JANUARY 2023 • VOL 2, ISSUE 67 • $9 95 • www sdtimes com
www.sdtimes.com
EDITORIAL
EDITOR-IN-CHIEF David Rubinstein drubinstein@d2emerge.com
NEWS EDITOR Jenna Sargent Barron jsargent@d2emerge com
MULTIMEDIA EDITOR Jakub Lewkowicz jlewkowicz@d2emerge.com
SOCIAL MEDIA AND ONLINE EDITOR Katie Dee kdee@d2emerge.com
ART DIRECTOR Mara Leonardi mleonardi@d2emerge com
CONTRIBUTING WRITERS Jacqueline Emigh, Elliot Luber, Caryn Eve Murray, George Tillmann
CONTRIBUTING ANALYSTS Enderle Group, Gartner, IDC, Intellyx
CUSTOMER SERVICE
SUBSCRIPTIONS subscriptions@d2emerge com
ADVERTISING TRAFFIC Mara Leonardi mleonardi@d2emerge com
LIST SERVICES Jessica Carroll jcarroll@d2emerge com
REPRINTS reprints@d2emerge com
ACCOUNTING accounting@d2emerge.com
ADVERTISING SALES
PUBLISHER David Lyman 978-465-2351 dlyman@d2emerge com
MARKETING AND DIGITAL MEDIA SPECIALIST Andrew Rockefeller arockefeller@d2emerge com
PRESIDENT & CEO David Lyman
D2 EMERGE LLC www d2emerge com
CHIEF OPERATING OFFICER David Rubinstein
dtSearch.com 1-800-IT-FINDS The Smart Choice for Text Retrieval® since 1991 dtSearch’s document filters support: popular file types emails with multilevel attachments a wide variety of databases web data Developers: and recent .NET (through .NET 6) Visit dtSearch.com for developer evaluations efficient multithreaded search forensics options like credit card search Instantly Search Terabytes ®
NEWS 4 News Watch 10 The biggest security challenges of 2023 15 Copado launches new DevOps marketplace for plug-and-play integration solutions 15 OpsMx announces sof tware and services extensions to Argo 19 WebAssembly finds second home in the cloud Contents page 6 page 12 Software Development Times (ISSN 1528-1965) is published 12 times per year by D2 Emerge LLC, 2 Roberts Lane, Newburyport, MA 01950 Periodicals postage paid at Newburyport, MA, and additional offices SD Times is a registered trademark of D2 Emerge LLC All contents © 2023 D2 Emerge LLC All rights reserved The price of a one-year subscription is US$179 for subscribers in the U S , $189 in Canada, $229 elsewhere POSTMASTER: Send address changes to SD Times, 2 Roberts Lane, Newburyport, MA 01950 SD Times subscriber services may be reached at subscriptions@d2emerge com FEATURES page 16 page 20 The perfect SRE doesn’t exist, but the right one might already be in your organization Value stream management provides predictability in unpredictable times VOLUME 2, ISSUE 67 • JANUARY 2023 MARKET FORECAST COLUMNS 26 GUEST VIEW by Michael Schmid Developers shouldn’t have to learn K8s 27 ANALYST VIEW by Rob Enderle ARM puts its future at risk
1Password focuses on code security
According to 1Password, the new features, including the CI/CD integrations and 1Passwo rd S h e l l P l u g i n s, offe r developers the opportunity to secure their code by managi n g keys, c re d e n t i a l s, a n d secrets as projects move from one environment to another
With 1Password Shell Plugins, developers are enabled to sign into any CLI with a fingerprint, by keeping their API access keys in 1Password This works to allow users to sync c re d e n t i a l s i n e n c r y p te d va u l t s a c ross d ev i ces a n d eliminates the need to store plaintext keys on disks
Ad d i t i o n a l l y, 1 Pa sswo rd ’s CI/CD integrations help develo p e rs se c u re se c re t s a n d allow them access to them directly within CI/CD environments with pre-built integrat i o n s fo r C i rc l e C I , G i t H u b Actions, and Jenkins
Lastly, Git Commit Signing enables developers to sign their Git commits as well as receive a “verified” badge on GitHub and GitLab through SSH keys that are integrated, configured, and stored in 1Password
Meta unveils PyTorch 2.0
According to Meta, PyTorch 2.0 is the initial step towards the next-gen 2-series release of PyTorch.
This release is intended to improve performance speed as well as add support for Dynamic Shapes and Distributed while still maintaining the same eager-mode development and user experience.
PyTorch 2.0 also introduces `torch.compile`, a new capability that improves PyTorch
Google: Allo yDB for PostgreSQL no w is GA
The solution is a fully managed, PostgreSQL-compatible database service that enables organizations to modernize database workloads The preview was announced earlier this year at Google Cloud I/O According to the company, when compared with standard PostgreSQL, AlloyDB was faster for both transactional workloads and analytical queries In addition, it was also faster than Amazon’s comparable service for transa “Developers have many choices for migrating their applications AlloyDB pelling relational database option with ibility, great performance, availability a We are really excited to co-innovate wi now benefit from enterprise grade fe cost-effectively modernizing from leg etary databases,” said Bala Natarajan director of data Infrastructure and clo engineering at PayPal
performance and starts the m ove fo r pa r ts of P y To rc h from C++ back into Python
Drupal 10 improves authoring experience
D r u p a l 1 0 d e b u t s t h e n ew Claro administration theme, w h i c h re p l a ces t h e S eve n theme, and the Olivero default f ro n t- e n d t h e m e, w h i c h replaces the Bartik theme
Claro was part of Drupal’s Admin UI & JavaScript Mode r n i s a t i o n p ro j e c t, w h i c h aimed to re-imagine the content authoring and site administration experience of Drupal
O l i ve ro i n c l u d es m o d e r n design elements and support fo r co m m o n l y u se d D r u p a l features like second-level navigation, embedded media, and layout builder
Drupal 10 also introduces CKEditor 5, which includes an i m p rove d a u t h o r i n g ex p e r ience and more modern editing capabilities
O t h e r u p d a tes i n c l u d e replacement of some jQuery co m p o n e n t s w i t h m o d e r n J ava S c r i p t co m p o n e n t s, Th e m e Sta r te r k i t to o l s fo r bespoke theme creation, and re p l a ce m e n t of Sy mfo ny 4
with Symfony 6
Th e re a re a l so two i ndevelopment features that will be added to Drupal 10 as contributed modules when they are ready These include Autom a t i c U p d a tes a n d P ro j e c t Browser
Automatic Updates applies patches to Drupal core in a s a n d b oxe d ve rs i o n of yo u r website, which enables developers to keep their site running until deployment time This allows them to detect and re p o r t p ro b l e m s a t eve r y sta g e of t h e d e p l oy m e n t process, rather than having to wait until an update is live to discover problems
Project Browser is a repository for modules and themes t h a t e n a b l es d eve l o p e rs to easily add them to their sites
Linux Foundation launches RISC-V certification exam
Th e ce r t i f i ca t i o n i s b e i n g offered in collaboration with RISC-V International, the global open hardware standards organization
According to the companies, this release is designed to test functional knowledge
of the RISC-V instruction set architecture
The RVFA exam is intended for anyone pursuing a career a s a n e m b e d d e d syste m s e n g i n e e r, RT L d es i g n e n g ineer, design verification engineer, software developer, or documentation engineer
Ad d i t i o n a l l y, i n te reste d ca n d i d a tes s h o u l d a l re a d y h ave a k n ow l e d g e of g i t, advanced programming languages, debuggers like GDB, and system architecture (ISA)
Snyk gets $196.5M Series G investment
The round was led by Qatar Investment Authority with participation from new investors Evolution Equity Partners, G Squared, and Irving Investors as well as existing investors boldstart ventures, Sands Capital, and Tiger Global
According to the company, this comes after a year of rapi d c u sto m e r a d o p t i o n fo r Snyk, with over 2,300 users who have fixed more than 5 2 million vulnerabilities over the last year
Snyk has also released successful cross-portfolio deployments, with over 70% of users
4
E W S
N
WATC H N E W S WATC H
SD Times January 2023 www.sdtimes.com
c u r re n t l y l eve ra g i n g S ny k’s Developer Security platform. Snyk believes that this reveals an increase in the desire to shift from legacy approaches and the hardships of managing several security vendors.
JetBrains previews
Qodana Cloud
Q o d a n a C l o u d i s a c l o u dbased extension of the code quality platform Qodana.
According to the company, Qodana Cloud collects data from Qodana linters and gathers them in a single place, which allows developers to dive deeper into particular issues
J et B ra i n s ex p l a i n e d t h a t having to switch between linters can slow down the code rev i ew p ro cess, so Q o d a n a Cloud will eliminate some of that friction
Teams can use the new so l u t i o n to d i scove r t re n d s and patterns in code across all projects, which will give them a more complete understanding of how their projects and teams are performing
Th e p l a tfo r m offe rs t h e a b i l i ty to c re a te se p a ra te o rg a n i za t i o n s, te a m s, a n d projects, and assign a single team to several projects
Each project also displays the history of previous checks, which allows you to compare quality checks across commits
Similar to Qodana, users can open issues right from the IDE, enabling them to fix server-side errors from the editor, the company explained
Fu tu re re l ea ses w i l l a d d role-based access control to enable teams to create permissions based on what a user needs to complete their job They are also working to add a d d i t i o n a l se c u r i ty co n t ro l s and enable quick fixes for certain issue types
Ease of use key in Apache Cassandra 4.1
The 4 1 release is the first version that follows the new yearl y re l e a se c yc l e t h a t wa s implemented last year The release will be supported for three years Apache Cassandra is a distributed NoSQL d a ta b a se, a n d i s a n o p e nso u rce p ro j e c t u n d e r t h e Apache Software Foundation
Ecosyste m i m p rove m e nts i n A p a c h e Ca ss a n d ra 4 1 include a new Memtable API that provides pluggable pers i ste n t m e m o r y, i m p rove d Lightweight Transaction performance via Paxos v2, pluggable external schema manager services, and pluggable SSLContext creation
According to a blog post, t h e Pa xos o p t i m i za t i o n s improve latency and halve the number of round trips needed to achieve consensus It also g u a ra n te es l i n e a r i za b i l i ty across range movements that are similar to what would be ex p e c te d f ro m a d a ta b a se with strong consistency
“Apache Cassandra is open source technology at its best It exceeds our database performance goals and is a critical database we are using for providing a seamless streaming experience to our customers worldwide,” said Vinay Chella, Senior Engineering Leader at Netflix.
Updates pertinent to Cassandra Query Language (CQL) developer include the ability to group by time range, the ability to use CONTAINS and CONTAINS KEY conditions in conditional updates, and the ability to use IF EXISTS and IF NOT EXISTS in ALTER statements.
Cassandra operators can look forward to updates like co nfi g u ra b l e syste m l eve l guardrails, a partition denylist-
ing tool, improved syntax to cassandra.yaml, new systems tables, the ability to monitor to p pa r t i t i o n s by s i ze, a n d i m p rove m e nts to n o d eto o l , backup and restore.
CompTIA introduces Job Posting Optimizer
Th e O p t i m i ze r w i l l h e l p e m p l oye rs ex p a n d t h e i r pipelines and seek out overlooked or untapped talent.
The free, web-based platform offers a range of tech job te m p l a tes a n d d a ta to o l s intended to optimize postings for skills, qualifications, and inclusivity oriented to the U S labor market
According to the company, of the over 500,000 job postings for entry-level tech positions in 2022, 57% of employe rs l i m i te d t h e i r sea rc h to candidates with a four-year degree or higher
People on the move
Additionally, for employers looking to fill entry-level cybersecurity roles the number one listed industry-recognized certification is a managerial-level credential that requires advanced experience.
GitLab launches beta of new Web IDE
According to GitLab, this new Web IDE is more user-friendly and efficient. It combines VS Co d e’s co re fe a tu res a l o n g with heightened performance a n d t h e a b i l i ty to se cu re l y connect to a remote developm e n t e nv i ro n m e n t st ra i g h t from the Web IDE
Fo r se l f- m a n a g e d u se rs, the Beta version will be available as a part of the GitLab 15 7 release, which is coming on December 22, 2022 It will be behind a feature flag that can be enabled by administrators on an instance-level z
n GitHub has announced that Inbal Shani has been appointed as its Chief Product Officer. Before joining GitHub she was a general manager at AWS in their ECS service. She has also held leadership roles at Microsoft and TomTom.
n The mobile testing company Kobiton announced the appointment of Sean Barry to the role of CEO He was previously the COO of Rent, which was a company owned by real estate company Redfin Before that he worked at Updater, Bridgevine, and Allconnect
n Dan Isaacs has been announced as Chief Strategy Officer at the Object Management Group (OMG) He is also general manager and CTO for the Digital Twin Consortium, which is oart of OMG He will continue his work there As Chief Strategy Officer, Isaacs will develop a strategy for unifying OMG’s consortia and expanding the global ecosystem
n Dr. Jisheng Wang is joining API security and observability company Traceable as Head of Artificial Intelligene and Machine Learning and VP of Engineering. He was previously the senior director of engineering at Juniper Networks, where he led R&D for the networking AIOps solution Marvis.
5
www.sdtimes.com January 2023 SD Times
Nick Durkin, Field CTO, Harness
Measuring developer effectiveness in 2023
In 2023, we will see a major shift in how businesses measure he effectiveness of developers’ work. I believe that compaes will start analyzing developer activities and outputs, similar to how sales teams are evaluated, and that an element of gamification may come into play as well. With businesses now able to access critical tools that measure employee performance across departments, developer teams will be able to showcase the invaluable work they are doing, and how they are achieving those outcomes. I think this will be a positive shift in the way businesses run their tasks and teams because it will advocate for the most critical facets of the company, like engineering and development.
ob Zuber, CTO, CircleCI Software teams that embrace failure in 2023 will come out on top.
My biggest piece of advice for other leaders is to create a ulture that embraces failures. The richest information about an organization can be improved comes when things go wrong. For software engineering teams especially, having a blameless culture builds the trust teams need to solve problems quickly and avoids time wasted worrying about the perceptions of others.
Alexander Lovell, Head of Product, Fivetran Data teams: Put up or shut up
2023 will be put up or shut up time for data teams. Companies have maintained investment in IT despite wide variance the quality of returns. With widespread confusion in the my, it is time for data teams to shine by providing actionable insight because executive intuition is less reliable when markets are in flux. The best data teams will grow and become more central in importance. Data teams that do not generate actionable insight will see increased budget pressure.
teve Wood, SVP of Product, Platform, Slack Low code as we know it is dead.
As the nature of low-code apps continues to evolve, the lines between the consumer (what we think of as the user) and he producer (typically the builder) will become increasingly red, and the actual “building” of an app will increasingly merge with the “using” of an app. With that, as we enter 2023, we’re seeing a more focused phase of low-code apps one that’s template, solution, and outcome driven. In the year ahead, we’ll see the next phase of low code become hyper-focused on identifying actual business use cases and giving users the tools to act on them by simply using these apps and without having to build at all. Low-code platforms will have to know, or be able to predict, what the most common use cases are and provide customers with a ready-made solution.
al Lev-Ami, CTO and co-founder,
Cloudinary
The adoption of new video and image codecs. Developers must hoose wisely when it comes to image mats–the wrong format could allow immersive experiences to sink a site’s load time and reliability JPG is no longer king– major improvements have been made to compress assets more effectively while offering more features that will optimize the web experience WebP adoption has grown since 2019 and is on track to overtake PNG as the second most frequently used format JPEG XL is roughly 60% more efficient than JPEG In March 2022, the JPEG XL specification was published as an ISO standard.
Haoyuan Li, Founder and CEO, Alluxio
More large-scale analytics and AI workloads will be containerized n the cloud-native era, Kubernetes has me the de facto standard, with a variety of commercial platforms available on the market. Organizations are increasingly deploying large-scale analytics and AI workloads in containerized environments. While containers provide many benefits, the transition to containers is very complex. As a result, in 2023 the main bottleneck to container adoption will be the shortage of talent with the necessary skill set for tools like Kubernetes.
SD Times January 2023 www sdtimes com 6
2022 saw business and technology come together under the banner of value stream management, more uptake in microservices and other cloud-native technologies, and a greater emphasis on software quality and security.
What will 2023 bring? These industry experts share their thoughts.
assius Rhue, VP, Customer Experience, SIOS
Technology Site Reliability Engineering Increases Need for High Availability for Critical Applications
With large organizations now managing many hunds of servers and cloud VMs, all requiring increased availability, means that incorporating HA into Site Reliability Engineering principles will become a standard part of DevOps projects Using SRE, DevOps teams will standardize on HA tools that are capable of decreasing complexity, increase availability and reliability, and automate application aware failovers The vendors who have products that support multiple OS versions, clouds, applications, and databases will be baked into vendor best practices
abriel Aguiar Noury, Robotics Product Manager, Canonical The rise of social robots
hris Gladwin, CEO, and Co-founder
of Ocient Hyperscale Will Become Mainstream
Data-intensive businesses are moving beyond big data into the realm of hyperscale data, which is xponentially greater. And that requires a reevaluaof data infrastructure. In 2023, data warehouse vendors will develop new ways to build and expand systems and services.
It’s not just the overall volume of data that technologists must plan for, but also the burgeoning data sets and workloads to be processed. Some leading-edge IT organizations are now working with data sets that comprise billions and trillions of records. In 2023, we could even see data sets of a quadrillion rows in data-intensive industries such as adtech, telecommunications, and geospatial.
In 2023, social robots will be back Late in 2022, we saw companies like Sony unveiling robots like q This set the stage for a new wave of social robots Powered by natural language generation models like GPT3, robots can create new dialogue systems This will improve the robot’s interactivity with humans, allowing robots to answer any question Social robots will also build narratives and rich personalities, making interaction with users more meaningful GPT-3 also powers Dall-E, an image generator But, this is not only about the novelty effect Dall-E will keep pushing research to help robots define their behaviour based on their surroundings As image detection and context generation merge, robotics scene awareness and social intelligence will take a new leap. By generating a detailed textual description of an image, robots will soon be able to understand the room they are in or what people are doing. This is another step towards real autonomy.
rateek Kapadia, Chief Technology Officer at Flytxt
An emergence of low-code CX
The past few years have highlighted the need for nterprises to pivot to meet the ever-shifting scape of customer needs efficiently. Next year, we’ll see an increase in user-friendly, low-code processes and systems to create a seamless customer experience across a myriad of touchpoints and systems. Vendors will embrace Industry-standard APIs to allow enterprises to integrate their CX ecosystem connecting internal and external systems painlessly.
continued on page 8 >
ukmini Reddy, SVP of Engineering, Platform, Slack DevOps teams will need to get creative
As we head into 2023, which is increasingly likely o be defined by the effects of an economic down, DevOps teams will need to get creative and do more with less. There will be a focus on maximizing the ROI of professional developers, who are some of the most expensive assets for businesses. It will be imperative to ensure the developer experience is as seamless as possible, minimizing the amount of time spent switching between multiple, disparate and sometimes inefficient tools. With focus shifting to developer productivity, I expect tightening purse strings to act as a catalyst for teams to adopt more efficient practices when it comes to developing and shipping code. We’ll see more reliance on tools like software development kits and pre-baked code that can be reused and repurposed to slash cycle times and deliver secure, impactful code as quickly as possible.
rian Anderson, CEO, Nacelle Headless commerce becomes the go-to
After years of gaining traction among early adopters, in the coming years, headless will truly ecome the norm. According to a Salesforce Comce Cloud survey, 80% of all online merchants are either already or plan to be headless over the next two years. Headless commerce offers a competitive advantage to those who embrace it. Specifically, merchants who are headless see increases in conversion rates, average order values, engineering productivity, and website change velocity. When one competitor in a vertical goes headless, a technology adoption race occurs as others scramble to upgrade and keep pace. Headless implementation in isolation will be deemed foolish so in 2023, top merchants will look at headless within the context of their broader company vision and technology strategy.
Sune Engsig, VP of Product Development at Leapwork
Test automation has struggled to capture a user nterface element a button, an input field, or a ll in a complicated table and find it again later even when things change. It’s why UI test automation is often referred to as 'fragile.' 2023 will get closer to training ML to predict what to use as reference points and how to build recipes to find any type of UI elements, based on content and structure.
ean Hager, CEO, Jamf Education technology can help students beyond remote learning.
Historically, some teachers viewed technology as isruptive in the classroom. During the pandemic, hnology was needed to keep classes in session. As it turns out, the need to deploy technology that supports distance learning has had an impact that will change the classroom forever Many technology-resisting teachers now realize that technology doesn’t disrupt the classroom If deployed effectively, it enhances both teaching and learning
Danny Sandwell, Senior Solutions Strategist, Quest
New data sovereignty laws will spur businesses to make data more visible and interperable. We expect to see businesses take a proactive role in creating their own data governance policies amid the current wave of regulatory action. The current global patchwork of data sovereignty and privacy laws has made it more complicated than ever for businesses to create consistent policies on data sharing, integration and compliance. This will continue to have a significant impact on organizations’ ability to maximize the use of data across their IT infrastructure, unless they put together clear plans for data integration and governance. In 2023, the passing of more data sovereignty and sharing laws will spur businesses to invest in getting visibility into their data and creating clear plans for sharing and integration across their IT landscape.
Zohar Bronfman, co-founder and CEO of Pecan AI
Customer retention will be the primary focus for business leaders in 2023
hey will double down on their efforts to engage their customer base more deeply. Whether they’re seeking to increase retention, grow their share of wallet, or win back customers, leaders know that these customers are their greatest asset, especially during challenging economic times. And, importantly, they already have all the customer data they need to help understand and predict what they’re likely to do, fueling their ability to personalize offers and outreach. That knowledge of future customer behavior will drive successful retention strategies next year.
sko Hannula, Sr. VP of Product Management at Copado DevOps backlash
After years of DevOps fever, criticism towards DevOps is going to grow, for two different reasons. t, many businesses fail to reap the benefits because they have just implemented tools without changing their working practices. Second, many corporations have, and will continue to, reduce IT operations personnel assuming that Ops would somehow happen by itself in DevOps. Nevertheless, DevOps will continue to deliver success and gain popularity among those that implement it right and, despite temporary hiccups, the crowd of successful DevOps adopters keeps growing.
8
SD Times January 2023 www.sdtimes.com < continued from page 7
sparxsystems.com R E NGA M A E GE O L SH DE Modeling and Design Tools for Changing Worlds Enterprise Architect Version 16 NEW UML ® | BPMN ® | BPSim | BPEL | DMN ™ | Google ® & AWS ® Icon Sets | TOGAF ® | Zachman ® XSD | ArchiMate ® | MARTE | SysML | NIEM ™ | BABOK ® | BIZBOK ® | BMM ™ | CMMN ™ | Code | DataBase | IFML ™ | GML ODM ™ | Schema | SoaML ™ |SOMF ™ | SPEM ™ | UAF | UBL | UPMC | VDML ™ | *More
BY J E N N A SA R G E N T BA R R O N
Se c u r i t y w i l l c o n t i n u e t o c a u s e
headaches in 2023 Not only will companies have to continue dealing with the normal issues like supply c h a i n s e c u r i t y a n d p r e v e n t i n g r a nsomware, which they’ll continue to deal with, but a number of companies see other issues on the horizon for 2023
Supply chain attacks are ones in which the attackers are targeting something within the business that the business depends on In the context of software security, this usually means parts of the development toolchain are being targeted
For example, a major instance of a supply chain vulnerability you might be familiar with is the one in the Apache Log4j library, which is a Java library for logging in applications that is widely used
According to Matthew Appleton, ecommerce manager of candy company Appleton Sweets, supply chains can be really complex and challenging to comprehend, which makes them hard to manage.
“Any entity’s security (and resilience) depends on the security (and resilience) of all of the hardware, software, people, procedures, etc. that it depends on because of the many interdependencies between them Despite the fact that third-party audits, data security agreements, and standards all might be helpful, the issue is extremely complex and is likely to continue,” said Appleton Jeff Williams, co-founder and CTO of Contrast Security, agrees that supply chain security will continue to be an issue
H e n o t e d t h a t t h e r e a r e o n l y a “handful of security researchers” who w o r k o n a n a l y z i n g o p e n s o u r c e libraries He predicts that at least two or three significant zero day disclosures will happen next year
“Attackers will leverage these vulnerabilities not only to steal data, but also to install malware, run ransomware, and mine cryptocurrency,” he said
Impacts of the economy and government regulations
Tech companies haven’t been immune from the economic downturn that the US has been experiencing for the past
several months. A number of companies big and small have laid off large portions of their workforce.
For example, Meta recently laid off 11,000 employees, Amazon is reportedly planning to lay off up to 10,000 corporate employees, Stripe laid off 1,100 employees, and so on
These layoffs have Justin Foxwood, solution engineer at IT services company TBI, predicting that the biggest challenge in 2023 will be keeping up with security measures amidst budget cuts
“Businesses of all sizes are continuing to experience breaches and cyberattacks, so it’s never been more important to have the proper measures in place However, when tougher economic times are on the horizon, it can be easy to cut some security measures that companies may not think are necessary In 2023, we’ll see an increase in all types of cyberattacks from DDoS to Malware, so businesses need to remain vigilant. Cutting security employees will prove to be a costly mistake as companies will need to continue updating software and making any necessary patches as breaches become more complex,” he said.
SD Times January 2023 www sdtimes com 10
Fortunately there will be some pressure on companies to be more secure in order to meet the recent measures set by the White House to improve security.
For example, last year President B i d e n s i g n e d a n e x e c u t i v e o r d e r “Improving the Nation’s Cybersecurity,” which sets strict guidelines on software developed for the federal government It requires software bill of materials (SBOMs), establishes a zero trust strategy, improves remediation capabilities after data breaches, and more
“By the end of 2023, we know that any company building software will have to publicly attest to their software security practices and create SBOMs u n d e r t h e C y b e r s e c u r i t y E x e c u t i v e O r d e r a n d O M B r e g u l a t i o n s , ” s a i d Williams “In 2023, organizations will adopt new technologies to track appsec test results, appsec processes, development of SBOMs, and runtime protection We’ll see folks get much smarter around the management of the information.”
Other priorities for 2023
In addition to the big challenges of reducing supply chain and ransomware
attacks, a number of companies have other priorities for the coming year.
Human Error
Another area companies will need to continue focusing on is training their employees to follow best practices
Security tools can only do so much, and good security training can help reduce the risk of someone accidentally clicking on a phishing email or falling victim to some other sort of social engineering attack
Gilad Zilberman, CEO of ticketing company SeatPick, plans to invest more heavily in security training for its personnel, with a particular emphasis on its IT and security employees In addition, to test the effectiveness of the training, they’ll run breach tests to see how employees respond after the training
“Minimizing human error is one of the best ways to secure your company in 2023, and we will be working full speed to tackle this challenge,” said Zilberman.
Shif t Smart
Contrast Security’s Williams believes companies need to do away with the notion of shifting left Rather, they will need to instead “shift smart ”
“In 2023, more organizations will realize that they need to stop naively shifting everything left without considering where security can be done most accurately and cost-efficiently Shifting smart takes advantage of additional c o n t e x t a v a i l a b l e a s s o f t w a r e g o e s through a development pipeline,” said Williams
According to Williams, not every issue can even be addressed early on in the life cycle There are many issues that will require additional context to deal with and thus they should be dealt with later in the life cycle when that context is available
Remote Work
Though remote work is not new at this point, Evgen Verzun, founder of crypto company Kaizen.Finance, believes it will be a concern in the coming year from a security perspective.
Hackers will become more innova-
tive in their approaches to targeting remote workers. Businesses are also s t r u g g l i n g w i t h e n s u r i n g p r i v a c y a s their teams become more scattered
“ R e m o t e e m p l o y m e n t f r e q u e n t l y results in an increase in ransomware, p h i s h i n g , a n d s o c i a l e n g i n e e r i n g attacks To address attacks related to remote workplaces, businesses must adopt a zero-trust policy, assuming that every device and user is a possible attacker,” he said
Zero Trust
According to Verzun, in zero trust envir o n m e n t s , d a t a a n d r e s o u r c e s a r e unreachable by default Using leastprivilege access, users can only gain access to data under certain conditions
Zero trust is a relatively new practice, but it is gaining traction, and is one of the key points of the executive order on reducing cyberattacks.
“Zero-trust technologies will continue to be deployed across the U.S. government. We should see a rise in the t e s t i n g o f z e r o t r u s t d e f e n s e s a n d r e p o r t s t o C o n g r e s s i n c l u d i n g through hearings about the U.S. government’s increasing cybersecurity effectiveness Congress should push to h o l d t h e U S f e d e r a l g o v e r n m e n t accountable for real progress over the c o m i n g y e a r, ” p r e d i c t e d J o n a t h a n Reiber, vice president of cybersecurity strategy and policy at risk company AttackIQ, and former chief strategy officer for cyber policy in the Office of the U S Secretary of Defense in the Obama administration
Gartner predicts that by 2025, 60% of “organizations will embrace zero trust as a starting point for security ”
Tr a v i s L i n d e m e o n , m a n a g i n g d i r e c t o r o f N e x u s I T G r o u p , a n I T s t a f f i n g c o m p a n y, s a i d : “ T h e Z e r o Tr u s t c l o u d s e c u r i t y a r c h i t e c t u r e i s o n e o f t h e m o s t s i g n i f i c a n t i n n o v a t i o n s i n c l o u d s e c u r i t y i n r e c e n t y e a r s T h i s d e s i g n a s s u m e s t h a t a n a t t a c k h a s a l r e a d y o c c u r r e d i n t h e n e t w o r k . E v e r y o n e h a s c o m p l e t e a c c e s s t o a l l s y s t e m s a n d i n f o r m a t i o n . M a n y p r o bl e m s t h a t p e o p l e a n d b u s i n e s s e s e x p er i e n c e i n t h e p r e s e n t a r e m i t i g a t e d b y z e r o - t r u s t a r c h i t e c t u r e . ” z
www.sdtimes.com January 2023 SD Times 11
to prevent the spread of a d e a d l y v i r u s C O V I D - 1 9 M a n y thought this would be a short, temporary thing
They were wrong
The remainder of 2020 and 2021 were spent trying to figure out how to g e t a n e n t i r e w o r k f o r c e t o w o r k remotely, while still being able to collaborate and innovate Sales of cloud solutions soared Much of the new software companies invested in required training just to get up to speed
But training in the form of in-person conferences ceased to exist, and organizers sought to digitalize the live experience to closely resemble those conferences
Fast forward to 2023 The software and infrastructure organizations have put in place enabled them to continue to work, albeit not necessarily at peak performance. Most companies today have figured out the ‘what’ of remote work, and some have advanced to the ‘how.’
But this move to a digital transformation has provided organizations with tools that can help them work even more efficiently than they could when tethered to an on-premises data center, and are only now just starting to reap the benefits
Thus, the editors of SD Times have determined that 2023 will be “The Year of Continuous Improvement ” It will, though, extend beyond 2023
Bob Walker, technical director at continuous delivery company Octopus Deploy, said, “The way I kind of look at that is that you have a revolution, where everyone's bought all these new t o o l s a n d t h e y ’ r e s t a r t i n g t o i m p l e m e n t e v e r y t h i n g T h e n you have this evolution of, we just adopted this brand new CI tool, or this brand new CD tool, whatever the case may be. And then you have this evolution where you have to learn through it, and everything takes time.”
Development managers, or a team of software engineers, or QA, have to
BY DAV I D R U B I N ST E I N
worry about making sure they’re delivering on goals and OKRs, to ensure the software they deliver has value. So, Walker noted, “it’s a balance between ‘what can we do right now ’ versus ‘what can we do in a few months’ time’? What do we have right now that is ‘good enough’ to get us through the next couple of weeks or the next couple months, and then start looking at how we can make small changes to these other improvements? It can be a massive time investment ”
Show me the metrics
Continuous improvement begins with an understanding of what’s happening in your product and processes There are DevOps and workflow metrics that teams can leverage to find weaknesses or hurdles that slow production or are wasteful time sucks, such as waiting on a pull request
Mik Kersten, who wrote the book “Project to Product” on optimizing flow, holds the view that continuous improvement needs to be driven by data “You need to be able to measure, you need to understand how you ’ re driving business outcomes, or failing to drive business outcomes,” he said. “But it’s not just at the team level, or at the level of the Scrum team,
or the Agile team, but the level of the organization.”
Ye t , l i k e A g i l e d e v e l o p m e n t a n d DevOps adoption, there’s no prescription for success. Some organizations do daily Scrum stand-ups but still deliver software in a “waterfall” fashion. Some will adopt automated testing and note that it’s an improvement. So, this begs t h e q u e s t i o n : I s n ’t i n c r e m e n t a l improvement good? Does it have to be an overarching goal?
Chris Gardner, research analyst at Forrester, said data bears out the need f o r o r g a n i z a t i o n - w i d e i m p r o v e m e n t efforts, so that as they adopt things like automated testing, or value stream management, they can begin to move down the road in a more unified way, as opposed to simply being better at testing, or better at security
“When we ask folks if they’re leveraging DevOps or SRE, or platform methodologies, the numbers are usually pretty high in terms of people saying they’re doing it,” Gardner said “But then we ask them, the second question is, are you doing it across your organization? Is every application being supported this way? And the answer is inevitably no, it’s not scaled out. So I believe that continuous improvement also means scaling out success, and not just having it in pockets.”
r
Ma
c h 1 3 , 2 0 2 0 . F r i d a y t h e 1 3 t h . T h a t ’ s w h e n a l a r g e n u m b e r o f c o m p a n i e s s h u t their offices
SD Times January 2023 www sdtimes com 12
2023: YEAR OF CONTINUOUS IMPROVEMENT
For Gardner, continuous improvement is not just implementing new methodologies, but scaling the ones you have within your organization that are successful, and perhaps scaling down t h e o n e s t h a t a r e n o t . “ N o t e v e r y approach is going to be a winner,” he said.
Eat more lean Agile programming, DevOps and now value stream management are seen as the best-practice approaches to continuous improvement These are based on l e a n m a n u f a c t u r i n g p r i n c i p l e s t h a t advanced organizations use to eliminate process bottlenecks and repetitive tasks
Value stream management, particularly, has become a new driver for continuous improvement
According to Lance Knight, presid e n t a n d C O O o f V S M p l a t f o r m provider ConnectALL, value stream management is a human endeavor performed with a mindset of being more efficient “When you think about the Lean principles that are around value stream management, it’s about looking a t h o w t o r e m o v e n o n - v a l u e - a d d e d activities, maybe automate some of your value-added activities and remove costs and overhead inside your value stream.”
Value stream management, he noted, is a driver of continuous improve-
ment. “You’re continually looking at how you ’ re doing things, you ’ re continually looking at what can be removed to be more efficient,” he said Knight went on to make the point t h a t y o u c a n ’t s i m p l y d e p l o y v a l u e stream management and be done “It’s a human endeavor, people keep looking at it, managing it, facilitating it to remove waste,” he said So, to have a successful implementation, he advised: “Learn lean, implement, map your value stream, understand systems thinking, consistently look for places to improve, either by changing human processes or by using software to automate, to drive that efficiency and create predictability in your software value stream ”
At software tools provider Atlassian, they’re working to move software teams t o m a s t e r y b y o f f e r i n g c o a c h i n g “Coach teams help [IT teams] get feedback about their previous processes and then allow for continuous improvement,” said Suzie Prince, head of product, DevOps, at Atlassian. In Compass, Atlassian’s developer portal that provides a real-time representation of the e n g i n e e r i n g o u t p u t , t h e y ’ v e c r e a t e d CheckOps, which Prince described as akin to a retrospective. “You’re going to look at your components that are in production, and look at the health of them every day And this will give you
a long time. We want to use automation to reduce that as well. All which I think fits in the same set of continuously improving ”
Key to it all is automation
Automation and continuous improvement are inexorably tied together, heard in many conversations SD Times has had with practitioners of the course of the year It is essential to freeing up high-level engineers from having to perform repetitive, mundane tasks as well as adding reliability to work processes
So whether it’s automation for creating and executing test scripts, or for triggering events when a change to a code base is made, or implementing tighter restrictions on data access, automation can make organizations more efficient and their processes more reliable
insights into what that health looks like and allow you again to continuously improve on keeping them to the certain bar that you expect ”
A n o t h e r d r i v e r o f c o n t i n u o u s improvement, she said, is the current economic uncertainty With conditions being as they are, she said, “We know that people will be thinking about waste and efficiency. And so we also will be able to provide insights into things like this continuous flow of work and reducing the waste of where people are waiting for things and the handoffs that are
When starting to use automation, according to John Laffey, product strategy lead at configuration management company Puppet (now a Perforce company), you should first find the things t h a t i n t e r r u p t y o u r d a y. “ I T a n d DevOps staffs tend to be really, really interrupt-driven, when I got out and talk to them,” he said. “I hear anything from 30% to 50% of some people’s time is spent doing things they had no intention of doing when they logged on in the morning That is the stuff you should automate ”
By automating repetitive little things that are easy fixes, that’s going to start freeing up time to be more productive and innovative, Laffey said On the other hand, he said there’s not point in automating things that youre going to do once a month, “I once had a boss that spent days and days writing a script to automate something we did like once a quarter that took 15 minutes.
There’s no return on investment on that. Automate the things that you can do and that others can use. ” z
www.sdtimes.com January 2023 SD Times 13
‘I hear anything from 30% to 50% of some people’s time is spent doing things they had no intention of doing when they logged on in the morning. That is the stuff you should automate. ‘
John Laffey, product strategy lead, Puppet
Introducing “Improve , ” the Continuous Improvement Conference series focusing on how organizations can gain process efficiencies, create secure , higher qualit y software and deploy more frequently and with confidence. Rapid release c ycles, automation and process data give organizations the oppor tunit y to continuously improve how they work and deliver software. This conference series will evaluate how the pieces are put into place to enable continuous improvement . Join us on Februar y 2 2 for the first event in this series : Testing
August 30 DATA October 18 S E C U R I T Y November 15 P R O D U C T I V I T Y TESTING Wed, Feb 2 2 , 2023 9:00 AM - 3 :00 PM (EST ) FREE Online Event REGISTER NOW Upcoming online events in the Improve Conference series : Presented by
Copado launches new DevOps marketplace for plug-and-play integration solutions
BY J E N N A SA R G E N T BA R R O N
The low-code DevOps company Copado is launching a new marketplace to help companies find pre-built solutions from itself, its partners, and the Copado community These solutions can be used to extend the features of Copado’s DevOps platform for Salesforce Companies can benefit from the existing expertise of experts who have already solved DevOps challenges and are now sharing that knowledge.
The DevOps Exchange is launching with over 40 listings, and more will be added. The company hopes that the marketplace will serve as a one-stop shop for customers who are looking to “accelerate their digital transformation
journey
”
The company also explained that solutions within the cloud can help with even the most complex situations, such as end-to-end business processes that span multiple clouds.
“The Copado DevOps Exchange can unlock an organization’s potential to a u t o m a t e a n y t h i n g i n t h e s o f t w a r e
delivery lifecycle The possibilit i e s a r e e n d l e s s , ” s a i d D a v i d Brooks, senior vice president of product strategy at Copado
Simon Whight, platform technical architect for Zen Internet, which uses Copado, added: “The main driver for us to work with Copado was that it allowed us to a c h i e v e m o u s e - c l i c k d e p l o yments If anything requires a command line interface, I prefer it to sync with Copado to keep the technology barrier a c c e s s i b l e a t a n a d m i n l e v e l . Wi t h Copado’s DevOps Exchange, I’m excited to have access to a one-stop shop to find complementary DevOps products that are compatible with the Copado platform.” z
OpsMx announces sof tware and services extensions to Argo
BY JA KU B L E W KOW I C Z
T h e i n t e l l i g e n t c o n t i n u o u s d e l i v e r y solution provider, OpsMx, announced n e w s o f t w a r e m o d u l e s a n d s u p p o r t services for Argo that make it faster, easier, and safer for companies to use Argo in production, according to the company
New automated analysis capabilities can increase the speed and accuracy of complex progressive deployments A unified view and centralized audit of activity across distributed Argo clusters is also now available from a new management dashboard
O n e o f t h e a d d - o n c a p a b i l i t i e s , OpsMx Delivery Intelligence, provides advanced analytics and machine learning capabilities to help teams identify and resolve application issues faster and more efficiently. It helps teams understand the performance of their
applications across multiple environm e n t s , i n c l u d i n g t h e i r p r o d u c t i o n , s t a g i n g , a n d d e v e l o p m e n t e n v i r o nments It also provides teams with detailed insights into the root cause of any issues that may be occurring The c a p a b i l i t i e s a r e d i r e c t l y i n t e g r a t e d with Argo Rollouts as well as existing a p p l i c a t i o n l o g g i n g a n d a p p l i c a t i o n performance management tools
Also, OpsMx Audit and Visibility n o w p r o v i d e s a s i n g l e , c e n t r a l i z e d dashboard, and permanent record of a p p l i c a t i o n d e l i v e r y a c r o s s A r g o instances
Lastly, OpsMx Policy and Govern a n c e i n t e g r a t e s a d v a n c e d d e l i v e r y controls into Argo. The no code integrations connect directly with existing enterprise DevOps toolchains.
“Argo and GitOps are exciting for developers because they make software
delivery so much easier and faster, but these automated releases can be scary for the rest of the organization that is responsible for the uptime, performance, and security of critical applications,” said Gopal Dommety, the CEO and co-founder of OpsMx “Our new software and services insert visibility and control into Argo environments without breaking the developer experience that makes Argo so powerful This is a true game changer for developer productivity ”
The new capabilities come as Argo is becoming a preferred tool for softw a r e d e p l o y m e n t s o n K u b e r n e t e s According to the CNCF in a post, Argo usage has seen an increase of 124% since Argo joined CNCF. However, OpsMx says it can be difficult to fit into e x i s t i n g m a n a g e m e n t , s e c u r i t y, a n d operations practices. z
www.sdtimes.com January 2023 SD Times 15
D E V O P S WATC H D E V O P S WATC H
BY JA KU B L E W KO W I C Z
SD Times January 2023 www sdtimes com 16
The perfect SRE doesn’t exist, but the right one might already be in your organization
There’s been an explosion of interest in SRE over the last 18 months and a lot of this has been from companies that are looking at scaling their DevOps or DevSecOps initiatives to look at the reliability concerns of their customers
Vendors are recognizing this and a lot of general software interfaces (GSIs) and Managed service providers (MSPs) are offering some form of SRE-as-aservice, according to Brent Ellis, senior analyst at Forrester
Since the role emerged at Google in 2003 to build reliable and high-quality services while reducing costs, it has since evolved, according to Narayanan Raghavan, senior director of site reliability engineering at Red Hat
“I think the core SRE function, in many ways, becomes a foundation and then you build on top of it So as the teams that focus on SRE capabilities start to mature, you get into ‘how do I g e t i n t o r o b u s t C I / C D p r a c t i c e s ? ’ ” Raghavan said. “How do I build capabilities for my development teams to onboard quickly and easily because it then makes my life easier as an SRE, it m a k e s t h e d e v e l o p e r s ’ l i v e s e a s i e r because they don’t have to worry about things like observability, logging, metrics, alerting They don’t need to think about disaster recovery, incident management, or incident rehearsals ”
For SRE to work in an organization, other teams also need to be receptive to the input that SREs offer and the level of role and this responsiveness differs based on the maturity of the organization This level of engagement can be divided into three different buckets, according to Raghavan
One is that toil for SREs should become tech debt for development almost immediately so as to avoid a separate quote prioritization process
The second is that when developers actually start to architect a component that’s completely new, they need to pull in the SREs and engage with SREs up front, according to Raghavan. This is so the SREs can participate and think about how to scale that particular component. In mature organizations, this becomes an important bucket in which
developers start to engage out of their own volition instead of being told that they have to do something.
Then, the third bucket is that as the SRE practice matures and is creating the building blocks that matter to all teams (observability, logging, metrics, and alerting) it’s also engaging development teams up front
“That becomes important because it’s the development teams that are then adopting those self- service capabilities that SREs are putting out,”
Raghavan said
SREs can also lead things like blameless post-mortems in which they’ll look to get to the bottom of what caused the problem They won’t blame any person, but will look at the processes or the technology that enabled that to take place, according to Daniel Betts, senior director analyst at Gartner
“If you want to get full value from your SRE, try not to use them as a developer resource, ” Betts said. “They should be more of like a reliability focused engineer who’s looking at the overall picture of what’s going on across the product or service that you have.”
SREs often come in at the beginning
of the product life cycle and work to help the product team or the platform engineering teams build a product that is very reliable and robust, that meets the customers’ needs, he added From there, they can perform tasks across the whole development life cycle
“They can be involved throughout the life cycle to the point where the actual product is highly automated and incredibly reliable It’s now running that product quite maturely and it has very effective automation, monitoring, and observability in place,” Betts said “The SRE may actually just be keeping an eye on or looking after that product from a standpoint of the dashboards or monitoring tools or observability tools to see if it’s doing what we expect it to do It doesn’t need that much attention anymore They can now focus on other solutions to help with the automation and improvement of those.”
Unleash the SRE from within
With potential hiring freezes and budget cuts looming, organizations often try to look for to-be SREs already within their company.
Gear up your SRE
Here are some of the tools to help gear the SRE up for battle as provided by Forrester’s report “Role Profile: Site Reliability Engineer”:
n Automation: SREs will need to use scripting, code, or orchestration tools to manage a system or environment. This can include tools like Ansible, CircleCI, GitLab, Jenkins, and Google Cloud Build.
n App modernization: This can be used to migrate legacy applications to newer ones through revising the code base or rewriting the code using Docker, Git, Google Cloud Run, Kubernetes, and more.
n Chaos engineering: SREs can use this method to find faults in a system by injecting specific faults in a testing or production environment using Chaos Machine, Chaos Mesh, Chaos Monkey, Chaos Toolkit, and more.
n Networking: This is all about Analyzing the communication process among various computing devices or computer systems using Nagios, Netdata, SolarWinds, Terraform, and more
n Observability: SREs need to manage observability to monitor and generate insights about a platform, site, or environment under management using DataDog, Dynatrace, Google Error Reporting, New Relic, and a host of others
n Security: SREs also take part in safeguarding an environment through strategies, policies, processes, and technology at every part of the life cycle using tools like Chef InSpec, Google Cloud Audit Logs, Sysdig, and Virus Total z
17
www.sdtimes.com January 2023 SD Times
continued on page 18 >
Platform engineering vs. SRE
Although the roles of the SRE and site platform engineer share some similarities and are at times conflated, they’re still distinct.
Platform engineers are responsible for designing, developing and maintaining the underlying platform that the application runs on including the infrastructure, operating systems, databases and other components that enable the application to function. SREs, on the other hand, focus on the reliability, scalability and performance of the application itself.
“The self-serviceability aspect comes under the realm of a platform engineering team that is trying to provide self-service capabilities for product teams to consume,” said Daniel Betts, senior director analyst at Gartner. “SRE is going to be involved in looking at some of the tools that are used to help with that, but their focus is very much on removal of repeatable manual tasks that could potentially go wrong.”
However, SREs can be placed within platform engineering teams to help with some of the tasks.
“As the SRE teams mature, they get into the platform side of the business where they’re actually calling out gaps in the selfservice capabilities so the development teams and the product teams can fix it and benefit from it,” said Narayanan Raghavan, senior director of site reliability engineering at Red Hat.
While in large organizations, there’s a division between the two roles, the more resourceconstrained ones might have the same person performing both roles, according to Brent Ellis, senior analyst at Forrester. z
“The perfect SRE is a myth. That perfect SRE would get bored a month, two months down the road, they’d say ‘been there, done that, give me something else, give me something new, I want to learn something different ’ So I am generally looking for people with potential,” Red Hat’s Raghavan said “And when I say potential, these are people that are, in some cases, traditional software engineers ”
T h e s e s o f t w a r e e n g i n e e r s w o u l d already have a systems mindset with which they can think about systems at scale and approach problems that way A good pool of potential SREs can also exist with systems engineers that can understand software engineering principles
“So I am from a hiring practice perspective looking for people that fall in that bucket specifically, because then I know that I can invest in them. And as I invest in them, and as they learn the space, they invest back into the company and back in the team,” Raghavan said. “So I am not looking for a perfect fit. I’m in fact, looking for people who
are, in many ways eager to learn, can understand technology and understand how to pick up different spaces quickly.”
It’s also important to assign new SREs to a production process early on and to have a mentor guide them
Gartner’s Betts sees that some organizations that want to start an SRE practice just wind up rebranding an existing I T operations team or person in that role which is the wrong approach
“An SRE is giving value not just by focusing on things like incident problems, operational improvements, monitoring, and being able to have better insights,” Betts said “It’s also looking at how we can take some of that softw a r e e n g i n e e r i n g o r e n g i n e e r i n g mindsets to the world of infrastructure operations and look at how we can have reusable modules, efficient infrastructure delivery, efficient response to incidents, and being able to scale capacity.”
In their day to day work, SREs are often embedded into a product team like a development product team where they’ll act as a reliability consultant to inform the team of expectations around
reliability in the organization, help to look for some of the toil, and will look to automate some of those practices as part of the backlog in that product team, according to Betts
“In the early maturity stages, having a c o m p l e t e l y d e c e n t r a l i z e d m o d e l makes a lot of sense, because you ’ re a lot more nimble and agile But as the product matures, having a more central function to think about reliability at scale becomes important,” Red Hat’s Raghavan continued
SRE…the social butterfly?
One skill set that often goes overlooked for this role is soft skills, which should instead be called ‘critical skills’, according to Gartner’s Betts
SREs need to be great communicators because part of the job function is to communicate effectively, both in terms of data that they see with service level objectives (SLOs), budgets, and other things. They also need to show that they can empathize with customers and talk about specific things that are impacting customers’ experience. The SREs are often the ones interacting with customers, partners, development teams, product managers, and more
“So if you ’ re talking to maybe a product owner or a strategy person, you take it to a higher level, you ’ re talking to someone that’s in the team, as an engineer or a developer, you need to get maybe down into the depths and talk a little bit more detail with them,” Betts said
R e d H a t ’ s R a g h a v a n a d d e d t h a t these soft skills are even more important for an SRE than the technical skills This is because technical skills are trainable, but it’s often much harder to find people with both soft skills and technical skills
“That mindset and the ability to articulate that is absolutely vital for a r e l i a b i l i t y e n g i n e e r i n g f u n c t i o n , because then we start to look at if something really matters to the customer, you should probably be looking at the specific causes that matter and therefore the symptoms that show up to the customer and what it is that we need to get alerted on, ” Raghavan said. z
18
SD Times January 2023 www.sdtimes.com <
continued from page 17
WebAssembly finds second home in the cloud
Play-Doh may be a favorite toy from your past, but its creators never set out with the goal of making a toy It was originally marketed as a tool for cleaning your wallpaper before it found its way into the toy aisle
Many other inventions started off aiming to solve one problem only to find themselves becoming known for a n entirely different use case And WebAssembly, or wasm, may be on a similar path
WebAssembly is a bytecode format that code can compile to and it enables different programming languages to run in the browser, explained Liam Randall, CEO of Cosmonic, which is a WebAssembly PaaS.
“WebAssembly has huge implications for the web platform it provides a way to run code written in multiple languages on the web at near native speed, with client apps running on the web that previously couldn’t have done so, ” the Mozilla WebAssembly documentation states
Beyond the browser, people have been using it with great success in the cloud, containers, and the edge WebAssembly is polyglot, portable, and interoperable Because of these capabilities, developers can pick and choose from applications written in a variety of languages
“Just like an electrical outlet, which enables you to turn on a light without knowing where the power comes from, contracts will deliver what they say they’ll deliver Look for GitHub to be used to distribute libraries as WebAssembly LEGO, where developers select contracts to pull and maintain large pieces of code that can run in any cloud, and any edge environment,” said Randall
This LEGO concept works also to enable contributions from users. For example, there are many places where someone might want to add something to an existing application as a plugin. A company like Shopify or a game like
BY J E N N A SA R G E N T BA R R O N
Microsoft Flight Simulator might want to allow users to submit code to customize their experience According to Randall, this is exactly what people are doing with WebAssembly
Randall believes that in cloud environments WebAssembly can be really powerful because most of today’s business logic is on the server side, running in public clouds and in data centers
“The ability for us to put applications that run or to create applications that can seamlessly run anywhere across that spectrum, is really powerful,” Randall explained.
Adobe’s WebAssembly success story
For example, Adobe Photoshop’s codebase was started in the ’80s, but it was able to be recompiled to run right in the web browser using WebAssembly
“As Wasm has standardized with features such as threads, and developer tooling for Wasm has improved, we have continued this journey to the web, culminating in our new web-based Photoshop experience Wasm allows us to keep the same core C++ code base compiled to the desktop, mobile and browser,” Sean Isom, engineering manager at Adobe, and Colin Murphy, senior engineer at Adobe, wrote in a blog post
Isom was on a mission to improve the efficiency and performance of the company ’ s infrastructure, while lowering costs The company runs 90% of its containers in Kubernetes, and recently he shared details about how they were a b l e t o c o m b i n e K u b e r n e t e s w i t h WebAssembly.
Some of the use cases Adobe has a c h i e v e d i n c l u d e s r u n n i n g e x i s t i n g functions in wasmCloud and running wasmCloud as a service in Kubernetes clusters.
WasmCloud is an open-source project for building distributed applications using WebAssembly that is currently housed under the Cloud Native Computing Foundation as a sandbox project The project was a big focus at this y e a r ’ s K u b e C o n N A , w h e r e C l o u d Native Wasm Day took place to offer up sessions on using WebAssembly in cloud-native use cases
“I love WebAssembly,” Isom told SD Times in an interview “It’s been a large lift and shift initially to get stuff working in this, but I have been working on developer experience tooling for years now And I’ve seen us come so far in the past year, even just in the last few months, it’s becoming easier and easier. And I’m really excited to get this over the hump where it’s going to be a really repeatable thing that lots and lots and lots of the services that the teams can use in the coming years. ”
WebAssembly causing quite the disruption in the ecosystem
Randall said that it is on the app platf o r m s i d e w h e r e We b A s s e m b l y i s “poised to make the biggest disruption” because it is so small and fast Containers, even highly optimized ones, can take a few seconds to start up, while WebAssembly offers applications a cold start time of less than a millisecond
“When we think about how logically containers really powered this great lift and shift into the cloud, but WebAssembly is poised to enable the buildout of complex capabilities across the distributed ecosystem of today,” Randall said
In fact, in 2019 when the WebAssembly system interface WASI was announced, Docker creator Solomon Hykes tweeted: “If WASM+WASI existed in 2008, we wouldn’t have needed to have created Docker. That’s how important it is. WebAssembly on the server is the future of computing.” z
www.sdtimes.com January 2023 SD Times 19
Value stream management provides predictability in unpredictable times
SD Times Market Forecast
20
BY J E N N A SA R G E N T BA R R O N
In 2019, most business leaders probably wouldn’t have predicted the changes that would be coming their way in early 2020 thanks to a global pandemic If they had, perhaps they would have been able to make decisions more proactively and wouldn’t have had to scramble to convert their workforce to remote, digitize all their experiences, and deal with an economic downturn
Now, the country is in another period of uncertainty You’ve read the headlines all year: The Great Resignation, layoffs, a possible recession, Elon Musk’s takeover of Twitter shaking up marketing spending, introductions of things like GitHub Copilot and ChatGPT having workers worrying about their future job security, and more The list could go on and on, but one thing that would help people through these times is knowing they’ll make it out okay on the other end.
Unfortunately that level of predictability isn’t always possible in the real world, but in the business world, value stream management can help you with it.
A c c o r d i n g t o L a n c e K n i g h t , p r e s i d e n t a n d C O O o f
ConnectALL, the information you can get from value stream management can help you with predictability. This includes things like understanding how information flows and how you get work done
“You can’t really be predictable until you understand how things are getting done,” said Knight
He also claimed that predictability is a more important outcome of value stream management than the actual delivery of value, simply because of the fact that “ you can’t deliver value unless you have a predictable system ”
Derek Holt, general manager of Intelligent DevOps at Digital.ai, agreed, adding “If we can democratize the data internally, we can not only get a better view, but we can start to use things like machine learning to predict the future Like, how do we not just show flow metrics, but how do we find areas for flow acceleration? Not just what are our quality metrics, but how do we drive quality improvement? A big one we ’ re seeing right now is predicting risk and changing risk How do you predict that before it happens?”
Knight also said that a value stream is only as effective as the information that you feed into it, so you really need to amplify feedback loops, remove non-value-added activities and add automation. Then once your value stream is optimized, you can realize the benefit of predictability.
If you ’ ve already been working with value streams for a while then it may be time to make sure all those pieces are run-
SD Times Market Forecast 21
continued on page 22 >
ning smoothly and look for areas where there is waste that can be removed Knight also explained the importance of embracing the “holistic part” in value stream management What he means by this is not just thinking about metrics, but thinking about how yo can train people to understand Lea principles so that they can understan how the way they develop software w meet their digital transformation need
Challenges companies face
Of course, all that is easier said than done There are still challenges that companies face after adopting value stream management to actually get to the maturity level where they gain that predictability
One issue is that there is confusion in the market caused by vendors about what value stream management actually is. “Some people think value stream management is the automation of your DevOps pipeline. Some people think value stream management is the metrics that I get. And there’s confusion between value management and value continued on page 25 >
What sets successful value stream management practices apart
1. Use of AI/ML to predict end dates. According to Condo, development teams with access to predictive capabilities are able to use them to create timelines that are more likely to be met He noted that the successful teams don’t replace estimates produced by people on their team, but rather augment those estimates with machine estimation.
2. Bottleneck analysis. Teams can use value stream management to discover what the real cause of their bottlenecks is “When it comes to VSM, too many clients put the cart before the horse, thinking that they need a high-performing DevOps culture and tool chain to effectively use VSM. None of this could be further from the truth,” said Condo.
3. Strong metrics and KPIs. Development leaders want these metrics if they are going to be putting money into value stream management, so look for vendors that can provide excellent metrics z
SD Times Market Forecast
22 < continued from page 21
An interview with Lance Knight, president and COO of ConnectALL
Chris Condo, principal analyst at Forrester, last month wrote a blog post where he laid out the three qualities that set successful value stream management practitioners apart.
stream management,” said Knight.
Knight wants us to remember that value stream management isn’t anything new; It can trace its origins back to Lean Manufacturing created by Toyota in the 1950s in Japan
And ultimately, value is just the delivery of goods and services Putting any other definition on it is just the i n d u s t r y b e i n g c o n f u s e d , K n i g h t believes
“So people who are trying to implement value streams are getting mixed messages, and that’s the number one challenge with value stream management,” said Knight
D i g i t a l a i ’ s H o l t e x p l a i n e d t h a t another challenge, especially for those just getting started, is getting overwhelmed
“Don’t be paralyzed by how big it seems, ” said Holt. He recommends c o m p a n i e s h a v e e a r l y c o n v e r s a t i o n s a c k n o w l e d g i n g t h a t t h e y m i g h t g e t things wrong, and just get started.
Where has value stream been? Where is it headed? In our last Buyer’s Guide on value
K EY TA K E AWAYS
development efforts or outcome-based development efforts,” said Holt.
Holt also noted that in Digital ai’s recently published 16th annual State of Agile report, around 40% of respond e n t s h a d a d o p t e d o n e o f t h e s e approaches, and that was significantly up from the previous year
He went on to explain that companies investing in value stream management want to be sure that their investments are actually paying off, especially in the current economic climate
stream management, the theme was that it aligns business and IT Holt has seen in the past year that c o m p a n i e s a r e a d o p t i n g m e n t a l i t i e s that are less about that alignment Now the focus is that software is the business and the business is software
In this new mentality, metrics have become crucial, so it’s important to have a value stream management system in place that actually enables you to track certain metrics.
“ T h i n g s l i k e O K R s c o n t i n u e d t o kind of explode as a simple means to drive better outcome-based alignment … simple KPIs around objective-based
He also said value streams can help organizations make small, evolutionary improvements, rather than one big revolution
“ Va l u e s t r e a m m a n a g e m e n t i s b u i l d i n g o n s o m e o f t h e c o r e t r a n s f o rm a t i o n s t h a t h a p p e n e d b e f o r e , ” s a i d H o l t “ Wi i t h o u t t h e A g i l e t r a n s f o r m at i o n , t h e r e w o u l d h a v e b e e n n o D e v O p s , a n d w i t h o u t A g i l e a n d D e v O p s , t h e r e p r o b a b l y w o u l d n ’t b e a n a b i l i t y t o t a l k a b o u t v a l u e s t r e a m m a n a g e m e n t . ”
So value stream management will continue to build on the successes of the past, while also layering in new trends like low code, explained Holt. z
25
< continued from page 22
SD Times Market Forecast
An interview with Derek Holt, general manager of Intelligent DevOps at Digital.ai
1. Predictability is the key outcome for value stream management
2. Value stream management is a continuous process of improvement
3. Metrics are key to prove that value stream management is adding value
Michael Schmid is co-founder and CTO at amazee io, a Mirantis company
Guest View
B Y M I C H A E L S C H M I D
Developers shouldn’t have to learn K8s
There’s no way around it: Kubernetes is a game-changer for today’s businesses, and everyone wants their IT teams to use it Kubernetes has changed the way we ’ re able to operate and run applications But unfortunately, the tasks related to Kubernetes have made developers’ daily lives and work slightly nightmarish
My good friend Karla was once a front-end developer who loved what she did Her boss asked her to learn Kubernetes and even sent her to a dedicated program to do so She was excited to learn such a cool new skill, and she attended day one of the program hopeful and optimistic
Today, Karla works as a realtor Six months after trying to learn Kubernetes, she decided to quit being a developer entirely. She felt that this wasn’t what she signed up for, and she lost all joy in the profession of developer. She wanted to create applications, sites, and code, and i n s t e a d w a s h a s s l i n g w i t h I P addresses, networking, and storage. But the latter is what she ended up doing It took its toll
Six months after trying to learn Kubernetes, she decided to quit being a developer entirely.
This is the future we face if we continue to ask developers to learn Kubernetes, or anything that isn’t their job
Developers shouldn’t bear the burden of learning and doing Kubernetes, because it’s not their job to do so It’s another beast entirely
The truth is, this situation isn’t new Developers have always felt this burden to be more than they are when being a developer itself should be “good enough ” Most developers I know push themselves to try and be the rare “full stack” developer who can do front end, back end, data engineering, storage, security, and more
Why?
It all began with the dream of DevOps, which was born in the hopes that combining two critical functions development and operations could skyrocket productivity for tech teams When development and operations were siloed, independent from each other, madness ensued, and nothing got done.
So, naturally, pushing them together seemed like the most logical explanation. But eventually, more and more started to be asked of developers.
What about Kubernetes?
This leads me into why developers shouldn’t have to learn, know, practice, or work with Kubernetes It’s not their area of expertise
Everybody wants developers; they’re a hot commodity But then, once they’re hired, many developers will be told something like this: “Welcome to our team, we ’ re doing DevOps H e r e ’ s y o u r AW S a c c o u n t , n o w c r e a t e s o m e K u b e r n e t e s c l u s t e r s a n d d e p l o y a p p l i c a t i o n s ” Assumptions are being made that might be inaccurate even damaging
This isn’t commonly seen in other professions, but for developers, leaders just keep adding to an already tall order. To give you a few examples: A race car driver has a whole team of mechanics to work on the car. A chef works with a butcher to buy meat from, they also don’t hunt their own deer. Baristas don’t pick coffee beans.
Being a developer is already hard…
Development becomes more complex every year. As technology evolves every year, more and more complexities build up Developers are asked to know more languages, have more technical skills, and to gain familiarity with a plethora of new systems all the time Most developers are already drinking from the firehose, but when you add operations, infrastructure, and desired Kubernetes skills on top of that, it may as well be the ocean They’re fighting a losing battle that will likely end in burnout
The best solution to a problem like this is to balance teams with critical skills, not assume that preexisting employees can take on new learning burdens like Kubernetes
B u t y o u a l s o d o n ’t w a n t a m a s s i v e t e a m , a n d r e s e a r c h s h o w s t h a t s m a l l e r t e a m s p e r f o r m b e tt e r To k e e p t e a m s s m a l l b u t a l s o a d d n e w l a y e r s o f s k i l l , m y s t r o n g e s t e n c o u r a g e m e n t f o r t e a m s w o u l d b e t o l o o k i n t o p l a t f o r m e n g i n e e r i n g A d d i n g p l a t f o r m s o r s t r a t e g i c t o o l i n g t o t e a m s c a n h e l p i n f u s e t h e m w i t h t h e m i s s i n g ( y e t n e c e ss a r y ) s k i l l s t h e y n e e d t o s u c c e e d , w h i l e a t t h e s a m e t i m e k e e p i n g t h e c o r e t e a m s m a l l a n d f u n ct i o n a l .
Developers CAN learn Kubernetes if they want to. But if they don’t want to, that’s okay too. z
26
SD Times January 2023 www.sdtimes.com
Analyst
ARM puts its future at risk
Alot of us have been looking at ARM more closely since litigation with Qualcomm started To refresh you on that situation, that litigation appears to be an effort to get Qualcomm to pay significantly more for licenses for PCs than it does for smartphones, even though the PC effort has yet to be successful That effort likely won’t be successful until 2024 but only if Qualcomm invests a massive amount of cash – which, if ARM’s litigation is successful, Qualcomm wouldn’t have The litigation is not only counter to the contract between Qualcomm and ARM, it places a cloud over ARM, and it appears to be increasing a migration of developers from ARM to RISC-V To me, it reads like extortion, but at best it is premature because the product ARM is attempting to get more money for doesn’t exist in market yet, so, getting a higher percentage of nothing is still nothing.
So why is ARM so hard-up for cash that it’s willing to put its future at risk in what looks like an effort to get Qualcomm to pay it more while putting QUALCOMM’s PC effort at greater risk of failure and clearly increasing the motivation to move to RISC-V (with Apple apparently hedging back in 2021)?
Let’s explore this
ARM needs cash. Why?
The legal dust-up caused the industry to look at why ARM needs this cash, and we initially determined it was likely because the NVIDIA acquisition fell through That acquisition would have provided SoftBank, which owns ARM, with cash and given ARM access to NVIDIA’s huge R&D war chest But that effort failed, partially due to Qualcomm, but also partially because governments, particularly the U S government, doesn’t want big tech to get bigger (it is really hard to do mergers right now; ask Microsoft which just got sued to block it from doing one that gaming platforms have been doing without problems for decades)
Two things have subsequently been discovered One is that SoftBank’s boss owes the company a whopping $4.7B and, most recently, the company is the focus of a probe by the U.S. Securities and Exchange Commission for misleading investors, an investigation that puts the firm at additional financial risk. This probe will make it nearly impossible for
SoftBank to do an IPO until the problem is resolved, and finally, SoftBank had to write down a $100M investment in FTX (which is under bankruptcy protection and also under investigation) Finally, the head of SoftBank has been aggressively using SoftBank funds to buy out investors in order to take over full and absolute control of the company in order to potentially take the company private (estimated cost is $50B or around twice the massive cost of the Dell buyout that nearly failed) but also significantly reducing the firm’s cash reserves in the process
This all means there is little free cash to invest in things like ARM market development or R&D This showcases a risk to SoftBank and ARM that is extreme, but there’s a chance that a Qualcomm-led consortium that took ARM from SoftBank and potentially better funded ARM might fix the problem. Still, it would be wise to hedge with RISC-V development for when Apple, which is likely to fight this consortium approach, and others d e c i d e t o a b a n d o n A R M ’ s l i c e n s i n g f o r R I S C - V ’ s m o r e favorable approach
Recommendation:
I think this all means that while moving from ARM to RISC-V may be premature, it wouldn’t be premature to begin developing RISC-V skills, particularly if you are developing on Apple products Even if the Qualcomm Consortium approach works, Apple is likely to move to RISC-V in the next two to five years But given the SEC investigation on SoftBank and the discoveries so far, it is likely there is other dirty laundry yet to be discovered that could put both the IPO and the acquisition at greater risk as well as other questionable executive financial decisions (the investment in FTX is troubling, as is the stock buyback plan which appears to benefit the head of SoftBank more than it does SoftBank)
And even if ARM pulls out of this mess, the momentum to the better RISC-V model may be unstoppable at this point, further justifying developing RISC-V skills because the market may have already gone too far to stop its pivot. In short, ARM is increasingly looking like the damage done by SoftBank may be unrecoverable, making a hedge on, or move to, RISC-V the safer choice. z
27
View B Y R O B E N D E R L E
www.sdtimes.com January 2023 SD Times
While moving from ARM to RISC-V may be premature, it wouldn’t be premature to begin developing RISC-V skills.
Rob Enderle is a principal analyst at the Enderle Group
SD Times offers in-depth features on the newest technologies, practices, and innovations affecting enterprise developers today Containers, Microservices, DevOps, IoT, Artificial Intelligence, Machine Learning, Big Data and more. Find the latest news from software providers, industry consortia, open source projects and research institutions Subscribe TODAY to keep up with everything happening in the ever-changing world of software development! Available in two formats print or digital. Discovery. Insight. Understanding. SD Times subscriptions are FREE! Sign up for FREE today at www.sdtimes.com.