SD Times June 2021


JUNE 2021 • VOL. 2, ISSUE 48 • $9.95 • www.sdtimes.com



Advertisement: dtSearch

Instantly Search Terabytes

dtSearch's document filters support: popular file types; emails with multilevel attachments; a wide variety of databases; web data.

Over 25 search options, including efficient multithreaded search; easy multicolor hit-highlighting; forensics options like credit card search.

Developers: SDKs for Windows, Linux, macOS; cross-platform APIs for C++, Java and .NET with .NET Standard / .NET Core; FAQs on faceted search, granular data classification, Azure, AWS and more.

Visit dtSearch.com for hundreds of reviews and case studies, and fully-functional enterprise and developer evaluations.

The Smart Choice for Text Retrieval® since 1991
dtSearch.com 1-800-IT-FINDS

www.sdtimes.com

EDITORIAL
EDITOR-IN-CHIEF David Rubinstein drubinstein@d2emerge.com
NEWS EDITOR Christina Cardoza ccardoza@d2emerge.com
SOCIAL MEDIA AND ONLINE EDITORS Jenna Sargent jsargent@d2emerge.com, Jakub Lewkowicz jlwekowicz@d2emerge.com
ART DIRECTOR Mara Leonardi mleonardi@d2emerge.com
CONTRIBUTING WRITERS Jacqueline Emigh, Lisa Morgan, Jeffrey Schwartz, George Tillmann
CONTRIBUTING ANALYSTS Enderle Group, Gartner, IDC, Intellyx

CUSTOMER SERVICE
SUBSCRIPTIONS subscriptions@d2emerge.com
ADVERTISING TRAFFIC Mara Leonardi mleonardi@d2emerge.com
LIST SERVICES Jessica Carroll jcarroll@d2emerge.com
REPRINTS reprints@d2emerge.com
ACCOUNTING accounting@d2emerge.com

ADVERTISING SALES
PUBLISHER David Lyman 978-465-2351 dlyman@d2emerge.com
SALES MANAGER Jon Sawyer 603-547-7695 jsawyer@d2emerge.com

D2 EMERGE LLC www.d2emerge.com
PRESIDENT & CEO David Lyman
CHIEF OPERATING OFFICER David Rubinstein


Contents
VOLUME 2, ISSUE 48 • JUNE 2021

FEATURES
Open source is a community, not a brand, page 6
Low code meets the urgency of today's rapidly changing world, page 14

NEWS
4 News Watch
12 Data Improves Value Stream Management
13 Google continues to grow with Kotlin
19 Atlassian reveals Open DevOps vision
19 JetBrains releases CI/CD solution TeamCity Cloud
33 Protect your users and your business with a software bill of materials
34 Guard your mobile endpoint and your end users

BUYERS GUIDE
Security shifts left as a team effort, page 24

COLUMNS
36 GUEST VIEW by Charles Sword: The time has come for RPA standards
37 INDUSTRY WATCH by David Rubinstein: Security first and foremost

Software Development Times (ISSN 1528-1965) is published 12 times per year by D2 Emerge LLC, 2 Roberts Lane, Newburyport, MA 01950. Periodicals postage paid at Plainview, NY, and additional offices. SD Times is a registered trademark of D2 Emerge LLC. All contents © 2021 D2 Emerge LLC. All rights reserved. The price of a one-year subscription is US$179 for subscribers in the U.S., $189 in Canada, $229 elsewhere. POSTMASTER: Send address changes to SD Times, 2 Roberts Lane, Newburyport, MA 01950. SD Times subscriber services may be reached at subscriptions@d2emerge.com.



NEWS WATCH

Red Hat introduces OpenShift GitOps and Pipelines
Red Hat OpenShift GitOps and OpenShift Pipelines are being added to the OpenShift portfolio. Together, the new capabilities will help companies reduce friction between developers and operations teams. OpenShift GitOps provides IT teams with GitOps workflows for cluster configuration and application delivery. It is based on the idea of GitOps, in which developers and operations teams use a Git repository as the single source of truth. OpenShift Pipelines runs each step of the CI/CD pipeline in its own container, which allows each step to scale independently and helps reduce the cost and overhead of running the pipeline.

Angular version 12 aims at Ivy compiler
Angular v12 moves the framework closer to "Ivy Everywhere," an approach to transition the Angular ecosystem to the Ivy compiler. As of this release View Engine is officially deprecated and will be fully removed in a future release. Libraries that currently use View Engine will still work with Ivy apps, but the Angular team recommends that library authors start transitioning to Ivy, explained Mark Techson, developer advocate on the Angular team, in a blog post. Another transition in Angular v12 is the move away from legacy i18n message IDs. According to Techson, these legacy message IDs can cause issues based on whitespace, formatting templates, and ICU expressions. The new message ID format will be more resilient and intuitive and will reduce unnecessary translation invalidation and retranslation cost in applications where translations don't match.

Kotlin 1.5 released with JVM records
The first major Kotlin release of 2021 is now available. Kotlin 1.5 adds JVM records, sealed interfaces, inline classes, and the new JVM IR compiler. JVM records are classes that carry a fixed set of values. Kotlin developers can now expose a Kotlin class to Java as a record by making it a data class and marking it with the @JvmRecord annotation. Sealed interfaces provide more control over inheritance: according to Kotlin's documentation, once a module containing a sealed interface is compiled, no new implementations of it can appear. Inline classes are a subset of value-based classes. They only hold values and can be used as wrappers around a value of a given type without the memory-allocation overhead a wrapper object would otherwise incur.

Amazon releases data science IDE
AWS released its new IDE, EMR Studio, designed to help data scientists and data engineers develop, visualize and debug applications written in R, Python, Scala and PySpark. The IDE was first previewed at AWS re:Invent 2020 and since then new features were added, such as the ability to use the Amazon EMR console and AWS CloudFormation to create and configure a new EMR Studio for teams. To help with debugging, the IDE provides fully managed Jupyter notebooks and tools like Spark UI (which can now be launched directly from an EMR Studio notebook) and YARN Timeline Service.

Grafana, Loki and Tempo switch to AGPLv3
Observability platform provider Grafana Labs announced its open-source projects Grafana, Grafana Loki and Grafana Tempo will now be available under the Affero General Public License v3 (AGPLv3). The projects were previously available under the Apache License 2.0. Raj Dutt, CEO of Grafana Labs, explained it chose AGPLv3 because it is an Open Source Initiative-approved license and meets the criteria of free and open-source software. "Ensuring we maintain these freedoms for our community is a big priority for us. While AGPL doesn't 'protect' us to the same degree as other licenses (such as the SSPL), we feel that it strikes the right balance. Being open source will always be at the core of who we are, and we believe that adopting AGPLv3 allows our community and users to by and large have the same freedoms that they have enjoyed since our inception," he wrote in a post.

Progress releases Kendo UI for Angular
Progress announced the new release of Kendo UI R2 2021, which introduces Kendo UI for Angular, jQuery and Vue as well as KendoReact. Kendo UI for Angular delivers new components such as BottomNavigation, MultiSelectTree, Skeleton and Circular Gauge to enhance users' interaction with the app, data visualization and performance. KendoReact aims to empower developers to build business apps with components such as External Drop Zone, Skeleton and Circular Gauge as well as an extensive set of new Grid, DatePicker and Scheduler features.

Red Hat offers OpenShift sandbox for Kubernetes
Red Hat unveiled its Developer Sandbox for Red Hat OpenShift to make it easier for developers to get started with building Kubernetes-based applications using the same infrastructure and tools that they run in their application environments. The new solution provides a private OpenShift environment in a shared, multi-tenant cluster that is pre-configured with a set of developer tools. The tight integrations between the infrastructure and tools provide a safe environment for prototyping or building new applications, creating containers from source files or Dockerfiles and more, according to the company.

Visual Studio Code 1.56 improves feedback
The latest release of Visual Studio Code includes improved hover feedback to help users quickly find clickable editor actions, terminal profile improvements, and debugger inline values. Developers can also now temporarily toggle the line numbers of a cell in the current session from the cell toolbar, or change the visibility of line numbers for all notebooks through the 'notebook.lineNumbers' setting. The team explained the release continues to improve its support for the upcoming TypeScript 4.3 release, and Microsoft is also previewing Remote Repositories (RemoteHub), which enables developers to instantly browse, search, edit and commit to any GitHub repository directly from within VS Code.

Productivity the focus of Android Studio update
Android Studio 4.2 focuses on upgrading the IntelliJ platform and adding a handful of new features centered around improving productivity as an Android app developer. The new app project upgrade assistant in Android Studio 4.2 is designed to make it easier to migrate a project and make use of newer Android Gradle Plugin APIs. The release also contains enhancements to existing features such as Database Inspector, System Trace, SafeArgs support, Apply Changes and more.

Contrast Security adds support for Go
Contrast Security announced the addition of the Contrast Go agent to its Contrast Application Security Platform. The Contrast Go agent performs software composition analysis to locate known vulnerabilities, and uses integrated analysis to detect unknown vulnerabilities. "Contrast eliminates false-positive security alerts that plague legacy application security approaches," said Steve Wilson, the chief product officer at Contrast Security. "These inundate security teams with alerts that pose no risk and bog down development release cycles. For applications in Go, a better alternative did not exist until now."

DotData Py Lite AI solution introduced
DotData Py Lite is a new containerized AI automation solution that enables data scientists to execute quick POCs and to deploy dotData on their desktop. The solution includes automated feature engineering and machine learning in a portable environment, which allows data scientists to explore 100 times more features, augment their hypotheses and improve their ML models, according to the company.

IBM Project CodeNet teaches AI to code
In an effort to make code easier to debug, maintain and update, IBM has unveiled Project CodeNet, an open-source dataset for advancing AI's understanding and translation of code. The project was announced at last month's Think conference as a part of IBM's AI for Code initiative, which aims to help developers improve productivity by automating more of their engineering process. Project CodeNet includes 14 million code samples and 500 million lines of code from programming languages like C++, Java, Python, Go, COBOL, Pascal and FORTRAN. The project also includes high-quality metadata and annotation, and sample inputs and outputs to help researchers preserve a program's intent when translating from one programming language to another.

People on the move
• Apache CloudStack has named Gabriel Beims Bräscher as its new vice president. Bräscher first started his work with CloudStack as a student, and quickly moved up to contributor and PMC member. As vice president, he will act as a bridge between the ASF board and the project.
• Mark Surman, executive director of the Mozilla Foundation, has joined the company's board of directors. Surman will help advise the company's overall direction and brings more than two decades of experience working with leading projects and organizations focused on the public interest of the internet.
• Planview has appointed Razat Gaurav as its new chief executive officer and member of the board of directors, effective immediately. Gaurav succeeds Greg Gilmore, who is retiring as CEO but remains on the board of directors. Previously, Gaurav served as CEO of LLamasoft and has held leadership positions with Blue Yonder, i2 Technologies, and Ernst & Young.
• Bill Staples has been promoted to CEO of observability company New Relic, effective July 1, 2021. Staples will succeed founder and CEO Lew Cirne. Cirne will become executive chairman of the board, and the current chair Hope Cochran will become the vice chair of the board and lead independent director. Staples first joined New Relic as chief product officer last year, and was promoted to president and CPO.
• Adam Blitzer is now the chief operating officer of monitoring and security platform provider Datadog. Blitzer has 14 years in the SaaS space and held a number of leadership positions at Salesforce. Additionally, he founded Pardot, a B2B marketing automation platform that is now owned by Salesforce.




Is open source fracturing? Companies creating licenses to protect their IP, but critics say they don’t meet the OS standard

I

t’s no longer a question of why you should use open source. The tables have turned and businesses are asking themselves why aren’t they using open source? But an even bigger question has been left unanswered, and that is how are they using open source? Are they staying true to the open source meaning? As open source has become increasingly more popular, companies have begun to adopt open source for the brand, but then try to go against the purpose of open source, according to Gordon Haff, a technology evangelist at open-source company Red Hat. “I’ve definitely been on a lot of calls where one of the first things I’ll ask business leaders is why do you want to be open source, and often the answer is: because our customers seem to like that, but we don’t want Amazon to com-

BY CHRISTINA CARDOZA pete with us. We don’t want someone else to compete with us. We want to be able to maintain some proprietary parts of our software,” he said. Open source itself has never gotten away from its meaning, according to Vicky Brasseur, author of the book “Forge Your Future with Open Source.” The problem, she said, is that people haven’t bothered to learn or understand the true meaning of open source. “They make up their own definitions of open source, or they do it via the telephone game...and so the definition they’re working under in no way relates to what it actually is,” she said. According to Brasseur, the Open Source Initiative (OSI) defined open source over 20 years ago, and that is the one true meaning there is.

Creating a business model around open source According to Robin Schumacher, vice president of product at open-source monitoring solution provider Netdata, the reason why open source has been so successful is because of the social aspect of it. Unlike proprietary software, it’s collaborative. It’s communityoriented and community-driven. There are ways for a business to successfully use open source to their competitive advantage while staying true to the nature of open source, but open source shouldn’t be adopted just because it makes a company look good. “Your primary responsibility as a business owner, as a founder, as a manager of an organization, of a business, of a company, is not necessarily to open source. It is to your business,” said Brasseur. “If you are starting from open


006-11_SDT048.qxp_Layout 1 5/24/21 12:25 PM Page 7

www.sdtimes.com

source and then trying to reverse engineer a business out of that, you’re coming at it from the wrong direction.” A business should be looking at what the user needs, what the environment is they are targeting, what the trends are, whether or not they can meet those user needs or do it better than someone else, and then decide if it makes sense to use open source or release software to open source, Brasseur explained. If open source makes sense for the business goal, then companies need to put the effort into building the community around open source and understanding what the goal of releasing to open source is going to be. “If you don’t know your business goals, you won’t be able to maintain and guide that open-source project in a way that you can actually meet your business goals,” said Brasseur. According to Sacha Labourey, cofounder of enterprise software delivery company CloudBees, there are a number of models and tools today to make sure organizations are able to properly manage and govern the use of free and open-source software (FOSS). “We talk a lot about FOSS, but the reality is that it has been incredibly stable in how it operates and the value it provides. What has really been evolving fast are the various business models around FOSS,” he said. One of the best and most proven models out there is the open core model, according to Schumacher. In the open core development model, vendors open source a portion of their software, but surround it with proprietary offerings. While it is valid from a business model perspective, Red Hat’s Haff noted that it’s important to recognize the open core model makes things a lot harder for the community to do collaborative open development. It takes a lot of time for people to figure out how to use the code, set it up properly and then maintain it, explained Angie Byron, core co-maintainer of the Drupal project, an open-source web content management framework. 
What companies like Acquia, a digital experience platform built around Drupal, and Red Hat do is provide a cloud platform that takes all the guesswork out for continued on page 8 >

June 2021

SD Times

The Open Source Initiative’s definition of open source Open Source Initiative’s (OSI) open source definition states that open source goes beyond just accessing the source code. To be open source, the software must comply with the following 10 criteria: 1. Free redistribution, 2. Source code, 3. Derived works, 4. Integrity of the author’s source code, 5. No discrimination against persons or groups, 6. No discrimination against fields of endeavor, 7. Distribution of license, 8. License must not be specific to a product, 9. License must not restrict other software, 10. And the license must be technology-neutral. “That is the one, the only, the worldwide recognized standard,” said Vicky Brasseur, author of the book “Forge Your Future with Open Source.” “Standards are very important because otherwise we can be using the same words and mean completely different things, and from a business perspective, that can be devastating for people to be using different words or the same word open source and meaning different things. There is no other definition of open source.”

Open-source software in the enterprise Red Hat’s 2021 State of Enterprise Open Source report found 90% of IT leaders are using open source in the enterprise, and 79% expect their use of enterprise opensource software for emerging technologies (edge, IoT, AI and ML) to increase over the next couple of years. The main drivers for adopting open source are infrastructure modernization, digital transformation, higher quality software, access to latest innovations, and better security. This year, the company decided to ask respondents whether or not they look to see if a vendor contributes back to open source when looking to implement a new solution. Surprisingly, the report found that IT leaders not only care, but they are much more likely to choose a vendor who contributes. “That means the IT leaders are starting to appreciate the virtuous cycles that you have in open-source development,” said Gordon Haff, a technology evangelist at open source company Red Hat. But barriers still remain with respondents citing level of support, compatibility, and lack of internal skills as top challenges to adopting open source. Software solutions provider Perforce, which recently released a report on open-source opportunities with Forrester Research, believes that while open source has cemented its role as a critical agenda driver in the enterprise, not enough organizations are taking the necessary steps to optimize their OSS strategies. “Without comprehensive and optimized strategies that govern the critical pillars of running OSS, organizations risk missing out on the benefits it can deliver, including greater flexibility and better efficiency, time to market for products, customer and employee experiences, and more,” the report stated. While free and open, open source can be complex and require expertise to maintain, support and operate. 
According to the Perforce report, it’s important to partner with industry leaders to maximize open-source success through migration help, ongoing management and support. Additionally, an open-source strategy that can clarify the open source initiatives, governance, role of internal resources and external support can help pave the way for open source in the enterprise. “Finding success with open-source software as an enterprise organization requires a fully formed strategy — especially as it applies to critical areas like sup—Christina Cardoza port,” said Rod Cope, CTO at Perforce Software. z

7


006-11_SDT048.qxp_Layout 1 5/24/21 12:23 PM Page 8

8

SD Times

June 2021

www.sdtimes.com

The challenges facing open source today Vicky Brasseur, author of the book “Forge Your Future with Open Source,” sees three main issues plaguing the open source landscape today. The influx of open-source projects: According to Brasseur, there has been a flood of new projects being released. While that can be a good thing, it can also be problematic if organizations are just releasing things into open source to be trendy. She explained it makes the signal-to-noise ratio off-balance and makes it difficult to find useful projects. “It’s contributing to this age-old problem of reinventing the wheel, rather than perhaps contributing back to the existing wheel that’s already there,” she said. It’s tempting to want to release something rather than contribute to something, but you don’t necessarily have to start everything from scratch. Support what’s already out there, fork it, or take it into a different direction, according to Brasseur. Lack of knowledge: Knowledge should go beyond just the definition of open source and free software. Businesses and developers need to understand the copyright and licensing details that go behind open source. Developers that “play fast and loose” with the laws, Brasseur said, make it difficult for

< continued from page 7

users and provides users with professional services and a support system. When projects and vendors commercialize open source, they have to understand there are various levels of commitments and contributions they are going to get from the community. It’s not always about code contributions, Schumacher said. There are other ways the community can help out. For instance, they can help by doing testing, quality assurance, performance testing, bug reports, feature requests, forum contributions, meetups, and sharing best practices and pitfalls.

Giving back to the open-source community Technology giants like Google, Red Hat and others have been the most successful in the open-source world because they embrace the developer. “The love of the developer, the understanding that the developer is the set of ground troops

companies to use their software because they have to take the time to figure out what the license is and how they can use the software. Too many hours are wasted just talking about and chasing down licensing information. Monocultures: Brasseur sees a number of monocultures plaguing the open-source ecosystem through fiscal sponsors, tooling and foundations. “These monocultures are a problem. All you need to do is watch Twitter on any day when GitHub is down. All of open source screeches to a halt. That is a huge problem. People equating open source with GitHub, that is a problem… I like GitHub, they do good things, but from an ecosystem point of view, that’s a problem. Projects that assume the only place I can go to have somebody support me from a foundational level is the Linux Foundation, that is a problem. There are lots of different options. The Linux Foundation does a very good job in many ways, but it’s not the be-all and end-all. Companies that think in order to participate in open source, I have to pay to become a member of a foundation, that is a problem,” she explained. z —Christina Cardoza

that takes the technology into a particular enterprise, ingrains it into the lines of business, then it begins to bubble up to the higher-ups who see the benefits of what’s going on or just the proliferation of this software, and have no choice but then to make a commitment to it,” said Netdata’s Schumacher. A successful open-source vendor will provide a very smart and qualified developer relations staff, he explained. “You are going to need people who understand the spirit, mindset and everything of the developer community, of open source in general…” he said. Schumacher has three pillars for a successful developer relations staff: 1. Community managers who are active in the industry and evangelizing the software, participating and scheduling meetups and events, are present on social media, and are broadcasting the benefits of projects to the open-source community

2. Skilled technical members who are responsible for helping the community implement the open-source software and providing best practices, jump-starts, sample apps, and code contributions 3. Lastly, you need an educational aspect that goes beyond how to use the software and talks about the next steps in terms of how to utilize the software to the user’s advantage. This area should include videos, written content and other resources to provide users with a pass to success. “The developer relations staff is absolutely critical for any vendor that wishes to work with open-source software, commercialize and be successful,” said Schumacher. However, author Brasseur warns that while developer relations and open-source program offices can be beneficial, you have to make sure you are hiring the right or qualified people. continued on page 11 >


Full Page Ads_SDT045.qxp_Layout 1 5/19/21 11:22 AM Page 9

Bad Data Happens. We'll Help You Fix It.

TALK TO AN EXPERT

You can’t improve your business unless you know what’s wrong with it. Inaccurate customer data leads to poor business insight, lackluster communications, and inefficient operations. For over 35 years, Melissa has been one of the most trusted global experts in data quality, address verification and identity resolution. When bad data is holding your business back, we’ll help you find it, fix it, or flush it. Guaranteed.

Unify Data to Improve Customer Connections

PowerBad Business Prevent Data from Entering Your Database Intelligence

Increase Enrich Data ROI to Fuel Audience Insights & BI

Ask Melissa for a free troubleshooting & our 120-Day ROI Guarantee.

Melissa.com 1-800-MELISSA


006-11_SDT048.qxp_Layout 1 5/24/21 12:23 PM Page 10

10

SD Times

June 2021

www.sdtimes.com

< continued from page xx

The battle of open-source licenses BY CHRISTINA CARDOZA

Earlier this year, Elastic reignited the open-source licensing debate when it announced it would be changing its license model to better protect its open-source code. Over the last couple of years, a number of companies — including Redis Labs, MongoDB, Cockroach Labs, and Confluent — have been switching their open-source licenses to avoid what they call “the big code robbery,” where cloud providers like Amazon take their successful opensource project, adopt and profit off it as a cloud service without giving back to the community. “Cloud vendors do not care about monetizing FOSS projects, they are about getting more workloads running on their infrastructure — hence, to be the preferred destination for such workloads,” said CloudBees’ cofounder and chief strategy officer Sacha Labourey. Confluent created a new community license, and MongoDB announced its Server Side Public License (SSPL) to combat cloud providers. In January, Elastic announced it would move its

Kibana and Elasticsearch open-source projects to a dual license under the Elastic License v2 and SSPL. However, these new licenses that companies are switching to are not considered open source by the Open Source Initiative’s standard, leaving many in the industry to wonder where these companies now stand with open source. Justin Colannino, director of developer policy and counsel at GitHub, wrote in a post: “These new ‘source available’ licenses contain restrictions to prevent cloud infrastructure providers from building a service out of their code. Early efforts like the commons clause limited ‘commercial use’ broadly and users found that the license language ‘created some confusion and uncertainty.’ Recent efforts by Elastic and others are more surgical. They simply attempt to restrict users from standing up the software alone as a service. The goal of these new licenses is to continue to capitalize on the widespread availability of the software and its source code to gain future customers while shutting out competing SaaS

services based on the same code.” According to Stephen O’Grady, principal analyst and co-founder of the developer analyst firm RedMonk, while it can be upsetting, the cloud providers are not actually abusing open-source projects if they are still abiding by the rules of the open-source license. “If project owners don’t want certain parties to be able to use their software, they shouldn’t be using open-source licenses,” he said. MongoDB argues that under SSPL, developers are still able to access, use, modify and redistribute its code. “We adopted the SSPL license to protect our right to build an innovative business in the Cloud era. We wanted to counter the threat of hyperscale cloud vendors taking our free product and offering it as a service without giving anything back,” said Dev Ittycheria, CEO and president of MongoDB. Tomer Levy, CEO of Logz.io, a cloud observability platform provider, argues that changing licenses shakes the entire foundation of the opensource philosophy and shows that those in control of popular projects have the


006-11_SDT048.qxp_Layout 1 5/24/21 12:23 PM Page 11

www.sdtimes.com

ability to take these projects away from the community at any time. “We were disappointed to hear about Elastic’s decision to change to a license which is not truly open source. This is a slap in the face to the engineers that helped build the community and make the open source software the staple that it is today,” he said.

O’Grady added that changes like these have the potential to blur the definition of what is and isn’t open source, creating more uncertainty in the space. “If these companies genuinely want to protect open source, they would actively and aggressively maintain a bright line of distinction between their source available, proprietary licenses and genuine open source alternatives,” he said.

Elastic made the decision to no longer refer to Elasticsearch or Kibana as open source and instead refer to the projects as free and open. “While we have chosen to avoid confusion by not using the term open source to refer to these products, we will continue to use the word ‘Open’ and ‘Free and Open.’ These are simple ways to describe the fact that the product is free to use, the source code is available, and also applies to our open and collaborative engagement model in GitHub. We remain committed to the principles of open source — transparency, collaboration, and community,” the company explained in a post.

“Changing licenses shakes the entire foundation of the open-source philosophy.” —Tomer Levy, Logz.io CEO

Red Hat evangelist Gordon Haff actually thinks it can be a good thing if a project is successful and popular enough that a big public cloud provider is going to try to compete with it. “There’s a saying in the open-source space that your biggest challenge isn’t to be competed with, it’s to have no one know or care what you do,” he said. One way to combat the cloud providers, other than changing your software licensing model, is to form innovation partnerships with the cloud vendor so there’s a window where they can’t just steal your functionality, and hopefully during that window the project innovates and moves past the threat.

Drupal’s Angie Byron thinks creating a form of Creative Commons for open source could help categorize open-source projects into projects that are free to use, projects that require attribution, and so on. “That sort of thing around open-source licenses could be really interesting to explore, because it would allow the expression of what these different projects are trying to do, but through the singular lens of this organization that has proven its importance and its credibility within the community,” she said. She also suggested creating social pressures on these companies to do better.

WSO2’s Newcomer thinks we are already seeing Amazon react and change. In response to Elastic, Amazon created OpenSearch, an open-source fork of Elasticsearch and Kibana, and it is working with the industry to support and maintain the project long-term. Additionally, New Relic recently contributed Pixie, the open-source project for Kubernetes-native observability, to the Cloud Native Computing Foundation, and expanded its relationship with Amazon to run Pixie on AWS.

Amazon “is the lead right now in this market. They have the capability to just take a leadership position in solving new problems through collaboration and open source,” said Newcomer. “What we need is more standard ways of interacting with them, standard platforms that all cloud providers should implement to solve the problems in the way of people so they’re not in this situation of having to pick and choose, which is difficult for everyone.”


< continued from page 8

“There are great people out there for this, but there aren’t nearly as many experienced people for this.” You can’t just hire internally because a developer contributed to an open-source project once, she explained.

Other ways organizations can give back or get involved in the community include participating in industry initiatives or open-source foundations. Organizations “have to change their mindset from, we’re just going to develop what we think we need to be competitive to let’s help develop what the industry needs,” said Eric Newcomer, CTO at WSO2, an API management company. “One of the reasons open source is so successful is because people can collaborate on a shared vision of a common problem that everybody has.”

It’s not as easy as telling organizations to give back, though, Drupal’s Byron explained. She said you have to incentivize companies to give back. At Drupal, the project created a contribution record where contributors and committers can show how they are helping to sustain the project and the Drupal Association. “Hammering on that is probably the best way to do it because companies are probably not going to contribute out of the kindness of their heart. They need to have an incentive that matches with their return on investment,” Byron said.

She also explained that contributing to open source not only helps solidify an organization as an expert in their field, but it helps gain and retain talent because many developers want to work for companies that make time for open source. Contribution credits can help weed out the true open-source experts from the pretenders. “If you are selling yourself as an AWS vendor, but you have no record of ever contributing to anything around the AWS ecosystem, it’s sort of like, well did you just take a test and now you’re calling yourself an expert versus if you can see the trail of this person making contributions, writing blog posts and such, it’s easy to choose between the two. One is literally establishing themselves as an expert,” Byron added.


INDUSTRY SPOTLIGHT

Data Improves Value Stream Management
Content provided by SD Times and

Today’s companies are drowning in bits and bytes. According to Hubspot, the average enterprise manages 347.56 TB of data, while Splunk claims 55% of business data is unused. It’s obvious that organizations need to utilize data more effectively. When they do, they’re in a better position to enable effective value stream management.

Both data and value stream management have become competitive issues. When data remains trapped in application silos, value stream management fails to deliver on its promise. “There’s a lot of waste when it comes to data. If organizations aren’t using 55% of it, it can cost them millions of dollars of data collection and storage investments that aren’t providing any value,” said Laureen Knudsen, chief transformation officer at Broadcom. “If you consider the sheer amount of data that tools in a value stream are producing, it equates to more waste and slower value delivery time frames when everyone’s trying to speed up to stay competitive.”

Some organizations don’t know how they’re using data or how they want to use data. Another common problem is data lakes. Organizations are throwing all kinds of data into a data lake, hoping it will produce some sort of value eventually. Meanwhile, dashboards have become so complex that executives don’t understand what’s being presented to them. Worse, the dashboard may indicate that all is well when all is not well.

Yet another challenge is success measurement. A recent survey found that 68% of companies struggle to create business metrics from their data. “A lot of people aren’t really sure what data will have material impact on their business,” said Knudsen. “Look at how you’re measuring your people because you want to get something out the door quickly, but if you’re adding constraints that serve as obstacles to value delivery, then you’re never really going to have a true value stream.”

To achieve a true value stream, everyone must have the same goals, such as improving customer experience. Everyone should also have the same definition of “done.” “One company I worked for had 35 different kinds of strategic projects globally. We all used a standardized definition of ‘done’ so that the leaders could see, even at a high level, how each segment was doing,” said Knudsen. “At the team level, your tools should accurately track reality. If a user story is accepted after the time box is over, does it count towards the team velocity? It shouldn’t, yet some tools report this way. You’ve got to have consistency to the data so when you roll it up from software development and delivery to the C-suite, it tells the same story.”

The role data plays in Value Stream Management

Sophisticated data-driven companies move orders of magnitude faster than other organizations because they understand what data they have, what data they need and how to operationalize it all so they can drive value from it. “You can look at throughput reports, but if you don’t know what ‘done’ means then done could mean the coding is done but the code hasn’t been tested,” said Knudsen. “Your throughput may look great because people have marked their work complete and that can impact the whole flow from top to bottom in your value stream. The details will make or break the effectiveness of your value stream.”

Despite the sheer volume of data organizations have at their disposal, they still may lack the data they need to meet their goals. In addition, the quality of the data will determine whether value stream insights are trustworthy or not. Finally, data access and flow speeds will determine how agile a company can be. In fact, 74% of organizations fail to have key data available in real-time, which inhibits timely, data-driven decision-making.

“Data is essential to the value stream,” said Knudsen. “You can’t have gaps in data or the value stream. Work and data have to flow through the organization seamlessly and it has to make sense.” Data can help pinpoint the areas of friction in value stream flow. “You can’t have really good value streams unless you have a frictionless end-to-end data flow,” said Knudsen. “But when you achieve that flow, your company can be more agile, insight-driven, innovative and competitive.”

Unleash the power of Value Stream Management

Join Broadcom, Chipotle, Boeing, Hershey and retired NASA astronaut Leland Melvin for the Value Stream Management Summit online, June 23, 2021. The event will address the strategic and tactical issues today’s companies must master. Learn more on our registration page, https://www.vsmsummit.com.



Google continues to grow with Kotlin BY CHRISTINA CARDOZA

As of 2021, Kotlin is now a generally available language across all of Google. The company first announced in 2019 that it was taking a Kotlin-first approach in Android, but since then it has expanded its support and implemented Kotlin in more than 60 applications such as Google Home, Drive, Maps, Pay, Sheets and Docs. “What we have really seen is that our developers love it, and we’ve seen a ton of growth just in terms of usage both outside and inside Google,” said Karen Ng, product lead for Kotlin and Android development tools.

Ng explained the adoption happened organically within the company. Before Google decided to adopt it, the Android community wrote an open letter to the company about Kotlin and its benefits. After adopting it, Google found it was just easier, safer and more reliable to work with than other languages. For instance, it’s fully interoperable with Java, making it easier for developers and Google to adopt it without having to rewrite a bunch of code, according to Ng.

Kotlin also provides safer code by encoding nullable and non-nullable information in the type system, helping developers avoid whole classes of crashes, Ng explained. Google Home was able to reduce crashes by more than 30% with the help of Kotlin. “The Google Home team decided to incorporate Kotlin into their codebase to make programming more productive and to enable the usage of modern language features like var/val, smart casts, coroutines, and more,” the company revealed in a case study. “Because Kotlin can make nullability a part of the language, tricky situations can be avoided, like when inconsistent usage of nullability annotations in Java might lead to a missed bug. Since the team started migrating to developing new features with Kotlin, they saw a 33% decrease in NullPointerExceptions. Since this is the most common crash type on Google Play Console, reducing them led to a dramatically improved user experience.”

Other features like coroutines were especially important for Google to be able to help mobile apps handle asynchronous data. Ng also finds developers are able to do more with less code, “which makes it a lot more maintainable, easier to read, and you get improved productivity.” Swiggy, the online food ordering app, wrote 74% of their app in Kotlin and saw a 50% reduction in crashes as well as huge improvements in app rollout times, Ng revealed. “When we survey developers in our benchmark survey on language satisfaction or productivity, we find that developers find themselves much more productive in Kotlin. It’s the conciseness of code, the type safety extension functions, and coroutines that [enable developers to] ship apps faster with Kotlin,” said Ng.

In addition to it becoming a general availability language, Google launched a new curriculum to help more developers get started with Kotlin. “The reason why this is important is because we see so many different career opportunities for Android developers in our ecosystem, we want more people to be able to take advantage of this regardless of what background they come from, even people with no programming experience,” said Katherine Kuan, a developer advocate for Android. The company has invested in learning materials for different backgrounds and learning systems. There are course materials available for developers who want to learn online at their own pace, developers who want to learn in a peer group, and developers who prefer more structured learning. Kuan recommended those learning Kotlin as a first language to take advantage of the Kotlin Playground, which is “in the browser so without even needing to install an IDE, you can start writing a simple Kotlin program and playing with the syntax. That gives people an easy win upfront.”

Google is also trying to help developers who are coming from Java. Ng explained that Java developers tend to try the same flow or idioms as they would in Java that aren’t necessarily efficient in Kotlin. “Some of our content and training has now started thinking about Kotlin idioms, how you might think of writing something a little bit differently,” she explained. “With the digital world, there is such a need for growing skill sets and time is more precious, so a language like Kotlin helping you become more productive just becomes that much more valuable,” Ng added.

Going forward, Google plans to continue to grow and improve the language inside of Google. The company recently announced the beta version of Jetpack Compose, its UI toolkit, which is built on Kotlin. “Built entirely in Kotlin, Compose takes advantage of its great language features to offer powerful, succinct, intuitive APIs. Coroutines for example enable us to write much simpler async APIs such as describing gestures, animation or scrolling. This makes it easier to write code that combines async events, like a gesture which hands off to an animation, all with cancellation and clean-up provided by structured concurrency,” Anna-Chiara Bellini, Android product manager, and Nick Butcher from Android developer relations, wrote in a post.
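The two language features the article credits, nullability in the type system (the Google Home case study) and structured concurrency (the Compose post), shown in one added Kotlin example. This is not code from Google, Swiggy or the Compose team; the Device record, the probe functions and the example.unset.key system property are constructed for illustration, and the second half assumes the kotlinx.coroutines library is on the classpath (the Kotlin Playground mentioned above is assumed to bundle it). The Java-boundary function is the part a reviewer should watch: a value of a platform type assigned to a non-null Kotlin type compiles cleanly and fails at runtime, which is exactly the "inconsistent nullability annotations in Java" case the case study describes.

```kotlin
import kotlinx.coroutines.*

// --- Part 1: nullability in the type system ---

// Constructed sample record: a device whose firmware tag may be absent.
data class Device(val id: String, val firmwareTag: String?)

// Non-null parameter: passing a String? here is a compile error, not a runtime NPE.
fun normalizeTag(tag: String): String = tag.trim().lowercase()

// The null check is visible to the compiler, which smart-casts String? to String.
fun describe(device: Device): String {
    val tag = device.firmwareTag
    return if (tag != null) "${device.id}: firmware ${normalizeTag(tag)}"
    else "${device.id}: firmware unknown"
}

// Same contract via safe call (?.) and Elvis (?:).
fun tagOrDefault(device: Device): String =
    device.firmwareTag?.let(::normalizeTag) ?: "unknown"

// Where the guarantee stops: a value from Java with no nullability annotation is a
// "platform type". Assigning it to a non-null Kotlin type compiles, and a null surfaces
// as a NullPointerException at the assignment (Kotlin 1.4+ semantics).
// System.getProperty is a JDK method that returns null for an unset key.
fun fromJavaUnchecked(): Int {
    val value: String = System.getProperty("example.unset.key")  // throws NPE here
    return value.length
}

// Declaring the boundary value as nullable moves the check back into the type system.
fun fromJavaChecked(): Int {
    val value: String? = System.getProperty("example.unset.key")
    return value?.length ?: 0
}

// --- Part 2: structured concurrency ---

class ProbeResult(val name: String, val ok: Boolean)

// Simulated I/O. delay() is a suspension point, so cancellation arrives here as a
// CancellationException and the finally block still runs.
suspend fun probe(name: String, millis: Long, log: MutableList<String>): ProbeResult {
    try {
        delay(millis)
        log.add("$name finished")
        return ProbeResult(name, true)
    } finally {
        log.add("$name cleaned up")
    }
}

// coroutineScope returns only when every child has finished or been cancelled.
suspend fun probeAll(log: MutableList<String>): List<ProbeResult> = coroutineScope {
    val fast = async { probe("fast", 50, log) }
    val slow = async { probe("slow", 5_000, log) }
    listOf(fast.await(), slow.await())
}

// One failing child cancels its siblings; the scope rethrows the original failure.
suspend fun probeWithFailure(log: MutableList<String>): List<ProbeResult> = coroutineScope {
    val slow = async { probe("slow", 5_000, log) }
    val bad = async<ProbeResult> { delay(20); error("bad probe blew up") }
    listOf(slow.await(), bad.await())
}

fun main() = runBlocking {
    println(describe(Device("hub-1", "  V2.1-RC ")))  // hub-1: firmware v2.1-rc
    println(describe(Device("hub-2", null)))          // hub-2: firmware unknown
    println(tagOrDefault(Device("hub-2", null)))      // unknown
    println(fromJavaChecked())                         // 0
    runCatching { fromJavaUnchecked() }
        .onFailure { println("platform type: ${it::class.simpleName}") }  // NullPointerException

    val log1 = mutableListOf<String>()
    // A deadline on the whole group cancels the scope and both children together.
    val results = withTimeoutOrNull(500) { probeAll(log1) }
    println("results: ${results?.map { it.name }}")  // results: null
    println(log1)  // [fast finished, fast cleaned up, slow cleaned up]

    val log2 = mutableListOf<String>()
    runCatching { probeWithFailure(log2) }.onFailure { println("failed: ${it.message}") }
    println(log2)  // [slow cleaned up]
}
```

Compile with kotlinc and the kotlinx-coroutines-core jar on the classpath, or paste it into the playground. The point of the timeout and failure cases is that no child outlives its scope and every finally block runs, so a cancelled gesture or animation releases what it holds; the point of the Java-boundary case is that null safety is only as strong as the annotations on the Java side, so declare boundary values nullable until the Java API is annotated.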


They’re ready for their close-ups BY DAVID RUBINSTEIN

Difficult digital transformation efforts and responding to 2020’s coronavirus pandemic set many organizations back in the last year, but also presented opportunities for others. Software tooling and solutions providers saw unexpected growth in helping companies change the way they interacted with their customers, as well as how they managed their staff, and how teams managed to collaborate even as working from home — ‘WFH’ — became the new normal.

This year’s SD Times 100 honors those technology leaders and innovators for helping their customers find the new ways of working — be it restaurants that needed new applications for taking orders and payments online, to logistics companies delivering those meals, groceries and packages from a variety of different suppliers. That meant creating new applications quickly, which led to this year’s renaming of the “Low Code/No Code” category to include the term “Digital Transformation.”

Further, many organizations turned to value stream management to ensure they were working efficiently and reducing bottlenecks that waste time and hinder efforts to deliver value rapidly. This year’s SD Times 100 gives those solution providers their moment in the limelight as well.

Along with the more traditional categories of software development, this year’s SD Times 100 reflects an image of where the industry is at right now — a snapshot, if you will. Get the picture? Hope you enjoy this year’s SD Times 100.



APIs and Integration
Boomi
Postman
CodeStream
TIBCO Software
CData Software
Jitterbit
Kong
MuleSoft
SmartBear
TriggerMesh
WSO2

Cloud Native
Amazon
DigitalOcean
IBM / Red Hat
Rancher Labs
Stackery
Stackrox
VMware

DevOps
Atlassian
JFrog
CloudBees
Octopus Deploy
CircleCI
CodeFresh
Micro Focus
Puppet
ServiceNow


Data and Database Management
Cockroach Labs
Melissa
DataStax
Neo4j
Confluent
Elastic
Informatica
MongoDB
Oracle
Tableau Software
Redgate Software
Talend

Development Tools
ActiveState
Optimizely
GitHub
Progress
Flexera
JetBrains
LaunchDarkly
Redis Labs

Testing
Applause
Perforce
Applitools
Eggplant
Sparx Systems
Gremlin
Mabl
Mobile Labs
Parasoft
Perfecto
Tricentis

Value Stream Management
Broadcom
ConnectALL
Digital.ai
GitLab
HCL
Plandek
Plutora
Tasktop



Security
Aqua Security
Signal Sciences
Checkmarx
Sonatype
Veracode
Synopsys
WhiteSource
Bugcrowd
Snyk
Contrast Security
Splunk
WhiteHat Security

Performance Monitoring
Catchpoint
Cisco AppDynamics
Datadog
Dynatrace
Instana
Lightstep
New Relic
Sentry
Stackify

Innovation Leaders
Amazon
Facebook
Google
Microsoft
Netflix

Low Code/Digital Transformation
Appian
Appify
Isomorphic
Kintone
Mendix
Nintex
OutSystems
Quick Base






DEVOPS WATCH

Atlassian reveals Open DevOps vision BY CHRISTINA CARDOZA

Atlassian announced a new DevOps experience at its Team ‘21 conference. Open DevOps is a development solution built on Jira designed to connect software development teams, tools and technologies. “We believe that every software team should choose the best tools and technology without sacrificing the ability to collaborate across the company. That’s why our approach is open and integrated — open so teams can use the tools of their choice, and integrated so collaboration doesn’t come at the expense of velocity,” Suzie Prince, head of product, DevOps at Atlassian, wrote in a post.

Open DevOps combines Atlassian products and partner offerings such as Jira Software, Confluence, Bitbucket, Opsgenie, GitHub and GitLab. “GitLab and Atlassian are both strongly committed to meeting the needs of our users. We’re proud of the work we’ve done together with GitLab and Jira integration. Our joint customers gain the autonomy to remain in their chosen context and tool, without sacrificing visibility or the ability to collaborate,” said Patrick Deuley, senior product manager at GitLab.

Features include:
• Ability to code in Jira with integrated Git repositories
• Ability to deploy in Jira with support for Bitbucket Pipelines, GitLab, Jenkins, Azure DevOps, CircleCI and JFrog
• On-call schedule in Jira so the right person is notified when something breaks
• Pages in Jira to access templates for change management, runbooks and post-incident reviews
• Automation in Jira to create workflows across development tools and keep work in sync
• Deployment frequency trends to see how teams ship value over time
• Cycle time trends to provide better insights into bottlenecks and improve team performance

Other Open DevOps integrations include: Snyk for security; mabl, SmartBear and XRay for testing; LaunchDarkly and Split for feature flagging; Datadog, Dynatrace, Sentry and Sumo Logic for observability; and CircleCI, JFrog, Codefresh, Harness and GitLab for CI/CD.

The company also announced a new program to create products in collaboration with customers and a new effort to bring Jira to non-technical teams. The Point A program includes Jira Work Management for tracking, coordinating and managing work; Jira Product Discovery, a product management tool for Agile teams; Team Central to ensure teams are connected and able to communicate; Compass to connect engineering output with teams; and Halp, a modern ticketing help desk tool. Jira Work Management also enables marketing, HR, finance and design teams to manage projects with their technical counterparts.

“This is one of our biggest set of product announcements in the history of Atlassian. Point A is a game-changer for us. It means we can deliver world-class innovation at a fast pace with our customers, on cloud,” said Mike Cannon-Brookes, co-founder and co-CEO of Atlassian. “We are building products to truly empower the modern enterprise. Our expansion into business teams with Jira Work Management means every team across an organization can now unlock the power of Jira.”

JetBrains releases CI/CD solution TeamCity Cloud BY JAKUB LEWKOWICZ

JetBrains introduced TeamCity Cloud, a managed CI/CD service designed for DevOps teams that don’t want to deal with maintaining and scaling their own infrastructure. The cloud version is based on the original TeamCity and it shares a lot of the same functionality including integration with popular development tools, test intelligence and easy configuration, the company explained.

TeamCity Cloud’s test intelligence analyzes test history, reports flaky tests, visualizes trends, and lets teams know how their code quality changes over time. The new solution also lets teams configure their CI/CD pipelines through a web UI and offers the option to create them programmatically using Kotlin.

According to JetBrains, the key difference between TeamCity Cloud and the on-premises version is that it is maintained by the company and thus has fewer administration features. Moving forward, JetBrains plans to add macOS support since it currently only comes with Linux and Windows build agents. Developers who wish to use the features have to install TeamCity Build Agent and connect it as a self-hosted build agent. A new enterprise version is also expected for the end of 2021, and it will support plugins and have various additional customization options.

“We believe that TeamCity Cloud will bring the power and the deep expertise of the on-premises TeamCity to the cloud CI/CD market, allowing companies of all sizes to orchestrate and streamline their DevOps pipelines,” said Max Shafirov, the CEO at JetBrains.


Low code meets the urgency of today’s rapidly changing world

It should come as no surprise that low code was instrumental in facilitating the large-scale changes many companies had to undergo last year, and continues to be an important part of many organizations’ strategies moving forward. In fact, an upcoming survey by IT company ServiceNow and Radar Media shows that 45% of respondents have adopted low-code platforms and that 79% say now is an optimal time to invest in low code.

According to John Bratincevic, senior analyst at research firm Forrester, there were two major use cases for low code and no code in the past year: building new apps or adding onto existing ones. Examples of new apps developed using low code include medical clinics needing to build an app to route patients to different parts of a building based on COVID rules, or vendors making apps for distributing PPP loans, he explained. “One vendor wrote a solution in 48 hours and sold it to like 25 regional banks. So they themselves got into a whole new business line overnight, well, in two days. And then the banks of course could adopt the solution. Lots of people self-served and made their own using the platforms,” he said.

Adding onto or changing existing apps was also very easy using low-code platforms. For example, Bratincevic recalled a retailer that had to get into the delivery business quickly and because they’d already used low code to build their important applications, it was as simple as adding a new module on top of that application to handle delivery and transportation management.

“You can build stuff faster, you can change stuff faster and easier, and more people can do it,” said Bratincevic. “In the context of the current need — COVID was a very desperate need. Just in general the sheer amount of software that needed to be made and changed, if you look at the numbers, it’s just ridiculous. It’s just the right thing at the right time at the right level of maturity, and the economic and social factors all kind of colliding.”

Changing needs require development speed

One of the key benefits of low-code development is speed. Traditional software takes a long time to deliver, and sometimes by the time it actually has been delivered, requirements have changed. ServiceNow and Radar Media’s survey found that low code cut development time at least in half. Forty-two percent of respondents had a 2x reduction in development time and 43% saw reductions of 3x.

In addition to being able to build solutions faster, low code also provides the ability to make changes quickly, without compromising on quality, Bratincevic explained. “There’s a lot of quality checks in these platforms, so like if you’re going to delete a field in a database it’ll stop and go ‘hold it, if you do that it’ll break these hundred other things. Here’s how it fits into the architecture.’ There’s a lot of quality checks that are built into the products that make it so that, in addition to being able to develop quickly, you can change quickly with a certain level of quality maintained,” he said.

Bratincevic added that it would be nearly impossible to build and change



software at the scale and speed that’s needed using only traditional methods, in the traditional working pattern of developers only doing software and business people only doing business work. “To me that’s the kind of big thing, it’s sort of the technology key for many firms to really transform,” he said.

The pandemic has made companies more wary of something like this happening again and how they could respond. “A lot of people had systems that couldn’t change to respond to whatever the different needs of COVID were and that was a huge problem,” said Bratincevic. “So people I think are changing their approach to say ‘what do we do when this happens again? How do we build that concrete ability to change into the systems?’”

For example, when people started working from home and not driving their cars, insurance companies needed to have a way to change their billing systems quickly to be able to issue billions of dollars in refunds. “That’s a fast big change to really core systems that theoretically aren’t supposed to change very much. That paradigm of there being these systems that don’t change very much so we can kind of leave those be, but maybe there’s some kind of narrow set of systems that need to change or are very unique, that kind of broke. You realize for everything you need to be able to plan for change and be able to do it quickly, or make new stuff,” said Bratincevic.

Younger workers adopting low code

Hari Subramanian, founder of no-code tool provider Appify, believes the generational change in the workforce and their customer bases—both shifting younger—is also contributing to low code’s success. Younger workers tend to be very tech-savvy, having lived most of their lives surrounded by technology. Younger workers with no development experience might be able to leverage that knowledge to go into a low-code or no-code platform and create an application from scratch.

At the same time, younger customers are expecting modern digital experiences, Subramanian explained. “They want to be able to at the click of a button get a $14 pizza and track it until it reaches their door… If I’m going to meet a salesperson, I need that same modern digital experience. Things need to be available at my fingertips. I need rapid access to rich information. I need to be able to engage in a very rich way and that demand is being placed on businesses as well. And it kind of comes back to no-code/low-code platforms as a way for businesses to accelerate and deliver to that need,” he said.

In addition to the age of workers, the age of the company also plays a role in adoption. According to Jinen Dedhia, co-founder of low-code platform DronaHQ, new companies are able to adopt low code without a ton of baggage. He compared the low-code movement to the introduction of the Ford motor car. “You always want to go from A to B the fastest and you have horse carts, which can take you there (horse carts in our world are developers and tooling), but tools like low code/no code are like the Ford motor car. You get to do things extremely fast. And the proof of the pudding, the ones who experience it would definitely not look at anything else.”

Larger, more established companies might have some experiences with low code, however. For example, a company with a Microsoft ecosystem could get started using Microsoft PowerApps. “But you won’t see a lot of adoption because a lot of people won’t do it unless you are a power user or somebody who will do very well with SharePoint and so and so. Large enterprises are going for the citizen developers and in smaller companies they are basically making full-fledged systems, mission-critical applications,” said Dedhia.

IT still key to low-code success

Low code may have been a popular choice this year, but a few years ago reception among developers and architects was mixed. A 2018 Progress survey of 5,565 developers revealed that 28% of developers and 20% of managers had a positive opinion on low code. The rest fell into categories such as “skeptical” (37% of developers and managers combined), “negative” (21%), “customization and flexibility seen as shortcoming” (17%), and “good for simple apps and prototyping but not suitable for complex ones” (16%).

The increasing push to adopt low-code/no-code tools might have developers and IT teams worried, but the need for those technical roles isn’t going away any time soon, Dedhia explained. These solutions enable you to build faster, but technical expertise is still needed. “You definitely need engineering skill sets. It’s just that without these tools a typical engineer would take 10 days and with these tools an engineer could go about building it in a day’s


time,” said Dedhia. Even after an application is built, those skill sets are still needed. Once applications are live, they need to be maintained long-term. “Even if they start off with building their applications they have to move at some point in time to IT for maintenance,” said Dedhia. “You need IT to maintain and you need IT to do governance.”

In addition, there are some limitations to these tools that require users to turn to their development or IT teams. Dedhia gave the example of a low-code platform not allowing you to create an API endpoint for accessing the data. “Even if you do not have an out-of-the-box way of doing it on the platform, there will always be workarounds,” said Dedhia. “And there will always be ways and means in which you can accomplish and get things done. I think IT companies who are taking up low code/no code should have clarity on their expectations and the willingness that if they’re adopting low code/no code, they might encounter scenarios where they might have to look beyond augmenting the low-code capabilities.”

Creating a citizen development program at Medtronic

A few years ago, Lori Breitbarth, senior IT program manager at medical device provider Medtronic — a company with about 105,000 employees as of 2020 — and a developer came together and created an application using ServiceNow’s low-code capabilities. Since then demand for low-code applications at Medtronic has skyrocketed.

At the start they were tasked with creating an application that could capture people who were calling Medtronic for specific things and route those tasks to the appropriate team. Using low code they were able to deliver a solution in about a week and a half.

“When we had a review of it at the end of their project, they said it was pretty much exactly what they needed and they didn’t have a lot of suggestions for how it could have been made better,” said Breitbarth.

As more departments learned about what low code could do for them, the requests started flowing in. At first, they looked to external resources to help with the low-code development, as they didn’t want to hire someone and run into a situation where they did not have enough guaranteed work for them for the next 10-15 years. “What we found using external resources, is that it’s really, really expensive, and no matter how much you try to do a knowledge transfer, the bulk of the knowledge trust walks out with that external resource when they leave the project. So we thought there’s got to be a different way for us,” said Breitbarth.

Their next option? Start a citizen development program. According to Breitbarth, the program at Medtronic relies on three foundational pillars:

1. Users must understand how to use ServiceNow and go through a training and certification program.

2. Users must understand how to use ServiceNow at Medtronic, meaning understanding how all of the apps interact with each other. “We say here’s what you should do. You should never update a global object to do something specific to you. You should follow these naming practices. You should run our quick-lint utility before you promote anything from development to test. It will tell you if you have not followed best practices and give you some recommendations, fix it and run it again, and as soon as it comes back clean you can submit to have it move from dev to test,” said Breitbarth.

3. Provide a support system for citizen developers so that if anyone needs additional coaching or has a question, the platform team is able to provide that support. “We have meetings that our platform team hosts weekly that they can join and ask any questions and we can help them through whatever issue that they’re facing,” said Breitbarth.

Breitbarth also shared three key lessons learned from creating the citizen development program.

First is that they didn’t always have perfect guardrails in place from the start. “Make sure you really focus on some guardrails, not to slow down your citizen developers, but to ensure the health and well-being of all of the platform residents,” she advised.

The second lesson is to communicate, and communicate often. For example, at Medtronic they have a Yammer site where citizen developers can go and ask questions and often another citizen developer will answer.

The third lesson is to automate as much as possible to ensure that milestones don’t act as impediments to progress. Medtronic automated testing and code moves from the development to test environment. “The more we can automate those milestones or checkpoints, the faster we'll be able to enable them.”

Now the program at Medtronic has about 30 citizen developers and after the first year, 56% of demands were being satisfied through citizen development, Breitbarth explained. “Most of our citizen developers are employees that come from the area where they are the subject-matter experts and the developers and it gives them the ability to sort of control their roadmap and the speed at which they are able to move themselves. So we became more of a support and had less of a bottleneck with internal developers. We gave them the ability to manage their own priorities and they absolutely love that,” said Breitbarth.

Breitbarth said the freedom to be able to take those business users that don’t have technical expertise, quickly train them, and enable them to create stuff has been great. “They are the ones who know the stuff that they need better than anybody else,” said Breitbarth. “That's the beauty of the citizen developer and putting it back into the hands of the people who own the applications that are trying to serve whatever business function it is that is being served by that application. You know, give that power back into the hands of the people who understand that business function the best.” z


Buyers Guide

Security shifts left as a team effort
BY JAKUB LEWKOWICZ

Preventing vulnerabilities from getting into code is falling to development squads, but it’s the security side that’s still on the hook for breaches

As organizations look towards DevSecOps as a way to infuse security throughout the software development life cycle while at the same time accelerating releases, more sides of the business have their hands on deck regarding security. However, it’s still the security side that’s on the hook when a major breach happens. “People like to say that everyone owns security now and that everyone is responsible, but in the end they will blame security,” said Eitan Worcel, the AppScan product manager at HCL Software.

The security side encompasses the CISO, the traditional security architects, network security teams and application security teams that are in charge of overall security procedures and cloud-security posture management tools. Within the organizations that are enacting DevSecOps, the security team no longer has the mandate to block software from going into production due to today’s quick iterations. As a result, security teams now have to engage more with developers and the business side to get them up to speed on security standards and practices, and to work together with them on what tooling and knowledge can be implemented to secure the process as much as possible. “Security should have the last say, but security also needs to understand that they need to partner with the developers and everyone and that they’re not a street cop anymore,” Worcel added.

Today, the role of the CISO has greatly expanded and has come under greater oversight from regulators, executive teams and boards of directors, and that has put greater pressure on the information security function to be more agile and flexible than ever before. A Gartner survey, “CISO Effectiveness: A Report on the Behaviors and Mindsets That Impact CISO Effectiveness,” conducted last September, found that only 12% of CISOs are considered highly effective. These key challenges that organizations are facing were compounded as a result of the pandemic, which shifted workspaces and workloads off of traditional networks, leading to endpoint diversity and a shifting attack environment. Ransomware attacks — such as the recent attack on the Colonial Pipeline in May — and business email compromises have become particularly worrisome.

Security personnel hard to find

Organizations looking to strengthen their security tactics soon discover that finding the right security personnel is not easy. “Eighty percent of organizations tell us they have a hard time finding and hiring security professionals and seventy-one percent say it’s impacting their ability to deliver security projects within their organizations,” Peter Firstbrook, the research vice president at Gartner, said at the Gartner Security & Risk Management Summit, which took place in March.

Organizations now recognize how integral security is to their risk management along with regulatory compliance. Some have even decided to manage security all the way at the top and are beginning to create a dedicated cybersecurity committee at the board level that’s spearheaded by a board member or third-party consultant. In its 2021 Board of Directors Survey, Gartner predicts that by 2025, 40% of boards of directors will have a dedicated cybersecurity committee, as opposed to the mere 10% that have one today.

Communicating about security

Currently, there are many tools and methodologies that security teams and developers can use to encourage communication between one another to make applications more secure. The security architects first need to step back and look at the overall approach and figure out what kind of security requirements are appropriate for this application, what sort of role it plays in the organization and whether it’s sensitive or not, according to Dale Gardner, a senior director and analyst at Gartner. “You can do things like threat modeling, risk assessments to decide what sort of security requirements are appropriate. You might decide that some sort of authentication and access control was appropriate or some kind of a web application firewall or some other protection is needed,” Gardner explained. “So there’s a lot of valuable information that comes out of that that helps get you a good foundation for building a secure application.”

Security teams can also mentor a security champion — often a developer that shows interest in security who can serve as a conduit for delivering security best practices to the development side, and also address developers’ needs.

Another way to bring developers up to speed on security training is by providing “bite-sized” continuous targeted training on a given task within their work environments, according to Robert Haynes, open source and SCA evangelist at Checkmarx. “If this team has logged a few of these particular problems with security, whether that’s input validation or whatever the secure coding practice they may be struggling with may be, I want to be able to deliver targeted, reasonably short training sessions for them so that they can go at their own pace,” Haynes said.

It’s important to provide developers with the most up-to-date knowledge because they’re constantly gaining more influence in what is being done and are taking on more responsibilities. Full-stack developers and those who are writing infrastructure as code are gaining more responsibility for what gets put out, be it a Kubernetes YAML file, a CloudFormation template or Terraform, which can often present huge vulnerabilities for the organization, Haynes added.

In addition to the developer side, the business side of an organization needs to be included at the security level so that they can understand what the application is doing, what its value is, and also what the risk to the organization from that application is. “If the developers are working on an application that deals with customer information, credit cards and it’s up in production and everyone has access to it, it’s a big risk to the organization and the business owner should have the power to prioritize and say that there shouldn’t be any vulnerabilities here,” HCL’s Worcel said.

One of the major challenges that commonly occurs between both the security and developer sides is figuring out which vulnerabilities need to be continued on page 28 >


Recent major infrastructure attacks force enterprises to rethink cybersecurity

Recent large-scale attacks on enterprise and infrastructure security have led the federal government and private businesses to rethink the way they manage security. Last month’s ransomware attack on the Colonial Pipeline shut down the main part of its network for five days, affecting fuel supplies across the United States. Additionally, an attack on SolarWinds infrastructure last year compromised a number of federal agencies and businesses.

Gartner’s senior director and analyst Dale Gardner said lax security around infrastructure code is in large part to blame. Infrastructure code tends not to be locked down very tightly because that makes it much easier for developers to go in and make alterations, but on the flipside, it also makes it easier for attackers to gain access.

The International Association of IT Asset Managers (IAITAM) pointed to weak IT asset management within organizations as the cause of these attacks. “This country is way behind where it needs to be in ensuring that every single device and piece of software associated with these infrastructure projects is accounted for, secure, and up to date. Old infrastructure is already under attack today because of a lack of rigorous IT Asset Management, and the prospect of the federal government adding billions of dollars to infrastructure without proper management will only add to the problem and open up more security loopholes. The government ratings on asset management are already low compared to private firms and we see that in GAO reports every year,” said Dr. Barbara Rembiesa, the president and CEO of IAITAM.

The distributed workforce brought on by the pandemic has increased the attack surface area, since not all employees are operating behind a company’s firewall and monitoring access is much more difficult. The hackers just need to find someone who is running a laptop in an unsecure fashion as their point of attack.

Instead of leaving a wide attack surface for hacks, organizations need to make sure that they have an incident response plan that includes the stakeholders within the company with decision-making authority, according to Robert Cattanach, a partner at the international law firm Dorsey & Whitney. Organizations also need to review their key contracts and see what obligations they have to their business partners and customers to ensure that the proper security measures were instituted, and to constantly communicate with industry groups and regulators to make sure that the organization doesn’t fall into commonly exploited patterns, Cattanach added.

Gartner has seen a growing trend for adopting a cybersecurity mesh, which is a modern security approach that consists of deploying controls where they are most needed, and identity-first security, which puts identity at the center of security design by taking a zero-trust approach.

President Biden’s administration responded to the increased attacks by enacting a cybersecurity executive order, in which the federal government will partner with the private sector to create a more secure cyberspace amid a continuously changing threat environment. It calls for updated recommendations on contracts, the removal of contractual barriers and increased sharing of information about threats. In addition, the government aims to release a standard playbook for responding to cyber incidents by federal departments and agencies and to create a cybersecurity committee.

Gardner said that this executive order could propel the security industry through its far-reaching provisions and the fact that the mandates will be incorporated into the Federal Acquisition Regulation (FAR), which will force agencies to remove software that doesn’t meet the new requirements from a wide range of contracting and acquisition vehicles.
“Much will depend on the final form of the proposed regulations, but the prospect of the US federal government using its considerable ‘power of the purse’ to force improved software security practices will ripple through corporate and consumer markets,” Gardner said. “It looks very promising.” z



< continued from page 25

addressed first, and this is where the tooling can come in to streamline and help developers prioritize the most serious vulnerabilities first. “I’ve seen pushback from developers that security is just another thing being lumped at my feet but also, I’ve never met a developer who didn’t want to make good software,” Checkmarx’s Haynes said. “At the end of the process, they get some sort of spreadsheet back from a security team with lots and lots of red pen on it and half the time, the things that have been highlighted aren’t really relevant or correct. Then they’re kind of in a hard place, but if you give them the experience, if you give them tools that they can use as part of the software build process that give them fast feedback and you can give them some easy-to-consume training, then developers are more than happy to build secure software.”

Avoiding tool sprawl

Organizations need to make sure that they correctly define what problems they aim to solve with a tool to know what to look for. Vendors sometimes force companies to use the tool that they offer rather than trying to fit it to the use case that the company has, according to HCL’s Worcel. With increased complexity and increasing attack surfaces for applications, it’s easy to get mixed up in a tool sprawl, which is why another major trend in the security field is tool consolidation to “solve as many problems as possible with as few tools as possible,” Checkmarx’s Haynes said. Teams are looking for consolidated tooling that they can fit to their particular use case and can access continued on page 31 >

How leading vendors help organizations secure their applications

Robert Haynes, open source and SCA evangelist at Checkmarx

As the Application Security Testing (AST) pioneer and leader, Checkmarx has been relentless in our mission to continuously innovate, leading the industry with solutions that measurably improve security for software-driven organizations that develop their own applications. The Checkmarx suite of AST solutions fits perfectly into modern development environments. Our solutions enable integrated and automated security testing at all stages of the SDLC, while empowering our customers to accelerate development, delivery, and deployment timelines for more secure, mission-critical applications.

Checkmarx delivers the industry’s most comprehensive static and interactive application security testing, software composition, and infrastructure as code analysis solutions, along with a groundbreaking developer AppSec awareness and training platform. Together, they help organizations reduce and remediate risk from software vulnerabilities. Organizations that adopt Checkmarx solutions, deployed on-premises or in hybrid and full cloud implementations, empower their developers and security teams to improve software security easily, and at scale.

Checkmarx offers a list of services that let you shift critical aspects of your software security program to our experts, allowing you to effectively scale your team and achieve your risk management goals faster and more efficiently. Checkmarx Managed Services include:

• Private Hosting: Supporting cloud-based software security initiatives in secure, compliant, private cloud environments.

• AppSec Accelerator: Combining our leading AST solutions with services from dedicated Checkmarx security experts to offload and enhance your software security programs.

Checkmarx Professional Services are focused on addressing your critical secure software development needs with enterprise-class deployment and onboarding. After 15 years of innovation and growth, Checkmarx is trusted by more than 40 of the Fortune 100 companies and half of the Fortune 50. Recommendations from industry analyst firms, customer validations, testimonials, and widespread recognition are key indicators that you are making the right choice with Checkmarx.

Eitan Worcel, Head of Product, AppScan at HCL Software

HCL AppScan delivers fast, accurate, agile application security testing tools to ensure your business and your customers are not vulnerable to attacks. With its breadth of scanning capabilities, HCL AppScan can offer the right scanning technology for the DevOps use case with a simple to use experience. It empowers developers to focus on the fix, reducing overall remediation time with self-correlating findings, targeted guidance, and developer assisted services. This enables organizations to manage large scale security programs with the right level of control, visibility, and performance to provide improved governance.

HCL AppScan is committed to helping companies improve their application security posture and is doing so through several commercial and community edition offerings. HCL AppScan on Cloud includes SAST, DAST, IAST, and SCA for web, mobile, and open-source software to detect pervasive security vulnerabilities and facilitate remediation. HCL AppScan Standard offers dynamic application security testing to effectively identify, understand, and remediate web application vulnerabilities. HCL AppScan Enterprise provides large-scale, multi-user, multi-app dynamic application security to identify, understand, and remediate vulnerabilities and achieve regulatory compliance. HCL AppScan Source is a static application security testing solution that helps identify vulnerabilities early in the development lifecycle, understand their origin and potential impact, and remediate the problem. HCL AppScan CodeSweep, available as a free community edition, enables developers to check their code for vulnerabilities directly in their Visual Studio Code IDE or GitHub, empowering them to shift security left and address issues earlier. z



A guide to application security tools

FEATURED PROVIDERS

• Checkmarx: Checkmarx is the global leader in providing software security solutions that unify with modern application development initiatives like DevOps to reduce and remediate risk from software vulnerabilities. Checkmarx delivers the industry’s most comprehensive suite of Application Security Testing solutions and is trusted by more than 40 of the Fortune 100 companies and half of the Fortune 50. Checkmarx solutions are used by over 1400 customers worldwide in 70+ countries to measurably improve applications security programs.

• Digital.ai: Digital.ai Essential App Protection is a low code, easy-to-use solution that provides a first line of defense against application layer attacks. It prevents apps from running in unsafe environments while providing timely intelligence into how, when, and where apps are being attacked. Essential App Protection is the latest addition to Digital.ai’s comprehensive application and data protection portfolio which prevents reverse engineering, code tampering, IP theft, data exfiltration, malware, and more in today’s ever-changing threat landscape.

• HCL AppScan: HCL AppScan delivers a best-in-class application security testing platform to ensure your business, and your customers, are less vulnerable to attacks. Part of HCL Software, the AppScan platform helps organizations adopt powerful DevSecOps to pinpoint and remediate application vulnerabilities in every phase of the development lifecycle. Application security testing with HCL AppScan shifts security left to ensure compliance with regulations and catch issues when the cost to address them is low.

• Sonatype: Sonatype is the leader in developer-friendly, full-spectrum software supply chain management, providing organizations total control of their cloud-native development life cycles, including third-party open-source code, first-party source code, Infrastructure as Code, and containerized code. The company’s Nexus Lifecycle and Platform automatically enforce open-source governance and control risk across every phase of the SDLC. Fueled by Nexus Intelligence, which includes in-depth security, license, and quality information on millions of open-source components across dozens of ecosystems, the platform precisely identifies open-source risk and provides expert remediation guidance, empowering developers to innovate faster.

• Aqua Security enables enterprises to secure their container and cloud-native applications from development to production, accelerating application deployment and bridging the gap between DevOps and IT security. The Aqua Container Security Platform protects applications running on-premises or in the cloud, across a broad range of platform technologies, orchestrators and cloud providers. Aqua secures the entire software development life cycle, including image scanning for known vulnerabilities during the build process, image assurance to enforce policies for production code as it is deployed, and run-time controls for visibility into application activity, allowing organizations to mitigate threats and block attacks in real-time.

• Bugcrowd reduces risk with coverage powered by its crowdsourced cybersecurity platform. Crowdsourced security supports today’s key attack surfaces, on all key platforms, as well as “the unknown.” As organizations move to cloud architectures and applications, the biggest concerns are web application front ends and APIs, which may be deployed on IoT devices, mobile apps, or on-prem/cloud. All of these can be evaluated for risk by crowdsourced security. Furthermore, a public crowd program can uncover risks in areas unknown to the security organization, such as shadow IT applications or exposed perimeter interfaces.

• Contrast Security achieves comprehensive security observability across the entire software life cycle that enables users to remediate critical vulnerabilities and protect against real threats faster and easier. Contrast OSS allows organizations to establish a comprehensive view of all open-source components and their risks and Contrast Assess uses instrumentation to embed security directly into the development pipeline. It automatically identifies and diagnoses software vulnerabilities in applications and application programming interfaces (APIs).

• FOSSA enables users to get an accurate view of their open-source dependencies with Deep Discovery. It adds deep license scanning, dependency analysis, and intelligent compliance into a user’s real-time development workflow. FOSSA natively supports complicated workflows including multiple branches, tags and release channels. This allows users to compare releases, see what changed and integrate with code review to preview patches before they bring in issues.

• Palo Alto Networks prevents attacks with its intelligent network security suite featuring an ML-powered next-generation firewall. Its Cortex DR solution is a detection and response platform that runs on fully integrated endpoint, network, and cloud data. Users can manage alerts, standardize processes and automate actions of over 300 third-party products with Cortex.

• Parasoft offers static analysis, dynamic analysis, unit testing, and code coverage for software testing of embedded systems to ensure they are safe, secure, and reliable. Parasoft solutions are built to automate functional safety compliance and keep up with the ever-changing coding standards — so users can rest assured that their application remains compliant at all times.

• Signal Sciences, acquired by Fastly, is a hybrid and multi-cloud platform that provides next-gen WAF, API Security, RASP, Advanced Rate Limiting, Bot Protection, and DDoS protection purpose-built to eliminate the challenges of legacy WAF. The company’s unified web application and API protection platform provides comprehensive web attack detection and real-time visibility across any environment.



• Snyk’s Open Source Security management automatically finds, prioritizes and fixes vulnerabilities in users’ open-source dependencies throughout the development process. Snyk’s dependency path analysis allows you to understand the dependency path through which transitive vulnerabilities were introduced. Snyk also offers an Infrastructure as Code solution that helps developers find and fix security issues in Terraform and Kubernetes code.

• Splunk predicts and prevents problems with one unified monitoring experience. Its Data-to-Everything Platform unlocks data across all operations and the business and offers AI-driven insights so that IT teams can see the technical details and impact on the business when issues occur. It also provides security professionals with comprehensive capabilities that accelerate threat detection and investigation. The platform offers full-stack, real-time cloud monitoring, complete trace data analysis and alerts, and a mobile-first automated incident response.

• Synopsys helps development teams build secure, high-quality software, minimizing risks while maximizing speed and productivity. Synopsys, a recognized leader in application security, provides static analysis, software composition analysis, and dynamic analysis solutions that enable teams to quickly find and fix vulnerabilities and defects in proprietary code, open-source components, and application behavior. With a combination of industry-leading tools, services, and expertise, only Synopsys helps organizations optimize security and quality in DevSecOps and throughout the software development life cycle.

• Veracode offers a holistic, scalable way to manage security risk across your entire application portfolio. It provides visibility into application status across all testing types, including SAST, DAST, SCA, and manual penetration testing, in one centralized view. Its solution provides instant security feedback in the IDE, fix-first recommendations alongside findings, automated fix advice, and code reviews with secure coding experts. Veracode’s program managers also advise teams on flaw types prevalent in particular development teams, suggesting targeted training courses to further reduce new flaws.

• WhiteHat Security’s Application Security Platform is a cloud service that allows organizations to bridge the gap between security and development to deliver secure applications at the speed of business. Its software security solutions work across departments to provide fast turnaround times for Agile environments, near-zero false positives and precise remediation plans while reducing wasted time verifying vulnerabilities, threats and costs for faster deployment.

• WhiteSource enables users to secure and manage open-source components in their apps and containers with support for over 200 languages and frameworks, automated remediation with policies and fixed pull requests, and advanced license compliance policies and reporting. WhiteSource automatically generates detailed reports using the most up-to-date data, so the information remains as accurate as possible. With automated reports, users can have the freshest data on hand, saving time and energy, and become truly agile. z


< continued from page 28

through a unified platform. The consolidation trend continues with the expansion of interactive application security testing (IAST) tools, which help get rid of redundancies and the flood of alerts that static or dynamic testing tools are guilty of.

“When I’m using static analysis, for example, we find X amount of issues, and then when I add dynamic, I will add another Y amount of issues. And now I have X plus Y issues where I couldn’t even handle half of X. What we are doing now is called auto-correlation, whereby the fact that you are adding interactive application security testing, we are able to consolidate issues that were found in different technologies,” HCL’s Worcel said. “This reduces the amount of work that the developer needs to do, reduces the amount of work that has issues that they need to triage and to fix because we can merge them.”

Another major trend in the security tooling space is the expansion of software composition analysis (SCA) tooling, which automates the visibility into open-source software for the purpose of risk management, security and license compliance. While using open-source code within the organization can speed up a lot of processes within an organization, it could also introduce severe security risks.

“A vulnerability that you have in a third-party component is probably the worst vulnerability that you may have. It’s usually reported with a guidebook for the hacker on what to do in order to hack it. At the same time, there’s a problem with the tooling, because it will report that you have a vulnerable component, but that doesn’t necessarily mean that you are vulnerable to it,” Worcel said. “Developers are not happy with a tool that tells them, ‘Hey, you need to replace those 20 components.’”

The SCA tooling can report on whether compromised sections of code can be exploited when they’re put into the application. It can also then coordinate with static application security testing (SAST) or IAST to help security teams and developers get visibility into the data flow at their organizations. z
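The auto-correlation Worcel describes, as an added example rather than HCL AppScan’s or any vendor’s code: constructed SAST, DAST and IAST findings for a hypothetical web app are merged by using each IAST finding, which carries both a code location and an HTTP location, as the bridge between a SAST and a DAST finding. The file names, URLs, parameter names and CWE assignments are assumptions made for the example.

```python
"""Auto-correlating SAST, DAST and IAST findings (constructed example).

SAST reports a file and line, DAST reports a URL and parameter, and an IAST
agent that watched a request reach the sink reports both, which is what lets
one SAST and one DAST finding be proven to be the same weakness.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    tool: str                   # "sast", "dast" or "iast"
    cwe: str                    # weakness class, e.g. "CWE-89"
    file: Optional[str] = None  # code location (SAST and IAST)
    line: Optional[int] = None
    url: Optional[str] = None   # HTTP location (DAST and IAST)
    param: Optional[str] = None


@dataclass
class Issue:
    cwe: str
    file: Optional[str]
    line: Optional[int]
    url: Optional[str]
    param: Optional[str]
    sources: List[str] = field(default_factory=list)


def _code_key(f: Finding) -> Tuple:
    return (f.cwe, f.file, f.line)


def _http_key(f: Finding) -> Tuple:
    return (f.cwe, f.url, f.param)


def correlate(findings: List[Finding]) -> List[Issue]:
    """Merge findings that describe the same weakness.

    Each IAST finding seeds one Issue, indexed by both its code key and its
    HTTP key; SAST findings fold in on the code key, DAST findings on the HTTP
    key. A SAST and a DAST finding are never merged with each other directly:
    without the IAST observation nothing proves they are the same weakness.
    """
    issues: List[Issue] = []
    by_code: Dict[Tuple, Issue] = {}
    by_http: Dict[Tuple, Issue] = {}

    for f in findings:
        if f.tool == "iast":
            issue = Issue(f.cwe, f.file, f.line, f.url, f.param, ["iast"])
            issues.append(issue)
            by_code[_code_key(f)] = issue
            by_http[_http_key(f)] = issue

    for f in findings:
        if f.tool == "sast":
            issue = by_code.get(_code_key(f))
        elif f.tool == "dast":
            issue = by_http.get(_http_key(f))
        else:
            continue  # IAST findings were seeded above
        if issue is None:
            # No IAST bridge: keep it as its own issue, with whatever
            # location the reporting tool could supply.
            issue = Issue(f.cwe, f.file, f.line, f.url, f.param, [])
            issues.append(issue)
        issue.sources.append(f.tool)
    return issues


# Constructed findings for a hypothetical web app; the file names, URLs and
# parameter names are made up for the example.
SAMPLE: List[Finding] = [
    Finding("sast", "CWE-89", file="login.py", line=42),
    Finding("sast", "CWE-79", file="profile.py", line=88),
    Finding("sast", "CWE-798", file="config.py", line=7),   # only SAST sees this
    Finding("dast", "CWE-89", url="/login", param="username"),
    Finding("dast", "CWE-79", url="/profile", param="bio"),
    Finding("dast", "CWE-79", url="/search", param="q"),     # only DAST sees this
    Finding("iast", "CWE-89", file="login.py", line=42, url="/login", param="username"),
    Finding("iast", "CWE-79", file="profile.py", line=88, url="/profile", param="bio"),
]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Raw finding count versus the issue count left after correlation."""
    issues = correlate(findings)
    return {
        "raw": len(findings),
        "correlated": len(issues),
        "confirmed_by_all_three": sum(1 for i in issues if len(i.sources) == 3),
    }


if __name__ == "__main__":
    for issue in correlate(SAMPLE):
        print(issue.cwe, issue.file, issue.line, issue.url, issue.param,
              "<-", "+".join(issue.sources))
    print(summarize(SAMPLE))  # {'raw': 8, 'correlated': 4, 'confirmed_by_all_three': 2}
```

The two findings confirmed by all three tools are the ones worth a developer’s first attention; the SAST-only and DAST-only findings survive as separate issues because nothing links them.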

31


Full Page Ads_SDT048.qxp_Layout 1 5/22/21 9:19 AM Page 32

Because software supply chain security should feel like a no-brainer.

Continuously monitor open source risk at every stage of the development life cycle within the pipeline and development tools you’re already using.

Lifecycle is made for developers. You make hundreds of decisions every day to harden your supply chain. You expect interruptions. They’re part of your work. The problem is when they get in the way of your work. We tell you what you need to know to build safely and efficiently — and we tell you when you need to know it. Then we quietly continue our work, and allow you to do the same.

With Nexus Lifecycle, devs can: Control open source risk without switching tools. Inform your decisions with the best intelligence database out there. Get instant feedback in Source Code Management. Automatically generate a Software Bill of Materials. Enforce open source policies without sacrificing speed.

See for yourself: www.sonatype.com/SDTimes



www.sdtimes.com

June 2021

SD Times

INDUSTRY SPOTLIGHT

Protect your users and your business with a software bill of materials

Content provided by SD Times and Sonatype

Too many companies are missing a key software component in their businesses: their software bill of materials (SBOM). An SBOM is a list of all the components that make up a piece of software. According to Brian Fox, chief technology officer at Sonatype, while some may think it is a trivial requirement, an SBOM provides transparency not only to your end users, but to your business.

Any good software security program will tell you that you have to understand all the components in your system and the risks associated with those components. When a majority of the software assembled today is made up of open-source software or third-party code, an SBOM is the only way to provide full visibility into what is inside.

“Security is a knowledge warfare game more than anything, so we need to make it easier for people to understand what’s inside the software that they’re deploying on their networks, in their car, in their hearts, in their insulin pumps,” said Fox. “These things are not so readily observable so requiring an SBOM is a step towards providing that transparency.”

Unfortunately, fewer than 50% of companies actually produce an SBOM, but it is something that they will soon no longer be able to ignore. U.S. President Biden recently signed a cybersecurity executive order that requires any business that produces or sells software to the federal government to provide an SBOM along with the application. “Understanding the supply chain of software, obtaining an SBOM, and using it to analyze known vulnerabilities are crucial in managing risk,” the order states.

Fox hopes that the executive order will be a step toward conveying the importance of the SBOM to the broader software community. The order follows the software supply chain attacks on SolarWinds and Codecov, which reached a number of federal agencies and businesses, and the ransomware attack on Colonial Pipeline. “The attacks we are seeing in the software supply chain are attacking developers and development infrastructure. So many application security programs are focused on defending against shipping stuff to their end users that might cause data leakage and cause customers to be hacked, but as we have seen with SolarWinds, the developers are the target,” said Fox.

How to successfully produce a software bill of materials

The traditional approach to application security is to scan an application before it ships or goes into production, but that is an old-school mentality that produces a bill of vulnerabilities, not a bill of materials. “You are going to miss stuff if you can’t precisely detect what you are looking for,” said Fox.

He explained that the key to successfully producing an SBOM is automation. If you are doing it manually, you are doing it wrong: so many components go into software that it is almost impossible to find them all by hand, let alone keep the list current. “When all these things are changing weekly, monthly, by the time you are done, you have to start all over. It’s just not possible to do it by hand,” Fox added.

The tools you incorporate to automatically produce a software bill of materials have to be precise and have to analyze existing applications. If you are using open-source software like Apache Struts that has a number of subcomponents and you are only using a few of them, your tool needs to know exactly which components are present; otherwise it will report false positives for components that are not in your system. “At Sonatype, we try to go to the next level and understand where does the vulnerability actually lie in the code, and then understand which of the individual subcomponents it is in and whether or not you have a potential vulnerability,” said Fox. “We’ve created a dataset that is precise enough to be actionable and automated to make that connection.”

The company also recently announced support for the CycloneDX Software Bill of Materials Standard, which was developed with a number of stakeholders, including Sonatype, to provide a practical standard that can facilitate interoperability between systems.

Fox hopes companies will take the executive order seriously and not just try to check the box and put it on their website. “If a vendor gives you a bill of materials, you have to trust it because you can’t verify that it is accurate. I fear a lot of companies will move towards just putting it together so it’s good enough,” he said. However, he does note that the executive order is a great start for raising awareness of SBOMs and helping people understand them. “These types of things can finally move the needle for the industry even if they didn’t really want to,” he said.
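The SCA point made in the earlier tooling article (report whether the vulnerable part of a component is actually reached, not just that the component is present) and Fox’s point about subcomponent precision, worked through as one added example that is not Sonatype’s code or dataset: parse a pinned lock file into a minimal CycloneDX-shaped SBOM, match it against a vulnerability feed on version ranges, then check whether the affected module is referenced by the application at all. The lock file, the feed entries (the EXAMPLE-000x identifiers are placeholders, not real advisories), the affected-module paths and the application source are all constructed inputs.

```python
"""SBOM generation, vulnerability matching and a subcomponent reachability
check, as a single pipeline.

All inputs are constructed for this example: the lock file, the feed
entries (EXAMPLE-000x are placeholder identifiers, not real advisories),
the affected-module paths and the application source.
"""
import json
import re

# Constructed lock file: pinned, exact versions as a resolver would emit.
LOCK_FILE = """\
requests==2.25.1
urllib3==1.26.4
pyyaml==5.3.1
jinja2==2.11.3
"""

# Constructed vulnerability feed. 'affected_module' records where inside the
# package the flaw lives; that is the precision the article is asking for.
VULN_FEED = [
    {"id": "EXAMPLE-0001", "package": "pyyaml", "introduced": "0", "fixed": "5.4",
     "affected_module": "yaml.full_load"},
    {"id": "EXAMPLE-0002", "package": "urllib3", "introduced": "1.26.0", "fixed": "1.26.5",
     "affected_module": "urllib3.contrib.pyopenssl"},
    {"id": "EXAMPLE-0003", "package": "jinja2", "introduced": "0", "fixed": "2.11.3",
     "affected_module": "jinja2.Environment"},
]

# Constructed application source: what the application itself calls.
APP_SOURCE = """\
import requests
import yaml

def load(cfg_text):
    return yaml.full_load(cfg_text)
"""


def version_tuple(v):
    """'1.26.4' -> (1, 26, 4); enough for the pinned versions used here."""
    return tuple(int(p) for p in v.split("."))


def parse_lock(text):
    comps = []
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z0-9_.-]+)==([0-9.]+)$", line.strip())
        if m:
            comps.append({"name": m.group(1).lower(), "version": m.group(2)})
    return comps


def build_sbom(components):
    """Minimal CycloneDX 1.4-shaped JSON document with one purl per component."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "components": [
            {"type": "library", "name": c["name"], "version": c["version"],
             "purl": f"pkg:pypi/{c['name']}@{c['version']}"}
            for c in components
        ],
    }


def match_vulns(sbom, feed):
    """(component, vuln) pairs where introduced <= version < fixed."""
    hits = []
    for c in sbom["components"]:
        v = version_tuple(c["version"])
        for vuln in feed:
            if (vuln["package"] == c["name"]
                    and version_tuple(vuln["introduced"]) <= v < version_tuple(vuln["fixed"])):
                hits.append((c, vuln))
    return hits


def is_reachable(affected_module, source):
    """Cheap precision step: the affected module's top-level package is
    imported by the application AND the affected attribute is referenced.
    A real tool walks the call graph; this already removes most of the
    'replace these 20 components' noise."""
    top = affected_module.split(".")[0]
    imported = re.search(rf"^\s*(import|from)\s+{re.escape(top)}\b", source, re.M)
    return bool(imported) and affected_module in source


def triage(lock_text, feed, source):
    """Return the SBOM plus one triage record per matched vulnerability."""
    sbom = build_sbom(parse_lock(lock_text))
    records = [
        {"id": vuln["id"], "purl": c["purl"],
         "reachable": is_reachable(vuln["affected_module"], source)}
        for c, vuln in match_vulns(sbom, feed)
    ]
    return sbom, records


if __name__ == "__main__":
    bom, findings = triage(LOCK_FILE, VULN_FEED, APP_SOURCE)
    print(json.dumps(bom, indent=2))
    for r in findings:
        print(f"{r['id']} in {r['purl']}: {'reachable' if r['reachable'] else 'not reachable'}")
```

The jinja2 entry shows the fixed-version boundary: 2.11.3 is the fix itself, so it is not reported. The urllib3 hit is reported but marked not reachable, which is where the caveat lives: the heuristic only inspects the application’s own imports, so a vulnerable module reached transitively (here, through requests) would be missed, and that gap is exactly what a call-graph-based tool exists to close.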




INDUSTRY SPOTLIGHT

Guard your mobile endpoint and your end users

Content provided by SD Times and Digital.ai

Application security initiatives and programs are getting good at getting down to where an organization’s data lives and protecting it against threats, but that is only one piece of the security puzzle. With limited amounts of time, resources and people available to tackle security, organizations have had to prioritize what gets protected.

“For instance, an organization may develop 100 different applications. Since it is not always cost effective or time efficient to come up with a customized security plan for each application, only the applications considered critical receive top priority, maybe five or six of them, and the remaining 95 or so are deprioritized in terms of security,” according to Chad McDonald, chief information officer and chief information security officer at Digital.ai, a software solutions provider. “That doesn’t mean those 95 applications don’t require protection, it just means that the risk is somewhat lower,” he noted.

McDonald explained that this lack of resources and forced prioritization results in poor endpoint security. Endpoint security becomes an even bigger concern with mobile devices, as these devices are often connected to highly sensitive data including banking information, credit cards, and in some cases even medical records and equipment. According to a recent report, a majority of all financial applications are vulnerable to basic reverse engineering attacks because they lack simple binary protections, such as checks that validate whether or not the application is running in a safe environment.

“There is a whole host of information that now lives on your mobile device or is accessed via your mobile device via an application,” said McDonald. “We haven’t really yet seen security controls get pushed down broadly to that point.”

It’s difficult to tackle mobile endpoint security when there are a number of different programming languages being used to make up an application, and operating systems are constantly evolving and being refactored, making things more complicated and taking a toll on application security. But mobile endpoint security is not something that can really be ignored or only applied to the more business critical applications. McDonald explained that even those “lesser important applications” can still touch other parts of the organization and do significant damage.

“The bad guys only have to be right once. They only have to get into one app,” he said. “You very rarely see an attacker come in directly through the system they’re trying to attack. More often, they attack a system that is vulnerable, gain some level of control inside the perimeter, and then pivot to something more critical.”

In a mobile app, that would translate to a hacker exploiting one of those lesser critical applications, looking for ways to jump into a more relevant system or elevating privileges from a user to an administrator, and interrupting operations or shutting down the server.

What developers can do

Developers really need a way to expand their security abilities across their entire portfolio and bake telemetry into their applications. According to McDonald, while there has been a lot of attention on application performance monitoring lately, a majority of those efforts are aimed at driving marketing data and looking at what section of the application the user spends the most time in or which is performing the best, and how long it takes for the application to load. Developers really need security-specific telemetry data, such as how an application is being attacked and what section of the code is at risk, with the ability to feed that information back to the organization so it can make informed decisions about locking accounts or updating code.

“My recommendation to developers is to really shine the flashlight in the dark corners of the application,” said McDonald. “Understand how your applications are actually being used from a security perspective in addition to that performance and marketing data.”

It also helps to educate the users about application security. Most users don’t really think about or understand the different layers of application security.

“There is an assumption that Apple or your Android handheld device, or Google in the case of Android, has your back and is providing all the necessary security controls that you may need for protection of the application,” said McDonald.

Just because an application is in the App Store, Google Play Store or available for download from a website doesn’t mean that it is safe or secure. Users should make sure their application is valid and certified because there could be copies of those applications out there in the wild with nefarious functionality baked in. Additionally, some users tend to jailbreak or root their mobile device to download a game or gain access to other content, but that bypasses all the built-in security controls and opens a huge gap in the security perimeter of the mobile device.

“If you are not careful about what you’re putting on your phone, essentially you’re opening the floodgates for the bad guys to do whatever they choose,” said McDonald.

The Digital.ai Essential App Protection

Digital.ai is focused on integrating security into the software development pipeline so organizations don’t have to pick and choose the applications that are more critical to protect. In addition to its Premium App Protection solution, the company recently introduced Digital.ai Essential App Protection, which provides a first line of defense against application layer attacks. Digital.ai Essential App Protection protects applications from unsafe environments and provides actionable insight into how, when and where applications are vulnerable.

“What you end up with is security essentially baked into the normal software development process. This approach doesn’t introduce undue drag on development teams or security teams as they build software and roll it out,” said McDonald. “You have the ability to understand different applications being attacked, where that attack is coming from and what sections potentially of the application are being attacked. What that allows you to do is constantly evolve or listen to what the threat or the bad guys are doing, and evolve your security controls to meet that ever-changing concern.”

Digital.ai Essential App Protection provides persistent monitoring of an organization’s attack surface so it can understand what attacks look like, and strengthen or change controls to continually defend against hackers. This targeted approach enables developers to focus their efforts on where the attacks are happening instead of taking the traditional shotgun approach.

“What is impossible today from a security perspective is quite likely possible tomorrow with advances in technologies and new and innovative ways that the bad guys are learning to grow their attacks and become more sophisticated as they attack or leverage new tools,” said McDonald.

Key features of the Essential App Protection solution include:
• Actionable threat insights on compromised devices and applications with follow-on response and protection updates
• Runtime self-protection to detect and prevent app instances from running in unsafe environments
• Class encryption so it is more difficult for attackers to review and analyze decompiled app code, gain access to information and exploit vulnerabilities
• Integration into CI/CD pipelines
• Visibility into how an application is being attacked
• Low-code capabilities so users don’t have to configure or modify source code
• Compatibility with iOS and Android applications

“With app security expertise in short supply, organizations are often limited to protecting only their most critical apps. Not anymore. With Digital.ai Essential App Protection and Digital.ai Premium App Protection, organizations have the solutions they need to embed security right into their DevOps pipeline and protect all their apps, regardless of the organizations’ level of security expertise,” said Aviad Arviv, general manager of security at Digital.ai. “Digital.ai App Protection provides organizations peace of mind that they are protecting their IP and their customers.”

Learn more at digital.ai/essential-appprotection.



Guest View BY CHARLES SWORD

The time has come for RPA standards

Charles Sword is the chief revenue officer at Blueprint Software Systems.

The robotic process automation (RPA) market is white hot. Driven in part by the global pandemic, which pressured companies to digitally transform the way they work and do business, RPA has rapidly become the fastest growing enterprise technology for industrial and manufacturing operations. Projected RPA sales for 2021 are on track to exceed 2020’s $1.5 billion sales by nearly 20 percent. There’s a lot of money being thrown at RPA investment, too.

Yet, despite all of this momentum behind RPA, one of the greatest challenges across the segment as a whole is the lack of industry standards for the way process automations are specified. Consequently, as many as 40 percent of all automation initiatives fail to realize positive returns on investment, such as lower costs, increased productivity, or better customer experiences. And only a small percentage of organizations have actually been able to successfully scale their digital workforce.

Perhaps what’s most frustrating about these lackluster results is that they are often the by-product of easily avoidable errors. We can right the ship fairly easily, however, by establishing a core structure for automation: a set of design standards that would not only help prevent errors, but also keep RPA on its skyrocketing trajectory.

Consider for a moment what having a set of standards accomplished for the portable document format (PDF). When Adobe released the PDF as an open standard a few years back, the ability to save a PDF from any word processor and open it in another tool freed up cooperation and portability that did not exist previously. These standards, in effect, advanced the paperless office and fueled digital transformations everywhere. Automation doesn’t have to be different. However, if RPA vendors, influencers and others like us continue to operate without a set of design standards, we will continue to experience the following problems.


Vendor lock-in

Today, all the leading RPA vendors have their own way of describing process automations, making it extremely difficult for a company to change RPA vendors without starting a new RPA build from scratch. This scenario is exacerbated further when a company uses an automation vendor that goes out of business or discontinues its product. A company in this position can only rebuild its entire RPA system with no support from the original vendor and, what’s worse, has no way for its bots to operate on another platform. A total loss.

Automation bottlenecks

It’s no secret that RPA deployments often battle automation pipeline bottlenecks. The reasons can be attributed to soft governance, no thought given to identifying and prioritizing automation candidates, or simply the taxing nature of RPA maintenance and support. As much as these factors contribute to the problem, the real culprit is a lack of compatibility and platform interoperability.

Fast, not so fast

As previously noted, the RPA market is growing at a tremendous rate despite known drawbacks. But frustration with the difficulty of scaling and delivering on RPA returns has many companies and industries shying away from further investment in the technology. That, combined with the problems created by having no RPA design standards, will eventually throttle down market growth. Likewise, improvements to RPA technology will advance at a snail’s pace without the type of collaboration afforded by industry standards.

At the very least, a common way to specify process automations would map the shared elements of a process definition into a format that all RPA tools can understand. By doing this, digital workforces could more easily migrate from one platform to another; drastic improvements could be made to productivity and RPA candidate identification; and RPA market spend and growth would accelerate in response to better RPA ROI.

We’ve only begun to scratch the surface of what automation can be, and most organizations we speak to are in the early days of their RPA journey and working with relatively crude technology. What RPA will be able to do over the next few years will be transformative. Having a well-defined set of RPA design standards would help us realize this sooner rather than later.




Industry Watch BY DAVID RUBINSTEIN

Security first and foremost

The SolarWinds and Colonial Pipeline hacks have brought security to the fore of software development. Once again. And again, our “thoughts and prayers” go out to the customers of those companies, and the companies themselves, harmed by the attacks.

I say this because, not unlike the mass shootings that plague America — and please, do not mistake this metaphor as conflation of killings and software breaches — we seem unable to get a handle on either. In both cases, I place the blame at the feet of the industries. Clearly, the gun industry has a vested interest in the proliferation of weapons, despite the human cost. In software, our industry has an interest in giving people the tools they need to move more quickly, pounding the business users of their platforms and tools with messaging that if they don’t deliver software more quickly, fickle humans will simply leave the store they love for another whose website responds a couple of seconds more quickly, or who can deliver a package to your doorstep a few hours sooner.

Some might call this heretical, or biting the hand that feeds us. That is not what this is meant to be. I am awed by the changes I’ve seen covering this industry for more than 20 years. Back then, who could have even envisioned the cloud, Kubernetes, edge computing or Infrastructure as Code? Yet for all the advantages the cloud provides, we never saw the kinds of damaging hacks and data losses we’re seeing today when applications were run in on-premises data centers, behind firewalls and with code that didn’t rely on calls to so many outside services, so the attack vectors were minimal. Ransomware? Millions of social security numbers and credit card numbers stolen? Unacceptable, and almost completely preventable, if our industry took security as seriously as it does speed to market.

There’s a reason cross-site scripting and SQL injection remained on the OWASP Top 10 list of application vulnerabilities for over a decade — organizations see security as a necessary evil, not as their first priority. Security — like overall software testing — slows delivery. Meanwhile, the “bad actors” on the other side have made breaking into applications and systems their top priority — it is, in fact, their reason for being. In the Colonial Pipeline hack, they had 4.4 million good reasons to hold the energy pipeline hostage.

What we need to do to curb this damage requires a reset of priorities. Security must be the key consideration for all software releases. Not something to merely be “shifted left,” adding to the list of things developers have foisted upon them, without the necessary knowledge and training to do it effectively. We’ve put the speed cart before the security horse, and it’s costing society in a big way.

I cannot argue against many of the benefits of speed and agility to organizations. Being able to deliver new features quickly based on customer requests and user data is important for any business. But when quality suffers through insufficient testing, and when security suffers due to a lack of diligence, that more than offsets the gains that speed offers. The Colonial Pipeline attack alone has caused large portions of the Eastern Seaboard to not have gasoline available, and where it can be bought, the price has gone up by nearly a dollar a gallon in some places.

Some have again called on the government to take the lead on cybersecurity for our vital infrastructure. This column once voiced support for that idea, when data leaks and identity theft first began to occur. Yet, federal efforts to control gun violence — or even to prevent foreign governments from interfering in our elections — show they will not be able to handle this crisis either.

No, it is up to our industry to change the notion that security is some necessary evil to which lip service is paid so the speed of innovation isn’t impeded. Perhaps it’s because software breaches usually only result in monetary losses, and — unlike the gun industry — not human lives. Perhaps, like the culture changes required to implement many of the new processes created for software development, efforts on security require even more time and concerted effort to achieve.

Yet, I remain optimistic that security initiatives being put in place today can result in slowing the invasion of our systems and stanching the bleeding of data. It will take a renewed commitment to make security the highest priority in software delivery.

David Rubinstein is editor-in-chief of SD Times.





presents

Move Fast & DON’T Break Things: Modernize Your SDLC without Compromising Customer Trust EXCLUSIVE TECH TALK

June 16, 2021 at 1:00 pm ET | 10:00 am PT Companies around the world and across a myriad of industries are feeling the pressures of evolving from legacy, on-prem infrastructure to hybrid and cloud-native architectures.

Meanwhile, both B2B and B2C buyers today demand faster delivery—whether of business or consumer-facing services. And with COVID-19 forcing a global shift to remote work, enterprises now have to govern and foster efficient collaboration across distributed teams while delivering reliably and securely.

Join Edith Harbaugh, CEO of LaunchDarkly; Joe Duffy, CEO of Pulumi; and DROdio, CEO of Armory, for a roundtable discussion of how forward-thinking companies are grappling with the challenge of deploying faster, more reliably, and at greater scale.

Sign up for this Tech Talk today!

Register Now

https://asset.d2emerge.com/armory-move-fast-dont-break-thingsmodernize-your-sdlc-without-compromising-customer-trust

