JUNE 2022 • VOL. 2, ISSUE 60 • $9.95 • www.sdtimes.com
www.sdtimes.com

EDITORIAL
EDITOR-IN-CHIEF David Rubinstein drubinstein@d2emerge.com
NEWS EDITOR Jenna Sargent jsargent@d2emerge.com
MULTIMEDIA EDITOR Jakub Lewkowicz jlewkowicz@d2emerge.com
SOCIAL MEDIA AND ONLINE EDITOR Katie Dee kdee@d2emerge.com
ART DIRECTOR Mara Leonardi mleonardi@d2emerge.com
CONTRIBUTING WRITERS Jacqueline Emigh, Elliot Luber, Caryn Eve Murray, George Tillmann
CONTRIBUTING ANALYSTS Enderle Group, Gartner, IDC, Intellyx

CUSTOMER SERVICE
SUBSCRIPTIONS subscriptions@d2emerge.com
ADVERTISING TRAFFIC Mara Leonardi mleonardi@d2emerge.com
LIST SERVICES Jessica Carroll jcarroll@d2emerge.com
REPRINTS reprints@d2emerge.com
ACCOUNTING accounting@d2emerge.com

ADVERTISING SALES
PUBLISHER David Lyman 978-465-2351 dlyman@d2emerge.com
MARKETING AND DIGITAL MEDIA SPECIALIST Andrew Rockefeller arockefeller@d2emerge.com

PRESIDENT & CEO David Lyman
CHIEF OPERATING OFFICER David Rubinstein
D2 EMERGE LLC www.d2emerge.com
Contents
VOLUME 2, ISSUE 60 • JUNE 2022

FEATURES
What do you mean by “communicate?”

NEWS
News Watch
JFrog brings native support for Terraform IaC files
Opsera and Mindtree announce partnership
How games are changing the education system

COLUMNS
ANALYST VIEW by Joachim Herschmann: Software quality with digital immunity
GUEST VIEW by Shanea Leven: Don’t lose developers to bad culture
INDUSTRY WATCH by David Rubinstein: Cross-talk blurs value of VSM

BUYERS GUIDE
Stuck in the [DevOps] middle with you
Microservices push the testing focus from UI to API

Software Development Times (ISSN 1528-1965) is published 12 times per year by D2 Emerge LLC, 2 Roberts Lane, Newburyport, MA 01950. Periodicals postage paid at Plainview, NY, and additional offices. SD Times is a registered trademark of D2 Emerge LLC. All contents © 2022 D2 Emerge LLC. All rights reserved. The price of a one-year subscription is US$179 for subscribers in the U.S., $189 in Canada, $229 elsewhere. POSTMASTER: Send address changes to SD Times, 2 Roberts Lane, Newburyport, MA 01950. SD Times subscriber services may be reached at subscriptions@d2emerge.com.
NEWS WATCH

Microsoft’s new lab for inclusive tech
The Inclusive Tech Lab is a successor to a lab that was created by the Xbox team. The purpose of the lab will be “to learn and develop specifically for people with various types of disabilities.” Compared with the original lab, this one is larger and will be more equipped to bring in visitors who can participate in the product-making process. Though the lab will showcase Microsoft’s accessible hardware, software, and services, it will mostly serve as a design incubator for inclusive products. The company also revealed new adaptive accessories that will be released this fall for people who might have difficulty using a mouse and keyboard. The adaptive accessories consist of three main components, an Adaptive Mouse, Adaptive Hub, and Adaptive Buttons. The Adaptive Mouse can be customized with the Microsoft Adaptive Mouse Tail and Thumb Support to make a unique mouse. The Thumb Support accessory also includes the ability to customize it to switch sides for left- or right-handed users. The Adaptive Hub and Buttons can be used together to replace traditional keyboards. Options for button toppers include a d-pad, joystick, or dual button, or users can 3D print their own button topper to suit their specific need.

Hasura launches GraphQL Joins
This new service lets developers join data from different GraphQL services. This new GraphQL Joins feature can be used to create a unified GraphQL API. According to the company, this feature builds on Hasura’s existing data federation capabilities. It also gives them the ability to mix and match data sources, which will reduce development time, security risks, and ongoing maintenance costs. Hasura explained that it’s important that developers have the ability to compose data from different sources. Even though data is coming from different places, usually it is semantically related. Previously, building relationships between this related data has required custom code where multiple APIs call each of the sources. GraphQL Joins provides a single schema that lets developers query, mutate, or federate data without having to write custom code. GraphQL Joins is best suited for developers who have more than one GraphQL API, existing investment in GraphQL servers, and databases for which they haven’t already created APIs.

People on the move
• Talend has announced two new major executive appointments: Sam Pierson as chief technology officer and Jason Penkethman as chief product officer. Chief product officer is a newly created role within Talend, reflecting the company’s focus on developing new solutions for its customers. Pierson previously served as senior vice president of engineering at Illuminate Education, and Penkethman was Spireon’s chief product and strategy officer for the past five years.
• Jamf has appointed Michelle Bucaria as its new chief people officer. She will oversee the company’s people operations, including attracting and retaining talent to meet the company’s needs. She was previously chief people officer at PointClickCare, chief human resources officer at Teladoc Health, and held executive human resources and recruiting roles at J.P. Morgan Chase.
• Adi Sharabani is joining Snyk as its new chief technology officer, where he will drive the short- and long-term vision of the company’s developer security platform, as well as overseeing Snyk Labs. Prior to this role, he was SVP & GM of endpoint solutions at Symantec, as well as worked at IBM in security strategy and architecture after IBM acquired Watchfire where he was a security and research manager.

Docker unveils platform updates
This year at DockerCon 2022, Docker made two major updates to its platform to increase developer productivity. First, it announced the release of Docker Extensions, enabling developers to add development tools to Docker Desktop. This will allow developers to extend Docker Desktop’s existing capabilities to better suit their needs. As part of this announcement, the company also revealed the first 14 launch partners that are providing Docker Extensions: Ambassador, Anchore, Aqua Security, GOSH, JFrog, Layer5.io, Okteto, Portainer, Red Hat, Snyk, Tailscale, SUSE/Rancher, Uffizzi, and VMware. The second announcement made at the event is the availability of Docker Desktop for Linux. This new offering will give Linux users the same Docker Desktop experience those on macOS and Windows receive. Docker Desktop for Linux also includes access to the new Docker Extensions feature, along with all of the newest features being added to Docker Desktop. The current main focus of the Docker team when it comes to Docker Desktop for Linux is ensuring that installation and getting updates is as easy as possible, according to the company.

Flutter 3 brings multiplatform capabilities
With Flutter 3, users are empowered to build experiences for six platforms from a single codebase, offering developers heightened productivity and enabling startups to bring new ideas to the full addressable market from the start. Additionally, this release offers added support for macOS and Linux apps, bringing users new input and interaction models, compilation and build support, accessibility and internationalization, and platform-specific integration. According to the company, the goal of this is to provide customers with the flexibility to take advantage of the underlying operating system while sharing as much UI and logic as they choose. Flutter has invested in supporting both Intel and Apple Silicon on macOS, with Universal Binary support that allows apps to package executables that run natively on both architectures. On Linux, Canonical and Google have worked in collaboration with each other to bring users a highly-integrated, best-of-breed option for development. With improved performance, Material You support, and productivity updates, Flutter 3 also works to enhance many of the fundamentals. This version is also fully native on Apple Silicon for development, allowing users to take full advantage of Dart’s support for Apple Silicon. Flutter’s work for Material Design 3 is also mostly completed with this release. This enables developers to take advantage of an adaptable, cross-platform design system that offers dynamic color schemes as well as updated visual components.

Codefresh offers hosted version of GitOps platform
This new hosted offering works to provide Argo CD as a Service as well as introduces new DORA dashboards and integrations with multiple CI providers at no cost for small teams and community projects. According to Codefresh, the hosted GitOps service is a simplistic way for users to get started with GitOps. Additionally, it is cost-effectively scalable for bigger teams that target multi-cluster, multi-application deployments. Codefresh GitOps CD will also add new dashboards, including fully integrated DevOps Research and Assessment tracking that provides visibility across Deployment Frequency, Lead Time for Changes, Change Failure Rate, and Time to Restore Service easily filterable by project and team. For the first time, Codefresh has added first-class integrated support for external CI providers beginning with Jenkins and GitHub Actions. This integration with existing CI pipelines allows teams onboarding to use Codefresh GitOps and immediately start gaining insights from the Universal Dashboard.

Climate change the focus of Call for Code 2022
Call for Code is an annual development challenge in which developers create solutions to help with a problem the world is facing. It is sponsored by David Clark Cause, IBM, United Nations Human Rights, and the Linux Foundation. This year, the challenge urges developers to create solutions that take on climate change. The solutions that are submitted can address a diverse range of climate challenges and provide things such as new ways to improve sustainable production, consumption, and management of resources; reduce pollution creation; protect biodiversity; and much more. The teams that register for the Global Challenge on the resource page on BeMyApp can attend Challenge Accelerator events to help fast-track their projects that include skills-building materials, exclusive toolkits, APIs, and data sets from The Weather Company and participating IBM Ecosystem partners. The challenge opened this month and projects can be submitted before the deadline of October 31, 2022. The Grand Prize winner will receive $200,000 and solution implementation support from IBM Ecosystem partners.

Android 13 Beta 2 emphasizes user privacy
In pursuit of improving privacy, this release includes a new permission for sending notifications, a privacy-protecting photo picker, and improved permissions when pairing with nearby devices and accessing media files. Additionally, it is now easier to support app-specific language settings, match your app’s icon to the user’s chosen theme colors, and build with modern standards such as HDR video, Bluetooth LE Audio, and MIDI 2.0 over USB. Android 13 Beta 2 also continues to provide users with an even better OS on tablets and other large screen devices, offering better tools to improve the experience. To get started using Beta 2 and provide any feedback on the new features, enroll any supported Pixel device. If you have already installed an Android 13 preview or beta build, you’ll automatically receive beta updates. Interested users can also access this beta on selected phones, tablets, and foldables from Android partners, including ASUS, HMD, Lenovo, OnePlus, Oppo, Realme, Sharp, Tecno, Vivo, Xiaomi, and ZTE.

Latest version of Android Studio now available
Android Studio Chipmunk is the latest version of the official IDE for building Android apps. One new feature is the Compose Animation Preview which enables developers to inspect and debug animations that were built with Compose. They can inspect the exact values of each animated value at any given time, pause the animation, loop it, fast-forward it, or slow it down. The Compose Animation Preview currently supports AnimatedVisibility and updateTransition and it will have support for more animation types in the future, according to the Android team. Another new feature is the CPU Profiler which shows updated jank information, including jank types, and expected and actual deadlines that can help developers spot the actual cause of the jank available on the Android Emulator or physical devices with Android 12 or higher. Android Studio Chipmunk includes the IntelliJ 2012.2 platform major release, which has new features such as project-wide analysis, a new powerful Package Search UI, and IDE actions enhancements to speed up workflows.
What Do You Mean by “Communicate?”
BY GEORGE TILLMANN

George Tillmann is a retired programmer, analyst, systems and programming manager. This article is excerpted from his book Project Management Scholia: Recognizing and Avoiding Project Management’s Biggest Mistakes (Stockbridge Press, 2019). He can be reached at georgetillmann@gmx.com.

Project management tools are amazing. Not only can they tell you the status of your project, but they also produce numerous spiffy charts and colorful graphs that you can paste into the PowerPoint report you are preparing for that senior user management presentation you need to give. You are sure you will dazzle them with your RACI matrix (responsibility assignment matrix) and knock them off their feet with your Pareto Diagram (look it up). Imagine your surprise when senior managers are not impressed. Hours spent color coding the work-breakdown structure wasted on an audience that does not appreciate the nuances of project management. To be fair, you might be bored at one of their presentations on RAROC (risk-adjusted return on capital), DSCR (debt service coverage ratio), or EBITDA (earnings before interest, taxes, depreciation, and amortization).

The reality is that each specialty has its own language, methods, and measurements that are often understandable only to the properly initiated. It makes sense: you would not trust your favorite Japanese chef to fly your plane or the pilot to prepare your fugu dinner. Worse, you might think that hearing all of that unintelligible-to-senior-user-management-geeky-jargon would make them realize that true IT experts are running their project. Not the case. You would probably be more effective reporting project progress through interpretative dance. Many senior managers consider jargon (at least not their jargon) a smokescreen hiding something you do not want them to know.

To effectively communicate, project managers need to see IT and the systems development process from the perspective of the user. Many users, including corporate senior management, do not understand what IT staff do and why they do what they do. They have a decent understanding of hardware—you need to buy it, you need to maintain it, you need to replace it. However, software and networks are seemingly unfathomable mysteries. You can see a computer; you can touch it; it has a physical presence, it is real. Software? It is intangible—who has ever seen it or touched it? It is not physical, so why do you need to fix something that is not physical—how can the non-physical break? Why does IT have people who dress like hippies (honest, who wears sandals in the winter?), smell like the homeless (this is them talking, not me!), keep bizarre hours, and talk in a language unknown to anyone on this side of the Shire? And the costs! Why does something not real cost so much and take so long to develop?

They have a good point (except for the smell thing). They are competent and accomplished senior managers who know how to run their business. They might be experts in their respective fields, quoted in the Wall Street Journal or interviewed on CNBC. For them, IT is a very costly wizard shop of very expensive staff doing…who knows what. This uncertainty leads to many unanswered questions. Are the company’s IT people “the good ones” or are they the dregs of the profession? Are they working hard or treating the job like summer vacation? Are all those dollars spent on things the company really needs, and what is the deal with the pizza delivery bills? They simply don’t know.

It must be very uncomfortable for people who pride themselves on knowing exactly what is going on in their
business to need IT to run critical parts of that business, to have it cost so much, to be overseen by such strange people, and to know so little about it. Yet, the need is mutual and symbiotic. IT needs the business just as much, if not more, than the business needs IT. Organizations have survived without IT, but no IT shop can survive without an organization behind it and willing to write all those checks. Therefore, it is incumbent on IT staff to adequately explain to business executives exactly why they are doing what they are doing, why it takes so long, and why it costs so much. IT staff who fail to learn this lesson might find themselves facing the Big-O (outsourcing), replacing them with consulting staff trained in business speak.

If you, the project manager, can’t present that RACI matrix and don’t know what RAROC is, then you have to do something else. You have to ask yourself, what does senior management want to learn from a meeting with the development team? What is it that will make them come away feeling that those in charge of their project know what they are doing and are working in the best interests of the company? Hundreds of projects, thousands of project status meetings, and more than enough experience doing the wrong things, have taught successful project managers that, when all the dust has settled, management wants to know three things.

1. Is the project on schedule? Will the project end when it is supposed to end?
2. Is the project on budget? Will the project cost what it was projected to cost?
3. Will it work? Will the system do what it was promised to do—features and quality?

Anything else is either gilding the lily or obfuscation. The challenge for the project manager is to adequately answer these three questions.

Less is More. Have you ever been
to a really good PowerPoint presentation? Have you ever been to a really bad one? Content aside, one of the big differences between the good and the bad is the slide-to-minute ratio. Bad presentations contain a large number of slides in a short period of time. If your 30-minute presentation contains thirty slides (slide-to-minute ratio of 1:1) then the odds are high that few people will come away with a good picture of the project and/or a good impression of the presenter. The truly good presenters have a higher than 1:5 slide-to-minute ratio. Why? Because bad presenters get it backwards. They think that the presentation is the slides while their comments are the background. The truth is just the opposite. The primary means of communication at the meeting is the presenter speaking. The slides just underscore some of what is said. The successful presenter, and the successful project manager, must cobble together, not a series of charts and graphs, but a story—a story of how the project is doing. People remember stories—nobody remembers graphs. There is no greater take-away from this section than…

PROJECT MANAGEMENT REVIEW RULE ONE: A good presentation contains a good story that the audience can take with them when they leave.

With this in mind, let’s look at the three senior management questions.
Is the Project on Schedule?

Schedules are tricky. For senior management, some project schedules are very important, while for others they are the least important answer to the three senior management questions (cost, time, and functionality). The difference is when the system is needed and the impact it has on the organization. For example, The Hershey Company, the chocolate manufacturer, required that IT have its new business-critical systems installed before the busy Halloween and Christmas seasons (when most orders are placed). Project schedule slippage (read the sidebar) caused mountains of unfilled orders and put the very existence of the company in jeopardy.

How Not to Do It
The Hershey Company undertook a major IT upgrade (installing packaged software for new ERP, supply chain management, and customer relationship management systems) in 1996. The original schedule called for a 48-month rollout but senior management demanded a 30-month rollout to avoid Y2K problems and be live before their most important business seasons (Halloween and Christmas) when they receive the majority of their orders. Both schedule and feature problems made the implementation a disaster, costing the company a reported $100,000,000 in lost revenue.

The best advice for any meeting with senior management is to know before you go. If schedules are non-critical to the user, then the project manager of a late project will probably get a pass. If, on the other hand, they are critical to the business, then considerable pre-presentation preparation, including possibly replanning, is needed. If the project manager doesn’t already know the importance of schedules to the user, the project champion (See “Projects, Politics, and Champions,” SD Times, March 2022) probably does. If the project manager is unsure of the business users’ tolerance for project lateness, then some pre-presentation homework is needed. The project manager should schedule interviews with a senior business manager or two to learn their allowance for lateness. Work on one or more possible solutions to the scheduling problem before the meeting—don’t show up without some options for remediating the problem. However, don’t postpone a meeting to avoid giving bad news. If there is bad news, it needs to come from the project manager and the sooner the better. Having management learn about it elsewhere can turn a bad situation into a disaster.

PROJECT MANAGEMENT REVIEW RULE TWO: Do not present a problem without an accompanying well thought out solution.
This is a good place to learn a lesson from lawyers—no really. Every lawyer will tell you that they never ask a question of a witness in court when they do not already know the answer. They want no courtroom surprises. Likewise, a project manager should strive to have no surprises at a senior management presentation. Vet everything possible before the big event.
Is the Project on Budget?

Budgets can generate the most noise but are often the least critical of the three management questions. Budgets are what senior managers understand the best; after all, they have spent careers crafting them, enforcing them, and learning how to get around them. They can manipulate a budget faster than a politician can change positions. Their adherence to a budget can be fanatical while, at the same time, they can be eminently practical. If the project is needed for the business, e.g., if it will “kill more than it eats” (business speak for “generate more revenue than it costs”), then spending more than anticipated will be approved. Oh, there might be some public castigation of the project manager, but most of that will be for show. If the project is needed, then it will be funded. The project manager just has to utter some public mea culpas, and all will be right.

If the project is considered anywhere between unneeded and frivolous, then the situation is entirely different. An overbudget report is often the catalyst to kill the unwanted or undervalued. This is not an entirely bad situation. Cancelling unneeded projects frees up scarce resources for more valuable work. It can, however, be a blot on the project manager’s career, though some perceptive and resourceful project managers have turned the tables to their advantage by being the one who recommends that, “for the good of the company,” the project should be cancelled.

An awkward budget meeting can point out one important reality of senior management thinking. Both project management tools and project managers themselves tend to focus on actuals (schedule actuals, actual spend, tasks completed), while senior managers are more interested in projections (what will happen when and what will it cost?). Spend more resources and time on when things will happen rather than when things did happen, what costs are ahead rather than what was spent, and what features are being developed rather than what was developed. For example, if you are a nickel overbudget then you need to be prepared to explain the impact it will have on projected costs.

PROJECT MANAGEMENT REVIEW RULE THREE: Traditionally, project management reviews focus on the past (work accomplished, milestones achieved, spend so far), but what management really wants to know is the future (when will it finish?, what will it cost?, what am I getting when all is done?).
Just ensure that focusing on the future is not perceived by senior managers as masking past failures.
Will it Work?

This is by far the most important of the three senior management questions but often the least discussed at project review meetings (where the focus tends to be on numerical issues such as schedules and budgets) and the most difficult to answer for two reasons. First, there are so many questions to answer. Functional failure can be caused by a lack of analysis, or programming that does not adequately do what is needed, or an architecture that cannot support the production environment (platform, data volume, transaction volume, etc.). The list goes on and on. When reporting on budget and schedule progress, the project manager has many numerical and presumably objective measures; however, there are few mathematical crutches when reporting on feature progress. Progress on the functionality landscape is highly subjective.

This is where iterative and incremental (I-I) development approaches, such as rapid application development, prototyping, extreme programming, and agile development, etc. come into play. By having user staff intimately involved in the project, providing insight and reviewing work accomplished, senior business management has the input of their own staff regarding the progress and quality of the system so far. There is an added benefit. If user staff assigned to the project are excluded from the preparation and presentation of the project review, then they might take on a more adversarial position, searching for project flaws rather than extolling its virtues. On the other hand, if user staff are charged with reviewing and presenting functional progress at the management meeting, then their inclinations will be more toward supporting the project rather than criticizing it. Many a project manager has suffered a self-inflicted wound by minimizing the role of user project staff. The wise project manager uses business staff assigned to the project as ambassadors to the user community.

Lastly, do not stand up at a senior management meeting and toss a project management hand grenade—giving senior managers bad news cold. Short of announcing at a senior management project review that you won the lottery and are quitting your job immediately, surprises are not a good idea. Moderate less-than-good news is OK, but senior executives hearing for the first time that the project will not deliver 50 percent of its promised functionality is not. Bad news, particularly about functionality, needs to be pre-sold, ideally with one-on-one meetings with selected senior managers. This is also the time to use your project champion to pour oil on the troubled waters. But do not dawdle. Bad news is like dead fish—it does not get better with age. Too many project managers procrastinate about giving bad news, but as awkward as it is for senior managers to hear about problems from the project manager, it is far worse if they hear about them first from someone else. Any credibility you had will be lost.

PROJECT MANAGEMENT REVIEW RULE FOUR: Never wait for a formal management meeting to present bad news. Always pre-sell bad news to the project champion or at least one or two senior managers before the meeting. No surprises.
Salty old project managers are awash with tales of presenting terrible news at a senior management meeting and getting no reaction, while getting skewered on something the project managers considered trivial. You never know what will pass without a sigh and what will cause a brouhaha. When in doubt, pre-sell.

Managing the Managers. Like it or not, a project manager needs to manage up as well as down. The project manager techniques that are so successful in managing subordinates are rarely the same techniques needed to manage superiors. Techniques and styles that work so well with programmers might be the absolute wrong thing to apply to user supervisors. The successful project manager has a separate tool kit for each constituency and the number one tool in the manage-up kit is communication (See “5 tasks project managers must perform to ‘sell’ their proposals,” SD Times, November 2020). A good project manager uses every opportunity in front of senior staff to sell the project, its benefits, its team, and its project manager. Anything else is shortchanging the project and the user.
The Little Book of Big Mistakes and How to Avoid Them Project Management Scholia focuses on the 17 most consequential reasons IT projects fail and presents ways the project manager can avoid these problems by reading the danger signs and taking timely corrective action. The book dives into the often painful lessons learned — not from the library or the classroom — but from the corporate trenches of real-world systems development.
By George Tillmann
Available on Amazon
George Tillmann is a retired programmer, analyst, management consultant, CIO, and author.
Microservices push the testing focus from UI to API
BY JAKUB LEWKOWICZ

API testing has become more important than ever because the world of three-tier architectures and monolithic applications is being replaced by something much more complex. That has driven up the number of APIs in applications. According to Joachim Herschmann, senior director and analyst on the application design and development team at Gartner, the number of APIs in applications has grown tremendously over the past few years because APIs offer a great way to extend the functionality of an application without having to write code.

However, the sheer number of API tests has created many challenges for developers; challenges that are similar to those in other types of testing. It is often difficult to test API calls because they require a testing environment to be set up and maintained. This can be a difficult and time-consuming task for developers who already have a lot on their plate. There are also many different types of API testing, including functional testing, load testing, security testing, fuzz testing, and performance testing which testers have to handle often.

Organizations are having to move API testing up from their developers who may have written some initial API testing or frameworks or patterns and shift it to test engineers or quality engineers who may need to maintain those tests, build new versions of those tests, and frameworks to help them do that, explained Coty Rosenblath, CTO at Katalon. However, many organizations still rely on collaboration between QA working in tandem with developers.

“Since we can’t gain the knowledge and experience overnight, it’s important that we ask for help and use the knowledge and experience of other people — like developers. They offer great support and they can teach QA a lot,” said Adam Lochno, a quality assurance analyst at The Software House.

Certain platforms enable testers to do different types of tests in one place, making it easier. Often people look for a platform to shift into automated functional testing and once they have those tools they can then shift that over to the API world.

“This enables the combination of functional and API testing in a way that lets testers and engineers do things like setting up a context for testing using the API and then check its functionality. Or vice versa, they can do a functional test suite, and then check its performance and confirm that it did the things it was supposed to through an API so that you’re not having to deal with some of the vagaries of functional testing except when you really want to know the specifics,” Rosenblath said.

Another challenge is being able to track the performance and behavior of those tests, which is a problem amplified especially in API testing. It’s especially critical in API testing to be able to track how quickly someone responds because it can scale up and cascade. Any given functional test may be dependent on a number of different API calls, and they may stack up.
Testers want to be able to understand the baseline performance and understand when it goes off the rails and tackle it because it can have wide-ranging implications. “If your login API or your tracking API starts to spike in terms of maybe 10-20% performance, it could have an impact across your application. So having a system to track not only the working capability of the API, but did it perform its function, and how does it perform, it is important,” Rosenblath said. API standards also vary often so testers need to keep up with the state of the art when it comes to API testing and its complexity. Whether it’s SOAP or REST APIs or dealing with GraphQL, each has its own authentication protocols and network configurations that need to be tracked, Rosenblath explained. The Software House’s Lochno found that documentation is sometimes lacking for REST APIs, leading to a lack of information about what fields endpoints take and what are frequent blockers during tests. In such situations, he said that it is necessary to find a person who can provide testers with this information. “Any form of documentation is invaluable. When we have it, we can easily find the information we need, such as the required fields in the body request, or what response we can expect. Swagger deserves special attention. This automatically created documentation not only presents all the data on the tray but also allows you to ‘shoot the API’ directly from the documentation,” said Lochno. With the absence of documentation, testers are forced to look at the developer console and they have to spend a lot of time sifting through all of the info to find the answer which is often obstructed by all of the unnecessary information.
API tests are ideal for automation

While APIs and how they behave can be very complex, API testing is very suitable for automated testing and even autonomous testing, which can generate tests.
“It’s comparatively straightforward these days to take API definitions like Swagger files, or similar definitions, read them, and create test cases right out of that. And most vendors have capabilities to do that,” Herschmann said. “On the other hand, for UI tests, there is not necessarily such a thing as a definition of a user interface. There’s a lot of change going on, which makes UI tests a lot more brittle. So API tests are more stable in the sense that these interfaces or the contracts or definitions change less frequently than a user interface does.” Another common way to do API testing is to create test cases by recording the traffic against the API, similar to how UI tests are performed. The developer or tester uses the recorder mechanism to record the raw blueprint of the test case. They can record a day’s worth of recorded traffic, then replay that same traffic on another system to see if this new system is capable of handling the same kind of traffic. A useful way to perform API tests is by directly accessing the business logic
that is accessible through the APIs rather than first going through whatever interface layer is there. In order for developers or testers to do some of the testing, they can virtualize the service and instantiate it in another environment through service virtualization. “Service virtualization is really intelligent in the sense that it implements the behavior of a more complex set of APIs that interact with one another,” Herschmann said. He used the example of wanting customer data, and a single request goes out, but on the back end, it triggers several subsequent requests — one for customer name, another for the customer address, and another for the financial details of that account. All of those might go to different databases. “It triggers a real simulated activity of that service. And so that allows me to do very complex testing in environments where the actual services may not be available,” he said. API tests are more accessible to computer processing than traditional
One company’s journey into API testing

The job search site Jooble has a distributed monolith architecture but is trying to move to a microservice architecture. Andrii Rybalko, a developer at Jooble, said that in their case, the hardest thing is separating APIs from their dependencies. Here a dependency is any executable thing that is not a part of our app, like other APIs, databases, Rabbit, Redis, etc. The team at Jooble divides dependencies into two groups: APIs and all the others. For APIs, they create stubs or mocks. But they use real databases, Rabbit, Redis, etc. in a special testing environment, like in Docker or virtual machines, which is recreated from scratch on each test run. “At first, we were creating static stubs of APIs, but this way we cannot check that some endpoint was called, and it’s unclear which setup of the stub corresponds to which test. So, we moved to another approach where we dynamically set up mocks of APIs inside the test itself,” Rybalko said. “This solves the previous problems, but introduces new ones — setups can intersect each other, and when you run tests in parallel, this can cause some strange bugs. To deal with that, we generate pseudo-random data, which differentiates from one setup to another.” This approach with pseudo-random data is also used for databases and other dependencies, for the same reason — intersections of tests. This gives the team the ability to deploy logical units independently and automate the regression, which leads to daily releases and a reduction of slow and at times unreliable manual testing. This decreases the testing time of business hypotheses and provides a reliable and stable development speed.
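The intersecting-setup problem described in this sidebar, as an added example that is not Jooble's code: two tests register mocks on one shared mock API from inside the test and run in parallel, first with a colliding identifier and then with pseudo-random ones. `MockApi`, `fetch_vacancy_title`, the `/vacancies/` path and the other names are hypothetical.

```python
"""Constructed illustration: per-test dynamic mocks with pseudo-random data."""
import threading
import uuid
from concurrent.futures import ThreadPoolExecutor


class MockApi:
    """In-process stand-in for one mocked HTTP dependency shared by all tests."""

    def __init__(self):
        self._lock = threading.Lock()
        self._responses = {}  # (method, path) -> canned response
        self._calls = []      # every (method, path) the app requested

    def expect(self, method, path, response):
        """Dynamic setup done inside a test; a later setup on the same key wins."""
        with self._lock:
            self._responses[(method, path)] = response

    def request(self, method, path):
        """What the application calls instead of the real dependency."""
        with self._lock:
            self._calls.append((method, path))
            return self._responses.get((method, path), {"status": 404})

    def call_count(self, method, path):
        """Lets a test verify that an endpoint was called, and how often."""
        with self._lock:
            return self._calls.count((method, path))


def fetch_vacancy_title(api, vacancy_id):
    """Code under test (hypothetical): asks the dependency for one vacancy."""
    reply = api.request("GET", f"/vacancies/{vacancy_id}")
    return reply.get("title") if reply.get("status") == 200 else None


def run_test(api, name, vacancy_id, barrier):
    """One test: set up its own mock, exercise the app, verify the call."""
    path = f"/vacancies/{vacancy_id}"
    title = f"{name}:{vacancy_id}"
    api.expect("GET", path, {"status": 200, "title": title})
    barrier.wait()  # both tests have finished setup
    got = fetch_vacancy_title(api, vacancy_id)
    barrier.wait()  # both tests have made their request
    return got == title and api.call_count("GET", path) == 1


def unique_id():
    """Pseudo-random data that keeps one test's setup apart from another's."""
    return uuid.uuid4().hex


def run_pair(id_a, id_b):
    """Run two tests in parallel against one shared mock; return pass/fail."""
    api = MockApi()
    barrier = threading.Barrier(2, timeout=5)
    with ThreadPoolExecutor(max_workers=2) as pool:
        futures = [
            pool.submit(run_test, api, "test_a", id_a, barrier),
            pool.submit(run_test, api, "test_b", id_b, barrier),
        ]
        return [f.result() for f in futures]


if __name__ == "__main__":
    # Same hard-coded id: the setups intersect and each test sees two calls.
    print("shared id :", run_pair("42", "42"))
    # Pseudo-random ids: each test only ever sees its own setup and calls.
    print("random ids:", run_pair(unique_id(), unique_id()))
```

The barriers only make the interleaving deterministic for the demonstration; in a real parallel run the same collision shows up intermittently, which is why it reads as a "strange bug".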
functional testing, according to Katalon’s Rosenblath. With API tests you just have text, you can parse that, and you can understand what was asked for and what was returned. An automated testing tool will be able to track the actual execution of APIs by watching API logs as they’re occurring in the live system to service test configurations and context. Then, for example, the tool can look at a stream of API calls and understand what the dependencies are between those API calls and then structure the test so that everything occurs in the right order, and then can look at the data that are being passed back. Once the normal data is established from the tests, teams can infer what might be outliers and then push that in as potential edge case tests. According to Herschmann, organizations are generally not doing enough testing at the API layer and are rather focusing on UI testing. But that might change as more organizations are focused on creating tools for API tests. “Instinctively, the first way to think about testing is through the user interface, because we humans interact with an application through the user interface. But basically, humans only see the tip of the iceberg, literally, the front end. We don’t see that, potentially, the website makes hundreds of calls to the back end,” Herschmann said. However, there are some organizations that go the other way around and instead start at the API testing level and those are the organizations such as highly interactive financial network types of solutions where it’s all about low latency and fast connections to all servers. Testing vendors who have long focused on UI testing tools are now shifting their focus toward APIs either through growing tool capabilities organically or through acquisitions, according to Gartner’s Herschmann. While API testing needs to be in the spotlight, organizations want to make
Contract testing offers a more holistic approach to automated testing

An important aspect of API testing is contract testing which focuses on ensuring that spec files such as Swagger or OpenAPI and RAML properly fulfill contracts between API consumers and producers. “Contract testing is important because it’s the type of technology that allows you to gain some level of confidence with the aspects that contract testing tests, while also increasing velocity. It’s a lower overhead method that’s actually piggybacking or leveraging something that’s already enumerated, in many of these cases: the API contract,” said Abel Matthew, CTO at Sauce Labs. Contract testing can also validate spec files in an automated way by capturing how an API consumer and producer communicate with each other. By creating this contract, developers have a mechanism by which they can specify the behavior of their APIs. But additionally, they can leverage code-generation techniques. By creating a spec file, developers can generate a bunch of the boilerplate often associated with an API, according to Matthew. “I can leverage that same file to take the same requirements, the request and response that I use, and then I can say, well, now that I know what this should look like from a black box testing perspective, I can effectively validate what the request and response should look like in terms of both form and content,” Matthew said. “Now, because it’s using a spec file that’s created at the beginning of the development cycle, the first benefit that we have here is that it introduces some form of testing early on in the development cycle.” Without this type of testing, an error might occur in functional testing and then one has to drill it down further to identify what was the cause. This method of test generation also allows for the testing of third-party APIs fairly easily as well, according to Matthew. For example, if an API calls in some sort of third-party, one can effectively enumerate what the expected contract from that API is such as a strike. Now, testers can get more holistic testing, which is a huge advantage as opposed to writing functional tests, Matthew said.
sure that they have a good balance of all types of testing, according to Rosenblath. Some organizations have extensive API suites but have neglected their functional testing which can leave them blind to user experience issues. If testing is handled purely within the development organization, the engineers may build a lot of API tests, but they may not be building enough functional tests and vice versa for companies that focus their testing efforts in the testing ward. All in all, API tests need constant maintenance and need a testing team around them to handle changes that the engineers are not fully aware of.
“You may have new tests that are needed, that aren’t the result of changes to the API code itself, but changes to the way the business is operating, maybe something upstream, or maybe something in the data infrastructure has changed. And that changes the way the API behaves. That’s something the engineering organization is probably not dealing with,” Rosenblath said. “But your test organization needs to take that into account and needs to be connected with their business organization and put those tests in place quickly so that they know and they can assure you as a business that you’ve got that new business requirement covered in your API.”
“You like me… You really like me” BY DAVID RUBINSTEIN
The great actor Sally Field, upon winning her Academy Award in 1984 for “Places in the Heart,” understood that the trophy meant that a rising Hollywood star had gotten the recognition for her on-screen work that she had longed for. It came not just from industry insiders, but from the general public at large. Fast forward to 2022, and — while the Oscars haven’t lost their sheen — technology companies have their “You like me” moments through the five-star rating system under which users rank how much they like an application. And it’s also seen through the action of their peers and competitors, who are all striving to outperform each other on the grand stage of technology. This year’s SD Times looks at the best of the software development companies from how they performed in 2021 — a year like no other due to the lingering COVID-19 pandemic, the fact of business shifting from central offices to remote locations, and the boon to our industry driven by the new types of tooling to enable this work-from-home culture change. There are many familiar faces on this year’s list. Some have been industry stalwarts since the SD Times 100 began; others fell off the list in previous years and have managed to return by shifting to the new realities of software. And, for the first time, we are highlighting those companies that are new to the list, who — through hard work and innovation — have shown they belong among the best. In short, “We like them… we really like them!” And we know you do too.
DEVOPS WATCH
JFrog brings native support for Terraform IaC files BY KATIE DEE
JFrog today announced native support for Terraform files, allowing users to maintain consistent workflows and processes across multiple cloud platforms. Terraform is an Infrastructure-as-Code (IaC) technology, which manages an application’s technology infrastructure as code via Terraform files. With the new Artifactory support for Terraform, developers can manage IaC configurations with existing DevOps processes in order to manage shared binaries. With tools such as Terraform, DevOps teams are able to avoid drift or mismatches between applications and the configurations used to run them. “JFrog’s support for Terraform ensures developers can retain mechanisms to centrally manage and share their applications’ cloud infrastructure, by utilizing JFrog Artifactory as a registry for Providers and Modules and as a reliable state back end,” said Yoav Landman, co-founder and CTO of JFrog. “Artifactory also acts as a local cache for other Terraform registries. This allows developers to use a single platform without the overhead of maintaining multiple systems, all while using robust and secure DevOps solutions they already utilize across their development pipelines.” According to JFrog, this added support makes the platform a one-stop choice for developers looking to ensure continuous delivery of software updates utilizing the binaries themselves or pairing them with the proper infrastructure configurations needed to run them.
Opsera and Mindtree announce partnership BY KATIE DEE
Opsera, the continuous orchestration platform for DevOps, and the technology services company Mindtree are entering into a partnership to enable enterprises to increase scale, speed-to-market, and customer satisfaction as they advance along their transformation journey. “We are confident that our partnership with Opsera will give our customers an even greater competitive edge in times of rapid change and transformation,” said Radhakrishnan Rajagopalan, global head of technology services at Mindtree. “No-code DevOps orchestration is a revolutionary approach to software delivery that ensures the strictest speed, quality and security standards until they are met. We look forward to bringing this solution to our customers and also providing Opsera’s customers with our own unique approach and capabilities around digital transformation at scale.” According to the companies, in order to get the most out of the cloud and digital solutions, organizations need to successfully adopt DevOps practices and tools to maintain velocity, security, and quality of software development. With this collaboration, Mindtree users gain access to Opsera’s no-code DevOps orchestration platform that provisions engineering teams’ choice of CI/CD tools from a common architectural framework and builds declarative pipelines for several different use cases. Additionally, users of Opsera are able to take advantage of Mindtree’s engineering capabilities. “Partnering with Mindtree helps strengthen our collective approach to help engineering and IT organizations turn DevOps practices into improved business performance,” said Chandra Ranganathan, co-founder and CEO of Opsera.
In other DevOps news

Jellyfish announces benchmarks

The newly announced Jellyfish Benchmarks enable engineering leaders to add context to engineering metrics and performance by introducing a method for comparisons. Jellyfish customers now have insight at the percentile level as to how they stack up against their peers since the complex nature of modern software engineering often fails to give engineers proper context, according to the company. Engineers who opt-in will have their data anonymized and added to the benchmarking Jellyfish customer pool. Among the key metrics are allocation, delivery, productivity, and collaboration.

A new spec for event data

The CD Foundation has announced CDEvents, a vendor-neutral specification for defining the format of event data. A standardized set of specifications will enable an ecosystem of tools that can collect, store, visualize and analyze events across CD platforms to help measure DevOps metrics and performance and visualize end-to-end workflows. “CDEvents open the doors to scalable and decoupled integrations within the software supply chain and create the potential for greater visibility and measurability of continuous delivery workflows,” said Andrea Frittoli, open source developer advocate at IBM, co-creator of the CDEvents project, and member of the CDF Technical Oversight Committee.

Apollo GraphQL’s supergraph

Apollo GraphQL today introduced the supergraph, a network of a company’s data, microservices, and digital capabilities that enables product and engineering teams to create a better experience for users. A supergraph works as a composition layer and facilitates collaboration between backend data services and front-end applications and devices.
How games are changing the education system
BY KATIE DEE
As young children, it’s normal to utilize games and playtime as a way to discover and learn about the world around us. The ways in which play relates to cognitive growth and development throughout childhood and beyond have been carefully studied in psychology — however, it remains vastly underused within the education system. With the majority of children having to adapt to online schooling in the wake of the pandemic, JD Calvelli, analyst at the University of Chicago’s Center for Radical Innovation for Social Change (RISC), began exploring the role that games and play can have in enriching a child’s learning experience, especially in a remote setting. “I think in general, the education system hasn’t really caught up to the reality of today and the onset of modern technologies,” Calvelli said, “A lot of that became especially evident post-pandemic when we had to rapidly adapt to this new reality of people being in their homes and having to learn through digital technology and we weren’t really ready for that.” He went on to explain that even though some of these technologies are not new, the education system has failed to take full advantage of them. He attributes this to the old school conception that work and learning are not meant to be fun, but rather, the antithesis of it. “We seemed to have arbitrarily decided at some point that after you’re a baby it’s no longer okay to learn through play… 76% of kids in the U.S. play video games, and so the gamification of learning is a way to introduce students to important concepts and meet them
where they are,” Calvelli explained. In pursuit of bringing games into the education sector, RISC, in partnership with educational consultants Enable Education, has created its own learning game, Algo-Rhythm. This data science, music-based game allows children to look deeper at the data behind several popular songs. With Algo-Rhythm, students can create playlists, explore how songs are made, and dance to the beat. Parents can also play along with their children and help them learn about today’s music and the way that data has helped to create it. Intended for late elementary- to early middle school-aged children, the game utilizes the Spotify API in order to determine a few key data points about the songs. “Specifically, we focused on values that represented Danceability, Energy, and Tempo — which are each represented in the game as a number out of 10 whenever a player chooses a song in the playlist builder,” Calvelli explained, “Players are then tasked with building playlists, and later
responding to song requests, such that they fulfill specific asks.” Players are expected to use the data represented to them in order to make informed decisions about which songs to add to playlists, or which to use to fulfill certain song requests. The quicker a player is able to make these determinations, the more points they accumulate. Calvelli and his team hope that this game works to teach children two important fundamentals of data science: the fact that data can be found anywhere, and that it can be used to help make more informed decisions. “We really wanted to meet kids where they are, and try our best to give them an experience that would let them have a good time and, at the same time, teach them something or at least inspire them to look at the world in a way they didn't necessarily before,” Calvelli said. He explained that another hope for this game is to serve as an impetus to foster a greater interest in learning within students. He explained that by teaching important data science skills through a
fun, interactive game, it is easier for children to become engaged in the topic and offers them the opportunity to learn about an important concept in a fun way. “Ultimately, we hope that this can serve as that catalyst. We’re not driven by profit motive… So ideally that means that we can create something that really only exists for the purpose of trying to teach someone,” Calvelli said. Another purpose Algo-Rhythm serves is to close the knowledge gap around data and the impact that it has on the world. Calvelli explained that not many people have a full grasp of what data actually means and the purpose that it serves. He hopes that introducing students to this concept in a way that feels accessible to them will work to solve this problem for the next generation. “We hope that Algo-Rhythm can be the start of that conversation like, ‘oh, data is important and we should be teaching students at a younger age
about it and it should be integrated into our school systems in a more direct way,’” he said. Calvelli also discussed that bringing technology and games into the classroom can be a really meaningful way to offer kids a heightened sense of agency over their own education and the way they learn. He spoke specifically about the beginning of the pandemic and how young children with active imaginations were expected to absorb important material through methods that failed to engage that imagination or even offer an outlet for much interaction. “In order for something to be a game, there has to be a mechanic, there has to be something that the player does. So, the reality in this post-pandemic world is that there is a perceived lack of agency on the part of the students and incorporating play can return that agency in a meaningful way,” Calvelli said. He also explained that with the emergence of the Metaverse there is even
more room for games to be brought into the education system in an immersive way. With the rise of virtual reality and the ability to fully bring students into these educational games, failing to do so would be a missed opportunity. Calvelli expanded on this saying that this technology still has a good amount of room to further grow and develop. However, he believes that the Metaverse should ultimately become an important mechanism in the education field. “If we conceptualize the Metaverse as an increasingly interactive, increasingly immersive, increasingly interconnected, virtual world… then the two most obvious benefits are that it opens up experiences and it shrinks distances,” he said. Based on that conceptualization, Calvelli believes that this technology will also serve as an equalizer of opportunity for students, making more sophisticated experiences more accessible to lower income students. “If you’re in a school system that wants to run chemistry labs but that cost is too high, theoretically, the Metaverse will allow you to have that lab without the need to pay for the resources,” he said. According to Calvelli, as of right now the gamification of learning remains an untapped market within the Metaverse, but hopefully as the technology comes to fruition, that will change. He said, “We are interested to see, as time goes on, how more companies and pioneers in the Metaverse come to engage with the agency aspect and how they use that to help students learn better.” Calvelli also stressed the fact that the current education system is in need of an upgrade because children today are not being set up for success in the digital world we live in. He believes that the system has been stagnant for many years and by giving it some much needed TLC, students will benefit greatly. 
“RISC believes that games and play are an important part of that new approach to education not only because it is engaging for students, but also because it has the potential to be a learning tool and to really break down the dichotomy that play and work need to be different,” he said.
Stuck in the [DevOps] middle with you
BY JENNA SARGENT
Technology is always changing, and thus the way organizations manage around technology is always changing. There are always new methodologies entering the field, promising various benefits if only you could adopt them correctly. Many of these fizzle out and remain nothing more than buzzwords, but according to Charles Betz, principal analyst at Forrester, DevOps has been an exception to this “IT fashion show.” Despite this, a majority of companies aren’t where they could be when it comes to their DevOps evolutions. According to Puppet’s 2021 State of DevOps report, the majority of companies practicing DevOps are stuck in the middle of their DevOps evolution. This has remained mostly consistent over the past few years, dropping just 1% since 2018, to 79% of companies. In 2021, Puppet found that 18% were at a high level of evolution and 4% were at a low level of evolution. Despite the percentage of companies in the mid-level of evolution, the percentage of those on the high or low end actually has shifted over the past four years of the study. By comparison, in 2018, only 10% were highly evolved while 11% were considered to be at the low portion of DevOps evolution. So what is keeping so many companies in the middle? And what exactly does it mean to be in “mid-level evolution?” Puppet’s report defines mid-level evolution as companies that “have introduced automated testing and version control, hired and/or retrained teams, and are working to improve their CI/CD pipelines. They’ve managed to start optimizing for individual teams, and if they’ve managed to avoid many of the foundational dysfunctions from which large organizations can suffer, they’re in a great position to start optimizing for larger departments, the ‘team of teams.’”
Betz argues that even though it might have stalled at a certain point in some organizations, DevOps as a practice in general has largely been a success. Rob Cuddy, global application security evangelist at HCL Software, agreed, adding that DevOps is a continual evolution of trying to deliver better quality software faster. “So, you’re always going to be improving, and looking to improve as you go,” he said.
DevOps targets keep moving

Al Wagner, solution architect at HCL Software, added that changing technologies means that DevOps also has to continually change to keep up. It’s a moving target, not a stationary finish line where once you’ve crossed it, you’ve succeeded at DevOps. “As DevOps has grown, we discover new problems and new solutions to those problems, where every time we embrace something, if you think about cloud, it has only evolved post this term DevOps, and same with Kubernetes, Docker. So when people get stuck, the beauty of DevOps is it continually evolves and grows, and it's not locked down by a manifesto,” said Wagner.
Even so, there are some bottlenecks that companies run into when they’re trying to evolve their DevOps practice. Cuddy believes one bottleneck is a lack of understanding of what you’re doing. “The whole goal should be to improve the quality as it goes through the pipeline,” said Cuddy. “But if you're just running scans, or running tests for the sake of running them, and you're not doing anything with the results, well, great, you've added a lot of automation, but now you've created a ton of noise.”

Paul Delory, VP analyst at Gartner, also defined three main reasons why he believes an organization might struggle to move forward with DevOps. First up is skills. Delory explained that a lot of initiatives get stuck because of a lack of talented people. Those few that do have the matching skillset you’re looking for don’t tend to stay on the market for very long, and they also get offered really high salaries, which might be difficult for all companies to match. When companies find themselves in this position, they must look to growing these skills internally instead. But this option is a longer process, so it injects further delays into their DevOps transformation. “I think that's a big part of the reason why a lot of people get stuck on this plateau,” said Delory.
Do you need DevOps everywhere?

The second reason people stall out in their DevOps transformation is that they might not actually need DevOps in every aspect of their business. “If I look at the portfolio of applications that an IT department is asked to support, I think there are a lot of cases where essentially, you don't have the problem that DevOps solves,” said Delory.

According to Delory, when talking about DevOps, we’re often speaking of fast-moving, line-of-business applications that are directly impacting revenue. But not every application in the company is going to fit that bill, and thus, won’t really be an ideal candidate for DevOps. Delory gave the example of an employee phone directory as an application where applying DevOps wouldn’t make sense. “Your employee phone directory is probably a Ruby on Rails app that was written in 2009, and nobody's touched it since,” said Delory. “Bringing in these kinds of DevOps transformation, cloud transformation, you could do that, but it's not really necessary, and I don't think you're going to see ROI on that in any reasonable time horizon.”

The third factor that Delory thinks keeps people stuck in their DevOps transformation is politics and team structure. For example, organizing a central operations team is something that some developers might not be too thrilled about, while others are happy about the change. The developers who don’t want to have to manage their own infrastructure would be ready and willing to hand that over to someone else, and the developers who really like getting their hands dirty and being involved in that aspect would probably be the ones not too happy about having to adopt this new team structure. “In all of these conversations around redesigned team boundaries and roles, getting it right is critical. And if you don't get it right, then that can definitely be a barrier to adoption,” said Delory.

Cuddy agrees with this sentiment, and believes that the single biggest piece of DevOps is the people, not the tools or processes. “If you are not maintaining any kind of an organizational culture that supports DevOps, that enables people, that builds trust, that allows for flexibility, that allows room to fail fast and grow and learn, you're gonna get stuck eventually,” said Cuddy.

Cuddy believes that in order to successfully change culture, you need leadership buy-in so that change can be enacted not only bottom-up, but top-down. This idea has necessitated the need for value stream management. According to Wagner, when companies have been investing significantly in something like DevOps for years, they want to be able to see the relationship between their investments and business outcomes. “Leaders may not be seeing a return on investment, and perhaps there's not as much money coming back to the development teams to improve,” said Wagner. “So it's really finding those bottlenecks using things like value stream mapping, value stream management, prioritizing, working closer with the leadership, the stakeholders to make sure that we are linking and that the things we do in the product teams are directly contributing to the business.”
How does HCL Software help companies evolve their DevOps practices?

Nabeel Jaitapker, director of product marketing at HCL Software

In a modern secure DevOps culture, teams seamlessly collaborate to increase delivery and productivity. The top organizations continuously seek new areas of efficiency, and they know that secure DevOps is never done. These organizations often rise to the forefront of their industries, using it as the launchpad. HCL Software Secure DevOps is approaching this next decade strategically and with the full-cycle and scope of DevOps in mind, including development teams, IT and business units. Leveraging our comprehensive solution set and business leaders with decades of industry secure DevOps experience, we have created a solution as unique as your business. This means having the peace of mind knowing you have the tools you need with the leading experts in secure DevOps by your side. From idea to production, HCL Software Secure DevOps provides solutions for source control and work item management, continuous delivery and testing, security scans and value stream management.
A guide to DevOps tools

FEATURED PROVIDER

• HCL Software: HCL Software is a division of HCL Technologies (HCL) that operates its primary software business. We develop, market, sell, and support over 30 product families in the areas of Customer Experience, Digital Solutions, Secure DevOps, Security and Automation. Our mission is to drive ultimate customer success of their IT investments through relentless innovation of our software products.

• Atlassian offers tools like Jira and Trello, which can be used to make project management easier and enable cross-functional collaboration. Its solutions help companies stay on track as they work to deliver products. In addition to its offerings, it also believes that “great teamwork requires more than just great tools.” To that end, it promotes practices like retrospectives, DACI decision-making framework, defining clear roles and responsibilities, and developing objectives and key results (OKRs).

• CircleCI is a continuous integration and delivery platform that enables teams to automate their delivery processes. It provides change validation at every step of the process so that developers can have confidence in their code. It also offers flexibility through the abilities to code in any language and utilize thousands of pre-built integrations.

• CloudBees: The CloudBees Suite builds on continuous integration and continuous delivery automation, adding a layer of governance, visibility and insights necessary to achieve optimum efficiency and control new risks. This automated software delivery system is becoming the most mission-critical business system in the modern enterprise.

• Codefresh is a GitOps-based continuous delivery platform that is built with Argo. It offers benefits like progressive delivery, traceability, integrations with CI tools like Jenkins and GitHub Actions, and a universal dashboard for viewing software deliveries.

• Digital.ai: The company’s Deploy product helps organizations automate and standardize complex, enterprise-scale application deployments to any environment — from mainframes and middleware to containers and the cloud. Speed up deployments with increased reliability. Enable self-service deployment while maintaining governance and control.

• GitLab allows Product, Development, QA, Security, and Operations teams to work concurrently on the same project. GitLab’s built-in continuous integration and continuous deployment offerings enable developers to easily monitor the progress of tests and build pipelines, then deploy with confidence across multiple environments — with minimal human interaction.

• IBM: UrbanCode Deploy accelerates delivery of software change to any platform – from containers on cloud to mainframe in data center. Manage build configurations and build infrastructures at scale. Release interdependent applications with pipelines of pipelines, plan release events, orchestrate simultaneous deployments of multiple applications. Improve DevOps performance with value stream analytics. Use as a stand-alone solution or integrate with other CI/CD tools such as Jenkins.

• JFrog’s DevOps platform offers end-to-end management of software development. DevOps teams can control the flow of their binaries from build to production. Its DevOps portfolio includes tools like JFrog Artifactory for artifact management, JFrog XRay for security and compliance scanning, JFrog Distribution for releasing software, and more.

• Micro Focus ALM Octane is an enterprise DevOps Agile management solution designed to ensure high-quality app delivery. It includes Agile tools for team collaboration, the ability to scale to enterprise Agile tools, and DevOps management.

• Microsoft’s Azure DevOps Services solution is a suite of DevOps tools designed to help teams collaborate to deliver high-quality solutions faster. The solution features Azure Pipelines for CI/CD initiatives; Azure Boards for planning and tracking; Azure Artifacts for creating, hosting and sharing packages; Azure Repos for collaboration; and Azure Test Plans for testing and shipping.

• Octopus Deploy is an automated release management tool for modern developers and DevOps teams. Features include the ability to promote releases between environments, repeatable and reliable deployments, ability to simplify the most complicated application deployments, an intuitive and easy-to-use dashboard, and first-class platform support.

• Opsera provides continuous orchestration of development pipelines in order to enable companies to deliver software faster, safer, and smarter. Its offerings include automated toolchains, no-code pipelines, and end-to-end visibility.

• Planview’s Enterprise Agile Planning solution enables organizations to adopt and embrace Lean-Agile practices, scale Agile beyond teams, practice Agile Program Management, and better connect strategy to Agile team delivery while continuously improving the flow of work and helping them work smarter and deliver faster. With Planview, choose how you want to scale and when. We’ll help you transform and scale Agile on your terms and timeline.

• ServiceNow enables companies to do DevOps at scale. Developers are able to keep using the tools they love while still connecting with ServiceNow’s platform. The company enables automation of administrative tasks, while bringing together both ops and dev teams.
Analyst View BY JOACHIM HERSCHMANN
Software quality with digital immunity

Joachim Herschmann is a Senior Research Director at Gartner, Inc.

Cloud, social and immersive computing scenarios have raised expectations for application quality and delivery. Software and application engineers must deliver working solutions that offer a compelling user experience (UX), contribute to business value and minimize risk to the business. Yet few software engineering leaders feel that they can do that, in part because of antiquated development and testing approaches.

Software engineering leaders are looking for new practices and approaches to mitigate these risks, improve software user experiences and deliver business value through applications. Digital immunity provides a roadmap to do so.

Digital immunity comprises a set of practices and technologies to develop resilient software applications that offer superior UX. With this roadmap, software engineering teams can detect and respond to a wide variety of issues, from functional bugs to security vulnerabilities and data inconsistencies.

Here are the three steps that software engineering leaders responsible for software quality improvement can take to build digital immunity.
Create a vision for digital immunity

The fact that software has been tested creates a false sense of security, leading to the idea that “we have followed the process, so things must be okay — and if they aren’t, we can’t be blamed because we did what we were asked to do.” That is the wrong mindset. Instead, software engineering leaders must focus on what constitutes a compelling UX. This requires a mindset of innovation and a shift toward building quality into the product.

A powerful vision statement can help build digital immunity by creating a frame of reference for defining the implementation strategy. It helps to align the organization and initiate actions to implement the vision, such as infusing quality in every step of the project process and allocating staff with the required skills for building resilient applications.
Build digital immunity

To develop digital immunity, software engineering leaders must empower their teams to adopt the five key elements of a digital immune system:

1. Autonomous testing. It extends beyond the automated execution of test cases to include fully automated planning, creation, maintenance and analysis of tests. It orchestrates those activities and enables independence and autonomy for them.
2. Chaos engineering. The use of experimental failure or fault testing to uncover software bugs and points of failure, among other weaknesses. A Gartner survey found that 18% of participants were using or planning to use chaos engineering.
3. Autoremediation. A software system or ecosystem is equipped to monitor itself and correct issues automatically without involving operations staff. Examples of issues that can be autoremediated include restarting an application that crashes or reverting a faulty configuration of an application to a previous configuration.
4. Observability. A characteristic of software and systems that allows them to be “seen” so that software developers and engineers can more quickly and confidently isolate the root cause of a problem.
5. Continuous validation. The ability to monitor the integrity of data and systems in a live environment with the goal of identifying inconsistencies or anomalous behavior before they create problems for the user.
Replace inefficient testing practices

Faster delivery of customer value through a continuous flow of software deployed in production environments is at the core of DevOps. Increasing velocity requires DevOps teams to identify and remove their greatest constraint to deployment. In many organizations, testing is the greatest constraint, often because of a high ratio of manual testing.

Software schedules for major applications are about 25% longer than they should be, due to poor-quality, expanding testing intervals. Evaluate the current state of manual tests and determine the most effective approach for transitioning these testing assets to increasingly autonomous levels of automated testing.

With these three steps, software engineering leaders can create digital immunity that improves software quality for end-users and in turn, helps deliver upon business outcomes faster.
Guest View BY SHANEA LEVEN
Don’t lose developers to bad culture

Software developers know their skills are hard to find, and they know how much they are worth. Demand is through the roof and there aren’t enough developers to go around. At the same time, COVID has shifted their priorities. Many now seek workplaces that permit flexible hours, opportunities to work-from-home, and more. And they’re not afraid to jump ship in search of greener pastures.

If the Great Resignation has taught us anything, it’s that developers who are tired of workplace culture don’t stick around. Average tenure at some of the most prominent tech companies in the world is under two years, and when they leave, they often take valuable code, customer contact lists, patent applications and much more with them.

For senior developers and team leaders, it’s a high price to pay when employees start sniffing around for other opportunities. Fortunately, you can take steps to reduce turnover, many of which aren’t complicated or time consuming.

In today’s super-competitive environment, one of the best ways to make your company a great place to work — and to keep developers happy — is pretty straightforward. Just back off. Trust them to do their jobs well. This is key to building a supportive environment where developers feel comfortable voicing their ideas — particularly if those ideas are unpopular.

Leaders have a responsibility to establish the kind of environment where values are reinforced, and to hire people who thrive within this framework. Even if that means they’re not always hiring the candidates who seem like an obvious fit.
Even dumb ideas can be valuable

I know this because I have lots of dumb ideas. I’m thankful that, over the years, my colleagues have actively encouraged me to share those ideas. It taught me that I can build and foster a company culture where new ideas and new ways of thinking are valued, even if those ideas aren’t immediately well received.

Something that might seem like a dumb idea at the time can actually evolve into something remarkable. By encouraging people to share their ideas, you can foster a sense of trust and innovation that leads to an explosion in creativity. It also makes your organization stronger by reducing employee stress — stress which ultimately leads to burnout and turnover.

People want to feel authenticity in where and how they work — that’s why it’s valuable to talk about new ideas (even dumb ones) to ultimately improve the company and its products. Fostering a supportive culture will likely lead to disagreements, but there are ways to offer opposing viewpoints without being a jackass.
Shanea Leven is CEO of CodeSee.
Sniff out the jerks in your applicant pool

Some companies subscribe to the idea that if you’re a genius, it’s OK to treat people like garbage. We don’t. We’d rather have a decent developer who fits our culture and embodies self-reflection and humility, than a great developer who doesn’t support others.

The same things we prioritize in our day-to-day operations are also reflected in hiring. There are easy-to-implement strategies to identify these qualities in potential new hires. Two of our standard questions are simple and straightforward. We ask candidates to define three strengths and weaknesses. Three is a big enough number so that it requires introspection, and it helps us gauge if developers have already identified strategies for personal growth. The second question we like to ask is: “what will your previous managers say about you when we talk to them?”
Finding the right tools for success

Providing the right tools is another way companies can foster a positive culture. Consider the responsibilities managed by today’s developers—especially those on teams who’ve implemented DevOps best practices. It’s not surprising that many are seeking tools to help them reduce time in tasks like project onboarding, feature planning, and code review; they’d rather focus on actual development.

Ultimately, everyone needs developers, and they’ll be well compensated wherever they land. So, while some turnover is inevitable, a lot of it can be avoided if you’re intentional about crafting and maintaining a supportive work environment. And the creative energy you foster will help ignite product innovation.
Industry Watch BY DAVID RUBINSTEIN
Cross-talk blurs value of VSM

David Rubinstein is editor-in-chief of SD Times.

Value stream management has a messaging problem. That was a key takeaway from the recent (virtual) VSMcon 2022, hosted by SD Times last month.

What is a value stream? What is value? Which metrics matter? Is it a tooling thing? A people thing?

We empaneled some industry experts at the conference to look at the issue, and the consensus was that value stream management is indeed very useful in providing visibility into your processes, to eliminate bottlenecks and wasted time. It can save your organization time and money, keep your employees working on innovative projects rather than mundane tasks, and deliver engaging products that your customers actually want.

There simply is an issue with the way people talk about value stream management — for solution providers talking to potential customers, and for the customers themselves to sell it internally.

Part of the confusion comes from the fact that delivering software is not as straightforward as manufacturing, which is where value stream management got its start. On top of that, delivering software from ideation to release is not a straight line, and there are multiple value streams serving that delivery process. Where do they intersect? Where are the dependencies?

One of the panelists, Scott Ambler, who’s vice president and chief scientist at the Project Management Institute, acknowledged that any definition of value is by its nature vague, because like beauty, value is in the eye of the beholder. “What is valuable to me is nothing to you, and vice versa. It’s a fuzzy world.”

Ambler would define value as delivering a quality product to customers who want it. He explained: “I see too many people declaring value. ‘Oh, look at this really valuable thing we created,’ but nobody’s interested in it. So it’s valueless. There’s zero value there. Actually negative value there, because you spent all that money and you got nothing for it.”

Then there is the question, “Are you managing value streams, or are you managing value?” This is something Lance Knight, president and COO of solution provider (and Charter Sponsor of VSMcon) ConnectALL, speaks about often. “If we understand the difference between value management, and value stream management, I also think we’ll find better success. So, I want to do value stream management, what am I purchasing? What am I going to get? What is my outcome? Here’s a fun one. What’s the value I’m gonna get by implementing value stream management? What’s going to come out of that for me? And so I think that’s why people are struggling with it.”

Knight tries to keep the discussion simple. “Value stream management is pretty succinct and what that is and what it’ll do for you,” he said. VSM helps you find waste, remove it, and automate that process. But, he added, from the vendor side, “We’re all talking about other things that it can do as they try to spin it into what their solutions do. I look at the solution stack. Some of them are just giving metrics, and they’re saying that’s your value stream management solution.”

Another large impediment to value stream adoption is that it’s not a tool you can buy and just plug in and immediately gain efficiencies. It’s about the people in your organization having a willingness to examine what they do and fix things that don’t work.

Jim Benson, CEO of consulting firm Modus Cooperandi, told conference attendees that this is a huge hurdle to clear. “Asking people to do something is one of the best ways to get people to fire you. For me, coming from the Lean side, VSM is the exercise of a lot of interested stakeholders getting together and figuring out what are the steps that we’re taking to create this value? How do we define the value? How do we work together? How do we collaborate with each other to do that work, and then using that as your basis for how you build out your Obeya or your visual controls. So you now have a structure for your work, you have things that are supposed to happen, you know, what you can track, how you can track it and possibly even what some of those metrics should be. We keep selling people that there’s a solution that you can buy. And what VSM is, isn’t that. It’s the box of random Legos. And you have to build your solution out of it. But yeah, you know, you actually have to show up and do the work and that sentence upsets people.”

To hear the rest of this conversation, you can listen to the panel, and all the other sessions from the conference, by registering at sdtimes.com/vsmcon-2022/.