
TECHNOLOGY RADAR
An opinionated guide to technology frontiers

Volume 24

#TWTechRadar
thoughtworks.com/radar
Contributors
The Technology Advisory Board (TAB) is a group of 20 senior technologists
at ThoughtWorks. The TAB meets twice a year face-to-face and biweekly by
phone. Its primary role is to be an advisory group for ThoughtWorks CTO,
Rebecca Parsons.

The Technology Radar is prepared by the ThoughtWorks Technology Advisory Board.

The TAB acts as a broad body that can look at topics that affect technology and technologists at ThoughtWorks. With the ongoing global pandemic, we once again created this volume of the Technology Radar via a virtual event.

Rebecca Parsons (CTO), Martin Fowler (Chief Scientist), Bharani Subramaniam, Birgitta Böckeler, Brandon Byars, Camilla Crispim, Cassie Shum, Erik Dörnenburg, Evan Bottcher, Fausto de la Torre, Hao Xu, Ian Cartwright, James Lewis, Lakshminarasimhan Sudarshan, Mike Mason, Neal Ford, Perla Villarreal, Rachel Laycock, Scott Shaw, Shangqi Liu, Zhamak Dehghani

TECHNOLOGY RADAR | 2
© ThoughtWorks, Inc. All Rights Reserved.
About the Radar

ThoughtWorkers are passionate about technology. We build it, research it, test it, open source it, write about it and constantly aim to improve it — for everyone. Our mission is to champion software excellence and revolutionize IT. We create and share the ThoughtWorks Technology Radar in support of that mission. The ThoughtWorks Technology Advisory Board, a group of senior technology leaders at ThoughtWorks, creates the Radar. They meet regularly to discuss the global technology strategy for ThoughtWorks and the technology trends that significantly impact our industry.

The Radar captures the output of the Technology Advisory Board’s discussions in a format that provides value to a wide range of stakeholders, from developers to CTOs. The content is intended as a concise summary.

We encourage you to explore these technologies.

The Radar is graphical in nature, grouping items into techniques, tools, platforms and languages & frameworks. When Radar items could appear in multiple quadrants, we chose the one that seemed most appropriate. We further group these items in four rings to reflect our current position on them.

For more background on the Radar, see thoughtworks.com/radar/faq.

Radar at a glance

Legend: New, Moved in/out, No change

The Radar is all about tracking interesting things, which we refer to as blips. We organize the blips in the Radar using two categorizing elements: quadrants and rings. The quadrants represent different kinds of blips. The rings indicate what stage in an adoption lifecycle we think they should be in.

A blip is a technology or technique that plays a role in software development. Blips are things that are “in motion” — that is, we find their position in the Radar is changing — usually indicating that we’re finding increasing confidence in them as they move through the rings.

Our Radar is forward looking. To make room for new items, we fade items that haven’t moved recently, which isn’t a reflection on their value but rather on our limited Radar real estate.

Adopt
We feel strongly that the industry should be adopting these items. We use them when appropriate in our projects.

Trial
Worth pursuing. It’s important to understand how to build up this capability. Enterprises can try this technology on a project that can handle the risk.

Assess
Worth exploring with the goal of understanding how it will affect your enterprise.

Hold
Proceed with caution.
Themes for this edition

Platform Teams Drive Speed to Market

Increasingly, organizations are adopting a platform team concept: set up a dedicated group that creates and supports internal platform capabilities — cloud native, continuous delivery, modern observability, AuthZ/N patterns, service mesh, and so on — then use those capabilities to accelerate application development, reduce operational complexity and improve time to market. This growing maturity is welcome and we first featured this technique in the Radar in 2017. But with increasing maturity, we’re also discovering antipatterns that organizations should avoid. For example, “one platform to rule them all” may not be optimal, “big platform up front” may take years to deliver value and “build it and they will come” might end up as a wasted effort. Instead, using a product-thinking approach can help you clarify what each of your internal platforms should provide, depending on its customers. Companies that put their platform teams behind a ticketing system like an old-school operations silo find the same disadvantages of misaligned prioritization: slow feedback and response, resource allocation contention and other well-known problems caused by the silo. We’ve also seen several new tools and integration patterns for teams and technologies emerge, allowing more effective partitioning of both.

Consolidated Convenience over Best in Class

As engineering practices that feature automation, scale and other modern goals become more commonplace with development teams, we see corresponding developer-facing tool integration on platforms, particularly in the cloud space. For example, artifact repositories, source control, CI/CD pipelines, wikis, and similar tools were usually hand-picked by development teams and stitched together à la carte. Now, delivery platforms such as Azure DevOps and ecosystems such as GitHub have subsumed many of these tool categories. While the level of maturity varies across platform offerings, the appeal of a “one-stop shop” for delivery tooling is undeniable. Overall, it seems that the trade-off lies with having consolidated tool stacks offer greater developer convenience and less churn, but the set of tools rarely represents the best possible.

Perennially “Too Complex to Blip”

In Radar nomenclature, the final status after discussion for many complex topics is “TCTB — too complex to blip”: items that defy classification because they offer a number of pros and cons, a high amount of nuance as to the applicability of the advice or tool or other reasons that prevent us from summarizing our opinions in a few sentences. Frequently, these topics go on to articles, podcasts, and other non-Radar destinations. Some of our richest conversations center on these topics: they’re important but complex, preventing a single succinct point of view. Numerous topics recur meeting after meeting — and, critically, with several of our client engagements — that eventually fall to TCTB, including monorepos, orchestration guidelines for distributed architectures and branching models, among others. For those who wonder why these important topics don’t make it into the Radar, it’s not for lack of awareness or desire on our part. Like many topics in software development, too many trade-offs exist to allow clear, unambiguous advice. We sometimes do find smaller pieces of the larger topics that we can offer advice on that do make it in the Radar, but the larger topics remain perpetually too nuanced and unsettled for the Radar.

Discerning the Context for Architectural Coupling

A topic that recurs virtually every meeting (see “Perennially ‘Too Complex to Blip’”) is the appropriate level of coupling in software architecture between microservices, components, API gateways, integration hubs, frontends, and so on... pretty much everywhere two pieces of software might connect, architects and developers struggle finding the correct level of coupling — much common advice encourages extreme decoupling, but that makes building workflows difficult. Coupling in architecture touches on many important considerations: how things are wired, understanding the inherent semantic coupling within each problem domain, how things call one another or how transactionality works (sometimes in combination with other tricky features like scalability). Software can’t exist without some level of coupling outside of singular monolithic systems; arriving at the right set of trade-offs to determine the types and levels of coupling becomes a critical skill with modern architectures. We do see specific bad practices such as generating code for client libraries and good practices such as the judicious use of the BFF patterns. However, general advice in this realm is useless and silver bullets don’t exist. Invest time and effort in understanding the factors at play when making these decisions on a case-by-case basis rather than seeking a generic but inadequate solution.

The Radar

Techniques

Adopt
1. API expand-contract
2. Continuous delivery for machine learning (CD4ML)
3. Design systems
4. Platform engineering product teams
5. Service account rotation approach

Trial
6. Cloud sandboxes
7. Contextual bandits
8. Distroless Docker images
9. Ethical Explorer
10. Hypothesis-driven legacy renovation
11. Lightweight approach to RFCs
12. Simplest possible ML
13. SPA injection
14. Team cognitive load
15. Tool-managed Xcodeproj
16. UI/BFF shared types

Assess
17. Bounded low-code platforms
18. Decentralized identity
19. Deployment drift radiator
20. Homomorphic encryption
21. Hotwire
22. Import maps for micro frontends
23. Open Application Model (OAM)
24. Privacy-focused web analytics
25. Remote mob programming
26. Secure multiparty computing

Hold
27. GitOps
28. Layered platform teams
29. Naive password complexity requirements
30. Peer review equals pull request
31. SAFe™
32. Separate code and pipeline ownership
33. Ticket-driven platform operating models

Platforms

Trial
34. AWS Cloud Development Kit
35. Backstage
36. Delta Lake
37. Materialize
38. Snowflake
39. Variable fonts

Assess
40. Apache Pinot
41. Bit.dev
42. DataHub
43. Feature Store
44. JuiceFS
45. Kafka API without Kafka
46. NATS
47. Opstrace
48. Pulumi
49. Redpanda

Hold
50. Azure Machine Learning
51. Homemade infrastructure-as-code (IaC) products

Tools

Adopt
52. Sentry

Trial
53. axe-core
54. dbt
55. esbuild
56. Flipper
57. Great Expectations
58. k6
59. MLflow
60. OR-Tools
61. Playwright
62. Prowler
63. Pyright
64. Redash
65. Terratest
66. Tuple
67. Why Did You Render

Assess
68. Buildah and Podman
69. GitHub Actions
70. Graal Native Image
71. HashiCorp Boundary
72. imgcook
73. Longhorn
74. Operator Framework
75. Recommender
76. Remote - WSL
77. Spectral
78. Yelp detect-secrets
79. Zally

Hold
80. AWS CodePipeline

Languages & Frameworks

Adopt
81. Combine
82. LeakCanary

Trial
83. Angular Testing Library
84. AWS Data Wrangler
85. Blazor
86. FastAPI
87. io-ts
88. Kotlin Flow
89. LitElement
90. Next.js
91. On-demand modules
92. Streamlit
93. SWR
94. TrustKit

Assess
95. .NET 5
96. bUnit
97. Dagster
98. Flutter for Web
99. Jotai and Zustand
100. Kotlin Multiplatform Mobile
101. LVGL
102. React Hook Form
103. River
104. Webpack 5 Module Federation

Techniques

API expand-contract
Adopt

The API expand-contract pattern, sometimes called parallel change, will be familiar to many, especially when used with databases or code; however, we only see low levels of adoption with APIs. Specifically, we’re seeing complex versioning schemes and breaking changes used in scenarios where a simple expand and then contract would suffice. For example, first adding to an API while deprecating an existing element, and then only later removing the deprecated elements once consumers are switched to the newer schema. This approach does require some coordination and visibility of the API consumers, perhaps through a technique such as consumer-driven contract testing.
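The expand-then-contract sequence above, worked through in Python as an added example (this is not code from the Radar or from ThoughtWorks). A user resource deprecates a combined name field in favour of split given and family names; during the expand phase both are served, and the contract step is gated on a minimal consumer-driven contract check standing in for the consumer visibility the text calls for. The response shape, the consumer names and their published contracts are constructed for illustration.

```python
"""API expand-contract (parallel change) with a consumer-driven contract gate.

Added example, not from the Radar. The /users response shape, the consumer
contracts and the migration helper are constructed for illustration: the
'name' field is deprecated in favour of 'given_name'/'family_name', and the
contract step is only allowed once every consumer has stopped reading 'name'."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List


@dataclass(frozen=True)
class Contract:
    """Fields one consumer reads from the response (what a consumer-driven
    contract test would publish)."""
    consumer: str
    required_fields: FrozenSet[str]


# Constructed: 'billing' still reads the deprecated field, 'mobile-app' has migrated.
CONTRACTS = [
    Contract("billing", frozenset({"id", "name", "email"})),
    Contract("mobile-app", frozenset({"id", "given_name", "family_name", "email"})),
]
DEPRECATED = frozenset({"name"})


def render_user(record: dict, *, contracted: bool = False) -> dict:
    """Producer side. During the expand phase the response carries the old
    'name' alongside the new split fields; contracted=True drops the deprecated
    element and is only safe once can_contract() returns True."""
    body = {
        "id": record["id"],
        "given_name": record["given_name"],
        "family_name": record["family_name"],
        "email": record["email"],
    }
    if not contracted:
        # Deprecated element, still served so unmigrated consumers keep working.
        body["name"] = f"{record['given_name']} {record['family_name']}"
    return body


def broken_consumers(response: dict, contracts: Iterable[Contract]) -> List[str]:
    """Consumers whose required fields are missing from this response."""
    return [c.consumer for c in contracts if not c.required_fields.issubset(response)]


def can_contract(contracts: Iterable[Contract], deprecated=DEPRECATED) -> bool:
    """The contract step is safe only when no consumer still depends on a
    deprecated field."""
    return not any(c.required_fields & deprecated for c in contracts)


def migrate(contracts: Iterable[Contract], consumer: str, new_fields: Iterable[str]) -> List[Contract]:
    """Replace one consumer's published contract (constructed helper standing in
    for the consumer team updating its contract tests)."""
    return [Contract(c.consumer, frozenset(new_fields)) if c.consumer == consumer else c
            for c in contracts]


if __name__ == "__main__":
    record = {"id": 7, "given_name": "Ada", "family_name": "Lovelace", "email": "ada@example.test"}
    print("expand phase breaks:", broken_consumers(render_user(record), CONTRACTS))
    print("can contract now?", can_contract(CONTRACTS))
    moved = migrate(CONTRACTS, "billing", {"id", "given_name", "family_name", "email"})
    print("after billing migrates, can contract?", can_contract(moved))
    print("contracted response breaks:", broken_consumers(render_user(record, contracted=True), moved))
```

The point of the gate is that the producer never has to guess who still reads the deprecated field: the contract step is a mechanical check against what consumers have published, and a version bump is never needed.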
Continuous delivery for machine learning (CD4ML)
Adopt

We see continuous delivery for machine learning (CD4ML) as a good default starting point for any ML solution that is being deployed into production. Many organizations are becoming more reliant on ML solutions for both customer offerings and internal operations, so it makes sound business sense to apply the lessons and good practice captured by continuous delivery (CD) to ML solutions.

Design systems
Adopt

As application development becomes increasingly dynamic and complex, it’s a challenge to deliver accessible and usable products with consistent style. This is particularly true in larger organizations with multiple teams working on different products. Design systems define a collection of design patterns, component libraries and good design and engineering practices that ensure consistent digital products. Built on the corporate style guides of the past, design systems offer shared libraries and documents that are easy to find and use. Generally, guidance is written down as code and kept under version control so that the guide is less ambiguous and easier to maintain than simple documents. Design systems have become a standard approach when working across teams and disciplines in product development because they allow teams to focus. They can address strategic challenges around the product itself without reinventing the wheel every time a new visual component is needed.

Platform engineering product teams
Adopt

As noted in one of the themes for this edition, the industry is increasingly gaining experience with platform engineering product teams that create and support internal platforms. These platforms are used by teams across an organization and accelerate application development, reduce operational complexity and improve time to market. With increasing adoption we’re also clearer on both good and bad patterns for this approach. When creating a platform, it’s critical to have clearly defined customers and products that will benefit from it rather than building in a vacuum. We caution against layered platform teams that simply preserve existing technology silos but apply the “platform team” label, as well as against ticket-driven platform operating models. We’re still big fans of using concepts from Team Topologies as we think about how best to organize platform teams. We consider platform engineering product teams to be a standard approach and a significant enabler for high-performing IT.

Service account rotation approach
Adopt

We strongly advise organizations to make sure, when they really need to use cloud service accounts, that they are rotating the credentials. Rotation is one of the three R’s of security. It is far too easy for organizations to forget about these accounts unless an incident occurs. This leads to accounts with unnecessarily broad permissions remaining in use for long periods, alongside a lack of planning for how to replace or rotate them. Regularly applying a cloud service account rotation approach also provides a chance to exercise the principle of least privilege.

Cloud sandboxes
Trial

As the cloud is becoming more and more a commodity and being able to spin up cloud sandboxes is easier and available at scale, our teams prefer cloud-only (as opposed to local) development environments to reduce maintenance complexity. We’re seeing that the tooling to do local simulation of cloud-native services limits the confidence in developer build and test cycles; therefore, we’re looking to focus on standardizing cloud sandboxes over running cloud-native components on a developer machine. This will drive good infrastructure-as-code practices as a forcing function and good onboarding processes for provisioning sandbox environments for developers. There are risks associated with this transition, as it assumes that developers will have an absolute dependency on cloud environment availability, and it may slow down the developer feedback loop. We strongly recommend you adopt some lean governance practices regarding standardization of these sandbox environments, especially with regard to security, IAM and regional deployments.

Contextual bandits
Trial

Contextual bandits is a type of reinforcement learning that is well suited for problems with exploration/exploitation trade-offs. Named after “bandits,” or slot machines, in casinos, the algorithm explores different options to learn more about expected outcomes and balances this by exploiting the options that perform well. We’ve successfully used this technique in scenarios where we’ve had little data to train and deploy other machine-learning models. The fact that we can add context to this explore/exploit trade-off makes it suitable for a wide variety of use cases including A/B testing, recommendations and layout optimizations.

Distroless Docker images
Trial

When building Docker images for our applications, we’re often concerned with two things: the security and the size of the image. Traditionally, we’ve used container security scanning tools to detect and patch common vulnerabilities and exposures and small distributions such as Alpine Linux to address the image size and distribution performance. But with rising security threats, eliminating all possible attack vectors is more important than ever. That’s why distroless Docker images are becoming the default choice for deployment containers. Distroless Docker images reduce the footprint and dependencies by doing away with a full operating system distribution. This technique reduces security scan noise and the application attack surface. Moreover, fewer vulnerabilities need to be patched and, as a bonus, these smaller images are more efficient. Google has published a set of distroless container images for different languages. You can create distroless application images using the Google build tool Bazel or simply use multistage Dockerfiles. Note that distroless containers by default don’t have a shell for debugging. However, you can easily find debug versions of distroless containers online, including a BusyBox shell. Distroless Docker images is a technique pioneered by Google and, in our experience, is still largely confined to Google-generated images. We would be more comfortable if there were more than one provider to choose from. Also, use caution when applying Trivy or similar vulnerability scanners, since distroless containers are only supported in more recent versions.

Ethical Explorer
Trial

The group behind Ethical OS — the Omidyar Network, a self-described social change venture created by eBay founder Pierre Omidyar — has released a new iteration called Ethical Explorer. The new Ethical Explorer pack draws on lessons learned from using Ethical OS and adds further questions for product teams to consider. The kit, which can be downloaded for free and folded into cards to trigger discussion, has open-ended question prompts for several technical “risk zones,” including surveillance (“can someone use our product or service to track or identify other users?”), disinformation, exclusion, algorithmic bias, addiction, data control, bad actors and outsized power. The included field guide has activities and workshops, ideas for starting conversations and tips for gaining organizational buy-in. While we have a long way to go as an industry to better represent the ethical externalities of our digital society, we’ve had some productive conversations using Ethical Explorer, and we’re encouraged by the broadening awareness of the importance of product decisions in addressing societal issues.

Hypothesis-driven legacy renovation
Trial

We’re often asked to refresh, update or remediate legacy systems that we didn’t originally build. Sometimes, technical issues need our attention, such as improving performance or reliability. One common approach to address these issues is to create “technical stories” using the same format as a user story but with a technical outcome rather than a business one. But these technical tasks are often difficult to estimate, take longer than anticipated or don’t end up having the desired outcome. An alternative, more successful method is to apply hypothesis-driven legacy renovation. Rather than working toward a standard backlog, the team takes ownership of a measurable technical outcome and collectively establishes a set of hypotheses about the problem. They then conduct iterative, time-boxed experiments to verify or disprove each hypothesis in order of priority. The resulting workflow is optimized for reducing uncertainty rather than following a plan toward a predictable outcome.

Lightweight approach to RFCs
Trial

As organizations drive toward evolutionary architecture, it’s important to capture decisions around design, architecture, techniques and teams’ ways of working. The process of collecting and aggregating feedback that will lead to these decisions begins with Requests for Comments (RfCs). RfCs are a technique for collecting context, design and architectural ideas and collaborating with teams to ultimately come to decisions along with their context and consequences. We recommend that organizations take a lightweight approach to RFCs by using a simple standardized template across many teams as well as version control to capture RfCs. It’s important to keep a record of these decisions to benefit future team members and to capture the technical and business evolution of an organization. Mature organizations have used RfCs in autonomous teams to drive better communication and collaboration, especially in decisions that are relevant across teams.

Simplest possible ML
Trial

All major cloud providers offer a dazzling array of machine-learning (ML) solutions. These powerful tools can provide a lot of value, but come at a cost. There is the pure run cost for these services charged by the cloud provider. In addition, there is a kind of operations tax. These complex tools need to be understood and operated, and with each new tool added to the architecture this tax burden increases. In our experience, teams often choose complex tools because they underestimate the power of simpler tools such as linear regression. Many ML problems don’t require a GPU or neural networks. For that reason we advocate for the simplest possible ML, using simple tools and models and a few hundred lines of Python on the compute platform you have at hand. Only reach for the complex tools when you can demonstrate the need for them.

SPA injection
Trial

The strangler fig pattern is often the default strategy for legacy modernization, where the new code wraps around the old and slowly absorbs the ability to handle all the needed functionality. That sort of “outside-in” approach works well for a number of legacy systems, but now that we’ve had enough experience with single-page applications (SPAs) for them to become legacy systems themselves, we’re seeing the opposite “inside-out” approach used to replace them. Instead of wrapping the legacy system, we embed the beginning of the new SPA into the HTML document containing the old one and let it slowly expand in functionality. The SPA frameworks don’t even need to be the same, as long as users can tolerate the performance hit of the increased page size (e.g., embedding a new React app inside an old AngularJS one). SPA injection allows you to iteratively remove the old SPA until the new one completely takes over. Whereas a strangler fig can be viewed as a type of parasite that uses the host tree’s stable external surface to support itself until it takes root and the host itself dies, this approach is more like injecting an outside agent into the host, relying on functionality of the original SPA until it can completely take over.
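Returning to the service account rotation approach above: the following added example (not code from the Radar or from ThoughtWorks) audits an inventory of service-account keys the way a periodic rotation job would, flagging keys past a maximum age for rotation, keys that have sat idle for removal, and, because the text frames rotation as the moment to exercise least privilege, listing permissions that were granted but never exercised. The inventory, the access-log summary and the two thresholds are constructed for this example; in practice the records come from your provider’s IAM API (a credential report or key listing), and the field names here are an assumption.

```python
"""Rotation audit for cloud service-account keys.

Added example, not from the Radar. The key inventory and access-log summary
below are constructed samples standing in for what you would pull from your
provider's IAM API (a credential report or key listing); the field names and
the two thresholds are assumptions of this example."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, Optional

MAX_KEY_AGE = timedelta(days=90)    # assumed policy: rotate keys older than this
UNUSED_AFTER = timedelta(days=60)   # assumed policy: idle keys become removal candidates
TODAY = date(2021, 4, 1)            # fixed "now" so the audit is reproducible


@dataclass(frozen=True)
class KeyRecord:
    account: str
    key_id: str
    created: date
    last_used: Optional[date]       # None means the key never authenticated
    granted: FrozenSet[str]         # permissions attached to the account
    used: FrozenSet[str]            # permissions actually exercised (from access logs, assumed)


# Constructed inventory: one stale-but-active key, one forgotten key, one healthy key.
SAMPLE_KEYS = [
    KeyRecord("ci-deployer", "key-01", date(2020, 10, 1), date(2021, 3, 31),
              frozenset({"s3:GetObject", "s3:PutObject", "iam:PassRole", "ec2:*"}),
              frozenset({"s3:GetObject", "s3:PutObject"})),
    KeyRecord("legacy-reporting", "key-02", date(2019, 1, 15), None,
              frozenset({"rds:*", "s3:*"}), frozenset()),
    KeyRecord("metrics-writer", "key-03", date(2021, 3, 1), date(2021, 4, 1),
              frozenset({"cloudwatch:PutMetricData"}),
              frozenset({"cloudwatch:PutMetricData"})),
]


def classify(key, today):
    """'remove' if idle (or never used) longer than UNUSED_AFTER, else 'rotate'
    if older than MAX_KEY_AGE, else 'ok'. Idle time for a never-used key is
    counted from creation, so a brand-new key is not flagged for removal."""
    idle = today - (key.last_used or key.created)
    if idle > UNUSED_AFTER:
        return "remove"
    if today - key.created > MAX_KEY_AGE:
        return "rotate"
    return "ok"


def audit(keys, today):
    """One finding per key. excess_permissions lists what was granted but never
    used: the rotation is the moment to drop them (least privilege)."""
    return [
        {
            "account": k.account,
            "key_id": k.key_id,
            "action": classify(k, today),
            "age_days": (today - k.created).days,
            "excess_permissions": sorted(k.granted - k.used),
        }
        for k in keys
    ]


def summary(findings):
    """Count findings by action, e.g. {'rotate': 1, 'remove': 1, 'ok': 1}."""
    counts = {}
    for f in findings:
        counts[f["action"]] = counts.get(f["action"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit(SAMPLE_KEYS, TODAY):
        print(f"{f['account']:<18}{f['action']:<8}age={f['age_days']:<5}"
              f"excess={','.join(f['excess_permissions']) or '-'}")
    print(summary(audit(SAMPLE_KEYS, TODAY)))
```

Run against the sample, the stale deployer key is due for rotation and, while it is being reissued, should lose the `iam:PassRole` and `ec2:*` grants it never used; the reporting key that has never authenticated is a removal candidate rather than something to rotate and keep alive.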
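For the contextual bandits entry above, an added example (not code from the Radar or from ThoughtWorks) of the simplest form of the technique: an epsilon-greedy bandit that keeps separate per-arm reward estimates for each context, so the explore/exploit trade-off is resolved per user segment rather than globally. The layout-optimization setting, the two contexts, the two arms and the true click rates in the simulated environment are constructed assumptions of this example.

```python
"""Epsilon-greedy contextual bandit.

Added example, not from the Radar. Each context (here a user segment) keeps
its own per-arm reward estimates, so exploration and exploitation happen per
context. The environment at the bottom is a constructed simulation whose
reward probabilities are assumptions of this example."""
import random
from collections import defaultdict


class ContextualBandit:
    def __init__(self, arms, epsilon=0.1, rng=None):
        self.arms = list(arms)
        self.epsilon = epsilon
        self.rng = rng or random.Random(0)
        # counts[context][arm] and means[context][arm]: incremental reward averages
        self.counts = defaultdict(lambda: {a: 0 for a in self.arms})
        self.means = defaultdict(lambda: {a: 0.0 for a in self.arms})

    def best_arm(self, context):
        """Exploit: the arm with the highest estimated reward for this context."""
        means = self.means[context]
        return max(self.arms, key=lambda a: means[a])

    def choose(self, context):
        """Explore a random arm with probability epsilon, otherwise exploit."""
        if self.rng.random() < self.epsilon:
            return self.rng.choice(self.arms)
        return self.best_arm(context)

    def update(self, context, arm, reward):
        """Incremental mean update, so no reward history has to be stored."""
        self.counts[context][arm] += 1
        n = self.counts[context][arm]
        self.means[context][arm] += (reward - self.means[context][arm]) / n


# Constructed environment: true click probability per (context, layout).
# The best layout differs by context, which is what a non-contextual bandit would miss.
TRUE_RATES = {
    "mobile": {"layout_a": 0.8, "layout_b": 0.2},
    "desktop": {"layout_a": 0.3, "layout_b": 0.7},
}


def simulate(rounds=3000, seed=7):
    """Run the bandit against TRUE_RATES. Returns the learned best arm per
    context and the total reward collected while learning."""
    env_rng = random.Random(seed)
    bandit = ContextualBandit(["layout_a", "layout_b"], epsilon=0.1,
                              rng=random.Random(seed + 1))
    total = 0
    for _ in range(rounds):
        context = env_rng.choice(list(TRUE_RATES))
        arm = bandit.choose(context)
        reward = 1 if env_rng.random() < TRUE_RATES[context][arm] else 0
        bandit.update(context, arm, reward)
        total += reward
    return {c: bandit.best_arm(c) for c in TRUE_RATES}, total


if __name__ == "__main__":
    learned, total = simulate()
    print("learned best layout per context:", learned)
    print("reward collected during learning:", total)
```

The estimates are plain running means, which is enough to show the mechanism; in production the context is usually a feature vector and the per-arm estimate a small model, but the explore/exploit loop is the same.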
Team cognitive load
Trial

A system’s architecture mimics organizational structure and its communication. It’s not big news that we should be intentional about how teams interact — see, for instance, the Inverse Conway Maneuver. Team interaction is one of the variables for how fast and how easily teams can deliver value to their customers. We were happy to find a way to measure these interactions; we used the Team Topologies author’s assessment, which gives you an understanding of how easy or difficult the teams find it to build, test and maintain their services. By measuring team cognitive load, we could better advise our clients on how to change their teams’ structure and evolve their interactions.

Tool-managed Xcodeproj
Trial

Many of our developers coding iOS in Xcode often get headaches because the Xcodeproj file changes with every project change. The Xcodeproj file format is not human-readable, hence trying to handle merge conflicts is quite complicated and can lead to productivity loss and risk of messing up the entire project — if anything goes wrong with the file, Xcode won’t work properly and developers will very likely be blocked. Instead of trying to merge and fix the file manually or version it, we recommend you use a tool-managed Xcodeproj approach: define your Xcode project configuration in YAML (XcodeGen, Struct), Ruby (Xcake) or Swift (Tuist). These tools generate the Xcodeproj file based on a configuration file and the project structure. As a result, merge conflicts in the Xcodeproj file will be a thing of the past, and when they do happen in the configuration file, they’re much easier to handle.

UI/BFF shared types
Trial

With TypeScript becoming a common language for front-end development and Node.js becoming the preferred BFF technology, we’re seeing increasing use of UI/BFF shared types. In this technique, a single set of type definitions is used to define both the data objects returned by front-end queries and the data served to satisfy those queries by the back-end server. Ordinarily, we would be cautious about this practice because of the unnecessarily tight coupling it creates across process boundaries. However, many teams are finding that the benefits of this approach outweigh any risks of tight coupling. Since the BFF pattern works best when the same team owns both the UI code and the BFF, often storing both components in the same repository, the UI/BFF pair can be viewed as a single cohesive system. When the BFF offers strongly typed queries, the results can be tailored to the specific needs of the frontend rather than reusing a single, general-purpose entity that must serve the needs of many consumers and contain more fields than actually required. This reduces the risk of accidentally exposing data that the user shouldn’t see, prevents incorrect interpretation of the returned data object and makes the query more expressive. This practice is particularly useful when implemented with io-ts to enforce run-time type safety.

Bounded low-code platforms
Assess

One of the most nuanced decisions facing companies at the moment is the adoption of low-code or no-code platforms, that is, platforms that solve very specific problems in very limited domains. Many vendors are pushing aggressively into this space. The problems we see with these platforms typically relate to an inability to apply good engineering practices such as versioning. Testing too is typically really hard. However, we noticed some interesting new entrants to the market — including Amazon Honeycode, which makes it easy to create simple task or event management apps, and Parabola for IFTTT-like cloud workflows — which is why we’re once again including bounded low-code platforms in this volume. Nevertheless, we remain deeply skeptical about their wider applicability since these tools, like Japanese knotweed, have a knack of escaping their bounds and tangling everything together. That’s why we still strongly advise caution in their adoption.

Decentralized identity
Assess

In 2016, Christopher Allen, a key contributor to SSL/TLS, inspired us with an introduction of 10 principles underpinning a new form of digital identity and a path to get there, the path to self-sovereign identity. Self-sovereign identity, also known as decentralized identity, is a “lifetime portable identity for any person, organization, or thing that does not depend on any centralized authority and can never be taken away,” according to the Trust over IP standard. Adopting and implementing decentralized identity is gaining momentum and becoming attainable. We see its adoption in privacy-respecting customer health applications, government healthcare infrastructure and corporate legal identity. If you want to rapidly get started with decentralized identity, you can assess Sovrin Network, Hyperledger Aries and Indy OSS, as well as the decentralized identifiers and verifiable credentials standards. We’re watching this space closely as we help our clients with their strategic positioning in the new era of digital trust.
Techniques

Deployment drift radiator
Assess

A deployment drift radiator makes version drift visible for deployed software across multiple environments. Organizations using automated deployments may require manual approvals for environments that get closer to production, meaning the code in these environments might well be lagging several versions behind current development. This technique makes this lag visible via a simple dashboard showing how far behind each deployed component is for each environment. This helps to highlight the opportunity cost of completed software not yet in production while drawing attention to related risks such as security fixes not yet deployed.

Homomorphic encryption
Assess

Fully homomorphic encryption (HE) refers to a class of encryption methods that allow computations (such as search and arithmetic) to be performed directly on encrypted data. The result of such a computation remains in encrypted form, which at a later point can be decrypted and revealed. Although the HE problem was first proposed in 1978, a solution wasn’t constructed until 2009. With advances in computing power and the availability of easy-to-use open-source libraries — including SEAL, Lattigo, HElib and partially homomorphic encryption in Python — HE is becoming feasible in real-world applications. The motivating scenarios include privacy-preserving use cases, where computation can be outsourced to an untrusted party, for example, running computation on encrypted data in the cloud, or enabling a third party to aggregate homomorphically encrypted intermediate federated machine learning results. Moreover, most HE schemes are considered to be secure against quantum computers, and efforts are underway to standardize HE. Despite its current limitations, namely performance and feasibility of the types of computations, HE is worth your attention.

Hotwire
Assess

Hotwire (HTML over the wire) is a technique to build web applications. Pages are constructed out of components, but unlike modern SPAs the HTML for the components is generated on the server side and then sent “over the wire” to the browser. The application has only a small amount of JavaScript code in the browser to stitch the HTML fragments together. Our teams, and doubtlessly others too, experimented with this technique after asynchronous web requests gained cross-browser support around 2005, but for various reasons it never gained much traction.

Today, Hotwire uses modern web browser and HTTP capabilities to achieve the speed, responsiveness and dynamic nature of single-page apps (SPAs). It embraces simpler web application design by localizing the logic to the server and keeping the client-side code simple. The team at Basecamp has released a few Hotwire frameworks that power their own application, including Turbo and Stimulus. Turbo includes a set of techniques and frameworks to speed up the application responsiveness by preventing whole page reloading, page preview from cache and decomposing the page into fragments with progressive enhancements on request. Stimulus is designed to enhance static HTML in the browser by connecting JavaScript objects to the page elements on the HTML.

Import maps for micro frontends
Assess

When composing an application out of several micro frontends, some part of the system needs to decide which micro frontends to load and where to load them from. So far, we’ve either built custom solutions or relied on a broader framework like single-spa. Now there is a new standard, import maps, that helps in both cases. Our first experiences show that using import maps for micro frontends allows for a neat separation of concerns. The JavaScript code states what to import and a small script tag in the initial HTML response specifies where to load the frontends from. That HTML is obviously generated on the server side, which makes it possible to use some dynamic configuration during its rendering. In many ways this technique reminds us of linker/loader paths for dynamic Unix libraries. At the moment import maps are only supported by Chrome, but with the SystemJS polyfill they’re ready for wider use.

Open Application Model (OAM)
Assess

The Open Application Model (OAM) is an attempt to bring some standardization to the space of shaping infrastructure platforms as products. Using the abstractions of components, application configurations, scopes and traits, developers can describe their applications in a platform-agnostic way, while platform implementers define their platform in terms of workload, trait and scope. Since we last talked about the OAM, we’ve followed one of its first implementations with interest, KubeVela. KubeVela is close to release 1.0, and we’re curious to see if implementations like this can substantiate the promise of the OAM idea.

Privacy-focused web analytics
Assess

Privacy-focused web analytics is a technique for gathering web analytics without compromising end user privacy by keeping the end users truly anonymous. One surprising consequence of General Data Protection Regulation (GDPR) compliance is the decision taken by many organizations to degrade the user experience with complex cookie consent processes, especially when the user doesn’t immediately consent to the “all the cookies” default settings. Privacy-focused web analytics has the dual benefit of both observing the spirit and letter of GDPR while also avoiding the need to introduce intrusive cookie consent forms. One implementation of this approach is Plausible.

Remote mob programming
Assess

Mob programming is one of those techniques that our teams have found to be easier when done remotely. Remote mob programming allows teams to quickly “mob” around an issue or piece of code without the physical constraints of only being able to fit so many people around a pairing station. Teams can quickly collaborate on an issue or piece of code without having to connect to a big display, book a physical meeting room or find a whiteboard.

Secure multiparty computing
Assess

Secure multiparty computing (MPC) solves the problem of collaborative computing that protects privacy between parties that do not trust each other. Its aim is to safely calculate an agreed-upon problem without a trusted third party, while each participant is required to partake in the calculation and the result can’t be obtained by other entities. A simple illustration for MPC is the millionaires’ problem: two millionaires want to understand who is the richest, but neither wants to share their actual net worth with each other nor trust a third party. The implementation approaches of MPC vary; scenarios may include secret sharing, oblivious transfer, garbled circuits or homomorphic encryption. Some commercial MPC solutions that have recently appeared (e.g., Antchain Morse) claim to help solve the problems of secret sharing and secure machine learning in scenarios such as multiparty joint credit investigation and medical records data exchange. Although these platforms are attractive from a marketing perspective, we’ve yet to see whether they’re really useful.

GitOps
Hold

We suggest approaching GitOps with a degree of care, especially with regard to branching strategies. GitOps can be seen as a way of implementing infrastructure as code that involves continuously synchronizing and applying infrastructure code from Git into various environments. When used with a “branch per environment” infrastructure, changes are promoted from one environment to the next by merging code. While treating code as the single source of truth is clearly a sound approach, we’re seeing branch per environment lead to environmental drift and eventually environment-specific configs, as code merges become problematic or even stop entirely. This is very similar to what we’ve seen in the past with long-lived branches with GitFlow.

Layered platform teams
Hold

The explosion of interest around software platforms has created a lot of value for organizations, but the path to building a platform-based delivery model is fraught with potential dead ends. It’s common in the excitement of new paradigms to see a resurgence of older techniques rebranded with the new vernacular, making it easy to lose sight of the reasons we moved past those techniques in the first place. For an example of this rebranding, see our blip on traditional ESBs make a comeback as API gateways in the previous Radar. Another example we’re seeing is rehashing the approach of dividing teams by technology layer but calling them platforms. In the context of building an application, it used to be common to have a front-end team separate from the business logic team separate from the data team, and we see analogs to that model when organizations segregate platform capabilities among teams dedicated to a business or data layer. Thanks to Conway’s Law, we know that organizing platform capability teams around business capabilities is a more effective model, giving the team end-to-end ownership of the capability, including data ownership. This helps to avoid the dependency management headaches of layered platform teams, with the front-end team waiting on the business logic team waiting on the data team to get anything done.

Naive password complexity requirements
Hold

Password policies are a standard default for many organizations today. However, we’re still seeing organizations requiring passwords to include a variety of symbols, numbers, uppercase and lowercase letters as well as inclusion of special characters. These are naive password complexity requirements that lead to a false sense of security as users will opt for more insecure passwords because the alternative is difficult to remember and type. According to NIST recommendations, the primary factor in password strength is password length, and therefore users should choose long passphrases with a maximum requirement of 64 characters (including spaces). These passphrases are more secure and memorable.

Peer review equals pull request
Hold

Some organizations seem to think peer review equals pull request; they’ve taken the view that the only way to achieve a peer review of code is via a pull request. We’ve seen this approach create significant team bottlenecks as well as significantly degrade the quality of feedback as overloaded reviewers begin to simply reject requests. Although the argument could be made that this is one way to demonstrate code review “regulatory compliance”, one of our clients was told this was invalid since there was no evidence the code was actually read by anyone prior to acceptance. Pull requests are only one way to manage the code review workflow; we urge people to consider other approaches, especially where there is a need to coach and pass on feedback carefully.

SAFe™
Hold

Our positioning regarding “being agile before doing agile” and our opinions around this topic shouldn’t come as a surprise; but since SAFe™ (Scaled Agile Framework®), per Gartner’s May 2019 report, is the most considered and most used enterprise agile framework, and since we’re seeing more and more enterprises going through organizational changes, we thought it was time to raise awareness on this topic again. We’ve come across organizations struggling with SAFe’s over-standardized, phase-gated processes. Those processes create friction in the organizational structure and its operating model. They can also promote silos in the organization, preventing platforms from becoming real business capabilities enablers. The top-down control generates waste in the value stream and discourages engineering talent creativity, while limiting autonomy and experimentation in the teams. Rather than measuring effort and focusing on standardized ceremonies, we recommend a leaner, value-driven approach and governance, such as EDGE, to help eliminate organizational friction, as well as a team cognitive load assessment to identify types of teams and determine how they should better interact with each other.

Scaled Agile Framework® and SAFe™ are trademarks of Scaled Agile, Inc.

Separate code and pipeline ownership
Hold

Ideally, but especially when teams are practicing DevOps, the deployment pipeline and the code being deployed should be owned by the same team. Unfortunately, we still see organizations where there is separate code and pipeline ownership, with the deployment pipeline configuration owned by the infrastructure team; this results in delays to changes, barriers to improvements and a lack of development team ownership and involvement in deployments. One cause of this can clearly be the separate team; another can be the desire to retain “gatekeeper” processes and roles. Although there can be legitimate reasons for using this approach (e.g., regulatory control), in general we find it painful and unhelpful.

Ticket-driven platform operating models
Hold

One of the ultimate goals of a platform should be to reduce ticket-based processes to an absolute minimum, as they create queues in the value stream. Sadly, we still see organizations not pushing forcefully enough toward this important goal, resulting in a ticket-driven platform operating model. This is particularly frustrating when ticket-based processes are put in front of platforms that are built on top of the self-service and API-driven features of public cloud vendors. It’s hard and not necessary to achieve self-service with very few tickets right from the start, but it needs to be the destination.

Over-reliance on bureaucracy and lack of trust are among the causes of this reluctance to move away from ticket-based processes. Baking more automated checks and alerts into your platform is one way to help cut the cord from approval processes with tickets. For example, provide teams with visibility into their run costs and put in automated guardrails to avoid accidental explosion of costs. Implement security policy as code and use configuration scanners or analyzers like Recommender to help teams do the right thing.
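The deployment drift radiator blip above describes a dashboard of how far each environment lags per component. As an added example (not ThoughtWorks’ code), the following computes that data model from a constructed release history and deployment record, and flags environments that are missing a release tagged as a security fix, which is the risk the blip calls out.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Release:
    version: str
    security_fix: bool = False  # tag releases that carry a security fix


# Constructed sample data: release history per component, oldest first.
RELEASES = {
    "checkout-api": [Release("1.4.0"), Release("1.5.0", security_fix=True),
                     Release("1.6.0"), Release("1.7.0")],
    "web-frontend": [Release("3.1.0"), Release("3.2.0")],
}

# Constructed sample data: what each environment currently runs, as a
# radiator would read it from deployment records or a CD tool's API.
DEPLOYED = {
    "dev":     {"checkout-api": "1.7.0", "web-frontend": "3.2.0"},
    "staging": {"checkout-api": "1.6.0", "web-frontend": "3.2.0"},
    "prod":    {"checkout-api": "1.4.0", "web-frontend": "3.1.0"},
}


def drift(deployed_version, releases):
    """How many releases a deployed component lags the newest one, and how
    many of the releases it is missing carry a security fix."""
    versions = [r.version for r in releases]
    if deployed_version not in versions:
        raise ValueError(f"unknown version {deployed_version!r}")  # drift unknowable
    pending = releases[versions.index(deployed_version) + 1:]
    return {"versions_behind": len(pending),
            "security_fixes_pending": sum(r.security_fix for r in pending)}


def radiator(releases=RELEASES, deployed=DEPLOYED):
    """Drift for every (environment, component) pair: the dashboard's data."""
    return {env: {comp: drift(ver, releases[comp]) for comp, ver in comps.items()}
            for env, comps in deployed.items()}


def render(board):
    """Plain-text radiator; a security fix not yet deployed gets a '!' marker."""
    lines = []
    for env, comps in board.items():
        for comp, d in comps.items():
            flag = " !" if d["security_fixes_pending"] else ""
            lines.append(f"{env:8} {comp:14} {d['versions_behind']} behind{flag}")
    return lines


if __name__ == "__main__":
    print("\n".join(render(radiator())))
```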
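The homomorphic encryption blip above mentions an untrusted party aggregating encrypted intermediate results. As an added example (not ThoughtWorks’ code and not one of the libraries the blip names), this is textbook Paillier, a partially (additively) homomorphic scheme: the aggregator computes a weighted sum of ciphertexts with only the public key, and only the key holder can read the result. The primes are small demo values constructed for readability, not secure parameters.

```python
from math import gcd
from secrets import randbelow


def keygen(p, q):
    """Paillier key pair from two primes. Assumes gcd(pq, (p-1)(q-1)) == 1,
    which holds for primes of equal bit length."""
    n = p * q
    n2 = n * n
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    g = n + 1                                        # standard simplifying choice
    mu = pow((pow(g, lam, n2) - 1) // n, -1, n)      # inverse of L(g^lam mod n^2)
    return (n, g), (lam, mu)


def encrypt(pub, m):
    n, g = pub
    n2 = n * n
    r = randbelow(n - 1) + 1                 # fresh randomness: same m, different c
    while gcd(r, n) != 1:
        r = randbelow(n - 1) + 1
    return pow(g, m % n, n2) * pow(r, n, n2) % n2


def decrypt(pub, priv, c):
    n, _ = pub
    lam, mu = priv
    return (pow(c, lam, n * n) - 1) // n * mu % n


def add(pub, c1, c2):
    """Ciphertext of m1 + m2, computed without the private key."""
    return c1 * c2 % (pub[0] ** 2)


def scale(pub, c, k):
    """Ciphertext of k * m for a plaintext constant k."""
    return pow(c, k, pub[0] ** 2)


def aggregate(pub, encrypted_updates, weights):
    """Untrusted aggregator: weighted sum of encrypted updates (a constructed
    stand-in for federated learning intermediates). It never sees a plaintext
    and cannot decrypt the total it produces."""
    total = encrypt(pub, 0)
    for c, w in zip(encrypted_updates, weights):
        total = add(pub, total, scale(pub, c, w))
    return total
```

Sums are computed modulo n, so plaintexts and weighted totals must stay below n for the decrypted value to be the true sum.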
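The secure multiparty computing blip above lists secret sharing as one MPC approach. As an added example (not ThoughtWorks’ code), this is additive secret sharing over a prime field for a joint sum, the shape of a multiparty aggregation in which no party and no third party learns another party’s input; the comparison needed for the millionaires’ problem requires heavier machinery such as garbled circuits and is not shown. The protocol assumes parties follow it and do not all collude against one of them.

```python
from secrets import randbelow

PRIME = 2**61 - 1   # field modulus; every value is reduced mod PRIME


def share(secret, n_parties):
    """Additive secret sharing: n random-looking shares whose sum is the secret.
    Any n-1 of them are uniformly random and reveal nothing about it."""
    shares = [randbelow(PRIME) for _ in range(n_parties - 1)]
    shares.append((secret - sum(shares)) % PRIME)
    return shares


def reconstruct(shares):
    return sum(shares) % PRIME


def deal(private_inputs):
    """Round 1: party i splits its input and sends share j to party j.
    dealt[i][j] is the share party i hands to party j (constructed in-memory
    here; in a real deployment it travels over an authenticated channel)."""
    n = len(private_inputs)
    return [share(x, n) for x in private_inputs]


def party_partial_sum(dealt, j):
    """Round 2: party j adds up the one share it received from every party and
    publishes only that partial sum, which is itself uniformly random."""
    return reconstruct(dealt[i][j] for i in range(len(dealt)))


def joint_sum(private_inputs):
    """Run the protocol end to end; the published partial sums add up to the
    total of all inputs without any input ever leaving its owner in the clear."""
    dealt = deal(private_inputs)
    partial_sums = [party_partial_sum(dealt, j) for j in range(len(dealt))]
    return reconstruct(partial_sums)
```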
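The naive password complexity blip above contrasts character-class rules with the NIST guidance (SP 800-63B) that favours length. As an added example (not ThoughtWorks’ code), the naive policy is shown beside a length-based one; the compromised-password list is a constructed placeholder for the breach corpus NIST recommends screening against.

```python
import unicodedata

# Constructed placeholder for a breached-password corpus.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "p@ssw0rd1!"}

MIN_LENGTH = 8
MAX_LENGTH = 64   # the 64-character maximum the blip cites


def naive_policy(pw: str) -> bool:
    """The 'Hold' practice: require upper, lower, digit and symbol, and treat
    eight characters as enough once those boxes are ticked."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))


def length_based_policy(pw: str) -> tuple[bool, str]:
    """Length-first policy in the spirit of the NIST guidance: accept any
    printable Unicode including spaces, enforce a minimum and the 64-character
    maximum, and reject values found in a compromised-password list.
    Returns (accepted, reason)."""
    normalized = unicodedata.normalize("NFKC", pw)   # stable length across input forms
    if len(normalized) < MIN_LENGTH:
        return False, "too short"
    if len(normalized) > MAX_LENGTH:
        return False, "longer than 64 characters"
    if any(unicodedata.category(c).startswith("C") for c in normalized):
        return False, "control characters not allowed"
    if normalized.lower() in COMMON_PASSWORDS:
        return False, "found in compromised-password list"
    return True, "ok"


def compare(pw: str) -> dict:
    """Side-by-side verdict of both policies for one candidate."""
    return {"naive": naive_policy(pw), "length_based": length_based_policy(pw)[0]}
```

A passphrase like "correct horse battery staple" fails the naive policy (no uppercase, digit or symbol) yet passes the length-based one, while "P@ssw0rd1!" satisfies every character-class rule and is still rejected because it is on the compromised list.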
Platforms
