SD Times July 2022 by d2emerge

FC_SDT061.qxp_Layout 1 6/22/22 1:57 PM Page 1

JULY 2022 • VOL. 2, ISSUE 61 • $9.95 • www.sdtimes.com

IFC_SDT054.qxp_Layout 1 11/17/21 11:09 AM Page 2

Instantly Search Terabytes

www.sdtimes.com EDITORIAL EDITOR-IN-CHIEF David Rubinstein drubinstein@d2emerge.com NEWS EDITOR Jenna Sargent jsargent@d2emerge.com MULTIMEDIA EDITOR

dtSearch’s document filters support: popular file types emails with multilevel attachments

Jakub Lewkowicz jlewkowicz@d2emerge.com SOCIAL MEDIA AND ONLINE EDITOR Katie Dee kdee@d2emerge.com

a wide variety of databases

ART DIRECTOR

web data

Mara Leonardi mleonardi@d2emerge.com CONTRIBUTING WRITERS

2YHU VHDUFK RSWLRQV LQFOXGLQJ efficient multithreaded search

Jacqueline Emigh, Elliot Luber, Caryn Eve Murray, George Tillmann CONTRIBUTING ANALYSTS Enderle Group, Gartner, IDC, Intellyx

HDV\ PXOWLFRORU KLW KLJKOLJKWLQJ forensics options like credit card search

CUSTOMER SERVICE SUBSCRIPTIONS subscriptions@d2emerge.com ADVERTISING TRAFFIC Mara Leonardi mleonardi@d2emerge.com

Developers: 6'.V IRU :LQGRZV /LQX[ PDF26

LIST SERVICES Jessica Carroll jcarroll@d2emerge.com

&URVV SODWIRUP $3,V FRYHU & -DYD and recent NET (through NET 6)

)$4V RQ IDFHWHG VHDUFK JUDQXODU GDWD FODVVLILFDWLRQ $]XUH $:6 DQG PRUH

REPRINTS reprints@d2emerge.com ACCOUNTING accounting@d2emerge.com

ADVERTISING SALES

Visit dtSearch.com for KXQGUHGV RI UHYLHZV DQG FDVH VWXGLHV IXOO\ IXQFWLRQDO HQWHUSULVH DQG developer evaluations

PUBLISHER David Lyman 978-465-2351 dlyman@d2emerge.com MARKETING AND DIGITAL MEDIA SPECIALIST Andrew Rockefeller arockefeller@d2emerge.com

The Smart Choice for Text Retrieval® since 1991

dtSearch.com 1-800-IT-FINDS

PRESIDENT & CEO David Lyman

D2 EMERGE LLC www.d2emerge.com

CHIEF OPERATING OFFICER David Rubinstein

003_SDT061.qxp_Layout 1 6/22/22 1:56 PM Page 3

Contents

VOLUME 2, ISSUE 61 • JULY 2022

FEATURES

NEWS 4

News Watch

Service virtualization:

Solving the issues with current documentation practices

A continuous life cycle technology

page 8

Modern app dev is about more than tools, platforms and languages

Broadcom acquires VMware for $61 billion

GitLab 15.0: Container scanning, workflow improvements

Transferring workload automation is one of the most difficult parts of cloud migration

COLUMNS 29 GUEST VIEW by Aaron Upright Five steps to battle service outages

30 ANALYST VIEW by Rob Enderle In-person events: In flux and in trouble

page 18

BUYERS GUIDE Combating burnout in development

page 22 page 24 Software Development Times (ISSN 1528-1965) is published 12 times per year by D2 Emerge LLC, 2 Roberts Lane, Newburyport, MA 01950. Periodicals postage paid at Newburyport, MA, and additional offices. SD Times is a registered trademark of D2 Emerge LLC. All contents © 2022 D2 Emerge LLC. All rights reserved. The price of a one-year subscription is US$179 for subscribers in the U.S., $189 in Canada, $229 elsewhere. POSTMASTER: Send address changes to SD Times, 2 Roberts Lane, Newburyport, MA 01950. SD Times subscriber services may be reached at subscriptions@d2emerge.com.

004,5_SDT061.qxp_Layout 1 6/16/22 2:12 PM Page 4

SD Times

July 2022

www.sdtimes.com

NEWS WATCH Kotlin 1.7.0 adds K2 compiler alpha The goal of the new K2 compiler is to speed up development of new features in the language, unify the platforms Kotlin support, and provide an API for compiler extensions. In its current form, it is only available for the JVM and none of the compiler plugins are functional yet. Incremental compilation now supports cross-module changes, and support for compilation avoided also was improved. According to JetBrains, Kotlin developers who use the build cache or are often making changes in nonKotlin Gradle modules will see the most benefit from these updates. Kotlin 1.7.0 also introduces an underscore operator that can be used to automatically infer a type argument when other types have been specified.

As of this release, developers will also be able to utilize implementation by delegation to create lightweight wrappers that usually don’t allocate memory. This release also brings a number of existing features to “stable” status, including optin requirement annotations, definitely non-nullable types, and builder inference.

Apple unveils next-gen chips Apple announced its M2 Silicon chip built using secondgeneration 5-nanometer technology in the new MacBook Air and 13-inch MacBook Pro. The new chip offers an 18% faster CPU than the M1, a 35% more powerful GPU, and a 40 percent faster Neural Engine. It also offers 50% more bandwidth than the M1, and up to 24GB of fast unified memory. The 25% higher transistor

People on the move n Christian Hernandez is moving to GitOps company Codefresh as its new head of developer experience and community management. In this role he will lead open-source innovation and collaboration initiatives, including focusing on delivering contributions to the Argo project, which Codefresh runs on. He previously spent eight years at Red Hat, most recently on the Hybrid Platforms team. n Low-code company Mendix has promoted Tim Srock from CFO to CEO, replacing the company’s cofounder, Derek Roos. Srock is focusing on leading the company into a phase of hypergrowth and placing Mendix in the center of the low-code ecosystem by driving hyperautomation and hyper-personalization for customer experiences. n API company Agora has announced multiple executive leadership appointments from within the company. These include Stanley Wei as chief strategy officer, co-founder Tony Wang as chief revenue officer, and Virginia Liu as chief experience officer, which is a new role within the company. Agora is also bringing in Roger Hale, who will serve as chief security officer.

count in the M2 improves performance across the entire chip, including the memory controller. The greater CPU performance can more easily handle CPU-intensive tasks such as creating music with layers of effects or applying complex filters to photos. M2 also features Apple’s next-generation GPU with up to 10 cores that offers a larger cache and higher memory bandwidth than the max 8 cores in the M1. The higher performance per watt from M2 enables systems to have exceptional battery life, and run cool and quietly, even when playing graphics-intensive games or editing massive RAW images.

Contrast Security offers new free code scanning tool Contrast Security, the code security company that enables developers to secure while they code, unveiled a new code scanning tool, CodeSec. The tool is free to use and provides developers with a self-service, enterprise-tested application security solution. With CodeSec developers can scan code and serverless environments in order to secure their code in under five minutes. According to the company, CodeSec brings 10x faster and more accurate scanning results for code and serverless applications directly to the developer’s laptop. CodeSecScan provides code security for Java, JavaScript, and .NET with heighted speeds and actionable remediation in a command-line interface. CodeSec-Serverless works to detect serverless security vulnerabilities instantly while

also providing guidance for remediation in a simple command-line interface.

MobileTogether 8.0 released Altova announced the release of MobileTogether 8.0, a rapid app development platform for building enterprise solutions and native apps for iOS, Android, and Windows. The new release adds new features such as a new way of interacting with relational databases, support for modularization, and more. MobileTogether 8.0 offers a new Database Wizard and support for hierarchical read and write. Previously, developers had to manually write SQL to perform commonly required tasks when working with backend data. Version 8.0 introduces the ability to modularize the app design file so that multiple developers can work on the same project. Also, Server Libraries are a new type of MobileTogether design file that enables a quicker roll-out of app updates and changes and eliminates the need for apps to be resent through the app store approval process. Developers have the option to create a classic MobileTogether solution or to start with Altova RecordsManager when they open the MobileTogether Designer. RecordsManager has a visual interface for quickly building business database apps for desktop and mobile users with no coding necessary.

No-code experiments come to WebPageTest The digital experience monitoring company Catchpoint

004,5_SDT061.qxp_Layout 1 6/16/22 2:12 PM Page 5

www.sdtimes.com

.NET MAUI is now available .NET MAUI was first introduced in 2020 as a step in unifying .NET development across devices and platforms. MAUI stands for “Multi-platform App UI,” and enables developers to build crossplatform applications from a single C# codebase. “The thin and decoupled UI and layout architecture of .NET MAUI together with single project features enable you to stay focused on one application instead of juggling the unique needs of multiple platforms,” David Ortinau, principal product manager for .NET MAUI at Microsoft, wrote in a blog post. According to Microsoft, the main goal of .NET MAUI is to “enable you to deliver the best app experience as designed specially by each platform (Android, iOS, macOS, and Windows), while enabling you to craft consistent brand experiences through rich styling and graphics.” Each platform looks and acts the way you would expect without needing to add additional widgets or styling. With .NET MAUI, developers will have access to a toolkit containing over 40 controls, layouts, and pages. In addition, it supports multi-window desktop applications and menu bars, as well as new animation capabilities, borders, corners, shadows, and graphics. To support Microsoft’s accessibility goals, .NET MAUI comes with semantic services for controlling automation properties, screen readers, focus, and properties like description, hint, and heading level. announced that it will be expanding its open-source web performance testing suite, WebPageTest. The new Opportunities and Experiments are intended to help teams code with confidence, instantly provide actionable insights, and provide automated experiments for implementing best practices and building strong websites. These new features work to automatically generate and test performance tweaks in order to eliminate blocking scripts, optimized image rendering, and minimize layout shifts with no code changes. According to Catchpoint, with WebPageTest Opportunities IT teams have access to suggested best practices like deferred or async JavaScript, right-sized images, and security fundamentals. With this feature, teams can create fast and aesthetic websites that serve to entice more users. WebPageTest Experiments

works to provide users with custom and automatically generated tests that point out areas where their website could benefit from specific improvements with zero code changes to the database. Without the need to alter any code, developers are able to gauge the potential success level of their performance tuning, improving the pace of development and increasing the ability to produce code confidently.

MongoDB reveals developer data platform vision MongoDB introduced its developer data platform vision with several new capabilities at the annual MongoDB World conference. These announcements are intended to empower developers to innovate faster by addressing more use cases, servicing more of the data lifecycle, optimizing for mod-

ern architectures, and implementing sophisticated levels of data encryption. MongoDB time series collections make it faster, simpler, and cheaper to build apps to monitor physical systems, track assets, or deal with financial data. This feature will be available in the upcoming MongoDB 6.0 release and it will support secondary indexes on measurements, and feature read performance improvements and optimizations for sorting time-based data quicker.

New course looks at ethics in open-source The free online course is designed for developers looking to apply ethics to their coding practice, and for product managers looking to incorporate ethics-by-design technology into their workflows. According to the Linux Foundation, developers aren’t always thinking through how a

July 2022

SD Times

piece of code could be used by a bad actor or how an algorithm might affect different classes of people. They explained that this is why it is important to include ethical principles like transparency and accessibility in open source. After this course, students should be able to assess technology for ethical blind spots, apply ethical critical thinking techniques, understand the Ethics Journey Cycle in opensource development, and utilize ethics as a decision-making tool for risk mitigation. They will also be prepared for roles like a Responsible Technologist or Ethics Developer Lead.

JetBrains updates Datalore Enterprise JetBrains announced the launch of Datalore Enterprise 2022.2, an update to its collaborative data science and BI platform for teams, available on-premises and in the private cloud. The new version can be set up in AWS, GCP, Azure or an on-premises machine with the new Docker-based installation. Users can also migrate to Kubernetes later on or right away. Datalore also offers the ability to connect authentication modules, set up internal usage plans, and customize environments to cover teams’ specific needs. Datalore 2022.2 also added collaboration on attached files to get a fully collaborative experience by editing Python scripts and database integrations have been improved to include the ability to limit DB’s schema for introspection to speed up the initial introspection and make schema navigation easier. z

006,7_SDT061.qxp_Layout 1 6/21/22 11:33 AM Page 6

SD Times

July 2022

www.sdtimes.com

BY KATIE DEE

hen working on a development team, transparency and knowledge sharing are essential in order to keep track of changes in the code and limit vulnerabilities. This is why creating proper documentation should be considered a top priority for all developers. It is also why the consequences of missing or inadequate documentation can impede application updates or new feature additions that can adversely affect both the end user (by delivering a buggy product that the missed delivery deadline) and the organization itself. However, even knowing this, the tech industry is still facing the ongoing issue of poor documentation practices. Steve Brothers, president of the arti-

Solving the issues with current ficial intelligence software company, Phase Change Software, attributes this to a lack of interest on the developer’s part. “They don’t feel like they’re paid to do it, so they don’t see the value of it in large part,” he said. “Some do, but most just don’t seem to.” Frédéric Harper, director of developer relations at the API-based product organization, Mindee, also touched on this point, saying, “The thing is… developer documentation is often an afterthought… Many [developers who don’t document] do not think a lot about the end users, they don’t explain enough, there's a lack of consistency… and that doesn't make for a super good experience for end users.” On top of that, Brothers explained that even when developers do put comments in a line of code, they are oftentimes inaccurate. This can result in an unintended downstream effect that will negatively impact the next developer’s ability to contribute to the project. According to Brothers, failing to propagate changes to the documentation limits the amount of information that the rest of the developers working on the project have access to and, therefore, can result in slower and slop-

pier development. This leads to the question: knowing that there are so many negative side effects, why are developers still not taking an interest in documentation? Brothers inferred that time constraints may be to blame. “The pressure is not on putting comments in code, so maintenance is not a thing… It is more important to get the job that’s in front of you done in a timely manner. Frequently, organizations do not want to pay that time price,” he said. He also spoke about how there are some developers that assume nobody else will be working on their code and so explanatory documentation feels unnecessary. “From that standpoint, there is no motivation to do it if I’m the one who is going to be maintaining it. Obviously, to the organization there is a benefit if somebody else is going to be maintaining the code, because regardless of how complex it is, those comments would be beneficial to somebody who has never seen the code before,” Brothers explained. On the other hand, there are those who don't partake in proper documentation because they think that their

code is so elegant and clean that even if another developer had to read it, it would be easily understandable. Harper also spoke about this, saying, “It could also be a little bit of pretentiousness, like ‘I’m good so everybody should understand it,’” Having either of these mindsets can lead to inaccurate, incomplete, or missing documentation which can cause the whole organization to suffer. “You end up with fixes being wrong, and that consequence results from the documentation not directing the developer to go to the right place to fix something. Those are standard market failures,” Brothers said. He went on to explain that the repercussions of these failures can range from bringing a system down, to missing the regulatory requirements in the code, to a severe loss of time, and therefore, suffering productivity. “There is no question that the amount of time it takes to identify the code you’re looking for, which is what you have to do if you’re going to fix a bug, that is 80% of a developer’s time right there… and all that does is get exacerbated if there are no comments or the comments are wrong,” Brothers explained.

006,7_SDT061.qxp_Layout 1 6/21/22 11:33 AM Page 7

www.sdtimes.com

to another product, so that creates a missing opportunity for the company to gain and retain more users,” he said. Brothers also pointed out that having proper documentation helps tremendously down the line because the requirements for code are unpredictable and can change at any time depending on the wants of the product owner. When it comes to fixing these issues and ensuring that documentation is top of mind, Brothers said that making it a part of code reviews is a possible answer. “If you’re an Agile development shop, you certainly could make comments a part of the acceptance criteria for the completion of a story, so that when the work is completed it has to have comments in it,” he said. Brothers also explained that there are tools coming onto the market now

July 2022

SD Times

“What our tool does is automate the developer’s thinking process,” he said. “We’ve taken a collaborative AI approach for this tool to work with the developer so that when they describe the behavior… what our tool does is return only the code that is relevant.” According to Brothers, this tool works to eliminate the need for documentation altogether because the user is not actually reading any code. With COBOL Colleague, the developer would no longer have to search through several different lines of code, but rather they would only be presented with the code that matters as well as any other helpful data. This tool and others like it also help businesses maintain the necessary knowledge about the code even if the developer that originally wrote it leaves the organization. According to Brothers, when documentation is done the right way, information does not leave with the developer. Outside of investing in tools though, Harper said that investing in people could work to solve these issues. He said, “I really think that you should hire a technical writer or at least a developer advocate that is going to take on maintaining documentation as a big part of their job… Because in the end, the product and the documentation go together and one cannot live without the other.” z

documentation practices Additionally, Harper said that incorrect or missing documentation can harm a company’s reputation in the industry. This is particularly true when other developers are the target audience for the end product. Harper explained that developers are usually more sensitive to the experience they have when using a product for the first time, and so the impacts of poor documentation practices will be felt particularly hard. “Developers are really quick to move

that would work to automatically generate documentation so that all the developer would have to do is make sure that it’s correct. These tools would ensure that documentation is present while also accommodating the time pressure that developers feel to deliver projects on time. Brothers also discussed PhaseChange’s AI documentation tool, COBOL Colleague, which is intended to tackle this issue by mimicking the cognitive efforts of developers.

mentation to those rare developers who have a knack for it. However, while doing this ensures that code has the proper comments, it also works to breed underskilled writers and that could also have detrimental impacts to the organization. Downard then stressed the importance of making documentation an organization-wide priority. He suggested supplying developers with a “needs improvement” example as well as a “top notch” example so that developers can measure their own documentation against the two. “But it’s also not enough to simply throw it over the wall and be like ‘we need to write better docs so definitely start doing that.’ And if it’s something you really want to improve on, you have to measure it. Because if you’re measuring the number of MRs that get merged or story points or whatever, and writing documentation isn’t included on any of those things, no one will ever write it,” he said. z

‘Productize’ documentation In an SD Times-led conversation on the Dev Interrupted Discord server, Chris Downard, VP of engineering at GigSmart, weighed in on why he feels documentation often slips through the cracks of the development process. Downard explained that the majority of developers write average to weak documentation because it is not part of the actual feature delivery scope, and so, they do not see the value that it has. “In a perfect world documentation should be part of the deliverable and it should be ‘productized’ meaning it’s treated like a product,” he explained. “Users (your other devs and product delivery members) can actually use it to answer questions before they go to ask others. But until your docs are good enough and discoverable enough to do that, it won’t happen.” Downard also touched on the possibility of offloading docu-

008-11_SDT061.qxp_Layout 1 6/22/22 12:38 PM Page 8

SD Times

July 2022

www.sdtimes.com

Service virtualization: A continuous life cycle technology BY DAVID RUBINSTEIN

008-11_SDT061.qxp_Layout 1 6/22/22 12:38 PM Page 9

www.sdtimes.com

ervice virtualization has helped countless organizations perform tests on application components that live outside their development organizations, or that are not available to the tester when needed to complete their tests. Virtualization enables organizations to put up a virtual service more easily than they can “yank a box on an Amazon server,” explained Shamim Ahmed, DevOps CTO and evangelist at Broadcom. Yet today, service virtualization (SV) can be seen as a life cycle technology, empowering what Ahmed calls continuous virtualization. This, he said, “enables even developers doing parallel development right now, just for testing. That’s on the left-hand side. And on the right-hand side, we’ve seen extremes, like customers using service virtualization for chaos testing.” SV helped early-adopting organizations to decouple teams, said Diego Lo Giudice, vice president and principal analyst at Forrester, so that you could decouple customer with client. But, he noted, “with organizations being broken up into small teams, and parallelizing, the work with Agile became very hard. Project managers thought they could manage that. And there’s no way

you can really manage a bunch of small agile teams working; making sure that you synchronize them through project management is impossible. And so service virtualization was kind of used a bit to decouple, at least from the testing perspective.” So, where is service virtualization being used beyond testing?

Service virtualization use cases Lo Giudice said SV remains mainly a testing capability, though he said he is seeing an accelerated use of SV in the API world. “I haven’t really gotten, you know, beyond the typical use cases of testing unreachable or expensive thirdparty resources,” he said, noting that the biggest use case he keeps seeing is virtualizing mainframe environments. “I love the example a CEO gave me that he was saving a lot of money with service virtualization simply because one of his teams, for testing purposes, couldn’t access the mainframe. They only had a window of 30 minutes a month, and they had to wait every time for those 30 minutes. With service virtualization, they were able to virtualize that access to the mainframe, and therefore the team now kind of had the virtual access to the mainframe available all the time.”

Continuous virtualization

Virtualization is not something you do before you do testing any longer. From the time you start to do your backlog and your design, you have to think about what services you need, and how you design them correctly. Then, according to Broadcom’s DevOps CTO and evangelist Shamim Ahmed, you have to think about how to evolve those services. “We think of service virtualization evolving and on the continuum,” he said. “You start with something simple we call a synthetic virtual service that can be created very easily — not using the traditional record-response mechanism.” He noted that the old way of creating a virtual service relied on the fact that the endpoint already exists. That’s what enabled record and replay, but in today’s development environment, the endpoint may not exist — all you might have is an API specification, and you might not even know whether the API has been implemented or not. “You need to have new ways of creating a virtual service, a very simple, lightweight service that can be created for something like a Swagger definition of an API. Developers need that when they’re doing unit testing, for example. The way we look at this is what we call progressive virtualization — that simple thing that we created can now evolve, as you move your application from left to right in the CI/CD life cycle.”

July 2022

SD Times

Using service virtualization with APIs, Lo Giudice said, is “just one of the types of testing that needs to be done; integration tests, that activity that can be automated, software delivery pipelines. I see it a lot there.” Among other areas where service virtualization is being seen is to create employee onboarding environments. Alaska Airlines uses Parasoft’s virtualization solution for its training, according to Ryan Papineau, a senior software engineer at the airline. With virtualization, he said, “we’re able to scale the amount of people that we have go through our training program.” While there are typically no test cases, Alaska Airlines can use the environment to see if the users can perform certain tasks, but none of that gets recorded or impacts the production environment.

Service virtualization and test data management But perhaps the biggest area of SV growth is in the test data management (TDM) testing space — a term that Papineau said is “kind of messy, because it can mean a lot of things.” It has become, in a word or two, a catchall buzzword. continued on page 11 >

He offered the example once that application gets to the stage of integration testing, you perhaps need to enhance that synthetic virtual service with some more behavior. So more data is added, and then when you get to system testing, you need to replace that synthetic virtual service with the real recording, so it becomes progressively realistic as you go from left to right. “There’s a whole life cycle that we need to think about around continuous virtualization that talks about the kind of virtual servers needed to do integration testing, or build verification,” Ahmed said. “And of course, all the other kinds of tests — func- Shamim Ahmed tional, performance and even security testing — virtual services are just as applicable for those things… because if you think about the number of third-party systems that a typical application accesses in this API-driven world, you simply can’t run many of your tests end-to-end without running into some kind of external dependency that you do not control, from the perspective of functional, performance and security testing. So you can start to emulate all of those characteristics in a virtual service.” z —David Rubinstein

Full Page Ads_SDT061.qxp_Layout 1 6/17/22 10:54 AM Page 10

008-11_SDT061.qxp_Layout 1 6/22/22 12:38 PM Page 11

www.sdtimes.com

July 2022

SD Times

as opposed to using the more tradition- in 2022, I think the system integrators” “We’ve been screening some new al test data mechanisms, particularly so are the only ones for whom this is key. automation engineers, and they’ll put for API-based systems.” “It’s actually very useful” in integratest data management on their resume. He noted that the use of SV reduces tion projects, Lo Giudice said. “If you But you’ll never see any concept of any “the tedium burden,” because creating think about Lloyds Banking, a custools or techniques listed,” Papineau the test data for a live application versus tomer that’s got a complex landscape of said. “What I believe that to be is they’re creating the test data for an emulator is apps, and you’re doing integration listing it, to say ‘Hey, I use datawork with good partnerships driven tests and had Excel,’ and going on,” service virtualizaI’m like, that’s not what I’m looktion can be quite beneficial. ing for. I’m looking for data “If you’ve got an app and it structures and relationships and interfaces another 10 big databases. And that life cycle of apps, you’d better use service creation to modification to delevirtualization to automate that tion. And using an ETL tool, or integration,” he said. custom scripts, which we use Integration projects separately.” between assets held onIt’s in the offerings. Papineau said that Parasoft’s premises and those residing in Commercial service virtualization offerings are more solution essentially uses data the cloud caused some hardsophisticated, enabling tasks like ensuring the virtual assets and iterates it over APIs, get swapped out with the real one right before you deploy ships for Alaska Airlines, Paprecords it and creates the rela- into production, or adding access to virtual assets that go ineau said. The problem, he tionships with the data. Pap- beyond the REST API or SoapUI web testing protocols. said, stemmed from internal ineau said, “You get this nice permissions and controls into Lo Giudice recalled that one vendor early on said they exploded, fancy UI that has all would only use service virtualization in the digital world — the cloud. One of their develthe relationships and you can REST APIs or SoapUI, and they had to change their mind, opers was taking older data drill down and do cloning and because customer journeys go across different platforms and repository methods and subsetting, so it has a lot of the different technologies. “So therefore, you need all these differ- deploying in the cloud, and old traditional test data manage- ent converters,” he said. The vendor SV solutions offer a rich- struggled with the internal ment aspects to it, but all within ness of converters and an authoring environment that is easier permissions between on-prem to use and includes versioning capabilities. their context.” and the cloud.” FInally, the commercial tools are “quite sophisticated in Broadcom’s Ahmed added Papineau said organizathat his company, which simulating the asset that you want to simulate, close to what tions have to understand their the real thing is,” he said. acquired the Lisa SV software firewalls and the access to Using open-source tools such as Mockito, Mockable and developed by iTKO through its servers. “Are your server and WireMock would make it hard for users to perform those tasks, purchase of CA Technologies, according to Diego Lo Giudice, vice president and principal client both in local? Are they is seeing much more synergy analyst at research firm Forrester. “Mocking is just like really both in cloud order, and does between servers, virtualization writing a stub and generating a stub quite static,” he said. “The one have to transverse and test data management. (vendor) tools add some dynamic capabilities in terms of between the other,” Papineau “When we acquired Lisa, TDM switching between the (virtual) assets and the real.” z said. “So what we did there is was not that big. But now with —David Rubinstein we stumbled on getting the all this GDPR, and all the other firewall rules exposed, regulations around data privacy, TDM a much lower amount of TDM burden because now all of these different is really hard. And it’s one of the for the testers and everybody else.” clients are trying to talk to this virtual biggest problems the customers are server. And so it’s like, ‘Oh, you got this System integrations grappling with.” one going up. Now you need to do Ahmed believes SV and TDM go While much about service virtualization another firewall request for this one?’ hand-in-glove. “The way they work has gone unchanged over the last years, And I am not kidding you. When we together, I think, is another key evolu- much has changed, according to Lo did the Virgin (Atlantic) acquisition, tion of how the use of service virtualiza- Giudice. Developers are choosing open firewall requests were the largest tion has evolved,” he said. “Using SV is source more, deciding they don’t need nightmare in the longest time. So that’s actually one of the easier ways to do test all the sophistication vendors are pro- why it’s an internal problem we strugdata management. Because, you know, viding. “I’ve got data that shows the gled with and just gave up on it like, you can actually record the test data by adoption of service virtualization has No, this is just taking too much time. recording the back and forth between a never really gone over 20%,” he said. This should not be this hard. This literclient and a server. So that gives you an “When you ask developers and testers, ally is a firewall overhead problem that opportunity to create lightweight data, what is it that you’re automating around we ran into.” z

< continued from page 9

The differences between mocking and service virtualization

012,15_SDT061.qxp_Layout 1 6/22/22 12:36 PM Page 12

SD Times

July 2022

www.sdtimes.com

Modern app dev is about more than tools, platforms and languages T

oday’s application development is a complex landscape of services, integrations and architectures. In fact, most developers today spend more time writing API calls and finding open-source projects — and maintaining those applications once they’re created — than they do writing code for innovative new features. It looks nothing like “your father’s app dev,” which involved a code editor, compiler, and few other tools. In today’s world, we see developers struggling under the weight of an ever-expanding toolbox now required to bring products to life. According to Andrew Manby, AVP of Product Management, HCL Volt MX, among the drivers behind modern development are the needs of businesses to satisfy customers, and overcoming the effects of the COVID-19 pandemic to be able to continue to deliver fixes and new features at speed. “We did a survey late last year with Forrester, and in our survey, 78% of respondents said they’re prioritizing improving the ability to innovate and really reach their customers,” Manby said. And for businesses to survive the pandemic, businesses had to rely on that old Yankee spirit and ingenuity, he said. “I think businesses could make do or innovate. Almost like having their own Apollo 13 moment, to fix the problem, to be able to continue to reach the customer, adding buy online, pick up in store, things like that. I was that sort of duct tape and air filter moment, for a lot of organizations.” Piecing together tools for collaboration, development and deployment to a remote workforce has been made a lot

BY DAVID RUBINSTEIN easier with cloud computing — no more creating VPNs, unless organizations have specific regulations or security needs they must follow. However, the cloud doesn’t really help address issues such as culture change and the move towards delivering products instead of projects.

Agile and culture change Agile development is one of those areas where scaling up has been a thorny issue for many organizations. Agile, according to Forrester vice president and analyst Diego Lo Giudice, is not “just a bunch of practices.” Some think going to Scrum training and bringing what you know back to the organization will have everyone working in an Agile way. But Lo Giudice said shifts to Agile and other methodologies requires a cultural and behavioral change. “Think about your IT that has been owning the projects, and now suddenly they say we’re going to move to products and you’re going to have a product owner from the business side. And he or she is going to tell you what are the most important things you need to implement. It’s kind of losing power for project managers that used to

manage these … projects.” Another issue Lo Giudice pointed out is integrating all of it throughout the organization. “Everybody thinks SAFe is saving the world. I get lots of clients who tell me, ‘we’re replacing the old bureaucracy with a new type of bureaucracy here. Cultural and behavioral change is really tough for organizations.” Further, he said, these product owners from the business don’t have the skills to think in terms of how project managers in modern development think about minimum viable features and minimum viable products. “They still think in terms of big releases,” he said. Also, he added, business-side product owners “are not even committed to Agile. It’s like, ‘We want to do Agile, but you do it, I’m not going to get involved.’ But that’s not the way agile works.” But because of this drive to modern application development, organizations are starting to think seriously about what agility, responsiveness and velocity reality mean to them. “It comes down to the business problem,” HCL’s Manby said. “I think CIOs are still faced with the same thing — at the end of the day, they still need to modernize their application inventory, they need to move to the cloud because they want to obfuscate some of the risks that they have in their data center. And they want to move that off to other vendors, they want to make the portfolio of applications more modern.” Another aspect of modern development to think about has nothing to do with tools or programming languages. It’s the difficulty organizations are havcontinued on page 15 >

Full Page Ads_SDT061.qxp_Layout 1 6/22/22 2:04 PM Page 13

S RE HA

MOD

Full Page Ads_SDT061.qxp_Layout 1 6/16/22 2:14 PM Page 14

EN G AGE

Modeling and Design Tools for Changing Worlds sparxsystems.com

NEW Enterprise Architect Version 16

012,15_SDT061.qxp_Layout 1 6/22/22 12:37 PM Page 15

www.sdtimes.com

July 2022

SD Times

MAD about development The baseline activities of modern application development, as defined by research firm Forrester, are ideate, design, build and deliver. According to an August 2021 report on MAD, Forrester said organizations augment these activities with value stream management, collaborative work management, low code and continuous testing. The design phase includes developing a prototype, then a minimum viable product. In its report, Forrester notes that experimentation can begin in this phase, using feature management (such as flags) to let developers turn those features on or off as the product makes its way toward full release. But at the core of all this is business value, and Forrester’s MAD model says that everything developers create must “ultimately be in service of value streams.” Value streams and management of those streams is how organizations can raise their Agile and DevOps practices by gaining insights into the processes used to create and deliver quality software that customers want. Determining what the business wants, and why, should be the first step in the process of creating software products. Collaborative work management, according to Forrester, “supports the confluence of project and process work by allowing users to create personal and team workspaces,” according

< continued from page 12

ing in attracting and retaining developer talent. “People, given this day and age, are more mobile — not in the physical sense, but more willing to swap” one job for another, Manby said. “Developers want to do meaningful work, they want to be in an engaging work environment, and they want to use the cool tools. But they also want to use the stuff they learned in college, or in their experience. But there’s the old guard who know how to do things in a certain way. They’re used to using WebSphere and db2 and Oracle, and Siebel. And the new generation is coming in, and they’re all React and Angular and all container ready and Git friendly. It’s not the culture clash, but the organizations that haven’t shifted are finding it more difficult to get to containers and the cloud. The smarter organizations are bringing in more of the influx of those newer developers and the new-wave IT people to help push that acceleration along, to use those new types of tools.”

A place for low-code tools With different languages and platforms for creating or importing pieces of code to create modern applications,

to the report, while low code expands development outside of IT. Meanwhile, continuous testing is required to ensure the accelerated pace of software creation and delivery does not impact the quality of the product. z

Manby said “we’ve probably got as much fragmentation now from an application developer standpoint as we’ve ever had.” He went on to say that the rate of change has gotten faster as well. “Angular 1, Angular 2, React, Flutter. There’s almost like there’s a faster inertia,” he said. “And there’s a concern about obsolescence. If you have to look after a piece of code that’s got Dojo in it, when you give that to a new developer, they say, what’s this stuff? That’s a challenge. But at the same time, in its day Dojo was modern and exciting for folks.” This, Manby believes, is where low code is trying to come from. “The appeal of the platform is, whatever framework you may be using, if we as a vendor do this the right way, then whether it’s Angular or React or whatever, we’re going to insulate you from those sorts of challenges,” he said. “But we’re still going to give you something that’s not going to dumb down the skills that you’ve learned but also allows you to be a superhero, and do some cool stuff without boxing you in.” Low code has become a modern de rigeur term, and represents a way to apply rigor to development and

—David Rubinstein

deployment, Manby said. “Low code is applied to DevOps pipelines, it’s applied to data integration. You could apply the principles of anything, which gives you a visual model, a model-driven approach. You can say that no code or low code makes [development] go faster, when it comes back down to pure developer productivity.” When it comes to professional development, low code is not removing tools, Manby said. “It’s providing pieces to try and make those developers’ lives simple. If you can simplify how you aggregate data across multiple systems, or provide you with an orchestration layer so you can orchestrate a series, a more complex workflow with parallel looping. Do you want your developers to create that from scratch, and then have to maintain it? Or do you want to use a tool to enable you to do that?” As for testing, Manby said a lowcode tool can generate the test case automatically and continually test the applications as they evolve, which saves developers time. “It’s not about removing things,” he said. “It’s just trying to make you more productive.” z

Full Page Ads_SDT061.qxp_Layout 1 6/16/22 2:14 PM Page 16

017_SDT061.qxp_Layout 1 6/20/22 12:20 PM Page 17

www.sdtimes.com

July 2022

SD Times

DEVOPS WATCH

Broadcom acquires VMware for $61 billion BY KATIE DEE

Broadcom, a semiconductor and infrastructure software solutions company, and VMware, a virtualization company, today announced that they have entered into an agreement under which Broadcom will take ownership of all of the outstanding shares of VMware. This will take place as a cash-andstock transaction that values VMware at around $61 billion. With this, Broadcom will also acquire $8 billion of VMware net debt. Upon the closing of this transaction, the Broadcom Software Group will be rebranded and operate as VMware, adding Broadcom’s infrastructure and security software solutions to an expanded VMware portfolio. Raghu Raghuram, chief executive officer of VMware, said, “VMware has been reshaping the IT landscape for the past 24 years, helping our customers become digital businesses. We stand for innovation and unwavering support of our customers and their most important business operations and now we are extending our commitment to excep-

tional service and innovation by becoming the new software platform for Broadcom. Combining our assets and talented team with Broadcom’s existing enterprise software portfolio, all housed under the VMware brand, creates a remarkable enterprise software player. Collectively, we will deliver even more choice, value and innovation to cus-

build, run, manage, connect, and protect applications at scale across diversified, distributed environments, regardless of where they run. “Building upon our proven track record of successful M&A, this transaction combines our leading semiconductor and infrastructure software businesses with an iconic pioneer and

Combining our assets and talented team with Broadcom’s existing enterprise software portfolio, all housed under the VMware brand, creates a remarkable enterprise software player. —Raghu Raghuram

tomers, enabling them to thrive in this increasingly complex multi-cloud era.” This combination works to provide enterprise customers with an expanded platform of essential infrastructure solutions intended to accelerate innovation as well as address several information technology infrastructure needs. According to the companies, this acquisition will allow customers to enjoy greater choice and flexibility to

innovator in enterprise software as we reimagine what we can deliver to customers as a leading infrastructure technology company,” said Hock Tan, president and chief executive officer of Broadcom. “We look forward to VMware’s talented team joining Broadcom, further cultivating a shared culture of innovation and driving even greater value for our combined stakeholders, including both sets of shareholders.” z

GitLab 15.0: Container scanning, workflow improvements BY KATIE DEE

GitLab has announced the release of GitLab 15.0. With this, users gain access to container scanning in all tiers, internal notes, better links to external organizations and contacts, breaking changes, and more. Also included in this release are improvements intended to speed up the user’s workflow in the WYSIWYG Markdown editor for their wikis. According to the company, there will be no more un-styled, monochrome code blocks. Users will choose from 100+ languages in the dropdown list above the code block so the CSS, YAML, and Python code are separate from each

other with accurate syntax highlighting. Editing links and images in the WYSIWYG editor has also become easier with a new popover menu that appears when the user selects a link or attached image. Additionally, Advanced Search is now compatible with the open-source Elasticsearch fork, OpenSearch, allowing customers to take full advantage of OpenSearch for Advanced Search. GitLab 15.0 also brings the ability for a group to manage several sets of concurrent iterations with iteration cadences. This works to allow each team to have control over the start day and duration of each iteration in their iteration cadence.

Another key feature is internal notes that enable teams to redact certain discussions containing internal or customer data that should only be visible to specific users, while keeping the core details about the issue public. Internal notes in issues or epics can be seen only by the issue author, assignee, and group or project members with at least the Reporter role. This release also offers users the capability to use nested CI/CD variables with environments in pipeline configuration. Users can nest variables inside other variables and have them all expand in the way they expect, increasing the flexibility of dynamic environments. z

018-20_SDT061.qxp_Layout 1 6/21/22 11:31 AM Page 18

SD Times

July 2022

www.sdtimes.com

018-20_SDT061.qxp_Layout 1 6/21/22 11:32 AM Page 19

www.sdtimes.com

July 2022

SD Times

BY JAKUB LEWKOWICZ

nterprises need workload automation to connect all of the business processes of an organization together, but tool overlap has resulted in a complicated web that is difficult to break free from when trying to migrate. While workload automation is one of the older categories within automation, the space is now evolving towards more consolidation as a result of this complexity, according to Cem Dilmegani, founder and chief customer officer at AIMultiple, an AI industry analyst firm. He added that large companies have many different enterprise resource planning (ERP) setups on cloud or hybrid models. ITOps then has to rely on different vendor solutions and internally modified tools to keep the whole patchwork together. “The more tools that you have, the more complexity you have not only in terms of contracting but also in terms of training and getting the team to use the tool effectively,” Dilmegani said. “To be able to capture new crowds, vendors are adding new functionality and using new terminology in their marketing, but most of the time, because one of the primary benefits of this is getting to consolidate your ITOps automation at scale, we don't see companies say ‘OK, for this specific batch of tasks I'm gonna use this and for this other batch, I'm gonna use this.’ They try to go after one vendor that offers them all sorts of capabilities.” Previously, organizations used some sort of workflow orchestration or automation capabilities but haven't used the tools to their full potential, he said. “To have an enterprise, you pretty much need to be running these sorts of operations and in terms of the industry penetration of typical workload automation, I'm not sure I would expect penetration levels to be on the higher side,” Dilmegani added. “But what I also see is enterprises are transitioning from some complicated setup to a simpler setup and they are working with fewer vendors and fewer internally developed technologies and migrating to a place where they can pretty much offload much of the complex things to a new piece of software. So there is an opportunity for the simplification of versatile automation environments.” Once workload automation is set up correctly, enterprises can benefit from a wide range of

tasks from copying files from one location to another, to more complex tasks like provisioning and configuring new servers. The business tasks can then be viewed through a single application that can be managed by IT departments across physical, virtual, and cloud environments.

Slipping over to SOAPs Because traditional job scheduling and automation tools failed to keep pace with the complexity of digital businesses, workload automation now has shifted over to Service Orchestration and Automation Platforms (SOAPs), according to BMC Software in a blog post. Gartner predicts that “through 2024, 80% of organizations using workload automation tools will switch to SOAPs to orchestrate cloud-based workloads” in the Market Guide for Service Orchestration and Automation Platforms. SOAPs offer application workflow orchestration to create and manage workflows across multiple applications, event-driven automation to simplify IT processes, self-service automation, and many more capabilities. The field of workload automation can be rather complex to grasp as vendors are using new terminology to describe similar technologies. There are tens of categories of automation tools and their capabilities tend to overlap, Dilmegani said. Although it bears many names, IT-based workload automation technologies are different from things like robotic process automation (RPA). While both aim to automate work, RPA is typically used to automate tasks within a single application, while workload automation is used to automate tasks across multiple applications. It’s built to handle much more complex tasks and architectures that have spawned as a result of the move toward microservices and Kubernetes. Leveraging workload automation for ETL processes reduces time spent on repetitive data processes, and minimizes human intervention, reducing subsequent data errors. Also, automating data warehouse management through workload automation tools increases the transparency of compliance reports as all processes are recorded and have a detailed audit trail. Lastly, it reduces the number of FTEs hired to complete repetitive tasks, according to Dilmegani. continued on page 20 >

018-20_SDT061.qxp_Layout 1 6/21/22 11:30 AM Page 20

SD Times

July 2022

www.sdtimes.com

< continued from page 19

“The ultimate goal of the workload automation is to eventually have endto-end control over processes that involve different types of IT or business tasks,” said Alexandra Thurel, the director of product management for automation and solutions at HCL.

A critical piece of transformation The workload automation tool is now considered a critical element of the infrastructure that is moving to the cloud or Kubernetes architecture during digital transformation, according to Thurel. “[Companies] look at evolving from on-premises complex application and rehosting or rewriting their application in the cloud, and they need to have the layer that helps orchestrate those new applications with the rest of the world because not all applications are going into the cloud at the same time,” Thurel said. “So they will need to ensure that some file transfer or database inventory that still runs on-premises is connected with the processes that are newly created in the cloud. They need to manage entry points and exit points between the processes.” Companies that are looking towards digital transformation are either still investing in legacy systems that can be distributed, or they’re looking to readjust and re-architect with a lift-and-shift type of approach to the different applications to run on the cloud, or are looking to rebuild and reinvent their applications to become cloud-native. All three of these strategies have one thing in common. They all have business processes that interconnect with different platforms and heterogeneous systems that bring together challenges and risks. These application workloads are no longer sitting in predefined data centers and are now spread across multiple clouds which is where workload automation becomes essential, according to Thurel. Organizations need to embrace a systematic approach, avoiding islands

of automation where each context is being managed by a different tool. Organizations also need to manage their data flows as more data becomes available. Here, the file transfer capability that workload automation excels at is becoming more important. Some of the workload automation tools out today leverage historical workload execution data with AI to expose observable data and provide an enhanced operational experience. For example, HCL Workload Automation can optimize data transfers and processing by leveraging a single point of control and integration for MFT, RPA, and big data applications.

Expanding automation tasks When done right, companies often find that workload automation doesn’t just stop being useful at one specific task. They initially look at specific objectives such as improving a paycheck process or improving inventory management with workload automation, but then they soon realize that they can expand those processes within the ecosystem of applications that flow around that application, Thurel added. Their needs are changing too. Previously, companies wanted to have a control point that ran on-premises in their data center and today people want to have that control closer to their new

application. Their workload automation now helps them gain observability into their cloud environment, or even against Kubernetes standards to allow for more flexibility, more scalability, and higher speeds. Vendors now offer new orchestration flexibilities that enable users to define very precise modeling of their processes and users can define where they want to have the point of control. Workload automation can map automation on specific control points that matter for the business. Then if a job fails, there is an action that can quickly fix that problem and continue to execute business processes. The tool can suggest to users where executions have a high risk of failing because it takes data from the millions of jobs that are executed every day. If there’s an anomaly, the intelligent system can inform the user how to act preventatively. Despite the benefits, moving to a new platform along with workload automation is not an easy task. If a company makes mistakes during reporting, it could be getting taxed higher, or it could be reporting lower revenues along with all sorts of issues. And then there could be outages on the ITOps side which could break the business if the issues are not reported in a timely fashion. Workload automation is one of the most difficult things about migrating to different platforms and is therefore one of the biggest obstacles, according to Dilmegani. “The workflow automation domain is much more at the core of your business. And, it’s also a bit less known because it's sort of done in a back office,” Dilmegani said. “But it’s stuff that shouldn't break, and that brings some risk aversion with that, which is why you are ending up with a complex landscape. Today, there are plenty of opportunities for most companies to simplify.” z

Full Page Ads_SDT061.qxp_Layout 1 6/16/22 2:13 PM Page 21

022-23_SDT061.qxp_Layout 1 6/20/22 4:35 PM Page 22

SD Times

July 2022

www.sdtimes.com

Combating burnout in BY JENNA SARGENT Burnout is a major issue in tech, and it’s one that needs addressing. After two and a half years (or more) of remote work, poor work-life balance, lack of flexibility and more, it’s no wonder that the Great Resignation is happening and that so many developers are reporting that they’re burned out. Forty-nine percent of respondents to a 2021 McKinsey survey said they feel at least some level of burnout. McKinsey believes that this might be an underestimate though, given that employees who are experiencing burnout might be less likely to respond to a survey and that the most burned out workers might have already left the workforce. In 2019, burnout was officially added to the 11th Revision of the International Classification of Diseases (ICD-11) as an “occupational phenomenon.” They define it as “a syndrome conceptualized as resulting from chronic workplace stress that has not been successfully managed.” In ICD-11 burnout also is characterized by three factors: 1. Fatigue or exhaustion 2. Increased mental distance from one’s job, or negativity towards one’s job 3. Reduced efficiency at work According to Monica Bundy, a stress and wellness coach, burnout comes from a mixture of work and personal stress. And it does not happen overnight. Bundy explained that there are five stages of stress, and burnout is the fifth and final stage. Before that comes fight or flight, damage control, recovery, and adapting. She has seen an increase in burnout since the start of the pandemic, and believes it is a result of the combining of work and home life, and this breakdown of the line between the two. If someone was struggling with issues at home, going to the office might have

been a way for them to get away from that for a bit, but then that outlet was taken away. “Stress that they already had at home is now being connected to work because you’re working in the stress that you fail to manage, or you’ve kind of adapted to it … And the last one, after we’ve taught ourselves to adapt to it, is burnout. And so, like you say, relationship issues, financial issues, having to worry about or deal with childcare, health, family health, like all of that, essentially, if we don’t recharge ourselves, if we don’t find ways to really cope with it in a healthy way — because avoidance is unhealthy — eventually our body is like, ‘I can’t take it no more,’” she said. According to Bundy, there are a number of physical symptoms to look out for when trying to self-diagnose burnout, such as fatigue, inability to sleep at night, headache, digestion issues, hair loss and skincare issues. But she also advises people to pay more attention to how they’re feeling in regards to fulfillment, contentment, and happiness. She explained that if you’re constantly feeling unfulfilled or you don’t want to be around other people and are starting to self-isolate, that’s step four in the stress life cycle: adaptation. “Like I said earlier, we can’t allow

that to become our new normal, we can’t adapt to it, and we should seek help,” she said.

Detecting burnout is harder when remote Hybrid and remote work may make it more difficult for managers or coworkers to recognize when something is wrong. Josep Prat, open-source engineering manager at data infrastructure company Aiven, explained: “When we were going to the offices, sometimes you were seeing the faces of people and you could see, oh, something’s wrong with you, shall we go for a coffee? And those conversations were really useful and really needed.” Now, those conversations can still happen, but it’s more complicated and we need to put in more of an effort to create those opportunities that previously just happened by chance. Prat doesn’t believe companies have really come up with a total solution for replicating this in a remote environment just yet. “Of course, we can have regular catchups with webcams and all that stuff,” said Prat. “But we’re missing part of the nonverbal communication and probably need to overcome this by having more open sharing of what’s going on from both sides.” Managers can facilitate this openness by ensuring that there is a relationship and a trust between them and the

022-23_SDT061.qxp_Layout 1 6/22/22 2:13 PM Page 23

www.sdtimes.com

development people they’re managing. Both sides have to agree and understand that it’s a safe space. This gives an opportunity for people to be more open about what’s bothering them. Prat also noted this can be an opportunity to not just discuss what’s not working, but what is working and what good things are happening.

Management should lead by example Another way management can be involved in a positive way is by leading by example. “A message needs to come from leadership that it’s okay to take time off, to take care of yourself, to recharge,” said Christine Spang, CTO and co-founder of communications API provider Nylas. For example, if you have a vacation policy, but no one, especially leadership, is actually taking advantage of that and taking that time off, then that sends a message that no one can. “It definitely starts from the top,” said Spang. “Overwork is not always the problem when it comes to burnout, but it is a factor. And so I think having a supportive management environment where people can talk about what they need, and make sure to take regular time off and unplug” is healthy. “It’s not healthy to always be glued to your phone and getting 1000 Slack messages, and that’s kind of the status quo for how work works today. But, it’s important that people spend Saturday not on their phones, you know, take a week-long vacation sometime throughout the year, spend time with your families, and have a more balanced life.” Nylas is combating burnout in their employees by providing them with greater autonomy and automating workflows whenever possible. Spang believes that burnout can be attributed to people feeling like they don’t have enough agency at work, which is why at Nylas they focus more on output rather than on how much time peo-

ple are spending at their computers. In addition to being beneficial in reducing burnout cases, being outputfocused is also just a better management style. “Nobody wants to be super micromanaged or to be doing activities day to day that don’t seem like they tie back to the results that you’re trying to drive for your job,” said Spang. “And so really focusing on that output or orientation really aligns the incentives all around. Most people find it really meaningful to accomplish things at work, like work is like a big part of what drives meaning in people’s lives. But what drives burnout is people feeling like they’re working and working and working towards a goal, but they’re not actually accomplishing that output, or they don’t have agency on the actual end results.” Automation can also help reduce the amount of mundane tasks that developers have to do. According to Spang, there has been a big focus lately on not just customer experience, but developer experience. If you have to go through 20 steps and coordinate between lots of different teams then the build process gets very long and the developers aren’t going to ever have the satisfaction that comes with having shipped something and having produced some output, she explained.

Offering support as a company perk Companies can also offer mental health resources as one of their benefits to help combat burnout and help employees find ways to manage stress. This is optional to take advantage of, but it would be there for the employees if needed. “Sometimes you want to talk not to your boss or to your manager, but you want to talk to somebody external to give you a complete outsider view of the problem,” said Prat. “And probably we can start doing those things in a more generalized way, having more companies

July 2022

SD Times

caring about them and putting some office services at their disposal so people can use them if they feel like.”

Balance between complex and easy work Another thing that can be beneficial is for companies to ensure that their developers aren’t developing 100% of the time. A study from vouchercloud that included responses from nearly 2,000 office workers in the UK found that the average worker was only productive for 2 hours and 23 minutes per day. “You cannot just be sprinting all the time and you probably don’t want to be working all the time,” said Prat. “So you might want to have a combination of both. You need to have tasks that maybe stimulate you and ask you to give your 100%. But then you need to also have time to basically not do this thing and try to have some things that are more mundane or more repetitive.”

How technology can help Reducing the stress of actually doing your job is also helpful, and implementing certain technologies can help. For example, Spiros Xanthos, VP and general manager of observability company Splunk, explained that if you’re always dealing with incidents and are finding it hard to keep up with the complexity of your systems, that can be very stressful to deal with. So as the complexity of your systems grows, adopting observability tools can ensure that you have visibility into your systems so you have that understanding and can also cut down on the number of incidents, and thus, stress. This is especially beneficial for reducing burnout among on-call workers. “Imagine being on call, and how highly stressful that can be if something is going on, and you have no idea where to look, or where to start to isolate the problem,” said Xanthos. “So it is a very stressful job, especially for people who follow a DevOps model to try to keep the systems up and running.” Implementing easy to use tools to deal with complexity or things that workers don’t really want to be dealing with helps to cut down on negative feelings at work. z

SD Times

July 2022

BY KATIE DEE

www.sdtimes.com

n the past, the CI/CD pipeline was simply a place to integrate code. Developers would write their code in GitHub, pass it through the pipeline, and then deploy it. However, with the emergence of shift left security and newer automation practices, the pipeline has become a much more critical piece of the software delivery lifecycle. According to Tim Johnson, senior product marketing manager at the DevOps solution provider CloudBees, there are two different aspects to the changes being seen within the pipeline. “One is the extent or breadth of what it does… and the other is the importance of what it does,” he said. He explained that when the end user’s experience with an organization is primarily determined by the quality of software, delivering that is of the utmost importance.

“So the CI/CD pipeline has become that much more important… it has to work, you have to get the software out the door and so the importance of that has grown and the breadth and complexity of what the pipeline is being called upon to do has also grown significantly,” Johnson said. He went on to say that while ensuring that features are delivering the expected value continues to be crucial, keeping security and regulatory standards in mind has

024-27_SDT061-4 pages.qxp_Layout 1 6/21/22 1:51 PM Page 25

www.sdtimes.com

Buyers Guide

July 2022

SD Times

How does your solution facilitate the tasks that need to be done inside the pipeline? There are a few different task types: integrations with other tools, scripts, deployments, and manual tasks. Integration steps will interact with the third-party services using API calls. Scripts, on the other hand, will run on an agent. You can target a specific agent or a pool of agents with the required dependencies installed. Deployment tasks will often run on the target deployment environment, optionally using a utility agent to offload any heavy lifting. And manual tasks will notify the assigned person of their task, optionally including a set of instructions. When a task is run, the data from the event is stored and can be referenced from any task further in the pipeline. This allows you to build automated workflows based on data between different services. You group the tasks into stages with entry and exit gates determining when the pipeline can run the tasks within the stage. The gate rules can evaluate data from any task, such as the results from a security scan. Or it can be a manual approval where a particular person or team is tasked with approving it. Once you build your ideal pipeline, it can easily be shared and reused by exporting it into DSL code and adding it to the self-service catalog. With a service catalog full of content, you can provide the organization with a set of compliant workflows where anyone with permissions can generate their instance of a workflow. z

—Drew Piland, Product Manager, CloudBees

only grown in importance as the pipeline has evolved. “The delivery of the software through the pipeline also has to be secure and compliant,” said Johnson. “As well as what it is doing beyond just the simple CI aspect of it. So now you get into things like security and testing automation, software composition analysis, static analysis, dynamic analysis, and all these other things that have to be done to get that software through.”

An end-to-end process According to Gartner research, security in the CI/CD pipeline needs to be an end-to-end process with certain team members responsible for monitoring potential problem areas in order to ensure code compliance.

This leads to the question of whether or not the software has passed these tests. Johnson explained that in order to deliver secure software through the pipeline, an organization now also has to worry about tracking and evidencing standards and exceptions in order to be sure that drift does not happen. This results in increased complexity within the pipeline as keeping track of who accepts risks and makes changes as well as the reasons behind these choices has become paramount to the delivery of secure software. “And then you can’t just go out and throw a party like ‘we deployed, yay it’s all over’ right? You have to keep track of what is going on in production. So, that requires an integration of not only tools, but teams and responsibilities,” said Johnson. He also explained that as an organization works towards progressive delivery and looks at more features, micro components, and micro services, having that view into production is no longer a want, but a need.

Complexity in pipeline grows According to Johnson, the need to make sure that the final product is

performing the way it was intended to grows as the level of complexity within the pipeline does. “The whole thing has gotten so much more complex, and there’s so many more stakeholders involved, and there’s so many more things that have to happen for this to come to market,” he said. “At the same time, the pressure on the market is constantly going up.” Johnson also mentioned that there is a rising pressure to deliver to market quickly that has come with this consistent strain that the market is under. All this to say that the need to innovate quickly in order to keep up combined with the complexities being added into the CI/CD pipeline has caused the software delivery process to change significantly in recent years.

The need for automation Another change that has been made to the CI/CD pipeline is the need for automation. According to Johnson, automation is the essence of repeatability, predictability, and auditability and in order for automation to work properly, the whole organization has to be on the same page about those principles. continued on page 27 >

Full Page Ads_SDT061.qxp_Layout 1 6/17/22 2:09 PM Page 26

;;7 ;Ѵr -m-]bm] +o u ;mhbmv® at Scale? DOWNLOAD THE EBOOK

Ѵo 7 ;;v omঞm o v m|;]u-ঞom -m ;Ѵr +o Ĺ

!;7 1; 7lbmbv|u-ঞ ; ;u_;-7

Build More Safely

Simplify management across controllers, onboard easily b|_ ! ķ -m7 1omC] u; it all as code.

bѴ|Ŋbm v;1 ub| -m7 compliance for hardened ;mhbmv ouhYo vĺ

Jenkins® bv - u;]bv|;u;7 |u-7;l-uh o= _-ubঞ;v m1ĺ š ƑƏƑƑ Ѵo 7 ;;vķ m1ĺ

Automate at Scale Eliminate endless u;Ŋv1ubrঞm]ĺ !;r;-|-0bѴb| ; ;u ঞl;ĺ

024-27_SDT061-4 pages.qxp_Layout 1 6/21/22 1:52 PM Page 27

www.sdtimes.com

July 2022

SD Times

How shift left security is changing the pipeline Shift left security has been a widely discussed issue within the software industry. Whether you like it or not, this practice has changed the way that software is developed and delivered, and therefore, the pipeline it is delivered through. In regards to this, Tim Johnson, senior product marketing manager at CloudBees, said, “I think it has done a major disservice to the industry and to the community… if you look at shift left from the standpoint of a last year solution to a this year problem, it is a disservice.” He went on to say that placing security in the hands of the developers alone can ultimately end up hurting productivity and JOHNSON adding more complexity to the delivery pipeline. This is because developers often do not have the skills needed to ensure that code is compliant. A recent report published by Gartner echoed Johnson’s thoughts, saying, “Do not strive for the mythical DevOps team where the developer is also your security engineer. The basis for DevOps to succeed is not freedom, but rather, rules that need to be followed meticulously.” Johnson explained that because developers lack certain security skills, they may also lack the ability to prioritize security issues and failed tests, which could detrimentally impact developer productivity as well as the organization as a whole. “Saying ‘let’s just dump this all on the developers because

< continued from page 25

He explained that if there is a disconnect or a lack of proper communication on different organizational processes, automation cannot happen. “You can automate bits of it and make incremental microcosm improvements and it’ll work a little better, but it’s still not going to be as fast and as responsive as it needs to be,” Johnson said. He expanded on this saying that any time that there are gaps or missing pieces, more of a burden ends up being placed on the organization’s developers and shared services people to deal with these issues, leading to increased friction and a slowing of velocity. Additionally, Johnson emphasized that when all of these new elements are done correctly, having them in the pipeline can be an overall positive change.

we need to detect this stuff earlier’... negatively impacts the developer experience because they want to write code, they want to innovate,” Johnson said. “They don’t want to deal with risks and technical debt and other zero value adding things, you’re paying them to develop innovation, so let them do that.” Another issue with this practice that he touched on is the fact that it is a “point-in-time” view of the development process. According to Johnson, totally shifting security left can lead to code that was compliant in the beginning of the development process to fail security tests later on down the pipeline. “Someone has to be able to attest and even put their personal liberty at risk to show that we did everything in our control to ensure that this is secure and compliant,” he said. “If you’re just doing it on the left, you can be more secure and compliant than you were in the past, but it is not a guarantee that you are compliant right now.” Johnson said that the best way to approach security is to have checks built all along the delivery pipeline in order to implement a culture of security rather than just making it the developers problem. “It can’t be an afterthought in order for you to be sure that you are secure and compliant…so, instead of shift left, we prefer the term ‘shift security everywhere,’” he said. z — Katie Dee

However, due to the inevitable increase in complexity, the need for every part of the organization to be on the same page has increased tenfold. As far as the negative components of these additions, Johnson warned that organizations should be prepared for a rise in technical debt. “Even though you may have your little bit of the world working well, there’s stuff that you haven’t done… and that is compounded by all of the other departments and all of the other stakeholders in the chain and the technical debt that they have yet to deal with,” he said. On top of that, Johnson said that organizations run the risk of trying to implement these additions too quickly without thinking through how they will function within the context of the rest of the pipeline. With this, he also mentioned that running a modern CI/CD pipeline

requires a fair amount of courage from an organization. “As problems arise, they need to have the courage to figure out how to deal with those, and not in the classic ‘shoot the messenger’ way. You have to have that culture that we are here to improve things… and it is everybody’s responsibility to pull the chain,” Johnson said. This courage and bravery comes from different members of different teams not being afraid to mention when they notice an issue. According to Johnson, not making problems known is a much bigger time waster than the alternative. “Even after you’ve detected the problem, there’s this gap until you fix it… do you have mechanisms in place to turn [the broken feature] off or roll it back, and do you have the bravery to do that?” he said. “You have to have that bravery, because the consequences are so serious for something like that.” z

SD Times

July 2022

www.sdtimes.com

A guide to CI/CD tools n

FEATURED PROVIDER n

n CloudBees: CloudBees provides the leading software delivery platform for enterprises, enabling them to continuously innovate in a world powered by the digital experience. CloudBees enables organizations with highly-complex environments to deliver scalable, compliant, governed, and secure software from the code a developer writes to the people who use it. The platform connects with other best-of-breed tools, improves the developer experience, and enables organizations to bring digital innovation to life continuously to unlock business outcomes that create market leaders and disruptors.

n Atlassian offers tools like Jira and Trello, which can be used to make project management easier and enable crossfunctional collaboration. Its solutions help companies stay on track as they work to deliver products. In addition to its offerings, it also believes that “great teamwork requires more than just great tools.” To that end, it promotes practices like retrospectives, DACI decision-making framework, defining clear roles and responsibilities, and developing objectives and key results (OKRs). n CircleCI is a continuous integration and delivery platform that enables teams to automate their delivery processes. It provides change validation at every step of the process so that developers can have confidence in their code. It also offers flexibility through the abilities to code in any language and utilize thousands of pre-built integrations. n Codefresh is a GitOps-based continuous delivery platform that is built with Argo. It offers benefits like progressive delivery, traceability, integrations with CI tools like Jenkins and GitHub Actions, and a universal dashboard for viewing software deliveries.

n Digital.ai: The company’s Deploy product helps organizations automate and standardize complex, enterprise-scale application deployments to any environment — from mainframes and middleware to containers and the cloud. Speed up deployments with increased reliability. Enable selfservice deployment while maintaining governance and control. n GitLab allows Product, Development, QA, Security, and Operations teams to work concurrently on the same project. GitLab’s built-in continuous integration and continu-

ous deployment offerings enable developers to easily monitor the progress of tests and build pipelines, then deploy with confidence across multiple environments — with minimal human interaction.

n HCL Software is a division of HCL Technologies (HCL) that operates its primary software business. We develop, market, sell, and support over 30 product families in the areas of Customer Experience, Digital Solutions, Secure DevOps, Security and Automation. Our mission is to drive ultimate customer success of their IT investments through relentless innovation of our software products.

n IBM: UrbanCode Deploy accelerates delivery of software change to any platform — from containers on cloud to mainframe in data center. Manage build configurations and build infrastructures at scale. Release interdependent applications with pipelines of pipelines, plan release events, orchestrate simultaneous deployments of multiple applications. Improve DevOps performance with value stream analytics. Use as a stand-alone solution or integrate with other CI/CD tools such as Jenkins.

n JFrog’s DevOps platform offers end-toend management of software development. DevOps teams can control the flow of their binaries from build to production. Its DevOps portfolio includes tools like JFrog Artifactory for artifact management, JFrog XRay for security and compliance scanning, JFrog Distribution for releasing software, and more. n Micro Focus ALM Octane is an enterprise DevOps Agile management solution

designed to ensure high-quality app delivery. It includes Agile tools for team collaboration, the ability to scale to enterprise Agile tools, and DevOps management.

n Microsoft’s Azure DevOps Services solution is a suite of DevOps tools designed to help teams collaborate to deliver high-quality solutions faster. The solution features Azure Pipelines for CI/CD initiatives; Azure Boards for planning and tracking; Azure Artifacts for creating, hosting and sharing packages; Azure Repos for collaboration; and Azure Test Plans for testing and shipping. n Octopus Deploy is an automated release management tool for modern developers and DevOps teams. Features include the ability to promote releases between environments, repeatable and reliable deployments, ability to simplify the most complicated application deployments, an intuitive and easy-to-use dashboard, and first-class platform support.

n Opsera provides continuous orchestration of development pipelines in order to enable companies to deliver software faster, safer, and smarter. Its offerings include automated toolchains, no-code pipelines, and end to end visibility.

n Planview’s Enterprise Agile Planning solution enables organizations to adopt and embrace LeanAgile practices, scale Agile beyond teams, practice Agile Program Management, and better connect strategy to Agile team delivery while continuously improving the flow of work and helping them work smarter and deliver faster. With Planview, choose how you want to scale and when. We’ll help you transform and scale Agile on your terms and timeline. n ServiceNow enables companies to do DevOps at scale. Developers are able to keep using the tools they love while still connecting with ServiceNow’s platform. The company enables automation of administrative tasks, while bringing together both ops and dev teams. z

029_SDT061.qxp_Layout 1 6/21/22 10:15 AM Page 29

www.sdtimes.com

July 2022

SD Times

Guest View BY AARON UPRIGHT

Five steps to battle service outages A

s an industry, software development teams continue to embrace cloud-based toolchains. This trend makes a ton of sense for companies trying to drive development productivity, efficiency, and velocity in the era of hybrid and asynchronous work. But as we’ve seen with Jira’s recent outage, relying on a cloud-based tech stack creates risk. I’m not pointing fingers here. My own company offers a cloud-based productivity platform, and we, like every other cloud provider, have experienced outages. These events are inevitable, so as we become more reliant on the cloud-based software model to run our businesses, it’s essential for teams to understand what steps they need to take to cope with outages when they happen. Not all outages are created equal. Jira’s was high in severity but low in terms of customers impacted. The reverse could be true for the next one you may experience. This is why it’s essential to consider the possibility of outages when selecting your software providers. There are multiple important considerations to keep in mind. We’ve boiled it down to three different primary considerations. Prepare for the inevitable. If you use a cloud-based solution, you know an outage is coming, but it’s impossible to know when, so build a plan. Internally, that means establishing a single point person — an incident manager — that helps coordinate activity during the event, documents important information, and more. Getting buy-in from all stakeholders across your organization is key when an outage hits, so everyone will be in agreement on the next steps to solve the issue as fast as possible. Have a workaround (to the extent possible). Having a viable alternative available when an outage hits is nice, but obviously not always possible, but striving to provide some level of productivity will, at the very least, help to mitigate some of the lost progress when an outage occurs. Speaking from personal experience, my team has dealt with outages from GitHub multiple times. Knowing these will happen, we work to provide a workaround to enable our team to get something done in the interim. Prior to this happening, you should ask if there is a self-hosted possibility to

get the benefits of the cloud without being Aaron Upright is co-founder dependent on the infrastructure. and head of strategic accounts at ZenHub. Choose a cloud-based provider that communicates status updates clearly and regularly. Due to the nature of cloud-based software, it would likely be impossible to choose a company that’ll never experience an outage. However, you can look into how companies have handled outages in the past, how reliable their software is, and what their usual response time is. The SaaS industry is small, so don’t hesitate to ask around your network about their experience with different companies and how they handle outages. Opt for organizations that are quick to document an outage, provide regular and transparent updates, and take these service interruptions seriously. Communicate status updates to internal stakeholders clearly and regularly. In addition to your own team, internal stakeholders and upstream managers need to understand what’s happening with the outage as well. They should not have to ask your team if there is a problem when something’s not working as it should. It’s possible they are the first to know, but more often than not, the organization experiencing the outage should be communicating first on what’s happening. There should be a single source of truth that delivers all your official communications on the event. This is ok if it's multi-channel, but it should be coming from one source to ensure consistency and accuracy of information. Take note of what you’d do differently. Dealing with an outage that negatively impacts your team’s productivity can be frustrating. Especially if all you can do is wait until it’s fixed. However, these outages present a great opportunity to reflect on what your company would do in the event of your own outage. As we mentioned before, outages are a hazard of doing business in the SaaS industry, and we can learn a lot from how our peers handle these situations. Whether it’s good — or bad — take notes on how you felt as a customer navigating the situation and adopt it when your product experiences its own outage. z

It’s essential for teams to understand what steps they need to take to cope with outages when they happen.

030_SDT061.qxp_Layout 1 6/21/22 10:13 AM Page 30

SD Times

July 2022

www.sdtimes.com

Analyst View BY ROB ENDERLE

In-person events: In flux and in trouble Rob Enderle is a principal analyst at the Enderle Group.

he 2022 tech event season started out with CES trying to overcome its disastrous 2021 remote conference by going back to the in-person model. The result was another disaster because attendance was extremely low. Dell Technologies World a few months later was very well-attended but many people got sick and likely regretted their attendance. More recently, Microsoft’s Build event was entirely remote, well-attended, and well-executed but lacked the social benefits of an in-person show. Of all these shows, Microsoft did the best job at hosting a remote event overall, and CES came off as the worst, with its attempt at a hybrid event that neither met the needs of those that were remote or who attended in person. Overall, the event industry is struggling to deal with the new hybrid normal, but event tools still haven’t evolved to truly provide a remote experience strong enough to overcome a lack of the social nature of inperson events. The promise of the metaverse is that it could step in and provide the perfect remote experience that could be as good or better than in-person, but outside of simulations where it is performing well, the Metaverse is still hampered by expectations that are decades ahead of where the technology is now. Let’s explore the train wreck of the events industry now and why we may eventually pivot back to in-person events as a result.

The concept of the metaverse as a virtual environment that is indistinguishable from reality is attractive but not yet available.

The problem Keynotes and product presentations can be done better remotely than in person. In fact, many attendees would go to their hotel rooms and stream them because taking notes remotely is far easier than in person. Microsoft has showcased the advantage of having its own video production capabilities because those virtual events in terms of targeted content, entertainment value, and execution exceed most others I’ve seen so far this year. But as good as product presentations and oneto-many events are virtually, the problem that hasn’t been effectively addressed is how to build relationships. The most beneficial part of in-per-

son events are often the social events that surround the shows, which allow people to meet vendors and peers and create new relationships that can assist them in their jobs and careers.

Metaverse promise As I said earlier, the concept of the metaverse as a virtual environment that is indistinguishable from reality is attractive but not yet available. In addition, the typical hardware you need for the experience (two controllers and VR headset) don’t feel real, and the next generation of hardware, which includes haptic gloves and higher resolution headsets, is still far removed from the level of reality the metaverse promises. In addition, the avatar technology is on the wrong side of the uncanny valley. The uncanny valley refers to an image that closely mimics a human but appears just enough off to be disturbing. Having a conversation with someone that looks like a mannequin has not created the collaborative relationship-building experience that the market hoped for. We are technically capable of creating photorealistic avatars, we just can’t yet do that at scale, and the use of headsets and other prosthetics to interact with the metaverse doesn’t yet feel real either. While metaverse shops like Meta are building their platforms, they seem to be ignoring this problem and are rushing to market with inadequate virtual solutions that are almost certain to miss expectations and still fall short of the organizational needs for relationship-building. Ironically, Meta, which was previously known as Facebook, is the most powerful social media company, but it still doesn’t get what social media is supposed to be, that it isn’t just an ad platform.

Wrapping up: The bigger problem Cisco and Dell stand out as the most aggressive at attempting to solve the problem of social engagement. Cisco is instrumenting its workers by providing information to managers that help them better address remote worker concerns and shortcomings. Dell has put in place managers who are focused on assuring employees who are coming into the office will have at least some peers there at the same time for personal interaction and to reconfirm these employees are valued. z

Full Page Ads_SDT053.qxp_Layout 1 10/27/21 11:41 AM Page 24

The latest news, n news analysis and commentary delivvered to your inbox!

• Reports on the newest technologies affecting enterprise deve developers elopers • Insights into thee practices and innovations reshaping softw ware development • News from softtware providers, industry consortia, open n source projects and more m

Read SD Tim mes Daily to keep up with everything happening in the software devvelopment industry. SUB BSCRIBE TODA AY! Y!

047_SDT032.qxp_Layout 1 1/17/20 5:23 PM Page 1

Reach software development managers the way they prefer to be reached A recent survey of SD Times print and digital subscribers revealed that their number one choice for receiving marketing information from software providers is from advertising in SD Times. Software, DevOps and application development managers at large companies need a wide-angle view of industry trends and what they mean to them. That’s why they read and rely on SD Times.

Isn’t it time you revisited SD Times as part of your marketing campaigns? For advertising opportunities, contact SD Times Publisher David Lyman +1-978-465-2351 • dlyman@d2emerge.com

SD Times July 2022

Articles inside

ANALYST VIEW by Rob Enderle

Modern app dev is about more than tools platforms and languages