SD Times October 2022


OCTOBER 2022 • VOL. 2, ISSUE 64 • $9.95 • www.sdtimes.com


EDITORIAL

EDITOR IN CHIEF David Rubinstein drubinstein@d2emerge.com

NEWS EDITOR Jenna Sargent Barron jsargent@d2emerge.com

MULTIMEDIA EDITOR Jakub Lewkowicz jlewkowicz@d2emerge.com

SOCIAL MEDIA AND ONLINE EDITOR Katie Dee kdee@d2emerge.com

ART DIRECTOR Mara Leonardi mleonardi@d2emerge.com

CONTRIBUTING WRITERS Jacqueline Emigh, Elliot Luber, Caryn Eve Murray, George Tillmann

CONTRIBUTING ANALYSTS Enderle Group, Gartner, IDC, Intellyx

CUSTOMER SERVICE

SUBSCRIPTIONS subscriptions@d2emerge.com

ADVERTISING TRAFFIC Mara Leonardi mleonardi@d2emerge.com

LIST SERVICES Jessica Carroll jcarroll@d2emerge.com

REPRINTS reprints@d2emerge.com

ACCOUNTING accounting@d2emerge.com

ADVERTISING SALES

PUBLISHER David Lyman 978-465-2351 dlyman@d2emerge.com

MARKETING AND DIGITAL MEDIA SPECIALIST Andrew Rockefeller arockefeller@d2emerge.com

PRESIDENT & CEO David Lyman

CHIEF OPERATING OFFICER David Rubinstein

D2 EMERGE LLC www.d2emerge.com

Contents

VOLUME 2, ISSUE 64 • OCTOBER 2022

NEWS

News Watch

OASIS panel works on value stream standards

DevOps Institute introduces educational website

FEATURES

Low code doesn’t necessarily mean low security risks

Communication, collaboration key to hybrid work

Web3 and Web 3.0: Two different ideas that can coexist

BUYERS GUIDE

Release automation: Key to winning the time-to-market race

COLUMNS

GUEST VIEW by Hope Lynch: Software delivery: A hidden DX power

ANALYST VIEW by Rob Enderle: It’s time to consider RISC-V

Software Development Times (ISSN 1528-1965) is published 12 times per year by D2 Emerge LLC, 2 Roberts Lane, Newburyport, MA 01950. Periodicals postage paid at Newburyport, MA, and additional offices. SD Times is a registered trademark of D2 Emerge LLC. All contents © 2022 D2 Emerge LLC. All rights reserved. The price of a one-year subscription is US$179 for subscribers in the U.S., $189 in Canada, $229 elsewhere. POSTMASTER: Send address changes to SD Times, 2 Roberts Lane, Newburyport, MA 01950. SD Times subscriber services may be reached at subscriptions@d2emerge.com.

NEWS WATCH

Sumo Logic updates portfolio

The monitoring company Sumo Logic announced new capabilities that will provide developers with the ability to get faster insights into the performance of their applications.

These updates are being spread across a number of Sumo Logic’s offerings, including Real User Monitoring, Unified Entity Model, and Intelligent Alert Management.

Real User Monitoring updates include insights related to user actions on a page, long task delay metrics that indicate if the main browser interface has been locked for long periods of time, better dashboard visualizations, and capturing and displaying browser errors in the log index and dashboards.

Unified Entity Model adds Database Entities, which automatically detects data, delivers a user-friendly grouping of database entities, and displays them, giving developers a more holistic view of data. Sumo Logic Entity Inspector also now displays related APM Entities on the Infrastructure Entity dashboard, which will make it easier to switch between contexts.

Intelligent Alert Management introduces Intelligent Alert Grouping, which simplifies alert management by allowing developers to specify conditions for which alerts are generated.

Rust establishes security team

The dedicated security team will be underwritten by the OpenSSF’s Alpha-Omega Initiative as well as the Rust Foundation’s newest platinum member, JFrog.

“There’s often a misperception that because Rust ensures memory safety that it’s one hundred percent secure, but Rust can be vulnerable just like any other language and warrants proactive measures to protect and sustain it and the community,” said Bec Rumbul, executive director at the Rust Foundation. “With the establishment of the Rust Foundation Security Team, we will be able to support the broader Rust community with the highest level of security talent and help ensure the reliability of Rust for everyone. Of course, this is just a start. We hope to continue to build out the team in the coming months and years.”

According to the Rust Foundation, the investments from Alpha-Omega and JFrog include staff resources that allow the foundation to implement best security practices.

The new security team will work to undertake a security audit and threat modeling exercises in order to identify how to economically maintain security going forward. The team will also advocate for security practices spanning the Rust landscape, including Cargo and Crates.io.

PyTorch joins the Linux Foundation

PyTorch is transitioning away from Meta and joining the foundation where it will exist under the newly formed PyTorch Foundation.

According to the PyTorch maintainers, since its inception back in 2016, the PyTorch machine learning framework has been adopted by over 2,400 contributors and 18,000 organizations to be used in both academic research and production environments.

The Linux Foundation has said that it will be working with project maintainers, its developer community, and the founding members of PyTorch in order to properly support the ecosystem.

“Growth around AI/ML and Deep Learning has been nothing short of extraordinary and the community embrace of PyTorch has led to it becoming one of the five fastest growing open source software projects in the world,” said Jim Zemlin, executive director for the Linux Foundation. “Bringing PyTorch to the Linux Foundation where its global community will continue to thrive is a true honor. We are grateful to the team at Meta where PyTorch was incubated and grown into a massive ecosystem for trusting the Linux Foundation with this crucial effort.”

Under the Linux Foundation, PyTorch and its community will gain access to many programs and support infrastructure such as training and certification programs, research, and local and global events.

Additionally, the LFX collaboration portal will enable the PyTorch community to identify future leaders, locate potential hires, and observe shared project dynamics.

Lightbend switches Akka license to Business Source 1.1

Lightbend announced that it is switching the license for Akka, a set of open source libraries for designing scalable, resilient systems that span cores and networks.

The project ran on the Apache 2.0 license, which has become increasingly risky when a small company solely carries the maintenance effort even though it is still the de facto license for the open source community, according to Jonas Bonér, CEO and founder of Lightbend, in a blog post.

The new license, Business Source License (BSL) v1.1, freely allows for using code for development and other non-production work such as testing. Production use of the software now requires a commercial license from Lightbend, the company behind Akka.

Bonér added that BSL v1.1 provides an incentive for large businesses to contribute back to Akka and to Lightbend.

People on the move

Kate Johnson has been announced as the new CEO and president of Lumen Technologies. She will also serve on the Board of Directors. Starting Nov. 7, she will replace current CEO Jeff Storey, who is retiring, and he will remain on board through the end of the year to ensure a smooth transition. Johnson has previously held leadership roles at Oracle, General Electric, and Microsoft.

Insurtech company Accelerant has appointed Pete Horst as its new chief technology officer. In this role, Horst will lead global platform strategy and development. Prior to joining Accelerant, he was vice president of engineering for Qlik. He has also held engineering roles at IBM and Cognos.

It has been announced that Simon Bennetts is joining Jit to continue developing OWASP Zed Attack Proxy (ZAP), an open source web app security scanner that he created. ZAP is one of the underlying scanning technologies for Jit. Jit also announced a $38 million seed funding round in June 2022.

Adobe to acquire Figma for $20B

Adobe has announced its intention to acquire the popular design platform Figma for $20 billion.

Since much of Adobe’s business revolves around helping people create digital content, the addition of Figma will help them “usher in a new era of collaborative creativity,” Adobe said.

Figma was founded in 2012 by Dylan Field and Evan Wallace, and today it is used by people who design mobile and web applications. It enables collaboration through multiplayer workflows, sophisticated design systems, and a rich developer ecosystem.

Adobe believes that Figma’s capabilities will accelerate delivery of Adobe’s Creative Cloud technologies on the web in order to democratize the creative process by making it available to more people.

OpenText targets Micro Focus for acquisition

Both companies’ boards have reached an agreement on what the terms of the acquisition would be.

OpenText’s CEO Mark J. Barrenechea commented that this acquisition will position the company as one of the biggest software and cloud companies in the world as it will already have a large customer base, global scale, and go-to-market capabilities.

For context, Micro Focus earns $2.9 billion in annual revenue, generates revenue in 180 countries, and 40% of its employees focus on R&D.

In addition, customers of the companies will benefit from the deal and be able to accelerate their digital transformations through the new capabilities that will be unlocked, Barrenechea added.

Heroku to stop offering free plans

Heroku stated that it will stop offering free product plans on November 28th and that it is planning to shut down free dynos and data services.

Also, accounts that have been inactive for over a year and their associated storage will be deleted starting on October 26th this year.

“Our product, engineering, and security teams are spending an extraordinary amount of effort to manage fraud and abuse of the Heroku free product plans. In order to focus our resources on delivering mission-critical capabilities for customers, we will be phasing out our free plan for Heroku Dynos, free plan for Heroku Postgres, and free plan for Heroku Data for Redis, as well as deleting inactive accounts,” Bob Wise, Heroku General Manager and Salesforce EVP, stated in a blog post.

Heroku also announced the launch of an interactive product roadmap for Heroku on GitHub, on which it encourages feedback, and an upcoming program to support students and nonprofits in conjunction with its nonprofit team.

Heroku will continue to contribute to open source projects such as Cloud Native Buildpacks and will be offering Heroku credits to select open source projects through Salesforce’s Open Source Program Office.

Perfecto supports integration testing for Flutter

Flutter is an open source framework by Google that enables Dart developers and programmers to build, test, and deploy mobile, web, desktop, and embedded apps from a single codebase.

Perfecto now supports integration testing, also known as end-to-end or GUI testing, which is one of three types of testing for Flutter apps. It’s done through a configurable Gradle plugin that allows users to install and run the iOS and Android tests in parallel and at scale.

Developers will have access to AI-powered reporting that enables users to quickly identify and fix issues in their Flutter integration tests.

Aqua Security adds CSPM capabilities to open-source Trivy

Aqua Security has updated its open source project Trivy to include cloud security posture management (CSPM) capabilities.

Trivy is a code scanning tool that looks through container images, file systems, and Git repositories for security vulnerabilities.

Now, the tool can be used with AWS, and Aqua Security said that support for other cloud providers is upcoming.

AWS users can use Trivy to scan their account for misconfigurations and insider threats. This enables users to more easily meet security standards and comply with the CIS benchmarks.

Users can define their own rules or use Trivy’s community catalog, which likely wouldn’t be an option if using the built-in cloud tool. They can also keep consistent rules across IaC definitions and production environments.

Another benefit of this integration is users will be able to identify issues in AWS even when the infrastructure is defined from another tool, like Terraform or CloudFormation.

Progress updates include launch of ThemeBuilder Pro

The software company Progress has announced the release of updates to several of its major tools, including Progress Telerik, Progress Kendo UI, and Progress Telerik Test Studio as part of its R3 2022 release.

It also announced the launch of Progress ThemeBuilder Pro, which allows developers and designers to implement design systems in web applications.

According to the company, implementation of application design can require significant coding work that can result in mistakes, or there could be misalignment between the goals of developers and designers.

With ThemeBuilder Pro, designers and developers can create their own design system in a visual interface using Material, Bootstrap, or Fluent design. Then they can implement it across their web apps using their UI components.

Low code doesn’t necessarily mean low security risks

Low code has many benefits, and they’ve been widely discussed in numerous articles in SD Times, but one area in which they don’t really have an edge is security.

It’s not that low code is more risky than traditional code, but the same risks are there, Jeff Williams, co-founder and CTO of Contrast Security, explained. These include things like authentication, authorization, injection, encryption, logging, and more.

Even developers who spend their entire days writing code have, for the most part, very little security training, and often they don’t even have much communication with the security team. One main difference between the two groups is that citizen developers might be more likely to accidentally introduce a security risk, explained Williams.

“I would expect citizen developers will make a lot of the basic mistakes such as hard-coded and exposed credentials, missing authentication and authorization checks, disclosure of PII, and exposure of implementation details,” said Williams.

According to Mark Nunnikhoven, distinguished cloud strategist at Lacework, access to data is also a big issue to consider, especially when you’re giving citizen developers access to data in systems they hadn’t previously encountered. It’s important to both restrict access to only what is needed and to teach citizen developers the appropriate use of the data connections they access. “We don’t teach you like, ‘hey, you’ve got access to all of our Salesforce information and here’s what appropriate use looks like.’ We just say, ‘oh, you’re in sales or in marketing, and you should have access to that, so here you go.’”

Nunnikhoven explained that this is a huge problem in low code development because suddenly low code developers have the ability to access and manipulate data and connect to other systems, and if they don’t understand the appropriate use of that, they won’t understand the inappropriate use of it either.

“I think that’s the real challenge with these platforms,” said Nunnikhoven. “It’s exposing a gap in our information management or our information security programs that we don’t often talk about, because we’re so focused on the cybersecurity and the nuts and bolts of how we secure digital systems, not the information in those systems.”

Jayesh Shah, SVP of customer success at Workato, also advises customers to develop a certification program specific to the low code platform that will be in use. This is so that the people who will be working with it understand the capabilities and can more easily stay within the company’s policies and guardrails.

Process of security doesn’t change much

Even though the way of building the application is different when you’re talking about low code versus traditionally coded apps, the process of security should be the same.

“Fundamentally the challenge for companies of all sizes is to define their specific level of security, test against that definition, and fix problems,” said Williams.

He recommends that companies set guidelines for exactly how they will use the platform. For example, how should users be authenticated? How is input validated? How are credentials stored?

After setting these guidelines, it’s important to test to ensure that developers are implementing them. These tests can be automated using interactive application security testing (IAST), which analyzes the entire application as it is assembled. Methods like static application security testing (SAST) and dynamic application security testing (DAST) might miss real issues and report false positives, Williams explained.

In addition to having good policies within your company, the low code platform itself can also minimize security risks. For example, according to Shah, the platform can incorporate its own security controls, such as requiring citizen developers to work in sandbox environments or limiting their options.

According to Shah, one area in which low code may have the edge over traditional code is that when a new vulnerability is discovered by the security community, custom software isn’t likely to be updated in a timely manner, while a low code platform could be updated by the vendor to minimize or remove that vulnerability.

“The low code platform can ensure that the platform components it provides do not have security vulnerabilities and are patched and updated as necessary to benefit all users globally,” he said.

Shah added that while traditional development might offer greater flexibility in terms of what can be created, that freedom also brings a broader level of responsibility. Custom software often incorporates third-party or open source components, which are notorious for being weak points for vulnerabilities, he noted.

OWASP Top 10 expands to low code

The OWASP Top 10 is a list of the ten most common security vulnerabilities in code. Recently, work began on an OWASP Top 10 list specifically for low code, with the same idea as the original guide but focused specifically on low code risks.

“You as an organization that is adopting low code/no code should be able to look at the OWASP Top 10 and say, ‘Here are the main security concerns, as agreed by the experts in the community, how am I going to address these within my environment?’” said Nunnikhoven.

Here are the top 10 risks specified by the guide at the time of this writing:

1. Account impersonation

2. Authorization misuse

3. Data leakage and unexpected consequences

4. Authentication and secure communication failures

5. Security misconfiguration

6. Injection handling failures

7. Vulnerable and untrusted components

8. Data and secret handling failures

9. Asset management failures

10. Security logging and monitoring failures

In theory the OWASP list would give companies a set of items to focus on in their security strategies, but Williams, who created the original guide back in 2003, said that’s not really the case, unfortunately. He said that’s what he thought would happen when he wrote the guide, but that he’s “still waiting” for that.

He added: “I think OWASP helps to raise awareness and understanding around risks, but it doesn’t seem to translate into a significant decrease in vulnerabilities. I think it only really works if platform vendors take the advice and build better guardrails into their own specific environments.”


Communication, collaboration key to hybrid work

And the rise of cloud-based tools has facilitated this new WFH normal

Over the last nearly three years, questions surrounding hybrid and remote work have circulated in the business world. People want to know if this new way of working is here to stay, if it causes productivity to suffer, how to combat the disconnection that it could bring, and really, just how to cope with all the changes.

In an attempt to answer these questions and solve the challenges that they bring, several companies have adopted cloud tools and technologies in order to fully transition their work into the cloud and make this new working world easier for employees to adjust to.

The influence of the pandemic on cloud adoption

David Williams, VP of product strategy at the cloud and DevOps automation company Quali, said that this push to move to the cloud has resulted in things that used to be on the back burner now taking center stage.

“The front-end, consumer-based applications that have come to fruition in regards to how we interoperate with the consumer world have always been out there,” he said. “What we have seen now is that the governance has come in that enables people to move things to the cloud with a little bit more security and less risk.”

According to David Torgerson, VP of infrastructure and IT at the collaboration company Lucid Software, with the pandemic being the driving factor behind the transition into the cloud, a great deal of velocity was needed early on. This caused some companies to thrive while others did not.

“So many companies, if not all companies, had one day where they just decided that tomorrow they’re not going to come back into the office so that digital transformation was really forced upon everybody,” said Torgerson.

Williams also touched on the pandemic’s influence on the rate of cloud adoption. He said, “The pandemic came in and was really what put an emphasis on leveraging the cloud. It had multiple impacts and one of them was the higher priority given to the legacy applications that were on the back burner until a year and a half ago.”

Adam Preset, VP analyst at Gartner, emphasized this point. He explained that throughout 2020 and 2021, the volume of questions that organizations had surrounding cloud collaboration tools increased exponentially.

Preset attributed this to companies realizing that on-premises collaboration tools came with several limitations around where employees had to work and how they can access the technology they need.

Implementing collaboration cloud technology

Cenk Ozdemir, cloud and digital lead at the consulting company PwC, spoke about how the companies that did well with this forced transition are the ones that proactively had some kind of investment in cloud technology and tools.

He said, “Many companies had to find new customers and channels during the pandemic, and what we’ve seen is that the companies that had been pre-invested in cloud architecture have been able to innovate much faster than those that weren’t on the cloud.”

Lucid’s Torgerson then explained that in order to adapt to remote and hybrid work well, companies had to move quickly and implement a new work-from-home strategy that utilized cloud tools and technologies right at the start of the pandemic.

According to Ozdemir, companies that already had this cloud infrastructure in place were the ones who were really able to keep up with the pace demanded of them.

Torgerson also said that the main struggle that many companies faced with the initial transition to hybrid work was finding a way to maintain team collaboration and lose as little productivity as possible. This is where cloud tools really worked to pick up the slack.

“What we ran into was a full industry of people who didn’t have much experience interacting with each other without that in-person piece,” he said. “So, Zoom’s stock skyrocketed and Teams and Slack and other communication tools just really took off because of that necessity to maintain some of that in-person experience even in a hybrid environment.”

Now it’s interpersonal

Ozdemir went on to explain that many organizations had to go through two transformations while adapting to the cloud.

The first took place as they tried to replicate the collaboration available in an office setting and the second was the technology transformation needed to enable that interpersonal collaboration.

“You can almost look at this as a human transformation vs. infrastructure and technology transformation. For the companies that already had those tools, it was really just scaling and training while others had to spend months to implement them first,” he said.

Even so, Williams expressed that not all developers in an organization need access to the same collaborative cloud tools. He said that it is highly dependent on the type of development being done.

“DevOps, for example, is about smaller teams, and those smaller teams are using communication platforms like Slack and they use this sort of communication to update each other on a regular basis,” Williams said. “I think that the methods of DevOps, and the ability for the cloud to support that type of application collaboration, has really been what’s driven the cloud adoption.”

He also said that since a hybrid environment means there is less accidental communication, cloud tools help to foster more intentional and meaningful interactions between team members, as long as everyone uses them to their fullest potential.

Cloud adoption and developer satisfaction

Despite these few pitfalls, though, Quali’s Williams believes that the benefits outweigh the challenges. He said, “When it comes to building product, the cloud enables developers and remote workers to spin up instances very quickly without having to go to IT and waste all that time.”

Overcoming cloud hurdles

While collaboration tools for software devel opment are extremely helpful, they are not a magic bullet

Lucid Software VP of Infrastructure and IT David Torgeson explained that once cloud tools are implemented, getting employees on board and using the tools correctly was another pain point early on

He pointed out that one of the main issues was the employees’ instinct to keep their cam eras turned off during meetings This severely limited the amount of non verbal communica tion that teams can engage in and led to heightened amounts of miscommunication.

“Those short communication styles where you can use facial expressions to really convey a meaning just disap peared… and that’s where visual communication really comes into play,” Torgerson explained.

He also said that another way that cloud tools can fall short of their full potential is when organizations only look at them as purely technical, rather than as human centric, communica tion tools.

Creating new tool silos

David Williams, VP of product strategy at the cloud and DevOps automation company Quali, pointed out that a downside to transitioning to the cloud when working remotely is the risk of creating silos in an organization.

“There is an awful lot of fragmentation that exists in the mar ket today because most people will look at the benefits of pro ductivity gains and the idea that you can offer much more visi bility for developers as consumers use the product, giving them

from page 11

Additionally, Torgerson said that the overall happiness and satisfaction level of remote and hybrid developers went up exponentially after implementing cloud technology.

“The experience of using these digi tal tools for things that we have done for decades prior is just better,” he explained “Now that we are in a hybrid environment We have found that even when people are in the office they do not prefer to use a whiteboard any more because these collaborative tools let you share ideas and they allow you to go back and create revisions and his tories and create action items and link it directly to Jira or Asana so it does more than what the traditional whiteboard e v e r c o u l d … T h e w o r l d h a s j u s t changed for the better.”

On top of these benefits, PwC’s

a greater ability to innovate But the ying to the yang is that you need more skills if you’re going to be starting to do that,” he said

He explained that communication needs to be mandated in a way that focuses on strengthening productivity rather than get ting too caught up with too many different cloud tools

With so many options on the market now, as well as new open source tools being released everyday, Williams said that if a certain tool is not mandated in an organization, everyone may just end up using whatever they want This ultimately hurts productivity and leads to that fragmentation he mentioned earlier.

“If you and I are developing something and we decided to use something different to provision infrastructure, then if I were to hand something to you, you wouldn’t be able to take it very read ily without having to reinvent the infrastructure using your tool. So the fragmentation is quite an inhibitor,” he explained.

For Cenk Ozdemir, cloud and digital lead at the consulting company PwC, the biggest downside to transitioning into the cloud is the up front costs that a business has to toll out.

He explained that implementing and scaling these tools to house every employee at an organization was just one part of the overall cost.

“Plus the cost of enabling employees by sending them mon itors and keyboards and cameras and lights and all other kinds of personal technology enablement,” he said. “It’s probably the smaller cost but you have to recognize that working from home is more than just putting a laptop in front of you for ten hours a day ” z Katie Dee

Ozdemir credited the increase in devel oper satisfaction to the fact that it gives developers and engineers a lot of their personal time back.

“Engineers were enabled to remote ly collaborate… and in other locations like India, it did cut down a significant amount of commute time in some of these countries,” he said “So our engi neers, to a large extent, were probably one of the most satisfied in the move ”

Williams also touched on the overall effect on developer satisfaction with cloud tools, but he had a different take

He pointed out that adding cloud tools into an organization has the poten tial to increase complexity for developers and, therefore, make their jobs harder if they are not implemented properly.

“I think we ’ re the only industry that when it comes to making things simpler a n d e a s i e r, w e a d d s o m e t h i n g , ” h e

explained “So I think developers are happier than they were, but they’re still not fully happy ”

Even with Williams’ assessment, the developer response has been mostly positive. Because of this, Torgerson posits that even though the pandemic was the catalyst for hybrid work, its end does not mean that organizations will be going back into an office full time any time soon

“If companies force their employees to go back into an office then they are ignoring the advancements that have been so great,” he said “I think that communication happens by accident in an office and I think in the coming years we will see a pivot from accidental communication to organizations recog nizing that they need to help facilitate some intentional interactions [via cloud tools].” z


It seems that every day in the tech world we hear about the salvation that the new era of the web will bring by taking away mega corporations’ hold on user data and giving control back to the people (at least some of it).

But it isn’t until we read into the matter further that we see the terms Web3 and Web 3.0 thrown around, seemingly synonymous yet quite different.

Web3 is the more commonly referred to aspect of the new web world and it incorporates concepts such as decentralization, blockchain technologies, and token-based economics.

On the other hand, Web 3.0 is otherwise known as the Semantic Web, championed by father of the web, Sir Tim Berners-Lee, in an effort to correct his brainchild that has been led astray. His Solid project will have private information stored in decentralized data stores called pods that can be hosted anywhere the user wants. The project also relies on existing W3C standards and protocols as much as possible, according to Solid’s MIT website.

When asked about whether he aligns with Web3’s version of the future at TNW’s 2022 Conference, he said, “nope,” adding that “when you try to build those things on the blockchain, it just doesn’t work,” referring to the aspects of the web that would give power over data and identity back to the people.

Web 3.0 holds promise in linking data together

The goal behind Web 3.0 has been to make data as machine-readable as possible.

The rules laid out for Web 3.0 as to how to link data are like the rules for writing an article, and how you should use links so that machines can read that information and understand the connection between different topics so that crawlers can learn effectively from that, according to Reed McGinley-Stempel, co-founder and CEO at Stytch, a developer platform for authentication.

“I feel like when I interpret that today, as someone that has been trying to go really deep on a lot of the stuff that OpenAI has been doing, like GPT-3 and DALL-E 2, it feels like Tim Berners-Lee was way ahead of his time in terms of predicting that as you build smarter ML and AI, it would be really valuable if you had the context in a machine-readable form of what articles or content related to each other on the web,” Reed said.

The two ideas for the new web differ in this regard, because the Semantic Web focuses mostly on how to actually present information at the machine-readable level on a website. On the other hand, the blockchain Web3 is much more focused on what is the back-end data structure for how this data is readable.

However, this idea of data discoverability can be possible in some regards in Web3, according to Reed. “If you go to the heart of a blockchain, which is open data by default, obviously, there is some overlap here. Data discoverability mattered a lot to Tim Berners-Lee and his concept, and that can exist on the blockchain, because anything you do with your Ethereum wallet, or any smart contract that you interact with, is naturally searchable and discoverable. Though I think the intent for that data discoverability is different than that of Tim Berners-Lee,” Reed said.

Similar goal, but a different way to get there

Bruno Woltzenlogel Paleo, STEM Lead at Dtravel, a native Web3 travel ecosystem that provides property hosts and hospitality entrepreneurs with the infrastructure to accept on-chain bookings, said that there are many articles that present Web3 and Web 3.0 as opposites, whereas they’re both just actually addressing different aspects of what people want to have from whatever follows Web 2.0.

“I think it’s perfectly possible for these ideas to coexist,” he explained, adding that they can even be complementary. “The Web3 notion coming from blockchain and cryptocurrency can contribute a lot to the economic incentives aspect, whereas the Web 3.0 idea from the Solid project can contribute a lot to the data storage and data ownership aspect.”

What people want from the new web is more participation and ownership over their data, more privacy over the data, and less dependency on third parties and intermediaries. The selling of user data for advertising has eroded the trust that people have in Web2.

“The current technical solution from Web3, which in practice is Web2 plus blockchains, cryptocurrencies and smart contracts, doesn’t deliver the latter aspect yet,” Paleo said. “Tim Berners-Lee’s notion of Web 3.0 is very interesting and I think it addresses this need for data privacy and data ownership better than the approaches that currently exist in the blockchain space.”

Any kind of data can be stored in a Solid Pod: from structured data to regular files that you might store in Google Drive or Dropbox folders, and people can grant or revoke access to any piece of their data as needed.

All data in a Solid Pod is stored and accessed using standard, open, and interoperable data formats and protocols. Solid uses a common, shared way of describing things that different applications can understand. This gives Solid the unique ability to allow different applications to work with the same data, according to the Solid project.

There’s a challenge to monetize Web 3.0

However, Paleo said that he doesn’t see anything in Web 3.0 to address the economic incentives.

“It’s not only a matter of finding a solution that allows people to easily own their data and migrate the data,” Paleo said. “There’s also an economic problem that people don’t want to store their own data and then, for somebody else to store their data, let’s say for Facebook or Google to store the data, there has to be some economic incentive and in Web 2.0 the incentive is the monetization of that data. But in the Web 3.0 idea, I just don’t see how he’s proposing any alternative to that monetization of data being proposed.”

On the other hand, Web3 has the profit motive because Web3 companies can provide services or tokenize their business model.

Because tokenomics might open up new revenue streams that don’t involve selling user data, holding users’ data may become a liability or a risk that is best avoided, so it’s in the interest of companies to not hold onto data anymore.

Paleo said that there are some interesting approaches such as the IPFS (interplanetary file system), Filecoin, and the Web 3.0 idea of Tim Berners-Lee that can help solve this problem.

Challenges for developers in Web3

While Web3 is poised to disrupt the web as we know it, it’s important for developers to understand that they’re not moving away from Web 2.0 but rather will continue to use the usual software development tools and add some extra components from Web3, according to Paleo.

“This is not something that’s going to happen over the next five years, or probably even 10 years, but maybe even longer as infrastructure develops and becomes easier for people to store their own data or to hold on to it,” said Cynthia Huang, head of growth of Dtravel.

A big thing that developers have to watch out for is that some types of data are best not stored on the blockchain. Because transparency is really key to blockchains, and to Web3, it doesn’t really work well for data that you don’t want to be public. For example, if you have medical records, it doesn’t make sense for you to store that on the blockchain, Huang explained.

Another challenge is that developers not only have to consider the front and back end of an application, they’ll also have to consider the smart contract layer and then the communication with the blockchain.

“It’s challenging to decide what parts of an application logic should go into the smart contract, and what parts should be handled by the back end, for instance,” Paleo said. “And just because you’re using smart contracts, it doesn’t necessarily mean that magically you will gain the benefits from blockchains.”

Developers have to design in very specific ways to gain benefits from blockchain.

“When people use blockchain, they typically talk about less reliance on trust and more independence from third parties and intermediaries, but if you implement a smart contract in such a way that you have absolute power to modify the smart contract anytime you want, then your users are still dependent on you as a third party and intermediary,” Paleo said. “So you must implement smart contracts in ways that really deliver those goals of immutability and reduction of the need for trust.”

Many people are still not familiar with cryptowallets

Also, many people are still not used to using noncustodial crypto wallets like MetaMask, and are still used to the Web2 way of paying for services with credit cards.

“If you want to make a project that is crypto-native that is purely Web3, then to pay for things on your website, users would have to connect their MetaMask wallet and they would have to fund that MetaMask wallet with the base currency of some blockchain to pay for gas fees,” Paleo said. “So this creates entrance barriers for the users and friction for users who are new to blockchains and cryptocurrencies, which is a big challenge for developers in Web3.”

Web3 adoption in practice

Currently, a lot of Web3 adoption is driven by Web2 companies wanting to add Web3 native features into their products, according to Reed. For example, Twitter allows users to link their NFT to their Twitter profile.

“The most traction we’re seeing with Web3 use cases are offerings within Web2 use cases that already have distribution. I think a lot of Web3 apps are still trying to prove why should you use this app over Twitter, Uber, Lyft, Facebook, or Google, because I think there are real UX questions about whether it’s worth the tradeoff at this point, which is why it seems to be that the hybrid approaches are gaining more traction from our vantage point,” Reed said.

Also, not everyone wants the tradeoffs that Web3 would bring if it means sacrificing UX.

The origin story of the Web3 idea is that people didn’t want to be locked into a walled garden of large Web2 platforms that have immense control over everyone’s digital lives. But, a lot of users don’t want to purely exist in a world where there’s bad UX, but you have complete control of your data.

“A lot of companies think there are interesting technical pieces and cultural trends coming up with Web3, and they’re interested to adopt that. They’re not immediately running everything on the blockchain. They see tons of value in their core Web2 platform and products. And they see value and also being able to appeal to the users that are very interested in when Web3 NFTs. And so they just see it as another feature they can offer,” Reed said.


OASIS panel works on value stream standards

Goal is to bring increased interoperability between tools for sharing data

In order to facilitate the development of standards for sharing data across different platforms within the value stream, a new technical committee has sprung up from within OASIS Open, which is an open source and standards consortium.

According to the committee, organizations typically employ a number of different tools to measure software performance in order to maximize innovation, drive growth, and add value.

Led by Helen Beal, chair of the Value Stream Management Consortium and chief ambassador at the DevOps Institute, and Kelly Cullinane, director of energy and federal services at Copado, the Value Stream Management Interoperability (VSMI) Technical Committee aims to bring increased interoperability between these tools.

According to Beal, value stream management (VSM) is the next evolution of DevOps, and “pivotal to that is the DevOps tool chain and at the Consortium, we talked about the need for a common data model,” she said.

She said that one challenge to getting companies to adopt VSM is the complexity of getting data out of the toolchain.

While value stream management isn’t necessarily a new concept, Beal said it is going through a bit of a renaissance as companies try to use it with the massive amounts of data they have.

“We’ve never had the ability to access data and make data and insights driven decisions like we can now,” said Beal. “For example, value stream mapping has traditionally always been a very physical manual exercise with a group of people in a space, very opinion driven building, you know, visual collaboration of the work that they’re doing. What we can do with DevOps toolchains now is effectively automate the value stream map, or actually abstract that to another layer, and automate insights into the value stream map. We’ve not been able to do that before.”

As the VSMI committee is still in its early stages, much of the current work to be done relates to actually getting together and developing these standards. Cullinane explained that this includes things like defining the key components of a value stream, or looking at the tools companies are using and figuring out what is the same and what is different.

“When you’re developing language and terminology and common vocabulary, it’s really important to have people from different industries as well as different types of vendors or government, academia, and consultants,” said Carol Geyer, chief development officer at OASIS. “And so we are actively trying to welcome new members into OASIS. I’m actively looking to companies to let them know this is going on and encourage them to be part of this, and have somebody on this technical committee. I think standards are always stronger when everyone has a seat at the table when we are trying to make that happen.”

DevOps Institute introduces educational website

DevOps Institute, the learning community that serves to enable those who work in DevOps to advance career development and upskill for enterprise transformation by offering resources, guidance, and experts, announced SKILup IT Learning, a subscription-based online education website.

SKILup IT Learning is a self-directed learning platform that focuses entirely on DevOps and Digital Transformation.

Users have the choice of either SKILup IT Learning+, an upgraded paid subscription that includes an expanding portfolio of certification preparation video training courses; SKILup IT Learning, the regular paid subscription; or the free Community Membership for limited access.

“SKILup IT Learning is the IT professional’s one-stop destination for continuous learning on topics relevant to DevOps and Digital Transformation,” said Jayne Groll, CEO at DevOps Institute. “The 2022 Upskilling IT Report findings clearly prove that upskilling IT resources and skills shortages are a major issue for organizations and individuals alike. SKILup IT Learning offers a unique solution to this huge challenge by making practical education from recognized thought leaders.”

According to the company, SKILup IT Learning provides subscribers of any level with access to focused content, practical education, and a wide range of knowledge that is not easily accessible on other learning platforms.

SKILup IT Learning is also underpinned by SKILup Discussions, an interactive chat platform that offers topic-specific channels to discuss, share, ask questions, and network with other SKILup IT Learning subscribers, industry thought leaders, and community members.

Complexity.

That’s the word that comes to mind first when discussing modern software applications. Development teams have to innovate, and quickly, to keep pace with business needs, all while needing to ensure quality and security within those applications.

It’s that word complexity that the companies below are addressing in their offerings. Whether in support of digital transformation, cloud adoption, coding practices or application security, these are the companies our editors have selected to keep an eye on in 2023.

Bridgecrew

WHAT THEY DO: Cloud native security

WHY WE’RE WATCHING: Bridgecrew, acquired by Palo Alto Networks in 2021, offers a way to embed security into a development team’s tools and workflows, as part of the company’s Prisma Cloud’s Cloud Native Security Platform. The Bridgecrew solution offers Infrastructure as Code security, software composition analysis and supply chain security.

ClickUp

WHAT THEY DO: All-in-one project management

WHY WE’RE WATCHING: Billing itself as “one app to replace them all,” ClickUp’s tools can create dashboards that bring all reporting into one place, automate routine tasks and assign work, and enable collaboration from ideation through project development. And, if you don’t want to abandon all the tools you’re now using, ClickUp can integrate with them and provide the needed data.

Coherent

WHAT THEY DO: Software as a service

WHY WE’RE WATCHING: Coherent’s Spark solution can transform business logic locked in spreadsheets into no-code APIs, enabling business teams to more easily collaborate with IT to create value with internal systems, partners and new market opportunities. Coherent Spark transforms business logic into APIs that can integrate with virtually any platform.

Jellyfish

WHAT THEY DO: Bridge business and IT

WHY WE’RE WATCHING: On its website, Jellyfish wants “every engineering leader to become a business leader.” Its solution ensures the engineering organization is focused on what matters most to the business, and enables clear communication with senior stakeholders both within and outside of the engineering organization for contributing to the product strategy and company direction.

LinearB

WHAT THEY DO: Continuous improvement

WHY WE’RE WATCHING: LinearB’s solutions provide developers with DORA metrics to see what’s going on in their pipeline, and show you how to improve the quality of your code through automations of pull requests and merges. The company believes that with the right data, software development teams can speak a common language with business leaders, team leads can remove delivery bottlenecks and ship faster and devs can help their teammates more and be happier at work.


OctoML

WHAT THEY DO: Automated ML model deployment

WHY WE’RE WATCHING: Spun out of the University of Washington by the creators of Apache TVM, an open source stack for ML portability, OctoML makes AI more sustainable through efficient model execution and automation to scale services and reduce engineering burden. In June, the company announced an update that enables app developers and IT operations teams to transform trained ML models into agile, portable, production-ready software functions that easily integrate with their existing application stacks and DevOps workflows.

OpenAI

WHAT THEY DO: Artificial intelligence R&D

WHY WE’RE WATCHING: OpenAI is a research laboratory that has created an API that provides access to GPT-3, for performing natural language tasks; and Codex, which translates natural language to code. It has created DALL-E (like the artist Dali), an AI system that can generate original images and artwork from a natural language description; and Whisper, a neural network that approaches human-level robustness and accuracy on English speech recognition.

Prefect

WHAT THEY DO: Data flow automation

WHY WE’RE WATCHING: Prefect’s platform allows companies to streamline their workflows and schedule when applications run. Most applications have a preset schedule to run, which at times does not correlate with what a company is using it for, and Prefect can help customize when it runs and make sure it is taking in all the data it should.

Secure Code Warrior

WHAT THEY DO: Code security

WHY WE’RE WATCHING: Development teams learn while they code to prevent security issues before they happen. Its secure coding skills platform gives developers the training they need as security “shifts left” into software architecture and development. The company’s approach to learning combines defensive and offensive, framework-specific coding challenges and hands-on missions to rapidly build your security posture.

Stytch

WHAT THEY DO: Authentication for developers

WHY WE’RE WATCHING: Stytch’s platform enables developers to add authentication in minutes with out-of-the-box solutions. With Stytch’s APIs and SDK, developers can use the auth platform to help their organizations streamline onboarding and authentication, drive user engagement, and increase conversion.

Torc

WHAT THEY DO: AI-driven on-demand developer marketplace

WHY WE’RE WATCHING: Founded September 2021 by the C-suite that put Topcoder on the map, Torc's intelligent talent marketplace matches remote software developers with jobs at global enterprises across every vertical. Torc provides unlimited career growth opportunities for their developer community, as well as a scalable, secure, AI-driven talent sourcing experience for companies worldwide. In 12 months, Torc’s community, customers, job opportunities and bookings have more than doubled each quarter, making Torc a preferred platform for on-demand technical talent.

Wilco

WHAT THEY DO: Developer upskilling

WHY WE’RE WATCHING: By unbundling professional development from employment, Wilco aims to reduce that gap and give everyone the chance to both gain new skills and master existing ones at an accelerated pace. The company released the first live version of its software in June, with comic-book-looking ‘quests’ that developers can go on and learn from those tasks.

YourBase

WHAT THEY DO: Software test acceleration

WHY WE’RE WATCHING: The company’s package installs into the codebase and plugs into existing CI workflows to deliver test results faster. Underlying the software is a dependency graph that traces the code base to understand the execution paths that tests take, and only runs the tests whose paths overlap with the code changes being evaluated. As a result, builds that took up to an hour or more finish in seconds or a few minutes every time.


Release automation: Key to winning the time-to-market race

As the number of components that organizations have to manage throughout their application delivery process grows, companies are looking to get more from their application release automation (ARA) platforms. These platforms can help organizations automate the process of releasing software applications and may include tools for managing code changes, deployments, testing, and other aspects of the release process.

Today, nearly all (90.5%) organizations are releasing features with a lead time of a month or less, which increased by 26 percentage points from 2020. In addition, organizations that are delivering features in 1-2 weeks doubled between 2020 and 2021, according to IDC’s U.S. Accelerated Application Delivery Survey from January 2022.

Pushing applications through to production has led to many difficulties for organizations, from consuming a lot of time to resulting in a lot of errors, especially when there are a lot of applications to release.

“Enterprises are now looking to automate the deployment of applications that have a hybrid tech stack, as well as multiple microservices with heavy version dependencies,” said Ryley Robinson, product marketing manager at HCL Software. “For example, this can be a single application with some on-prem deployments, legacy deployments on mainframes, IBM iSeries, and some cloud deployments across different hyper scales.”

On top of that, enterprises want to do all-or-none, canary, blue-green, rolling, and/or A/B deployments all from a single ARA solution.

“Organizations have automated most of their deployment processes, but they still need to understand that organizations always go through modernization initiatives on their business critical applications to remove the technical debt and to get the benefit of the latest innovations in the technology world,” Robinson said. “So, release automation is not something that is ‘done once and forget it.’ It is an ongoing process that evolves every week, every month. It is still automated, but there is still a lot to do.”

Three areas to start ARA

Despite its name that suggests its position at the end of a pipeline, release automation can excel in three different areas, according to Colin Bowern, senior vice president of product at Octopus Deploy.

The first is the whole non-production flow, which is where a lot of people get started with release automation. Errors here will have a minimal impact if one gets it wrong.

“This is stuff that you do on a very regular basis, and if you’re coming from a world of manual steps, or fragile scripts, it’s like, boy, it would be a whole lot easier if every time I commit a change to source control, it gets deployed out to a test environment,” Bowern said. “So for a lot of folks, this is the safest way that you can get started.”

Production, on the other hand, tends to be the second stage, but it’s also where the greatest ROI on release automation comes from, according to Bowern.

Before release automation, all of an application’s stakeholders had to be on deck for the release in case something went wrong.

The goal of ARA is to make application releases as orderly and stress-free as possible. After all, the process used to deploy to production is the same as the one used to deploy to non-production environments, Bowern added.

ARA can automate all of the things that happen on an ad hoc or scheduled basis around an environment, such as running the troubleshooting, resetting databases, or running scripts.

While adoption of ARA still has a long way to go, many organizations that decide to leave their manual ways behind first have a bad deployment and realize that they’re down in the pit with an hours-long, human-error-prone process and think there has to be a better way, Bowern said.

Others decide that they can just use their CI workflow automation tool because it does the builds and the tests. “While it’s a great place to get started when things are very simple, CI tools don’t understand environments. They don’t understand how to do rollbacks. To work around this, teams will kind of get some consistency by creating reusable workflows, but all of that custom logic and variables and stuff like that creeps in, and it becomes really hard to reuse across projects and is hard to maintain,” Bowern added.

The third scenario is that people come from stack-specific CD tools such as Kubernetes or Argo, or any tools that were purpose-built for an environment and do it really well.

“These are great quickstarts to help you do the right thing early inside your stack, but they were designed for that stack and that stack alone, and if you want to deploy your wider enterprise portfolio of apps, you won’t do that on Argo, or if you do, you’ll have to hack around it to make it happen,” Bowern said.

Many organizations have to juggle multiple tech stacks, data centers, and multiple cloud providers, so ARA helps to work around some of those stack-specific tools and ensure compliance on deployment type, whether it’s .NET, Java, node, VMs, containers, or serverless, Bowern explained.

“You can find out whether you need to improve flow just by going and talking to the engineers on the team. The question I love to ask is if I needed you to deploy something to production today, a small change that was blocking the business, is that a big deal?,” Bowern said. “If the answer is yes, which you’d be surprised to find can be ‘I have to go sign off on this form’ or ‘I have to schedule this window,’ that’s the thing you need to first get rid of so you don’t have that friction and can go on your improvement journey.”

Moving forward, ARA vendors are looking to incorporate or expand on existing AI/ML to handle tasks ranging from automatic code generation with tools like GitHub’s Copilot to testing and deployment to help address increased software velocity and the complexity of multi-modal deployment platforms, according to Melinda-Carol Ballou, research director of Agile ALM, Quality, and Portfolio Strategies at IDC.

How microservices affect ARA

ARA has turned out to be particularly useful alongside the growth of microservices, Octopus’s Bowern explained.


ARA tools come with some challenges

There is a lack of standardization in the field and no one size fits all release automation tool Each organization has different needs, and no one tool can meet all of them

Companies that have stalled in the middle of their DevOps journey have failed to address or understand the cultural, organizational, and process changes required to adopt a new way of working with technology.

These companies invested in automation, with 67% of mid-evolution respondents to Puppet’s 2021 State of DevOps report saying their team has automated most repetitive tasks. But, as an organization, they haven’t addressed the silos and misaligned incentives around deploying software to production that gave rise to the DevOps movement, since 58% of companies reported that multiple handoffs between teams are required for deployment of products and services.

However, the biggest barriers are often cultural and organizational, because effective release automation demands a transition to continuous, agile approaches to development and release management, according to IDC’s Ballou.

“That transition involves a significant shift in how people do what they do, and human beings are way more wired for consistency than we are for change,” Ballou said. “The coordination between business stakeholders and those creating the software enabled by effective agile approaches brings greater relevance to what is deployed.”

DevOps engineers have to get the balance right

Whereas developers are usually at the forefront of adopting ARA on the non-production side, when things get more complicated with the service management system, that’s when DevOps engineers typically come onto the scene.

“They’re a little bit developer and a little bit SRE and their job is to come in and be those experts that help teams go faster on this because teams aren’t used to automating, they’re just used to cutting code,” Octopus Deploy’s Bowern said. “So the DevOps engineers have the kinds of skills that say that my job now is not to understand how to architect applications, but how to get things moving faster.”

Many organizations have a centralized DevOps Center of Excellence (CoE) that maintains the templates for different ARA strategies and the individual application teams benefit from these templates with enough space to do their customization when needed. There is also a huge benefit in sharing the learning across teams in an enterprise and CoEs help with that.


How does your solution enable release automation?

Ryley Robinson, product marketing manager at HCL Software

HCL Accelerate with HCL Launch is an enterprise-grade continuous release orchestration solution within the powerful HCL DevSecOps tool chain. HCL Accelerate is the Value Stream Management product with broad release management capabilities. With HCL Accelerate’s plugins that can integrate to any deployment solution through native plugins or through API-driven pipeline, enterprises can easily orchestrate their complex releases through HCL Accelerate. As enterprises break their monolithic applications into cloud-native microservices, it becomes even more important to have the releases orchestrated through a release management product like HCL Accelerate that can understand the dependencies, complexities, and all-or-nothing deployment strategies.

HCL Accelerate provides the automated governance for the release orchestration with data-driven insights. Accelerate as a Value Stream Management tool and as a release orchestrator has deep insights into DevOps processes and can help enterprises to identify the bottlenecks even before individual teams realize the pain. HCL Accelerate provides visibility of the entire pipeline and provides a bird’s-eye view of where and when the changes that would hugely impact the business are in the delivery pipeline. Accelerate also provides full visibility for developers on the impact of the changes that they are working on.

HCL Accelerate working with HCL Launch provides the best-in-class release management / deployment automation solution out there. With HCL Launch’s “deploy from anywhere to anywhere” capabilities, enterprise DevOps teams are delighted to find they can automate deployments to a broad mix of environments such as mainframes, microservices, on-prem, public, private, and hybrid cloud.

“We’ve certainly observed and we hear this because teams started asking us for dependency management, ‘How do I make sure project A doesn’t go out the door before project B?’ And so we see people struggling as they adopt microservices to get that true independence model, and they end up trying to orchestrate different components shipping at different times,” Bowern said. Microservices need the concept of snapshots where different versions of different microservices are grouped and tested. A good ARA solution should be able to guarantee that a snapshot containing dependent versions of microservices gets deployed properly and should also be able to assure that what is tested together is deployed together, according to HCL’s Robinson.

Colin Bowern, senior vice president of product at Octopus Deploy

Octopus Deploy is the universal deployment automation company. We help software teams deploy software in a continuous and stress-free way.

Octopus simplifies complex deployment processes allowing software solutions to be delivered faster and in a unified way to various deployment environments. Octopus Deploy addresses the needs of enterprise organizations which no longer need to choose between the speed and the quality of their software deployments. It also provides robust permission and auditing capabilities to ensure internal and external compliance. Octopus Deploy integrates out of the box with leading CI/CD solutions to streamline deployment pipelines and to provide additional value to organizations’ existing systems, such as ITSM services such as Jira and ServiceNow.

Based on its work with more than 350,000 IT professionals, Octopus Deploy has seen firsthand how the success of DevOps aligns with great deployment automation practices. It helps enterprise DevOps teams deploy software more effectively by eliminating error-prone manual processes associated with software change management and provides insights into DevOps performance based on the four DORA metrics.

Octopus Deploy is offered as both a self-hosted and SaaS offering. As part of the growing trend toward moving to SaaS in the DevOps tooling space, the company is committed to making Octopus trustworthy, secure and scalable.

ARA is a process within continuous deployment

The process of ARA is a vital part of continuous deployment, which should be treated as a set of philosophies and principles, Octopus Deploy’s Bowern said.

Continuous delivery is all about not letting changes sit idly so that they build up into big batches. It says that you’re reducing risk by releasing regularly into the various environments along the way and getting changes moving.

“And so if you take that as a philosophy, release automation is a really critical tool in that, because you can’t get that speed and do it manually,” Bowern said. “We continually hear from customers that it takes them hours to deploy because it’s not just copying a binary to a server. It’s all the steps you need to do to migrate to the database, or bring a load balancer down, and these are all the same things you did last week, or yesterday, or last month. And so automation is truly a part of living that philosophy of continuous delivery, not whether you deploy to production every day.”

Effective ARA relies on visibility into what’s happening in requirements, development and testing, according to HCL’s Robinson. On top of that, teams need data from quality assurance products like functional, performance, and application security.

A strong set of plugins can help release managers make the go/no-go decisions. Instead of having multiple manual checklists in spreadsheets, if the release management solution can provide automatic gating based on quality criteria by pulling data from multiple sources, it makes it easy to release software with confidence, Robinson added.


Stack Overflow standardizes on a version-controlled CI/CD pipeline for their enterprise solution.

product line.

Solution and Results

• Maturing their CI/CD pipeline: deployment process. They’re using this approach for more projects.

• Speed of deployments: to execute and manage.

• Enabling better development experiences: teams are shifting projects to have all source code and resources stored in a single software repo.

• Customize Octopus to suit their team. dashboards to suit its needs using the Octopus API.

• Getting the support they needed: offered by Octopus has been excellent as compared to other vendors. They had tried

“CaC allowed us to create our change we made”.

“It brought to life the most valuable part of version controlling deployments, which is the iteration process (via branching) that it allows users to have”.

Visit Octopus.com to learn more.

“Octopus closed the gap for us, so we can now deploy to both our data center and cloud service providers”.

Want to see how Octopus can evolve your deployments?

A guide to release automation tools

FEATURED PROVIDERS

• HCL Accelerate: HCL Accelerate is a data-driven value stream management platform that automates the delivery and interpretation of data so businesses can make faster, more strategic decisions and streamline processes. By integrating with the tools you’re already using, HCL Accelerate aggregates data from across your DevOps pipeline to give you actionable insights so you can get the most out of your DevOps investments. HCL Accelerate is part of HCL Software DevOps, a comprehensive DevOps product suite comprised of powerful, industry-proven software solutions.

• Octopus Deploy: Octopus Deploy sets the standard for deployment automation for DevOps. We help software teams deploy freely when and where they need, in a streamlined, routine way. More than 3,000 organizations and 350,000 users worldwide use its universal deployment automation tool and framework to make their complex deployments easy. From modern containers and microservices to trusted legacy applications, Octopus orchestrates software delivery in data centers, multi-cloud, and hybrid IT infrastructure.

• Atlassian: Bitbucket Pipelines is a modern cloud-based continuous delivery service that automates the code from test to production. Bamboo is Atlassian’s on-premises option with first-class support for the “delivery” aspect of Continuous Delivery, tying automated builds, tests and releases together in a single workflow.

• CA Technologies, A Broadcom Company: CA Technologies’ solutions address the wide range of capabilities necessary to minimize friction in the pipeline to achieve business agility and compete in today’s marketplace. These solutions include everything from application lifecycle management to release automation to continuous testing to application monitoring and much more.

• Chef: Chef Automate, the leader in Continuous Automation, provides a platform that enables you to build, deploy and manage your infrastructure and applications collaboratively. Chef Automate works with Chef’s three open source projects; Chef for infrastructure automation, Habitat for application automation, and Inspec for compliance automation, as well as associated tools.

• CloudBees: The CloudBees Suite builds on continuous integration and continuous delivery automation, adding a layer of governance, visibility and insights necessary to achieve optimum efficiency and control new risks. This automated software delivery system is becoming the most mission-critical business system in the modern enterprise.

• Digital.ai: The company’s Deploy product helps organizations automate and standardize complex, enterprise-scale application deployments to any environment from mainframes and middleware to containers and the cloud. Speed up deployments with increased reliability. Enable self-service deployment while maintaining governance and control.

• GitLab: GitLab’s built-in continuous integration and continuous deployment offerings enable developers to easily monitor the progress of tests and build pipelines, then deploy with confidence across multiple environments with minimal human interaction.

• IBM: UrbanCode Deploy accelerates delivery of software change to any platform from containers on cloud to mainframe in data centers. Manage build configurations and build infrastructures at scale. Release interdependent applications with pipelines of pipelines, plan release events, and orchestrate simultaneous deployments of multiple applications.

• LaunchDarkly: LaunchDarkly is a feature management platform that empowers all teams to safely deliver and control software through feature flags. By separating code deployments from feature releases, LaunchDarkly enables you to deploy faster, reduce risk, and iterate continuously. Over 1,500 organizations around the world, including Atlassian, IBM, and Square, use LaunchDarkly to control the entire feature lifecycle from concept, to launch, to value.

• Micro Focus: ALM Octane provides a framework for a quality-oriented approach to software delivery that reduces the cost of resolution, enables faster delivery, and enables adaptability at scale. Deployment Automation seamlessly enables deployment pipeline automation, reducing cycle times and providing rapid feedback on deployments and releases across all your environments.

• Microsoft: Microsoft’s Azure DevOps Services solution features Azure Pipelines for CI/CD initiatives; Azure Boards for planning and tracking; Azure Artifacts for creating, hosting and sharing packages; Azure Repos for collaboration; and Azure Test Plans for testing and shipping.

• Puppet: Puppet Pipelines provides developers with easy-to-use, self-service workflows to build containers, push them to any local or remote registries, build and deploy Helm charts, and deploy containers to Kubernetes in under 15 minutes, while providing governance and visibility into the entire software delivery pipeline and the status of every deployment.

• VMware: With VMware Tanzu, you can automate the delivery of containerized workloads, and proactively manage apps in production. It’s all about freeing developers to do their thing: build great apps. Enterprises that use Tanzu Advanced benefit from developer velocity, security from code to customer, and operator efficiency.


Guest View

BY HOPE LYNCH

Software delivery: A hidden DX power

In today’s business landscape, it seems like every company has undergone or is in the process of a digital transformation. DX is a necessity for enterprises as they look to remain competitive in the software-first environment.

To keep up with the competition, it’s essential to digitally transform and to do it correctly in order to avoid becoming one of the 70% of digital transformations that fail to reach their objectives.

DX is estimated to represent 55% of all infrastructure and communications technology spending by 2024. With this level of investment, companies have a significant interest in undertaking successful transformations. That said, sometimes the hardest part of a transformation is knowing where to start. To do better business in today’s digital landscape, it’s important to first evaluate the company’s technology stance, meaning the best place to get started is with improving your software delivery.

Digital transformation

Let’s start by defining DX, as there are varying definitions out there. Digital transformation is a holistic approach to the strategic adoption of digital technologies. Typically, the goal is to drive the adoption of new technology and change within an enterprise to deliver an improved customer or employee experience, streamline processes, enhance productivity, manage risk, and control costs. While oftentimes leaders are looking for immediate results with these changes, rushing on implementations can ultimately affect their success. Organizations with a holistic approach to DX and a realistic understanding of the time it takes to realize value are better positioned to see significant, lasting business results.

Software delivery is a significant part of any company, and transformation efforts can be positively impacted by improving the software development and delivery process. Done correctly, software delivery can create important drivers to create better business outcomes and be a force multiplier for value derived from your efforts. It can help speed time to market, save time and money, mitigate risk, improve your security and compliance posture, and provide visibility into the velocity of the organization overall.

Software delivery and digital transformation

How do software delivery and digital transformation work together? On the most basic level, they help get your technology to market faster by improving release velocity and quality at scale.

With effective software delivery principles, you can begin to automate steps throughout the software delivery lifecycle and increase integration to improve both velocity and quality as the organization grows. This is possible because effective software delivery practices like value stream management provide greater transparency and control for releases across the entire landscape.

Software delivery and digital transformation can also save enterprises both time and money while reducing risk. By combining continuous integration and continuous delivery practices, feature flagging, and source code management, progressive delivery provides you with more granular control of your releases at scale. Additionally, the combination of these DevOps tools empowers developers to ensure the highest quality code reaches their users as quickly as possible.

Lastly, by building continuous security and compliance into your delivery process, you can improve your security and compliance posture while reducing investment in these essential areas. Especially in a time where cyberattacks are growing more common and compliance regulations are growing more complex, continuous compliance and security is essential. Making this part of your company’s digital transformation strategy will help with staffing, prioritization of innovation, and business acumen while maintaining a focus on security and meeting shifting regulatory requirements. Baking this into the transformation changes it from a choice between security/compliance and business value, to an option to do both well.

If you are still planning your company’s DX, or are looking to retool your transformation process, your software delivery process may just be a hidden but powerful driver of business value. It may be what sets your company apart from the competition in today’s digital landscape.

Hope Lynch is senior director, platform, at CloudBees.

Analyst View

It’s time to consider RISC-V

Over the last months, ARM has pulled licenses from the ARM server-focused company, Nuvia, because of Qualcomm’s acquisition of that company. Then, recently, it sued Qualcomm to block the use of Nuvia’s solutions, effectively restricting Qualcomm from benefiting from that acquisition.

This suit made little sense on the surface because ARM is not a player on servers, so you’d think it would support any of its licensees going into that market. But another aspect of this is that the joint development of a PC part by these two companies would, at least on paper, create a better solution than Apple’s M1 processor, also operating under an ARM license, which may have caused Apple to force ARM to block Qualcomm from creating a Windows ARM part that would outperform Apple’s MacOS alternative.

Regardless of why this lawsuit was filed, a licensing vendor suing a licensee for doing something the license appears to allow is not only unprecedented but suggests an unusual amount of control by one or more vendors on the ARM platform. It also indicates that ARM is moving into a period where it may become financially unviable and thus unable to resist becoming a competitive pawn for a powerhouse like Apple.

It may be time to hedge ARM development with RISC-V.

ARM’s coming problem

What makes ARM appear to be vulnerable to pressure such as what Apple may be applying is that its IPO won’t provide the operating capital it will need post-IPO. Back when ARM was going to be acquired by NVIDIA, the money for the purchase would have flowed to Softbank, which owns ARM, but NVIDIA had pledged to fund the company after that at competitive levels. The IPO, in contrast, just provided the money to Softbank and doesn’t seem to provide much in the way of significant operating capital to ARM.

ARM is already downsizing in anticipation of that problem with 15% of its staff or up to 1,000 jobs expected to be laid off. Layoffs like this tend to reduce productivity substantially.

Because they tend to be done in a rush, layoffs can and have removed critical employees and incented high-value employees to leave because they rightly anticipate that layoffs can lead to a company death spiral where the layoffs do execution damage, which cuts income and then justifies subsequent layoffs.

In short, this litigation looks desperate, and that desperation may be a combination of Apple pressure, the layoffs and a poorly conceived IPO that doesn’t appear to provide needed operating capital to the coming independent (from Softbank) ARM.

RISC-V

While RISC-V’s encroachment into the ARM space has mostly been with embedded systems to date, there is a reasonable chance that with the concerns for ARM’s long-term viability increasing, an open source, non-proprietary solution could be better long term than the proprietary solution from ARM.

RISC-V is open source, an approach far more popular with developers and large-scale users than ARM’s closed source. Companies like Qualcomm provide much of the value to the ARM technology they develop and sell, and this same capability could be transferred to RISC-V, which has much lower licensing fees attached to it and potentially far more flexibility. Effectively, licensees can do what they want with RISC-V cores.

The reason that RISC-V has been growing and replacing ARM in the embedded market also supports the move from ARM to RISC-V on smartphones. The licensing issues with ARM are largely not a problem for RISC-V licensees. A company works with RISC-V International and licenses or works with another licensee to create a solution, something that ARM is currently objecting to Qualcomm doing, even though Qualcomm purchased Nuvia, making them one company now. Both Intel and NVIDIA work with RISC-V; Intel to help populate its FABs, and NVIDIA as an alternative to ARM that will likely get more focus now that its attempt to buy ARM has fallen through. One company, Microchip, has gone on record saying it made the move from ARM to RISC-V because it had lower development and licensing costs, better long-term outlook and more flexibility. In short, RISC-V better met their short-term needs, and particularly their low-risk, long-term needs.

Rob Enderle is a principal analyst at the Enderle Group.