SD Times October 2020 by d2emerge

OCTOBER 2020 • VOL. 2, ISSUE 40 • $9.95 • www.sdtimes.com

IFC_SDT036.qxp_Layout 1 5/20/20 10:52 AM Page 4

Instantly Search Terabytes

www.sdtimes.com EDITORIAL EDITOR-IN-CHIEF David Rubinstein drubinstein@d2emerge.com NEWS EDITOR Christina Cardoza ccardoza@d2emerge.com

dtSearchâ&#x20AC;&#x2122;s document filters support: Â&#x2021; popular file types Â&#x2021; emails with multilevel attachments Â&#x2021; a wide variety of databases Â&#x2021; web data

Â&#x2021; efficient multithreaded search Â&#x2021; HDV\ PXOWLFRORU KLW KLJKOLJKWLQJ Â&#x2021; forensics options like credit card search

ART DIRECTOR Mara Leonardi mleonardi@d2emerge.com

CONTRIBUTING ANALYSTS Enderle Group, Gartner, IDC, Intellyx

CUSTOMER SERVICE SUBSCRIPTIONS subscriptions@d2emerge.com ADVERTISING TRAFFIC Mara Leonardi mleonardi@d2emerge.com LIST SERVICES Jessica Carroll jcarroll@d2emerge.com

Developers: Â&#x2021; 6'.V IRU :LQGRZV /LQX[ PDF26 Â&#x2021; &URVV SODWIRUP $3,V IRU & -DYD DQG NET with NET Standard / 1(7 &RUH

Jakub Lewkowicz jlwekowicz@d2emerge.com

CONTRIBUTING WRITERS Jacqueline Emigh, Lisa Morgan, Jeffrey Schwartz

2YHU VHDUFK RSWLRQV LQFOXGLQJ

SOCIAL MEDIA AND ONLINE EDITORS Jenna Sargent jsargent@d2emerge.com

Â&#x2021; )$4V RQ IDFHWHG VHDUFK JUDQXODU GDWD FODVVLILFDWLRQ $]XUH $:6 DQG PRUH

REPRINTS reprints@d2emerge.com ACCOUNTING accounting@d2emerge.com

ADVERTISING SALES PUBLISHER David Lyman 978-465-2351 dlyman@d2emerge.com

Visit dtSearch.com for Â&#x2021; KXQGUHGV RI UHYLHZV DQG FDVH VWXGLHV Â&#x2021; IXOO\ IXQFWLRQDO HQWHUSULVH DQG developer evaluations

The Smart Choice for Text RetrievalÂ® since 1991

dtSearch.com 1-800-IT-FINDS

SALES MANAGER Jon Sawyer 603-547-7695 jsawyer@d2emerge.com

PRESIDENT & CEO David Lyman CHIEF OPERATING OFFICER David Rubinstein

D2 EMERGE LLC 80 Skyline Drive Suite 303 Plainview, NY 11803 www.d2emerge.com

003_SDT040.qxp_Layout 1 9/23/20 10:56 AM Page 3

Contents

VOLUME 2, ISSUE 40 • OCTOBER 2020

FEATURES

NEWS 4 12

News Watch

The art of code reviews

Survey: Early VSM adopters reaping benefits

Talk yourself into an application? page 14

Progress acquires Chef to extend DevOps and DevSecOps offerings

page 6

COLUMNS 36

GUEST VIEW by Richa Roy Use ‘EI’ before ‘AI’ in process change

ANALYST VIEW by Arun Chandrasekaran Some FAQs on serverless computing

INDUSTRY WATCH by David Rubinstein Accelerating digital transformation

page 10

SOFTWARE TESTING How API management can fuel your digital business page 19

The Future of Testing is AI: Visual AI

Parasoft Leads Testing Innovation

Supercharge Testing with Mobile Labs

Automate Mobile Testing with Kobiton

Fix Penetration Testing Finds Faster

Software Testing Showcase

page 32 Software Development Times (ISSN 1528-1965) is published 12 times per year by D2 Emerge LLC, 80 Skyline Drive, Suite 303, Plainview, NY 11803. Periodicals postage paid at Plainview, NY, and additional offices. SD Times is a registered trademark of D2 Emerge LLC. All contents © 2020 D2 Emerge LLC. All rights reserved. The price of a one-year subscription is US$179 for subscribers in the U.S., $189 in Canada, $229 elsewhere. POSTMASTER: Send address changes to SD Times, 80 Skyline Drive, Suite 303, Plainview, NY 11803. SD Times subscriber services may be reached at subscriptions@d2emerge.com.

004-5_SDT040.qxp_Layout 1 9/21/20 11:27 AM Page 4

SD Times

October 2020

www.sdtimes.com

NEWS WATCH HCL launches cloud-native database HCL Software wants to address its users’ changing data demands with the release of OneDB, a cloud-native enterprise database for data-driven platforms. According to the company, OneDB was designed with multi-model capabilities and automated management functions. Key features include: l The ability to deploy OneDB as a Docker container for applications at the edge, on premises or in the cloud l 99.999% uptime and scalability l Automated monitoring tools for database administration l Support for a variety of data demands and data models l A single, integrated datastore l Ability to encrypt data and secure connections l Extensive programming language support

TensorFlow-DirectML now open source Microsoft has announced it is open sourcing its extension of TensorFlow for Windows. The source code for TensorFlow-DirectML is now available on GitHub. “TensorFlow-DirectML broadens the reach of TensorFlow beyond its traditional Graphics Processing Unit (GPU) support, by enabling high-performance training and inferencing of machine learning models on any Windows devices with a DirectX 12-capable GPU through DirectML, a hardware accelerated deep learning API on Windows,” wrote Microsoft’s senior program manager Clarke Rahrig, senior software

LaunchDarkly adds flag triggers Feature management company LaunchDarkly has announced that it is adding flag triggers through new integrations with Honeycomb and Datadog. Flag triggers are one-step automations that can be triggered after a specific alert goes off or a performance metric is met. They work by sending webhooks to a URL. This allows them to be turned on and off from any tool that fires a webhook, like a CI or APM tool. According to LaunchDarkly, a benefit of feature flagging is that developers can disable features that are negatively impacting users or systems. They also can be used to smoothly advance a rollout when everything is going as planned. engineer Justin Stoecker, and principal software engineer lead Chai Chaoweeraprasit. TensorFlow-DirectML supports native Win32 and Windows Subsystem for Linux, and is suitable for students, beginners and enthusiasts looking to accelerate model training and prediction on DirectX 12 GPU machines.

OXIDE provides new low-code experience Application development platform provider JourneyApps has announced a new solution that aims to bring the power of low-code and professional code app development together. OXIDE is a next-generation Integrated Development Environment (IDE) for building and maintaining business applications. According to the company, OXIDE fills a gap in the application development market by combining the speed and efficiency of low-code platforms with the flexibility and power of professional development in a single platform. OXIDE allows developers to switch between code and visual tools to build cross-platform apps on iOS, Android, macOS,

Windows and Linux without additional configurations. Any app built in OXIDE can be run as a web app in a browser, making it ideal for use cases such as customer portals. Other features include multiwindow and customizable workspaces, pair programming capabilities, code as the first-class citizen, and visual point-and-click tools.

GitHub ReadME project highlights dev and teams GitHub announced the ReadME Project, a new space designed to share and highlight open-source stories that are moving humanity forward. According to the company, while 99% of the software that powers the world is built on open-source code, the maintainers and developers of the code often go unnoticed. “We read a lot about the preeminence of software, less so about the communities of people pouring their efforts and passions into it,” Brian Douglas, senior developer advocate at GitHub, wrote in a post. “Today, and throughout the coming months, you’ll read stories of personal growth, professional chal-

lenges, and lessons learned— the journeys you might not see behind projects you probably use every day.”

Microsoft: TypeScript 4.0 the next gen The latest version of TypeScript is now available. According to Microsoft, TypeScript 4.0 represents the next generation of TypeScript releases and focuses on expressivity, productivity, and scalability. New features in this release include: l Variadic tuple types l Labeled tuple elements l Class property inference from constructors l Short-circuiting assignment operators l Unknown on catch clauses l Custom JSX factories l Speed improvements in build more with –noEmitOnError l –incremental with –noEmit l Editor improvements

Kotlin 1.4 improves quality, performance JetBrains has released the latest version of Kotlin. For Kotlin 1.4, the team focused on quality and performance of the

004-5_SDT040.qxp_Layout 1 9/21/20 11:27 AM Page 5

www.sdtimes.com

language and its tooling. This release includes over 60 performance fixes. One performance enhancement is that files open much faster and content is highlighted faster. According to the team, content will appear highlighted 1.5 to 4 times faster than before. The team also improved the speed at which autocomplete suggestions appear. The IDE also got a few new updates, including a new feature called Coroutine Debugger, which allows developers to pinpoint bugs in concurrent applications, and a new Kotlin Project Wizard for creating and configuring Kotlin projects.

Enterprise Architect 15.2 expands core modeling Sparx Systems has announced the release of Enterprise Architect 15.2. Enterprise Architect is a modeling platform for software development. According to the company, this release expands core modeling capabilities and adds new collaboration and simulation tools. New collaboration features include peer-to-peer chat and streamlined reviews, discussions, notifications, and processes. Enterprise Architect 15.2 also adds new UI windows and tools that will expose useful features of the program, like Model Views, Traceability, Searching, and Model Navigation.

Gitpod now open sourced The prebuilt development environment provider Gitpod has announced it is now open source. The project is

designed to automatically spin up ready-to-code environments for GitLab, GitHub and Bitbucket projects. Gitpod is a browser-based, VS Code-powered Kubernetes application. With Gitpod, developers can maintain their environments as code and turn manual tasks into machine-executable code.

NativeScript 7.0 aligns with modern JS NativeScript 7.0 is now available. According to the language’s Technical Steering Committee (TSC), this release marks a significant step forward in aligning the framework with modern JavaScript standards and bringing consistency across the stacks. In addition, the TSC noted that in this release there was a more holistic approach to managing the open-source components surrounding the framework. In this release the language now targets es2017+ instead of es5. This allows for faster and more performant code. Developers will be able to utilize the latest ES advances, such as Nullish coalescing operator ??. The release also adds support for the v8 iOS engine.

Istio 1.7’s hybrid cloud features Istio 1.7’s new features were built to make Istio easier to operate and to expand its capabilities for hybrid cloud environments. This includes multiple control plane upgrades such as the canary upgrade that enables users to verify a new control plane using continuous integration and Istio’s

telemetry features. Once a portion of the workloads are verified, more workloads can be transferred until all are running using the new Istio control plane. The release also pushes virtual machine integration to beta quality. The new WorkloadEntry API in Istio 1.7 treats VMs like Kubernetes pods, so users can manage their infrastructure with APIs. New security enhancements include token bootstrapping and certificate rotation.

Android 11 focus: controls Android 11 was released last month with three primary themes: a focus on controls to let users get to and control all of their smart devices,

October 2020

SD Times

increased privacy, and a people-centric approach to communication. The release also includes new features for developers such as conversation notifications, device and media controls, one-time permissions, enhanced 5G support, IME transitions, and more. “Android 11 is people-centric and expressive, reimagining the way we have conversations on our phones, and building an OS that can recognize and prioritize the most important people in our lives. For developers, Android 11 helps you build deeper conversational and personal interactions into your apps,” Stephanie Cuthbertson, director of product management for Android, wrote in a blog post. z

People on the move

n Flint Brenton has been appointed the chief executive officer for the identity-centric privileged access management solution provider Centrify. Brenton replaced former CEO Tim Steinkopf, who retired due to health reasons. Renton was previously the president and CEO of CollabNet VersionOne (now Digital.ai). At Centrify, Brenton will work to redefine PAM for modern IT environments. n New Relic has appointed Anne DelSanto and David Henshall to its board of directors. Additionally, Hope Cochran has been named chair of the board. DelSanto is a limited partner at Operator Collective and Stage 2 Capital venture funds with years of cloud transformation experience. Henshall is the president and CEO of Citrix with over 25 years of technology management experience. Cochran is currently the managing director of Madrona Venture Group. She has served as a New Relic board member since May 2018. Cochran replaces Peter Genton, who stepped down after 12 years of service. n CData Software has named industry veteran Hugh Raiford as its new chief revenue officer. Raiford previously led sales for Progress DataDirect. At CData, Raiford will ensure the CData team is closely aligned with the needs of its customers as it becomes a leader in the standards-based data connectivity space.

006-9_SDT040.qxp_Layout 1 9/22/20 4:02 PM Page 6

It’s as much about the right skills and process as BY CHRISTINA CARDOZA

ode reviews are a crucial component of the software development process. It encourages the software development team to interact with one another, collaborate, and improve the quality of their code. However, it’s more than just checking new code to detect errors and become familiar with the codebase. According to Phil Hughes, front-end engineer at GitLab, it’s about how you provide and convey that feedback — and that’s an art form and a skill that is learned over time. “Reviewing code efficiently is a skill that gets learned the more you do it. Spending time coming up with a workflow that works for yourself is just as important,” he wrote in a blog post.

006-9_SDT040.qxp_Layout 1 9/22/20 4:03 PM Page 7

www.sdtimes.com

October 2020

SD Times

what you’re writing and hopefully they see something you don’t see. Sometimes it is about reviewers having more expertise of the particular file and a particular repository so they can give you extra context on the thing you might be changing or identify a potential issue,” said Jarred Colli, head of product for Bitbucket at Atlassian. n Manage time effectively: One of the

it is about going line by line Here are some tips and tricks to perfect your code review process and to help teams get on the right path: n Decide how you want to do code

reviews: According to Sandya Sankarram, software engineer at SurveyMonkey, there are three ways to do a code review: 1. Group walkthroughs where code is reviewed as a group in person. The benefits of this is the ability to

debate about concerns and feedback in real time. 2. Pair programming where two developers work together with one writing the code and the other observing and offering advice along the way. 3. Pull request code reviews where code reviews happen offline; reviews, changes and feedback can be added line by line, and feedback can be given through commits. “It’s like having a proofreader look at

top challenges of code reviews is making sure developers allocate enough time to review each other’s code. “It’s not uncommon for somebody to submit a pull request and wait two weeks for their teammates to give them feedback before it can be merged,” said Colli. “Ultimately, the goal for development teams is to merge high-quality code quickly. Some people err on the side of making sure the code is high quality. Some people prefer to err on the side of making sure that it’s done quickly. The goal is to try to do both.” One way to do both is to make sure code doesn’t stay unmerged for long periods of time. The less time it stays unmerged, the less opportunity it has to change or cause potential problems, according to Colli. Colli added pull requests should be reviewed by teammates within a couple of days and then get merged. According to GitLab’s Hughes, individual developers should find a time in their daily routine that works best for them. For instance, he finds starting his day off with code reviews for him provides less distractions and more productivity. Additionally, Hughes says to have an agreement for how long code reviews should take. GitLab has a 2-day Service Level Objective for reviewers to get feedback to developers. n Keep it short and simple: There is

an inclination to put all changes together in one large package and then make it available for everyone to review. This makes the process confusing because there could be multiple files changing simultaneously, making it hard to effectively review the code. It also reduces the likelihood team members are going continued on page 8 >

006-9_SDT040.qxp_Layout 1 9/22/20 4:03 PM Page 8

SD Times

October 2020

www.sdtimes.com

< continued from page 7

to find problems. “Developers are so busy with a million different things, it’s hard to sit down and do that all at once. They end up having to come back to the review multiple times, they might skip a file, lose their place, or forgot what they read before,” said Colli. Tightening the feedback loop between writing the code and getting feedback also prevents developers from getting too attached to the code and then getting defensive over changes being made to it, according to Erik Dietrich, a programmer and cofounder of the technical content marketing firm Hit Subscribe. Pair programming works well here because developers are closely aligned so when they make a mistake they can immediately get that feedback. n Automate when possible: According to Aki Asahara, CEO of the software development company Sleeek, about 30% or more of a team’s working time is made up of code reviews. By being able to automate parts of the code review, it can save time and enable higher-quality code. Asahara explained that a majority of code reviews involve just checking the state and style of the code. With an automated tool, teams can write custom policies or rules so developers don’t have to worry about spellcheck or repetitive tasks, and they can deal with more essential parts of the code. Atlassian’s Colli explained there are a lot more automated tools coming out to help support and reduce the amount of time it takes to perform a code review. Code insight tools can help identify dependencies and issues to let developers know if things need to be updated and provide more context around code that is being changed. Security scanning tools can help find potential vulnerabilities. Having automated tools also takes pressure and conflict off developers and teammates, according to Dietrich. He explained developers tend to have negative connotations towards reviewers because they feel like they take too much time or nitpick their code. “And beyond the interpersonal dynamic,

automated reviews are relatively infallible. [Automated tools] won’t miss something because they haven’t had their coffee yet, or because they’ve been at this for hours, it’s Friday, and they want to knock off for the day,” said Dietrich. n Have a checklist: Atlassian’s Colli

explained it can be difficult for teammates to confirm that the reviews have been done and the suggestions and feedback were appropriately acted upon. A checklist could include whether or not the code reviewed feedback; was anything done about it; was it done the way it was suggested to be done, why or why not?

developers by telling them how they could have been more effective. “Few people realize the impact on knowledge sharing and mentorship code reviews have on a team. They are a tool to help engineers grow faster (junior engineers see seniors’ code more frequently), get better at mentoring (giving constructive feedback),” Gergely Orosz, an engineering lead at Uber, wrote in an email to SD Times. Without code reviews, the software development process can suffer from “less knowledge sharing, more easily preventable mistakes going into production,” and code that is “often less readable as a result,” he explained.

Ultimately, the goal for development teams is to merge high-quality code quickly.

Take advantage of merge checks or branch restrictions: Similarly to custom policies, merge checks or branch restrictions can set conditional rules in place before a pull request can be merged. “The more structure that you can add to the back and forth between teammates providing feedback, the better off you are going to be,” said Colli. For example, a check can be to make sure the code was checked and approved by at least two reviewers before it can move on; or if a security vulnerability is identified by the security scanning tool the code won’t be merged. n Take advantage of talent: One strategy is to find developers who understand the complexity of the code or who are an expert in the area of the code being checked so they can provide feedback about any risky changes, according to Colli. n Use code reviews as a teaching

opportunity: Code reviewers help developers become more familiar with the codebase, but it’s also an opportunity for senior developers to help junior

From meaningless to meaningful code reviews Code reviews can be a source of anxiety and misery for groups that are more sensitive and appreciate polite gentle feedback. But on the other hand, code reviews can also be great for groups of people who appreciate direct and honest feedback, no matter how blunt or brutal it may be. “For the latter group, code review is great; it’s a chance to duke it out over strongly held personal beliefs with (theoretically, in their minds) no hard feelings,” said Dietrich. It doesn’t have to be one way or another. According to Sankarram, there is some middle ground. In a talk on “Unlearning toxic behaviors in a code review culture,” Sankarram pointed out some toxic behaviors she and others have experienced as well as provided recommendations to improve code review culture. “Please keep in mind that I’m not discouraging feedback. I’m just making a plea for people to govern their tone and the way that they choose to deliver the content of their feedback,” she said in her talk.

006-9_SDT040.qxp_Layout 1 9/22/20 4:03 PM Page 9

www.sdtimes.com

n Don’t pass your opinion off as fact:

Unless you can provide proper resources and documentation to back up your claim. According to Sankarram, this is common when it is a question of style and syntax. She recommended implementing a linter or automatic code fix so team members can see what style guidelines they should be following. “You should be

n Don’t leave an overwhelming amount of comments: “When a person makes an error, chances are that they’ve made the same error in several places,” Sankarram explained. Instead of leaving comments in every single place the error occurred, simply leave detailed notes with helpful links and resources so you are conveying your message, but not overwhelming the developer.

October 2020

SD Times

or actionable feedback. It is better to describe the problem and not waste time,” Sankarram explained. n Don’t use emojis to convey feelings

or point out issues: For instance, Sankarram has seen the thumbs-down or puke emoji used in previous code reviews. Emojis, while fun, are cryptic and easy to misunderstand as well as wastes people’s time trying to figure out what the emoji means. n Don’t ghost people: Developers

seeking code reviews can also contribute to the toxic culture by not responding to feedback, leaving people wondering why they even bothered to help you in the first place. If you don’t agree with something or are not going to make a particular change, let the reviewer know why.

fostering debates and not making demands,” said Sankarram. Dietrich explained saying “that’s wrong” or “that’s bad” can cause developers to be defensive. “Contrast that with a statement like ‘that’s not what I’d have done there,’” which is essentially inarguable. Even better, though, I’ve found, is to ask questions instead, like ‘why did you choose that implementation,’ or ‘couldn’t that lead to a race condition?’” he added. Using opinions instead of fact can also waste developers’ time arguing over subjective concerns. “If you have domineering reviewers that are providing feedback that’s completely non-actionable or arbitrary, it creates learned helplessness in the subjects of that review. They learn to do a pretty minimal amount of effort, since the domineering personality will pick apart everything they do anyway,” said Dietrich.

n Don’t ask reviewers to fix prob-

lems: If there are issues within the code that aren’t directly related to the reviewers’ change, it becomes a separate discussion. n Don’t ask judgmental questions:

This is unhelpful and implies that the developer should have known about a simple solution. It also forces the developer to have to defend their work. Instead, you could recommend they do it a different way rather than using harsh and judgmental words such as “Why didn’t you do it this way?” said Sankarram. n Don’t be sarcastic: Code reviews

are not the time to be sarcastic, it is a time to offer someone feedback. “Saying something like ‘Did you even test this code before checking it in?’ is sarcastic, it’s rude and it gives no context

n Don’t ignore toxic behaviors: It’s typical to deemphasize behavior especially if it is coming from a high performing or productive developer, according to Sankarram, but these developers still need to understand that their behaviors are stressful and draining and not helpful to other team members. “The stakes are pretty high, not taking steps to unlearn these toxic behaviors have serious setbacks for the team as developers feel overwhelmed, attacked and unmotivated. They start to draft these feedback processes that are supposed to help them grow,” Sankarram said. Dietrich also suggested code reviews should be bidirectional and includes all team members regardless of the experience level. Also, letting team members pick their own code reviewers can help them be more comfortable with the review. “You want to make sure people feel safe to take risks and get feedback, and not be scared to get negative feedback or try something different. Every team needs to start with figuring out how to build that trusting environment among other collaborators so that kind of bleeds through all the work that you do together,” Atlassian’s Colli added. z

010,11_SDT040.qxp_Layout 1 9/21/20 12:53 PM Page 10

SD Times

October 2020

www.sdtimes.com

s technology advances and morphs, startups continue to emerge, looking to differentiate themselves from the rest against incredible odds — some 90% of all startups fail, according to Forbes. (That’s in all fields; not just tech startups.) Identifying which will ultimately succeed or fail is like trying to find gold in the bottom of a stream. But that’s what the editors of SD Times look for each year: Those companies that have somehow shined more brightly than the others. In some cases, we’ve found fool’s gold; in others, we’ve struck the mother lode. Having said all, here are the companies we think will pan out and find their pot at the end of the rainbow. (See what I did there?)

Cutover What they do: Work orchestration and observability Why we are watching them: Cutover aims to enhance visibility and reduce risk by enabling software teams to plan, orchestrate, and analyze complex work better and faster.

DataKitchen What they do: DataOps Why we are watching them: DataKitchen aims to automate and coordinate people, tools and environments of an entire data analytic organization. The company also works to help organizations on applying Agile, DevOps and Lean principles to their data processes with the DataOps Cookbook and manifesto.

DeepCode What they do: AI-powered code analysis Why we are watching them: DeepCode’s cloud service reviews code and provides alerts about critical vulnerabilities, with the intent of stopping security bugs from making it into production. The goal is to enable safer, cleaner code and deliver it faster.

DeepFactor What they do: DevOps monitoring Why we are watching them: The company just released a pre-production monitoring solution that aims to combine security, performance and behavior monitoring. It features the company’s deep passive monitoring technology with its application runtime intelligence engine to find issues and risky and unexpected behavior changes between releases.

010,11_SDT040.qxp_Layout 1 9/21/20 12:53 PM Page 11

www.sdtimes.com

October 2020

SD Times

Env0

Spell

Tecton.ai

What they do: Self-service cloud environments Why we are watching them: env0 wants to extend Infrastructure as Code capabilities by allowing teams to manage their own environments, governed by their own policies with complete visibility and cost management.

What they do: Machine learning Why we are watching them: Spell handles the infrastructure aspects of machine learning, which makes it easier for users to start machine learning projects, get results faster, and be more organized and safer than if they had to manage infrastructure on their own.

Netlify

Stateless

What do they do: Machine learning Why we are watching them: Tecton wants to make machine learning accessible to everyone. It features an enterprise-ready data platform for developing and deploying high-quality features, building accurate training data sets, monitoring production features, and the ability to share, discover and re-use features across the organization.

What they do: Modern static web development Why we are watching them: Netlify coined the term Jamstack, which stands for JavaScript, API, and markup. The Jamstack process aims to provide faster, more accessible, more maintainable and globally available websites and apps.

What they do: Network connectivity Why we are watching them: Stateless network connectivity technology is designed to simplify how businesses access remote IT services and and costeffectively use computing resources.

Nuweba What they do: Serverless computing Why we are watching them: Nuweba is a Function-as-a-Service platform provider with a mission to make serverless technology 10 times faster and safer.

Sleeek What they do: Software development productivity Why we are watching them: The company aims to improve software development productivity. It just released an automated code review service called Sider, which automatically detects problem areas, sends reports to team members, and improves the quality of code.

Sternum What they do: IoT Security Why we are watching them: The company says it is taking a different approach to IoT security with embedded integrity verification technology (EIV). EIV puts integrity-based attack prevention directly in the deviceâ&#x20AC;&#x2122;s code and protects against remote code execution, USB socket exploitation, communication stack and protocol vulnerabilities, and OTA Update vulnerabilities.

Tidelift What they do: Managed open source Why we are watching them: Tidelift helps organizations manage, secure and maintain their open-source software as well as helps compensate open-source maintainers for their projects. The company offers a subscription-based service for offloading licensing, security and maintenance aspects of open-source components.

Transposit What they do: Automation for DevOps Why we are watching them: Transposit is a next-generation platform for DevOps teams that incorporates human-centric automation to provide better context to incidents and operations.

Symmetry Systems What they do: Data security Why we are watching them: Symmetry Systems just recently came out of stealth to help organizations protect sensitive data. Upon its launch, it released DataGuard to provide visibility into data objects across all data stores.

Vercel What they do: Front-end development Why we are watching them: Vercel wants to improve the front-end development experience for JavaScript developers by bridging the gap between development feedback and release.

012_SDT040.qxp_Layout 1 9/21/20 2:03 PM Page 12

SD Times

October 2020

www.sdtimes.com

Survey: Early VSM adopters reaping benefits BY DAVID RUBINSTEIN

Which of these Value Stream Management capabilities is In the software development industry, value stream management (VSM) is a MOST valuable to you? relatively new concept. While it’s been Value Stream Management 7% used in physical manufacturing for Actionable insights aand Other is not valuable to me decades, it’s application within software KPI tracking 10% 17% development poses unique challenges, in that the product is always changing and — in a more esoteric sense — softcontinuous delivery 15.5% Orchestrating 30.5% ware development is not linear. and release activities across So it’s not surprising that a recent many teams and tools Better visibilitty into survey on the uptake of value stream work in progresss across the software delivery ry pipeline management in development shops 12% Collection of data across found that only 29% of 238 respondents many teams and tools are either implementing or planning to 8% Clearer accountability implement value stream management. for individuals Source: D2Emerge and HCL Software Meanwhile, 33% indicated they had never even heard of the term. of value stream maturity, more than 8% are still working on DevOps fundamen“What this tells me is that this marsaid they have created a value stream tals such as CI/CD. ket is still quite new, and many organi- map in their organizations; 15% are colYet for those who are implementing zations facing application moderniza- lecting and analyzing metrics; 8% are value stream management, the VSM tion and digital transformation issues managing multiple streams; 7% are capability that is most valuable to 30% haven’t been able to put anything more eliminating waste and gaining efficien- of the respondents is better visibility on their plates right now,” said David O cy; and another 7% have clear tracing of into work in progress across the softLyman, publisher of SD Times, which value from idea to deliverable. ware delivery pipeline. Another 17% created the survey in conjunction with Because value stream management is said they derive the most value from HCL Software. “But those who have not a one-size-fits-all solution, respon- actionable insights and KPI tracking, started down the value stream manage- dents to the survey said they are facing and more than 15% said they value the ment path are finding clear benefits.” challenges in implementing the practice orchestration of continuous delivery “Thinking about it in the context of across their organizations. Of these, 47% and release activities across many teams ‘crossing the chasm,’ where you’ve got said their biggest challenge is a lack of and tools. Further, 12% said they valinnovators and early adopters — typi- experience with VSM techniques, which ued collection of data across many C cally the group to the left of the chasm were developed for physical manufac- teams and tools. — I really do feel like that’s where the turing and are now being applied to softBut visibility is only the first step in value stream management space is ware. Another 26% said they aren’t get- value stream management. “We can today,” said Steve Boone, head of prod- ting executive buy-in on the business provide visibility into where the work’s uct management, HCL DevOps Portfo- value of VSM, while 32% said they have going, but once you know, once you see, lio. “What the market needs to do is no current funding for implementing once you understand, what do you do?” show the concrete value.” Boone said. VSM tools and techniques. In early 2018, value stream manageWhen asked how they stand in terms Interestingly, another 31% said they ment was a zero-dollar market, and some analyst firms did not even recognize it. What is your current understanding of the benefits Today, it is projected to be a $500 million of value stream management? market by 2025. Boone believes the ben33% Never heard of it efits will drive growth, but more is needed today. “That’s where as an industry, 28% I’ve heard of it, but don’t plan to implement it within my organizattion with education, best practices, having independent groups that aren’t software 19% I have plans to implement it within my organization g vendors, [we need to] be able to educate people and teach them what to make of 14% I currently practice Value Stream Management the data they’re seeing and do something meaningful with it. That’s how we’re 6% I’m aan expert in Value Stream Management and teach others how to implement it going to make that transformation.” z Source: D2Emerge and HCL Software

Full Page Ads_SDT040.qxp_Layout 1 9/18/20 3:52 PM Page 13

014-15_SDT040.qxp_Layout 1 9/21/20 10:58 AM Page 14

Talk yourself into an SD Times

October 2020

www.sdtimes.com

BY JEFFREY SCHWARTZ

OpenAI says it is backlogged with a waitlist of prospective testers seeking to assess if the first private beta of its GPT-3 natural language programming (NLP) tool really can push the boundaries of artificial intelligence (AI). Since making the GPT-3 beta available in June as an API to those who go through OpenAI’s vetting process, it has

certainly disconcerting to have GPT-3 produce a plausible-looking interview with me. GPT-3 seems to be closer to passing the Turing test than any other system to date (although “closer” does not mean “close”).” Another early tester of GPT-3, Arram Sabeti, was also impressed. Sabeti, an investor who is chairman of ZeroCater, a company that provides catering services

OpenAI’s plan to commercialize GPT-3

The potential for misuse is why OpenAI chose to release it as an API rather than open sourcing the technology, the company said in a FAQ. “The API model allows us to more easily respond to misuse of the technology,” the company explained. “Since it is hard to predict the downstream use cases of our models, it feels inherently safer to release

OpenAI seeks to push the boundaries of natural language processing

generated considerable buzz. GPT-3 is the latest iteration of OpenAI’s neuralnetwork-developed language model. The first to evaluate the beta include Algolia, Quizlet and Reddit, and researchers at the Middlebury Institute. Although GPT-3 is based on the same technology as its predecessor GPT-2, released last year, the new version is an exponentially larger data model. With nearly 175 billion trainable parameters, GPT-3 is 100 times larger than GPT-2. GPT-3 is 10 times larger than its closest rival, Microsoft’s Turing NLG, which has only 17 billion. Experts have described GPT-3 as the most capable language model created to date. Among them is David Chalmers, professor of Philosophy and Neural Science at New York University and codirector of NYU’s Center for Mind, Brain, and Consciousness. Chalmers underscored in a recent post that GPT3 is trained on key data models such as Common Crawl, an open repository of searchable internet data, along with a huge library of books and all of Wikipedia. Besides its scale, GPT-3 is raising eyebrows at its ability to automatically generate text rivaling what a human can write. “GPT-3 is instantly one of the most interesting and important AI systems ever produced,” Chalmers wrote. “This is not just because of its impressive conversational and writing abilities. It was

Source: Moiz Saifee, Towards Data Science

for workplaces, was among the first to get his hands on the GPT-3 API in July. “I have to say I’m blown away. It’s far more coherent than any AI language system I’ve ever tried,” Sabeti noted in a post, where he where he shared his findings. “All you have to do is write a prompt and it’ll add text it thinks would plausibly follow,” he added. “I’ve gotten it to write songs, stories, press releases, guitar tabs, interviews, essays, technical manuals. It’s hilarious and frightening. I feel like I’ve seen the future and that full AGI [artificial general intelligence] might not be too far away.” It is the “frightening” aspect that OpenAI is not taking lightly, which is why the company is taking a selective stance in vetting who can test the GPT-3 beta. In the wrong hands, GPT-3 could be the recipe for misuse. Among other things, one could use GPT-3 to create and spread propaganda on social media, now commonly called “fake news.”

them via an API and broaden access over time, rather than release an open source model where access cannot be adjusted if it turns out to have harmful applications.” OpenAI had other motives for going the API route as well. Notably, because the NLP models are so large, it takes significant expertise to develop and deploy, which makes it expensive to run. Consequently, the company is looking to make the API accessible to smaller organizations as well as larger ones. Not surprisingly, by commercializing GPT-3, OpenAI can fund ongoing research in AI, as well as continued

014-15_SDT040.qxp_Layout 1 9/21/20 10:58 AM Page 15

application? efforts to ensure it is used safely with resources to lobby for policy efforts as they arise. Ultimately, OpenAI will release a commercial version of GPT-3, although the company hasn’t announced when, or how much it will cost. OpenAI, started as a non-profit research organization in late 2015 with help from deep-pocketed founders who include Elon Musk, last year emerged into a for-profit business with a $1 billion investment from Microsoft. As part

of that investment, OpenAI runs in the Microsoft Azure cloud. The two companies recently shared the fruits of their partnership one year later. At this year’s Microsoft Build conference, held as a virtual event in May, Microsoft CTO Kevin Scott said the company has created one of the world’s largest supercomputers running in Azure.

OpenAI seeds Microsoft’s AI supercomputer in Azure Speaking during a keynote session at the Build conference, Scott said Microsoft completed its supercomputer in Azure at the end of last year, taking just six

months, according to the company. Scott said the effort will help bring these large models in reach of all software developers. Scott likened it to the automotive industry, which has used the niche highend racing use case to develop technologies such as hybrid powertrains, allwheel drive and antilocking brakes. Some of the benefits of its supercomputing capabilities, and the large ML models hosted there they enable, are significant to developers, Scott said. “This new kind of computing power is going to drive amazing benefits for the developer community, empowering previously unbelievable AI software platforms that will accelerate your projects large and small,” he said. “Just like the ubiquity of sensors and smartphones, multi-touch location, highquality cameras, accelerometers enabled an entirely new set of experiences, the output of this work is going to give developers a new platform to build new products and services.” Scott said OpenAI is conducting the most ambitious work in AI today, indicating work like GPT-3 will give developers access to very large models that were out of their reach until now. Sam Altman, OpenAI’s CEO, joined Scott in his Build keynote to explain some of the implications. Altman said OpenAI wants to build large-scale systems and see how far the company can push it. “As we do more and more advanced research and scale it up into bigger and bigger systems, we begin to make this whole new wave of tools and systems that can do things that were in the realm of science fiction only a few years ago,” Altman said. “People have been thinking for a long time about computers that can understand the world and sort of do something like thinking,” Altman added. “But now that we have those systems beginning to come to fruition, I think what we’re going to see from developers, the new products and services that can be imagined and created

www.sdtimes.com

October 2020

SD Times

are going to be incredible. I think it’s like a fundamental new piece of computing infrastructure.”

Beyond natural language As the models become a platform, Altman said OpenAI is already looking beyond just natural language. “We’re interested in trying to understand all the data in the world, so language, images, audio, and more,” he said. “The fact that the same technology can solve this very broad array of problems and understand different things in different ways, that’s the promise of these more generalized systems that can do a broad variety of tasks for a long time. And as we work with the supercomputer to scale up these models, we keep finding new tasks that the models are capable of.” Despite its promise, OpenAI and its vast network of ML models don’t close the gap on all that’s missing with AI. Boris Paskalev, co-founder and CEO of DeepCode, said GPT-3 provides models that are an order of magnitude larger than GPT-2. But he warned that developers should beware of drawing any conclusions that GPT-3 will help them automate code creation. “Using NLP to generate software code does not work for the very simple reason that software code is semantically complex,” Paskalev told SD Times. “There is absolutely no actual use for it for code synthesis or for finding issues or fixing issues. Because it’s missing that logical step that is actually embedded, or the art of software development that the engineers use when they create code, like the intent. There’s no way you can do that.” Moiz Saifee, a principal on the analytics team of Correlation Ventures, posted a similar assessment. “While GPT-3 delivers great performance on a lot of NLP tasks — word prediction, common sense reasoning — it doesn’t do equally well on everything. For instance, it doesn’t do great on things like text synthesis, some reading comprehension tasks, etc. In addition to this, it also suffers from bias in the data, which may lead the model to generate stereotyped or prejudiced content. So, there is more work to be done.” z

Full Page Ads_SDT040.qxp_Layout 1 9/18/20 3:46 PM Page 16

017_SDT040.qxp_Layout 1 9/22/20 4:00 PM Page 17

www.sdtimes.com

October 2020

SD Times

DEVOPS WATCH

Progress acquires Chef to extend DevOps and DevSecOps offerings BY JAKUB LEWKOWICZ

Progress announced that it entered into a definitive agreement to acquire Chef to provide complete infrastructure automation to build, deploy, manage and secure applications in modern multi-cloud and hybrid environments, as well as on-premises. Progress is set to acquire the company for $220 million in cash. “Chef has built a successful business, product portfolio and go-to-market strategy and we will expand and accelerate that by bringing our resources to

bear, building on the momentum Chef has established to date,” said Yogesh Gupta, the CEO of Progress. The acquisition will bolster Progress’ core offerings and enable customers to respond faster to business demands and improve efficiency. Chef’s mission is “to help the most enduring and transformative companies use technology to become fast, efficient and innovative software-driven organizations,” according to a press release. Chef’s current products include Chef Enterprise Automation Stack,

DeepFactor emerges with continuous pre-production monitoring platform BY CHRISTINA CARDOZA

Application development company DeepFactor wants to provide the missing DevOps link with the release of its continuous pre-production monitoring platform. According to the company, development teams have struggled too long with trying to combine security, performance and behavior monitoring in one solution. “Today, software developers & QA engineers focus on building & testing

In other DevOps News:

n Perforce announced the 2020.3 release of Klocwork, designed to simplify DevOps workflows. According to the company, Klocwork by Perforce expands Klocwork’s Continuous Compliance functionality with faster analysis, broader coverage, increased accuracy, and seamless integration into developer and DevOps workflows. An integral part of the solution is Klocwork’s Differential Analysis, which delivers developers fast results by analyzing only the files that changed — providing them

application functionality, but they lack visibility into the application's runtime behavior, security & performance, in dev, test and staging environments,” said Kiran Kamity, co-founder and CEO of DeepFactor. “This leads to the risk of high cost production problems that could have easily been avoided if the developers had a continuous runtime visibility platform.” DeepFactor aims to address this with its deep passive monitoring techwith the shortest analysis times, according to the company. Klocwork 2020.3 also features an improved C# and Java analysis engine with broader language support, improved accuracy, and new defect detection. n Security Compass introduced the new DevOps tool category Balanced Development Automation (BDA) in order to empower organizations to build secure digital products without compromising time to market. According to the company, development teams usually

Chef Infra, Chef InSpec, Chef Habitat, Chef Compliance and Chef Desktop. “Chef and Progress share a vision for the future of DevSecOps and Progress will provide the scale to further drive Chef’s platform forward and deliver additional value to our customers,” said Barry Crist, the CEO of Chef. “At the same time, Chef fills a need in the Progress portfolio in DevSecOps, infrastructure, application, and compliance automation that is highly complementary to its existing products. For Chef, this acquisition is our next chapter, and Progress will help enhance our growth potential, support our open-source vision, and provide broader opportunities for our customers, partners, employees and community.” z nology and application runtime intelligence engine. The platform is designed to detect potential security and performance issues as well as any unexpected and risky heavior changes between releases. “This will give developers continuous visibility into their application’s behavior, security and performance, before releasing the application into production,” said Kamity. “It’s going to shift developers from running blind to actually being runtime ready.” In addition, it features a centralized management and reporting interface; and pre-packaged integrations with DevOps life cycle management tools such as Jira, Jenkins, Slack, and GitHub. z have to choose between “fast and risk” or “slow and safe.” n Tricentis announced its continuous testing platform is now available on ServiceNow. Tricentis Test Automation for ServiceNow features continuous automation; accelerated deployments; customizable capabilities; decreased defects; and DevOps compatibility. According to the companies, by being able to test faster, developers can focus more time on business requirements and collaborating in a more agile way.

Devtech Webinar Ad.qxp_WirelessDC Ad.qxd 9/21/20 12:49 PM Page 1

presents

14 remote working mistakes killing your dev teams’ innovation and performance

FREE VIRTUAL EVENT

Wed. Oct. 7 at 12:00 Noon EST

The pace of innovation is accelerating. Yet continuous WFH diminishes software teams’ output. What can you do to increase individual — and team — performance, without burning out? Join innovation expert Nils Vesk and Devtech Group for a live session that unpacks the 14 most common mistakes affecting your team's performance. Nils will also explain how to flip these mistakes into principles that will deliver innovative, cohesive teams for years to come. Some of the mistakes that Nils will discuss include:

Nils Vesk

•Thinking that to create behavior change you need to change motivation first •Insufficiently distinguishing between people vs. process issues •Measuring outcomes, but not measuring behaviors or having process goals •Failing to use stories to drive behavioral change •Allowing assumptions to take over from fact — in team dynamics, execution, and problem-solving

Register now. Go from feeling overworked and overwhelmed to feeling confident and strategic. Experience an increase in team capacity without being a taskmaster. Register Now

https://resources.sdtimes.com/devtech-remote-working-mistakes-thatcould-be-killing-your-developers-innovative-output-and-performance

19_SDT040.qxp_Layout 1 9/21/20 11:26 AM Page 19

SOFTWARE TESTING SHOWCASE

Testing in a Complex Digital World

bout a decade ago, application testing was fairly straightforward, albeit a manual effort and somewhat of a drag on delivery. Tests cases were written, functional and UI tests were done, regression, pen and load testing would happen, and the application was deemed ‘good to go.’ Today's digital world of APIs, open-source components, mobile devices, IoT endpoints, DevOps pipelines and containers — not to mention the squeezed timelines for application delivery — render manual testing almost completely ineffective.

Yes, the testing world has evolved. We're seeing automated testing, continuous testing and security testing emerge, as well as non-traditional testing such as feature experimentation and chaos engineering advancing to keep pace with organizational demands in the digital age. This showcase is a guide to some of the companies that provide testing tools, and each comes at the issue from a different perspective. We hope you find it useful, and encourage you to reach out to these solution providers to learn more.

Full Page Ads_SDT040.qxp_Layout 1 9/18/20 3:47 PM Page 20

ULTRAFAST TEST CLOUD 18x Faster End-to-End Testing

Visual AI provides 99.9999% accurate test coverage

Render across all web & mobile screens in seconds

GET YOUR COPY OF MODERN CROSS BROWSER TESTING THROUGH VISUAL AI

appl i t ools.com/ultra f a s t

Eliminate slow & flakey tests to speed up CI/CD workflows

021_SDT040.qxp_Layout 1 9/21/20 11:48 AM Page 21

SOFTWARE TESTING

The Future of Testing is AI: Visual AI

pplications and the environments they live in continue to become more complex. While shift-left testing helps improve app quality, alone it’s not enough to ensure quality as new frameworks and tools emerge. With Applitools’ AI-powered visual testing and monitoring platform, leading companies are improving app quality, accelerating delivery cycles and reducing the time it takes to test. “Application changes occur several times a day now. These changes need to work on many browsers, devices, operating systems and different environments, so you need to do far more work in far less time,” said Gil Sever, CEO and cofounder of Applitools. “You can’t manually write and maintain all the scripts needed, so you need Visual AI to take over these rote aspects of the work.” A recent survey of 400 of Fortune 1,000 companies reveals that those organizations use an average of 30 different applications that include 94 pages which need to display correctly on six to 10 different screen sizes in six to eight different human languages. “The number of nuances ranges from 100,000 to 700,000, and the number of applications is growing 30% to 50% per year,” said Sever. “Salesforce runs 100,000 tests per day so a 10 percent false positive rate would be 10,000 instances that humans would have to analyze. Using AI, we reduce the false positive rate to 1 in a million, so it’s 99.9999% accurate.” Applitools also accelerates testing by 30 to 70 times using containers. The faster testing cycles and higher levels of testing accuracy enables UI testing to keep pace with CI/CD. Importantly, Applitools integrates with existing tools in a team’s DevOps tool chain, ensuring app quality throughout the SDLC. Examples include CI and CD servers, test automation platforms, deployment tools, monitoring tools and repositories. That way, when code is pushed to the repository, it can be tested and automatically deployed if it passes.

and visually compare them to the results with the baseline.” Applitools automatically surfaces UI issues and their root cause so they can be resolved faster. Specifically, it provides side-by-side screenshots showing the expected result and the actual result so testers don’t have to recreate the errors themselves. The baseline comparisons can be a previous version compared to the new version, such as what a page looks like on one browser or device versus another. It also reveals how a page appears given different screen resolutions.

“Application changes occur several times a day now... You can’t manually write and maintain all the scripts needed...” —Gil Sever

“We use automatic maintenance which saves a lot of time. It also keeps the [test] coverage high,” said Sever. “When you’re manually maintaining and fixing thousands of scripts, test coverage drops.” Applitools boasts nearly 100 of the Fortune Global 500 as customers including Amazon, Salesforce, Capital One, McKesson, and Sony. Four of the top seven pharmaceutical giants use Applitools to ensure that drug warnings render properly irrespective of devices and also use Applitools UI version control results as evidence of regulatory compliance. Other Applitools customers include nine of the 10 largest software companies and half of the largest U.S. banks. As more software development and testing frameworks emerge, Applitools supports them via APIs so customers can connect to them quickly and easily. Applitools also supports content management systems (CMSs) such as Adobe Experience Manager so data can flow seamlessly from the CMS to an app. Applitools users simply write the navigation script and the validation or assertion in the Applitools’ chat window.

Visual AI Manages the Rote, Error Prone Aspects of Software Testing

Attend Applitools Online Automation University, Free

Applitools proprietary Visual AI comprises a set of algorithms that analyze computer screens, including desktop and web applications, mobile apps, games and more. “Traditionally, you’d use Selenium or Appium test automation scripts to mimic a human interaction with the UI. Then, the results would be compared to the expected results to make sure everything is appearing in the right place,” said Sever. “This is what we automate with Visual AI so instead of writing hundreds of lines of code to assert and validate that everything works, you can use Applitools to test all the screen interactions

Applitools is on a mission to deliver a Next Generation Test Automation Platform through Visual AI and Ultrafast Grid. The company enables engineering teams to release high quality web and mobile apps at incredible speed at a reduced cost. Applitools also created Test Automation University, the largest educational entity of its kind, with more than 60 online courses available for free. Today more than 60,000 engineers are enrolled taking courses covering major test frameworks and languages. Learn more at Applitools.com. 3

022_SDT040.qxp_Layout 1 9/21/20 11:47 AM Page 22

SOFTWARE TESTING

Parasoft Leads Testing Innovation

he COVID-19 pandemic has caused organizations to accelerate their digital transformation strategies. Two of the major trends are supporting a remote workforce and engaging customers primarily, if not exclusively, through digital channels. Critical to employee productivity and customer experience is adequate software testing that requires a high level of automation. “Organizations are figuring out how to enable the digital side of their business to both protect existing markets and take advantage of new ones,” said Mark Lambert, VP of strategic initiatives at Parasoft. “A lot of them are leveraging lowcode platforms like Salesforce Lightning to accelerate digital transformation and their movement into the cloud.” Faced with rapidly evolving circumstances, businesses need to ensure that the software they develop, customize and deliver provides the needed functionality and meets all compliance requirements.

Low-Code Use Is Increasing Many developers originally dismissed low code as simple tools built for those who are unable to code. However, as software development and delivery cycles continued to shrink with the 2020 COVID-19 pandemic, more organizations are now using low code to become more Agile than they were before. “As organizations mature in their adoption of low code, they’re creating teams that include both citizen developers and professional developers to support the increasing scope of functionality, which tends to increase pretty quickly.” said Lambert. “It’s the job of the technical team to create building blocks that enable the less technical business developers across the organization.”

The Pandemic Is Driving Greater Test Automation Since entire white-collar workforces are now working remotely, more teams are containerizing their DevOps pipelines and pushing them into the cloud. “Test automation is the only way you can efficiently verify functionality and ensure compliance. It’s the key to unlocking Agile and DevOps,” said Lambert. “You need a robust delivery pipeline and process. Quality needs to be built into that pipeline to accelerate delivery with confidence.” Since one small code change can have a negative cascading effect across an application, other applications and use cases, organizations are figuring out how they can create a scalable test automation strategy that integrates with their ecosystem. Parasoft covers everything from code analysis and auto-

mated unit testing to automated API and UI testing. By leveraging AI and machine learning across these quality practices, Parasoft’s suite of test automation products assist developers and testers with the underlying activities.

Service Virtualization Speeds Development and Testing “When you’re connecting across different services and providers, the level of interconnectedness explodes the complexity of your test environment. You need a way to control that environment,” said Lambert. “Test automation is the only way you can efficiently verify functionality and ensure compliance.” —Mark Lambert

Service virtualization decreases the time and cost required to test due to constrained dependencies. With today’s remote work mandates, more organizations want to emulate backend system dependencies and control their functional behavior. With Parasoft service virtualization, developers and testers can create synthetic data and virtual services that behave like their real counterparts. “Like many others, one of our Canadian partners now has fully remote software development teams. Their challenge is giving teams access to systems without leveraging on-network devices,” said Lambert. “They’re rolling out service virtualization now to address this and unblock the teams.”

Why Customers Love Parasoft Parasoft continues to be recognized by industry analysts and customers as the platform of choice for testing throughout the development pipeline—from code analysis that ensures security compliance and reliability to automated unit, API, UI and load and performance testing. Parasoft integrates with open source testing frameworks like Selenium, TestNG and JUnit, providing complementary functionality that assists with the difficult tasks of creation and maintenance. “We’re recognized as a leader and visionary by Forrester and Gartner, respectively. We pride ourselves on delivering innovations that go beyond continuous testing to help clients achieve continuous quality. We’re also honored to have received the Gartner Peer Insights Customer Choice award in both 2019 and 2020, validating that we’re building products that make teams more effective,” said Lambert. Learn more at www.parasoft.com. 3

Full Page Ads_SDT040.qxp_Layout 1 9/18/20 3:47 PM Page 23

โ ข ย |ol-|; v;1ย ub|ย ฤท u;ัดb-0bัดb|ย ฤท -m7 1olrัดb-m1; -v 1o7; bv ย ub||;mฤบ โ ข 1_b;ย ; 1o7; 1oย ;u-]; |-u];|v ย b|_ ล roย ;u;7 ย mb|ฤท ฤท -m7 & |;v|bm]ฤบ โ ข !;ย v; =ย m1|bom-ัด |;v|v |o v_b=| ัด;=| ัดo-7 -m7 r;u=oul-m1; |;v|bm]ฤบ โ ข m-0ัด; 1om|bmย oย v ;m7ล |oล ;m7 -m7 bm|;]u-|bom |;v|bm] ย b|_ v;uย b1; ย bu|ย -ัดbย -|bomฤบ โ ข m|;]u-|; tย -ัดb|ย bm|o ย oย u ล rbr;ัดbm; |o vblrัดb=ย -m7 -ย |ol-|; 7;ัดbย ;uย 7;1bvbomvฤบ

PA R A S O F T.C O M | I N F O @ PA R A S O F T.C O M | 8 8 8 . 3 0 5 . 0 0 41

Full Page Ads_SDT040.qxp_Layout 1 9/18/20 3:48 PM Page 24

025_SDT040.qxp_Layout 1 9/21/20 11:49 AM Page 25

SOFTWARE TESTING

Supercharge Testing with Mobile Labs

ffective mobile app testing is even more important today than it was before COVID-19 hit. These days, mobile app experiences impact which brands and services customers choose and how productive work-from-home employees can be. To ensure the highest performance and scalability of apps ranging from enterprise productivity to games, teams serious about product quality choose Mobile Labs. “COVID-19 has accelerated the digitalization of businesses in every industry because it’s the only way for them to engage with their customers. Instead of going into physical businesses, consumers are using mobile apps to check their bank balance, apply for loan or to order fast food for curbside pickup,” said Dan McFall, president and CEO of Mobile Labs. “Before the pandemic, a lot of mobile testers were relying on the few physical devices they kept in a drawer at work. Now, they’re realizing they need access to a device cloud that provides the same interactive capabilities desktop and web developers get using virtual machines.”

Improve Mobile Test Coverage and Automation While testing an app on a wider range of devices, operating system versions and browser versions helps ensure better app experiences across more customers, most developers, testers and QA engineers say they still need to improve test coverage and the velocity of testing. While many have adopted the Appium open source automation tool, Appium can be difficult to scale and manage because, as an open source project, it’s not clear when updates will occur and the documentation leaves much to be desired. To help customers get more from their automation efforts, Mobile Labs created its own Appium server that benefits customers irrespective of whether they’re using Appium yet or not. Current Appium users benefit from improved Appium performance and reliability. They also discover it’s easier to manage and support their automation infrastructure. Those without Appium find they can start scripting immediately without downloading, installing or configuring Appium. A surprising benefit of Mobile Labs’ Appium server is the 4X or greater scalability it provides. “One of the challenges with Appium is if you try to run more than 8, 10, 12 concurrent tests, you’re going to need a lot of hardware,” said McFall. “We can increase that to 40, 48 concurrent tests running against a single server, making it easier to scale. Since it’s hard for people to go into the office and set up new hardware now, the more they can get out of what they have, the better.” What’s more, Appium users don’t have to wait for commu-

nity fixes because Mobile Labs handles them proactively. Customers facing script automation issues, which commonly arise as the result of internal skills shortages, can find intelligent scripting solutions in Mobile Labs’ partner network. Like robust software development IDEs that pinpoint coding errors, intelligent scripting solutions rapidly identify test automation script errors. “Since it’s hard for people to go into the office and set up new hardware now, the more they can get out of what they have, the better.” —Dan McFall

Test Your Way Many enterprises have Mobile Labs running on-premises behind a firewall. However, with COVID-19 remote work trends, Mobile Labs’ hosting has mushroomed. “We’ve been getting rave reviews on our hosting, so more people are starting to realize we’re not just the on-premises people,” said McFall. “In fact, we’ve seen a lot of growth in the gaming sector because of the device performance we provide.” Customers who choose Mobile Labs hosting can always move their environment on-premises at any time without fear of vendor lock-in. Teams that want to tame the chaos of testing multiple apps across multiple platforms, operating systems, and device types behind a firewall tend to choose Mobile Labs’ GigaFox Red mobile device testing cloud. Teams that need access to more devices or enhanced graphics features behind a firewall or hosted choose GigaFox Silver. Small teams or teams that are just getting started with mobile app testing can jumpstart their journey with GigaFox StarterKit. All GigaFox versions help accelerate development and continuous testing because they provide developers, testers and QA with access to the same devices. Moreover, those devices are the actual devices customers use. Another benefit of Mobile Labs is future-proof testing. Instead of purchasing new equipment because Apple just released its latest versions of iPhone, for example, customers can simply subscribe to the Mobile Labs Device Refresh Program, which allows them to swap old devices for new ones. When paired with GigaFox Red or GigaFox Silver mobile device clouds, teams can be sure they always have the devices they need to ensure the best quality user experiences. Learn more at www.mobilelabsinc.com. 3

026_SDT040.qxp_Layout 1 9/22/20 3:59 PM Page 26

SOFTWARE TESTING

Automate Mobile Testing with Kobiton

rganizations are automating more types of tests to keep pace with DevOps and CI/CD, but they all face a common challenge which is automating mobile testing. “Getting to automation is a big challenge with mobile,” said Frank Moyer, CTO at Kobiton. “It’s painful, because unlike the web world where there’s a W3C specification for HTML, in the mobile world, all of the manufacturers can render the XML however they choose. Each generates the DOM in a unique way which makes it impossible for automation engineers who need to navigate through an application to use a single selector that fits all devices.” To navigate through an app effectively, one needs to write a test automation script that can execute across the multitude of devices customers actually use. Then, hours must be spent combing through the tests to detect problems identified on the different devices. End-to-end mobile testing platform Kobiton speeds and simplifies the process so businesses can get to market faster with better quality mobile apps. “We use machine learning so manual testers and automation engineers can accomplish more in less time,” said Moyer. “All you do is run a manual session and we can automate that test across hundreds of devices. It will tell you that these two devices crashed, these three devices have performance issues or if the text on the screen wraps off the edge incorrectly on these four devices so you need to address those issues.” With Kobiton, test automation scripts can be created and executed orders of magnitude faster, which speeds value delivery, improves product quality and boosts ROI. For example, one Kobiton customer spent 18 months automating mobile tests. The same scope of work can now be completed in just three weeks. Kobiton Intelligent Test Automation integrates with defect tracking systems so defects can be created in context. Best of all, the entire flow is seamless from manual test creation to test automation to defect identification and remediation. Kobiton remembers all of it so customers can benefit from regressions between one release and the next.

Kobiton Alleviates Pain Points A recent Kobiton survey of 350+ mobile developers and software testers reveals that although 55% said automation would improve software quality, 76% are automating fewer than half of all software tests. About half (51%) are releasing software updates daily or weekly, but 73% are running at least 100 manual tests before each software release. Although test automation is a mature concept, 58% said

their automation programs are either new or at least six months away from beginning. The biggest barriers to achieving automation are evaluating and choosing test automation tools (20%) and training and acquiring skilled automation engineers (17%). Seven in 10 said they recognize mobile is strategic or critical to their business. With Kobiton Intelligent Test Automation, those same professionals could create functional test scripts that provide the quickest path to mobile automation at scale. Because Kobiton fully supports a variety of assertions, test scripts can be as simple as checking an app’s layout or as complicated as performing complex functional logic tests. “In the mobile world, all of the manufacturers can render the XML however they choose.” —Frank Moyer

Importantly, organizations can deliver better mobile experiences by testing on real devices, in the cloud or on premises, while leveraging the latest in Appium test automation for seamless test script creation. As the first and only mobile scriptless test automation platform, Kobiton accelerates testing and delivery. And, instead of choosing between on-premises devices or devices in a test lab, Kobiton allows customers to take advantage of both to achieve truly hybrid mobile testing.

Mobile Test Automation Just Got Simpler Kobiton recently announced it is taking mobile test automation to an entirely new level. As of the latest release, Kobiton Intelligent Test Automation generates 100% open standard Appium code which can be customized, run on a competing device testing platform or integrated into a DevOps process. Manual testers and automation engineers are able to run a manual session on a specific device, such as an iPhone X, and within 20 minutes export the fully-functioning Appium script which is capable of running on more than 350 different devices. Companies using other device clouds, such as SauceLabs, BrowserStack, and Perfecto, can simply point Kobiton at those environments. The result is higher levels of test automation with minimal time and effort. “Organizations want to accelerate their digital app initiatives. To do that, they need a complete mobile experience platform that’s flexible and easy to use,” said Moyer. Learn more at www.kobiton.com. 3

Full Page Ads_SDT040.qxp_Layout 1 9/18/20 3:48 PM Page 27

Full Page Ads_SDT040.qxp_Layout 1 9/21/20 4:41 PM Page 28

A Faster Pentest that integrates with your devops workflow Cobalt offers on-demand Pentest as a Service for agile software development. Be up and running in 24 hours. Get real-time visibility into tester findings. Use Slack and Jira for easy communication.

029_SDT040.qxp_Layout 1 9/21/20 12:11 PM Page 29

SOFTWARE TESTING

Fix Penetration Testing Finds Faster

f you want to know whether your code is truly secure, it needs to be penetration (pen) tested. White hat pentesters can identify application vulnerabilities before bad actors exploit them, leaving you to remediate bugs proactively. Traditionally, developers and pentesters have both suffered from a lack of direct communication because, among things, pentesting is too slow for the fast-moving world of DevOps. Cybersecurity startup Cobalt bridges the gap with a “pentesting as a service” (PtaaS) platform and talent community that connects developers directly with pentesters. And, the platform integrates seamlessly with Jira, Github and Slack so developers can get the information from familiar tools. “Penetration testing is used as a gate by Waterfall teams. With DevOps, gating doesn’t work because it would disrupt the delivery cycle when delivery cycles are accelerating,” said Caroline Wong, chief strategy officer at Cobalt. “You need to integrate pentesting into the DevOps workflow.” Although today’s organizations are automating as much security testing as possible, there are entire classes of security vulnerabilities that go undetected when using automated methods alone, such as business logic bypasses, race conditions and change exploits. With Cobalt, pentesting becomes part of the DevOps pipeline. Better still, highly skilled pentesters are available on demand.

Cobalt Helps Secure Code Traditionally, when a pentest is completed, the testers provide a PDF report. The security team forwards the PDF to the engineering teams, usually without providing guidance or prioritizing the findings. “If developers are just getting a piece of paper with a bunch of problems and told to go fix them, you can’t blame them for ignoring the email altogether,” said Wong. “Security teams haven’t attempted to learn about the engineering workflows, let alone integrate security requests with those workflows. So, there’s no obvious channel for developers to ask security or pentesters how to resolve issues or even to clarify what the issues are.” Also, in a traditional workflow, pentests tend to be a oneoff engagement with little-to-no collaboration between developers and testers. In today’s increasingly digital world, DevOps and DevSecOps teams can’t afford to sacrifice security for application delivery speed. “DevOps and DevSecOps both rely on collaboration and communication. Developers should be able to collaborate with security and pentesters as easily as they communicate

with IT ops,” said Wong. “When that happens, pentesters can better understand the context, such as the application’s use cases. Conversely, developers can ask questions about the found vulnerabilities.” With Cobalt, developers can engage pentesters directly, on demand. That way, developers can ensure the timely retesting of their code and they deliver the code into production with a higher level of confidence because they know that the vulner-

“What might look like a high-severity risk to a pentester may be a lower priority to the business.” —Caroline Wong

abilities have been remediated. Similarly, developers can use Cobalt to get guidance from the security team about how the vulnerabilities should be prioritized.

A Dynamic PtaaS Approach Jira, Github and Slack are staples for Agile and DevOps teams. Cobalt integrates with all three so developers can get the information they need without launching yet another environment or application. Cobalt now also includes data analytics, which provide additional insights about what’s causing vulnerabilities and whether they were successfully remediated. “If you’re still relying on PDFs, there’s no way to bring the metadata together to gain insights and learnings,” said Wong. “With Cobalt, you can compare your approach and results with what others have done or see how one pentest compares to the other tests in your pentest program.” The Cobalt platform includes a SaaS-enabled global marketplace that connects pentest talent with DevOps and DevSecOps teams on demand. That way, more vulnerabilities can be identified, prioritized and remediated faster. “Pentesters and developers don’t always have the full picture, so what might look like a high-severity risk to a pentester may be a lower priority to the business because they lack context,” said Wong. “By communicating with security and engineering teams, pentesters are able to assign a more appropriate risk rating and level of criticality.” DevOps and DevSecOps teams can leverage Cobalt and its marketplace using a single account simply by sharing credits. Yet each team can get access to pentesters as needed without waiting for an intermediary. Learn more at Cobalt.io. 3

030-31_SDT040.qxp_Layout 1 9/21/20 1:58 PM Page 30

SOFTWARE TESTING

Featured Companies n Applitools is on a mission to help test automation, DevOps, and software engineering teams release mobile and web apps that are visually perfect. The company provides the only commercial-grade, visual AI-based test cloud that instantly validates any application’s user interface in a fully automated manner, across all customer engagement points and digital platforms – using its groundbreaking image-processing stack, developed from scratch in-house. n Cobalt.io offers a modern application security plat-

form as a service that supports a complete find-to-fix workflow for all your pentesting and vulnerability assessments throughout your organization. Cobalt Pentests are on-demand hacker-powered penetration tests performed by a certified pentester. When a program is launched you will receive vulnerability reports on Cobalt Central, your own application security inbox. Assign reports to your team members via your preferred workflow, such as Jira or Github. Clear up questions quickly by asking pentesters directly on Cobalt Central, and ensure that your security is hardened as efficiently as possible. n Kobiton is a powerful mobile device cloud that allows companies to manage the devices they own and access real public cloud devices for efficient, comprehensive test coverage. Simple to use, easy to access from anywhere, and highly flexible, Kobiton minimizes costs while increasing productivity, so businesses can get apps to market sooner.

n Applause is the worldwide leader in digital quality and crowdtesting. Software is

at the heart of how all brands engage users, and digital experiences must work flawlessly everywhere. With highly-vetted testers available on-demand around the globe, Applause provides brands with a full suite of testing and feedback capabilities.

n AutonomIQ can discover, ingest, and transform English language artifacts into

immediately executable, shareable and manageable Test Scripts. Using deep-learning and AI algorithms, AutonomIQ detects natural language documents and changes, automates and enables self-healing, and provides advanced diagnostics. In real world situations, AutonomIQ has been shown to provide ~90% improvement in speed and quality compared to existing tools and techniques.

n CA, a Broadcom Company: CA offers next-generation, integrated continu-

ous testing solutions that automate the most difficult testing activities – from requirements engineering through test design automation, service virtualization and intelligent orchestration. Built on end-to-end integrations and open source, Broadcom’s comprehensive solutions help organizations eliminate testing bottlenecks impacting their DevOps and continuous delivery practices to test at the speed of agile, and build better apps, faster.

n Eggplant helps organizations put users at the center of software testing to cre-

ate amazing digital experiences that drive user adoption, conversion, and retention. Its Digital Automation Intelligence Suite interacts with software exactly like a real user to test the true user experience, and auto-generates tests at the UI and API level for greater productivity. Eggplant solutions enable customers to test the full user experience, including performance and usability, managing the test environment and orchestrating large-scale test execution, and generating predictive analytics to understand the impact of a change on users across a wide range of operating systems and platforms.

n Froglogic is well-known for its automated testing suite Squish with its flagship product Squish GUI Tester, the market- leading automated testing tool for GUI applications based on a wide variety of languages, operating systems and web browsers. In addition, froglogic offers the professional, crossplatform C, C++, C# and Tcl code analysis tool Coco Code Coverage.

n Mobile Labs remains the leading supplier of in-

n Functionalize is a cloud-based autonomous testing solution uses AI and ML to

house mobile device clouds that connect remote, shared devices to Global 2000 mobile web, gaming, and app engineering teams. Its patented GigaFox is offered onpremises or hosted, and solves mobile device sharing and management challenges during development, debugging, manual testing, and automated testing. A pre-installed and pre-configured Appium server provides “instant on” Appium test automation.

n HPE Software’s automated testing solutions simplify software testing within

n Parasoft’s software testing tool suite automates

time-consuming testing tasks for developers and testers, and helps managers and team leaders pinpoint priorities. With solutions that are easy to use, adopt, and scale, Parasoft’s software testing tools fit right into your existing toolchain and shrink testing time with next-level efficiency, augmented with AI. Parasoft users are able to succeed in today’s most strategic development initiatives, to capture new growth opportunities and meet the growing expectations of consumer demands.

provide intelligent test automation. Its Adaptive Language Processing (ALP) converts test plans written in plain English into fully functional test scripts. It can even use the output of your test management system. With autonomous testing, you now have an intelligent test agent (ITA) supercharging the work of your test and DevOps teams. This ITA is the perfect regression tester – focused, tireless, and driven, but still intelligent. Functionalize turns testing into a competitive advantage when it matters the most – getting to market faster while ensuring higher customer satisfaction.

fast-moving agile teams and for Continuous Integration scenarios. Integrated with DevOps tools and ALM solutions, HPE automated testing solutions keep quality at the center of today’s modern applications and hybrid infrastructures.

n IBM: Quality is essential and the combination of automated testing and service vir-

tualization from IBM Rational Test Workbench allows teams to assess their software throughout their delivery lifecycle. IBM has a market leading solution for the continuous testing of end-toend scenarios covering mobile, cloud, cognitive, mainframe and more.

n mabl is the most reliable codeless UI testing service available. mabl enables con-

tinuous testing with an auto-healing automation framework and maintenance-free test infrastructure. mabl advances traditional UI testing using proprietary machine learning models to automatically identify application issues, including JavaScript

030-31_SDT040.qxp_Layout 1 9/21/20 2:02 PM Page 31

errors, visual regressions, broken links, increased latency, and more.

can boost their test portfolio with crossbrowser testing in the cloud.

n Micro Focus is a leading global enterprise

n ProdPerfect fully automates the

software company with a world-class testing portfolio that helps customers accelerate their application delivery and ensure quality and security at every stage of the application lifecycle – from the first backlog item to the user experience in production. Simplifying functional, mobile, performance and application security within fast-moving Agile teams and for DevOps, Micro Focus testing solutions keep quality at the center of today’s modern applications and hybrid infrastructures with an integrated end-toend application lifecycle management solution that is built for any methodology, technology and delivery model.

development and maintenance of browser-level testing using live user data. ProdPerfect analyzes your web traffic to create aggregated flows of common user behavior, which is built into an end-to-end testing suite that is maintained and expanded over time, which kicks off automatically from CI.

n Microsoft provides a specialized tool set for

testers that delivers an integrated experience starting from agile planning to test and release management, on-premises or in the cloud. n NowSecure is the mobile app security soft-

ware company trusted by the world’s most demanding organizations. Only the NowSecure Platform delivers fully automated mobile app security and privacy testing with the speed, accuracy, and efficiency necessary for Agile and DevSecOps environments. Through the industry’s most advanced static, dynamic, behavioral and interactive mobile app security testing on real Android and iOS devices, NowSecure identifies the broadest array of security threats, compliance gaps and privacy issues in custom-developed, commercial, and business-critical mobile apps. NowSecure customers can choose automated software on-premises or in the cloud, expert professional penetration testing and managed services, or a combination of all as needed. NowSecure offers the fastest path to deeper mobile app security and privacy testing and certification.

n Orasi is a leading provider of software testing

services, utilizing test management, test automation, enterprise testing, Continuous Delivery, monitoring, and mobile testing technology.

n Perfecto offers a cloud-based continuous

testing platform that takes mobile and web testing to the next level. It features a continuous quality lab with smart self-healing capabilities; test authoring, management, validations and debugging of even advanced and hard-to-test businesses scenarios; text execution simulations; and smart analysis. For mobile testing, users can test against more than 3,000 real devices, and web developers

n Progress: Telerik Test Studio is a test

automation solution that helps teams be more efficient in functional, performance and load testing, improving test coverage and reducing the number of bugs that slip into production.

n QASymphony’s qTest is a Test Case

Management solution that integrates with popular development tools. QASymphony offers qTest eXplorer for teams doing exploratory testing.

n QMetry is a leader in test management, test

automation, and test analytics products. QMetry Intelligent Digital Quality Platform is designed for Agile & DevOps teams to build, manage & deploy quality software faster & better. QMetry has the complete agile testing solution with test management, automation, & powerful quality analytics for digital enterprises.

n Rogue Wave is the largest independent provider of cross-platform software development tools and embedded components in the world. Rogue Wave Software’s Klocwork boosts software security and creates more reliable software. With Klocwork, analyze static code on-the-fly, simplify peer code reviews, and extend the life of complex software. Thousands of customers, including the biggest brands in the automotive, mobile device, consumer electronics, medical technologies, telecom, military and aerospace sectors, make Klocwork part of their software development process. n Sauce Labs provides the world’s largest

cloud-based platform for the continuous testing of web and mobile applications. Founded by the original creator of Selenium, Sauce Labs helps companies accelerate software development cycles, improve application quality, and deploy with confidence across hundreds of browser / OS platforms, including Windows, Linux, iOS, Android & Mac OS X. Optimized for Continuous integration (CI), Continuous delivery (CD), and DevOps, the Sauce Labs platform is built to handle the most secure data from its customers.

n SmartBear provides a range of frictionless

tools to help testers and developers deliver robust test automation strategies. With powerful test planning, test creation, test data management, test execution, and test environment solutions, SmartBear is paving the way for teams to deliver automated quality at both the UI and API layer. SmartBear automation tools ensure functional, performance, and security correctness within your deployment process, integrating with tools like Jenkins, TeamCity, and more.

n SOASTA’s Digital Performance Management (DPM) Platform enables measurement, testing and improvement of digital performance. It includes five technologies: mPulse real user monitoring (RUM); the CloudTest platform for continuous load testing; TouchTest mobile functional test automation; Digital Operation Center (DOC) for a unified view of contextual intelligence accessible from any device; and Data Science Workbench, simplifying analysis of current and historical web and mobile user performance data. n Synopsys: Through its Software Integrity plat-

form, Synopsys provides a comprehensive suite of testing solutions for rapidly finding and fixing critical security vulnerabilities, quality defects, and compliance issues throughout the SDLC.

n TechExcel: DevTest is a sophisticated quality-management solution used by development and QA teams of all sizes to manage every aspect of their testing processes.

n TestRigor is an automated regression testing tool that allows VPs of Engineering and Directors of QA improve test coverage to 100%, speed up testing schedules by at least four weeks, and increase team productivity by up to 210% – all for less than their entire outsourced QA department.

n Tricentis is recognized by both Forrester and

Gartner as a leader in software test automation, functional testing, and continuous testing. Our integrated software testing solution, Tricentis Tosca, provides a unique Model-based Test Automation and Test Case Design approach to functional test automation – encompassing risk-based testing, test data management and provisioning, service virtualization, API testing and more. 3

032-35_SDT040.qxp_Layout 1 9/21/20 12:14 PM Page 32

SD Times

October 2020

www.sdtimes.com

How API management can fuel your digital business BY CHRISTINA CARDOZA

hile APIs are the building blocks of digital transformation, a recent survey found that API management solutions are not part of everyone’s digital strategies. SmartBear’s 2020 State of API Report found 24% of respondents aren’t using an API management tool. This is worrisome because in order for APIs to drive businesses forward, they need to be properly maintained and managed, according to Randy Heffner, an analyst at the research firm Forrester. “By opening access to digital business capabilities, APIs drive agility to optimize customer experiences, create dynamic digital ecosystems, achieve operational excellence, and build platform business models,” he wrote in the Forrester Wave: API Management Solutions, Q3 2020. But businesses need a formal way to create, secure, manage, and optimize APIs at scale, in addition to making sure all stakeholders have access to the tools and information necessary to do their jobs. What is stopping organizations from adopting an API management solution is a misunderstanding of what it can do for the business. According to Heffner, organizations sometimes look at API management solutions as something that can help people sign up or adopt their APIs as well as just something that provides security for their APIs. “It isn’t less than that, but it is much more than that,” he said. “The first way to think about an API management solution is as a business application for managing relationships between API users and API providers. It’s much more than just

Buyers Guide this technical thing to help people subscribe to APIs.” He explained that an API management solution is crucial when your API users are organizations. An organization can be doing 12 different things with your API with 12 different teams, so there needs to be a way to manage identities and access, and a way to let users leverage documentation and testing processes. “APIs can be used in so many different ways. You have to put context around them before you can say how they add value,” said Heffner. “What’s the ROI of APIs? That’s like asking what’s the ROI of nuts and bolts.” As organizations start to realize the important of API management solutions and as vendors start to invest in more features to meet the needs of cloud-native, modern architectures,

Heffner sees a few trends taking the space to the next level.

Beyond REST API management solutions are starting to move beyond REST. According to Heffner, REST was and still is a popular API format because it is supported across the entire web/Internet landscape, but at the root of REST it is just a “request-reply type of message exchange pattern,” and today’s solutions are event-based, data-oriented and include exchange patterns. Forrester refers to this as digital bonding, which encompasses a broader array of interaction models. For instance, webhooks, SOAP and GraphQL are becoming top architectural style choices. “We are seeing more openness to a broader way of thinking about what the scope of an API management solution should be

032-35_SDT040.qxp_Layout 1 9/21/20 12:15 PM Page 33

www.sdtimes.com

just from a technology point of view,” said Heffner. Vendors are starting to put more investment into the way their developer portals are provided with better ability to manage APIs, have different teams use APIs and provide life cycle management. Heffner sometimes sees users having to go off and build their own portals or solutions because tool providers aren’t providing enough. In the State of API report, it found that 16% were using an API management tool built in-house. Vendors are now trying to figure out how to provide a portal that includes configurability options and let users go a good distance with it. And lastly, there is a bigger push to understand how microservices and APIs work together. Heffner noted that organizations usually define and treat

microservices and APIs as the same thing, but microservices are a deployment approach while APIs are an access approach. The two go together, but they are different things. The State of API Report found that 65% of respondents believe microservices will drive the most API growth over the next couple of years. As service meshes become more popular and advanced, vendors will need to figure out how to include microservices, containers, and service mesh environments as different options and architectures.

What to look for in an API management tool According to Heffner, users should align their API management solution with their API strategy. For instance, do they need richer features and more coverage, or a simple strategy with a high level of customization?

October 2020

SD Times

The higher-end solutions will provide a breadth of capabilities and features, but organizations might find that a lower-end solution works better because it gives them basic capabilities they need and don’t have to build from the ground up, but also allows them to add in their own custom features. Other considerations when looking at an API management solution include how it supports governance and API user engagement needs, and if it supports a cohesive API design process. “The central role of an API management solution is to manage relationships between API providers and API users, whether inside or across enterprise boundaries. APIs have widely varying use cases, governance styles, business models, and delivery processes, resulting in a wide array of breadth and depth in API management solution feature-function,” Heffner wrote in the Forrester Wave on API Management solutions. The most popular features offered by API management vendors include: l A developer portal: which allows developers to discover, explore, purchase and test APIs as well as supports developer onboarding and collaboration l API gateways: to secure and manage the traffic between clients and back ends or between APIs and developers, customers, partners or employees l API catalog: that gives users a full view of their API landscape including which assets are available and ready for reuse. An API catalog also can help users view dependencies and analyze changes. l API life cycle management: where developers can design, develop, publish, deploy and version APIs l API policy and security: such as encryption, schema validation, signatures, threat protection, and PII protection l Monetization: capabilities that allow users to package, price and publish APIs for others to access l Analytics: that allow all stakeholders in an organization to view and manage all aspects of their APIs and API programs. z

032-35_SDT040.qxp_Layout 1 9/21/20 12:15 PM Page 34

SD Times

October 2020

www.sdtimes.com

A guide to API management solutions n Akana by Perforce provides an end-toend API management solution for designing, implementing, securing, managing, monitoring, and publishing APIs. Ranked by Forrester as a leader in API management and the top vendor for API security, Akana has proven tools to take your APIs from strategy and design to deployment and optimization. The Akana API Platform helps you create and publish secure, reliable APIs that are elegant, easy to consume, built the right way, and running as they should be to improve the customer experience. n Apigee is an API management platform for modernizing IT infrastructure, building microservices and managing applications. The platform was acquired by Google in 2016 and added to the Google Cloud. It includes gateway, security, analytics, developer portal, and operations capabilities. n Axway AMPLIFY API Management combines API life cycle management with agile API development for a modern and adaptable approach. The API management features enable users to create custom APIs; control access to APIs at runtime; and discover, understand and use APIs through the API manager portal. n Boomi’s API management solution provides a unified and scalable, cloud-based platform to centrally manage and enrich API interactions through their entire life cycle. With Boomi, users can rapidly configure any endpoint as an API, publish APIs onpremise or in the cloud, and manage APIs with traffic control and usage dashboards. n Broadcom: Layer7 API Management includes the industry’s most innovative solution for microservices, and provides the most trusted and complete capabilities across the API life cycle for development, orchestration, security, management, monitoring, deployment, discovery and consumption. n Cloud Elements delivers an API integration platform that allows APIs to work uniformly across hundreds of applications while sharing common data models. “Elements” unify APIs with enhanced capabilities for authentication, discovery, search, error handling and API maintenance.

“Formulas” combine those Elements to automate business processes across applications. “Virtual Data Hubs” provide a normalized view of data objects, such as “accounts” or “payments.” n IBM’s API Connect is designed for organizations looking to streamline and accelerate their journey into digital transformation; API Connect on IBM Cloud is an API lifecycle management offering that allows any organization to secure, manage and share APIs across cloud environments — including multi-cloud and hybrid environments. n Kong Enterprise, built on Kong's core open-source technology, is a cloud-native, end-to-end service connectivity platform that enables organizations to manage the full life cycle of APIs and services. Kong’s platform intelligently secures, connects and orchestrates all of a company's APIs and services, making it easy for developer teams to create scalable, microservicedriven applications that drive business growth. n Microsoft’s Azure API Management solution enables users to publish, manage, secure and analyze APIs in minutes. It features the ability to create an API gateway and developer portal quickly, ability to manage all APIs in one place, provides insights into APIs, and connects to back-end services. n MuleSoft’s Anypoint API Manager, part of its Anypoint Platform, is designed to help users manage, monitor, analyze and secure APIs in a few simple steps. The manager enables users to proxy existing services or secure APIs with an API management gateway; add or remove prebuilt or custom policies; deliver access management; provision access; and set alerts so users can respond proactively. n Nevatech Sentinet is an enterpriseclass API Management platform written in .NET that is available for on-premise, cloud and hybrid environments. It connects, mediates and manages interactions between providers and consumers of services across enterprises for businesses or end-customers. Sentinet sup-

ports industry SOAP and REST standards as well as Microsoft-specific technologies and includes an API Repository for API Governance, API versioning, auto-discovery, description, publishing and Life cycle Management. n Oracle’s API Platform Cloud Service was developed with the API-first design and governance features from the company’s acquisition of Apiary as well as Oracle’s own API management capabilities. The service provides an end-to-end method for designing, prototyping, documenting, testing and managing the proliferation of critical APIs. n Postman is the leading collaboration platform for API development, used by more than 7 million developers and 300,000+ companies worldwide. Postman allows users to design, mock, debug, test, document, monitor, and publish APIs — all from one place. Postman’s native apps for macOS, Windows, and Linux provide advanced features and a variety of tools that can be used to extend Postman including Newman, Postman’s commandline tool, the Postman API, the API Network, and integrations. n Red Hat Integration is an agile, distributed, containerized, and API-centric solution. According to the company, it provides service composition and orchestration, application connectivity and data transformation, real-time message streaming, change data capture, and API management. Other features include: over 200 pluggable connectors; ability to create, deploy, monitor and control APIs; a container-native infrastructure; real-time messaging, data capture and state streaming; and self-service for business users. n SmartBear Software empowers users to thrive in the API economy with tools to accelerate every phase of the API lifecycle. SmartBear is behind some of the biggest names in the API market, including Swagger, SoapUI and ServiceV. With Swagger’s easy-to-use API development tools, SoapUI’s automated testing proficiency, AlertSite’s API-monitoring and ServiceV’s mocking and virtualization capabilities, users can build, test, share

032-35_SDT040.qxp_Layout 1 9/21/20 12:15 PM Page 35

www.sdtimes.com

October 2020

SD Times

and manage the best performing APIs. n SnapLogic Lifecycle API Management is an end-to-end solution designed for managing, scaling and controlling API consumption quickly, seamlessly and securely. Features include request/response transformations, API traffic control and productization, OAuth2 authentication support, advanced API analytics, threat detection, and the developer portal. n Software AG: The webMethods API management solution provides end-toend API management capabilities for accelerating API programs and building an API ecosystem. It enables users to create and publish to the web; to use, access, govern and provide feedback on APIs; and manage and monitor the full life cycle. Features include an API catalog, gateway, consumption capabilities, and portal. The company also provides a cloud version for securing, managing and exposing APIs. n TIBCO Cloud Mashery is a cloud-native API management platform that can be deployed anywhere, either as a SaaS service or containerized in cloud-native and on-premise environments. Mashery delivers market-leading full life cycle API management capabilities for enterprises adopting cloud-native development and deployment practices, such as DevOps, microservices, and containers. Its capabilities include API creation, productization, security, and analytics of an API program and community of developers. n Tyk Technologies offers an API gateway, API management platform, an API portal as well as analytics. The API gateway helps users manage and secure API transactions as well as access control and expose REST endpoints. The API dashboard allows users to design, maintain, manage, promote and protect APIs as well as get a handle on the whole API life cycle in one glance. n WSO2 API Manager is an open-source hybrid API management platform that can be run anywhere. It includes a cloudnative API gateway and provides a Kubernetes operator for converting raw microservices into managed APIs. In addition, it integrates with service meshes and provides a management plane and control plane for managing, monitoring and monetizing APIs and API products. z

How organizations are using APIs to take their business to the next level After seeing success with its global API partners, the local, national and global weather forecast provider AccuWeather decided it wanted to branch out to new customers — individual developers. In order to do this, the organization needed to tailor its offering to meet the range of needs from developers and monetize those needs. According to the company, an API management solution was able to offer different levels of API offerings; provide flexible billing for API usage; provide a self-service portal for developers to develop; purchase or build APIs; and gain analytics that helped its team understand traffic patterns and how users view weather data. “A single developer always has the potential to be working on the next big thing and become our next big enterprise partner. We needed a way to reach them,” said Mark Iannelli, senior technical account manager at AccuWeather. Within two months of launching its developer portal, the company says it saw more than 6,500 new users sign up; about 2,500 users that created API keys; and 60 users that purchased one of its API packages. Beachbody is a home exercise and dietary supplement provider that needed new ways to increase its speed and agility as well as manage its over 400 enterprise APIs. “The digital transformation initiative at Beachbody is about consolidating and creating one common platform that can meet the needs of our direct response business, supplement line, our digital customers as well as our coaches,” said Michael Lee, vice president of engineering at Beachbody. “We see thousands of API transactions per day either from the ecommerce pieces, from our content API to our ecommerce API to registration and identity validation.” After rearchitecting its platform, the company realized that it couldn’t handle its API traffic alone and turned to API management solutions to help internal and external developers create APIs and secure development. Through API gateways, Lee said they were able to address developer concerns and move them into a more central location. Additionally, the API management solution’s portal was able to provide the security, documentation and presentation layer necessary to be successful. “All of these things help us build a lively, evergreen API ecosystem that is going to be easy to consume for both external and internal developers at Beachbody,” said Lee. PermataBank, a leading Indonesia bank, began a digital and IT modernization transformation three years ago in order to catch up to competitors in the digital banking space and meet the demands of its customers who expected faster and better technology solutions. Previously, PermataBank was made up of legacy systems in dire need of an overhaul. To modernize and re-architect its platform, the bank focused on digital self-service channels and was able to expose products and services to partners outside the bank through the use of APIs. According to the bank, with the help of APIs, it was able to increase its account acquisition by 375%, and saw a 275% CAGR growth in transaction volume. With the use of APIs, the bank also has been able to implement mobile banking, roll out digital capabilities, and use APIs to power new products and services. As a result, it has entered new markets, extended its customer based and increased the size of its transactions. “APIs are becoming a core part of our business now because the digital economy is progressing well in Indonesia. We have more than 1,000 partners using our services already, and have 150 APIs published that anyone can use, but we are just getting started,” said Abdy Salimin, CIO and director of technology and operations for PermataBank. “There are a lot more services in the area of supply chain, payments.” z

036_SDT040.qxp_Layout 1 9/18/20 3:53 PM Page 36

SD Times

October 2020

www.sdtimes.com

Guest View BY RICHA ROY

Use ‘EI’ before ‘AI’ in process change Richa Roy leads the Business Analysis team at Municipal Securities Rulemaking Board (MSRB).

rocess change is more about people than process; at least until processes can be fully automated. So, when considering process improvement or process automation as RPA becomes more mainstream; do not ignore the people aspect of processes. Think about emotional intelligence before artificial intelligence. The term “Emotional Intelligence” was popularized by researchers Peter Salovey and John Mayer, and they describe it as a “form of social intelligence that involves the ability to monitor one’s own and others’ feelings and emotions, to discriminate among them, and to use this information to guide one’s thinking and action.” When taking on the task of process improvement, it is critical to monitor others’ feelings and emotions, and equally critical to guide your thinking and actions based on information gathered from monitoring others’ emotions.

Sometimes processes look one way on paper but are executed differently in person.

If it ain’t broke, don’t fix it

If you are the only one seeing the problem in the process but people are not complaining about it, there is a high probability that it is working fine and maybe you do not have complete knowledge of the process. When selecting the process to be improved you would want to be extra careful, first and foremost, to understand the current process in its entirety. Sometimes processes look one way on paper but are executed differently in person. What seems broken on paper may very well be working flawlessly in reality. The reason being, as people run the processes, they make tweaks knowingly or lazily, but these changes are not reflected in the documentation. Often shadowing the person running the process will give you the most current and upto-date process. Once you have identified the process that needs to be improved, make a list of people that may be directly or indirectly associated with that process. Questions you may ask to come up with the list of people to be involved, informed, or educated: • Who runs the process? • Who is the backup? • How often is the process run? • What department owns the process?

• What departments are directly or indirectly impacted by this process? Do not forget the person who came up with this process to begin with; let’s call him Joe. Joe may have moved on to another department, but old-timers in the organization still go to Joe to ask questions about the process. Joe must be on your list. Your biggest stakeholder is the person who runs the process. Plan for how often you will keep them engaged and create a cadence of communication. Listen to all their ideas, incorporate them into your plan.

‘Muscle’ over ‘whining’ In addition to the person who is running the process, use your list to identify people with muscle and whining power. Small and medium organizations are, on one hand, more flat, democratic, more aware of “squeaky wheel staff,” and on the other hand are very hierarchical when it comes to bringing changes. It is important to understand the lay of the land and the politics of the company. Muscle power comes from educating people on what is not working or less efficient, how will you fix it, and why the new process will be more efficient. These are the people who will help you during the adoption of the process. Whining power comes from the fact that some individuals are well-known squeaky wheels within the organization; they will object to any change. The whiners cannot be ignored, and they cannot be satisfied. You can, though, give them an opportunity to whine early on, so when you launch the process there will not be much disruption from whiners.

Frameworks can only take you so far Lastly, there are plenty of process improvement frameworks (PDCA, Lean Management, Lean Six Sigma, Total Quality Management, Agile Management, Just-In-Time, etc) available to choose from. A process management framework will provide you with the structured approach for changes you want to bring in. However, frameworks can only take you so far in absence of consensus, support, and adoption from people. z

037_SDT040.qxp_Layout 1 9/21/20 1:57 PM Page 37

www.sdtimes.com

October 2020

SD Times

Analyst View BY ARUN CHANDRASEKARAN

Some FAQs on serverless computing S

erverless computing is a next-generation technology that enables agility, elasticity and cost-effectiveness when applied to appropriate use cases. It is redefining the way enterprises build, consume and integrate cloud-native applications. However, the term “serverless computing” is a misnomer: The technology eliminates the need for infrastructure provisioning and management, but certainly does not eliminate the need for servers. It is not surprising, then, that market confusion still exists on what serverless computing is and the benefits of adopting it within an enterprise. Here are some of the most frequently asked questions about serverless computing. What is serverless computing? Serverless computing is a new way of building or running applications and services without having to manage the infrastructure itself. Instead, code execution is fully managed by a cloud service provider. This means that developers don’t have to bother with provisioning and maintaining system and application infrastructure when deploying code. The most prominent manifestation of serverless is function platform as a service, or fPaaS. What is the value of serverless computing? Serverless computing enables operational simplicity by removing the need for infrastructure setup, configuration, provisioning and management. Serverless computing architectures require less overhead compared to those in which developers target the virtual machines (VMs) or containers directly. Most importantly, serverless architectures enable developers to focus on what they should be doing — writing code and optimizing application design — making way for business agility and digital experimentation. The benefits of serverless computing must be balanced against its drawbacks, including vendorlock in, inevitable skills gaps and other architectural limitations. What are the key capabilities of serverless computing? l Runs code residing as functions without the need for the user to explicitly provision or manage infrastructure such as servers, VMs and containers l Automatically provisions and scales the runtime environment, including all the necessary underlying resources (specifically the compute, storage, network-

ing and language execution environment) required to execute many concurrent function instances l Offers additional capabilities for test and development environments along with monitoring, logging, tracing and debugging How does serverless computing differ from other virtualization technologies? VMs, containers and serverless functions have a few fundamental differences. Hypervisors virtualize the hardware and scale via VMs, while containers virtualize the operating system (OS). Serverless fPaaS virtualizes the runtime and scales via functions. How can my organization take advantage of serverless fPaaS? Being “ready” for serverless fPaaS means considering three aspects of the organization. The first is application development: Since operations are farther removed from visibility with serverless fPaaS, place developers and operators closer together — even on the same team — so they can share close responsibility for the development and maintenance of a software product throughout its entire life cycle. The second is security and risk: The biggest change that security and risk management leaders will have to adjust to is that they no longer own or control the OS, hypervisor, container and application runtime. The third is I&O: Serverless technologies do not make other forms of infrastructure (physical machines, containers) obsolete. Most organizations will need a mix of these over time, so it’s critical for I&O leaders to rethink IT operations, from infrastructure management to application governance. What lessons learned have we seen from early adopters of serverless? IT leaders can shorten the learning curve and time to adoption by starting training on the general cloud infrastructure as a service (IaaS)/platform as a service (PaaS) environment and adopting a DevOps culture. Learning the security and technical aspects of serverless deployments is paramount, so build a proof of concept to validate assumptions about the serverless application design, code, scalability, performance and cost of ownership. z

Arun Chandrasekaran is a Distinguished Research Vice President at Gartner.

Serverless architectures enable developers to focus on what they should be doing.

038_SDT040.qxp_Layout 1 9/23/20 11:23 AM Page 38

SD Times

October 2020

www.sdtimes.com

Industry Watch BY DAVID RUBINSTEIN

Accelerating digital transformation David Rubinstein is editor-in-chief of SD Times.

he horrors of the novel coronavirus cannot be understated. As of this writing, there are 31.5 million cases of COVID-19 around the world, and 970,673 have died — closing in on the grim milestone of a million lives lost. One million lives lost. This month, we’ve seen wildfires devastate California and the American Pacific Northwest, and hurricanes submerge much of the Gulf Coast, with more storms headed their way. To those readers who have lost someone they know and love, we extend our deepest sympathies. For those who have managed to avoid infection, or the loss of life and property, keep on doing whatever it is you’re doing to stay safe. These events have driven large segments of the global workforce into isolation, as offices have closed, perhaps never to reopen. In many cases, companies that hadn’t yet begun a move towards completely digital operations have had to scramble to create environments in which their people could do their jobs and the businesses can move forward. What this has resulted in is the acceleration of ‘digital transformation,’ to use a term people seem to understand in spite of its vagueness. And this has been a boon to many providers of software, infrastructure and data platforms. We saw it in the growth of food delivery applications, in online sales — notably of cleaning products that were no longer on physical store shelves — and in information about the virus. Companies like Instacart, DoorDash and GrubHub went from little-known applications to household names. Alibaba, the China-based retailing equivalent of Amazon, saw its 2020 Q2 revenue increase to $22.7 billion as demand for goods surged amid the coronavirus breakout, according to reports. In fact, it was after the SARS virus outbreak in 2003 that Alibaba emerged as China’s leading online retailer. And, as large as that Q2 growth was, it was still four times less than its top global competitor, Amazon. To help the companies that have lagged in this

Platforms that provide security and incident remediation are the foundational cornerstones of digital transformation.

rush to digital, a number of multimillion-dollar acquisitions have been announced that will aid them in their transformation. PagerDuty, which offers digital operations management solutions, announced late last month that it will acquire Rundeck, which offers DevOps automation.The deal will merge PagerDuty’s incident response solution with Rundeck’s automated self-service workflows that have seen a 50% reduction in incident response times, which improves team productivity and helps maintain a high-level customer experience, according to the company’s announcement. As per the acquisition agreement, the purchase price is about $100 million, and is expected to close later this month. Another deal sees a company called AHEAD, which offers digital business platforms, agreeing to acquire two companies — RoundTower Technologies and Kovarus. AHEAD recently announced that a private equity firm plans to buy a major stake in AHEAD. The companies all offer managed services in the areas of data center infrastructure, converged platforms, DevOps, cloud automation and orchestration and cyber security. Their offering, the company said, enables customers to become more agile, efficient and secure — three critical components of a digital transformation. Also, software-driven security solutions provider Secureworks has complete the acquisition of Delve, a software-as-a-service provider that uses AI and ML to automate vulnerability detection. Secureworks said in a statement the deal will enable the company to pivot from detection/response to cyber-risk assessment and security validation. These kinds of platforms, which provide security and incident detection and remediation, are the foundational cornerstones of digital transformation. If any good could come from the devastation of a global pandemic, it is that businesses have not only seen but felt the impacts of a world embracing e-commerce, remote work collaboration, and online training and education. Ensuring those services can be offered securely, and with an excellent user experience, is where that transformation should begin. z

039_SDT040.qxp_Layout 1 9/18/20 3:53 PM Page 1

presents

Next year’s date:

March 10, 2021

Join your peers for a day of learning Virtual VSM DevCon is a one-day, digital conference examining the benefits of creating and managing value streams in your development organization. At Virtual VSM DevCon, you will learn how to apply value stream strategies to your development process to gain efficiencies, improve quality and cut costs.

Highlights from last year’s sessions: l

An examination of the VSM market

What exactly is value?

Slow down to speed up: Bring your whole team along on the VSM journey

Why developers reject Value Stream Management — and what to do about it

You can measure anything with VSM. That’s not the point

Who controls the flow of work?

Taught by leaders

Tying DevOps value streams to business success

on the front lines of Value Stream

Making VSM actionable

Value Stream Mapping 101

How to integrate high-quality software delivery into the Value Stream

Transitioning from project to product-aligned Value Streams

The 3 Keys to Value Stream infrastructure automation

Event

Full Page Ads_SDT016.qxp_Layout 1 9/21/18 4:14 PM Page 28

SD T Times imes News on Mond day The latest news, news analysis and commentary delivvered to your inbox!

• Reports on the newest technologies affecting enterprise deve developers elopers • Insights into the e practices and innovations reshaping softw ware development • News from softtware providers, industry consortia, open n source projects and more m

Read SD Times Ne ews On Monday to o keep up with everything happening in the software devvelopment industrry. SUB BSCRIBE TODA AY! Y!