SD Times July 2021


JULY 2021 • VOL. 2, ISSUE 49 • $9.95 • www.sdtimes.com


www.sdtimes.com

EDITORIAL
EDITOR-IN-CHIEF: David Rubinstein, drubinstein@d2emerge.com
NEWS EDITORS: Christina Cardoza, ccardoza@d2emerge.com; Jenna Sargent, jsargent@d2emerge.com
MULTIMEDIA EDITOR: Jakub Lewkowicz, jlewkowicz@d2emerge.com
SOCIAL MEDIA AND ONLINE EDITOR: Katie Dee, kdee@d2emerge.com
ART DIRECTOR: Mara Leonardi, mleonardi@d2emerge.com
CONTRIBUTING WRITERS: Jacqueline Emigh, Lisa Morgan, Jeffrey Schwartz, George Tillmann
CONTRIBUTING ANALYSTS: Enderle Group, Gartner, IDC, Intellyx

CUSTOMER SERVICE
SUBSCRIPTIONS: subscriptions@d2emerge.com
ADVERTISING TRAFFIC: Mara Leonardi, mleonardi@d2emerge.com
LIST SERVICES: Jessica Carroll, jcarroll@d2emerge.com
REPRINTS: reprints@d2emerge.com
ACCOUNTING: accounting@d2emerge.com

ADVERTISING SALES
PUBLISHER: David Lyman, 978-465-2351, dlyman@d2emerge.com
SALES MANAGER: Jon Sawyer, 603-547-7695, jsawyer@d2emerge.com

D2 EMERGE LLC, www.d2emerge.com
PRESIDENT & CEO: David Lyman
CHIEF OPERATING OFFICER: David Rubinstein


Contents

VOLUME 2, ISSUE 49 • JULY 2021

FEATURES
Two sides of Testing
Software test automation for the survival of business
Software is designed for humans: it should be tested by humans
Microservices at scale: a complexity management issue
Are your metrics right for a remote workforce?

NEWS
News Watch
How Hackers Can Poison Your Code
AIOps a Key Link in BizOps Chain
Atlassian releases new cloud app development platform: Forge
Broadcom adds investment planning, Agile management to its ValueOps solution

BUYERS GUIDE
APM: Cutting through the noise

COLUMNS
GUEST VIEW by Paul Heller: The gap between ‘smart’ and ‘products’
ANALYST VIEW by Rob Enderle: Anticipating China, NVIDIA disruptions
INDUSTRY WATCH by David Rubinstein: Layered progressive delivery

Software Development Times (ISSN 1528-1965) is published 12 times per year by D2 Emerge LLC, 2 Roberts Lane, Newburyport, MA 01950. Periodicals postage paid at Plainview, NY, and additional offices. SD Times is a registered trademark of D2 Emerge LLC. All contents © 2021 D2 Emerge LLC. All rights reserved. The price of a one-year subscription is US$179 for subscribers in the U.S., $189 in Canada, $229 elsewhere. POSTMASTER: Send address changes to SD Times, 2 Roberts Lane, Newburyport, MA 01950. SD Times subscriber services may be reached at subscriptions@d2emerge.com.



NEWS WATCH

Prosus to acquire Stack Overflow for $1.8 billion

The technology investment company Prosus has announced its intent to acquire the online development community Stack Overflow for $1.8 billion. According to Stack Overflow, this acquisition will enable it to continue to operate as an independent company, but with the backing of a “global technology powerhouse.” According to Prosus, it decided to acquire the developer community because of its popularity within the developer and technologist community, as well as for the company’s knowledge management and collaboration solution Stack Overflow for Teams.

Android 12 adds privacy features in Beta 2

One new feature is the Privacy Dashboard, which provides users with more insight into what data apps access. It shows a timeline view of recent app accesses to microphone, camera, and location. Users will also be able to request information from an app on why it accessed certain data. Developers can provide this information through a new system intent: ACTION_VIEW_PERMISSION_USAGE_FOR_PERIOD. The Android development team is recommending developers utilize this intent and use the Data Auditing APIs to help track access in code and third-party libraries. Android 12 Beta 2 also adds indicators for when an app is using the microphone or camera. Users will be able to go to Quick Settings to learn which apps are accessing the microphone or camera and manage those permissions.

Tim Berners-Lee auctioning off original source code for the web as NFT

Tim Berners-Lee, the creator of the World Wide Web, has announced that he is auctioning off the original source code for the web as a non-fungible token (NFT), which is a unique digital asset that exists on blockchains. Sotheby’s will be running the auction from June 23 to June 30, with the initial bidding starting at $1,000. The proceeds from the NFT sale will go to initiatives supported by Berners-Lee and his wife, Lady Rosemary Leith Berners-Lee. The NFT will contain four elements: original time-stamped files that contain the source code, a visualization of 10,000 lines of code, a letter written by Berners-Lee, and a digital poster of the full code created by Berners-Lee.

Apple announces Xcode Cloud and AR updates

Xcode Cloud aims to simplify the developer workflow by integrating the cloud and developer tools together. When a developer commits a change to the code, Xcode Cloud will automatically build the app. Since the app is built in the cloud, the device is free for other tasks and other members of the team can see if a change introduces errors. Xcode Cloud runs automated tests in parallel, simulating how they would run on every Apple device and platform, and test results are displayed in Xcode. Once it passes all tests, it can be distributed to all testers on the team and even beta testers with TestFlight, according to Apple.

For augmented reality, the company also revealed a new advanced rendering API and the ability to create realistic 3D objects using Object Capture — a technology that leverages photogrammetry to turn 2D pictures into 3D content. Other advancements to AR included the launch of Live Text, which can automatically identify text in pictures so that users can save it as a note or use it in an online search. In addition, the company ramped up its machine learning capabilities to be able to identify text, locations and objects that are on a screen and then enable users to search for these elements through Spotlight.

Infragistics Ultimate 21.1 zeros in on collaboration

The latest version of the Infragistics Ultimate UI/UX toolkit is now available with new Indigo.Design, Angular, React, Web Components, Windows Forms and WPF features. Infragistics Ultimate 21.1 is built off of three key themes:

• Enabling hyper-productivity and better collaboration between app development and design through its design-to-code platform, Indigo.Design App Builder
• New innovations and experiences with Angular, React, Web Components, ASP.NET Core
• New enhancements in Windows Forms and WPF



Eclipse IDE Working Group Formed

The Eclipse Foundation has announced it launched a working group for Eclipse IDE. The Eclipse IDE Working Group will work to ensure the “continued evolution, adoption, and sustainability of the Eclipse IDE suite of products, related technologies, and ecosystem,” according to the Eclipse Foundation. The Eclipse IDE Working Group will offer governance, guidance, and funding for communities supporting Eclipse IDE products.

Next.js 11 brings faster starts, changes

Vercel, the company behind the React and JavaScript framework Next.js, announced the release of Next.js 11 at its Next.js Conf in June. New improvements include faster starts and changes, real-time feedback, and live collaboration. Vercel announced a preview of Next.js Live, which enables developers to develop in their web browsers. According to the company, this allows developers to collaborate and share with a URL, leading to faster feedback loops, less time spent waiting for builds, and real-time peer programming.

Next.js 11 also adds a new tool to help developers migrate from Create React App to Next.js. According to Vercel, there has been an increase in these migrations over the past six months. The new tool adds a ‘pages/’ directory, moves CSS imports to the right location, and enables a Create React App compatibility mode which ensures patterns work with Next.js.

Facebook makes PyTorch its default AI framework

PyTorch is an open-source machine learning framework that the company co-created with AI researchers in 2016. By making PyTorch the default framework for all of its AI and machine learning models, the company believes its research and engineering initiatives will become more effective, collaborative and efficient as well as help advance the libraries and learn from PyTorch developers.

Harness updates platform with Test Intelligence

Harness’s new test intelligence feature reduces test cycle time by up to 98% by using AI/ML workflows to prioritize and optimize test execution without compromising quality. The new capabilities shift failed tests earlier into the build cycle so that developers can quickly find out if a fix worked. The new feature flag capabilities enable developers to release new features without making them visible to users. It also makes it easier to try capabilities such as A/B testing or software functionality variations like one- or two-step checkout. Harness also integrated its acquisition of Lightwing technology into its Cloud Cost Management module to enable engineering teams to auto-stop and restart their non-production environments within seconds.

Google open sources FHE transpiler

Google has announced that it is open sourcing a transpiler for Fully Homomorphic Encryption (FHE). According to the company, FHE will allow developers to work on encrypted data without being able to access personally identifiable information. FHE allows encrypted data to be transported across the Internet to a server and get processed without being decrypted. The transpiler will allow developers to write code for basic computations, like string processing or math, and run it on the encrypted data. The transpiler transforms the code into code that can run on the data. According to Google, this tool will allow developers to create new applications that don’t need unencrypted data. They can also use it to train machine learning models on sensitive data. Google noted that this is just a first step and that there is still a long way to go before most computations are possible with FHE.

People on the move

• ConnectALL announced the appointment of Eric Robertson as its senior advisor to the office of COO and president. In this role Robertson will work closely with the COO and president to advance the company’s value stream management initiatives, identify new market opportunities, and accelerate the company’s growth. His previous experience of nearly 20 years includes leadership in product development, VSM, Agile, and DevOps.

• Prashant Ketkar has been announced as the new chief technology and product officer at Corel Corp. Ketkar has over two decades of experience in the software industry. He previously served as senior vice president of product and engineering at Resolve Systems. He’s also held leadership roles at Evident.io, Oracle and Microsoft.

• Splunk welcomed Shawn Bice as its new president of products and technology on June 1. This is a new role that will oversee technical divisions like product, engineering, design, architecture, CIO, CTO, and CISO functions. Bice spent the past five years at AWS overseeing database products. Prior to that, he spent 17 years at Microsoft managing SQL Server and Azure data services.

• Donna Wilczek has been appointed as the first independent director of Optimizely’s board of directors. She has over two decades of experience and currently serves as the senior vice president of product strategy and innovation at Coupa Software, where she helped scale the company from a startup to a public company.

• Aqua Security announced two major hires last month: Darkbit co-founders Brad Geesaman and Josh Larsen. Geesaman will serve as director of cloud security and Larsen will serve as director of cloud product. Both have over 20 years of experience in information security and they’ve been working with Kubernetes since its creation.



BY GEORGE TILLMANN

George Tillmann is a retired programmer, analyst, systems and programming manager, and CIO. This article is adapted from his book Project Management Scholia: Recognizing and Avoiding Project Management’s Biggest Mistakes (Stockbridge Press, 2019). He can be reached at georgetillmann@gmx.com.


There is a potential train wreck out there. According to the trade press and peer-reviewed journals alike, systems development is in trouble. The much revered, and equally reviled, Standish Group’s Chaos Report says that only about 30% of systems development projects succeed, 20% outright fail or are cancelled, and around 50% hobble along in some middle (between success and failure) state.

If you don’t like the Chaos Report, there are a number of academic studies (hundreds of them) showing perhaps not as dire results but the same message — systems development is a blood sport.

What they all agree on is that there is a fundamental flaw in how we build systems, and the project manager is caught in a real-life Catch-22 situation in trying to solve the problem.

A 2007 study of more than 400 projects in the United States and the United Kingdom titled “The Impact Of Size And Volatility On IT Project Performance,” is a telling example. The study found that as the project headcount gets larger, the risk of underperformance gets higher. The larger the team size, the greater the risk of failure. A 21 Full Time Equivalent (FTE) project is more than twice as likely to underperform as a 10-FTE project.

OK, you want to reduce project risk, and the plan calls for too many people on the project. What do you do? Well, one option is to spread the project out over time, thus requiring fewer staff. Figure 1 (from the same study) presents the level of risk based on the duration of the project. It shows that as the schedule extends out, the risk increases, with 18-month projects encountering twice the failure rate of 12-month projects.

Figure 1 – Risk of Underperformance Attributed to Duration

In fact, the project manager can’t do much. As the same study shows, it doesn’t matter whether you thin the staff count and make the project longer or shorten the duration by adding staff, the devil is the project effort (person-months) required. Thick or thin (many staff or few staff), long or short (long duration versus short duration), a 500 person-month project is twice as likely to underperform as a 25 person-month project. Put simply, Big is Bad.

If big is bad, go small. Now, that should be the end of this article, but making big projects small is not so easy. Below are a few suggestions for accomplishing the small is beautiful effect.

Out of one, many

The simplest way to reduce the risk of one big project is to make it multiple small projects. Slicing up the megaproject into bite-sized pieces is the best way of bringing in a large project. The result should be a number of subprojects, or phases, each with their own staff, project manager, goals, and deliverables. But exactly how big should the subprojects be?

From the study’s findings, one could conclude that a good team size would be in the range of 5 to 15 staff and a good duration somewhere in the 3- to 12-month range. Other authors have different but not terribly dissimilar numbers. Reviewing more than a dozen research studies, one would not be wrong in considering the average recommended team size seems to be in the four to seven range with a duration somewhere between three and nine months. For simplicity, we refer to the four to seven staff and 3- to 9-month duration as the project sweet spot.

The project sweet spot has a number of advantages. Its small headcount minimizes the required communication overhead, while the short duration mitigates the honeymoon problem.

The project sweet spot can be implemented serially or in parallel, or in any combination. A serial implementation has the mini-projects or phases executed one at a time, one after the other. If megaproject X is broken down serially into mini-projects A, B, and C, IT could theoretically use the same staff on each project. When A is complete, the team moves on to B, etc. Parallel execution requires multiple project teams working on the different mini-projects at the same time. Parallel projects require different team members for each project—sharing staff across projects defeats the purpose of phasing.

Most phasing is serial because it is often the easiest way to divide a project; however, parallel phasing becomes more desirable when there are significant schedule pressures.

There are a number of technical challenges to successful project phasing.

Communication. One of the reasons to break up a large project into smaller pieces is the communications overhead problem—as the number of team members increases, the time and effort needed to keep everyone up to speed on project activity increases exponentially. However, communication between teams is now needed, particularly if the phasing is parallel. While most intra-team communication is verbal, multi-team communication is often in writing, further increasing communication costs.

Partitioning. Exactly how to carve up the megaproject into multiple smaller pieces called mini-projects, subprojects, or phases is not always obvious. To do it right, the project manager (or whoever is tasked with parsing the project) needs a good understanding of the finished system and the tasks to build it.

Figure 2 shows a sample application data flow diagram (DFD). Processes or functions are depicted with rounded rectangles (example: A2, C1, etc.). Data stores or files (static data) are represented by open rectangles. Arrows depict the flow of data (data in motion) to and from data stores and communication (data sharing) between processes.

Figure 2 – Megaproject Divided into Three Subprojects (A, B, and C)

Selecting which processes to include in a mini-project is critical to development success. A phase or subproject should consist of processes where the communication (data sharing) between them is the highest. Phase boundaries should be defined to minimize cross-phase communication. In Figure 2, processes A1, A2, A3, and A4 have the most significant communication between them and are kept together as a subproject, while a similar decision is made about processes B1, B2, and B3.

Budget. Partitioning a large project into bite-sized chunks can have a negative impact on effort and schedules. Communication overhead was discussed above, but in addition, multiphased projects often require more analysis time (as business users are interviewed and re-interviewed) and testing time as the various sub-systems are integrated. Project managers for the various mini-projects need to incorporate the additional required effort and time into their individual plans.

Testing. The testing of the individual subprojects is usually neither harder nor easier than testing a similar portion of a megaproject; however, it can be different. If the megaproject is divided serially into phases, then testing other than in the first phase might require revisiting previous phases. For example, imagine a megaproject divided into subprojects A, B, and C. If the subprojects are executed serially, then testing subproject C might uncover changes needed to earlier completed subproject A. This problem is not limited to serially executed subprojects, but can also occur in parallel subproject development and even in a big bang approach where the work on the various portions of the system is completed at different times. However, it can be more prevalent and acute in serially developed subprojects.

Integration. A megaproject that is divided into components can require some effort to reintegrate once the mini-projects are complete. Not necessarily a difficult task, but one that needs to be taken into account.

Throwaway Code. Project phasing often requires additional non-application code that is not in the final production system. This code is required for the proper testing and integration of phase components that will eventually need to interact with components in other, not yet developed, phases.

Slicing up what the user sees as a single project can present some management challenges.

User management. Senior business managers are often suspicious of any “project” that does not deliver the entire end result. They see a potential “bait and switch” where A, B, C was promised but they are only going to get A or A, B. Further, the additional time and dollars required for the phased system adds insult to injury. To top it off, they are skeptical of the argument that partitioning will eventually cost less (no write-offs for cancelled projects, or increased maintenance costs for underperforming systems) while increasing the odds of getting what they want.

IT management. Some IT organizations face a significant systems development backlog with needed applications having to wait months or even years before project work can begin. Some senior IT managers pressure current project managers to move ahead as quickly as possible to free up resources that can be applied elsewhere.

In spite of the cons, and because of the pros, phasing a large systems development project into manageable subprojects is the single best planning action a project manager can take to increase the odds of project success, and, in spite of the increased development costs and schedules, one of the cheapest.


Microservices at scale: A complexity management issue

BY JENNA SARGENT

The benefits of microservices have been touted for years, and their popularity is clear when you consider the explosion in use of technologies, such as Kubernetes, over the last few years. It seems that based on the number of successful implementations, that popularity is deserved.

For example, according to a 2020 survey by O’Reilly, 92% of respondents reported some success with microservices, with 54% describing their experience as “mostly successful” and under 10% describing a “complete success.”

But building and managing all of these smaller units containing code adds a lot of complexity to the equation, and it’s important to get it right to achieve those successes. Developers can create as many of these microservices as they need, but it’s important to have good management over those, especially as the number of microservices increases.

According to Mike Tria, head of platform at Atlassian, there are two schools of thought when it comes to managing the proliferation of microservices. One idea is just to keep the number of microservices to a minimum so that developers don’t have to think about things like scale and security.

“Every time they’re spinning up a new microservice they try to keep them small,” Tria said. “That works fine for a limited number of use cases and specific domains, because what will happen is those microservices will become large. You’ll end up with, as they say, a distributed monolith.”

The other option is to let developers spin up microservices whenever they want, which requires some additional considerations, according to Tria. Incorporating automation into the process is the key to ensuring this can be done successfully.

“If every time you’re building some new microservice, you have to think about all of those concerns about security, where you’re going to host it, what’s the IAM user and role that you need access to, what other services can it talk to—If developers need to figure all that stuff out every time, then you’re going to have a real scaling challenge. So the key is through automating those capabilities away, make it such that you could spin up microservices without having to do all of those things,” said Tria.

According to Tria, the main benefits of automation are scalability, reliability, and speed. Automation provides the ability to scale because new microservices can be created without burdening developers. Second, reliability is encapsulated in each microservice, which means the whole system becomes more reliable. Finally, nimbleness and speed are gained because each team is able to build microservices at their own pace.

At Atlassian, they built their own tool for managing their microservices, but Tria recommends starting small with some off-the-shelf tool. This will enable you to get to know your microservices and figure out your needs, rather than try to predict your needs and buy some expensive solution that might have features you don’t need or is missing features you do.

“It’s way too easy with microservices to overdo it right at the start,” Tria said. “Honestly, I think that’s the mistake more companies make getting started. They go too heavy on microservices, and right at the start they throw too much on the compute layer, too much service mesh, Kubernetes, proxy, etc. People go too, too far. And so what happens is they get bogged down in process, in bureaucracy, in too much configuration when people just want to build features really, really fast.”

In addition to incorporating automation, there are a number of other ways to ensure success with scaling microservices.

1. Incorporate security. Because of the nature of microservices, they tend to evoke additional security concerns, according to Tzury Bar Yochay, CTO and co-founder of application security company Reblaze. Traditional software architectures use a castle-and-moat approach with a limited number of ingress points, which makes it possible to just secure the perimeter with a security solution. Microservices, however, are each independent entities that are Internet-facing. “Every microservice that can accept incoming connections from the outside world is potentially exposed to threats within the incoming traffic stream, and it has other security requirements as well (such as integrating with authentication and authorization services). These requirements are much more challenging than the ones typically faced by traditional applications,” said Bar Yochay.

According to Bar Yochay, new and better approaches are constantly being invented to secure cloud native architectures. For example, service meshes can build traffic filtering right into the mesh itself, and block hostile requests before the microservice receives them. Service meshes are an addition to microservices architectures that enable services to communicate with each other. In addition to added security, they offer benefits like load balancing, discovery, failure recovery, metrics, and more.

These advantages of service meshes will seem greater when they are deployed across a larger number of microservices, but smaller architectures can also benefit from them, according to Bar Yochay.

Of course, the developers in charge of these microservices are also responsible for security, but there are a lot of challenges in their way. For example, there can often be friction between developers and security teams because developers want to add new features, while security wants to slow things down and be more cautious. “As more apps and services are being maintained, there are more opportunities for these cultural issues to arise,” Bar Yochay said.

In order to alleviate the friction between developers and security, Bar Yochay recommends investing in developer-friendly security tools for microservices. According to him, there are many solutions on the market today that allow for security to be built directly into containers or into service meshes. In addition, security vendors are also advancing their use of technology, such as by applying machine learning to behavioral analysis and threat detection.

2. Make sure your microservices don’t get too big. “We’ve seen microservices turn into monolithic microservices and you get kind of a macroservice pretty quickly if you don’t keep and maintain it and keep on top of those things,” said Bob Quillin, chief ecosystem officer at vFunction, a company that helps migrate applications to microservices architectures.

Dead code is one thing that can quickly lead to microservices that are bigger than they need to be. “There is a lot of software where you’re not quite sure what it does,” said Quillin. “You and your team are maintaining it because it’s safer to keep it than to get rid of it. And that’s what I think that eventually creates these larger and larger microservices that become almost like monoliths themselves.”

3. Be clear about ownership. Tria recommends that rather than having individuals own a microservice, it’s best to have a team own it.

“Like in the equivalent of it takes a village, it takes a team to keep a microservice healthy, to upgrade it to make sure it’s checking in on its dependencies, on its rituals, around things like reliability and SLO. So I think the good practices have a team on it,” said Tria.

For example, Atlassian has about 3,000 developers and roughly 1,400 microservices. Assuming teams of five to 10 developers, this works out to every team owning two or three microservices, on average, Tria explained.

4. Don’t get too excited about the polyglot nature of microservices. One of the benefits of microservices—being polyglot—is also one of the downsides. According to Tria, one of Atlassian’s initial attractions to microservices was that they could be written using any language.

“We had services written in Go, Kotlin, Java, Python, Scala, you name it. There’s languages I’ve never even heard of that we had microservices written in, which from an autonomy perspective and letting those teams run was really great. Individual teams could all run off on their own and go and build their services,” said Tria.

However, this flexibility led to a language and service transferability problem across teams. In addition, microservices written in a particular language needed developers familiar with that language to maintain them. Eventually Tria’s team realized they needed to standardize down to two or three languages.

Another recommendation Tria has based on his team’s experience is to understand the extent of how much the network can do for you. He recommends investing in things like service discovery early on. “[At the start] all of our services found each other just through DNS. You would reach another service through a domain name. What that did is it put a lot of pressure on our own internal networking systems, specifically DNS,” said Tria.

Figuring out a plan for microservices automation at Atlassian

Mike Tria, head of platform at Atlassian, is a proponent of incorporating automation into microservices management, but his team had to learn that the hard way.

According to Tria, when Atlassian first started using microservices back in early 2016, it had about 50 to 60 microservices total and all of the microservices were written on a Confluence page. They listed every microservice, who owned it, whether it had passed SOC2 compliance yet, and the on-call contact for that microservice.

“I remember at that time we had this long table, and we kept adding columns to the table and the columns were things like when was the last time a performance test was run against it, or another column was what are all the services that depend on it? What are all the services it depends on? What reliability tier is it for uptime? Is it tier one where it needs very high uptime, tier two where it needs less? And we just kept expanding those columns.”

Once the table hit one hundred columns, the team realized that wouldn’t be maintainable for very long. Instead, they created a new project to take the capabilities they had in Confluence and turn them into a tool.

“The idea was we would have a system where when you build a microservice, it essentially registers it into a central repository that we have,” said Tria. “That repository has a list of all of our services. It has the owners, it has the reliability, tiers, and anyone within the company can just search and look up a surface and we made the tool pretty pluggable so that when we have new capabilities that we’re adding to our service.”



INDUSTRY SPOTLIGHT

How Hackers Can Poison Your Code

Hackers are always looking for new ways to compromise applications. As languages, tools and architectures evolve, so do application exploits. And the latest target is developers.

Traditionally, software supply chain exploits, such as the Struts incident at Equifax, depended on an organization’s failure to patch a known vulnerability. More recently, supply chain attacks have taken a more sinister turn because bad actors are no longer waiting for public vulnerability disclosures. Instead, they’re injecting malicious code into open-source projects, or building malicious components that feed the global supply chain.

No one in the enterprise, including developers, knows all of the components that an application comprises, nor do they understand all the dependencies associated with those components. It’s a potential liability issue that, combined with a demand for greater transparency, has fueled the adoption of software composition analysis (SCA) and software bill-of-materials (SBOM) tools.

“We’ve created package managers that make it easy and fast for developers to reuse binary components which arguably makes them more productive, but those tools also introduce transitive dependencies,” said Brian Fox, CTO of Sonatype. “If I pull one thing, that thing pulls in its dependencies and in Java it’s not uncommon to see a 10x or even 100x explosion. In JavaScript it’s even worse, 100x to 1,000x.”

Next-Gen Supply Chain Attacks Growing

According to Sonatype’s 2020 State of the Software Supply Chain report, the number of next-generation cyberattacks actively targeting open-source projects has been rising rapidly. From February 2015 to June 2019, 216 such attacks were recorded. Then, from July 2019 to May 2020, an additional 929 attacks occurred. These next-generation supply chain attacks are increasing for three reasons.

First, open-source projects rely on contributions from thousands of volunteer developers and it’s difficult or impossible to discern between members with good or malicious intent.

Second, when malicious code is secretly injected “upstream” to the developer via open source, it’s highly likely that no one realizes the malware exists, except for the person who planted it. This approach allows adversaries to surreptitiously set traps upstream and carry out attacks downstream once the vulnerability has moved through the supply chain into the wild.

Finally, open-source projects typically incorporate hundreds or thousands of dependencies from other open-source projects, many of which contain known vulnerabilities. While some open-source projects demonstrate exemplary hygiene as measured by mean time to remediate (MTTR) and mean time to update (MTTU), many others do not.

Why Approved Component Lists Don’t Help

The dynamic nature of software development is at odds with approved component lists because the lists are not updated as often as they should be. The task is too complex and time-consuming for humans.

“There are millions of components if you include the multiple ecosystems that are out there, and they’re changing four, 10, 100 times a year. How can you be sure that what was okay a year ago is still okay?” said Fox. “People are still using Struts because it’s on their approved list even though it’s been a level 10 vulnerability for about 15 years now.”

Modern enterprises need the ability to define policies that can be applied to individual components, whether the rule is based on licensing, the age of the component, the popularity of the component or other criteria. Once the policy has been defined, it can be executed automatically.

“With tooling, you can inspect the software, run those policies, understand why a certain component wasn’t used in this application and recommend a better one. By codifying all that, you can avoid walking over to legal, architecture or security to ask permission,” said Fox.

While static and dynamic analysis tools help identify problems in code, their capabilities may not extend to third-party code because there are too many code paths to evaluate. So, the vast majority of code may not be scanned. In addition, when a developer downloads and runs a malicious component, that component could install a back door on their system. Similarly, with continuous integrations, the poisonous code can seep even further into the pipeline.

“Attackers are now focused on the developers and the development infrastructure as the way into the organization,” said Fox. “That way, they can bypass all the enterprise security stuff like firewalls. By abstracting the sheer complexity of applications’ components and their dependencies into policies, you can provide developers with guardrails that help improve application security and those developers don’t have to ask others in the organization for permission every time.”

Learn more at www.sonatype.com.

Content provided by SD Times and
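The contrast the article draws between a static approved-component list and an automatically executed policy, as an added example (not from the article or from Sonatype's tooling). Every component name, date, license and score is constructed, and the `Policy` fields are assumptions standing in for the licensing, age and other criteria the text mentions.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Component:
    name: str
    license: str
    released: date            # release date of the version in use
    max_cvss: float = 0.0     # highest known-vulnerability score, 0.0 if none
    depends_on: tuple = ()


@dataclass(frozen=True)
class Policy:                 # hypothetical rule set, not a real tool's schema
    denied_licenses: frozenset
    max_age_days: int
    cvss_threshold: float


# Constructed sample data: every name, date and score below is made up.
INVENTORY = {c.name: c for c in (
    Component("web-framework", "Apache-2.0", date(2021, 3, 1),
              depends_on=("template-engine", "json-parser")),
    Component("template-engine", "MIT", date(2016, 5, 10), max_cvss=9.8,
              depends_on=("string-utils",)),
    Component("json-parser", "MIT", date(2021, 1, 15),
              depends_on=("date-helper",)),   # date-helper has no metadata
    Component("string-utils", "GPL-3.0-only", date(2020, 11, 2)),
    Component("http-client", "BSD-3-Clause", date(2021, 2, 20)),
)}
DIRECT = ("web-framework", "http-client")          # what the developer asked for
APPROVED_LIST = {"web-framework", "http-client"}   # reviewed once, by name
POLICY = Policy(frozenset({"GPL-3.0-only"}), max_age_days=3 * 365,
                cvss_threshold=7.0)


def approved_list_check(direct, approved):
    """Static list: only sees the components requested by name."""
    return [name for name in direct if name not in approved]


def resolve(direct, inventory):
    """Transitive closure; maps each component to the path that pulled it in."""
    paths = {}
    stack = [(name, (name,)) for name in reversed(direct)]
    while stack:
        name, path = stack.pop()
        if name in paths:      # already visited (also guards against cycles)
            continue
        paths[name] = path
        component = inventory.get(name)
        if component:
            for dep in reversed(component.depends_on):
                stack.append((dep, path + (dep,)))
    return paths


def evaluate(direct, inventory, policy, today):
    """Apply the policy to every resolved component, direct or transitive."""
    findings = []
    for name, path in resolve(direct, inventory).items():
        component = inventory.get(name)
        if component is None:
            reasons = ["no metadata: cannot be evaluated"]
        else:
            reasons = []
            if component.license in policy.denied_licenses:
                reasons.append(f"license {component.license} is denied")
            age = (today - component.released).days
            if age > policy.max_age_days:
                reasons.append(f"version is {age} days old")
            if component.max_cvss >= policy.cvss_threshold:
                reasons.append(f"known vulnerability, CVSS {component.max_cvss}")
        if reasons:
            findings.append({"component": name, "via": " > ".join(path),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    print("approved-list violations:", approved_list_check(DIRECT, APPROVED_LIST))
    for f in evaluate(DIRECT, INVENTORY, POLICY, today=date(2021, 7, 1)):
        print(f"{f['via']}: {'; '.join(f['reasons'])}")
```

The approved list reports nothing because both requested components are on it, while the policy run flags three components that arrived only as transitive dependencies.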



Two Sides of Testing

Software test automation for the survival of business
BY DON JACKSON

In today’s business environment, stakeholders rely on their enterprise applications to work quickly and efficiently, with absolutely no downtime. Anything short of that could result in a slew of business performance issues and ultimately lost revenue. Take the recent incident in which CDN provider Fastly failed to detect a software bug, which resulted in massive global outages for government agencies, news outlets and other vital institutions.

Effective and thorough testing is mission-critical for software development across categories including business software, consumer applications and IoT solutions. But as continuous deployment demands ramp up and companies face an ongoing tech talent shortage, inefficient software testing has become a serious pain point for enterprise developers, and they’ve needed to rely on new technologies to improve the process.

The benefits of test automation

As with many other disciplines, the key to quickly implementing continuous software development and deployment is robust automation. Converting manual tests to automated tests not only reduces the amount of time it takes to test, but it can also reduce the chance of human error and minimize the defects that escape into production. Just by converting manual testing to automated testing, companies can reduce three to four days of manual testing time to one eight-hour overnight session. Therefore, testing does not even have to be completed during peak usage hours. Automation solutions also allow organizations to test more per cycle in less time by running tests across distributed functional testing infrastructures and in parallel with cross-browser and cross-device mobile testing.

Challenges in test automation

Despite all the benefits of automated software testing, many companies are still facing challenges that prevent them from reaping the full benefits of automation. One of those key challenges is managing the complexities of today’s software testing environment, with an increasing pace of releases and proliferation of platforms on which applications need to run (native Android, native iOS, mobile browsers, desktop browsers, etc.). With so many conflicting specifications and platform-specific features, there are many more requirements for automated testing – meaning there are just as many potential pitfalls.

Software releases and application upgrades are also happening at a much quicker pace in recent years. The faster rollout of software releases, while necessary, can break test automation scripts due to fragile, properties-based object identification, or even worse, bitmap-based identification. Due to the varying properties across platforms, tests must be properly replicated and administered on each platform – which can take immense time and effort.

Therefore, robust and effective test automation also requires an elevated skill set, especially in today’s complex, multi-ecosystem application environment. Record-and-playback testing, a tool which records a tester’s interactions and executes them many times over, is no longer sufficient.

Ensuring robust automation with AI

To meet the high demands of software testing, automation must be coupled with Artificial Intelligence (AI). Truly robust automation must be resilient, and not rely on product code completion to be created. It must be well-integrated into an organization’s product pipelines, adequately data-driven and in full alignment with the business logic.

Organizations can allow quality assurance teams to begin testing earlier – even in the mock-up phase – through the use of AI-enabled capabilities for the creation of a single script that will automatically execute on multiple platforms, devices and browsers. With AI alone, companies can experience major increases in test design speed as well as significant decreases in maintenance costs.

Furthermore, with the proliferation of low-code/no-code solutions, AI-infused test automation is even more critical for ensuring product quality. Solutions that infuse AI object recognition can enable test automation to be created from mockups, facilitating test automation in the pipeline even before product code has been generated or configured. These systems can provide immediate feedback once products are initially released into their first environments, providing for more resilient, successful software releases.

Cumbersome, manual testing is no longer sufficient, and enterprises that continue to rely on it will be caught flat-footed, outperformed and out-innovated. Investing in automation and AI-powered development tools will give enterprises the edge they need to stay ahead of the competition.

Don Jackson is chief technologist of Application Delivery Management, Micro Focus.


Software is designed for humans: it should be tested by humans
BY JONATHAN ZALESKI

In the sprint to keep a competitive edge during digital transformation, organizations are optimizing and updating how they build and deploy software, trying to create a seamless continuous integration/continuous delivery (CI/CD) structure. Leveraging tech like AI, machine learning and automation is certainly helping to make this process as efficient as possible. But optimizing speed must be carefully balanced with maintaining — and improving — quality. Where and how does testing fit into accelerating software development pipelines?

Shift-left testing has gone from new concept, to recognized buzzword, to reality for many digitally evolving organizations. Instead of running QA after code is developed, this testing is now taking place earlier and earlier in the software development life cycle (SDLC). This is done in part with the help of the developers who are actually responsible for building the code.

Testing earlier in the SDLC has the potential to slow down development, which runs against the priority of developers building and shipping code as quickly as they can. But this slowdown has been worth it for many brands, leading to a reduced number of bugs released to end users and cost savings involved for fixing bugs later in development or once deployed. Essentially, many organizations are on board with compromising a bit of speed for an overall better user experience. But should they have to?

Collaboration and real-time reviews

At the core of shift-left testing is the notion that every member of a team is working together in the name of improved quality, but that shouldn’t mean that release velocity is sacrificed to a great degree in the process. Pair programming — where two developers work together to create code — is a great example of how collaboration and real-time reviews can be used to improve code quality at the outset. With pair programming, one developer writes the code and one reviews it in real time so as to make the process as efficient and the code as clean as possible early on.

This real-time review process goes against the grain of traditional automation, but is nonetheless an important tool in shifting testing and quality processes left. Real-time review and in-sprint testing methods like pair programming are useful steps to take while test automation matures. They also offer benefits that test automation cannot because only human testers can provide the dynamic and unbiased validation and verification of software that machines are simply not yet capable of providing. Automation can tell you if the intended result was achieved, for example, but cannot tell you if the experience was intuitive, easy to use or inclusive of all potential end users.

The human element

Automated software testing does all it needs to do to tell developers and QA teams if software is working or not working. But in the wild, where that software is used and sees its value recognized, it isn’t so simple.

When software is only tested in a lab environment, it doesn’t encounter all these other variables. Automated testing simply does not cover the diversity involved in real user experience by the billions of humans accessing applications every day, around the world. For this reason, organizations committed to providing the highest quality of user experience and accessibility for their users and customers will keep humans involved in software testing.

Offsetting with automated testing

Developers are an invaluable resource to organizations. IT leaders naturally want the majority of developer time to be spent focused on developing applications. Yes, at some organizations with less mature QA setups they do need to spend some time on quality and testing, but ideally, as little time as possible should be spent away from their main priority of developing exceptional software.

Shifting testing left has pulled developers further into the mix of testing responsibility, however. This can reduce developer productivity, and as we know, reduce release cycle speed. But automated testing capabilities can actively offset these areas of compromise.

All in the name of user experience

The benefits of automated testing practices can’t be overstated. Automated tools pick up on issues that humans sometimes miss, and they do it in a way that is agile and efficient. But as long as the end product is being used by people, it is people who also need to be involved in some aspect of the testing. Adding this human element into the mix alongside the efficiency of automated testing is the best way to make sure an application is ready and accessible for any prospective user.

Jonathan Zaleski is senior director of Engineering and Head of Applause Labs, at test solutions provider Applause.


INDUSTRY SPOTLIGHT

AIOps a Key Link in BizOps Chain

Every company is going digital today and user experience is everything. However, deployment of dynamic, hybrid cloud infrastructure and the explosion of connected devices creates a lot of challenges in monitoring performance of digital services. Therefore, organizations are still struggling to build end-to-end pipelines that help ensure their applications and the business remain available, reliable and resilient.

“Our customers are somewhere in the journey between [on-premises] and cloud so they have a lot of distributed, multi-cloud applications. For example, if you have a retail application, the systems of engagement could be running in the cloud while the system of record, where the actual data is stored, could be running on prem deep within the data center,” said Sudip Datta, general manager and head of AIOps at Broadcom. “When you’re dealing with such complex distributed applications, managing and monitoring those applications becomes problematic. So, the more automation you have, the better.”

What is AIOps?

AIOps operationalizes AI in IT. In the era of digital transformation, it is an important link in the overall BizOps chain because it connects business outcomes to the software delivery chain (governed by DevOps).

“Companies have to stay on top of their digital services to make sure that 100% of their customers are satisfied 100% of the time. At the same time, they have to deal with this complexity of cloud and on prem, and with a continuously evolving infrastructure and network. Especially when you consider ephemeral assets like containers, it’s not possible to keep pace with a rule-based approach,” said Datta. “That’s why we have AIOps.”

Essentially, AIOps helps ensure that companies can automatically find and fix application issues before customers notice them or at least shorten mean time to resolution (MTTR) if a noticeable problem occurs.

Observability is Important

Achieving five-nines of service level requires observability, which is the ability to observe outputs, and gain insights from them. This capability is extremely crucial for developers who are working with cloud-native, containerized architectures. Simply monitoring the environment to keep the lights on isn’t enough because the intelligence is limited: it only says whether a component, network or server is up or down.

“It’s not about collecting data, it’s about connecting data to glean insights out of it,” said Datta. “When you are dealing with a lot of components in a distributed, multi-cloud world, you need to connect topology data, metric data, unstructured data logs and traces to glean insights about what is really happening. With AIOps and the observability it provides, you can ideally predict problems before they happen, and in case they do, determine the root cause of the problem and automate the remediation.”

Why SREs Are Critical

Site Reliability Engineers (SREs) are administrators with full-stack competencies who keep digital services running at peak performance. Today, most digitally progressive enterprises employ SREs for their mission-critical services.

“If you’re a bank or a retailer offering a bunch of consumer-facing services, who is responsible for the upkeep of the services?” said Datta. “You need a very specialized skillset with deep understanding of the architecture, because slow is the new ‘down.’ They have to be full-stack engineers. And they have to be equipped with the right tool that can track Service Level Objectives (SLOs) and the underlying Service Level Indicators (SLIs).”

AIOps Speeds Issue Resolution

AIOps helps reduce the noise associated with issue resolution. Datta said an average enterprise’s tech stack generates 5,000 to 10,000 alarms per day or more. AIOps uses natural language processing (NLP) and clustering technologies to reduce alarm noise by as much as 90%, giving developers and IT more time to deliver actual value.

“Customers joke about having a mean time to innocence — the time it takes to prove that it’s not my problem, and those responsibility debates are costing them four to five hours,” said Datta. “With AI and ML, we can determine the root cause or the probable root cause of a problem and fix it faster. The whole thing is about accelerating remediation and predicting problems before they happen.”

Developers and IT should understand which technology assets make up a business service and which business services have the highest priority so they can focus their efforts accordingly.

“It’s all about the data, and the ability to deal with the volume, velocity, variety and veracity,” said Datta. “What’s also critical for AIOps is making sure your solution is open so it can connect with the peer disciplines such as DevOps and BizOps. AIOps isn’t a nice to have, it’s a must have, especially in the modern digital era.”

Learn more at Broadcom’s Sept. 28 AIOps event.

Content provided by SD Times and



DEVOPS WATCH

Atlassian releases new cloud app development platform: Forge
BY JAKUB LEWKOWICZ

Atlassian announced that its next-generation cloud app development platform, Forge, is now generally available. Forge has been in beta since the beginning of 2020 and is designed to handle many of the maintenance aspects of app creation such as compliance, data management practices, scaling performance and security.

The solution is made up of three main components: a serverless Functions-as-a-Service (FaaS) hosted platform, a declarative UI language, and a DevOps toolchain, all of which serve three main pillars.

The first pillar is that Forge allows developers to build Atlassian-wide applications that have all the power of the Atlassian platform including data residency for customers that want their data in a particular place, encryption, audit locking, and audit trails, high scale and performance and is built on Atlassian’s own cloud infrastructure. According to the company, more than 60% of Atlassian customers use at least one app or integration from the Marketplace to solve their specific needs.

The second pillar is around security and enterprise, building enterprise capabilities such that every Forge app is an enterprise by default and can serve enterprise customers in a more explicit way than Connect, Atlassian’s previous framework for extending Atlassian cloud products and an option for building apps on Jira Cloud since 2014.

The third pillar for the Forge platform is to enable developers to innovate faster. Developers can use Forge to build apps that are publicly available for other people to download and install or they can charge for it on the Marketplace. If the company is an Atlassian customer, developers can build apps just for their own company.

Broadcom adds investment planning, Agile management to its ValueOps solution
BY DAVID RUBINSTEIN

In an attempt to bring the concept of value stream beyond DevOps operations roles, Broadcom today announced an update to its ValueOps software that brings investment management and Agile management into its solution. Broadcom is integrating its Clarity investment planning software and its Rally Agile management software to provide visibility and metrics to all stakeholders tasked with ensuring the organization is delivering value.

Highlights of the capabilities of ValueOps include digital product management features that visualize programs, teams and other investment objects in ways that the business can best understand. ValueOps also provides context-aware insights by aggregating organizational data in real time to give a full picture of delivery, performance and return on investment.

The solution now also helps technical leaders by connecting the work to strategic investment plans, business goals and OKRs, to ensure “resources are efficiently delivering the highest priority and most valuable initiatives,” the company said in its announcement. Further, ValueOps now maps value streams to investment decisions, creating better transparency.

GitLab 14 aims to do away with DIY DevOps toolchains
BY JENNA SARGENT

GitLab is moving forward to the next evolution of DevOps in the release of GitLab 14. According to the company, many DevOps teams use so-called “DIY DevOps” toolchains that are built with parts not designed to work together, leading to silos, lack of visibility, and maintenance challenges. This latest iteration of the GitLab platform aims to eliminate this notion and provide companies with advanced DevOps capabilities that allow developers to build software with velocity, trust, and visibility.

One new feature in GitLab 14 is Epic Boards, which allow teams to continuously communicate the status of epics, and visualize and refine them in one place using a drag-and-drop interface. GitLab 14 also features a built-in Terraform module registry, which can be used to discover Terraform modules or publish them through GitLab CI/CD.

This release also streamlined the top menu so that developers can get to what they need in fewer clicks. Another UI redesign in GitLab 14 is of the sidebar. According to the company, as more and more features have been added to GitLab, the left sidebar has become more packed and less intuitive. It has now been reorganized to improve usability, consistency, and discoverability.

Other new features in GitLab 14 include:

• Support for the complete merge request review process for VS Code
• The ability to edit wiki pages with the WYSIWYG Markdown editor
• Aggregation capabilities for identical DAST vulnerabilities
• Cluster management project template
• Templates that can be used to populate the CI/CD pipeline editor
• Container scanning integration with Trivy
• Lead time for merge requests at the group level

A full list of new features is available in the release notes.


BY JOHN KIM

M

obile apps have changed our world — from how we pay bills to how we date or order food, to even the ways we play games. They’ve opened up seemingly limitless possibilities, thanks to the talent of the developer community. Building the next killer app requires the creation of features that attract and delight while still supporting millions of concurrent users — and doing so without compromising the experience. And unfortunately, companies often underestimate just how difficult it can be to John Kim is co-founder and CEO at chat platform provider Sendbird.

strike a balance between performance and experience until they are so far down a path that it is difficult to course correct. As a result, some fantastic ideas never reach their full potential.

Building for scale: a critical factor The desire to acquire users as fast as possible with a compelling feature set often leads to limitations on the backend. It’s no surprise that when performance suffers, users migrate away from the app out of frustration and/or viral growth sputters. One of the most important things I’ve learned from building multiple companies is that we need to reverse this thinking. Architect based on the assumption of success

from the get-go. It’s easier and cleaner to build for scale early than trying to cobble your infrastructure together like Lego bricks as you go. A developer should always be thinking about what happens when you get a thousand users, ten thousand users, millions? What is the minimum viable product? With my most recent company, for example, we wanted to know how many people we could fit into a single chat room without it falling apart. We understood that sending a single line of text to someone is pretty simple, but having 10,000 people in a single chat room is not. Every time you send a message, that message is broadcast 10,000 times. If you add features like


020-21_SDT049.qxp_Layout 1 6/23/21 12:29 PM Page 21

www.sdtimes.com

read receipts or typing indicators on top of it, everything becomes exponentially more costly and more complicated. And we had to account for that before we released a commercial offering. To solve for this, we conducted some early experiments with consumer applications that our friends were building. This allowed us to quickly build and test how things were going in ways that we couldn’t simulate on our own-which ultimately led to three major overhauls in our infrastructure to ensure that we could support the massive global adoption we were striving for. We aimed big and we built to match that thinking.

Accounting for complications
Getting a bit more granular about what organizations should be considering as they create the next big thing, I’ll highlight some of the issues we faced as we developed our product and feature set. While not an extensive list, these problems are common for many different types of applications.

Global User Base. We had to make sure that every layer, from mobile devices to caching, the performance queue, task management, the data reads and writes and so forth, could scale horizontally. It also had to scale across different geographies to handle a global user base so that no matter where someone was located, they could chat simultaneously without lag. Solving this problem required quite a bit of effort and engineering time.

Traffic Patterns. Expanding this further, there was also the challenge of traffic patterns. This was a big unknown because customers across different verticals can have very different traffic patterns, just as application deployments in different parts of the world do. Solving for this required not only understanding what the traffic patterns were, but also what features given customers would use more or less of, as well as how many users are typically in the group channels simultaneously. There’s a lot going on at once, and each of these pieces needed to be accounted for as we built for strong, reliable performance.

Use Case Coverage. Ensuring our infrastructure was capable of supporting a very wide range of use cases, from community chat to live streamed events, to doctor-patient consults to delivery applications, with their respective patterns involved a lot of servers and experimentation with autoscaling to adjust for high to low volume traffic fluctuations. Pushing through boundaries, we’ve been able to accomplish engineering feats that weren’t possible previously, such as enabling up to 20,000 users to engage in real-time private group chats. But it took a commitment to scalability from very early on in our company’s lifecycle and a willingness to try and fail until we got it right. We refused to compromise performance to push a feature, and this approach continues. Because we put in the infrastructure work early on, we are able to move very quickly today and can consistently innovate.

And then come the features
Building for scale and performance may not be sexy or appealing, particularly from the beginning, but it is critically important to design for this in early stages of development. When the number of concurrent users grows, the user experience can be significantly impacted if the infrastructure doesn’t support user volumes to scale with the growth. Support for a high number of concurrent users is not easily architected into your solution after the fact. The chat space, for example, is moving really quickly. It’s not just Facebook Messenger driving the trend; it’s everyone from Slack to TikTok. Pretty much every app now demands some level of real-time interaction capabilities to appeal to consumers, and this is pushing companies to constantly roll out new features to stave off competitive pressure while attracting and retaining users. People also expect all of their favorite applications to have similar features. Think about read receipts. This was not a popular or common feature early on, but now almost every messaging app has them because users expect them. It’s part of the constant evolution of the user experience.

To address this, companies perpetually have to ask, “How do we layer in features to make sure we deliver the high quality experience that users want and expect? And how do we do that without compromising scalability and performance?” This is where true value creation comes into play. The end goal is a seamless experience existing within the application, one that can be tailored for specific verticals if need be. To do this, the secret sauce is in the configuration and a common, scalable infrastructure layer that can host and scale with new features and services as they are created. If you’ve built a robust infrastructure, one that can scale horizontally, the performance impact of adding new features is minimized. Utilizing a common infrastructure layer also means you can more efficiently add new features and services without having to rebuild and test the underlying infrastructure for scalability every time.

Developer support required
To build for both performance and experience, developer support is key. Companies should be saying, “We want you to help make our tools better. To do that, we will give you the easiest to use, very best tools.” In the early days of my company, we were all developers at heart. As we grew, we understood how instrumental and beneficial developer support was to our growth, and we strive very hard to create a positive developer experience today. For about 95% of our feature set, we try to really focus on giving developers the power to incorporate it into their apps in unique and interesting ways. Developers fuel innovation, so any company that hopes to tap into the genius of this community should make an SDK or UIKit that appeals to developers. After all, we have entered the API economy where developers are expected to integrate new capabilities at an incredible pace. Let’s strive to make it as easy as possible to build the most modern features for their applications — without compromising scalability and performance for a compelling user experience. Balance is key, and partnering with developers is how we achieve it.


Are your metrics right for a remote workforce?
BY GAURANG TORVEKAR

So much of what we do at work has to be measured. There is a sense that, if something cannot be measured, does it even really exist? Certainly, if a project or function cannot demonstrate how it is being measured in a clear, understandable manner, its ability to secure approval or signoff is dramatically reduced. Metrics, key performance indicators, objectives and key results (OKRs), being able to measure progress — it all links back to a need within organisations to ultimately quantify return on investment. When we all worked in one place, most metrics were tied to outputs — achieve sales targets, ship code, maintain a positive net promoter score.

Changing environments demand new metrics
But how have those ways of measurement changed in the last year? Do they take into account the challenges and opportunities that come with remote working? As Dan Montgomery, the founder and managing director of Agile Strategies, said, the current situation “is a great opportunity to get better at managing people around outcomes rather than tasks or, worse yet, punching a virtual clock to prove they’re working. Many employees working from home genuinely have big challenges, including bored kids, sick relatives and an unending stream of bad news. They need the flexibility right now and will appreciate your trust in them.” Having that flexibility is particularly critical in uncertain times. “Now more than ever, the goals that we’re setting are so critical for us to be able to navigate what happens next,” Ryan Panchadsaram, co-founder and head coach of What Matters said.

Defining a clear vision
But how do we set those goals? One mistake many businesses make is not aligning targets and objectives throughout the business. It doesn’t matter whether you’re a start-up, a scale-up or an established sector leader: without a goal at the company level, you’re lost. Chris Newton, VP of Engineering at Immersive Labs, calls this “Vision — it all needs to have a really clear, inspiring, well understood company vision that is really guiding every department in the business. Not just product and tech, but you’re talking about the whole wider business. There has to be a direction, a clear direction for the company.” Chris was talking as part of a recent Indorse Engineering Leaders panel discussion. Once you have that big vision, he says, “Underpinning that is going to be the product and tech side of things. You will have your product vision: ‘what are we trying to achieve for our customers through the product?’ Then you have the engineering vision that underpins the product vision. It is complementary to the product vision, and it supports it. The engineering vision & strategy lines up to delivering the best outcomes for customers through the product vision.” It is only once that big picture is in place that a business can start to work out how it is going to get there.

The right framework for transparency and function

Chris was particularly keen on Objectives and Key Results, or OKRs. “Objectives framework, such as OKRs, can be a really powerful tool in terms of getting that prioritization and alignment right. It’s great to make a clear and visible link between what software engineers and managers are doing on the ground and how that then ties back up to top-level objectives.” What this brings to an organisation is transparency in goal setting. Everyone, from senior executives down to team members, is clear on how objectives are created and how what they do helps drive results. Having that process is critical to determining what action is going to be taken.

As another panellist, Nik Gupta, Software Development Manager at Amazon, highlighted, getting the basics right is critical. Nik and his team “spend about two months just getting our metrics right. Literally, just figuring out what are the right metrics we should track worldwide — are they instrumented, are they reliable, and how would we validate them, etc. It is absolutely essential to get that framework built before you start delving into ‘what projects are we going to do and why.’”

What that looks like is going to vary, and it can be easier for some functions than it is for others, as Smruti Patel, another panellist, highlighted. As Head of LEAP and Data Platform at Stripe, she has found that the former is easier to measure than the latter. For LEAP, “the metrics here are obviously more tangible. It’s easier to measure how much you’re spending on your infrastructure or how much time the customer sees when they make a request.” However, on the data infrastructure side “some of the inherent qualities or principles from the platform that the internal users require are security, reliability, availability, and leverage, in terms of product enablement, which then enables Stripe’s users. Here, identifying the right set of metrics for infrastructure kind of work has been a challenge.” To solve this, Smruti and her team were looking at leveraging learnings from LEAP and seeing how they could be applied to Data Platform.

Prepare for change
However, while it is important to be clear on what you should measure, being too rigid once metrics are defined is counterproductive. Panchadsaram pointed out that “OKRs were never meant to be these rigid rails, they were meant to be a tool for your teams to collectively commit to something.” In a blog for O’Reilly.com, former Rent the Runway CTO Camille Fournier echoed this sentiment when she said “measurement needs to be focused on the right goals for right now, and you should expect that what you measure will change frequently as the state of systems and the business changes.” That can only be achieved when metrics are aligned throughout the organisation. Put simply, for metrics to be relevant in the current climate, they need to be aligned with a company vision which is then cascaded down the organisation. It is a process that needs to be rigorous in order to inform the work teams need to do, but it also needs to be flexible. At a time when the situation changes almost daily, it is the only way organisations operating with remote teams are going to develop metrics that are beneficial to the business.

Gaurang Torvekar is the founder of Indorse, a provider of engineering metrics solutions.


BY CHRISTINA CARDOZA AND DAVID RUBINSTEIN

It seems like the industry is leaving application performance management (APM) behind and moving towards a new observability world. But don’t be fooled. While vendors are rebranding themselves as observability tools, APM is still an important piece of the puzzle.

“Observability is becoming a bigger focus today, but APM just by design will continue to have a critical role to play in that. Think about observability holistically, but also understand that your applications, your user-face applications and your back-end applications are driving revenue,” said Mohan Kompella, vice president of product marketing at the IT Ops event correlation and automation platform provider BigPanda.

Because of the complexity of modern applications that rely on outside services through APIs and comprise microservices running in cloud-native environments, simply monitoring applications in the traditional way doesn’t cover all the possible problems users of those applications might experience. “What’s important,” explained Amy Feldman, head of AIOps product marketing at Broadcom, “is to be able to take a look at data from various different aspects, to be able to look at it from the traditional bytecode instrumentation, which is going to give you that deep-level transactionability back into even legacy systems like mainframe or, TIBCO, or even an MQ message bus that a lot of enterprises still rely on.”

Further, as more applications are running in the cloud, Feldman said she’s seeing developers “starting to change the landscape” of what monitoring looks like, and they want to be able to have more control over what the output looks like. “So they’re relying more on logs and relying more on configuring it through APIs,” she said. “We want to be able to move from this [mindset of] ‘I’m just telling you what to collect from an industry and vendor perspective,’ to having the business be more in charge about what to collect. ‘This is the output, I want you to measure it, look at all the data and be able to assimilate that into that entire topological view.’”

APM, observability or AI Ops?
Kompella explained there’s a lot of confusion in the market today because as vendors add more and more monitoring capabilities into their solutions, APM is being blended into observability suites. Vendors are now offering “all-in-one” solutions that provide everything from APM to infrastructure, logging, browser and mobile capabilities. This is making it even harder for businesses to find a solution that works best for them because although vendors claim to provide everything you need to get a deep level of visibility, each tool addresses specific concerns.

“Every vendor has certain areas within observability they do exceedingly well and you have to be really clear about the problem you’re trying to solve before making a vendor selection. You don’t want to end up with a suite that claims to do everything, but only gives you mediocre results in the one area you really care about,” Kompella said.

When looking to invest in a new observability tool, businesses and development teams need to ask themselves what the specific areas or technologies that they are interested in monitoring are and where they are located. Are they on-premises or are they in the cloud? “That is a good starting point because it helps you understand if you need an application monitoring tool that’s built for microservices monitoring and therefore in the cloud, or if you still have a large number of on-premise Java-based applications,” Kompella explained.

Much of monitoring applications in the cloud is reliant upon the providers giving you the data you need. Feldman said cloud providers could give you information through an API, or deliver it through their monitoring tool. The APM solution has to be able to assimilate that information too. While Feldman said the cloud providers haven’t always provided all the data needed for monitoring, she believes they’re getting better at it. “There’s definitely an opportunity for improvement. And in a lot of areas, you do see APM vendors also provide their own way to instrument the cloud... being able to install an agent inside of the cloud service, to be able to give you additional metrics,” she said. “But we’re seeing, I think, a little bit more transparency than we had before in the past. And that’s because they have to be able to provide that level of service. And being able to have that trend, a little bit of transparency, helps to increase communications between the service and the provider.”

BigPanda’s Kompella said the overarching driver of monitoring is to not just “stick your finger in the wind” and decide to measure whichever way the wind blows. You really have to understand your systems to figure out what metrics are going to matter to you. One way to do that is by analyzing what is generating revenue. Kompella went on to explain that you have to look at where you’ve had outages or incidents in the last couple of months, how they’ve impacted your revenue and rating, and then that will lead you to the right type of APM or observability tools that can help you solve those problems.

Additionally, businesses need to look at their services from the evolution of their technology stack. For instance, a majority of their applications may be on-premises today, but the company might have a vision to migrate everything to the cloud over the next three years. “You want to make sure that whatever investments you make in APM tools are able to provide you the deep visibility your team needs. You don’t want to end up with a legacy tool that solves your existing problems, but then starts to break down over the next few years,” said Kompella. “Technology leaders should judiciously analyze both what’s in the bag today versus what’s going to happen in the next few years, and then make a choice.”

The trouble with alerts
Alarms are a critical way to inform organizations of performance breakdowns. But alarm overload, and the number of false positives these systems kick off, has been a big pain point for those responsible for monitoring their application systems. Amy Feldman, head of AI Ops product marketing at Broadcom, said this problem has existed since the beginning of monitoring. “This is a problem we’ve been trying to sell for at least 20 years, 20 plus years … we’ve always had a sea of alarms,” she said. “There have always been tickets where you’re not sure where the root cause is coming from. There’s been lengthy war rooms, where customers and IT shops spend hours trying to figure out where the problem is coming from.”

Feldman believes the industry is at a point now where sophisticated solutions using new algorithmic approaches to datasets have given organizations the capability to understand dependencies across an infrastructure network. Then, using causal pattern analysis, you understand the cause and effect of certain patterns that go on to be able to determine where your root cause is coming from.

“I think we’re at a really exciting point now, in our industry, where those challenges that we’ve always seen for the last 20 years, are something that we truly can accomplish today,” she said. “We can reduce the noise inside of the Event Stream to be able to show what really has the biggest impact on your business and your end users. We’re able to correlate the data to be able to recognize and understand patterns. ‘I’ve seen this before, therefore, this problem is a recurring problem, this is how you fix the problem.’”

AI and ML are key, Feldman said. “I think APM was probably one of the first industries to kind of adopt that. But now we’re seeing that evolution of where it’s taking off across multiple data sets, whether that’s the cloud observability, data sets, networking, data sets, APM data sets, even, mainframe and queuing type information, all of that now is getting normalized in and then used your experience too. So all the information now is coming together is giving us a great opportunity.”
— David Rubinstein



How does your solution help teams manage monitoring?

Mohan Kompella, vice president of product marketing at BigPanda:
There are two main ways we help. For large companies that have multiple observability tools, multiple monitoring tools and multiple APM tools, which is basically a majority of the market out there, BigPanda comes in and unifies all of those fragmented domains and teams using those fragmented siloed products. The number one reason why companies choose us is because we are vendor agnostic, we are domain agnostic, we sit in the middle and unify all these APM tools and vendors.

Secondly, we help with incident management — how you prevent and resolve outages. While APM and observability tools are fantastic at providing the deep, deep visibility businesses need, that forensic data doesn’t become important until later in the process. Teams need a smart detector to connect the dots and find probable causes or culprits, and then they can get into the forensics more. When you have an outage or a massive incident that is crippling to your users or system, BigPanda connects all the dots, connects all the signals together and says here is the problem and here is what we think is causing it. BigPanda excels at that root probable cause, and then your APM experts can come in and dive deeper into the issue. BigPanda sits in the front for the detection problem, root cause identification, and the APM and observability tools can come in to surface the data and resolve the problem.

Amy Feldman, head of AIOps product marketing, Broadcom:
Broadcom's AIOps solution is based on open source, allowing it to be an open, agnostic platform, easily integrating various data sets such as metrics, logs, wire, performance, transactional and user experience. A differentiator is that the solution looks at time, text, topology and training in order to get to the root cause of the performance problem. Our APM plugs into our AIOps platform for increased observability.

We analyze data based on those four spectrums — time, text, topology and training. There's not one single approach that solves all problems; you have to look at it from different angles, and at all the pieces. And because the platform is open and agnostic, we can then incorporate all different kinds of data, which gives you that extra observability, because the more data that you have across the entire landscape, the better insights you can get out of it. There is business-related data, user experience data, APM data, Open Tracing information, network data, and third-party data as well. We treat this data as if it was a first-class citizen, so it becomes part of the topology, incorporated into the data models, and incorporated into the platform itself. So that gives you that greater visibility you need to be able to deliver business outcomes.

AIOps from Broadcom includes our full-stack monitoring capabilities — APM, user experience, networking infrastructure, along with AI and ML reducing alarm noise, providing root cause analysis tied with intelligent automation to resolve issues quickly and improve customer experience.

What is to come?
The reason monitoring strategies are becoming so important is because the pressure for digital transformation is just that much greater today. A recent report from management consulting company McKinsey & Company found the COVID-19 crisis has accelerated digital transformation efforts by seven years. “During the pandemic, consumers have moved dramatically toward online channels, and companies and industries have responded in turn. The survey results confirm the rapid shift toward interacting with customers through digital channels. They also show that rates of adoption are years ahead of where they were when previous surveys were conducted,” the report stated.

This means that the pressure to move or migrate to the cloud quickly is that much greater, according to Mohan Kompella, vice president of product marketing at BigPanda, and as a result APM solutions have to be built for the cloud. “Enterprises can no longer afford to look for APM tools or observability tools that just don’t work in a cloud-native environment,” he said.

Kompella also sees more intelligent APM capabilities coming out to meet today’s needs to move to the cloud or digitally transform. He went on to explain that APM capabilities are becoming very commoditized, so the differences between vendors are getting smaller and smaller. “Getting deep visibility into your applications has been largely solved by now. Companies need something to make sense of this tsunami of APM and observability data,” he said.

The focus is now shifting to bringing artificial intelligence and machine learning into these tools to make sense of all the data. “The better the AI or the machine learning is at generating these insights, the better it is at helping users understand how they’re generating these insights,” said Kompella. “Every large company has similar problems, but when you start to dive in deeper, you realize that every company’s IT stack is set up a little bit differently. You absolutely need to be able to factor in that understanding of your unique topology in your unique ID stack into these machine learning models,” said Kompella.
— Christina Cardoza


A guide to APM tools

FEATURED PROVIDERS

• BigPanda: BigPanda is an event correlation and automation platform powered by AIOps to help IT operations, network operations, DevOps and SRE teams detect, prevent and resolve outages. The platform prevents incidents from escalating into outages, enables rapid incident and outage resolution with automated root cause analysis, and automates manual tasks to speed up incident response.

• Broadcom: Broadcom DX Application Performance Management, part of the AIOps Platform from Broadcom, delivers mobile-to-mainframe observability for user behavior, performance analysis, and code-level diagnostics along with easy-to-use workflows and dashboard to understand the health of any multi-cloud app. The solution provides advanced analytics based on time, text, topology, and training, so you can pinpoint and resolve performance issues quickly and ensure that every user transaction becomes a loyalty-building interaction.

• Akamai provides application performance management as part of its Ion solution, which is a suite of intelligent performance optimizations and controls for delivering high-quality web, iOS and Android app experiences. The solution continuously monitors real user behavior and adapts in real time to context, user behavior and connectivity changes.

• AppDynamics by Cisco is an APM provider that provides customers with information on user experience. Its Experience Journey Mapping feature tracks the application paths most common among users and evaluates performance, enabling customers to see how their users are interacting with their app. Companies can use AppDynamics to optimize customer journeys across devices and quickly identify any issues.

• Amazon CloudWatch is an application and infrastructure monitoring solution built for DevOps engineers, developers, SREs and IT managers. It provides data and actionable insights to monitor apps, respond to performance changes, optimize resource utilization, and get a unified view of operational health.

• Catchpoint is the enterprise-proven ally that empowers teams with the visibility and insight required to deliver on the digital experience demands of customers and employees. With its combined true synthetic, real user, network, and endpoint monitoring capabilities and the largest, most diverse global monitoring network in the industry, Catchpoint delivers in-depth, accurate, and full-stack performance insights.

• Datadog APM provides end-to-end distributed tracing at scale capabilities for front-end devices and databases. Users can monitor service dependencies, reduce latency, and eliminate errors for the best possible user experience.

• Dynatrace provides software intelligence to simplify enterprise cloud complexity and accelerate digital transformation. With AI and complete automation, our all-in-one platform provides answers, not just data, about the performance of applications, the underlying infrastructure and the experience of all users.

• InfluxData: APM can be performed using InfluxData’s platform InfluxDB. InfluxDB is a purpose-built time series database, real-time analytics engine and visualization pane. It is a central platform where all metrics, events, logs and tracing data can be integrated and centrally monitored.

• Instana is a fully automatic APM solution that makes it easy to visualize and manage the performance of your business applications and services. The only APM solution built specifically for cloud-native microservice architectures, Instana leverages automation and AI to deliver immediate actionable information to DevOps.

• LaunchDarkly is a feature management platform that empowers all teams to safely deliver and control software through feature flags. By separating code deployments from feature releases, LaunchDarkly enables you to deploy faster, reduce risk, and iterate continuously. LaunchDarkly integrates with several observability and APM solutions such as AppDynamics, Datadog, Dynatrace, Honeycomb, New Relic, and SignalFX. These integrations help measure how each feature affects key service metrics such as response times and error rates.

• Lightstep’s mission is to deliver insights that put organizations back in control of their complex software applications. It provides an accurate, detailed snapshot of the entire software system at any point in time, enabling organizations to identify bottlenecks and resolve incidents rapidly.

• Microsoft Azure Monitor provides full observability into applications, infrastructure and network. Its Application Insights feature provides an APM service for developers and DevOps professionals to monitor live applications, detect performance anomalies, diagnose issues and understand what users are doing.

• New Relic One aims to go beyond traditional monitoring solutions by embracing observability. It provides users with a real-time view of operational data so they can respond faster, optimize better and build great modern software. It includes a telemetry data platform, full-stack observability, and applied intelligence.

• Oracle provides a complete end-to-end application performance management solution for custom and Oracle applications. Oracle Enterprise Manager is designed for both cloud and on-premises deployments; it isolates and diagnoses problems fast, and reduces downtime, providing end-to-end visibility through real user monitoring; log monitoring; synthetic transaction monitoring; business transaction management and business metrics.

• OpsRamp is a modern IT operations management platform that allows enterprise IT teams and MSPs to “control the chaos” of digital infrastructure. OpsRamp does this through hybrid discovery and monitoring, event and incident management, remediation and automation, powered by AIOps. Users can detect and resolve incidents faster, understand resource dependencies and avoid costly performance issues that result in lost revenue and productivity.

• OverOps captures code-level insight about application quality in real time to help DevOps teams deliver reliable software. Operating in any environment, OverOps employs both static and dynamic code analysis to collect unique data about every error and exception — both caught and uncaught — as well as performance slowdowns.

• Pepperdata is a leader in the APM space with proven products, operational experience, and deep expertise. It provides enterprises with predictable performance, empowered users, managed costs and managed growth for their big data investments, both on-premise and in the cloud.

• Plumbr is a modern monitoring solution designed to be used in microservice-ready environments. Using Plumbr, engineering teams can govern microservice application quality by using data from web application performance monitoring. Plumbr unifies the data from infrastructure, applications, and clients to expose the experience of a user. This makes it possible to discover, verify, fix and prevent issues.

• Riverbed’s application performance solutions provide superior levels of visibility into cloud-native applications — from end users, to microservices, to containers, to infrastructure — to help you dramatically accelerate the application lifecycle from DevOps through production.

• SmartBear: AlertSite’s global network of more than 340 monitoring nodes helps monitor availability and performance of applications and APIs, and find issues before they hit end consumers. The Web transaction recorder DejaClick helps record complex user transactions and turn them into monitors, without requiring any coding.

• Splunk APM enables users to innovate faster in the cloud, improve user experience and future-proof applications. It features NoSample full-fidelity trace ingestion so developers never miss an anomaly, AI-driven analytics and directed troubleshooting, high cardinality exploration of traces, and an open standards approach.

• Stackify by Netreo’s APM solution Retrace gives developers straightforward insights into performance bottlenecks. It integrates code profiling, error tracking and application logs; troubleshoots problems and looks for ways to optimize code; and collects detailed snapshots of what code is doing and how long it takes.

Getting the big picture

Broadcom’s Feldman explained that a monitoring solution should give you perspective and context around what is happening, so having the traditional inside-out view of APM coupled with an outside-in perspective can aid in resolving issues when they arise. Such things as synthetic monitoring of network traffic, and real user monitoring of how applications are used can provide invaluable insight to an application’s performance. She also noted if the application is running in the cloud, you could use Open Tracing techniques to get things like service mesh information to understand what the user experience is for a particular cloud service.

Kompella added that log management and network performance monitoring (NPM) can help extend your monitoring capabilities. While APM tools are good at providing a deep dive of forensics or metrics, log traces help you go even deeper into what’s going on with your applications and services and help improve performance, he said. Network performance monitoring is also extremely important because most large enterprises are working in very hybrid environments where some parts of their technology stacks live on-premises and in the private or public cloud. Additionally, applications tend to have a multi-cloud strategy and are distributed across multiple cloud providers.

“Your technology stack is extremely fragmented and distributed across all these on-prem and cloud environments, which also means that understanding the performance of your network becomes super critical,” said Kompella. “You might have the most resilient applications or the best APM tools, but if you’re not closely understanding network traffic trends or understanding the potential security issues impacting your network, that will end up impacting your customer experience or revenue generating services.”


Guest View BY PAUL HELLER

The gap between ‘smart’ and ‘products’

Paul Heller is CTO at innovation solution provider Sopheon.

The demand for smart products is growing to previously unimaginable levels. For example, the recent IDC Quarterly Smart Home Device Tracker stated that worldwide shipments of smart home devices alone would surpass 1.4 billion units in 2025. Simply put, any physical product that can be enhanced with connectivity likely will be in due time.

One of the most common challenges to successful smart product development and launch is the disconnect between the software teams that develop connected components and those tasked with manufacturing the traditional physical product. This lack of coordination leads to launch delays, costly mistakes, recalls, and unsafe products to the market, potentially impacting brand reputation and eroding consumer confidence.

To fully enjoy the ROI that smart product manufacturing can yield, manufacturers are recognizing and overcoming five common obstacles that prevent the ‘smart’ and ‘product’ sides from working in a cohesive manner: alignment, governance, predictability, visibility and risk control.

Obstacle 1: Misalignment between physical product teams and digital development teams. Competing rhythms, cultures and methodologies between physical and digital product engineering and development lead to friction, delays and higher production costs. The direct line between smart product strategy and execution is broken at the operational level.

The solution: The product realization process for smart, connected products requires alignment between departments, especially physical product development and software development. Allow each functional group to work the way they want to work while harmonizing deadlines, outputs and KPIs.

Obstacle 2: Agreement on decision-making rules. The entanglement of multiple functions can leave governance unclear, resulting in conflicts of interest, power imbalances, high costs of restarts, and a lack of visibility into the smart product lifecycle.

The solution: Establish a best-practice innovation management framework, ensuring it’s clear who is responsible for what, the status of each facet of the development process and whether the launch is on track. For large manufacturers, an enterprise innovation management software, which is the face of your framework, can automate new product development (NPD) processes and increase transparency for confident decision making.

Obstacle 3: Meeting launch deadlines. Meeting market and customer needs for smart product realization requires a predictable, efficient product development process that transcends disciplines and corporate hierarchies.

The solution: Conduct comprehensive product line planning, tying together market segments, regions, needs with the realization of features, products, and assembly.

Obstacle 4: See and manage product and feature data across disparate tools. Product owners are faced with disparate data and no way to leverage it for a better understanding of market segment needs. They have an incomplete picture of the consequences created by delays at the feature/project level within the product portfolio.

The solution: A “single source of truth” is needed to gain cross-organizational agreement on product investments, launch timelines and revenue expectations while coordinating physical and digital teams, product engineering and manufacturing, and third-party suppliers — all using different methods and systems.

Obstacle 5: Combine different ways of working with financial and risk management controls. Disconnection in the smart product development process can bring costly mistakes, recalls, and unsafe products to market. It can impact brand reputation and erode consumer confidence in a company’s products.

The solution: Put an effective process of accountability in place at every stage of the product realization process. Distribute decision-making across the entire innovation chain, not just manufacturing or engineering.

Clear communication and accountability are non-negotiable aspects of successful smart product development. The market expectations are too high to allow blind spots that can delay launches or, even worse, compromise the quality and safety of products.



Analyst View BY ROB ENDERLE

Anticipating China, NVIDIA disruptions

The personal technology market is overdue for change; two vectors to watch are NVIDIA’s ARM acquisition and the forced cutoff of technology-sharing with China. Both moves are inherently disruptive in and of themselves tactically, but strategically the implications are far more significant. Let’s look at each in turn.

NVIDIA ARM

ARM has primarily lived on smartphones, tablets, and a host of growing IoT devices. It is increasingly favored as an architecture due to its collaborative nature. Intel is countering with a licensing strategy, but given the more collaborative nature of ARM founding much of the interest, that will likely be an inadequate response. With NVIDIA’s acquisition, ARM will quickly move from the low power side of market opportunity to mainstream and even performance segments with new configurations and designs. These new offerings will increasingly embrace NVIDIA’s Omniverse strategy, which focuses on creating a standard surrounding mixed reality that could eclipse Windows as a global platform — albeit tightly tied to various Cloud providers where much of the competition will emerge.

This effort will likely create a cloud/device synergy we have not yet seen because it is being conceived during the market’s cloud pivot. This pivot will disrupt where applications run and how people get access to them as the cloud continues to evolve into the universal back end for much of what we currently do on our devices. I expect this to be a five-year window for change. This change will drive new hardware designs, new human/machine interfaces, and far deeper penetration of increasingly more capable AIs and Virtual environments, with Omniverse forming the core of that virtual effort.

China

Currently, the world technology market primarily revolves around the United States, but manufacturing capacity and economies of scale reside in China. U.S. policies to cut China off from legally obtaining technology rights and limiting the flow of information to China while forcing a decoupling of Chinese manufacturing resources are putting the country against a wall. China still maintains its inherent advantages and has ramped its ability to create technology over the last three decades sharply.

Governments, particularly elected governments, tend to act tactically, not considering the long-range implications of policies that too often address the symptoms of a problem and not the problem itself. That appears to be the case in this instance as China will be driven to do what Japan did in the consumer electronics market and more aggressively develop their alternatives to the U.S. technology they no longer access. China represents one of the biggest threats to the current smartphone, PC, cloud status quo and not only could easily transition that state to alternative technology standards but, once economies of scale are reached, could provide relatively inexpensive alternatives to the then more expensive familiar smartphone and PC brands.

Wrapping Up: Confluence

NVIDIA's takeover of ARM, coupled with its Omniverse strategy, promises to massively disrupt not only where our processing power resides but the very nature of what we do. The goal is to digitize the world and create a virtual environment that, if successful, redefines how we compute and meet, interact, and collaborate.

Meanwhile, U.S. policy is forcing China to focus the country on creating alternatives to U.S.-driven platforms to remain relevant in the technology space and keep their factories operating at profitable levels. Once economies of scale and quality levels are achieved, which should happen relatively quickly, these products should break out of the country with cost and price advantages due to China’s unique control of rare earth metals and traditional manufacturing cost advantages. These anticipated trends have a high potential to result in a pivot of market control from the U.S. to China.

Individually, these two coming pivots are significant; together, they signal a level of market disruption we haven’t seen in decades, and are expected to hit in the 2024 to 2026 timeframe.

Rob Enderle is a principal analyst at the Enderle Group.



Industry Watch BY DAVID RUBINSTEIN

Layered progressive delivery

David Rubinstein is editor-in-chief of SD Times.

We’ve written a lot lately about progressive delivery, and how it can help organizations deploy more quickly to get feedback on changes before releasing them widely. Progressive delivery uses experimentation techniques such as feature flags, blue-green rollouts and canary releases to show new features or bug fixes to a small cohort of users, and takes feedback from those experiments to make a decision to go big with it or roll it back to its original state for more work. These experiments enable organizations to decouple deployment from release.

In a recent conversation I had with Dave Karow, evangelist at feature flag platform provider Split Software, he discussed something he called layered progressive delivery. This approach, he explained, begins with finding consensus with developers and SREs. “There’s nobody that’s not going to want better cycle time, shorter cycles. There’s nobody that’s not going to want automating the ability to detect when things go awry that you didn’t expect,” he said.

He went on to say that this new approach to progressive delivery builds layer upon layer of richness to get more out of the experiments, and strongly debunked the notions that experimentation is hardcore rigorous and that it requires building two versions of the code.

Savvy experimenters, Karow said, do dynamic config, which he explained allows development teams to send data along with a flag that sets different parameters for different users. He said the parameters of a recommendation engine, for example, “could dictate, do I want to give David a lot of answers, or just a handful of answers? And if you’re deciding whether you’re going to expose people to this new thing, you could also create two or three cohorts that each have different parameters. Now you’ve got people on your legacy engine, and you’ve got two or three cohorts in the new one, and you’re trying different things — like lots of answers, not very many answers, ranked by popularity versus ranked by relevance.”

The key point he made is that you can change the value in the flags and what those parameters are without having to create new versions of the code. “So now David is in cohort three that gets this, but we’ve just changed that he’s going to see results ranked by popularity instead of ranked by relevance in the engine. And we’re going to run that for a week and see what happens. That’s not three copies of code.”

When Karow talks about a layered approach, it simply describes a way to implement progressive delivery in progressively more value-rich ways, starting with the one that’s least threatening and not a point of debate with a developer.

A hidden benefit of using a feature flag platform to deliver the variations is that it also is capturing telemetry from each of those cohorts separately and processing the data separately, to quickly compare how each cohort behaves. Karow gave an example from LinkedIn, which he said has been doing experimentation for a long time. They had an experiment on which version of an application would cause people to do more job listings. The developers didn’t monitor the application for speed, but got an alert from the platform that said the changes made the application slower. Automating guardrails, such as always monitoring for speed, can provide insights you might not have expected.

The next layer is measuring release impact. “If you achieve shorter lead times, and you’re shipping a lot, you might be like a hamster on a wheel, like you’re in a feature factory, and it sucks,” Karow said. “It’s demotivating. But if you have direct evidence of your efforts, it leads to pride of ownership.”

The top layer is test to learn, an area Karow said can help organizations take bigger risks but in a safe way. He gave the example of a food delivery service that wanted to ask customers questions about their eating and shopping habits to fine-tune their service, but didn’t want to ask too many questions for fear of turning off their users. So, he said, they did a status quo, a modest release, and a “go for it” release — which also increased onboarding time by two or three minutes. And right away, he said, they saw more money from every customer. So instead of the usual pre-release hand-wringing — Do it. Don’t do it. We’ll lose everything. We’ll miss our quarter. — they tried these changes out in a safe way that gave them hard data from real customers.

