SD Times November 2021


NOVEMBER 2021 • VOL. 2, ISSUE 53 • $9.95 • www.sdtimes.com


EDITORIAL
Editor-in-Chief: David Rubinstein, drubinstein@d2emerge.com
News Editor: Jenna Sargent, jsargent@d2emerge.com
Multimedia Editor: Jakub Lewkowicz, jlewkowicz@d2emerge.com
Social Media and Online Editor: Katie Dee, kdee@d2emerge.com
Art Director: Mara Leonardi, mleonardi@d2emerge.com
Contributing Writers: Jacqueline Emigh, Elliot Luber, Caryn Eve Murray, George Tillmann
Contributing Analysts: Enderle Group, Gartner, IDC, Intellyx

CUSTOMER SERVICE
Subscriptions: subscriptions@d2emerge.com
Advertising Traffic: Mara Leonardi, mleonardi@d2emerge.com
List Services: Jessica Carroll, jcarroll@d2emerge.com
Reprints: reprints@d2emerge.com
Accounting: accounting@d2emerge.com

ADVERTISING SALES
Publisher: David Lyman, 978-465-2351, dlyman@d2emerge.com
Marketing and Digital Media Specialist: Andrew Rockefeller, arockefeller@d2emerge.com

D2 EMERGE LLC, www.d2emerge.com
President & CEO: David Lyman
Chief Operating Officer: David Rubinstein



Contents
VOLUME 2, ISSUE 53 • NOVEMBER 2021

NEWS
4: News Watch
10: Selenium 4: Improved Grid, new features for testers
13: Bootcamp launches to reduce DevOps barriers
13: CloudBees makes upgrades to feature management, compliance

FEATURES
6: The Fungible Fallacy: Structural impediments to effective project management
14: Managing remote teams
18: Buyers Guide: Securing cloud-native applications

COLUMNS
24: Guest View by Dori Exterman: It pays to be a softie in software dev
25: Analyst View by Rob Enderle: Watching Huawei's Harmony OS
26: Industry Watch by David Rubinstein: Online shopping and drugs (not related)

Coming in December: The Year in Review

Software Development Times (ISSN 1528-1965) is published 12 times per year by D2 Emerge LLC, 2 Roberts Lane, Newburyport, MA 01950. Periodicals postage paid at Plainview, NY, and additional offices. SD Times is a registered trademark of D2 Emerge LLC. All contents © 2021 D2 Emerge LLC. All rights reserved. The price of a one-year subscription is US$179 for subscribers in the U.S., $189 in Canada, $229 elsewhere. POSTMASTER: Send address changes to SD Times, 2 Roberts Lane, Newburyport, MA 01950. SD Times subscriber services may be reached at subscriptions@d2emerge.com.



NEWS WATCH

IBM Research creates benchmark for AI models
IBM Research has created AGENT, a benchmark for evaluating an AI model's core psychological reasoning ability, or common sense, to help users build and test AI models that reason the way humans do. AGENT is used to challenge two baseline models and evaluate their performance using a generalization-focused protocol developed at IBM. The results show that the benchmark is useful for evaluating the core psychological reasoning ability of any AI model. The trials assess a minimal set of key common-sense concepts considered to be part of the core psychology of young children and are grouped into four scenarios: goal preferences, action efficiency, unobserved constraints, and cost-reward trade-offs.

Snyk announces language support
Snyk Code, which offers a dev-first approach to static application security testing tooling, has added support for C#, Ruby, PHP and Go to its existing Java, JavaScript, and Python coverage. Snyk Open Source adds language support for Elixir and the package managers Yarn 2 and Poetry, native integrations with Atlassian Bitbucket and AWS CodePipeline, and more. Snyk Container gained expanded container registry support for Quay, GitHub Container Registry, GitLab, Google Artifact Registry and Harbor, plus new support for the Trivy open-source container scanning tool backed by Snyk's vulnerability database. Updates were also made to Snyk Infrastructure as Code, Snyk API v3, and Snyk Apps. The company also partnered with DigitalOcean to help developers secure containerized applications during development and introduced an integration with HashiCorp Terraform Cloud, which addresses the configuration security challenges that arise when delivering infrastructure as code.

Android 12 improves UI
One of the main themes of Android 12 is UI improvements. Android 12 introduces support for a new design language, Material You. Other UI updates include redesigned widgets that are more useful and discoverable, notification UI updates, a new stretch overscroll effect in scrolling containers, and app launch splash screens. The Android development team also worked to improve performance for this release. According to the team, they were able to reduce the CPU time used by core system services by 22% and the use of big cores by 15%. Android 12 also prevents apps from starting foreground services while in the background, features more responsive notifications, and faster machine learning. It also introduces Performance Class, a set of capabilities that support demanding use cases and high-quality content on Android 12 devices. Privacy is another major theme of the OS update. Improvements include a new privacy dashboard, greater control over location data, indicators for when an app is using the microphone or camera, toggles for disabling microphone or camera access, and the ability to scan for and pair with nearby devices without needing to grant location permission. Finally, new user experience tools include rich content insertion with a new unified API, support for rounded corners, AVIF image support, compatible media transcoding, easier blurs and color filters, enhanced haptic experiences, new camera effects and sensor capabilities, and better debugging tools.

Linux Foundation, IBM announce ML eXchange
Machine Learning eXchange (MLX) is a one-stop shop for trusted data and AI artifacts in open source and open governance. MLX provides a collection of free, open source, state-of-the-art deep learning models for common application domains. The curated list includes deployable models that can be run as a microservice on Kubernetes or OpenShift and trainable models where users can provide their own data to train the models. It provides developers and data scientists with automated sample pipeline code generation to execute registered models, datasets, and notebooks, and a pipelines engine powered by Kubeflow Pipelines on Tekton, the core of Watson Studio Pipelines. "Due to the large number of steps that need to be worked on in the Data and AI lifecycle, the process of building a model can be bifurcated amongst various teams and large amounts of duplication can arise when creating similar Datasets, Features, Models, Pipelines, Pipeline tasks, etc. This also poses a strong challenge for traceability, governance, risk management, lineage tracking, and metadata collection," the contributors to the project said. "To solve the problems mentioned above, we need a central repository where all the different asset types like Datasets, Models, and Pipelines are stored to be shared and reused across organizational boundaries."

Amazon releases NLP query tool
AWS announced the release of Amazon QuickSight Q, a natural language query tool for the Enterprise Edition of QuickSight. It uses Natural Language Understanding (NLU) to discover the intent behind questions and is able to answer questions that refer to all data sources supported by QuickSight, according to AWS. This includes data from all AWS sources such as Amazon Redshift, Amazon Relational Database Service (RDS), Amazon Aurora, Amazon Athena, and Amazon Simple Storage Service (Amazon S3) as well as third-party sources and SaaS apps such as Salesforce, Adobe Analytics, ServiceNow, and Excel. Q is powered by topics, which are generally created by QuickSight Authors for use within an organization. Topics represent subject areas for questions and are created interactively. In addition to results, it gives access to explanatory information that can be reviewed to ensure that the question was understood and processed as desired.

Google Cloud offers managed CD service
Google Cloud Deploy is a managed, opinionated continuous delivery service that makes continuous delivery to GKE easier, faster, and more reliable. Deploying container image artifacts into various environments remains a difficult task for many, and there are still no agreed-upon best practices, according to Google. Google Cloud Deploy enables fine-grained restriction, with discrete resource access control and execution-level security. Users can also take advantage of flow management features such as release promotion, rollback, and approvals. Cloud Audit Logs audits user-invoked Google Cloud Deploy activities, providing centralized awareness of who promoted a specific release or made an update to a delivery pipeline. For integration, Google Cloud Deploy embraces the GKE delivery tooling ecosystem in three ways: connectivity to CI systems, support for leading configuration (rendering) tooling, and Pub/Sub notifications to enable third-party integrations.

Netlify launches Enterprise Grid
Netlify introduced new features, workflow, and automation for enterprises building modern web applications at scale. The new team governance features and Jira integration make it easier for large-scale enterprises to benefit from the Jamstack ecosystem and best practices. The company added a new integration with Jira to accelerate feedback on web projects, and availability of Netlify Enterprise on AWS Marketplace. With team governance simplified with Enterprise Grid, organization owners can view and manage every Netlify web project across the business from a single, consolidated console. Developer admins can monitor usage, manage business unit-level billing and invoicing, set team permissions, and more. The new Netlify Deploy Previews enable development teams to share, review and manage feedback on web projects, with feedback that can now flow directly to Jira. Netlify can also be part of a single cloud bill in AWS.

Microsoft info on developing for Surface Duo 2
Microsoft announced its new Microsoft Surface Duo 2 and is now inviting developers to start building or enhancing apps for dual-screen devices. The best way to start is by using Jetpack Window Manager, according to Guy Merin, senior director of engineering at Microsoft, in a blog post. It has a FoldingFeature class providing device-specific information so that a single code base can adapt to different dual-screen and foldable devices. "For app developers, the hardware differences will not materially affect the way you design and build dual-screen apps — the Jetpack Window Manager APIs will automatically provide the correct information for each device," Merin wrote. The new Surface Duo 2 has slightly taller and narrower individual panes and the hinge area is smaller. Also, the screen resolution changes are now reflected in the resource qualifiers that developers can use to load resources and layouts. The Surface Duo 2 Android emulator provides a complete dual-screen experience for running Android 11, simulating the hinge with a 3D modes view, supporting Jetpack Window Manager APIs for adaptive UI layouts, and more.

Wind River acquires Particle Design
Wind River has announced that it completed the acquisition of the UI/UX design company Particle Design, which brings UI/UX capabilities to the new Wind River Studio offering. Particle Design offers end-to-end UX research services that employ a range of methodologies from ethnographic research to user evaluations and usability testing; its design services include prototyping, interaction design, and wireframing. The Studio offering will have expanded UI/UX capabilities, including cognitive UI, which uses AI/ML to predict and anticipate the needs and behaviors of the user, bringing a more intelligent assistant-type UX.

People on the move

Renu Motwani will be heading up Broadcom's Rally Software unit as its product leader. Motwani previously held positions at Sun Microsystems, Oracle, Myriad Software, and CA Technologies, which Broadcom acquired in 2018. She was previously Broadcom's head of product management for AIOps Operational Intelligence.

Ensono has appointed Duan Van Der Westuizen as its newest senior vice president of public cloud. In this role he will drive growth of Ensono's public cloud business by launching differentiated offerings to solve the unique challenges companies face as they adopt cloud. His previous role was SVP of marketing at Faction, and he also spent 11 years as general manager of the Microsoft Azure group at Rackspace.

Chris Malone has been announced as Applause's newest CEO. He has been with the company since 2013 and has served as president and CFO. He will continue to serve on the company's board of directors as well. Doron Reuveni, the previous CEO and founder, will now serve as executive chairman of the board.



The Fungible Fallacy: Structural impediments to effective project management
BY GEORGE TILLMANN

George Tillmann is a retired programmer, analyst, systems and programming manager, and CIO. This article is adapted from his book Project Management Scholia: Recognizing and Avoiding Project Management's Biggest Mistakes (Stockbridge Press, 2019). He can be reached at georgetillmann@gmx.com.

Is IT an art or a science? Practitioners seem happy to leave questions like these to philosophers. We do like numbers, though. Basically, we like to count things. We count users, lines of code, errors, dollars and, one of the coolest things to count, people. We can calculate how many people are needed on a project, how long it will take them to do it, and even what they will cost, all without knowing who they are. The power of math makes individual team members' experience and skills unimportant. At least that is how the process is supposed to work.

STRUCTURAL PROBLEM ONE: Our way of counting staff can be inaccurate and misleading

Project managers have traditionally had three jobs. The first is planning the project, including estimating the costs and time needed to complete the work. Planning is needed to sell the project to the users, gain approval, and obtain the necessary funding. The second job, once the project is approved, is acquiring the needed staff. This can be a dicey task because the needed staff might be committed or assigned to other projects. IT management often plays the major role in deciding who is on which project, with the project manager relegated to a minor role. The third job is overseeing the actual work of building the system.

Project managers have traditionally had three tools for dealing with project estimating and staffing: head count, person-months, and full-time equivalents (FTEs). Head count is the actual number of staff on the project at any given time. A person-month is a measure of effort, not time, and is the amount of work one individual can complete in one month. What is nice about the person-month is that it is not only countable but you can apply arithmetic operators to it. For example, 10 person-months is half of 20 person-months. A project requiring 100 person-months can be completed in 10 calendar months if it is staffed with 10 people and in 5 calendar months if staffed with 20 people. A full-time equivalent (FTE) expresses how many virtual people will be needed to perform the tasks. For example, if an analyst spends 50 percent of his time meeting with users, 30 percent conferring with team members, and 20 percent doing administrative tasks such as writing reports and meeting with project management, then the job could be categorized as one-half FTE meeting with users, three-tenths FTE meeting with team members, and one-fifth FTE doing admin. If the project manager wants the analyst to work 60 percent with users, then she needs to reassign one-tenth FTE to other staff. A partial FTE is just what it sounds like: a half-FTE is the equivalent of a half-time person, or two quarter-time people, or four eighth-time people, and so on. In the analyst example, the total work (meeting with users, conferring with team members, and admin) was assigned to one person: one FTE and a head count of one. However, if staffing is just a math problem, then the job could just as easily have been staffed by a half-time person for the analysis work, a second person at 30 percent working with team members, and two people at 10 percent each working on admin and training. In total, one FTE and a head count of four.

Fungibility
Person-months and FTEs work because of a concept called fungibility. Fungible refers to an asset that can be substituted for another asset of the same kind. Fungible objects have no individuation and are interchangeable with all other objects of the same class. For example, U.S. dollars are fungible. If someone owes you 10 dollars then any 10 dollars (one 10-dollar bill, or two 5-dollar bills, or 40 quarters) will do. In terms of people, fungibility means that one staff member equals two half-time staff or four quarter-time staff. Fungibility is the mechanism that allows the IT manager and project manager to easily translate FTEs into person-months.

Taking the fun out of fungibles: The Planning Problem
Virtually all project planning takes place before the project manager knows who will be staffed on the project and what their skills, experience, and salaries are. Yet costs and schedules are needed before funding. Most organizations use a standard (cost) model. It might use a generic cost, such as all IT staff having a loaded cost of $10,000 per month. Some models are title-specific, such as: analysts $11,000 per month, designers $10,000 per month, programmers $8,000 per month, project managers $15,000 per month, etc. Standard models, even title-specific ones, assume that all staff in a given category have the same skill level and the same experience, are equally productive, and are paid the same. This is never true. Staff skills, experience, productivity, and salaries vary considerably in the typical organization, making standard models problematic. For example, programmer productivity can vary more than ten-fold within the same organization (see "The Most Important Factor in Project Success? Your Staff," SD Times, June 2020). Therefore, accurate projected numbers cannot be baked into the plan.

Conclusion One: Real people are not fungible. Costs generated on the assumption that staff are fungible are, at best, tentative. But wait, it gets worse.

STRUCTURAL PROBLEM TWO: Team staffing, even when every team member shares the same skills and work ethic, might be uncountable

You often hear in a movie or read in a novel the refrain, "Put more men on the job." The phrase comes from some confrontation between management and a foreman trying to make the best of a bad situation. The implication is that by adding bodies to the project it will happen faster, or at least get done. Almost everyone in IT has heard of Frederick Brooks, who, in his monumental book "The Mythical Man-Month," confronts the fallacy of adding bodies to a job to make it finish sooner. Brooks shows that added staff can actually slow progress further. For example, if a 50 person-month project with a staff of 10 is two months behind schedule, adding five more staff might cause it to become three months behind schedule. The math simply doesn't work. Why? Many reasons. For example, the existing staff have to stop the critical project work they are doing to get the new staff up to speed. Also, numerous studies show that larger teams require more coordination and communication than smaller teams, with the additional time taken away from project work.

Taking the fun out of fungibles: The Communication Overhead Problem
The need for team members to consult with other team members is called communication overhead and is part of the overall project cost in time and effort, even if it is rarely recognized by IT. Brooks and others point out that as staff are added to a project, the communication overhead soars, with some reporting an exponential increase. All of that additional time and effort must be accounted for, but usually isn't. The result? You guessed it: the situation goes from bad to worse. Assume a team of 21 staff. Using Brooks' numbers, a team of 21 requires 210 pairwise staff interactions (21 × 20 / 2; the number of pairs grows with the square of the head count). If each team member interacts with every other team member once a week for 10 minutes, then 2,100 minutes of meeting time are consumed each week, which is 35 hours, or 87.5% of a single 40-hour workweek. (Counting both participants' time in each 10-minute meeting doubles that figure.)

Add this wrinkle. Remember FTEs? According to our math the time required to perform some task should be the same whether one person is assigned full-time or four staff are each assigned 25% of the time. The effort should be the same but, owing to communication overhead, it is not. The four people will require more effort and/or more time than a single person doing the job. The problem with FTEs in general, and partial FTEs specifically, is that the reality often does not match the math.

Conclusion Two: Any team larger than one person has to account for communication overhead, and the amount of communication overhead depends on head count, not FTEs, playing further havoc with the fungibility of staff.

What you can do about the Project Planning Problem
It is a grave error to assume that a person is a person is a person, that is, that staff are interchangeable. Person-month/FTE math only works if staff are fungible and, as we have shown, they are not. So why does IT put so much emphasis on FTEs and fungibility? The answer is that IT has little choice, because project costs and schedules are often required months before a project starts. Person-months and FTEs are useful, but only at the right time and in the right context. During project proposal or the early stages of project planning, they are often the only means of providing senior management with a ballpark estimate of project costs and schedules. However, they are only useful as a starting point. As soon as actual staff assignments are known, the project manager should provide more credible numbers. It is important that the tentativeness of the project plan, with its FTE-driven budget, be known for what it is: a first-blush look at costs. The project manager, ideally with the help of IT management and the project champion, needs to: (1) explain to senior user management that the pre-kickoff project plan reflects standard, not real, costs and productivity, and (2) review the project plan shortly after kickoff and possibly adjust it to reflect actual project staffing. Will senior business management go along with this Day 2 project plan review? Maybe not, but even if they do not, at least the project manager has gone on record raising the issue. At the very least, it should help at your court martial.

What you can do about the Communication Overhead Problem
Brooks' model says that a flat team of 21 people burns 2,100 minutes a week, close to one full person-week, just comparing notes. There is a partial solution to this problem, however: partitioning. Imagine the 21-person project consists of one project manager and five sub-teams of four staff each, with one member of each sub-team designated team leader. Each sub-team member communicates with each other member of the sub-team for 10 minutes per week (six pairs per sub-team, 60 minutes, or 300 minutes across the five sub-teams), and each team leader interacts with the other team leaders and the project manager for an additional 10 minutes per week (six people, 15 pairs, 150 minutes). The weekly communication overhead for the partitioned team is 450 minutes per week, or 18.8% of a 40-hour workweek. In this example, partitioning the team produced an almost fivefold reduction in communication overhead. Some project experts are skeptical of Brooks' formulas. Not every team member needs to communicate individually with every other team member. However, while Brooks' numbers might overstate the problem, experience has shown that they are directionally correct. Small teams are more efficient than large teams. Turning a single large team into multiple small teams can reduce costs and improve the odds of the project finishing successfully. However, any team with a head count greater than one must deal with the communication overhead problem, partitioned or not.

Fungibility: The reality of the situation
There are two fungibility problems for the project manager. First, head count and FTEs play a major role in determining the resources needed to complete a project. However, until the staffing and the structure of the team are known, resource requirements are volatile. Once project staffing is finalized, the project manager should review the project plan to determine whether any staffing decisions affect projected project costs or schedules. Second, team size and team structure play a major role in the resources needed to complete a project. The culprit is communication overhead: the need to keep all team members informed increases significantly as the project head count increases, potentially playing havoc with costs and schedules. The good news is that communication overhead can be mitigated by partitioning large projects into multiple smaller sub-projects. The bad news is that while communication overhead can be reduced, it cannot be eliminated.

Next month, Part 2 of "The Fungible Fallacy: Sociological Impediments to Project Management."
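As an added example, not part of Tillmann's article or his book, the following Python model puts the overhead arithmetic above into reusable functions and goes one step beyond the article: it reports the same weekly figure against the whole team's capacity as well as against a single 40-hour week, the two yardsticks that are easy to confuse. The 21-person team, the five sub-teams of four, the 10-minute pairwise meeting and the placement of the project manager outside the sub-teams are taken from the article; the function names and the report structure are my own.

```python
# Added example (not from the SD Times article): a small model of the
# communication-overhead arithmetic the article attributes to Brooks.
# Every pair of people who must keep each other informed is assumed to meet
# once a week for a fixed number of minutes. The 21-person team, five
# sub-teams of four, and 10-minute meetings are the article's worked case.

from dataclasses import dataclass

WORKWEEK_MINUTES = 40 * 60  # one person's nominal 40-hour week


def pairwise_links(head_count: int) -> int:
    """Number of distinct pairs in a group: n(n-1)/2. Grows quadratically."""
    if head_count < 0:
        raise ValueError("head count cannot be negative")
    return head_count * (head_count - 1) // 2


def flat_overhead(head_count: int, minutes_per_pair: int = 10) -> int:
    """Weekly meeting minutes when everyone talks to everyone (each meeting counted once)."""
    return pairwise_links(head_count) * minutes_per_pair


def partitioned_overhead(sub_teams: int, sub_team_size: int,
                         minutes_per_pair: int = 10) -> int:
    """Weekly meeting minutes when the team is split into sub-teams.

    Within each sub-team everyone talks to everyone; across sub-teams only the
    team leaders talk, together with one project manager who is assumed to sit
    outside the sub-teams (the structure the article describes).
    """
    inside = sub_teams * flat_overhead(sub_team_size, minutes_per_pair)
    leaders_and_pm = flat_overhead(sub_teams + 1, minutes_per_pair)
    return inside + leaders_and_pm


@dataclass(frozen=True)
class OverheadReport:
    head_count: int
    meeting_minutes: int            # meetings counted once
    person_minutes: int             # both participants' time, i.e. doubled
    share_of_one_week: float        # the article's yardstick: one 40-hour week
    share_of_team_capacity: float   # against head_count * 40 hours


def report(head_count: int, meeting_minutes: int) -> OverheadReport:
    """Express a weekly overhead figure the two ways that are easy to confuse."""
    person_minutes = 2 * meeting_minutes
    return OverheadReport(
        head_count=head_count,
        meeting_minutes=meeting_minutes,
        person_minutes=person_minutes,
        share_of_one_week=meeting_minutes / WORKWEEK_MINUTES,
        share_of_team_capacity=person_minutes / (head_count * WORKWEEK_MINUTES),
    )


def partitioning_gain(head_count: int, sub_teams: int, sub_team_size: int,
                      minutes_per_pair: int = 10) -> float:
    """How many times smaller the overhead becomes after partitioning."""
    if head_count - sub_teams * sub_team_size != 1:
        raise ValueError("expected exactly one project manager outside the sub-teams")
    return (flat_overhead(head_count, minutes_per_pair)
            / partitioned_overhead(sub_teams, sub_team_size, minutes_per_pair))


if __name__ == "__main__":
    flat = report(21, flat_overhead(21))
    split = report(21, partitioned_overhead(5, 4))
    print(f"flat team of 21: {flat.meeting_minutes} min/week "
          f"({flat.share_of_one_week:.1%} of one workweek, "
          f"{flat.share_of_team_capacity:.1%} of the team's capacity)")
    print(f"5 sub-teams of 4 plus PM: {split.meeting_minutes} min/week "
          f"({split.share_of_one_week:.1%} of one workweek)")
    print(f"reduction from partitioning: {partitioning_gain(21, 5, 4):.2f}x")
```

Run as a script it reproduces the article's 2,100 and 450 minutes and the 87.5% and 18.8% figures, and adds the team-capacity view: 2,100 meeting minutes is 4,200 person-minutes, about 8.3% of a 21-person team's 840 available hours. Both views are worth having on the plan, because the first tells you how much of one position coordination consumes and the second tells you what fraction of the whole team's effort it is.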



Selenium 4: Improved Grid, new features for testers
The former project lead explains the release from the points of view of testers and the Grid updates
BY DAVID RUBINSTEIN

Selenium is the most widely used software for automating UI testing, and while some maintain it is flaky and not facile at managing dependencies, the project has found its way into many development shops. Last month saw the release of Selenium 4, which Simon Stewart, former lead of the open-source Selenium project, said introduced "a lot" of new features and bug fixes, both from the point of view of a tester using Selenium to automate a browser, and from an improved Selenium Grid.

For testers using Selenium, new features include "relative locators," which allow the tester to describe where an element is on a page using human language, such as "above this element" or "to the right of that element," explained Stewart, who stepped down from his role on Oct. 27. The release adds support for handling authentication, intercepting and stubbing out network traffic, and capturing JavaScript errors. Further, there is new support for Chromium-based Edge out of the box. "When we released the last version of Selenium 3, that browser didn't even exist," Stewart told SD Times. He added that the project team cleaned up the internals of Selenium itself, allowing work on the codebase to proceed at speed. "It's not often a project has a chance to pay down some technical debt," Stewart said.

Stewart described the update to Selenium Grid as "a ground-up rewrite of what we had in Selenium 3." This includes integrated support for using Docker containers, and adds a "fully distributed" mode, designed to ease the deployment of large Grids into environments such as Kubernetes, he said, to go along with support for the original "standalone" and "hub and node" configurations. Grid has a new UI sitting atop a GraphQL back end, and offers live views of tests running on the Grid. This, Stewart explained, "is a remarkably useful thing to be able to do. Of course, modern sysadmins don't just rely on an app's UI to determine if everything is working as it should, so we've made the Grid 'observable' using … OpenTelemetry APIs. This allows you to use tools such as Jaeger or Honeycomb to dig into the internals of each and every request."

Stewart has heard critics who say Selenium requires special expertise to run, that it's difficult to scale and needs a lot of maintenance, and responded by saying, "I'd suggest that the Selenium Grid is no more complex or complicated than any distributed system you may wish to deploy to Kubernetes …" He went on to say that "the Selenium Grid is like any distributed system you may want to run at your company: when things are working well, it's fine, but debugging issues can take time and specialist skills." He noted that the project has tried to lower this kind of burden through support for observability, which helps teams keep up with the rapid release schedules of modern browsers. "That's why 'Selenium-as-a-Service' providers, such as SauceLabs and BrowserStack, are so popular. Even projects that compete with the Selenium Grid try and steer people to centralized systems that they maintain for you," he said.

Observability also makes diagnosing issues simpler, Stewart said. Each of the components within the Grid has a clear REST-based API that can be implemented in whichever way a user prefers. In-memory implementations of these are part of the main Selenium 4 distribution, and there are database- or Redis-backed implementations of the stateful parts of the system, which had not been done previously.

While Selenium offers automated browser testing, Stewart said, "I don't think we'll ever be able to remove people from the mix, no matter which test library we use — particularly if the test is to be written before the software has been developed," such as in teams practicing Test-Driven Development. Stewart explained: "I've seen people try to automate generating Page Objects, and these usually end up mapping input elements to properties of the object, so rather than loginPage.loginAs("admin", "admin") you end up with loginPage.setUsername("admin"); loginPage.setPassword("admin"). That is, expressiveness and clarity have been sacrificed to the convenience of generating the Page Object, and since the real cost of a test is in understanding and maintaining it, I think this is a false economy.

"On the other hand," he continued, "computers are really good at generating and running exhaustive examples and inputs. I've seen some very creative uses of Selenium which spider a site and attempt to spam any forms that they come across, or that ensure that the 'tab index' (the order in which form elements are focused as people hit the 'tab' key) makes sense. For those kinds of tests, I'd much rather rely on an autonomous test than one a human wrote."

To get started with Selenium itself, there are numerous resources, such as those offered by the Test Automation University. The Selenium site has documentation in multiple languages. More immediate help can be found in the project's Slack channel, where the core developers are often online.



www.sdtimes.com

November 2021

SD Times

13

DEVOPS WATCH

Bootcamp launches to reduce DevOps barriers
BY JENNA SARGENT

The Linux Foundation and Continuous Delivery Foundation (CDF) have teamed up to help reduce the barrier to entry for various technology roles. Through their new DevOps Bootcamp, students can learn the necessary knowledge and skills to practice DevOps in different roles. According to The Linux Foundation’s 2021 Open Source Jobs report, 88% of technology professionals utilize DevOps, which highlights the importance of understanding these practices. The Linux Foundation and CDF designed the bootcamp for existing or aspiring developers, operations professionals, engineers, or anyone else involved in software development, delivery, deployment, and maintenance.

The DevOps Bootcamp will provide an introduction to areas like DevOps and Site Reliability Engineering (SRE). It also gives more detailed information about specific DevOps toolsets, such as Jenkins, and the course finishes with advanced topics such as GitOps and DevSecOps. The foundations also noted that while the program talks about specific tools like Jenkins, it’s not intended to train students on those toolsets. This is because there are many DevOps tools out there and many organizations use a combination of tools, so it is better to take specific training on those tools as needed. In addition to the classes, students will get access to an online forum where they can interact with other students, as well as virtual office hours with instructors four days a week. The program can be completed in six months if a student dedicates 10-15 hours of effort per week to it, according to the foundations.

“Implementation of continuous delivery techniques varies widely by industry and requires case-by-case understanding of your own unique development environment. The Linux Foundation continues to provide high quality courses for software developers who want a better understanding of the continuous delivery landscape, and this DevOps Bootcamp is an excellent way to turbocharge your understanding and proficiency,” said Tracy Miranda, executive director of the Continuous Delivery Foundation. “By enrolling in the DevOps Bootcamp, within just a half year, you will be able to better evaluate and implement a solution that meets your DevOps needs.”

CloudBees makes upgrades to feature management, compliance
BY JENNA SARGENT

CloudBees is aiming to make improvements to feature management and compliance through new updates to its platforms announced at its DevOps World 2021 conference. CloudBees Feature Management now provides full visibility into feature flags throughout development and release pipelines. This allows companies to more efficiently scale their use of feature flags. The platform now integrates with Jenkins, allowing developers to see their flags in the build pipeline. According to CloudBees, feature flag management has traditionally been separate from CI, which led to inefficiencies. Now, Jenkins users will be able to create, delete, or update a flag within a CI job.

“In order for feature management to be scaled effectively across enterprises, it cannot operate in a silo separate from the tools used for CI and CD,” said Dinesh Keswani, chief technology officer of CloudBees. “There must be common visibility and governance of feature flags throughout the software delivery lifecycle. These new enhancements lay the foundation for fully integrated feature flags across the CloudBees Platform, enabling enterprise-scale progressive delivery, especially for our customers with highly complex environments.”

The company also announced CloudBees Compliance, which provides compliance and risk analysis throughout the development lifecycle. The solution can assess compliance of code, binary artifacts, data, identity, and infrastructure environments. It also provides developers with actionable feedback so that they can resolve compliance issues quickly. It uses a common repository of rules in its assessments, and also deduplicates alerts to eliminate double alerting. Teams can also set custom thresholds based on their acceptable risk level. CloudBees Compliance is expected to be generally available in the first quarter of 2022.

“Shifting left is not enough for enterprises that are highly regulated, highly complex and operating at extraordinary scale,” said Stephen DeWitt, CEO of CloudBees. “Putting code into production that doesn’t work, whatever the reason, isn’t a viable option – the risks and costs are just too high. What enterprises want and need is immediate and actionable feedback at every point of the software delivery life cycle so that they have the peace of mind of being compliant at all times, all while enabling developers to focus on creating business value.”


BY KATIE DEE

The COVID-19 pandemic forced the closure of many offices, and even as we see the virus waning, companies are still allowing their workforces to stay at home, creating management challenges to overcome. For many, this is a new practice that requires trial and error in order to find the most efficient remote management strategy. Even then, project managers and employees find themselves battling new challenges. According to Bill Palombi, senior technical product manager at the dataflow automation organization Prefect, these hardships vary depending on what stage a company is at in terms of growth. “I would say the most substantial challenge by far is onboarding people and gelling different teams together,” Palombi said. “The processes that you need to be successful [remotely] simply change as a company grows.” According to Palombi, the struggle with onboarding teams remotely is compounded by the fact that team members and managers, or even team members and other team members, struggle to form a solid relationship without meeting in person. “Particularly, those informal ties within an organization are sometimes hard to develop with a remote team… when everybody is in the same workspace, there’s a propensity to lean on more informal ways of doing things,” he said.

Without those informal bonds and methods that in-person work offers, project managers overseeing remote teams must leverage certain tools that are well suited for collaboration. Palombi believes that any kind of task and project management software that allows managers and team members to keep track of in-progress tasks has become an essential part of managing teams remotely. “There’s a tool that we use to capture tasks, assign those tasks to people, and then use that task… as a point to share status updates relevant to the completion of the task,” he said. These types of tools can be a huge benefit to project managers as they not only allow for a certain level of collaboration, but also the tracking of different team members’ work. Another struggle Palombi highlighted was that of the mental health and the home life of team members and managers alike. “I don’t know that it’s any more important now [to offer mental health resources] than it always has been, but I do think that it is getting more attention,” he began, “We have a lot of informal conversations at Prefect that act as opportunities for those with

challenges to come forward.” Creating an environment where team members feel comfortable going to their managers with personal problems that can have an effect on their work is more important now than ever.

Personal connections are key

Ahva Sadeghi, co-founder and CEO of Symba, a women-founded tech startup that connects companies with qualified remote interns, also emphasized the importance of forming this personal connection with employees when managing teams remotely. According to Sadeghi, the major challenges of managing a remote team can be broken up into two aspects: clear communication and mental health support. “One aspect is managing the workload, the workflow and communication,” she said. “It’s about making sure that project managers are in touch with their team, that there are clear expectations, and that their team is well suited to deliver on projects.” She explained that this can be harder to accomplish in a remote setting as managers no longer have full access to their team members. According to Sadeghi, without the option to knock on someone’s door and see how they are doing with the work they are assigned, managers can be left feeling slightly out of touch with how things are going.


However, Sadeghi said the solution to this problem is striking the right balance between being overbearing and being too hands off. “It’s been challenging for some of these project managers whether they are overstepping and creating a micromanaging environment or if they’re not giving enough direction and their employees and teams feel lost,” she said. The next challenge Sadeghi highlighted was that of the mental health of team members working remotely, specifically during the pandemic. “I think the second biggest challenge is definitely around mental health because not only have we been in a remote setting where we don’t have a lot of the culture and experiences that we had in a workplace setting, but going through the pandemic we find ourselves isolated from other aspects of our social environment,” she explained. Throughout the pandemic, millions of people around the world found themselves disconnected from their friends and family. This social detachment paired with a remote work environment can leave people feeling alone, putting a strain on their mental health.

According to Sadeghi, there are some ways organizations can combat this. She said, “The first thing is really treating your employees and team as people rather than just employees.” For project managers and team leaders operating in a remote setting it can be easy to fall into the trap of viewing team members as employees only. One way Sadeghi thinks organizations can prevent this is by hosting regular mental health check-ins with team members. One tip Sadeghi had for project managers trying to make these mental health check-ins as effective as possible was her “red, yellow, green” system. “This is one thing that we do where we just ask how they’re doing and they categorize their feelings into either red, yellow, or green,” she explained, “red meaning things are on fire, I need to stop what I’m doing and I need to focus on something else. Yellow meaning I’m struggling with things, or green meaning I’m doing really great.” Having simplified terms for team members to express their feelings to their managers makes them feel supported throughout this challenging time. “This allows us to

continued on page 16 >

One-to-one meetings ‘powerful’

Hazim Macky, vice president of engineering for the cryptocurrency platform Coinme, believes that the most effective way to manage a team remotely is through personalized one-to-one meetings with team members. “I think in general that one-to-one meetings are a very powerful tool for any leader,” Macky said. “It is an opportunity for both the leader or the manager and the employee to connect on so many levels.” Unfortunately, this personal connection between managers and their employees can seem unattainable in the remote working world we now live in. According to Macky, one-to-one meetings might be the solution for the disconnect that many companies are facing because they allow employees and managers to personally share expectations and work on plans for growth and development. When working remotely, it can sometimes be difficult to find motivation and intention to put behind different tasks. The same goes for the practice of one-to-one meetings in a remote setting. “This type of meeting is a great tool for any manager to have in their toolkit, however, there needs to be intentionality to back it up,” Macky said. He placed an emphasis on the effectiveness of these types of meetings for both the employee and the manager — both parties need to leave the meeting feeling as if they got something out of it and that it was a productive use of time. This becomes especially important when managing a team remotely because face time with your employees becomes more rare. This leads to the question of how to conduct one-to-one meetings remotely in the most effective way possible. Macky’s strategy for this is to schedule one-to-one meetings not as a method to get updates on certain projects, but rather as an avenue to invite open communication and form a trusting relationship between manager and employee. According to Macky, shared understanding is an important place to start. 
“They come from a ground of understanding, meaning that the manager understands what the employee wants to address,” he explained. “What are the expectations? How does the employee want the manager to behave? Do they want suggestions or do they want the manager to merely listen and hold a space for them?” For a manager, taking this time to hear employee feedback and understand their experience within the organization can be just as important for company growth and overall progress as hearing about updates on different projects. “There is a great opportunity with one-to-ones for the manager to see how they can best provide support for their employees during this challenging time,” Macky said. He placed an emphasis on the effect of COVID-19 on the mental health of the masses and how employees’ struggles in that regard may negatively affect their work, especially when that work is being conducted remotely. “It is important to create the environment to really let the employees know that they are heard,” he said. “If needed, the manager can offer some resources that either the company provides or that I just want you to know about.” Macky said this is oftentimes uncharted territory for managers, as they most likely have never had a need to be exposed to or trained in mental health services prior to the past year. Now, in the remote work setting, addressing these concerns becomes a more pertinent issue than ever before. When an employee is granted this kind of one-on-one, open communication, it also helps to build company loyalty, something that can be challenging to accomplish in a remote setting. According to Macky, using one-to-one meetings to let your employees know that you care about them as people rather than just as workers will motivate them to work harder and boost company morale. “Letting the employee know that they’re heard and being listened to [by the manager] is a powerful tool,” he said. “It creates a culture of inclusivity and belonging within the organization that I think every company should be striving for.”


90% of project teams working remotely

According to the new Global Trends in Project Management 2022 report, nearly 90% of project teams are working remotely in multiple locations. Of those surveyed, 48% reported that they operate in multiple locations within the same country while 39% said that their teams function in multiple different countries. It was also revealed that only 26% of respondents are working with an established project or work methodology, such as Agile or Waterfall, meaning that there are many scattered teams operating without a uniform method in their organizations. 39% reported that they use a combination of Agile and Waterfall, 18% used many different styles within a single project, and 17% operate with no established methodology at all. When it comes to managing remote hybrid teams, there are many challenges for a leader to consider. According to the survey, the number one challenge these teams find themselves faced with is poor cross-team collaboration. 26% of respondents reported that their organization struggled with this while operating remotely, meaning that many organizations are still learning to successfully accommodate hybrid teams. In addition to this, respondents reported that organizations also faced challenges such as outdated or ill-suited processes, overall difficulty working in a remote environment, and ineffective scheduling. In an attempt to mend these issues, 50% of organizations operating remotely use scheduled meetings as the primary way to collaborate within the team, while 25% reported that they use chat or email to foster team communication. In terms of tracking project progress, 29% of those surveyed reported that they also use in-person or virtual meetings in this way, while 20% use project management software to stay up to date with projects, and lastly, 13% said they utilize spreadsheets. In a hybrid work environment, project managers also find themselves facing the issue of balancing the wide range of skill sets displayed across team members. This becomes a bigger problem when many of those expected to manage projects in the remote environment were never formally trained in project management. According to the survey, almost 30% of respondents reported that they were not specifically hired to be a project manager; however, they consistently find themselves in these kinds of leadership roles. In addition, nearly 30% of those surveyed also said that they never participated in a formal management certification program.

< continued from page 15

really understand and support our remote team,” Sadeghi said. “You can really create space for those feelings and see if certain employees need to take a step away or would benefit from a mental health day.”

Take needed time off

Sadeghi believes that offering employees the option to take a day to focus on getting back in the right headspace will help to avoid burnout, and this does not just go for employees but managers and team leaders as well. “One other thing that’s really important as a manager is to take your own paid time off and encourage people to sign off when the day is done; that really sets a tone for the organization,” she said. Burnout and fatigue are struggles for everyone. As a project manager working remotely, taking care of your own mental health and well-being will inevitably have a domino effect on team members. This will create a culture of inclusivity and care, ultimately leading to the production of better work as well as a healthier and happier work environment.

Another challenge of working from home is setting boundaries around working hours. According to Sadeghi, “It is so important to respect people’s hours. If someone is working from 8 to 5, as a manager, you have to be sure not to reach out to them before or after those hours unless it is incredibly urgent.” In that same vein, Sadeghi believes that working hours should be used methodically and meetings should be scheduled in a way that allows for the most productivity. “You have to make sure you’re scheduling efficient meetings that are mindful of everyone’s time,” she began. “Knowing the right people are there and knowing when to leverage certain communication tools will save people’s time in the end.” Sadeghi also stressed the importance of letting team members know that their hard work is valued in the organization. “I think in this remote setting it’s so important to give kudos or shoutouts to different teams,” she said. Sadeghi uses this in her own organization and she believes that having this model of positive reinforcement and employee recognition helps to set a positive tone. Showing team members that you appreciate their work gives them a feeling of pride and accomplishment and will, in turn, lead to more commendable work in the future. Having open communication pathways to express both positive and constructive feedback offers organizations a level of transparency that will help them thrive.

With this transparency, Sadeghi said that another struggle of managing a remote team can be staying on top of the work each person is assigned. “I think that it’s really important to have a structure within your team,” she began, “One thing we do is design OKRs to understand what the objective is and what key results we hope to accomplish with each task.” Sadeghi believes that as a manager, especially one working remotely, it is essential to know what is on every team member’s plate to ensure that the workload is being evenly divided. This is another place where she cites her “red, yellow, green” method, but in a professional way. “As a good manager you have to understand how you’re delegating tasks,” she said. “And beyond that, you have to ask your team for feedback; another part of that ‘red, yellow, green’ thing is the professional side.” This offers team members a way to let their manager know if they feel overloaded with tasks and projects.



Securing cloud-native applications
BY JAKUB LEWKOWICZ

Cloud-native development has become the de facto way that companies make new apps due to its speed and cost savings. While it has opened up the world of Kubernetes, containers, and serverless to most organizations, they still need to grapple with certain complexities and security concerns that this style of development brings. Concerning the use of modern, cloud-native application services such as microservices, functions as a service, containers, and container orchestration frameworks (Kubernetes), more than 80% of developers report that their organizations are in the process of implementing, in the process of piloting, or already using these services, according to the IDC report “PaaSView and the Developer 2021.” This is only expected to grow, according to analysis from Gartner that found that the cloud platforms with the highest (over 20% of respondents) adoption plans in the next 12 months were cloud-managed Kubernetes and container platforms (CaaS) or aPaaS, citizen development platforms, and cloud-managed serverless function platforms (fPaaS/FaaS). “Today, if I’m going to write a new kind of customer service portal, for an insurance company, the likelihood of that not being cloud-native is very low. Because it is just more scalable and much easier to update and much more resilient,” said Rani Osnat, the VP of strategy and product marketing at Aqua Security.

Cloud-native development changes the way developers traditionally approached development, with CI/CD and more rapid methods of continuously updating software. This has presented some challenges, since users don’t necessarily have advanced knowledge of where everything will run because it can run anywhere, according to Osnat. “You get this much more flexible environment to work in, but it also requires you to be a lot more cognizant in how you package code and deliver it compared with older kinds of waterfall SDLC or where it was a much slower process,” Osnat said.

Because of the difficulty in setting up Kubernetes, few companies use vanilla Kubernetes, instead opting for more managed options. One such option is a distribution of Kubernetes that has better defaults and is more suited to certain types of applications, like K3s, the lightweight Kubernetes that is used a lot in IoT. The single-node Kubernetes can also be used effectively in development and testing, according to Osnat. Moving deeper are the cloud-managed offerings such as AKS, EKS, GKE, and others. “Those are basically set up for you in terms of the cluster. You don’t need to do much with configuring a master node,” Osnat said. “A lot of the cloud developers will create on-prem versions of these. Amazon, for example, has EKS Anywhere, which is identical to EKS, but you can run it on-prem, or even another cloud if you want, at least in theory.” Even further are platforms like OpenShift and Tanzu, which wrap Kubernetes with additional functionality, more opinionated or preset configurations, and other capabilities around it such as identity access management, and better versioning and deployment controls, Osnat explained.

Cloud-native’s dependence on open-source requires extra security

Both the use of cloud-native development and open source are growing hand in hand, prompting companies to put up additional security measures to work with the much more open code. “Today, in a typical cloud-native application, you’ll see that 70-80% of the codebase is open source. So you could say the cloud-native applications have a lot of reusable code. And the issue that creates is that first of all, there’s a supply chain issue where you don’t govern all the code that comes in,” Osnat said. “And the second is known vulnerabilities. So open source has many more known vulnerabilities than custom code simply because it’s open.”

Contrast Security’s 2021 State of Open-source Security Report revealed that traditional software composition analysis (SCA) approaches attempt to analyze all of the open-source code contained in applications — which translates into a huge time and resource expenditure chasing vulnerabilities that pose no risk at all. Yet, for third-party code that is invoked, the risk is inherent: the average age of a library is 2.6 years, and applications contain an average of 34 CVEs.

While working with functions, it becomes more apparent that the traditional tools used for security won’t suffice, according to Blake Connell, the director of product marketing at Contrast Security. “With functions, because you’re just assembling these small bits of code, all those little small bits of code are entities in and of themselves. So the sort of exposure is broader for security issues. And then these permissions that are part of these functions are sort of set in kind of a default way,” Connell said. “Depending on how you assemble your application, you may want to tighten down the screws a bit more on those permissions. And that’s a common challenge with the functions serverless security angle, which is this notion of overly permissive functions.”
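The “overly permissive functions” problem Connell describes is concrete enough to check mechanically. The following is an added example (not Contrast’s or Aqua’s code) that audits a function role’s IAM policy document for the usual over-broad grants and shows a default-style policy next to the same role after the screws have been tightened; the policies, account id, table and bucket names are constructed samples.

```python
"""Flag overly permissive statements in a serverless function's IAM role policy.

Added example, not from the article or from any vendor named in it. The policy
documents below are constructed samples in the AWS IAM policy JSON shape, with a
made-up account id, table name and bucket name.
"""
from __future__ import annotations


def _as_list(value):
    """IAM allows a bare string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_overly_permissive(policy: dict) -> list[dict]:
    """Return one finding per over-broad grant in an Allow statement.

    Checks, in order: "*" as an action (full admin), "service:*" actions,
    NotAction (which allows everything not listed) and "*" as a resource.
    The Sid is returned so a developer can see which statement to tighten.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow permissions
        sid = stmt.get("Sid", f"statement-{idx}")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions:
            findings.append({"sid": sid, "reason": "admin-wildcard", "values": ["*"]})
            continue  # nothing more specific to say about this statement
        service_wild = [a for a in actions if a.endswith(":*")]
        if service_wild:
            findings.append({"sid": sid, "reason": "service-wildcard", "values": service_wild})
        if "NotAction" in stmt:
            findings.append({"sid": sid, "reason": "not-action",
                             "values": _as_list(stmt["NotAction"])})
        if "*" in resources:
            findings.append({"sid": sid, "reason": "resource-wildcard", "values": resources})
    return findings


def audit_roles(roles: dict[str, dict]) -> dict[str, int]:
    """Map each function role name to how many over-broad grants it carries."""
    return {name: len(find_overly_permissive(policy)) for name, policy in roles.items()}


# Constructed sample: the kind of role a template hands out by default.
# The first statement grants every DynamoDB action on every resource.
OVER_PERMISSIVE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DataAccess", "Effect": "Allow",
         "Action": ["dynamodb:*", "s3:GetObject"], "Resource": "*"},
        {"Sid": "Logs", "Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:000000000000:log-group:/aws/lambda/order-handler:*"},
    ],
}

# Constructed sample: the same role after tightening. Only the actions the
# function uses, only on the table and bucket prefix it touches.
SCOPED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DataAccess", "Effect": "Allow",
         "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "s3:GetObject"],
         "Resource": ["arn:aws:dynamodb:us-east-1:000000000000:table/orders",
                      "arn:aws:s3:::order-uploads/*"]},
        OVER_PERMISSIVE["Statement"][1],  # the log statement was already fine
    ],
}

# Constructed sample: NotAction looks restrictive but allows every action
# except the listed ones, so it is flagged as well.
NOT_ACTION = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "Escape", "Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}],
}

if __name__ == "__main__":
    for name, policy in {"over-permissive": OVER_PERMISSIVE, "scoped": SCOPED}.items():
        print(name, find_overly_permissive(policy))
```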

Securing serverless architecture

Also important is securing serverless architecture, since serverless computing is at the forefront of the cloud-native development trend, according to Connell. According to Contrast Security’s State of Serverless Application Security report, a large majority (71%) of organizations now have six or more development teams creating serverless applications. These findings are consistent with other research, such as New Relic’s Serverless Technology Semiannual report, that shows a 206% increase in average weekly invocations of serverless applications from 2019 to 2020. Connell added that the typical company is protecting its serverless applications with a disconnected set of legacy tools that no longer work that well — even for applications on traditional infrastructure.

For serverless applications, these tools are even less effective. “No-edge blindness” resulting from functions that do not have a public-facing URL gives these tools poor visibility into serverless architectures. The abstraction of infrastructure, network, and servers proves confusing for traditional tools and contributes to a false-positive rate that can exceed 85%, Contrast Security found. Legacy tools simply lack the context to do adequate analysis. Serverless also presents its own challenges because it is built on ephemeral components that appear quickly and then disappear, so all of these require a very different set of controls, according to Osnat. As a result, organizations need a good prioritization strategy to understand which vulnerabilities are affecting the environment, Osnat explained. “You might have vulnerabilities that rely on some network connection to be exploited. But if you’re running this in a purely internal and capsulated application, it’s less adverse than an open one that’s open to the internet,” Osnat said.
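The prioritization Osnat describes (a network-vector vulnerability in an internal, encapsulated workload is less urgent than one in an internet-facing workload), the earlier point that only invoked third-party code carries inherent risk, and the remediation options he lists later (upgrade, swap the package, a mitigating control, or snooze) can be expressed as a small triage routine. The following is an added example of such a routine, not Aqua’s or Contrast’s logic; the findings, package names and CVE ids are constructed placeholders.

```python
"""Prioritise cloud-native vulnerability findings by exposure, then pick a remediation.

Added example, not the logic of any product named in the article. The weights
are illustrative; the findings below are constructed samples with made-up
package names and placeholder CVE ids (not real advisories).
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

SEVERITY_SCORE = {"critical": 4.0, "high": 3.0, "medium": 2.0, "low": 1.0}


@dataclass
class Finding:
    cve: str
    package: str
    version: str
    fixed_version: Optional[str]  # None when upstream has no fix yet
    replacement: Optional[str]    # an unaffected alternative package, if one exists
    severity: str                 # critical / high / medium / low
    attack_vector: str            # "network" or "local", as in a CVSS AV metric
    internet_exposed: bool        # does the workload accept traffic from the internet?
    invoked: bool                 # is the vulnerable library actually called at runtime?


def priority(f: Finding) -> float:
    """Higher is more urgent. Severity is discounted by how reachable the bug is."""
    score = SEVERITY_SCORE[f.severity]
    if f.attack_vector == "network" and not f.internet_exposed:
        score *= 0.5   # needs a network path that an internal-only workload does not offer
    if not f.invoked:
        score *= 0.25  # shipped but never executed: hygiene, not an exposure
    return score


def remediation(f: Finding) -> str:
    """Pick the least disruptive action that actually removes or contains the risk."""
    if f.fixed_version:
        return f"upgrade {f.package} {f.version} -> {f.fixed_version}"
    if f.replacement:
        return f"swap {f.package} for {f.replacement}"
    if priority(f) >= SEVERITY_SCORE["high"]:
        return "no fix: add a mitigating control (network policy, WAF rule) and track"
    return "no fix: snooze and re-check on the next scan"


def triage(findings: list[Finding]) -> list[tuple[str, float, str]]:
    """Return (cve, priority, action) rows sorted most urgent first."""
    ranked = sorted(findings, key=priority, reverse=True)
    return [(f.cve, priority(f), remediation(f)) for f in ranked]


# Constructed sample findings; the CVE ids are placeholders.
SAMPLE = [
    Finding("CVE-0000-0001", "json-parse", "1.4.0", "1.4.2", None, "critical",
            "network", internet_exposed=True, invoked=True),
    Finding("CVE-0000-0002", "legacy-xml", "0.9.1", None, None, "critical",
            "network", internet_exposed=False, invoked=True),
    Finding("CVE-0000-0003", "img-thumb", "2.1.0", None, "img-thumb-ng", "high",
            "local", internet_exposed=True, invoked=True),
    Finding("CVE-0000-0004", "old-template", "3.0.0", "3.1.0", None, "high",
            "network", internet_exposed=True, invoked=False),
    Finding("CVE-0000-0005", "auth-lib", "5.2.0", None, None, "critical",
            "network", internet_exposed=True, invoked=True),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```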

The stack affects cloud-native security

The third factor that affects security in cloud native is the beginning of this new stack that applications are being run on. Companies are no longer relying on an underlying server or VM to do the isolation for them. Users are also running various types of workloads. For example, if they’re running containers on a container as a service platform like AWS Fargate, or ACI on Azure, these are containers that run in a continued virtualized environment, and there is no underlying VM that one has access to. Organizations are giving developers more security responsibilities; however, there is a skill shortage in this area, and there are many more developers than security professionals. This has prompted companies to look towards more automated solutions that can augment the way developers handle security.

“We solve it by introducing a high degree of automation that enables developers to make security part of their daily work, but without expecting them or requiring them to change how they work or to become security experts. Nobody expects developers to become security experts and expects developers to set policies. The policy should be set by security. So what we do is we enable this solution that spans developers, DevOps, and security,” Osnat said. “Security has visibility into what’s going on and can prioritize issues for developers, and then have developers fix that in their code as far left as possible or as early as possible knowing full well that some things will not be fixed. We can say this needs to be remediated as soon as possible, you upgrade to this version, or you swap this package with this package or you change this configuration, and what cannot be remediated or can be maybe snoozed or remediated later, or you can have a mitigating control for it.”

While there is a lot that cloud providers are doing, there is also a large ecosystem of startups and individual vendors offering solutions that help address security concerns, according to Lara Greden, research director for IDC’s Platform as a Service (PaaS) practice. “It’s not that organizations with their software development teams are just only making use of what the major cloud providers are providing in terms of security,” said Greden. “They’re also adding these other services that their applications are calling on the back end for services.” Another way to solve some of these security issues is through the notion of “deputizing” developers to be a part of the security effort. The days of developers flinging code over to security, having the security team running static scans, and creating a pile of potential vulnerabilities before shipping them

continued on page 20 >


018-22_SDT053.qxp_Layout 1 10/27/21 5:12 PM Page 20

20

SD Times

November 2021

www.sdtimes.com

How does your company help cloud-native development?

Rani Osnat, VP of strategy and product marketing at Aqua Security

From day one, we started out focusing on containers, because that was the big technology that was pushed in the earlier days with Docker and later on with Kubernetes. Now, we support containers of various flavors, as well as serverless, VMs, and cloud infrastructure. With security, we took this approach of a full life cycle security solution because we felt that was the only way to really solve these issues. If you’re just looking at runtime, the attack surface is too big, and you’re basically chasing endless risks that you can’t really address that effectively. If you’re only focusing on shift-left and only handling developers, you’re doing what’s necessary, but it’s insufficient, because not everything is based on vulnerabilities. You have to have these multiple control points and layers.

Our solution helps organizations at any scale to address the key challenges of cloud-native security across development, DevOps, cloud and security teams. Our Complete Cloud Native Security Platform has the ability to give each type of stakeholder the information and ability to control what they need. Also, Aqua’s Cloud Security Posture Management (CSPM) scans, monitors, and remediates configuration issues in public cloud accounts according to best practices and compliance standards, across AWS, Azure, Google Cloud, and Oracle Cloud. There are also additional add-ons, like vShield, that allow you to specifically detect and block vulnerabilities that you weren’t able to fix, and we have a product called Dynamic Threat Analysis (DTA), which addresses a different risk we see in the supply chain: hidden malware. To learn more about Aqua’s Cloud Native Security Platform or start a free trial of the plan that’s right for your organization, visit us online at www.aquasec.com.

Blake Connell, Director of Product Marketing at Contrast Security

Organizations are turning to serverless environments to help realize the full potential of DevOps/Agile development. Serverless technologies enable instant scalability, high availability, greater business agility, and improved cost efficiency. While serverless is quickly becoming a preferred approach for helping organizations accelerate the development of new applications, their existing toolsets for application security testing (AST) perpetuate inefficiencies that ultimately bottleneck release cycles. There are also some key differences that create some unique challenges:

• An expanded attack surface. Serverless has more points of attack to potentially exploit. Every function, application programming interface (API), and protocol presents a potential attack vector.
• A porous perimeter is harder to secure. Serverless applications have more fragmented boundaries.
• Greater complexity. Permissions and access issues can be challenging and time-consuming to manage.

Contrast Serverless Application Security is designed specifically for serverless development. The complimentary, purpose-built solution for serverless AST ensures that security and development teams get the testing and protection capabilities they need without legacy inefficiencies that delay release cycles. Key benefits include:

• Visibility. Gain complete security visibility across your serverless architecture.
• Speed. Onboarding takes two minutes, with zero configuration and immediate results after scanning.
• Frictionless. Automatically discovers any new change deployed to the tested environment, issues new tailored security tests, and validates findings in close to real time.
• Accuracy. Provides near-zero false positive results with vulnerability evidence for true vulnerabilities.

< continued from page 19

back to developers just won’t fly in today’s cloud-native world, according to Contrast Security’s Connell. Now automation finds a vulnerability, perhaps an overly permissive function, and gets that information to a developer in their environment early. Then it provides sample code and the suggested remediation. Developers can then literally copy and paste the code, or modify it slightly, and then just resubmit that function. The solution then scans again and, when everything is OK, moves on, Connell explained.

Cloud-native development is becoming more accessible and more expansive

Whereas at first organizations were thinking in terms of using a private cloud for their applications by making use of technologies in their data centers, now it has increasingly moved towards computing at the edge, according to IDC’s Greden. “What we have today is edge compute, that is, in some cases, being provided by the cloud providers,” Greden said. “And that’s sent as a cloud service, but from edge locations. It’s also being accessed in terms of organizations owning their own mini data centers.” Even though there is less investment now in on-premises types of data centers or location centers, the need for compute to be close to the application for things like latency reasons has not gone away. “Now, we’re able to apply cloud-native development to those types of locations,” Greden added.

Also, now more people than ever before can make use of cloud-native development through citizen development and the use of low code. “It’s really more an era of augmented application development where developers, including full-stack developers, whether they’re junior or senior, are saying that the number one attribute of the tools they use is code abstraction, as represented by low code and no code,” Greden said. “We’ve gotten to the point where vendors are able to package certain components together, not have to rewrite code, and it really contributes to code simplicity and code elegance.”




A guide to cloud-native tooling

FEATURED PROVIDERS

• Aqua Security: Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and accelerate their digital transformations. The Aqua Platform provides prevention, detection, and response automation across the entire application life cycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed. Aqua customers are among the world’s largest enterprises in financial services, software, media, manufacturing and retail, with implementations across a broad range of cloud providers and modern technology stacks spanning containers, serverless functions, and cloud VMs.

• Contrast Security: Contrast Security is the leader in modernized application security, embedding code analysis and attack prevention directly into software. Contrast’s patented deep security instrumentation completely disrupts traditional application security approaches with integrated, comprehensive security observability that delivers highly accurate assessment and continuous protection of an entire application portfolio. This eliminates the need for disruptive scanning, expensive infrastructure workloads, and specialized security experts. The Contrast Application Security Platform accelerates development cycles, improves efficiencies and cost, and enables rapid scale while protecting applications from known and unknown threats.

• Amazon: AWS Lambda, a serverless, event-driven compute service that lets users run code for virtually any type of application or backend service without provisioning or managing servers. Users can trigger Lambda from over 200 AWS services and software as a service (SaaS) applications, and only pay for what they use. Build serverless backends using AWS Lambda to handle web, mobile, Internet of Things (IoT), and third-party API requests.

• DigitalOcean: DigitalOcean Kubernetes enables development teams both small and large to quickly take advantage of Kubernetes without the lead time required to provision, install, and operate a cluster. With its simplicity and developer-friendly interfaces, DigitalOcean Kubernetes empowers developers to launch their containerized applications into a managed, production-ready cluster without having to maintain and configure the underlying infrastructure.

• IBM / Red Hat: With Red Hat OpenShift on IBM Cloud, OpenShift developers have a fast and secure way to containerize and deploy enterprise workloads in Kubernetes clusters. OpenShift clusters build on Kubernetes container orchestration that offers consistency and flexibility in operations. Because IBM manages OpenShift Container Platform (OCP), you’ll have more time to focus on your core tasks. Protect your cluster infrastructure, isolate your compute resources, encrypt data, and ensure security compliance in your container deployments with the security-rich IBM Cloud. Includes strict Security Context Constraints for greater pod security by default.

• Nutanix: Nutanix HCI provides a cloud-like experience in your environment across compute, networking and storage. It is easily managed, highly resilient, and scales linearly without limit, enabling you to easily meet the demands of Kubernetes and other complex distributed systems. Through strategic partnerships with Microsoft, Google Cloud, and AWS, Nutanix enables you to seamlessly extend your public cloud investment and user experience to your on-prem Kubernetes environment.

• Palo Alto Networks: Prisma Cloud secures infrastructure, applications, data and entitlements across the world’s largest clouds, all from a single unified solution. With a combination of cloud service provider APIs and a unified agent framework, users gain unmatched visibility and protection. From container security to threat detection to web application and API security, security teams benefit from best-in-class protection.

• Rancher Labs: Rancher is a complete software stack for teams adopting containers. It addresses the operational and security challenges of managing multiple Kubernetes clusters, while providing DevOps teams with integrated tools for running containerized workloads. When Rancher is used alongside K3s, organizations are equipped with a simple yet complete solution to run Kubernetes at the edge. K3s simplifies deployment at the edge and enables users to quickly launch thousands of clusters. Rancher helps K3s users manage the high volume of clusters with Rancher Continuous Delivery, which gives users a controller that allows them to efficiently manage Kubernetes at the edge.

• Stackery: Stackery provides operational tools for developers building serverless applications. Easily detect and surface application errors, version control your serverless infrastructure, and securely manage configurations and deployments. Stackery helps developers build production-grade serverless applications by providing an abstraction layer on top of base serverless technologies like AWS Lambda. Stackery allows you to focus on your business logic rather than configuring infrastructure services.

• VMware: VMware offers vSphere, which enables users to manage complex, modern apps as easily as traditional apps and VMs on infrastructure that supports container-based application development. Rearchitected with native Kubernetes, you can now modernize the 70+ million workloads running on vSphere. And now, you can run modern, containerized applications alongside existing enterprise applications on existing infrastructure with vSphere with Tanzu.





Guest View BY DORI EXTERMAN

It pays to be a softie in software dev

Dori Exterman is CTO at Incredibuild.

Let’s be honest: software development has not always been the most worker-friendly world. Historically, crunch times made super-human demands on developers. This frequently resulted in highly disgruntled employees, and ultimately led many developers to unionize against crunch culture. What’s more, the end-products of this culture were — unsurprisingly — not always optimal.

Thankfully, today’s forward-thinking development leaders are taking a wholly different approach to productivity. Microsoft research reveals that developer fulfillment, happiness and health boost their ability to innovate and maximize productivity. And when GitHub found that developer well-being was at an all-time low, we started seeing companies like Google, Cisco and others encouraging workers to take mental health days.

The beauty of this new focus on developers as people is that it does not compromise productivity in any way. Quite the opposite. A stronger emphasis on managerial soft skills has been shown to raise developer throughput, speed release cycles and (most importantly) enhance quality. Soft skills have finally gained recognition in the software world. Basically, it pays to be a softie in software.

The Secret Sauce: Four Tips

Soft skills in software development are the secret sauce that drives business performance. Here are some best practices you should consider adopting:

Tip #1 – Teach your developers to fail

More and more companies are realizing that failure is not a bad thing in software development. And the faster we find these failures, the faster we can correct them. By teaching your developers that failure is acceptable, you offer them a safety net. Keep in mind that an effective “fail-fast” methodology must be accompanied by a thorough post-fail analysis process to ensure continuous improvement.

Tip #2 – Grow their confidence

Nobody proceeds quickly when they don’t feel confident. Developers are no different. In addition to teaching them that failing is OK, ensure they understand that your process has got their backs. Because when developers understand that A/B testing, feature flagging and other tools will give them fast feedback on proposed changes in the product, and that test-driven development (TDD), static code analysis and a shift-left approach will empower them to find and fix problems earlier and move much faster — they gain the confidence to raise velocity while relying on the course correction you built into the system.

Tip #3 – Help them find work-life balance, even with WFH

To facilitate effective communication and collaboration among your dev teams working remotely, first ensure that they maintain a clear timeframe for working hours. Schedule quick daily team sync meetings (no more than 10 minutes) with open cameras, and weekly or bi-weekly in-person team meet-ups, even if work itself remains remote. Encourage team friendships and self-education, and embrace new tech whenever possible — developers love to work with, or at least be exposed to, the latest gadgets. Take the time to update developers about company news, strategic goals and (especially) wins. Help them understand that wherever they’re located, they remain a crucial part of the team.

Tip #4 – Take KPIs with a grain of salt

Although they are important managerial measures of development progress, don’t over-emphasize product and development KPIs. The reason? They can be false indicators of progress, and relying on them too heavily can inadvertently incentivize your developers to make the metrics the target rather than a tool for reaching the target. Rather than defining KPIs that divert your team from your actual targets, try setting goals closer to these targets, and allow team members to arrive at these targets faster. Set them up to win in what really matters — not just what you need to show to management.

The Bottom Line

Being a softie on software development teams was once considered managerial weakness. Today, it’s increasingly seen as a strength that should be nurtured and ultimately implemented to create a stronger, more resilient, more productive development organization.



Analyst View BY ROB ENDERLE

Watching Huawei’s Harmony OS

When the United States moved to sanction Huawei and deny it access to American technology, it forced Huawei to pivot away from Google and Android and embrace a next-generation operating system it had been working on quietly for years. The disadvantage to a new OS is that it has no initial developer support; the advantage is that since there is no developer support, the company doesn’t have to worry about backward compatibility and can therefore push the envelope with the technology.

Huawei Harmony, now in its second generation, is a microkernel OS designed to span a variety of devices. While it started on TVs, Huawei wasn’t anticipating being booted off of U.S. technology. The plan then shifted to expand it to many more smart home devices, including laptops and wearables. As of this writing, the OS hasn’t yet appeared on a PC. The model appears to be similar to Apple’s, where Huawei controls the user experience with far more flexibility and lower charges than Apple requires.

One OS for everything

One of the significant failed efforts by Microsoft was Windows 8. It was supposed to span PCs and smartphones but failed because Microsoft had to assure backward compatibility, which created issues with its smartphone offerings, rendering it uncompetitive. In addition, the common user interface was panned by PC users, causing both the PC OS and the smartphone effort to fail. The concept of one OS covering all devices is compelling but was not on the table when Windows was created, so retrofitting that capability over a decade later didn’t work.

Apple couldn’t do this either and still has different operating systems on its PCs, smartphones, and tablets. Apple’s questionable path to lower the related costs appears to be eliminating the PCs over time and replacing them with iOS-running iPads. That path hasn’t been a resounding success either. Both DOS and the macOS came to be because IBM’s platforms at the time couldn’t scale down to PCs. We have a similar problem now but with much smaller devices. Still, the concept of one OS across various personal and IoT devices like digital assistants remains compelling. Huawei has stepped up to this opportunity with its Harmony OS.

While Steve Jobs tried to get Dell to license the macOS, Michael Dell refused because he couldn’t justify a dual boot PC’s added cost. Huawei isn’t asking anyone to dual boot anything, nor do I think that approach would be more viable for them than it was for Dell and Apple. Still, the threat of a technology ban has Chinese hardware manufacturers banding together, and both Xiaomi and Oppo have joined this effort as a hedge against the U.S. banning them as well. Current projections have Huawei’s Harmony OS on up to 300M devices by the end of 2021. This goal is undoubtedly aggressive, but with the backing of the Chinese government, it’s certainly possible in the regions where Huawei continues to sell. So, the potential here is for Harmony OS to become a blend of Apple focus and Microsoft licensing for the next wave of vendors, primarily out of China, who need an alternative to Microsoft and Google and are attracted to this open-source alternative.

Wrapping up

The U.S. ban on Huawei has forced the company to pivot rapidly and take a microkernel OS it was developing for TVs and expand its capabilities massively. Huawei uses a blend of the Microsoft and Apple legacy concepts and current technology to create a next-generation platform that is already successful in Asia and Europe and promises a far better developer experience than Apple has, but with a similar focus on quality and user experience. Huawei’s new second-generation Harmony OS is a blend of new technology and trusted concepts that promise a far better developer experience than Apple can or will provide.

Huawei is moving fast on hardware. Its new MatePad Pro already rivals the iPad Pro (in Asia), and its Huawei Watch 3 is the closest in capability to an Apple Watch I’ve seen so far. Both products’ problem isn’t the technology or platform. It is the lack of apps. This shortage means that if you are having a problem getting noticed on the Apple platform due to the sheer number of apps, you shouldn’t, at least for now, have a problem with Harmony. With Apple seemingly at war with their developers, maybe it is time to consider a vendor who still believes it needs developers and, instead of being lost in Apple’s app ocean, can gain visibility in Huawei’s growing, but still small, developer pond.

Rob Enderle is a principal analyst at the Enderle Group.



Industry Watch BY DAVID RUBINSTEIN

Online shopping and drugs (not related)

David Rubinstein is editor-in-chief of SD Times.

A couple of items crossed my desk this past month — one didn’t surprise me, based on the current state of the world, but one did.

First, the expected. Adobe released its Digital Economy Index, with data gleaned from more than a TRILLION visits to U.S. retail sites. Based on that, Adobe expects U.S. holiday sales (from Nov. 1 to Dec. 31) to reach $207 billion, which would be a new record. Global holiday spending should hit $910 billion, Adobe found, and for all of 2021, it expects spending to eclipse $4 trillion, which would also be a new milestone for e-commerce.

Because so many people are taking advantage of shopping online, Adobe reports that the major shopping days — Thanksgiving and Black Friday through Cyber Monday — are losing prominence. Adobe said sales during that time will still be a robust $36 billion, which will account for 17% of all holiday spending. But growth is slowing, expected to be just 5% over the same period last year.

There are other troubling signs on the horizon, however. Supply chain issues such as crowded ports, cargo delays and disruptions in overseas manufacturing will heavily impact the holiday season, even as demand surges, the Adobe report says. In fact, compared to the pre-COVID-19 pandemic period of January 2020, shoppers are receiving out-of-stock messages at an increase of 172%. That is staggering. And, of 18 categories of merchandise tracked by Adobe, apparel has the highest levels of being out of stock, followed by sporting goods, baby products and electronics.

All of this is driving consumer prices higher, and Adobe expects customers will pay on average 9% more during Cyber Week than they did during that time period last year. Discounts are also expected to be lower, in the range of 5% to 25%, when historically discounts have been in the 10% to 30% range. Couple that with inflationary pressures, and online prices are up 3.3% going into the holiday season (September 2021), while in past years, online prices were down on average 5% year over year going into the holiday season. So the advice is to shop early to try to ensure product availability, and shop during Cyber Week when the biggest discounts should be available.

The other item that caught my eye last month was a report from medical lab Quest Diagnostics that revealed some data regarding drug use among software developers. While the sample size was large (Quest performed 10 million drug tests last year, mostly during the pre-employment phase), the way Quest categorizes workers made broad generalizations impossible. Workers were sorted by the largest revenue component of the company they work for. So, for instance, developers who work at Samsung would not be categorized as information technology but as retail or electronics, and there is no insight into job function within those industry categories.

That said, developers are notorious for ingesting high-caffeine drinks to help them through those long, often late, coding sessions. Add to that the enormous pressures developers are under in this DevOps/Cloud Native world to deliver applications better and faster. The data from Quest shows only a slight increase in the use of amphetamines in the information technology sector from 2016 to 2020, from 0.91% to 1.2%. While that represents a 31.9% increase, the overall number of positive test results in the information technology sector remains quite low. Marijuana — America’s newly legal (in many states) drug darling — also increased for the IT sector over the same time period, going from 2.3% to 2.7%. That’s an increase of 17.4%. Barry Sample, senior director of science and technology for the employer solutions business at Quest Diagnostics, noted that in all sectors, much of the increase in drug use can be attributed to marijuana use.

More telling is a February 2020 report from the American Addiction Centers that showed almost 1 in 10 IT workers are identified as problem drinkers, above the 7% average for all American adults. And, across the entire working class of America, more than 16% of employees have had problems with prescription drug abuse. And similar to the alcohol numbers, painkiller abuse in the tech industry is higher than the overall average. With a rate of 19.53% of tech professionals abusing opioids, nearly one in five have an issue with pills like OxyContin, Vicodin, Xanax, and others. The stories are in the data.

