SD Times May 2023

MAY 2023 • VOL. 2, ISSUE 71 • $9.95 • www.sdtimes.com

EDITORIAL

EDITOR-IN-CHIEF: David Rubinstein, drubinstein@d2emerge.com
NEWS EDITOR: Jenna Sargent Barron, jsargent@d2emerge.com
MULTIMEDIA EDITOR: Jakub Lewkowicz, jlewkowicz@d2emerge.com
SOCIAL MEDIA AND ONLINE EDITOR: Katie Dee, kdee@d2emerge.com
ART DIRECTOR: Mara Leonardi, mleonardi@d2emerge.com
CONTRIBUTING WRITERS: Vadym Novakovskyi
CONTRIBUTING ANALYSTS: Enderle Group, Gartner, Intellyx

CUSTOMER SERVICE

SUBSCRIPTIONS: subscriptions@d2emerge.com
ADVERTISING TRAFFIC: Mara Leonardi, mleonardi@d2emerge.com
LIST SERVICES: Jessica Carroll, jcarroll@d2emerge.com
REPRINTS: reprints@d2emerge.com
ACCOUNTING: accounting@d2emerge.com

ADVERTISING SALES

PUBLISHER: David Lyman, 978-465-2351, dlyman@d2emerge.com
MARKETING AND DIGITAL MEDIA SPECIALIST: Andrew Rockefeller, arockefeller@d2emerge.com

PRESIDENT & CEO: David Lyman
CHIEF OPERATING OFFICER: David Rubinstein

D2 EMERGE LLC
www.d2emerge.com

Contents
VOLUME 2, ISSUE 71 • MAY 2023

NEWS
News Watch
How the RESTRICT Act could impact the software ecosystem
CloudBees announces integration with Argo Rollouts to improve Kubernetes deployments
GitLab announces new AI-powered capabilities

FEATURES
Tools are now critical to implementing Agile successfully
Are CI/CD pipelines bursting at the seams?
The cloud testing revolution

MARKET FORECAST

COLUMNS
GUEST VIEW by Nancy Kastl: Test automation goes codeless
ANALYST VIEW by Jason English: Patch the cloud native development talent gap with platform engineering

Software Development Times (ISSN 1528-1965) is published 12 times per year by D2 Emerge LLC, 2 Roberts Lane, Newburyport, MA 01950. Periodicals postage paid at Newburyport, MA, and additional offices. SD Times is a registered trademark of D2 Emerge LLC. All contents © 2023 D2 Emerge LLC. All rights reserved. The price of a one-year subscription is US$179 for subscribers in the U.S., $189 in Canada, $229 elsewhere. POSTMASTER: Send address changes to SD Times, 2 Roberts Lane, Newburyport, MA 01950. SD Times subscriber services may be reached at subscriptions@d2emerge.com.

Google expands Bard development capabilities

Bard is Google’s conversational artificial intelligence chatbot. It now has the ability to help users with programming and software development tasks such as code generation, code debugging, and code explanation.

These features have been launched in over 20 different programming languages, including C++, Go, Java, JavaScript, Python, and TypeScript. Users can also export Python code to Google Colab without needing to copy and paste.

Bard can also now help write functions for Google Sheets and help explain code snippets for the customer. This update also enables Bard to help with the debugging of code, even code that Bard wrote itself.

According to Google, if the user receives an error message, they can inform Bard that “this code didn’t work, please fix it,” and the tool will help debug.

In some instances, the tool can also help improve code by making it quicker or more efficient. Users can make this happen by responding to Bard’s initial output with “could you please make that code faster?” or “find error handling causes you might have missed.”

Android 14 Beta 1 shows new back arrow for gesture navigation

The Android development team at Google is ready with the first beta version of Android 14. Beta 1 is available for developers enrolled in the Android Beta program.

In this release, developers can expect updates to the system UI, additional graphics capabilities, and privacy and security features.

The UI has been updated with a more prominent back arrow when using gestures to navigate and the ability to add custom actions to system sharesheets.

One of the graphics updates is that you can now query the path API to discover what is inside of paths. The API was also updated so that you can interpolate between paths with matching structures.

This release also adds the accessibilityDataSensitive attribute, which allows apps to limit visibility of specified views to accessibility services. According to the team, this attribute can be used to protect user data and prevent critical actions from being unintentionally executed, such as transferring money or checking out in a shopping app.

Even though this is just the first beta of many, the Android team recommends developers begin testing their apps for compatibility with Android 14.

Slack’s new platform makes it easier for developers to build and distribute

Slack has launched its next-generation platform with new features and capabilities to make it easier for developers to build and distribute apps on the Slack platform.

The platform includes modular architecture grounded in building blocks like functions, triggers, and workflows. They’re remixable, reusable, and hook into everything flowing in and out of Slack.

It also includes new tools such as the Slack CLI and TypeScript SDK that simplify and clarify the most tedious parts of building on top of Slack. Developers can easily share what they built anywhere in Slack. With a link trigger, the workflow becomes portable and can be shared in a message, added in bookmarks, put in a canvas, and more.

Lastly, developers now have access to secure deployment, data storage, and authentication powered by Slack-managed serverless infrastructure. And a fast, Deno-based TypeScript runtime keeps you focused on your code and your users.

Overall, the next-gen platform aims to provide a more seamless and streamlined experience for both developers and Slack users.

Atlassian Intelligence provides developers a virtual teammate

Atlassian released a new AI tool, Atlassian Intelligence, designed to understand how teams work and to help accelerate software delivery.

The company has mined 20 years of data on how software, operations and business teams plan, track and deliver work to give Atlassian Intelligence a “unique understanding of teamwork,” according to a company blog announcing the new tool. It is that understanding upon which a teamwork graph is built around both service-based work and project-based work.

Atlassian Intelligence is a part of the Atlassian platform, and on the service side of things, integrates with Jira Service Management to help users resolve issues more quickly, by using large language models to gain context about and intent of each request. An acquisition last year of Percept.ai, along with a partnership with OpenAI, has helped Atlassian power up its virtual agents with greater understanding by combining the company’s internal models with OpenAI models.

On the project side, Atlassian Intelligence can help resolve issues across all Jira Cloud products, such as requesting to see which mobile features are blocking an upcoming launch, by translating a natural language query to Jira Query Language. The results of that query, pulled from Atlassian and third-party tools, can be visualized and analyzed by the newly GA Atlassian Analytics BI reporting tool to provide insights into the progress of work.

Version 1.0 of SLSA provides specifications for security

The Open Source Security Foundation (OpenSSF) has announced the release of the first version of its supply chain security language, Supply-chain Levels for Software Artifacts (SLSA). The project provides specifications for software supply chain that have been established by community consensus.

SLSA’s framework is split into several different levels that describe increasing security severity so users can feel confident that software has not been tampered with and can be traced back to its source.

“The OpenSSF is working hard to put more rigor into the software development process,” said Brian Behlendorf, general manager of the OpenSSF. “The stable release of SLSA v1.0 is an important milestone in improving software supply chain security and providing organizations with the tools they need to protect their software.”

Node.js 20 released with new experimental permission model

The new permission model was designed to provide better security. It allows developers to restrict access to certain resources during program execution. This can include restricting access to the file system and spawn process and restricting the ability to create worker threads.

According to the feature roadmap, upcoming additions to the permission model will include adoption on package managers, support for path.resolve in C++, support for kFileSystem as a THROW_IF_INSUFFICIENT_PERMISSIONS argument, and the ability to read permissions from a configuration file.

Another big change in this release is that the V8 engine has been updated to version 11.3, which brings with it five new features: String.prototype.isWellFormed and toWellFormed, methods that change Array and TypedArray, resizable ArrayBuffer and growable SharedArrayBuffer, RegExp v flag with set notation and properties of strings, and WebAssembly Tail Call.

Amazon CodeWhisperer brings AI-assisted development to AWS

CodeWhisperer uses AI-generated suggestions to help developers maintain their focus and stay productive by allowing them to write code quickly and securely without disrupting their workflow by leaving their IDE to look up information.

The tool is especially useful for creating code for routine and time-consuming tasks, and working with unfamiliar APIs or SDKs. It makes correct and effective use of AWS APIs and common coding scenarios such as reading and writing files, image processing, writing unit tests, and more.

“Helping to keep developers in their flow is increasingly important as, facing increasing time pressure to get their work done, developers are often forced to break that flow to turn to an internet search, sites such as StackOverflow, or their colleagues for help in completing tasks,” said Steve Roberts, a senior developer advocate focused on .NET and PowerShell development on AWS. “Instead, CodeWhisperer meets developers where they are most productive, providing recommendations in real time as they write code or comments in their IDE.”

On the security front, CodeWhisperer filters out code suggestions that might be considered biased or unfair, and it can filter or flag code suggestions that may resemble particular open-source training data. The AI companion includes security scanning for finding and suggesting remediations for hard-to-find vulnerabilities.

It can be used with Python, Java, JavaScript, TypeScript, C#, Go, Rust, PHP, Ruby, Kotlin, C, C++, Shell scripting, SQL, and Scala.

Syncfusion Essential Studio 2023 V.1 adds 3 .NET MAUI controls

According to the company, the main highlights in this release are new controls for .NET MAUI, promotion of 10 MAUI components to production status, improvements to the PDF Viewer, and more accessibility features in the PDF Library.

The new controls in .NET MAUI include the input control, Masked Entry; the alert control, Popup; and loading indicator, Shimmer.

Ones that are now production-ready include Funnel Charts, Pyramid Charts, Maps, Backdrop, Text Input Layout, Calendar, Autocomplete, ComboBox, DataForm, and Rating.

“We are kicking off our first major release of the year with a generous batch of updates for the cross-platform .NET MAUI framework,” said Daniel Jebaraj, CEO of Syncfusion. “We want mobile developers to have a healthy variety of production-ready tools they can use across every platform they can target.”

PDF Viewer improvements span text search, document link and hyperlink navigation, RTL support through the UI, and localization.

There are also new Cartesian chart types supported, such as range column, bubble, stacked column, and waterfall, which are useful for developers working in data visualization.

Accessibility improvements to PDF Library include the ability to extract PDF tags from a tagged document, which is useful for those using screen readers.

People on the move

- GitHub has announced that Kyle Daigle is stepping into the role of chief operating officer. He has been with the company for 10 years. He started off as a senior software engineer and then was promoted to VP of Strategy & Chief of Staff to the CEO. His main focus as COO will be driving the company’s remote-first mission.

- MariaDB has made Conor McCarthy its new chief financial officer. Previous roles include CFO at Ideanomics, OS33, and Intent Media Inc. He has over 30 years of experience leading financial teams, and will bring that experience to inform his work at MariaDB.

- Rick Fitz is joining Contrast Security as its new CEO. Alan Naumann, the CEO that Fitz will replace, plans to stay on the company’s board as an advisor and will also remain President while Fitz onboards into his new role. Previously, he was at Splunk as senior vice president and general manager of the company’s IT operations and application development market group.
Are CI/CD pipelines bursting at the seams?

By pushing in testing, security and more, the tradeoff between speed and quality can compromise flow

In the last few years, the CI/CD pipeline has undergone an evolution. As more development processes are shifted left, and additional tasks get pushed into the pipeline, the limits of how much it can handle have been tested.

With the need to continuously integrate that comes along with modern application development, the pipeline has had to expand in order to account for tasks like low-code development, security, and testing while teams are still trying to prioritize the acceleration of releases.

How it was vs. how it is

“Early CI/CD was really about how you build and package an application, and then the CD portion came in and it became how you get this application out to a place,” said Cody De Arkland, director of developer relations at continuous delivery platform provider LaunchDarkly. “But now in the modern world you have all of these declarative platforms like Kubernetes and other cloud native things where we’re not just dropping a set of files onto a server anymore, we’re going through and building this self-contained application stack.”

He explained that although the addition of declarative platforms and the repeatable process offered by the cloud has, overall, made CI/CD simpler, teams have also had to manage added complexities because developers now must be sure that the application or feature they have built also has all of the necessary aspects for it to run.

To account for the potential for heightened complications, De Arkland said that CI/CD tools have greatly matured, particularly in the past four years.

“A lot of these concepts have become much more first class… As the space has evolved and UX has become more important and people have become more comfortable with these concepts a lot of the sharp edges are being rounded out and CI/CD tooling has gotten to a place where so much of this is so much easier to implement,” he said.

According to Andrew Davis, senior director of methodology at the DevOps platform company Copado, another one of the ways that CI/CD practices have evolved is in the way that developers are spending their time.

He explained that one of the key demands of modern development is for teams to respond to the need for bug fixes or incremental updates incredibly quickly so that end users experience minimal negative effects.

“There’s an expectation to use the developer’s time in the most efficient way possible, so continuous integration puts a lot of energy into making sure that developers are all staying in sync with each other,” Davis said.


He went on to say that with the increased prevalence of CI/CD, there has been a spike in the need for developers to hone specialized skills and techniques to address the entirety of modern application development needs.

These skills include things like new options for building infrastructure in the cloud and managing it in the CI/CD pipeline, and managing the development process for low-code applications and SaaS platforms.

Cloud native CI/CD

Despite the need to master new skills, De Arkland said that the move to cloud native has made organizations’ ability to adopt newer CI/CD processes much simpler due to the repeatable nature of the cloud.

He said that with the cloud, templated configurations are usually default, and when you can apply these configurations through a template, it becomes an artifact that exists next to the application code, making it much easier to replicate.

“It’s less about cloud itself making it easier and more that when you do it in cloud, you get to lean on the same ‘declarative’ approaches that many other platforms align with. CTOs and CIOs are a great example, they understand the ground floor concepts of the container, but they don’t understand the deeper underpinnings,” he said. “When you have predictability, that makes enterprises a little bit less scared to adopt these things.”

He explained that while cloud native CI/CD processes still require the implementation of certain crucial checks, the removal of the unknown variables equips organizations with a new sense of confidence in their processes and, therefore, the product they are delivering to end users.

However, despite the numerous benefits, cloud native CI/CD also comes with heightened risks, according to David DeSanto, chief product officer at GitLab. This is because organizations may move into the cloud without realizing that the public nature of the cloud could expose their intellectual property or their artifacts. He cited an example of this happening a few years ago, when a security company was inadvertently releasing early versions of its products because they didn’t realize that the package was public on the internet.

Stretching the pipeline

Furthermore, CI/CD processes have had to mature in order to accommodate the needs of shifting left, which has put some strain on the pipeline.

DeSanto explained that as more advanced capabilities have been added into the pipeline, not only has the pipeline itself had to evolve, but the capabilities too.

“If you take a traditional application security scanner and you put it in a CI/CD pipeline, it could make the pipeline take hours, if not days or a week to complete,” DeSanto said. “And obviously, if your goal is to reduce time to market, you can’t have your pipeline taking longer than you have to push out whatever change you’re looking to do.”

He expanded on this, saying that security and testing companies looking to be accepted into the CI/CD space have had to reevaluate their tooling so that these features can be introduced into the pipeline without irreparably impacting efficiency.

Copado’s Davis went on to say that although testing has always been a part of the pipeline in one way or another, now developers are being tasked with examining their tests and determining where in the process certain tests should be run in order to maintain quality and efficiency.

“The expectation is that you have a full battery of tests, so that means that you have to begin to triage your tests in terms of which can run quickly and up front versus which are the more comprehensive tests [to run later],” said Davis.

To make this choice, Davis explained that developers must assess different aspects of the tests. The first is the risk associated with each test. He said that areas that directly impact revenue or cause the most damage to end users are where the priority should be placed.

Next, he said that the order of tests should be determined based on the relevance to the area of the application that is being changed.

“And the way that would work is if the developer is making a change in a particular aspect of the code base, you can identify which tests are relevant to that and which ones are fast to run,” Davis said. “Then you run the tests that are most likely to detect an error in the development and the ones that run quickly, immediately to get very fast feedback and then changes can be made immediately.”

He also went on to explain that he believes the shifting left of security processes and the security controls that have been embedded into the pipeline as a result are both wholly positive changes.

LaunchDarkly’s De Arkland also touched on this, saying that in the past, security had been viewed as something adjacent to the pipeline rather than something that is inherent to it.

He explained that as the concept of DevSecOps has become a more first-class conversation, the CI/CD space has become cognizant of these concepts as well.

De Arkland said that the conversation around which stage of the pipeline should interface with security tooling and how organizations can update communication rules to take the way a container or platform is operating into account have been major talking points around the integration of security into the pipeline.

“Whereas CI/CD used to be just about building software and dropping it on a place, it is really now becoming all of these adjacent tasks that have also lived alongside of it,” he said.

Speeding up delivery

Davis also said that while they can result in an initial slowing down of processes as team members get the hang of things, including well-done security controls in the CI/CD pipeline allows developers to get feedback on code more quickly, therefore accelerating the remediation of issues.

Even with this, though, the addition of all of these extra tasks may lead to organizations struggling to accelerate the delivery of their products due to unforeseen bottlenecks arising in the pipeline.

Davis said that the tension that exists between the desire to deliver more quickly and the need to be thorough with all of the necessary security checks and tests has become increasingly prevalent as the pipeline has matured.

“It is effectively impossible to prevent all risks, and so you need to understand that each of those compliance controls are there to reduce risk, but they come at a cost,” he explained. “You have to balance that goal of risk reduction with the cost of speed, and as a result, the cost to innovation.”

The most secure option is oftentimes not the one that can deliver the most speed, and so striking that balance where both sides can be satisfied is key to a successful CI/CD pipeline.

DeSanto then explained that organizations need to be approaching CI/CD in a way that prioritizes balancing the overall risk against the reward. This means that companies need to be able to determine if it is too risky to run a certain test or scan on the feature branch or the developer’s branch, and if it is, these should only be run as the changes are merged in.

He continued, saying that finding the right tools makes a world of difference when it comes to pipeline evolution. “You may have a security scanner or a load testing tool or a unit testing tool that maybe is not meant for the way you’re now operating, and it could be as simple as swapping out that tool,” DeSanto said.

De Arkland also believes that as artificial intelligence technology continues to advance, more organizations may start turning to AI tools to find this balance, and make it sustainable. He said that while it is not fully here today, he can see a future where someone tells a system the desired steps to execute and the AI delivers an asset that represents that pipeline.

“A good example of this is building APIs using OpenAI’s AI engine. You don’t write the API calls, you just give it the intentions,” De Arkland explained. “Then, it gives you back a spec that you would implement in your application so I think we’re close to a time when pipelines are treated the same way.”

This isn’t to say that AI would be replacing the need for human developers in this process; rather, it could work in conjunction with them to work towards optimal delivery time.

DeSanto also said that with generative AI becoming more commonplace, some organizations have already found a place for it in their pipelines. He noted that AI is already being used to automate the process of getting a pipeline configuration created, identifying where configuration mistakes may lie, and analyzing logs to seek out certain patterns.

He also stated that AI has great potential to change the DevSecOps space, as it can be applied to observability tools and make it so organizations can sniff out an issue much earlier in their processes.

Platform engineering is helpful, but not the death of DevOps

Cody De Arkland, director of developer relations at LaunchDarkly, also spoke about platform engineering, and how its emergence has changed CI/CD processes.

He explained that, particularly in terms of the different interaction points between systems, platform engineering teams can help when it comes to applications that span several different areas inside of an organization.

“As we have applications spanning things like security and run time and build time and doing software releasing as opposed to just CI/CD builds, you need to be able to respond to that across all of these domains,” he said. “I think platform engineers are really the ones who are going to help stitch that all together… and really understand the context of managing all those things across.”

David DeSanto, chief product officer at GitLab, added that platform engineering plays an enormous role in an organization's approach to a multi-cloud or multi-platform strategy because it allows for the creation of a unified platform that is agnostic to the cloud platform.

He explained that this gives organizations flexibility, transparency, and the ability to follow regulatory compliances more easily.

“There is a lot of movement in Fintech and financial regulations that they cannot be single cloud, and without a good platform engineering strategy that could mean that you’re building two completely separate CI/CD pipelines,” DeSanto said.

Andrew Davis, senior director of methodology at Copado, did, however, stress that the claim that DevOps has died and platform engineering is its successor is a bit of an overstatement.

He said that platform engineering can make it simpler for organizations to adopt CI/CD processes and spin up pipelines that include whatever quality and compliance controls are necessary, but its purpose is not to replace DevOps as a whole.

“I would tend to think of CI/CD as one of the critical capabilities offered by development platforms and platform engineering,” Davis said. “So the platform engineering team makes sure that if a new team is spinning up, they can easily create their own CI/CD pipeline, and they can automate the process of plugging into a company’s security controls.”

He said that by treating these different development tools as products that the company is investing in, it has the potential to reduce the burden placed on the individual developer to figure these things out for themselves.


How the RESTRICT Act could impact the software ecosystem

Last month, legislation was proposed in the United States that could have potential impacts on the software ecosystem.

Sponsored by Sens. Mark Warner (D-Va.) and John Thune (R-S.D.), the RESTRICT Act is a bipartisan piece of legislation with the goal of “Restricting the Emergence of Security Threats that Risk Information and Communications Technology,” thus the name.

The general public may be familiar with it as the act aiming to ban TikTok, but it’s broader in scope than that.

According to Min Hwan Ahn, lawyer and founder of EZ485, the law would give the U.S. Commerce secretary the ability to “review transactions involving information and communications technologies products or services (ICTS) connected to foreign adversaries.” The bill in its current state labels six countries as foreign adversaries: China, Cuba, Iran, North Korea, Russia, and Venezuela.

“Today, the threat that everyone is talking about is TikTok, and how it could enable surveillance by the Chinese Communist Party, or facilitate the spread of malign influence campaigns in the U.S.,” Warner said in a statement. “Before TikTok, however, it was Huawei and ZTE [that] threatened our nation’s telecommunications networks. And before that, it was Russia’s Kaspersky Lab, which threatened the security of government and corporate devices. We need a comprehensive, risk-based approach that proactively tackles sources of potentially dangerous technology before they gain a foothold in America, so we aren’t playing Whac-A-Mole and scrambling to catch up once they’re already ubiquitous.”

According to Warner, in a document announcing the act, individual agencies have tried to step in to address those threats over the years, but efforts were disjointed and under-suited to the complexity and interconnectedness of the global technology supply chain. Therefore, he set out to create a new approach with this RESTRICT Act.

The bill obtained bipartisan support in Congress, but within the tech industry there is a lot of debate on whether or not this would be a good thing.

“Some argue that it is necessary to protect national security interests and prevent adversaries from exploiting vulnerabilities in our digital infrastructure,” said Ahn. “They believe that increased oversight is crucial for safeguarding sensitive data and maintaining the integrity of our democratic processes. On the other hand, critics argue that the Act may have unintended consequences, such as stifling innovation and hindering collaboration between developers across borders.”

Andrew Pickett, lead trial attorney at Andrew Pickett Law, opposes the bill, stating that it’s just too broad in scope. “Before taking such drastic measures, the government should provide specific evidence showing a real problem and a narrowly tailored solution. It’s important to remember that the internet is a global network that enables people to exchange ideas and access information freely,” he said.

He also said that he is concerned that the law provides criminal penalties of up to 20 years in prison for those trying to evade the ban. Though not explicitly mentioned in the bill, many have taken this to mean that using a VPN might land you in trouble.

A spokesperson for Warner has said: “The bill is squarely aimed at companies like Kaspersky, Huawei and TikTok that create systemic risks to the United States’ national security, not individual users.”

Will LaSala, field CTO of security company OneSpan, believes the ability of TikTok to “collect any and all data from a device is dangerous,” but that this law banning it is just a Band-Aid and not a real solution.

According to LaSala, app developers have the ability to better protect user data, but may not have implemented the technology to do so, which opens up the possibility of data leakage and bad actors misusing user data.

Instead of a ban, app developers should be making use of the security tools that are available, security vendors should make sure their tools aren’t causing negative user experiences, and operating systems manufacturers should implement controls that mitigate risks.

“Users should be able to quickly see what data is being collected, when it is being collected and for what purpose, and should be able to shut off the stream of a specific type of data in real time at any time,” said LaSala.

Ahn believes that it will be important for lawmakers to strike the right balance to ensure the law meets its objectives without causing unnecessary harm. Doing so might require refining some of the provisions of the bill, increasing transparency of enforcement mechanisms, and including safeguards for protecting individual rights and promoting innovation.

There has already been a congressional hearing with the CEO of TikTok, but as of this writing there has been no indication about when, or if, the RESTRICT Act will be brought to a vote.


Tools are now critical to implementing Agile successfully

Twenty-two years ago, at a ski resort in Utah, 17 technology thought leaders came together and drafted an Agile Manifesto, a set of principles for a new approach to software development. Unlike the traditional “waterfall” approach that had been popular, this new approach would focus on iterative improvements and constant innovation.

Since that fateful night, this methodology has become a stronghold of software development. In Digital.ai’s most recent State of Agile report, 94% of respondents were practicing Agile, and 32% have been doing so for at least 5 years.

The original Agile Manifesto contained a list of four values:

“1. Individuals and interactions over processes and tools

2. Working software over comprehensive documentation

3. Customer collaboration over contract negotiation

4. Responding to change over following a plan”

In recent years, one of the biggest shifts in how companies practice Agile is, unsurprisingly, having to accommodate a whole new style of working.

According to Digital.ai’s survey, only 3% said they planned to return to the office full time. 25% said they will remain fully remote and 56% will use a hybrid approach where people will be in the office some of the time, but not all.

“In last year’s survey we found fewer who are completely remote than planned, but still about half of respondents are mostly remote,” said Wing To, vice president of engineering for value stream delivery platform & DevOps at Digital.ai. “Expect some adjustments over the next few years as leaders try different approaches.”

According to Aaron Morris, owner of the educational platform agile-innovations.tech, the early days of Agile required teams to be located in the same place because there would need to be a daily stand-up meeting and a shared board to track sprints, which was often just a whiteboard on a wall.

“Since then, technology has advanced so much that distributed teams are no longer a big deal. Stand-up meetings happen over MS Teams or Zoom, and the team board is hosted in a shared cloud app like Jira,” said Morris. “I once worked on a team where our developers were distributed across Pennsylvania, Ohio, Illinois, Brazil, Turkey, and Russia but we worked from the same sprint board and met every day at 10am Eastern.”

So, while the Agile Manifesto may favor “individuals and interactions over processes and tools,” tools have become quite a necessity to facilitate the communication and collaboration needed to do Agile correctly these days.

“Communication is important,” said Raveesh Dewan, CEO of Joget, an open-source low-code platform. “Not just verbal, but what you are doing in the tools is equally important.”

Dewan’s team is fully remote, so it’s absolutely crucial that everyone is providing updates into the tools so that everyone is on the same page and they can track progress. An example he gave is if there are 10 user stories on your plate and you have only finished five within the planned time frame, then you have a better sense of the actual velocity of the project.

“That’s pretty much it, there is no rocket science behind it, there is no mantra behind it that ‘thou shalt do it this way.’ It is just a matter of being disciplined and making sure that I have given my updates today,” he said.

According to Digital.ai’s survey, the most common types of tools that people use include Kanban boards, taskboards, spreadsheets, agile project management tools, bug trackers, and wikis.

Popular tools to use for Agile include Atlassian Jira, Azure DevOps, Broadcom Rally, Trello, and even just Google Docs. According to the survey, 48% of respondents are using Google Docs for Agile planning.

It’s also important to keep the people aspect front and center when working remotely. For example, Yemisi Iyilade, product management coach and educator, said that at her company there is a rule to always have your camera on. She believes there’s a lot of communication that happens just in your body language, and you would miss out on that if you were only communicating through voice.

“Even if your little child is there, it’s okay… because we understand that you are a person before your work,” she said.

Speaking on the importance of people, she also highlighted that it’s important that all employees feel appreciated and valued. This can be accomplished through regular one-on-one meetings.

Another thing many companies do to accomplish this is to provide flexibility around work hours. “Some companies now have a few hours in the day as mandatory hours,” she said. “This means that those are the only hours, maybe four hours out of the seven or eight hours, that you are mandated to be online. The other hours, you can spread it according to your own personal day.”

Agile moves beyond software development

While Agile was originally developed as a way to improve software development, it’s actually moving out of software development teams and all sorts of business teams are experimenting with and using Agile.

According to the Digital.ai survey, 86% of respondents used Agile in their software development teams. But 63% use it in IT, 29% use it in operations, 17% use it in marketing, 17% use it in security, 16% use it in human resources, 11% use it in sales, and 10% use it in finance. And 52% say that a majority of their company’s teams have adopted Agile.

Morris explained that for quite a long time, Agile was viewed suspiciously by business managers, especially in regulated industries. He recounted how when he was first starting out as a developer, he worked for a medical device company and his team spent six months persuading their manager to let them even try a few Scrum sprints.

“Now, agile development is a common practice in most industries,” he said. “And even in regulated industries where waterfall development is still king there’s a strong movement towards agile, and much fewer people view it with the same suspicion as 10+ years ago.”

Encourage a culture of failure

Another side effect of the COVID-19 pandemic is the need to be ready to innovate, always. This includes encouraging a culture of failure, according to Iyilade.

This doesn’t mean that you necessarily want things to fail, but that you want to be able to try new things without the fear of failure.

“The reality is innovation is saying ‘we don’t know how to do this. Let’s try. And we tried it, and this is what we got. And it’s okay. The next time we’ll do it better, doesn’t mean we failed. It means we’ve learned something new,’” she said.

As an example, Iyilade said to imagine a team that wants to develop a dashboard to view the status of a project or product. The first iteration may have a bit of risk associated with it, but by the second iteration, the team has learned from whatever went wrong on the first try and can do those things differently on the next go.

“We want to focus on the new learnings, the creative ideas that just came out, the new knowledge that came out,” she said.

The emergence of value stream management

Another methodology that has sprung up in the past few years that ties in nicely with Agile is value stream management.

According to Cameron van Orman, chief strategy officer at Planview, value stream management is important because it provides a holistic view of the whole value chain and can help identify areas that could be improved.

It can be used to help create a culture of transparency, break down silos, and align business goals.

“With a focus on delivering value to customers and shifting from project to product, the entire organization can work towards a common goal and align business objectives. As Agile continues evolving and gaining popularity, organizations must continuously refine their Agile practices to meet changing circumstances,” he said.

According to van Orman, newer Agile frameworks like the Scaled Agile Framework (SAFe) work well with value stream management too. He said that combined, they offer “a solid foundation for organizations to succeed in remote and hybrid environments.”

Low-code and Agile make a perfect pair

As mentioned earlier, the first value of the original Agile Manifesto of “individuals and interactions over processes and tools,” has sort of fallen off. Low-code is another example of this, as it really enables people to think in a more Agile way and promotes experimentation.

According to Dewan, the ability to quickly drag and drop components enables you to go faster and try more things out.

“Low-code takes it to a different level because it makes everything visual,” he said. “You can drag and drop while collaborating, while having the conversation, so cycles of iterations go faster.”

This iterative approach with low-code becomes even more powerful when combined with fusion teams: separate teams in the business working with IT. “It can quickly show them these are the options, and iterate through those options much faster than traditional application development,” said Dewan.


CloudBees announces integration with Argo Rollouts to improve Kubernetes deployments

CloudBees, a software delivery platform for enterprises, introduced the integration of its continuous delivery and release orchestration solution CloudBees CD/RO with the Kubernetes controller Argo Rollouts.

This integration is geared at strengthening a user’s ability to deliver high quality software quickly and at scale in cloud-native environments.

CloudBees customers gain access to Argo Rollouts’ deployment capabilities, allowing them to promote new application versions with reduced downtime, distribute controlled software updates, and test new versions of code in real-world environments prior to release.

Additionally, Argo Rollouts is compatible with existing manifests and CRDs so that users do not have to change any tools in order to use these deployment strategies.

“This integration of CloudBees CD/RO with Argo Rollouts is a continuation of our commitment to best-in-class open-source tools that empower our customers in their software delivery journey,” said Shawn Ahmed, chief product officer at CloudBees. “We strive to meet our customers where they are with our open platform strategy, and are confident this integration will provide them with better control and visibility over the deployment process for cloud-native applications.”

Other key benefits of this integration include access to real-time information about app versions in a range of environments; increased visibility into the state of an application during release; and access to deployment analytics such as frequency, duration, and success rates.

Lastly, this integration provides users with security policies that permit only authorized users to promote releases to production.

GitLab announces new AI-powered capabilities

GitLab announced that it has been expanding support for Code Suggestions, has added a new level of visibility with Value Stream Dashboard, and has added a new and improved license compliance scanner along with license approval policies.

The company’s aim behind the improvements is to help fill the skills gap since security engineers are outnumbered and 85% of respondents to a 2023 GitLab Global DevSecOps Report: Security Without Sacrifices report said their security budgets are flat or reduced.

“We believe in a simple mantra: Velocity with guardrails. Artificial intelligence technologies and automation solutions accelerate code creation and, when paired with a comprehensive DevSecOps platform, create the security and compliance guardrails that every company needs,” GitLab stated in a blog post.

Code Suggestions, which can improve developer productivity without context switching and within a single DevSecOps platform, is free for all Ultimate and Premium Customers in the Beta.

The recently introduced Value Streams Dashboard offers decision-makers valuable insights into metrics that can help them recognize patterns and trends, enabling them to optimize software delivery. The dashboard takes into account the DORA metrics and tracks the flow of value delivery across various projects and groups, providing strategic insights that can aid in improving the overall software delivery process.

In addition to other features, users of GitLab can establish license policies and examine software licenses for compliance. The scanner tool can retrieve license information from packages that are dual-licensed or have multiple licenses that apply. Moreover, it can identify more than 500 types of licenses, which is a significant improvement from the previous capability of identifying only 20 types of licenses.

With the help of license approval policies, organizations can minimize the risk of using unapproved licenses, which can save them time and effort that would otherwise be needed to manually ensure compliance.

GitLab also stated that it now automatically revokes personal access tokens (PATs) leaked in public GitLab repositories to mitigate the risk of a developer mistakenly committing a PAT into their code. Leaked secrets in public projects can be responded to by revoking the credential or notifying the vendor who issued it.

The company said that there will be more guardrails coming in 2023. One is group and subgroup dependency lists that provide users with a simple way to view their projects’ dependencies. Other capabilities will include continuous container and dependency scanning, management tools for compliance frameworks, and SBOM ingestion to import CycloneDX files from third-party tools.


Recently, ChatGPT passed a Google coding challenge. So, AI practically got a job at one of the tech giants. Copywriters, teachers, and lawyers are afraid to lose their jobs. Now, programmers are scared, too. We know ChatGPT can write code, but is it enough to become at least a satisfactory junior Java developer in real life? Should we fear ChatGPT replacing developers shortly? Or should we happily embrace this new technology due to its valuable features? I’m a mentor at CodeGym Java University, and my students who learn Java are worried about their perspectives. So, I decided to test ChatGPT’s coding abilities myself, and I’m ready to share my conclusions.

Vadym Novakovskyi is a senior Java developer and a mentor at CodeGym Java University.

Round One: A Snake Game

ChatGPT isn’t very humble when describing its coding style (see the top screenshot). But any developer knows that bragging is one thing, and delivering is entirely different. So, let’s see if AI tells the truth!

To make the process more comprehensive, I’ve been experimenting with both free and paid versions of ChatGPT. I started with quite a simple task: I asked ChatGPT to write a simple Snake game. It’s beginner level, and any junior Java developer can solve it. ChatGPT generated a solution, too, but I noticed a problem: quite often, it didn’t finish the code. Even after upgrading to the paid version, the problem remained (although AI started typing much faster).

Whenever it stopped, I asked it to proceed, and ChatGPT would resume writing the game. Still, some small parts of the code (a few lines or half of a line) were missing anyway. If you’re not an experienced programmer, you may not notice it and will get code that doesn’t work.

At this point, I started doubting that ChatGPT can write a big program. If it has trouble writing 200 lines of code (as in the Snake game), how can it handle thousands of lines, like in a typical program?

Also, during the first attempt, ChatGPT wrote the Snake game using just the method main() without dividing the code into several methods. It’s a bad approach even for junior developers. I checked the code manually and with the static code analyzer (SonarLint) and found some other minor flaws.

I decided to ask ChatGPT why it chose such an unfortunate approach. It turned out, it had an answer! It explained its logic and suggested another solution (see the screenshot at bottom left). But what if I didn’t ask, as a junior developer probably wouldn’t do?

So, I believe it’s naïve to expect ChatGPT to replace even a junior developer anytime soon. If you’re not a programmer, you won’t be able to understand if the resulting quality is good enough. And nobody wants to buy a pig in a poke.

Let’s imagine that a company decided to cut back on several Java trainees or juniors and “hired” ChatGPT instead. Still, it will need a senior developer to do code refactoring, i.e., clean and improve the code. It’s hard to say if it makes sense in terms of cost optimization.

We can safely say that ChatGPT loses the first round. It can’t replace a good Java junior developer, and who needs another bad one?

Round Two: Autotesting

In the second part of my experiment, I decided to see if ChatGPT could help with testing the code or at least do the basic testing. I asked it to write unit tests for the Snake game solution it provided before, and it did it (see screenshot below).

For an untrained eye, the tests ChatGPT created looked okay. But for a senior developer, not so much. Again, don’t expect anything above the junior level here. The code that ChatGPT generated wouldn’t go into production without serious improvement. And, frankly speaking, a junior who wrote it wouldn’t last in my team for long.


Round Three: Interview Preparation

My third hypothesis was that ChatGPT could help you prepare for job interviews. For example, you can ask it to generate technical and non-technical questions (see screen at right) for junior/middle/senior developer interviews. I did that, and some questions were pretty good (although some weren’t). Still, AI suggested only four blocks of questions, and it’s definitely not enough to conduct an interview properly.

Some of the technical questions for a middle Java dev interview are out of date.

So, in the third round, ChatGPT didn’t impress me, either. You may use it to generate some interview questions, but you need to know what parts are essential for a good job interview.

On the Bright Side

At this point, I was a bit disappointed (“give me back my $20” even crossed my mind). But if ChatGPT can’t replace programmers yet, it doesn’t mean they can’t benefit from this cutting-edge technology. I continued experimenting and eventually found it to be quite useful. What can ChatGPT help you with?

First, it can teach you programming basics and tell you what to learn. For example, I asked ChatGPT to teach me Java, and it generated a list (see screen at bottom left) of necessary topics such as lambda expressions, functions, data structures, etc., and examples. So, it can be your Java or other programming language manual. But unlike a book, it can answer your questions. And unlike some teachers, it can explain a concept to you as many times as you need to grasp it without getting annoyed.

Second, it can provide samples. For instance, if a junior developer doesn’t know how to do the unit testing of the code, they can ask ChatGPT to show them simple examples and explain the basic ideas (like I did in the screenshots, at right).

My everyday work is tightly connected to architectural solutions. That’s why I decided to use ChatGPT’s help here. For example, I asked if it knows what AWS (Amazon Web Services) is, and yes, it does. Then, I told it that I needed to create an EC2 (Elastic Compute Cloud) in China, and ChatGPT suggested a relevant list of steps for it.

It offered me examples when I needed them and even warned me about the limitations of AWS in China.

When I asked ChatGPT for more details, it provided adequate information. I was pleasantly surprised and concluded that ChatGPT’s great for finding the answers to architectural, high-level questions. For instance, in my case, about microservices, sending messages between services, etc.

Moreover, it can answer specific questions like “What’s the better message broker?” and offer information about each option. Finding such information online would take quite a long time. If I googled the same question, I’d get dozens of links and spend hours browsing them.

I noticed some of the answers weren’t complete, so I had to ask for additional details. To do it, you need to deeply understand what you’re talking about. That’s why I see ChatGPT as an assistant for a person who’s already a professional, who can assess the answers, get into more profound matters, etc.

Frankly speaking, for me, ChatGPT is like Stack Overflow (or Google) on steroids. After doing my research and experimenting, I’m sure that ChatGPT isn’t a tool for code-generating. But as a Google replacement that saves time, it serves pretty well. Developers, we are safe (for now).

Also, I think we shouldn’t neglect ChatGPT’s help for learning and other types of assistance. If it can’t replace us, it still can be a useful tool for developers.

‘Flow Triangles’ help teams work together

There are people who believe that software development is pure art. And there are people who believe that it is basically manufacturing. The reality, of course, is that it’s somewhere in the middle.

Because of that, before you can even begin to measure how your team is performing, it’s critically important to understand your organization’s approach to development and how the teams are structured to maximize that effort.

“Finding good metrics, like flow metrics, end up being a balance between do you treat what developers are doing as a manufacturing process? Or do you treat it more as a creative process?” said Jeremy Freeman, co-founder and CTO at Allstacks, providers of value stream intelligence software.

Freeman referred back to the “Iron Triangle” approach to software development quality, which states that you can either develop things quickly, cheaply or at high quality, and everything between them is a tradeoff.

This approach, he said, can also apply to flow metrics.

Organizations can optimize more toward speed and predictability, or they can optimize toward data science and problem-solving. “These types of tradeoffs actually permeate all of your business decisions as technology leaders,” he said. “Do you focus on fixing quality? Or do you focus on fixing or shipping new features? And the flow metrics that are now a core component of the SAFe Framework end up having their own sorts of these ‘Flow Triangles.’ There’s your velocity, cycle time and team load. You always want to have really high-velocity routines. And that is intimately linked to how long it takes you to do things, and how many things are being worked on at once.”

Many high-functioning organizations have different teams working at different speeds, using different processes and tools, so coordinating that work is critical. “If you imagine a team working on delivering a sprint goal, then you take a step back and think about how the collection of teams is working against shipping a major feature. You have to think about how fast things are getting delivered, and how that impacts your ship time,” Freeman said. “Are the levers you have to play with as a leader right? So these metrics are really helpful, and flow is really apt.”

Freeman recommends that organizations first figure out where their problems are, with the development team and all stakeholders. Then you can start measuring some coarse things around outcomes, and as you start identifying potential solutions, then you can get tighter and tighter with what you’re measuring.

In a pull request example, Freeman said, “Maybe we’ll go from measuring your request cycle time to measuring how long it takes to get your first review, to know how long it takes you to actually complete any review cycle. And as you build those metrics up, you’ll actually get better information and start to pinpoint and solve problems.”


In order to ensure the success of any technology company, a strong investment in testing tools and processes must be a top priority.

An organization is nothing without its customer base, and a customer base won’t come or stick with you if software is continuously being pushed to production with unresolved bugs or security vulnerabilities.

This is why the process of software testing is so crucial, and with the emergence of cloud technologies, this process has been evolving.

The growth of cloud testing

Gevorg Hovsepyan, head of product at the intelligent test automation company mabl, explained that with the cloud and technology revolution we have seen, organizations have been enabled to accelerate innovation.

“If you accelerate the innovation, you obviously want to make sure that you are delivering high quality software,” Hovsepyan said. “So, cloud testing enables quality team professionals to meet that speed demand and make sure that as we accelerate our innovation, we do not reduce the quality of our software.”

Joachim Herschmann, senior director analyst at Gartner, said that cloud testing has seen a decent amount of growth in recent years as organizations begin to move further away from on-prem processes.

“If you’re moving your applications to the cloud, it makes perfect sense to use a cloud testing capability for various reasons,” Herschmann said. “Your users are most likely distributed, maybe across the globe, but at the very least across a certain region, so testing capabilities need to be able to cater for that.”

He went on to say that the cloud testing space has also seen an influx of ‘new players’ beginning to offer testing tools as larger cloud infrastructure companies have begun to put out their own tools.


Herschmann explained that this is because if a company is using AWS or Microsoft, for example, then they will want something to test performance on that infrastructure specifically.

Although the cloud testing space has seen consistent growth, he also emphasized that some of this maturation is hidden.

“In the past when we had pure, on-premise load testing so you could query the vendors and say ‘how many licenses did you sell and how much is the growth?’ and it was easy,” Herschmann said. “Today, a lot of that is not explicitly visible.”

The testing evolution

Tracy Ragan, creator and CEO of DeployHub, explained that a major upside of the shift to cloud testing is the lack of on-prem server racks that organizations used to need to worry about maintaining.

How the CI/CD pipeline can help achieve cloud testing

Tracy Ragan, creator and CEO of DeployHub, explained that continuous delivery and cloud testing should go hand-in-hand in an organization.

“The question really becomes: how can the continuous delivery pipeline help testers and DevOps engineers understand what they’re testing and what the versions of the components are that they’re testing,” she explained.

Specifically in a microservice environment, Ragan said that the continuous delivery (CD) pipeline should be working to bring forward necessary information to testers and SREs.

She compared managing the CD pipeline to managing a set of Legos with several separate parts that are constantly moving and changing.

“The conversation around continuous delivery and testing needs to do with getting more information from the testing teams and the testing market and what problems they are really seeing in a truly decoupled, cloud-native environment, and how can the pipeline change that and make the world easier for them,” Ragan said.

She went on to say that the only way for organizations to begin tracking these releases that are constantly in flux is through a strong integration between testing tools and the data coming out of the CD pipeline.

Ragan gave the example of an organization having a login routine that was written by the security team and then used by a large number of applications within the enterprise. When that login routine is updated, certain applications will be impacted.

Because of this, she said that cloud testing tools need to start learning what is impacted when updates are made to a microservice as well as what testing CD pipeline should automatically be kicked off when these updates are made.

“If I know that I am impacting these fifteen applications, then these fifteen application teams need to now test with the new version of this microservice,” she explained. “What we do today is more input/output testing and point testing but that may not be enough, and in most cases it’s not.”


maintaining.

“What cloud testing does is it creates an environment where you have all these different browsers to test and potential different endpoints to test, without having an internal staff to keep that up,” Ragan said. “So, it is hard to create an on-prem environment that is as broad as a cloud environment that somebody else is hosting for you.”

Fatih Degirmenci, executive director of the Continuous Delivery Foundation, also pointed out that, in the past, if an organization lost the person who was hired to maintain and update these on-prem servers, testing would suffer.

Degirmenci explained that cloud testing allows for a wider range of people to be provisioning and managing the test environment, because cloud testing in a DevOps environment is repeatable.

In addition to this enhanced provisioning, Hovsepyan said that another key benefit of cloud testing is that it gives testers back a good amount of their time so that they can focus more intentionally on quality assurance.

The future of cloud testing

According to Herschmann, the future of cloud testing comes down to providing users with enhanced ease of use. He explained that the kind of “ease” clients are looking for exists in a few different areas, including the actual technology as well as pricing and packaging.

On the tech side of things, he said that the hope for the future is for clients to have very little to set up for cloud testing. Herschmann stated that this is already one of the benefits of the cloud in general.

He explained that with on-premise testing, the test tool and the administration interface had to be installed before testing could even begin, whereas cloud testing eliminates that setup.

“The other aspect of ease of use would certainly be around pricing and packaging,” Herschmann said. “As a client, you want full transparency and visibility into the potential cost. Clients are looking for this to become easier so they don’t run into a cost trap or potentially run into debt.”

“This revolution with the cloud testing space has also enabled companies like mabl to offer a more modern solution based on cloud providers that we have in the market,” he explained. “This allows us to be able to accelerate the testing cycles as well as enable us to innovate in this space as a whole.”

However, Degirmenci also stressed that the presence of cloud testing does not mean that testing on premise is no longer important.

“Some of these activities need to be done on specialized hardware or software, and some of those things are not available on the cloud,” he said. “So you now need to manage both the cloud and on-prem, which may make things a bit complicated as well.”

What kinds of tests are ideal for the cloud?

Ragan went on to say that multi-tenancy tests are an example of the kind of test that would be better suited for the cloud because it is more similar to the environment that would be run in production.

An interview with Gevorg Hovsepyan, head of product at test automation company mabl

AI and cloud testing

Gevorg Hovsepyan, head of product at mabl, stated that AI has already begun to prove useful in the cloud testing space, particularly when it comes to ensuring software quality.

“For example, at mabl we have this capability called Auto Healing which tracks all of your interface changes and different fields in your DOM object and when you introduce a new change in your product, the Auto Healing capability tries to learn and predict whether this change will affect the test and whether we can fix the test without any human interaction,” he explained.

According to Joachim Herschmann, senior director analyst at Gartner, the role of AI and ML in cloud testing will only increase in the future. He explained that this technology has the potential to change cloud testing in several ways, such as optimizing test execution to capture failed or flaky tests so that they can be prioritized next time to ensure that these tests are passed before running remaining tests.

“And then if those flaky tests fail, they fail early on and I can stop and not run these other 800 tests… I can prioritize and restructure my tests and I can also use AI and ML to simplify because sometimes large test files could potentially create duplicates and this technology can be used to reduce that,” Herschmann said.

He went on to say that AI and ML tools can also help testers bundle insights and perform an analysis to determine why a certain group of tests may have failed.

This reduces the amount of effort needed from testers, heightening the overall ease of use for clients engaging with this technology.

Even with all of this AI advancement, Hovsepyan still believes that the cloud testing space should and will remain heavily reliant on human intervention and the human capacity for empathy.

He emphasized that while AI is good at automating simple tasks, the technology is not good at fully understanding what it is that the human user is trying to achieve, and that understanding is essential to ensure high-quality software.

Furthermore, she cited security testing as being fit for the cloud because it avoids the predetermined guardrails that may exist in on-prem testing.

“I would say for now, people are thinking about scalability and doing specific tests like multi-tenant testing, but security is probably something that they should be thinking about in the future as a pretty important piece of the puzzle in cloud testing,” Ragan said.

According to Herschmann, functional testing is another type of testing that organizations could benefit from moving into the cloud. He said that while functional testing has historically taken place on-premise, cloud testing might actually be more useful since most modern applications are web-based or mobile-based.

He explained that a big thing organizations are testing for is the diversity in different browsers and browser versions as well as a browser version paired with a particular operating system. The cloud can help make that process more efficient.

“If we have mobile tests that we need to run against the fifty most popular devices, and you go to a cloud testing vendor that has those devices either as a physical device hooked up to some of their data centers, or a simulated device, you can use the cloud to cover the breadth of end-user devices that you need to test against, and that is one of the biggest growth areas that we have seen in the last few years,” Herschmann explained.

Degirmenci also stated that more generic tests, such as static analysis or unit tests, would also be well suited for a cloud testing environment because they do not require any special hardware or software.

Additionally, he explained that moving these kinds of tests into the cloud servers can help developers who have been tasked with provisioning certain tests in an effort to shift-left, as well as improve overall productivity.

This is because they will not need to spend time bringing up new test environments locally, decreasing testing time and increasing productivity.

Security and cloud testing

Herschmann went on to say that, while moving to cloud testing is not totally free from challenges, a fair amount of the initial concerns have been addressed.

These include latency, in terms of the time that it takes to substantiate the virtual devices as well as establish a network connection, and security as organizations send mass amounts of important data to the cloud.

“And there are still certainly things like governance and making sure that I have the right controls in place to know who can run the tests and who has access to the data, but it is not necessarily that different than if you were running it on-premise,” Herschmann said. “The problem is more associated with the fact that a lot of organizations don’t have something in place in general, and it gets exposed more so when you are moving to the cloud.”

Because of this, he said that the cloud can oftentimes act as a driver to help expose certain shortcomings that exist in an organization, rather than being the actual root cause of them.

On the contrary, Hovsepyan believes that moving testing into the cloud can actually bring about several security benefits. One of the key security perks is the delegation of infrastructure management to the cloud testing provider.

“We manage the infrastructure and we manage your data and we manage the security aspect of all of that,” he explained. “We go through reports and gain insights so that we take that burden off of you and you can focus on what is important for your end users.”


Test automation goes codeless

The use of low code and no code gained traction in recent years as demand continues to rise for faster and more efficient application development. To keep pace with the influx of newly built applications, many IT leaders are investing in testing automation, a market that’s projected to show a compound annual growth rate of 16.4% through 2027.

Software development engineers in test (SDETs) have historically relied on coded test automation as the go-to approach for quality assurance. However, coded test automation calls for extensive coding that’s resource-intensive and challenging to maintain. Although it’s based on free, open-source frameworks, coded test automation requires skilled labor that’s scarce and costly, constraints that hamstring overburdened tech teams.

Fortunately, not all testing requires coded automation. New advancements in test automation are emerging, and codeless platforms present a key opportunity to streamline software testing.

Coded automation not the only option

Coded test automation still plays an important role in scenarios like unit testing and component-level testing. But the development arena has changed in the last 20 years, underscoring the fact that coded test automation isn’t an optimal approach to quality assurance for certain use cases like functional testing.

Coded test automation requires skilled SDETs or software developers to not only write hundreds of lines of code, but also maintain them. That’s increasingly difficult to accomplish with engineers stretched thin and employers facing ongoing talent shortages. As a result, many development teams lack the resources to maintain copious amounts of code once an application is deployed. Supporting code for coded test automation is also expensive, especially if the test framework requires regular updates or modifications.

It’s clear that new testing approaches are needed to maintain software quality and keep pace with technological advancements. And codeless test automation is gaining momentum fast.

Revolutionize testing with codeless automation

Codeless automated testing platforms are now available in the commercial marketplace, eliminating the need to write code for automated tests. With these tools, quality assurance (QA) professionals who lack coding skills can develop automated tests alongside SDETs and developers.

Some developers may hesitate to lean on codeless automation. After all, many developers have spent the lion’s share of their careers writing lines of code. But coded test automation isn’t going away; it’s just becoming one of several approaches developers can turn to.

However, for functional testing, end-to-end testing, data validation, and regression testing, codeless platforms offer a streamlined approach for both user interface (UI) and application programming interface (API) testing that can cut costs and reduce time-to-market.

Consider the benefits that codeless automation can provide:

Reduced reliance on technical expertise: Codeless testing platforms enable developers to shift testing responsibilities to QA teams, who can focus solely on testing rather than coding and debugging. Codeless platforms also help free up developers’ time and empower them to focus on new technologies and complex software development.

Accelerated development cycles: Codeless platforms enable QA teams to use pre-built and visual components to develop automated tests, which is a much faster process than writing net-new code. This enables testers to create more test cases in a fraction of the time, which increases test coverage and results in higher quality software. An added bonus? Shorter development cycles also reduce costs.

Easier maintenance: Codeless testing eliminates the need for programming skills that are typically required to maintain and update coded test suites. This makes maintenance faster and easier when an application changes. Some codeless automation platforms even have self-healing capabilities that enable the testing tool to automatically fix test scripts or test cases when a test fails or the software changes.

There’s always a learning curve when adopting a new approach. But the barrier to entry is low and the rewards are high when it comes to deploying codeless test automation tools.

Guest View by Nancy Kastl
Nancy Kastl is executive director of Testing Services at SPR.

Patch the cloud native development talent gap with platform engineering

Cloud native technologies, with their malleable, modular microservice architectures, quickly generate transformative digital innovations that deliver high-demand customer capabilities and operational value breakthroughs.

But wait, how many Kubernetes experts do we have? We’ve got an industry-wide shortage of skilled software development and operations talent, and the complexity of cloud native development is exacerbating the problem. We’re not going to hire our way out of this mess!

Skill shortages stymie cloud native innovation

Even non-technical executives now understand the basic benefits of cloud native software. They know it has something to do with Kubernetes pushing out containers, so the resulting applications are more modular and take advantage of elastic cloud infrastructures.

There’s way more to it than that. The cloud native landscape is a beehive of open-source projects for configuration, networking, security, data handling, and service mesh, at various maturity stages. There are also hundreds of vendors offering their development, management and support tools atop this ever-moving CN raft.

The only way to sustainably grow is through building cloud native development talent and capabilities from within, following the introduction and maturation of the space, as well as keeping tabs on the vendor and end user community at large.

Smaller and leaner teams are expected to deliver twice the output with half the people. The need for specialized skill positions only increases as concepts like event-driven architecture, data lakehouses, real-time analytics, and zero-trust security policies turn into production-grade requirements.

Why platform engineering matters

No matter what target environment they are contributing to, developers still spend most of their time coding within an IDE. Over the years, vendors have tried everything from low-code tools to process toolkits to lower the skills bar, but the pipelines don’t translate into easy wizards.

Complex open-source tooling, third-party service APIs, and code that is being mixed and matched from GitOps-style repos are driving cloud native development teams toward a new platform engineering approach.

Platform engineering practices seek to create shared resources for development environments, encouraging code, component, and configuration reuse.

Common platform engineering environments can be represented within a self-service internal development portal or an external partner marketplace, often accompanied by concierge-style support or advisory services from an expert team that curates and reviews all elements in the platform.

It’s critical to govern the platform’s self-service policies for access permissions, code, logic, data, and automation at just the right level of control for the business it supports.

Speedy innovation through infrastructure abstraction

Refreshingly, or maddeningly, there’s no single right way to ‘do’ cloud native.

As an open-source movement, the CNCF purposely leaves the future approach open to interpretation by the community. It doesn’t dictate a particular language, or even a specific piece of infrastructure.

That’s excellent, but it also leaves short-handed dev teams managing complex plumbing and experimenting with integration options, rather than building better functionality. That’s where platform engineering practices can save the day.

The decision to create a platform is a commitment to help developers of varying skill levels abstract away the complexity of underlying cloud native architectures with interfaces and tools atop readily configured environments.

A platform engineering approach must offer ease of use, elimination of toil, and reduced cognitive load for development teams, helping orgs attract and retain the best talent.

Analyst View by Jason English
Jason English is Principal Analyst & CMO, Intellyx
