SD Times February 2022


FEBRUARY 2022 • VOL. 2, ISSUE 56 • $9.95 • www.sdtimes.com



www.sdtimes.com EDITORIAL EDITOR-IN-CHIEF David Rubinstein drubinstein@d2emerge.com NEWS EDITOR Jenna Sargent jsargent@d2emerge.com MULTIMEDIA EDITOR


Jakub Lewkowicz jlewkowicz@d2emerge.com SOCIAL MEDIA AND ONLINE EDITOR Katie Dee kdee@d2emerge.com


ART DIRECTOR


Mara Leonardi mleonardi@d2emerge.com CONTRIBUTING WRITERS


Jacqueline Emigh, Elliot Luber, Caryn Eve Murray, George Tillmann CONTRIBUTING ANALYSTS Enderle Group, Gartner, IDC, Intellyx


CUSTOMER SERVICE SUBSCRIPTIONS subscriptions@d2emerge.com ADVERTISING TRAFFIC Mara Leonardi mleonardi@d2emerge.com


LIST SERVICES Jessica Carroll jcarroll@d2emerge.com


REPRINTS reprints@d2emerge.com ACCOUNTING accounting@d2emerge.com

ADVERTISING SALES


PUBLISHER David Lyman 978-465-2351 dlyman@d2emerge.com MARKETING AND DIGITAL MEDIA SPECIALIST Andrew Rockefeller arockefeller@d2emerge.com


PRESIDENT & CEO David Lyman

D2 EMERGE LLC www.d2emerge.com

CHIEF OPERATING OFFICER David Rubinstein



Contents

VOLUME 2, ISSUE 56 • FEBRUARY 2022

FEATURES

An all-inclusive cloud experience: Microsoft adds features, integrations to make Azure the second-largest cloud provider in the world

RPA: Handling mundane tasks, freeing up developers

NEWS

News Watch

Linux 4 Eva

codeSpark Academy launches “Adventure Game”

Weaveworks acquires Magalix to secure Kubernetes

COLUMNS

GUEST VIEW by Victor Kuppers: 10 Steps to successfully implement citizen development

ANALYST VIEW by Jason English: 3 Apples in 2021 vs. 3 Oranges in 2022

INDUSTRY WATCH by David Rubinstein: Remember ‘people over processes’

BUYERS GUIDE

Security perimeter is no more as attack surfaces continue to expand

Software Development Times (ISSN 1528-1965) is published 12 times per year by D2 Emerge LLC, 2 Roberts Lane, Newburyport, MA 01950. Periodicals postage paid at Plainview, NY, and additional offices. SD Times is a registered trademark of D2 Emerge LLC. All contents © 2022 D2 Emerge LLC. All rights reserved. The price of a one-year subscription is US$179 for subscribers in the U.S., $189 in Canada, $229 elsewhere. POSTMASTER: Send address changes to SD Times, 2 Roberts Lane, Newburyport, MA 01950. SD Times subscriber services may be reached at subscriptions@d2emerge.com.



NEWS WATCH

AngularJS long-term support discontinued

Four years after announcing discontinuation plans, Angular has officially discontinued long-term support (LTS) for AngularJS. AngularJS is the first version of the Angular framework, which was released in 2010. All subsequent released versions were called Angular. The team had initially planned to end LTS in July 2021, but because of COVID-19, it decided to push that date back by six months to December 31, 2021.

The Angular development team is urging developers to migrate all AngularJS applications to Angular 2 or higher. Last year the team published a blog post detailing ways to prepare applications to migrate, such as using ngUpgrade, which is a library that allows Angular and AngularJS to be run in the same application to allow for incremental migration.

Going forward, CDN links for AngularJS will remain active and AngularJS.org will still stay online. The team will also archive the AngularJS repository on GitHub and provide read-only access to code, issue, and pull request history. Finally, npm packages for AngularJS will still be available on npm and bower, but they will be marked as deprecated.

Aptiv to acquire Wind River

Vehicle technology company Aptiv has announced its intent to acquire the embedded systems company Wind River from TPG Capital. The acquisition is valued at $4.3 billion and is expected to close mid-year.

According to Aptiv, this acquisition will enable the company to expand into several high-value industries and produce innovations across connected devices like vehicles. Wind River Studio will become integrated into Aptiv’s SVA platform to further innovate on automotive software solutions. Wind River will continue to operate as a stand-alone unit within Aptiv, led by Wind River’s current CEO Kevin Dallas.

Open Source Institute forms to offer online training

The Open Source Institute (OpenSI) is being formed through a collaboration between the University of Canberra and Instaclustr. OpenSI will focus on open source training, certification, and research and development.

The first online course offered through OpenSI will be Developer Training and Certification for the event streaming platform Apache Kafka. This training will provide software engineers and system admins with the skills to develop and operate Apache Kafka. The course will include interactive workshops, webinar, online forums, self-paced assignment, and assessments. There will also be an optional exam that can be taken to receive certification through OpenSI for Apache Kafka.

Other courses are in the works for other open source technologies like Apache Cassandra, PostgreSQL, and Cadence.

.NET MAUI preview supports Fluent UI

Microsoft recently announced the release of .NET MAUI Preview 11. As a part of this release, users will gain access to the first batch of Fluent UI control styling, multi-window implementations, control features, and another set of iOS type alignment. This preview runs on the latest preview of .NET 6 and is available with Visual Studio 2022 17.1 Preview 2.

Windows 11 brings users new UI styling with the updated Fluent Design System. In .NET MAUI Preview 11, users will experience initial updates to Button, Editor, and Entry.

Visual Studio preview brings productivity features for Git

Microsoft recently announced the second preview of Visual Studio 2022 17.1. This release includes new features that align with themes of Visual Studio 2022, such as productivity. New Git productivity features will make day-to-day work much easier, according to Microsoft.

Developers will now be able to compare the current branch in a repository with other branches. This is useful when preparing for a pull request or before deleting a branch. Another new Git feature is enhanced detached head support, which allows developers to check out a commit and go back to a previous point in history to run or test code. Developers will also be able to quickly review pull requests and evaluate updates by checking the tip of a remote branch.

Multi-repo support is also enhanced in this preview release through improvements to the inner loop branching experience. According to Microsoft, developers can now use branch pickers on the status bar or Git changes tool window to check out branches or do certain branch management tasks. Other Git improvements include the ability to create branches across all active repositories at the same time and line-staging preview functionality.

People on the move

Allstacks has announced the appointment of Jamie Howard as its new VP of Engineering. He previously held roles at companies such as Qualcomm, Red Hat, and WebAssign, and also served as an Army Infantry Squad Leader.

Sharan Foga has joined Instaclustr as director of community and developer relations. She has over 30 years of experience in the technology industry and has been involved with the Apache Software Foundation since 2008 and is currently one of its board members. She is also an active project management committee member for the Apache ComDev team, Apache OFBiz, Apache Kibble, and the Apache Incubator.

Databricks has made Naveen Zutshi the company’s new chief information officer. He spent the past six years as CIO of Palo Alto Networks where he helped the company expand into new security categories. Before that he was the senior vice president of technology at Gap.

Palo Alto Networks is working to grow in new markets and is appointing Helmut Reisinger to CEO of Europe, the Middle East and Africa (EMEA) and Latin America (LATAM) to drive this growth. He will work closely with company president BJ Jenkins to drive acceleration of the global growth strategy.

Facebook releases Create React App 5.0

Create React App 5.0 is a major release bringing users numerous new features and the latest version of all major dependencies. A few highlights of the release include webpack 5, Jest 27, ESLint 8, and PostCSS 8.

With this, react-scripts@5.0.0 also contains several breaking changes. These changes include dropped support for Node 10 and 12. Node 10 has now reached End-of-Life. And Node 12 will be End-of-Life in April of 2022. Moving forward, only support for the latest LTS release of Node.js will be provided.

Microsoft updates feedback system for Visual Studio

Microsoft recently announced that it is updating its feedback system in order to provide users with a higher quality experience. With this, older versions of Visual Studio will no longer be compatible to provide feedback. To continue submitting feedback, upgrade to version 16.7 or any LTSC service release after April 2021.

This update brings users an enhancement to the Send Feedback options available in the help menu and feedback center. The new system is designed to make it easier for Microsoft’s engineering teams to track, organize, and transfer tickets. This works to provide a higher level of communication between users and the Visual Studio engineering teams.

White House hosts OS Security Summit

Organizations such as the Linux Foundation, OpenSSF, Google, Akamai, and Red Hat attended a White House Summit meant to address supply chain security challenges following the recent log4j crisis.

“The open-source ecosystem will need to work together to further cybersecurity research, training, analysis, and remediation of defects found in critical open-source software projects. These plans were met with positive feedback and a growing, collective commitment to take meaningful action,” said Brian Behlendorf, the executive director of the Open Source Security Foundation.

Key considerations for the government and industry include prioritizing investment into tools and technologies that can help increase the visibility of use of open source, optimally through automated tools; support strong private-public ownership; and improve information sharing, according to Akamai.

Customized GPT-3 improves models

Creating a custom version of GPT-3 tailored to an application allows models to run faster and more cheaply. GPT-3 is a natural language programming tool developed by AI research laboratory OpenAI.

Users have to run a single command in the OpenAI CLI tool with the file that they provide and a custom version will start training and be immediately available in the API. It takes less than 100 examples to start seeing the benefits of fine-tuning GPT-3 and performance continues to improve as you add more data, according to OpenAI. After that, doubling the number of examples tends to improve quality linearly.

“Whether text generation, summarization, classification, or any other natural language task GPT-3 is capable of performing, customizing GPT-3 will improve performance,” the developers behind GPT-3 wrote in a blog post that also has the success stories of four companies that fine-tuned GPT-3.

With the research dataset Grade School Math problems, fine-tuning GPT-3 improved the accuracy 2 to 4 times over what was possible with prompt design.

Microsoft reveals 2022 roadmap for Java in VS Code

Microsoft said in 2022 it plans to focus on improving the fundamental inner-loop experience that impacts developers’ daily productivity. This includes efforts to improve code completion suggestions, provide more relevant code snippet generation, and offer various shortcuts based on the user’s preference. The debugging experience will also be improved.

The company will also focus on performance and reliability, with updates like improved reliability of Java Language Server. This will include reducing the number of instances where the Java Language Server becomes unresponsive.

The company will continue to add new features to the Gradle for Java extension and the existing Maven extension. Also, it will make improvements to core Java extensions and Spring extensions such as making it easier to create workflows of Spring projects, controllers and beans; better visualization of core Spring concepts; and more.

Microsoft also shared new features that are now available, such as the now-embedded JRE in Java extensions and the added ability to configure Java formatter settings.


An expert on the operating system tells why she thinks the kernel is so important

Last month, the Linux kernel turned 30. If you’re someone who’s been immersed in the Linux world since Y2K like me, it may feel a bit surreal that so much time has passed since the kernel’s inception.

As a training architect at A Cloud Guru (ACG), I teach courses about all things Linux and specialize in hands-on, lab-based learning. Before joining ACG, I worked as a Unix systems engineer at GE and IBM as well as Technical Account Manager and customer advocate for Red Hat. I’m hugely passionate about Linux because of its importance to my career, just as it is to the careers of so many other engineers and Linux enthusiasts.

In its 30 years of existence, the Linux kernel has had a massive impact on the modern computing landscape — revolutionizing what’s possible for operating systems and allowing countless tinkerers to get their hands dirty in the process. Linux has also become the foundation of paradigm-shifting innovations over the years due to its ever-evolving nature.

To commemorate 30 years of Linux, I’m sharing some of the key reasons why the kernel is so valuable and why it will continue to be a major player in the computing landscape for years to come.

BY CARA NOLTE

Cara Nolte is a Training Architect at A Cloud Guru, A Pluralsight Company. She is a distinguished engineer with nearly 15 years of experience with leading tech companies including Red Hat, GE Digital, IBM and more.

My Linux journey

My first exposure to Linux was in college in 1999. I took an introductory Unix Shell Scripting class and Fedora was installed on the lab servers because it was free and easily scalable. I view Linux as my entry-point into customizable operating systems. After learning basic Unix commands on Linux, I ultimately went on to pursue a career supporting multiple commercial Unix vendors. As Linux made its way into larger enterprise-level companies, I quickly returned to working with Linux distributions.

Something I’ve always loved about Linux is the capacity to fine-tune your system to support the applications and distros that work best for your projects. Linux improves the functionality of whatever applications you’re running. The Linux kernel has literally changed how the world processes information, which is why I’m so invested in the software.

Now, it’s my job to share my knowledge and passion about Linux with other technologists. At ACG, I develop courses to help aspiring Linux experts learn how to optimize their systems. Additionally, I contribute to “Linux this Month,” an ACG-hosted web series that provides monthly updates from the global Linux community.

The fact that I am able to build a career around teaching Linux and staying up to date with Linux news shows the vast uses and applications of the kernel. What makes Linux so unique and evergreen is its open-source nature - Linux innovations are only limited by the creativity of the technologists who use and adapt it.

The open-source effect

When Linux first arrived, it was mostly a hobby for enthusiastic engineers and Computer Science students who could contribute by developing code. The steep learning curve associated with fitting Linux to your machine was a barrier for more novice programmers.

Over time, this has changed considerably. Online forums, workshops, and classes have made Linux more accessible to the average internet user. The free sharing of ideas has come to epitomize the open-source community, and for software engineers, Linux is at the heart of this community.

This democratization of Linux has had incredibly positive impacts on the computing world. Now, Linux is everywhere. Enterprise-level companies use Linux distributions to process the biggest production workloads in the world. It has replaced proprietary commercial Unix operating systems in very large companies with better stability and less downtime. Because Linux systems can be as small or as large as you want, it's also now being used in our homes for smart and mobile devices as well.

The open-source nature of Linux is incredibly beneficial for these enterprise-level companies. Linux distributors leverage the contributions of the entire open-source community. This wide range of contributors produces a more stable product with more features, but also ensures that the OS keeps growing and solving real world problems that are beneficial to a wide range of users.

Linux runs the cloud

Potentially the most impactful outcome of the kernel is the infrastructure of modern cloud computing. Linux’s scalability has paved the way for supercomputers and server farms to function efficiently while requiring relatively lightweight computing resources. In fact, Linux supports about 90% of the public cloud workload. Without Linux, the cloud as we know it would not exist.

This is, in part, because Linux has become so ubiquitous — its use cases are nearly limitless. Because it has been time-tested, many engineers and IT professionals have a strong grasp on Linux fundamentals, making it an attractive choice for enterprise companies dealing in the cloud.

Cloud-based software and products are increasingly becoming the norm in the engineering world. Unsurprisingly, major cloud providers such as AWS, Azure, and Google Cloud are all supported by Linux as well. Linux is unique because it is a shape-shifter that can conform to the needs of any given engineering environment, and it's incredibly stable because of the army of contributors that fortify weak points in the software.

Linux forever

The Linux “concept” is just as important as the Linux product. The concept allows a free and open source operating system to be refined, reinforced, and replicated across an endless web of contributors. Thirty years is a long time for a software to be relevant, especially with the ever-shortening tech product cycles. Because it was designed with the intention to be changed and updated by an open-source community, Linux has no foreseeable expiration date.

Had Linux not achieved the prominence it has today, we would see more commercial Unix vendors attempting to solve some of the problems that Linux addresses, but none would address them all. Additionally, customers would have to choose which OS to invest in based on which addresses some of their use cases, but none would be as beneficial as the Linux OS.

Linux is always growing and will become even more popular within the next few years. As more people become familiar with Linux and learn to use it, I see major potential for growth in the mobile computing space, within personal computers, and across small and large companies. In fact, we are already seeing it filter into home gaming systems and Raspberry Pi projects. With Linux, the sky's the limit!

Linux Foundation announces new certifications in open source development

The Linux Foundation announced that it created three new training courses on the edX platform, which cover Linux, Git, and other open-source software development tools. The courses can be taken individually or combined to earn a Professional Certificate in Open Source Software Development, Linux and Git.

Open Source Software Development: Linux for Developers (LFD107x) covers concepts that are crucial in developing open-source software, as well as how to work productively in a Linux environment. Students will learn about Linux systems, including key concepts like installation, desktop environments, text editors, important commands and utilities, command shells and scripts, filesystems, and compiling software.

The second course, Linux Tools for Software Development (LFD108x), goes over the tools that one would use in everyday work in Linux development. It is intended for developers who are experienced with working on any operating system and who want to learn the basics of open-source development.

The final course, Git for Distributed Software Development (LFD109x), offers an introduction to Git and it will prepare participants to use Git to create new repositories or to clone existing ones, commit new changes, review revision histories, and more.

To earn the professional certificate, participants must enroll in the program, complete all three courses, and pay a verified certificate fee of $149 per course.

—Jakub Lewkowicz


Microsoft adds features, integrations to make Azure the second-largest cloud provider in the world

BY JAKUB LEWKOWICZ

Microsoft Azure has been showing faster growth than any other cloud provider over the last few years, and its vast ecosystem of partnerships and integrations continually makes it an appealing platform for existing and prospective customers.

The platform currently stands as the second largest cloud offering in the world with 21% market share, following AWS’s 39% as of Q3 2021, according to Statista. It has a faster growth rate than its larger competitor, at 59% for Azure and 32% for AWS.

It offers many features in the data and analytics space, ranging from Platform-as-a-Service (PaaS) solutions for data and big data management and analytics, to multiple AI and machine learning offerings, to specialized Software-as-a-Service (SaaS) solutions such as Azure Purview, which is a unified data governance solution that helps users manage and govern their on-premises, multi-cloud, and SaaS data.

However, from a PaaS perspective of the cloud, Microsoft Azure is the leader.

“So from a whole cloud point of view, from just moving compute and workloads, Amazon is still the market share leader. But when we look at this from (the standpoint of) developing and running applications, Microsoft is the leader with a little bit more than 25% of market share, followed by AWS at 15%,” said Lara Greden, research director for IDC’s PaaS practice.

Azure’s expansion is a combination of both people who are already customers as well as more small and medium-sized businesses that are poised to become larger, especially those that are poised to utilize Kubernetes and cloud-native architectures.

“I think Microsoft Azure really has the kind of leadership to tell people to come here to create the new applications to be a digital-first,” Greden said.

The cloud in general has reached an inflection point as 75% of companies already have some combination of rehost, replatform, and refactor into the cloud, said Sambit Ghosh, senior vice president of the Microsoft practice at Datavail. Two-thirds of those are most likely lift-and-shift.

“At this point Azure has definitely been creating and enhancing their cloud-native services in a more accelerated fashion in the last several years,” Ghosh said.

Ghosh noticed that many customers are running applications in Oracle and are looking to move that into Azure Cloud. Now, Azure has opened up support for Linux and open-source technology to meet that need.

Azure now offers full support for common Linux distributions, including Red Hat, SUSE, Ubuntu, CentOS, Debian, Oracle Linux and CoreOS. The endorsed Linux distributions are created and published by Linux partners for use in Azure environments.

Platform experience important

In addition to pushing cloud-native, Microsoft Azure offers a plethora of features and integrations to entice people into their platform and to advance the way that people can meet their business goals more efficiently if they’re on the platform already.

Part of this comes from meeting developers where they already are, whether they’re collaborating on Microsoft Teams — which doubled in usage from April 2020 to 2021 and now has 145 million worldwide users, according to Statista — or by building on the skill sets that many developers already have.

“Microsoft has the leadership ability there, because so many developers have skills in .NET. And then the integrations can be created in .NET with their integration suite. Now, you don’t just have to have a central team doing it,” IDC’s Greden said. “Integrations with legacy systems continue to be the key enabler in today’s economy and for the foreseeable future.”

Microsoft is helping companies with integrations by dispersing that key scaling capability among all of their developers, rather than having integrations managed by a central integration team.

“They’re providing that flexibility to customers to meet them in their journey, which I think is definitely a smart move in driving adoption onto the cloud, rather than switching platforms,” Datavail’s Ghosh said.

Azure includes features like Azure Cosmos DB, which integrates with Azure services and allows users to choose from multiple database APIs including MongoDB, Cassandra API, and many others. It also offers plugins for companies that want to run Red Hat or JBoss Enterprise or some other Java apps through the Azure Marketplace.

More people can get their hands on integrations because Azure helps citizen developers utilize integrations through its Power Apps, Microsoft’s low-code offering.

Microsoft recognized the importance an elastic cost model has in alleviating one of the major concerns of moving to the cloud: cost. Power Apps are now available in a pay-as-you-go model as of Microsoft’s announcement at its Ignite event in November 2021.

“[The pay-as-you-go model] basically allows you to take more risks and create more apps, because you’re going to pay the right amount,” Greden said. “Let’s say you have 1,000 users use it once a month; you’re not going to pay the same as somebody who’s having 1,000 users using it every day.”

Microsoft added many new capabilities to Power Apps such as built-in commenting where users can write and share Office-like comments directly inside the authoring canvases of Power Apps, Power Virtual Agents, and Power Automate. Data insights can now be used to discover inefficiencies in workflows and business processes with Process Advisor in Microsoft Power Automate.

AI a heavy emphasis Azure is putting a heavy emphasis on strengthening its low-code capabilities through AI and its ownership of GitHub, according to Greden.

How these two companies rated their Azure journey Incorporation Insight — The main Azure feature that helped Incorporation Insight, a company that helps customers incorporate businesses, to find success is Azure Stack’s ability to store sensitive data and automatically optimize and process it with Azure Cloud, according to Michael Knight, the company’s co-founder. “We opted for Microsoft Azure particularly for its generous features that will enable us to address anticipated data distribution complexities due to the ever changing digital usage of consumers,” Knight said. “Being able to host DevOps public or private cloud interfaces also gives us greater flexibility as a scaling business.” Knight also said that his company chose Azure because of its budget-friendly subscription model that charges based on consumption and helps save money on IT. Other top features that he found included Azure’s cybersecurity guarantees and multiple compliance provisions.

CTDev — CTDev, a company that builds custom solutions of various complexity levels in the reinsurance business domain, found that using the Azure DevOps service as a CI/CD managed service provides frees up a lot of value and free-up operation people from managing worker nodes that use nontraditional continuous integration tools like Jenkins. Viachaslau Matsukevich, a solutions architect at CTDev, said that one can use Azure DevOps as a version control system for storing infrastructure as a code repository. Release management is also greatly implemented here so you can easily track which particular commit was deployed to the end system. Azure DevOps also has great integration with other Azure services. “Another feature that makes Azure stand out for me is resource groups. It is especially good for (proof of concept) or lab environments where you can clean up everything with a single click and don’t have to worry about some resource leftovers that will cost you money in the future,” Matsukevich said. “The biggest reason for companies to switch to Azure is their partnership with Microsoft. Also, Microsoft offers great discounts if you already have licenses purchased for MS products like Office or Windows.” z

Security, governance are challenges for some moving to Azure

When it comes to Azure’s security and governance models, some people are still wary of joining Azure for these reasons, according to Errin O’Connor, founder and chief architect for EPC Group and the author of four Microsoft Press books covering Power BI, SharePoint, Office 365 and Azure. “When COVID kicked in, people were moving to the cloud like crazy and a lot of people didn’t do it right. So their governance and security model is terrible,” O’Connor said. “There's just a lack of Azure governance. And there’s typically one or two or five people that know what the hell they're doing in the company with Azure. And they're typically so busy that they don't have time to do much of anything except the task that's at hand,” O’Connor said. “They're doing all these great things, but are they really thinking of the 12 or 24 month roadmap?”

At first, it’s most important to align the business needs and then to work around that in building out which Azure features to take on, according to O’Connor. “It's like you have the Honda, the Porsche, and you have the Lamborghini options with Azure. In a lot of cases the Honda's gonna work just fine. But then you have some CIOs or CFOs that are going to want the Lamborghini option. And so how do you match those together so that regardless of what option they take, it's still going to flow together and also work via the security model,” O’Connor said. “There are all these event grid services, there's web functions, functions, API, app logic…you can name all these different features, but I think they really need to dumb down what their services are and make it so that a person that's been in it for 15 years might know what’s going on.”

When thinking of moving to the cloud, it’s important to first look at one’s existing tech stack and personal skill sets and make the choice around that, according to Datavail’s Ghosh. Other important considerations when moving to Azure would be to do a careful discovery roadmap and planning of the cloud journey and to look at the cost profile. “If you’re looking to move to Azure and you do the cloud strategy, the cloud planning, careful thought process and looking at what's the right thing, what is the right provider for your company, I think the cloud journey itself can be much, much less challenging,” Ghosh said.

“[Azure] is able to take all the data in GitHub and feed that through AI models to be able to do AI pair programming and we’re just at the cusp of what that will enable companies to do,” Greden said. “This is key to Microsoft’s strategy because it enables more people to develop with better quality because quality is still a really big issue when it comes to applications.”

All of the main AI capabilities that companies seek out have now been bundled into one kind of offering: Azure Applied AI Service, announced at Microsoft’s 2021 Build event. The service includes Azure Cognitive Search, Azure Form Recognizer, and Azure Immersive Reader, in addition to newer offerings like Azure Bot Service, Azure Metrics Advisor, and Azure Video Analyzer. Azure Bot Service makes it easier to build, test, and publish text-, speech-, or telephony-based bots through an integrated development experience. Azure Metrics Advisor, now generally available, automatically detects and diagnoses issues to minimize downtime.

“There are a lot of custom applications out there. We see companies running certain (electronic medical records systems) like hospital systems running more specific custom .NET applications that they have written. A lot of colleges have a lot of custom (learning management systems) applications that are running. Banking also has a lot of customization. So within that, AI has been something that companies are more and more interested in,” said Errin O’Connor, founder and chief architect for EPC Group and the author of four Microsoft Press books covering Power BI, SharePoint, Office 365 and Azure.

Embracing data

O’Connor said that the number one request he is seeing from Azure customers is that they want to move their existing on-premise SQL servers to Azure and then create a data warehouse. “Some of the services they’re rolling out around Synapse and Purview are around data governance; that’s all driving and analytics modernization into Azure,” Datavail’s Ghosh said.

Azure Synapse Analytics was launched in 2019 as a service that brings together data integration, enterprise data warehousing, and big data analytics. Users can query data on their own terms with either serverless or dedicated options at scale. The service provides a unified experience to ingest, explore, prepare, transform, manage, and serve data for immediate BI and machine learning needs. “It’s a little strange because you have Power BI and then you have Azure Analytics. But Analytics is more for Big Data,” EPC Group’s O’Connor said.

This way, users can easily create a holistic, up-to-date map of their data landscape with automated data discovery, sensitive data classification, and end-to-end data lineage and enable data consumers to find valuable, trustworthy data, according to Microsoft in a post.

“We’re seeing a drive for modernizing applications being motivated by companies wanting to leverage data more and more to convert the data into information that they can then leverage to make intelligent decisions,” Datavail’s Ghosh said. “But in order to do that, you need to first start automating some of your processes and taking the data from your business and bringing it into a common data store.”

Hybrid cloud models

Azure is expanding its customizability by embracing hybrid cloud models, and the platform offers ways to accomplish hybrid data integration. “I think Microsoft has done a good job of making that key and central to their strategy. Like they recognize that hybrid cloud will include other clouds and it will include people's own data centers,” IDC’s Greden said. “I think AWS is probably still a little heavy on the single cloud sort of point of view, but the rise of Kubernetes is definitely lending itself to that multiple cloud or data center type of operation.”

For hybrid data integration, Azure includes Azure Data Factory, which enables users to build, manage and run ETL and ELT processes at any scale using code-free interactive user interfaces. This allows for many capabilities to be automated since they are exposed through APIs. “They’re releasing Azure Kubernetes Service and other container instances on top of their hybrid offerings, which allows you to bring your applications into Azure Cloud but you’re not locked into Azure Cloud,” Datavail’s Ghosh said.

Going down the path of a hybrid model and containerization, Microsoft announced the public preview of Azure Container Apps at Ignite 2021. It functions as a managed serverless container service for developers who want to run microservices in containers without managing infrastructure. The service offers full support for Distributed Application Runtime (Dapr) and scales dynamically based on HTTP traffic or events powered by Kubernetes Event-Driven Autoscaling (KEDA).

New Azure features

Azure Synapse Analytics service (December 2020)

Azure Synapse Analytics brings together data integration, enterprise data warehousing, and big data analytics. It enables users to query data using either serverless or dedicated options at scale.

Azure Applied AI Service (May 2021)

The service brings together Azure Cognitive Services, task-specific AI, and business logic to offer users AI services for common business processes. The Azure Applied AI Services are Azure Video Analyzer, Azure Metrics Advisor, Azure Bot Service, Azure Cognitive Search, Azure Form Recognizer and Azure Immersive Reader.

Azure support for Linux (August 2021)

Azure now supports common Linux distributions and enables users to create their own Linux VMs, deploy and run containers in Kubernetes, or choose from hundreds of pre-configured images and Linux workloads available in Azure Marketplace.

Azure Purview (September 2021)

This unified data governance solution enables users to maximize the value of their on-premises, multicloud, and SaaS data. Users can create a unified map of their data assets and their relationships with automated data discovery and sensitive data classification and get insights.

Partial document update in Azure Cosmos DB (November 2021)

Azure Cosmos DB Partial Document Update feature (also known as Patch API) provides a convenient way to modify a document in a container. This provides an API for developers, performance improvements, and multi-region writes.

Azure Container Apps preview (November 2021)

A serverless container service built for microservice applications and autoscaling capabilities without the overhead of managing complex infrastructure. Users can run containers and scale in response to HTTP traffic or a growing list of KEDA-supported scale triggers including Azure Event Hub, Apache Kafka, RabbitMQ Queue, MongoDB, MySQL, and PostgreSQL.

Ultra disks support on AKS (January 2022)

Azure ultra disks offer high throughput, high IOPS, and consistent low latency disk storage for stateful applications. Ultra disks are suited for data-intensive workloads.

Azure IoT Edge tools for Visual Studio extension now supports Visual Studio 2022 (January 2022)

Developers can now code, build, deploy, simulate and debug their IoT Edge solutions in Visual Studio 2022. This includes a new Azure IoT Edge project targeting different platforms, a new IoT Edge module and support of .NET 6 for the C# module.



For the love of codeSpark Academy launches game builder

BY KATIE DEE

Throughout childhood, a kid’s main goal is one simple thing: to have fun. Children seek out ways of playing that allow them to utilize their imagination and expand their own world into something bigger. Often, they achieve this through interactive video games such as “The Sims” or “Animal Crossing.” Imagine, though, that there was a video game that allowed children to build their own adventures, and learn in the process.

This has become possible with codeSpark Academy’s newest release, “Adventure Game.” This update allows children to stretch their imagination and capacity for creativity even further with added customization features and new methods of coding that turn learning exercises into a non-stop, interactive adventure. According to Joe Shochet, codeSpark co-founder and head of product, “The most popular part of codeSpark Academy since the beginning has been our creative tools, we aim to give kids a fun place to create using code.” This latest release strengthens that effort by adding even more ways for kid coders to express themselves while they learn.

With “Adventure Game” kids can now use code in order to create open-ended role-playing games that are inspired by well-known and loved games such as “Animal Crossing” and “The Legend of Zelda”. This feature also requires a lower amount of hand-eye coordination, making it more accessible for younger kids. So far, the response from kid coders has been incredibly positive, according to Shochet, “Right now we’re getting about 20,000 ‘Adventure Games’ per day created, and that's right after launching… We’ve had 360,000 created and we just launched it a couple of weeks ago so it has really taken off.”

Shochet explained that when introducing children to a topic as complex as coding, it is essential to give them a personal connection to that material in order to keep them engaged long term. He said, “By allowing kids to create the same kind of popular games they are already playing, we can encourage them to stick with the learning longer by turning game time into learning time. Building early confidence and positive attitudes towards coding will build persistence through their coding education.”

According to Shochet, “Adventure Game” is codeSpark Academy’s biggest update since its inception back in 2014. He said that the goal of this update is to double down on and enhance what has already been shown to get a positive response from kids. “The create area is where kids are spending about ⅔ of all of their time on codeSpark. We released ‘Platformer Game Creator’ first and then followed that a couple years later with a ‘Story Creator’ and then this year with ‘Adventure Game,’” Shochet explained.

Additionally, “Adventure Game” enables players to bring more life into the story with the option to add fun and engaging animation features such as speech bubbles for every character. This helps to add a new depth to the storytelling element of the game as well as fuel children’s creativity as they code. This game-based method of learning allows kids to absorb important knowledge that will give them a leg up later on in life, all while not really realizing they’re being taught because it is structured like play. Shochet says that this is the ultimate goal with every aspect of codeSpark. He hopes that the addition of “Adventure Game” will help to further kid coders' education without making the learning feel like work.

“Adventure Game” enables kids to create their own unique avatar to represent them in the game, offering a variety of colors, outfits, and hairstyles.

A child works on creating a new adventure game.

Photos by codeSpark Academy



adventure to begin to teach children to code

The ‘Adventure Game’ builder

“We’ve gotten a lot of positive feedback on the creativity of the avatar creator,” Shochet said. He explained that with the customizable characters in “Adventure Game,” representation and equity were the main factors in deciding what physical traits to include. “We spent a lot of time testing with kids, different hairstyles and different skin colors… a lot of them are kind of silly but a lot of them are about representation,” he said. When customizing outfits for avatars, Shochet explained that “Adventure Game” also offers a “Heros” component. This means that kid coders can create their character to be a real-life hero like a doctor or a firefighter if they wish to do so.

Players can also click on another creator's profile image in order to open up that creator's portfolio of shared games. This allows children to enjoy the games and stories invented by their favorite creators as well as share their own portfolio with others. “We’re essentially trying to build the world's biggest community of kid coders… [after sharing] the game first goes to our team of human moderators… and usually within about 24 hours it’s published,” Shochet said.

Shochet explained that he knows that not every kid who codes on codeSpark is going to grow up to be a computer scientist or a software engineer. The goal with “Adventure Game” and everything else on codeSpark Academy is for kids to begin to see themselves as someone who can code, therefore opening doors for future opportunities in the technology industry. “They are growing up in a world where computers are running things and if you don't know how they work and you sit back passively, the world is going to pass you by,” he said.

In 2021, more than 12.6 million games and stories were created by kids on codeSpark Academy, which is currently in use in more than one third of school districts in the United States. “A social good component of our business is making sure all kids around the world can play this, regardless of socioeconomic status, so we’ve gotten a ton of positive feedback from kids in schools that are playing and coding [with ‘Adventure Game’],” Shochet said.

Grant Hosford, co-founder and general manager of codeSpark, said, “‘Adventure Game’ furthers our goal of inspiring kids to create with code and express themselves in new ways. This easy-to-use creative mode gives parents, teachers, and kids even more of what they love about codeSpark Academy. Kids were emphatic during play testing about how much they love creating open-ended 3D challenges using our ‘Adventure Game’ templates and tools. The biggest creative community for kids in the world will now be even more dynamic.”

A scene from one of the games.


DEVOPS WATCH

Weaveworks acquires Magalix to secure Kubernetes

BY JAKUB LEWKOWICZ

Weaveworks acquired the policy-as-code startup Magalix to secure Kubernetes applications by integrating the solution into Weave GitOps. “Enterprise customers have made it clear that trusted application delivery is critical to the success of their increasingly complex cloud native platforms,” said Alexis Richardson, the CEO of Weaveworks. “With the acquisition of Magalix, Weaveworks introduces customizable policies, compliance capabilities and comprehensive risk visibility into GitOps workflows, ensuring only authorized applications are deployed and there are no nefarious activities.”

The addition of Magalix’s policy engine will enable DevOps teams to apply consistent policies and best practices across multiple Kubernetes environments. These new developer guardrails will enable Weaveworks customers to bridge the gap between developers, DevOps and security teams. Also, Magalix’s KubeGuard agent detects and remediates runtime drifts.

Magalix simplifies DevSecOps and enables cloud-native environments to be more secure by integrating directly into source, build, and deployment stages of the software lifecycle, according to Weaveworks. Customers will be able to use the same declarative approach as Kubernetes to scale their applications while maintaining regulatory requirements and security best practices with Magalix’s security capabilities.

“We are seeing an increase in customers who run a zero-trust security model turning to GitOps to bring DevOps to cloud-native application development and IT operations,” said Mohamed Ahmed, the founder and CEO of Magalix. “Similar to how DevOps disrupted infrastructure management, we believe that integrating security into GitOps pipelines brings considerable agility and speed, preventing errors and protecting against attacks that could shut down the entire platform. Imagine securing your platforms 100 times faster with very high confidence while evolving them. Weaveworks and Magalix share that joint mission to make it easy to innovate fast without jeopardizing security and stability.”

Checkmarx KICS now integrated into GitLab 14.5

Checkmarx’s open-source KICS (Keeping Infrastructure as Code Secure) solution has been integrated into version 14.5 of the GitLab DevOps Platform as an infrastructure-as-code scanning tool. KICS automatically parses infrastructure-as-code files of any type to detect insecure configurations that could expose applications, data and services to attack. Users of Ansible, AWS CloudFormation, K8S or Terraform can now scan their IaC and manage IaC vulnerabilities alongside other comprehensive security scan results with GitLab’s vulnerability management capabilities. “The fact that we now see infrastructure-as-code (IaC) integrated as part of any DevOps pipeline shows that application security must now extend far beyond application source code,” added Razi Sharir, CPO at Checkmarx. “The world runs on code, and we secure it, from source code to open source to infrastructure-as-code.”

ZenHub announces Productivity Insights

ZenHub, the productivity management solution built into GitHub, today announced Productivity Insights, a new solution in its portfolio of productivity management tools. These Productivity Insights offer teams actionable insights of sprint progress and total productivity in real time. Productivity Insights automates the process of measuring and analyzing a software development team’s performance and immediately shares that data throughout the entire development organization. In addition, Productivity Insights and the analysis it provides is available at a glance from the standard ZenHub UI view that developers regularly use, giving all team members a clear view of the progress that is being made, what still has to be accomplished, and how to work through existing obstacles.

DevOps Institute: Events, new certifications

The new certifications include DevOps Practitioner and DevOps Engineering Foundation. Also, SKILup Days, SKILup Hours, and SKILup Festival 2022: A Live DevOps Educational Experience will provide insights and education needed by DevOps professionals in a wide variety of disciplines. “As we ramp up our education and certification programs, we aim to empower the global member community with the skills and knowledge they need to further their careers and advance the DevOps initiatives at their organizations,” said Jayne Groll, CEO of DevOps Institute.

The DevOps Institute also announced the availability of its new Continuing Education Program. The program works to provide certified members with the skills, knowledge, and learning needed in order to remain relevant, optimize rising trends, and meet professional goals. This program benefits individuals and organizations, both in different ways. For individuals, the program provides greater value to certifications through continuing education credits, supports continuous upskilling, increases work productivity and efficiency, and more. On the organizational side, the Continuing Education Program enhances employee recruitment and retention, assists with crosstraining and coverage, and increases team productivity and efficiency.



RPA: Handling mundane tasks, freeing up developers

BY KATIE DEE

Robotic Process Automation (RPA) has been a useful tool for many organizations. Despite the initial fear that it would grow to take over the jobs of developers, many have come to see that RPA and automation only function well when they work in tandem with developers.

According to Yishai Beeri, growth technologies lead at LinearB, the best way for organizations to utilize RPA is to implement it with the purpose of eliminating the mundane tasks that would usually fall to developers. He also explained how this technology works to ensure consistency across a development team. Beeri said, “Developers have their own skills, they can automate basically whatever they like if they put their time into it, but sometimes, you want a more organized or central solution for automating these things instead of every developer just scripting away,” he said. “Maybe it's not important enough for a single developer but if you look at 100 developers… the small time wasters are things that you can automate away with a more centralized solution.”

Carlos Melendez, COO and cofounder of Wovenware, echoed Beeri’s sentiments by explaining that organizations would much rather have their developers working on tasks that bring value to the company rather than spending the majority of their time on duties that could easily be automated with something like RPA. Melendez also explained that when implementing RPA, this is the message that can fight off the employee resistance that may come from the fear of losing their jobs to automation technology. “A lot of the time it’s not about replacing employees, it’s about augmenting their capabilities. So, if half of your time is spent kind of preparing a file or preparing an integration or moving data from one point to another or doing data entry, then you want that person to spend more time on their analysis and verifying what is happening instead of the actual data entry part,” he said.



Humans and robots... working together

On an SD Times-led discussion of RPA on the Discord Dev Interrupted channel, participants had a lot to say. One of the respondents, Dr. Don Wilcox, talked about a robot used at his organization, which they named Marvin. “We have automation that completes a Task (the most-specific sort of ticket) when a PR associated with that Task is completed,” Wilcox explained. “Then Marvin takes over and changes the state of the parent story based on whether the dev tasks, qa tasks, demo tasks, etc, are complete. Marvin has his own row on the board, and you can get him to perform certain automation tasks (such as adding the standard stories and tasks to a new sprint) just by giving him an appropriately named task in that sprint.”

This is a good example of the way that automation and human employees have to work together. There's no doubt that the addition of the robot makes things run more smoothly but the robot cannot function without the direction of the human, which was the overall consensus from the discussion. The idea that RPA or another form of automation will be the end of human labor is far from the truth. In further support of this, Wilcox said, “Once you build a robot, someone needs to maintain, enhance, QA, replace. That robot assumes its own product lifecycle, which will likely require humans. For the foreseeable future, it is going to be humans building the robots, even if the robots help.”

— Katie Dee

RPA still new, and evolving

Jon Knisley, principal consultant, automation, and process excellence at FortressIQ, said that RPA and other automation technologies are still relatively new and, therefore, rapidly evolving. He said, “Among companies that have deployed RPA, a majority have less than 10 bots in production and just 10% have launched more than 100 bots, according to a recent report from Automation Anywhere.” With this, he added that he believes that the full breadth of what RPA and automation in general can do is still undiscovered.

“Only 11% of business executives surveyed by McKinsey believe their current business models will be economically viable through 2023. Given the potential disruption, organizations continue to invest in complex change programs despite dismal success rates of less than 30%. Automation is the new transformation,” Knisley said. He also noted that RPA has been the fastest growing segment for the enterprise software market for three consecutive years beginning in 2019. “Grand View Research estimates the global market for RPA will surpass $2 billion in 2022 and continue to grow annually at 40%,” he said.

Arthur Villa, an analyst at Gartner, said that his company’s research has yielded the same results, saying that he has seen no evidence that RPA has been slowing down, even in the midst of newer technology. “[As far as] the state of RPA implementation, I would say that it is still in the relatively early days. If we look at it as a four quarter game we’re probably only in the second quarter... I think that there's still a lot of adaptations that have been made in the last couple of years,” he said.

With this, Villa pointed out that RPA has only been growing in popularity as larger and more well-known organizations introduce this technology. “A lot of these new vendors are coming into the RPA market and shaking things up. There’s a lot happening within the market especially from the customer and buyer perspective… Many companies start small with RPA and then they rapidly expand those programs so I think we’re still early on in new customers buying RPA and beginning to experiment with the technology,” he said.

Villa believes that the reason RPA has been so widely accepted and implemented is because it offers organizations simplicity and overall convenience. According to Villa, when compared to other artificial intelligences, RPA is lower in cost, easy to understand, and companies will usually see a quick return on investment.

Data, change management challenges

In spite of this, though, it is not uncommon for organizations to face some challenges when introducing RPA into their business processes. According to Melendez, these challenges often fall into two categories: data driven and change management. Melendez explained that the data aspect of these challenges has to do with the quality of the data itself as well as overcoming the different types of roadblocks that arise when you try to automate using bad data. The change management centric challenges have more to do with employees being worried about what RPA is going to do and how it will change their own jobs.

When working to remediate these challenges, Melendez said, “Technology is moving so fast that you really need a good set of technology partners that you can trust, that you can go to when you need certain technology solutions. You have your AI partner, your RPA partner, and other partners that will help you navigate the complexities and the changes in those technologies.”


Even with RPA’s rapid growth, it is noteworthy that it has fallen out of the spotlight somewhat in recent years. According to Brett Greenstein, data and analytics partner at PwC, this is the result of newer technologies being introduced. He said, “First, there is the screen scraping and click automation that allows RPA to execute the same steps a person would execute in any application. Second, there is the scripting for bots that identifies a sequence of actions with basic logic to decide what action to execute next. As APIs and microservices become more and more available, especially as applications modernize on the cloud, the need for screen scraping and click automation goes away.”

Along the same lines, Beeri said that he feels RPA is not as widely talked about because, at its inception, it was overhyped and now it is failing to live up to all of the original promises. “I think when you start to look at how to deploy [RPA], and what tasks need to be removed, you’re finding that you can change the actual task, you don’t stop at just putting a robot in to automate data entry… The solution for the problem at that point might not be RPA, it might just be automating something using no-code or low-code methods,” he said.

However, Melendez credits this lack of discussion to something different. He said that rather than RPA being at the center of the discussion, people have shifted to speaking more generally about automation. “RPA as well as AI is becoming so prevalent that the conversation is no longer about deploying RPA, it’s about the solution that we are going to deploy [using RPA],” he said. Melendez explained that because these tools and technologies are so advanced, not only is it assumed that they will be in place, but that it is also assumed that, in most cases, they are going to be able to easily automate whatever is necessary.

RPA as communication tool

Beeri thinks there is a new role that RPA can fill in the face of a more distributed workforce. He said that RPA can be used as a communication tool that can remind developers of when it is time to take the next step. “A lot of the work that software developers do as a team is a lot of back and forth and communication between people… so coordinating that in an environment where it is mostly asynchronous and we’re not in the same room anymore… automation and smart bots can really help in coordinating this ‘dance’ between people so that people are not interrupted,” he said.

Beeri said that even though this is not a task that has been done in the past or a role that used to be filled by a separate employee, it has become important with the trend we’re seeing towards working remotely. He said, “It really helps to minimize interruptions and maximize speed when working together on things.”

According to Villa, only a few organizations are currently experiencing the full benefits of RPA that Beeri is referring to. He believes that the majority of companies utilizing this technology are the ones that are generating high volumes of revenue, meaning that small and mid-market organizations have yet to adopt automation technology. He said, “There's still a lot of education that has to happen within mid-market companies that need to understand ‘what is RPA? How can it be used? And how can I get the most bang for my buck?’”

Knisley also pointed out that education around RPA and automation is essential when trying to implement it in the most effective way possible. However, he also placed an emphasis on the importance of fully understanding and optimizing the company itself before introducing automation. He said, “To achieve the magical future state promised by technology, companies first need to understand their current state. Unfortunately, most companies do not understand how they truly operate especially at a gradual user activity level. To be successful and avoid false starts, companies need to discover, re-engineer and automate — in that order.”

From RPA to IPA (not the pale ale)

The conversation around RPA has shifted slightly in recent years in order to cast a wider net; the newer terminology is Intelligent Process Automation (IPA). The low-code automation company Nintex has been championing it, and according to Terry Simpson, senior solutions engineer at Nintex, “IPA is like the grownup and more mature sibling of RPA. When we say sibling, think about IPA being about 20 years older than its younger sibling RPA, on the maturity scale.”

Simpson continued, “IPA is actually the combination of several technologies coming together to create a very mature and flexible automation capability. Intelligent workflows, natural language processing, machine learning, and even RPA are all integral parts of an IPA solution.”

He explained that a key difference between RPA and IPA is that while RPA usually runs on a local machine, IPA is a cloud-based virtual environment. “In simple terms, think about IPA sitting right in the middle of all your applications and performing process automation focused on an entire solution, not just tasks. Tasks may make up a piece of the solution, but IPA brings the entire solution or process together,” he said.

Brett Greenstein, data and analytics partner at PwC, said, “RPA is getting less discussion… because automation has expanded well beyond screen scraping and bots, through the use of APIs, Microservices, and AI/ML. Many companies have adapted to this by expanding the term to IPA to include those newer capabilities as well as process mining.”

Greenstein explained that in the current environment the need for automation is only growing. In the midst of the great resignation and a shortage of skilled developers, automating tasks using a smarter solution is quickly becoming a necessity rather than a luxury. This increased demand for automation has led to the expanding of RPA into IPA in order to introduce fresher technologies into an already reliable method of automation.

— Katie Dee


What perimeter? Defending your connected devices in traditional ways ‘makes no sense’

BY JENNA SARGENT

For a long time, security teams have been able to mostly rely on the safety of a security perimeter, but with things like IoT, embedded development, and now remote and hybrid work, this notion of a defensible perimeter is totally gone.

Having all of these connected devices that don’t live under one network expands the attack surface that security teams need to worry about. This is especially true when you’re talking about remote or hybrid work, explained Ev Kontsevoy, CEO of Teleport, which is a company that provides tooling that enables users to remotely access computing resources.

Kontsevoy explained that the perimeters in terms of internet and application security are breaking apart completely, in two major ways. One is the type of perimeter that exists around your data center, where your equipment like servers or computers actually live, and the second type of perimeter is the office itself, which is where all the employees who work there sit and need access to data and applications. This is where technology like firewalls comes in, Kontsevoy explained.

“That’s the traditional approach that now makes no sense whatsoever,” said Kontsevoy. “And the reason why it doesn’t make sense is because computers themselves are not in the same data center anymore. So we’re now doing computing globally.”

Kontsevoy used the example of Tesla. What is Tesla’s perimeter? Tesla deploys code to each of its charging stations, data centers, and cars. “Tesla deploys into planet Earth … Most organizations, they’re moving into the same direction. So computing itself is now becoming more and more global. So the notion of a perimeter makes no sense in a data center,” said Kontsevoy.

Conversely, no one is sitting in an office anymore. “Now, we have engineers, contractors, auditors, and interns, all sitting in different parts of the world, using computers that might not necessarily be company computers,” said Kontsevoy. “They can borrow an iPad from their partner to do a production deployment, for example. For that reason, traditional security and access solutions are just no longer applicable.”

According to Jeff Williams, chief technology officer at application security company Contrast Security, this idea of a perimeter had been dismantled long before COVID. In fact, he says people had a misguided sense of security in a perimeter that didn’t actually exist.

“Once any one computer inside the perimeter gets compromised then there’s what’s called the soft, chewy center where there’s nothing inside to prevent an attacker from moving around and doing whatever they want,” said Williams. “So the best strategy for a long time — since way before COVID — has been to really sort of consider your internal infrastructure as the same as your external infrastructure and lock it down.”

According to Williams, development machines are traditionally not very locked down and developers generally have the privileges to download any tools they need. “They’re running, honestly, thousands of pieces of software that come from anywhere on their machines, all the libraries that they use run locally, all the tools that they use run locally, typically with privilege, and any of that code could potentially compromise the security of that company’s applications. So it’s something that DevSecOps programs really need to focus on,” said Williams.

Williams also believes the current speed at which DevOps teams want to move isn’t really compatible with the old way of doing security. For example, scanning tools, which have been around for over a decade, aren’t very accurate, don’t run very quickly, and don’t really work well with modern applications because they don’t work on things like APIs or serverless. In order to move fast, companies will need to abandon these older tools and move on to the new ones, if they haven’t already.

Interactive Application Security Testing (IAST) and Runtime Application Self Protection (RASP) are two newer technologies that work fast and are part of developers’ normal pipelines. “As the developers write their code, they can get instant accurate feedback on what they’re writing,” said Williams. “And that allows them to make those fixes very quickly and inexpensively, so that the software that comes at the end of the pipeline is secure, even if they’re moving at very high speed.”

Lack of automation and integration becomes even more problematic

The act of actually working remotely doesn’t seem to make it harder for DevSecOps teams to work together. According to software supply chain security company Sonatype’s CTO Brian Fox, certainly, companies need to get tools that will make collaboration easier in a distributed setting, but he believes the core of DevSecOps remains the same.

However, when a company goes remote, one of the first things that happens is the touch points that could cover up a lack of automation no longer exist, Sandy Carielli, principal analyst at Forrester explained.

“You don’t have those situations where you can walk to the next cube over and get a sign off from someone on the security or legal team … So as you started to have more people forced to go remote, the importance of having better integration of security tools into the CI/CD pipeline had better automation and better handoffs so that everything was integrated, and you could have sign offs in tool stage gates, all of that becomes a lot more important,” she said.

According to Carielli, implementing tools that enable automation and integration between different security tools is a high priority.

Asynchronous DevSecOps

A new thing that has sprung up for remote teams is the notion of asynchronous communication, where individuals are not necessarily communicating in real time with their coworkers. They might send someone a message and then have to wait a little bit for a response. DevSecOps is also becoming a bit asynchronous, according to Guy Eisenkot, VP of product and co-founder of Bridgecrew by Prisma Cloud, which provides security automation.

“I think three years ago, we may have not even had the tooling, but now we can just ping each other on Slack,” said Eisenkot. “You know, ask the developer, ‘Hey, did you intentionally commit this password? Or this access key into your code repository? Was that intentional?’ And the response can come in in a conversational manner and come in at any hour of the day. So I think the position for security has changed pretty drastically with how well connected we are and how we’re much better at async communication.”

Now there’s a much stronger emphasis on when you should be available and when you’re expected to be responsive.

Remote-first mindset tooling helps developers think about security

The tooling that companies have had to invest in to stay successful when remote has also had benefits for security, according to Eisenkot. Employers and managers have been much more deliberate about the type of tooling they put on developers’ machines, allowing for more control of the linting and security tooling they have locally, Eisenkot explained.

“Not only are we kind of protecting them with remote endpoint detection, but we can also now force them to use or enforce the usage of security tooling directly on the employee’s endpoint, which is something that I think was expedited by the fact that we’re no longer in the office and everybody had to now apply to the same type of corporate policy on their work computers,” said Eisenkot.

Embedding security into development tooling is now easier than ever

In addition to the fact that remote tooling is making it easier to enforce security, there’s also something to be said about the fact that it’s getting easier and easier to embed controls into the development pipeline.

As an example, Eisenkot explained that both its source control management and shipping pipelines are more accessible than they used to be and are controlled remotely using publicly accessible APIs. He believes development organizations should now find it much easier to incorporate things like secret scanning, open source package scanning, image scanning, and code scanning directly into the developer’s initial commit review process.

“Some of these in the past were just not accessible. So the fact that this tooling was much cheaper, most of it is actually open source, but much more accessible through those public APIs. I think that’s where I would start by scanning either directly on developers’ individual workstations, that would be through extensions and IDs, and then implement stronger and stricter controls on source control management,” said Eisenkot.

The fact that it’s easier than ever to place security controls on developers’ machines is extra important these days, since supply chain attacks are becoming more and more common. According to Sonatype’s Fox, attackers no longer want to get their malware into a shipped product; they want to get it into part of the development infrastructure. “And once you understand that, you can’t look at perimeter defense in terms of application security the same way anymore because it moves all the way left into development,” said Fox.
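The secret scanning at commit time that Eisenkot describes, and the “did you intentionally commit this password?” question from the asynchronous DevSecOps section, can be implemented as a hook that inspects only the lines a commit adds. This is an added example, not code from Bridgecrew or any other vendor named in the article; the rule set, the entropy threshold, the `secret-scan: allow` waiver marker and the sample diff are assumptions made for illustration.

```python
"""Scan the lines a commit adds (unified diff) for likely secrets."""
import math
import re
import sys
from collections import Counter
from dataclasses import dataclass

# Assumed rule set for this example; production scanners ship many more rules.
RULES = [
    ("aws-access-key-id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")),
    ("hardcoded-credential", re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*"
        r"[\"']([^\"']{8,})[\"']")),
]
PLACEHOLDER = re.compile(r"^(?:\$\{.*\}|<.*>|x+|changeme|example)$", re.I)
TOKEN = re.compile(r"[A-Za-z0-9+/=_-]{24,}")   # opaque-looking candidates
ENTROPY_MIN = 4.0                               # bits per char, assumed threshold
ALLOW_MARKER = "secret-scan: allow"             # hypothetical inline waiver
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

# Constructed sample; the key ID is the placeholder used in AWS documentation.
SAMPLE_DIFF = """\
diff --git a/deploy/settings.py b/deploy/settings.py
index 1111111..2222222 100644
--- a/deploy/settings.py
+++ b/deploy/settings.py
@@ -10,3 +10,6 @@ REGION = "us-east-1"
 DEBUG = False
-DB_PASSWORD = os.environ["DB_PASSWORD"]
+DB_PASSWORD = "correct-horse-battery"
+AWS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+TEST_TOKEN = "not-a-real-token-123"  # secret-scan: allow
+SESSION_SALT = base64.b64decode("q3Vx9Zk2LmT8wYb1RhN0sJe7DfGc5UaP")
 TIMEOUT = 30
"""


@dataclass(frozen=True)
class Finding:
    path: str
    line: int      # line number in the new version of the file
    rule: str
    preview: str   # redacted, so the hook never echoes a full secret into logs


def shannon_entropy(s):
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def redact(s):
    return s[:4] + "*" * (len(s) - 4) if len(s) > 4 else "****"


def scan_line(text):
    """Return (rule, matched_value) pairs for one added line."""
    if ALLOW_MARKER in text:          # developer confirmed it is intentional
        return []
    hits = []
    for name, rx in RULES:
        for m in rx.finditer(text):
            value = m.group(1) if m.groups() else m.group(0)
            if name == "hardcoded-credential" and PLACEHOLDER.match(value):
                continue              # template or dummy value, not a secret
            hits.append((name, value))
    if not hits:                      # entropy is noisy: fallback only
        for m in TOKEN.finditer(text):
            if shannon_entropy(m.group(0)) >= ENTROPY_MIN:
                hits.append(("high-entropy-string", m.group(0)))
    return hits


def scan_diff(diff_text):
    """Walk a unified diff and scan added lines, tracking file and line number."""
    findings, path, lineno, in_header = [], None, 0, False
    for raw in diff_text.splitlines():
        if raw.startswith("diff --git "):
            in_header = True
        elif in_header and raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
        elif (m := HUNK.match(raw)):
            in_header, lineno = False, int(m.group(1))
        elif in_header:
            continue                  # index / --- lines before the first hunk
        elif raw.startswith("+"):
            for rule, value in scan_line(raw[1:]):
                findings.append(Finding(path, lineno, rule, redact(value)))
            lineno += 1
        elif raw.startswith(" "):
            lineno += 1               # context line; removed lines do not count
    return findings


def main():
    # Assumed hook usage: git diff --cached | python secret_scan.py
    diff_text = SAMPLE_DIFF if sys.stdin.isatty() else sys.stdin.read()
    findings = scan_diff(diff_text)
    for f in findings:
        print(f"{f.path}:{f.line}: {f.rule}: {f.preview}")
    return 1 if findings else 0       # non-zero exit blocks the commit


if __name__ == "__main__":
    sys.exit(main())
```

On the constructed diff the removed line and the waived test token are ignored, while the hard-coded password, the access key ID and the opaque salt are reported with file and line number.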

Security as coaches to developers rather than ultimate authority

Another interesting thing that’s been happening in DevSecOps is that the role of security is changing. In the past security was more like a bottleneck, something that stood in the way of developers writing and pushing out code fast, but now they’re more like coaches that are empowering the developers to build code and do security themselves, said Contrast Security’s Williams.

It used to be that the Sec part of DevSecOps was like the central authority, or the judge. If they determined code wasn’t secure, it got sent back to the development team to fix.

“DevSecOps, when you do it right, is bringing development and security together so that they can have a common goal. They can work and they can sort of agree on what the definition of done is. And then they can work together on achieving that goal together,” said Williams.

When DevSecOps is done wrong, it’s more like trying to fit a square peg into a round hole, Williams said. Companies try to take their existing tools, like scanners that take a long time to run, and put them into their already existing DevOps pipelines, and it just doesn’t work.

“Usually, it doesn’t produce very good results. It’s trying to take your existing scanners that take a long time to run and don’t have very good results, and just kind of wedge them in or maybe automate them a little bit. But it’s not really DevSecOps; it’s really just trying to shove traditional security into a deficit DevOps pipeline,” said Williams.


Executive Order on improving Cybersecurity in the U.S.

Last spring, President Biden signed an executive order related to improving cybersecurity. As part of this order, the government will solicit input from the private sector, academia, and others to “develop new standards, tools, best practices, and other guidelines to enhance software supply chain security,” according to the National Institute of Standards and Technology (NIST). These guidelines will include criteria for evaluating software security, criteria for evaluating security practices of developers and software suppliers, and tools and methods for demonstrating that products are following secure practices.

“They’ve demanded that organizations be more transparent,” said Contrast Security’s Williams. “They put out minimum testing guidelines, and NIST is implementing these standards. They’re even investigating the idea of having software labels, so that when you go to your bank, or you buy software from somewhere, you’ll see a label that says, hey, here’s the details about security that you need to know. Kind of like everything else in this world has labels, like Energy Star and your car and your drugs and your Cheerios box has a label and your movies and your records. Everything has labels because they work. They fix economic problems in the market. And that’s going to happen to software over the next few years, which I think is exciting. It’ll make it much better for consumers to know that the software they’re using is trustworthy.”

According to Williams, there are three key processes that companies need to have in place in order to have a successful DevSecOps organization. First, they need a process around code hygiene to make sure that the code the developers are writing is actually secure. Second, they need a process around the software supply chain in order to make sure that the libraries and frameworks that are being used are secure. Third, they need a process to detect and respond to attacks in production. “If development and security can come together on those three processes and say ‘hey, let’s figure out how we can work together on those things. Let’s get some tools that are a little more compatible with the way that we build software,’ that will help get them moving quickly in development,” said Williams. “And then in the production environment get some monitoring, that’s a little more up to date than just something like a WAF, which is a kind of firewall that you have to keep tailoring and tuning all the time.”

Traditional challenges to DevSecOps remain According to Sonatype’s Fox, the main challenge companies are facing when it

comes to DevSecOps is understanding the components in their software. Log4j is a great example of this, since if you look at the download statistics from Maven Central, around 40% of the downloads are still of the vulnerable version. “And that can’t be explained,” said Fox. “A lot of times, you can explain why people are not upgrading or doing things because well, the vulnerability doesn’t apply to them. Maybe they have mitigation controls in place, maybe they didn’t know about it otherwise, and so they didn’t know they needed to upgrade. For the most part, none of those things apply to the Log4j situation. And yet, we still see companies continuing to consume the vulnerable versions. The only explanation for that is they don’t even know they’re using it.” This proves that many companies are still struggling with the basics of understanding what components are in their software. According to Fox, automation is important in providing this understanding. “You need a set of tools, a platform that can help you precisely understand what’s inside your software and can procontinued on page 30 >

25


022-30_SDT056-print.qxp_Layout 1 2/2/22 3:09 PM Page 26

26

SD Times

February 2022

www.sdtimes.com

How does your solution help organizations to do DevSecOps? Guy Eisenkot, VP of product and co-founder of Bridgecrew by Prisma Cloud As hybrid work environments and cloud infrastructure environments become the norm, organizations’ attack surfaces are only getting larger and more complex. With less cohesive visibility into the multitude of tools and frameworks used across software supply chains, it’s hard for organizations to keep up with security risks and best practices. To mitigate those risks brought about by cloud complexity and remote work, many organizations are embracing DevSecOps. For engineering, Bridgecrew makes it easier to prevent infrastructure misconfigurations and vulnerabilities from progressing into build pipelines and production environments by surfacing feedback in developer tools. Via command lines and integrated development environments (IDE), Bridgecrew provides fixes as code so developers can adhere to secure coding practices. For DevOps, Bridgecrew enables speed and agility by automating security guardrails throughout the development lifecycle. Bridgecrew also comes equipped with the tools DevOps need to keep their software supply chain secure — from the individual components to the version control systems (VCS) and continuous integration (CI) pipelines that deliver them. Lastly, for security and compliance, Bridgecrew provides unified visibility into the security posture of all cloud resources and real-time notifications and ticketing to enable cross-functional collaboration. Jeff Williams, chief technology officer at Contrast Security Contrast is a platform of products that tries to enable teams to do their own security. So in a remote kind of environment, it’s really important to empower the developers to have the ability to test their software locally, as part of every time they change the code, they’ll get instant results. 
And our philosophy is sort of, they shouldn’t have to change anything about the way that they build, or test or deploy their code, they should just do their normal process. And the security tooling should be the thing that does the work, and then alerts them if there’s ever a problem. But we don’t want the developers to have to take extra steps. Because what ends up happening is they get frustrated with those extra steps. If there’s false positives, they have to go do extra work for no reason to investigate

those things. So we want to just empower them to just deal with the things that actually matter, make those changes themselves and check and clean code. And we want to do that really early in the development process. So that’s the role that Contrast plays — we’re just in the background doing our job. And if anything goes outside the guardrails a little bit, we help steer the developers back on track. Now, the security team can participate. They serve as managing the policy, they watch the metrics, they can go help projects that aren’t doing very well. But by monitoring all of their applications continuously, it gives you a very different viewpoint than if you’re just running tools, running scanners, kind of serially, one by one through your entire application portfolio. Ev Kontsevoy, CEO of Teleport Hybrid is the new normal. Hybrid work arrangements have put pressure on the corporate network, and employees at different levels of seniority need to be able to connect to corporate infrastructure from anywhere. Additionally, that infrastructure is increasingly complex. A typical customer environment is itself hybrid with Linux and Windows servers, Kubernetes clusters, databases, and internal applications like CI/CD systems and version control systems like GitLab. In this environment, protecting modern applications requires the consolidation of all aspects of infrastructure access into a platform built for a hybrid world. That platform is the Teleport Access Plane, the easiest, most secure way to access all an organization’s infrastructure. The open-source Teleport Access Plane consolidates the four essential infrastructure access capabilities every security-conscious organization needs: connectivity, authentication, authorization, and audit. By consolidating all aspects of infrastructure access into a single platform, Teleport reduces attack surface area, cuts operational overhead, easily enforces compliance, and improves productivity. 
The Teleport Access Plane replaces VPNs, shared credentials, and legacy privileged access management technologies, improving security and engineering productivity. With Teleport, organizations can easily shift to remote work and increase their use of hybrid cloud environments without impacting security or productivity. Teleport enables teams to securely connect to your global infrastructure regardless of network boundaries and provides identity-based access for humans, machines, and services, including finegrained access controls. z


Full Page Ads_SDT056.qxp_Layout 1 2/1/22 3:08 PM Page 27

Get Secure Code Mov ng In a world of outdated security tools that are slowing developers down, Contrast breaks through with a unified platform for DevSecOps to get secure code moving through the entire SDLC. Secure your code and hit every release deadline with 10x faster scan times and 45x faster fix rates. BOOK A DEMO AT www.contrastsecurity.com/request-demo


Full Page Ads_SDT056.qxp_Layout 1 1/28/22 11:18 AM Page 28


www.sdtimes.com

February 2022

SD Times

A guide to DevSecOps tools n

FEATURED PROVIDERS n

n Bridgecrew by Prisma Cloud automates security from code to cloud. By embedding earlier in the DevOps lifecycle, Bridgecrew enables developers to write secure code without slowing them down. In addition to its DevSecOps tools and integrations, Bridgecrew’s platform gives security teams instant visibility into their security posture across their entire software supply chain. Join Brex, Databricks, and Robinhood in bridging the gap between security and engineering by trying Bridgecrew's all-in-one DevSecOps platform for free. n Contrast Security secures the code that global business relies on. It is the industry's most modern and comprehensive Code Security Platform, removing security roadblock inefficiencies and empowering enterprise developers to write and release secure application code faster. The Contrast platform automatically detects vulnerabilities while developers write code, eliminates false positives, and provides howto-fix guidance for easy and fast vulnerability remediation. Security and development teams can then collaborate and innovate faster while accelerating digital transformation initiatives. n Sonatype: Sonatype’s software supply chain platform allows engineering teams to manage software quality and governance using a single control plane. It solves the problem of how to balance speed, quality, intelligence, and security at scale, equipping engineering teams with the tools they need to continually code smarter, fix faster, and be secure. By using Sonatype, developers can discover and fix security vulnerabilities and code quality issues at the most convenient time during software creation. n Teleport is the easiest, most secure way to access all your infrastructure. The opensource Teleport Access Plane consolidates connectivity, authentication, authorization, and audit into a single platform. 
By consolidating all aspects of infrastructure access, Teleport reduces attack surface area, cuts operational overhead, easily enforces compliance and improves engineering productivity. Get started at goteleport.com. n Aqua Security secures the entire software development lifecycle, including image scanning for known vulnerabilities during the build process, image assurance to enforce policies for production code as it is deployed, and run-time controls for visibility into application activity, allowing organizations to mitigate threats and block attacks in real-time. n Checkmarx provides application security at the speed of DevOps, enabling organizations to deliver secure software faster. It easily integrates with developers’ existing work environments, allowing them to stay in their comfort zone while still addressing secure coding practices. n Chef Automate is a continuous delivery platform that allows developers, operations, and security engineers to collaborate effortlessly on delivering application and infrastructure changes at the speed of business. Chef Automate provides actionable insights into the state of your compliance,

configurations, with an auditable history of every change that’s been applied to your environments. n CloudPassage has been a leading innovator in cloud security automation and compliance monitoring for high-performance application development and deployment environments. Its on-demand security solution, Halo, is a workload security automation platform that provides visibility and protection in any combination of data centers, private/public clouds, and containers. n CodeAI is smart automated secure coding application for DevOps that fixes security vulnerabilities in computer source code to prevent hacking. It’s unique user-centric interface provides developers with a list of solutions to review instead of a list of problems to resolve. Teams that use CodeAI will experience a 30-50% increase in overall development velocity.

n CyberArk Conjur is a secrets management solution that secures and manages secrets used by machine identities (including applications, microservices, applications, CI/CD tools and APIs) and users throughout the DevOps pipeline to mitigate risk without impacting velocity. Conjur is the only platform-independent secrets management solution specifically architected for containerized environments. n IBM provides a set of industry-leading solutions that work with your existing environment. Change is delivered from dev to production with the IBM UrbanCode continuous delivery suite. Changes are tested with Rational Test Workbench, and security tested with IBM AppScan or Application Security on Cloud. IBM helps you build your production safety net with application management, Netcool Operations Insight and IBM QRadar for security intelligence and events. n Imperva WAF protects against the most critical web application security risks: SQL injection, cross-site scripting, illegal resource access, remote file inclusion, and other OWASP Top 10 and Automated Top 20 threats. Imperva security researchers continually monitor the threat landscape and update Imperva WAF with the latest threat data. n JFrog Xray is a continuous security and universal artifact analysis tool, providing multilayer analysis of containers and software artifacts for vulnerabilities, license compliance, and quality assurance. Deep recursive scanning provides insight into your components graph and shows the impact that any issue has on all your software artifacts. n Liquidbase is a database company that allows organizations to deliver error-free application experiences faster. The company’s solutions make database code deployment as simple as application release automation, while still eliminating risks that cause application downtime and data security vulnerabilities. n NoSprawl is security for DevOps. As DevOps matures and finds broader adoption in enterprises, the scope of DevOps continued on page 30 >

29


022-30_SDT056-print.qxp_Layout 1 2/2/22 2:04 PM Page 30

30

SD Times

February 2022

www.sdtimes.com

< continued from page 25

vide policy controls over that, because what is good in one piece of software might be terrible in another piece of software,” said Fox. “If you think about license implications, something that’s distributed can trigger copyright clauses and certain types of licenses. Similar things happen with security vulnerabilities. Something run in a bunker doesn’t have the same connectivity as a consumer app, so policy controls to then have an opinion about whether the components that have been discovered are okay in their given context is important. Being able to provide visibility and feedback to the developer so they can make the right choices up front is even more important.” According to Bridgecrew by Prisma Cloud’s Eisenkot, if you look back on the big supply chain-related security incidents over the last six to eight month, it’s apparent that companies have not properly configured the correct code ownership or code review process in their source control management. He explained that those two things would make any source code much more secure, even in small development organizations.

Developer education is key Eisenkot emphasized that developer education and outreach is still one of the most crucial points of DevSecOps at the end of the day. Yes, it’s important to implement controls and checkpoints in the tooling, but he also believes the tooling should be thought-provoking in a way that it will empower developers to go out and educate themselves on security best practices. “Eventually, lots of tooling can point to a vulnerable package or a potentially exploitable query parameter,” said Eisenkot. “But not every tool will be able to provide actionable advice, whether that’s a documentation page or an automatically generated piece of code that will save the developer the time needed to now learn the basic fundamentals of SQL injection as an example.” z

A guide to DevSecOps tools (continued from page 29)

must be expanded to include all the teams and stakeholders that contribute to application delivery including security. NoSprawl integrates with software development platforms to check for security vulnerabilities throughout the entire software development lifecycle to deliver verified secure software before it gets into production.

■ Parasoft: Harden your software with a comprehensive security testing solution, with support for important standards like CERT-C, CWE, and MISRA. To help you understand and prioritize risk, Parasoft’s static analysis violation metadata includes likelihood of exploit, difficulty to exploit/remediate, and inherent risk, so you can focus on what’s most important in your C and C++ code.

■ Qualys is a leading provider of information security and compliance cloud solutions, with over 10,300 customers globally. It provides enterprises with greater agility, better business outcomes, and substantial cost savings for digital transformation efforts. The Qualys Cloud Platform and apps integrated with it help businesses simplify security operations and automate the auditing, compliance, and protection for IT systems and web applications.

■ Redgate SQL Provision supports database DevSecOps, keeping compliance central to the process. It enables multiple clones of masked databases to be created in seconds, allowing them to be used safely within the development and test process. Each clone takes up just a few MB of storage and sensitive data can be pseudonymized or replaced with realistic data, ensuring protection and compliance.

■ Perforce helps thousands of global enterprise customers tackle the hardest and most complex issues in building, connecting, and securing applications. Our Klocwork static code analysis tool helps DevSecOps professionals, from developers to test automation engineers to compliance leaders, create more secure code with on-the-fly security analysis at the desktop and integrated into large-scale continuous integration workflows.

■ Signal Sciences secures the most important applications, APIs, and microservices of the world’s leading companies. Our next-gen WAF and RASP help you increase security and maintain site reliability without sacrificing velocity, all at the lowest total cost of ownership. Signal Sciences gets developers and operations involved by providing relevant data, helping them triage issues faster with less effort.

■ Sumo Logic is the leading secure, cloud-native, multi-tenant machine data analytics platform that delivers real-time, continuous intelligence across the entire application lifecycle and stack. Sumo Logic simplifies DevSecOps implementation at the code level, enabling customers to build infrastructure to scale securely and quickly. This approach is required to maintain speed, agility and innovation while simultaneously meeting security regulations while staying alert for malicious cyber threats.

■ Synopsys helps development teams build secure, high-quality software, minimizing risks while maximizing speed and productivity. Synopsys, a recognized leader in application security, provides static analysis, software composition analysis, and dynamic analysis solutions that enable teams to quickly find and fix vulnerabilities and defects in proprietary code, open source components, and application behavior.

■ Veracode creates software that fuels modern transformation for companies across the globe. DevSecOps enables the build, test, security and rollout of software quickly and efficiently, providing software that’s more resistant to hacker attacks. Veracode offers a unified platform that enables organizations to implement DevSecOps and address security applications from inception through production.

■ WhiteHat Security: The WhiteHat Application Security Platform is a cloud service that allows organizations to bridge the gap between security and development to deliver secure applications at the speed of business. Its software security solutions work across departments to provide fast turnaround times for Agile environments, near-zero false positives and precise remediation plans while reducing wasted time verifying vulnerabilities, threats and costs for faster deployment.



Guest View BY VICTOR KUPPERS

10 steps to citizen development

Victor Kuppers is the VP of Strategy at Betty Blocks.

Selecting a suitable citizen development platform is one thing. Getting employees to actually become citizen developers and use the platform to build solutions is another. This is a common problem for many organizations. Without a proper onboarding process and the right environment for business users to start experimenting, your organization just risks ending up with a lot of cool tools that nobody uses.

The solution? Make the process clear, engaging and straightforward. Be sure to intertwine citizen development in all suitable company processes. Citizen development needs to become second nature. Easier said than done — true. No worries, here are ten steps to make it happen:

1. Establishing support from executive sponsors at an early stage. The leadership team needs to make innovation and digitization a top priority for the whole business. From there, you can set up a core group of ‘first users,’ consisting of the most enthusiastic problem solvers in the business. Long story short: Any attempt at digitization without dedicated backing of the leadership team will inevitably fail.

2. Identifying the problem solvers in their organization. Who are the people who think outside of the box — the inspirational, hands-on employees who look for and actually create the solution for any problem themselves? Those are the people that create a support base within the organization if you involve them in setting up citizen development.

3. Learning what these problem solvers do and how they do it. How do they think? How do they work? Who do they turn to for help while solving their problems? How can they help to make citizen development happen by inspiring others to adopt their way of working?

4. Researching and selecting a low- and no-code platform. Start by mapping out your business needs from a citizen development platform. What are your requirements when it comes to functionalities, security, user friendliness, integration with other IT systems — and which platform meets them?

5. Implementing and integrating the chosen platform into the current infrastructure. Once you’ve found the right platform for your organization, it’s essential to properly integrate it with all your current IT systems so any business user can seamlessly build, deliver, and implement their built solutions.

6. Establishing governance guidelines to ensure a fast and safe delivery of beautiful business applications. It makes no sense to develop applications if you can’t actually use them afterwards. Establishing governance guidelines facilitates the collaboration between IT and business, and allows IT to oversee the process.

7. Setting up a process for ideation, to gather the best ideas. Every single employee probably has a great idea for a new application or other software solutions that can help the company. Encourage them to share their ideas by setting up a recurring dedicated meeting to talk about innovation and new technology.

8. Inaugurating a place for citizen development in the Software Delivery Life Cycle. Organizations implementing a citizen development strategy are adding a second pipeline, besides IT, which delivers business applications. Although built by the business, your organization needs a process to assess if the app is still safe, efficient and adding value.

9. Organizing an onboarding process and setting up a proper training for new citizen developers in the business. In order to get people involved with citizen development you need to train them properly. Get them familiar with the steps of turning an idea into something ‘tangible,’ introduce them to the functionalities of the platform, and help them to get started. The IT department acts as a mentor in the process. Also, set up a Center of Excellence within the organization.

10. Establishing a maintenance process, ensuring that this cost driver is minimized. It’s essential to identify which applications produced in the citizen development platform require maintenance. Having a process in place to assess which applications need maintenance over time, at what frequency, and how this should be done, will make citizen development more efficient and ultimately minimize the cost aspect.



Analyst View BY JASON ENGLISH

3 Apples in 2021 vs. 3 Oranges in 2022

You may see analyst predictions as meaningless, unless you find yourself choosing between an apple and an orange at a scarcely provisioned continental breakfast buffet. So it goes with the selection of strategies to fulfill an ever-increasing set of digital transformation requirements from a scarce IT budget. I have here the seeds of Intellyx’s 2021 retrospectives and 2022 predictions. Unlike most other pundits, we try not to state obvious observations as predictions, and we score ourselves on last year’s crop of conjectures.

Predictions from 2021

Appreciating Sir Isaac Newton’s theory of gravity, I collected three apples that fell on Jason Bloomberg’s head for his 2021 Intellyx prediction set. Let’s see if they had gravitas.

First off, a dramatic counter-cyberattack against Russia in response to attacks like the SolarWinds hack. This one didn’t bear fruit — if anything, the rate of exploits and breaches in IT continued apace, crowned in December with the revelation of the widespread log4j vulnerability.

Second, the massive Bitcoin-Tether Ponzi collapse didn’t happen yet–but all the conditions needed have intensified tenfold. Times of economic uncertainty and a mistrust of institutions drove celebrity shills and unsuspecting marks to throw down real money for magic blockchain beans. With over half of crypto exchange activity now circulating through stablecoin shell games, this failure is not a question of if — but when — the rug gets pulled.

Last, the pandemic and recession ending with a bang instead finished with a series of sputters and pops, as an inability to truly shake COVID-19 put a damper on economic relief and constrained global business operations. But in terms of IT, the wait-and-see period of 2021 gave way to an explosion of innovation and consolidation, especially in cloud-native, edge, and AI technologies, showing no signs of slowing down.

Predictions for 2022

First, a great weeding out of vendors. Overvaluations in the space will gradually give way to more responsible ways of evaluating the potential success of any vendor. Enterprises will become wiser about ROI metrics and refine their selection criteria to fit their desired architectural goals. Vendors that can demonstrate value for paying customers will be poised to accelerate, while the fortunes of runners-up in each category will decline, resulting in layoffs and surprise fire sales. This does not mean startup activity will decrease in 2022. Volatile conditions offer the most fertile ground for sprouting innovation to improve agility at scale and meet customer needs.

Observability will branch out into many forms. This solution category has consumed aspects of software performance, security, testing, development, issue resolution, planning — and all of the data and infrastructure supporting it. Observability must process data feeding ITOps, network analytics and AI learning tools, as well as assisting developers with many aspects of legacy modernization and migration.

Supply chain management will start to enter the IT mainstream discussion. Coordinating the many moving parts of SCM has always been a dark art beyond IT, even for the people running the cogs of supply chains — manufacturers, logistics providers, warehouses and retailers. Even though software is just a bunch of bytes, responsible orgs will consider software and hardware supply chain dependencies in every architectural aspect of planning and provisioning digital capabilities. Real global supply chains will also become the #1 growth market for edge computing and IoT.

Jason English (@bluefug) is a Principal Analyst and CMO of Intellyx.


The Intellyx Take

What will remain constant this year is change, and the determining factor of an organization’s survival will be its reaction speed for applying new technology to meet the chaos that change creates. To make it in 2022, organizations must value people more than ever to negotiate change, and listen to the experiences of employees, partners and customers — above the preferences of their own executives and shareholders.


Industry Watch BY DAVID RUBINSTEIN

Remember ‘people over processes’

David Rubinstein is editor-in-chief of SD Times.

Here we are, late January, with a "bomb cyclone" weather pattern about to drop a foot or more of snow on us here in New York. What better time to hunker down and reflect on the last year and to determine what is really important in the year ahead?

Many — if not most — of the technology conversations we had in 2021 centered on two things: Digital transformation and the speed it can enable; and the fact that despite advancements in AI and RPA (see the article in this issue), work remains about people — both those that are doing the work, and those on the receiving end of that work.

Of course, the virus that shall not go away has changed much in the world. Many organizations have allowed a hybrid remote/in-office approach to work, or shut down completely, and many workers are struggling with mental health issues due to the isolation that quarantines and face masks have created. Of course, there are the outside stresses of climate change, impending war in Eastern Europe and, in America and elsewhere, deep and widespread divisiveness over issues that affect our daily lives.

Largely because of these new conditions, workers are feeling more stress than ever to just maintain, while still being effective in their jobs and able to deliver valuable work to their organizations. Much of that stress comes from organizations responding to the constant drumbeat in the media and among software vendors that transforming the organization to move faster, crank out more features and just go-go-go is the only way for businesses to survive.

While this may be true for the largest organizations, which by their sheer size and influence drive the narrative, many midsize and smaller companies are competitive and doing well with the processes and tools — and most importantly the people — that they’ve had in place for years. Their markets aren’t changing rapidly, and the need to pivot and react to every new initiative coming down the pike just isn’t there.

Adding to worker anxiety is the fact that they are being asked to do things they haven’t been trained to do and likely don’t have much desire to do. Developers, for instance, are being asked to become test engineers, and take responsibility for security, all of which takes time from what gives them satisfaction on the job — writing code, innovating, coming up with new approaches to problem-solving, and creating wonderful new features for their users. Some workers are embracing the new challenges of learning new skills. Others clearly are not.

They also have to deal with a massive influx of new tooling into their organizations. There has been an explosion in tooling in organizations, so on top of everything else they need to learn, developers also have to learn the new tooling. Again, more time being taken from coding.

Much of technology is about tools and solutions, for automation in testing and continuous improvement. But what we’re hearing from more than a few developers is that they feel like they’re just another cog in the wheel, that their concerns and desires aren’t being heard, and that their organizations are moving people around so much that they just can’t get comfortable.

All this has played a role in what is being called “The Great Resignation.” People are leaving jobs in record numbers. Some are simply looking to be more highly compensated than they have been because of the shortage of tech workers. Others are seeking meaning in the work, flexibility to set their hours, and — as more are working from home — a balance of work life and family time.

It’s time for the industry to take a step back and analyze the true cost of blindly going for speed. Workers are dissatisfied, burned out and looking for a better way. Some take solace in working on their own projects on their own time. Others clear their heads through video games. Many are wondering if they’re simply pawns in a corporate game.

There has been somewhat of an awakening to these problems, as we’re hearing software companies starting to place their people above their processes. (Where have I heard that before?? Oh, right… Agile Manifesto!) We seem to have forgotten that in the never-ending race to the top. You can have all the tools and automations in place to deliver software like the wind, but it’s the people who ideate, create and innovate that should be prioritized above all.

