity, the benefit of outsourcing is much more straightforward since outsourcing frees up internal resources from managing your software supply chain solution to better focus on your application, helping to close competitive gaps or extend your market lead. 

Next Steps

If the dollar and cents of this business case make sense, take the next step and learn How To Outsource Software Supply Chain Maintenance

Recent Posts

Scroll to Top