tech predictions - jaxenter · context of devops, is that it separates dev and ops (although last...

The digital magazine for enterprise developers

Issue February 2019 | presented by www.jaxenter.com #67

Is DevOps going to eat the world? Seven predictions for the year ahead

Five tech trends we’ll see in 2019 Living the world of tomorrow – today

© Inked Pixels/Shutterstock.com

Crystal ball tech predictions

How to bring serverless to Kubernetes with Knative Mitigate the pain of monolith migrations

Editorial

www.JAXenter.com | February 2019 2

We started the year with a series of tech nightmares to keep you on your toes, but now it’s time to have a look at the most promising trends for 2019. And since we’ve made a habit of creating a DevOps goody bag at the beginning of each year, 2019 will be no exception.

This time, we’ve decided to ring in the new year with pre-dictions from the tech industry’s finest. We talked to Abby Kearns, executive director at Cloud Foundry Foundation about her DevOps predictions for 2019, what we got right and where we went wrong, we asked Michiel Rook, an in-dependent Continuous Delivery and DevOps coach to write down his continuous delivery predictions for the year ahead and we discussed with Jussi Nummelin, Developer Advocate at Kontena, some of the ways Kubernetes might go main-stream in the coming year. Hubert Stroebitzer, founder of IaaM (Infrastructure as a Meetup) in Linz, Austria will show you how to bring serverless to Kubernetes with Knative and

Ring in the new year with tech predictions

Inde

x

John Gray, co-founder of Infiniti, now an InterVision Com-pany, asks (and answers) a very important question: Will serverless computing replace containers in 2019?

Since this magazine issue is all about crystal ball tech pre-dictions, we’re looking at data security, DevOps, DevSecOps, CI/CD, cloud computing, containers and serverless, all wrapped up in nostalgic reflections and hopeful predictions.

Fun fact: Most of the articles included in the current issue are written by JAX DevOps (https://devops.jaxlondon.com) speakers so if you want to find out more about the topics presented in this JAX Magazine, you’ll have to attend their sessions. There’s still time to secure a spot in their talks; there are several different kinds of tickets available, so no matter what your needs are, there is sure to be a deal that fits you.

I wish you a happy reading!

Gabriela Motroc, Editor

Top 10 DevOps topics to look for in 2019 4Helen Beal

Five tech trends we’ll see in 2019 7Todor Gigilev

Decision- making: Data security in 2019 9Ralf Huuck

Is DevOps going to eat the world? 11Abby Kearns

Embracing DevSecOps in 2019 12Tim Mackey

Continuous delivery in 2019 14Michiel Rook

Five tips for utilizing CI/CD for 19microservices Nir Koren

What more to expect from CI/CD in 2019? 20Ambreen Sheikh

Cloud computing in 2019 22Daniel Bryant

What 2019 will bring for the cloud 24Jeff Keyes

Ten directions for Kubernetes to go in 2019 25Andrew Martin

Reaching for the stars with Kubernetes 28in 2019 Jussi Nummelin

Bringing serverless to Kubernetes 30with Knative Hubert Ströbitzer

Will serverless replace containers in 2019? 32John Gray

Three tips for serverless success in 2019 33Richard Seroter

Serverless is here to stay 35Nate Taggart

How to succeed in tech: Tips and tricks 36Profile: Isabel Muñoz Vilacides

https://devops.jaxlondon.com

Hot or Not


End of the line for Java 8 public updates Public updates for Java 8 will remain available for individual, personal use through at least the end of 2020 but business users aren’t that lucky – the “public updates” tap has been turned off a few weeks ago. If you’re a commercial user, you probably chose between the two existing options: you either updated to a newer Java version or chose a Java SE Subscription. The next update of Java 8, scheduled for April 16, 2019 (8u211 and the related 8u212 Patch Set Update), will be made available under a new license.

Assembly is crowned the language with the steepest learning curveA couple of months ago, we asked you to give your opinion on which program-ming language has the steepest learning curve and the results are in: Assembly is the hardest language to learn on a beginner level, closely followed by Haskell. Scala occupies the fourth position while Java is the 6th most difficult language to learn.

Containers and serverless are des-tined to dominate 2019The JAXenter community has spoken: 27 % of those who partic-ipated in our latest poll stated that containers are the technologies that will dominate 2019, followed by serverless with 25 %.

TIOBE crowns Python as the programming language of 2018What programming languages did we fall in love with in 2018? TIOBE knows the score – Python is their programming language of 2018! Its immense breadth and sustained growth are quintessential reasons why this programming language have earned it the top honors for 2018!

Jenkins community survey: Kubernetes usage rises by 235%The latest DevOps and Jenkins Community Survey offered very interesting insights into some key trends among the Jenkins community. The one thing that became evident from the participants’ responses is that cloud is skyrocketing with 78 % of respondents reporting that they are now using cloud services to host Jenkins. Anoth-er huge trend that we observed in the report is the tremendous growth of Kubernetes with a usage increase of 235 % since 2017!

A look into 2019 tech trends


by Helen Beal

Happy New Year one and all! Whilst time, or at least the Gregorian calendar, may be a human construct, I do enjoy the annual opportunity for navel gazing and setting intentions for a new dozen of months. I’ll be working with Zen Koans daily in 2019 as part of my evolving interests in meditation and the brain. This however, represents my thoughts about the world of DevOps in the coming year, and is also a reflection on my thoughts on the same a year ago.

The key DevOps topics I think we at Ranger4 will be tack-ling in 2019 are:

1. The demise of the DevOps team2. The rise of the DevOps dashboard

3. The DevOps target operating model4. AIOps5. Extension across the enterprise and leadership6. Value stream mapping and flow7. Value realisation8. Ending project-based funding9. Reversing outsourcing and avoiding a skills war10. DevSecOps and software liabilities11. Let’s have a look at each of them in some more detail.

1. The demise of the DevOps teamIn my 2018 predictions (check out number 7), I said that we’d see a dip in the number of DevOps teams reported. Whilst there wasn’t a decrease, for the first time since The State of

Incoming challenges

Top 10 DevOps topics to look for in 2019 In this article, JAX DevOps speaker Helen Beal shares her thoughts about the world of DevOps in the coming year and offers a reflection on the same topics for the past year.

© k

ikk/

Shu

tter

stoc

k.co

m



DevOps annual surveys and reports began, we didn’t see an increase but a flat 27 % year on year. We think this is good news as an indicator that the message is spreading that Dev-Ops is everyone’s job.

2. The rise of the DevOps dashboardWe’ve been thinking about DevOps Dashboards for a long time at Ranger4 and helping our clients build them according to the measurements their current fluency indicates are best to learn from using the systems they already have like Azure DevOps and Grafana and some have adopted Hygieia for this purpose. The outcome we are looking for is enterprise wide capability to measure to improve value realisations and the enablers are visible, accurate and real-time metrics. It’s tough to do though with the multitude of tools available and legacy systems not following the ‘telemetry everywhere’ principle. From the back end of 2017 though, we saw vendors such as XebiaLabs and ElectricCloud starting to use their tools as a kind of data fulcrum that we believe will ultimately make it easier for people to curate, share and act on the intelligence their DevOps toolchains are generating. The constraint is that organisations typically won’t access these dashboards if they are not already using the vendors’ products. We’d love to see a truly independent, accessible and configurable DevOps dashboard in 2019 that makes it quick and easy for teams and global organisations to measure their improvements. Please do let us know in the comments section if you believe you have one.

3. The DevOps target operating modelAs organisations adopt DevOps practices and seek to break down silos and dependencies, there is a realisation, that the traditional hierarchies and organisational structures present a constraint. As we work to distribute authority and drive autonomy and empowerment, it becomes increasingly ap-parent that layers of reporting lines and management are a command and control constraint. Whilst we move towards product centric, autonomous team models the challenge posed is how to get from where we are now, to where we want to be.

4. AIOpsLast year I mentioned AI and called it a red herring. I’ll stick with that as we haven’t seen any of the organisations we work with reach a level of fluency where they are using AI on a day to day basis. 2018 did see, particularly towards the latter part of the year, an increase in noise around AIOps. The noise is coming from vendors like Moogsoft, StackState, OpsRamp and Splunk. A Gartner term defined by BMC as: “multi-lay-

ered technology platforms that automate and enhance IT op-erations by 1) using analytics and machine learning to analyze big data collected from various IT operations tools and devic-es, in order to 2) automatically spot and react to issues in real time.”, I think we could see organizations with higher fluency picking up these tools by the back end of 2019, particularly if their existing vendor partners, like Dynatrace, make it easy for them to access and consume.

What concerns me most about this trend though, in the context of DevOps, is that it separates Dev and Ops (although last year I said we would see more ops in DevOps – see num-ber 4 – and in my mind this capability should be part of a DevOps Dashboard.

5. Extension across the enterprise and leadershipThis theme has come up everywhere all the time in 2018. The core challenge is that agile, DevOps and digital ‘transforma-tions’ (we really prefer the word ‘evolution’) are being driven by technology teams in order to better serve the business (and ultimately the customer). The problem with this is that the business often doesn’t know why we are doing it or some-times that we are doing it at all. This means that when we ask them to provide product owners or work with us on a prod-uct backlog we see scenarios where product owners ‘have a day job’, requirements are still sent through in large batch-es with milestones and deadlines and project-based funding (see 8). The improvement is what I called BizIT in last year’s predictions.

Exacerbating this is a conflict at the leadership level. Whilst teams can be commanded to be empowered (an oxymoron, I know), they need to be helped to unlearn the behaviours they have practiced for many years. This requires a certain kind of enlightened leader and our experience with leaders is that many consider themselves superior to learning and find it hard to coach – their ingrained behaviour is to tell others what to do. Since we are mainly reliant on these leaders to take the DevOps message organisation wide, we need to tool them up too.

6. Value stream mapping and flowLinked to 5 is this – helping organisations and individuals to collaborate to visualise the flow of work through their value stream, and by doing so identify constraints, waste and bot-tlenecks, is a foundation stone to engaging across the whole enterprise. This does require socialisation of the idea that Dev Ops is concerned with the end to end value stream – not simply starting at the point at which an idea hits a product backlog and moves into development – in order to get the req-uisite people into the room. It also requires time commitment

As organsiations adopt DevOps practices, there is a realisation, that the traditional hierarchies and organisational structures present a constraint.



from all participants into the process and recognition going into the facilitated exercise that this is the start of an ongoing improvement cycle where all will take accountability for the changes agreed as a group – not a one-off event that people participate in for a couple of days and then wander off and forget all about.

7. Value realisationLinking to 6 then is this – the focus on the realisation of the value in the customer’s hands and the fast flow of that value. Organisations with lower DevOps fluency continue to be fo-cused on uptime and number of defects as the key measures of their success to their ‘business’; by having all working togeth-er on a single value stream allows us to refocus efforts on val-ue flow cycle times and make more meaningful improvements and decisions. This brings us right back around to DevOps dashboards as what we want them to show is the business value of the user stories delivered, compared to their project-ed value. This closes the feedback loop and gives us a view on end to end flow and enables humans to make informed, evidence based, decisions about what to do next.

8. Ending project based fundingOkay, so I’m probably being way too ambitious and opti-mistic here for this to happen in 2019, but seriously people, we got to stop. When we think about the DevOps target op-erating model, broadly described as cross-functional, auton-omous and product centric teams, to have them effectively work in small increments off a product backlog means that requirements need to arrive in small, frequent batches (just like how we want to deliver them) – not large batches driven by a project mindset. This means that we need our funding models to align too – they need to be continuous and capacity based. This is a major mind shift that requires true end to end value stream coordination, collaboration and trust. At the moment, I’m reading Mik Kersten’s book ‘From Project to Product’ which uses case stories from Nokia (bad) and BMW (good) to show how and why this is essential as we all go through this period of evolution – it’s my recommended read for 2019. Along with ‘Where the Crawdads Sing’ from Delia Owens if you want something completely different and un-connected to the technology industry.

9. Reversing outsourcing and avoiding a skills warThe 2018 Accelerate State of DevOps Report uncovered a negative correlation between outsourcing and organisational performance – one we have observed for quite some time, but, as ever, it’s extremely useful to have the data as evidence. Whilst we understand that, as with the siloing of IT organi-sations in order to manage cost centres, that outsourcing pre-sented a logical choice for managing the technology spend in an organisation, the movement now to a digitised world and the recognition that technology is not a cost centre but the strategic enabler, demands that we strategically invest in engineering.

There are many problems with outsourcing in a DevOps world, mainly around contractual commitments, bureaucrat-ic processes, colocation, cultural and linguistic translation and longevity of people in roles that all lead us to a point where many major enterprises are openly reversing this trend and planning to reinvest in their own, internal engineering expertise. Whilst we support this as the preferred direction of travel, there are also a finite number of resources available, so we could see the start of a war over skills in local regions where skills are in high demand. We have already noted this on the ground, particularly in some of the large cities in the north of England. Perhaps there is room for a new model where organisations take their DevOps target operating mod-els to some of the lower cost geographical locations and invest in building local teams and cells and collaborative technology solutions on a global basis.

10. DevSecOps and software liabilitiesThe subject of DevSecOps became very much alive in 2018; in the UK we saw the inaugural DevSecOpsDays event in London and we saw an increase in our customers getting infosec, security and dev and ops in a room and an uptick in all levels of organisations adopting DevSecOps automa-tion. We are hoping to see this trend continue through 2019; security has felt like the last bastion from both a cultural and automation perspective so getting these guys on board represents some serious constraint smashing. Meanwhile, the conversation around software liability keeps on getting louder pushing DevSecOps from afterthought to legal im-perative.

So, there we have it. I’ll put my crystal ball away for now and get on with the doing. See you back here next year. Thanks for reading and I hope you have a DevOpstastic 2019.

“Business and Company Culture” track

Looking for more insight into the science that is company cul-ture? Helen Beal will be giving a talk at JAX DevOps 2019. Her talk, titled “DevOps culture: The neuroscience of behavior” is part of the Business & Company Culture track which offers a sneak peek into the changes that have shaped the corporate culture and a helping hand with the process of becoming fully agile. Join us at JAX DevOps in London this May!

Helen Beal is a DevOpsologist – coach, consultant, trainer, games lead-er for Ranger4. She is also a Product Owner for the DevOps Institute, as well as a DevOps Editor for InfoQ.

https://devops.jaxlondon.com/business-company-culture/devops-culture-the-neuroscience-of-behavior/



by Todor Gigilev

Staying on top of technology trends has never been harder. From Chinese scientists executing the first quantum teleporta-tion to astronomers finding how gold and platinum has been formed, the universe we knew at the beginning of 2018 has drastically changed. In this article, I will try to show you what to look for in 2019. Hopefully, this advice will help you build up your own pile of gold and platinum.

DIY gene editing at homePreviously the realm of science fiction, we witnessed the first biohacker using CRISPR to change his genome in 2017. Tu-ring your eyes from brown to blue might not be that near, but using the technology for altering wrong genes to prevent forming of syndromes [1] is something that could drastically change the lives of many.

There are already DNA CRISPR kits for sale. CRISPR is currently the most promising DNA editing technique; it in-

serts bacterial protein that matches certain DNA code (just like writing a RegEx), cuts and replaces it with a new one. In 2019, we might witness CRISPR kits that allow you to program at home and decide which genes to edit. For exam-ple, you might want to go diving and enable your cells to live longer without oxygen so you can stay beneath the sur-face without much trouble. You might want to program your brain to consume less energy so you need less sleep and be more productive for longer periods. Or alternatively you can enhance your PDSS2 gene, which is associated with caffeine metabolism.

Blockchain will kill notaries and change how we keep public dataFrom my experience as a CEO at a custom software develop-ment company [2], cryptocurrencies are just one application of the blockchain technology. In fact, this proves that if mon-ey could be based on blockchain, then all public data could be there.

Living the world of tomorrow – today

Five tech trends we’ll see in 2019 Although it might feel like something out of science fiction, modern technological advances are pushing the boundaries of science in new and exciting directions. Todor Gigilev of Dreamix explores five different ways that technology will advance in the coming years, from gene editing to autonomous vehicles.

© R

M S

tudi

o/S

hutt

erst

ock.

com



This will significantly change how we interact as citizens and with the government. With blockchain, we no longer need the government to act as a “centralized database of pub-lic ledger”. Imagine what will happen when:

• Selling or buying property – you will no longer need the property deed, rather than just authorizing the transaction of the property-blockchain.

• Issuing new driving license or residency – there will be no centralized database of country citizens, rather a block-chain of citizens.

• Verifying if someone has graduated a university – in fact there are already blockchain products like this!

Moreover, if we have smart contracts as the core of Ethereum protocol, we might not need any notary services anymore. People will be able to settle contract and deals using block-chain portals.

Banks added value and PSD2Banks are in fact one of the first adopters of blockchain. Early in 2017, major European banks like Deutsche Bank, HSBC, KBC, Natixis, Rabobank, Société Générale and UniCred-it started a consortium with IBM [3] in order to adopt the blockchain technology. This blockchain technology promises to speed up transactions and lower the cost to operate the payment infrastructure. Asia has not lagged behind; twen-ty banks have joined the Hong Kong-Singapore blockchain partnership [4].

Although this is a big step forward, banking will keep changing. With PSD2 regulations, banks will be more and more open. Now customer-facing solutions like an online shop can obtain information about its customer banking ac-counts and even withdraw money from there, all after user authorizes the request, of course.

Additionally, people will choose their bank not only by the interest rate, but for the value added service. Take banks like Barclays, MetroBank and ABNAmro, for example. These banks have implemented digital banking solutions such as BackBase [5], which enables their customers to have “person-al assistant” on their mobile phones. This personal assistant uses machine learning and data science techniques to let the end users make informed decisions and also execute cumber-some tasks like signing for insurance on a newly bought item with your credit card.

Autonomous vehiclesForget about wasting time going around showrooms to choose a new car. Once you have seen everything on the car market with your home VR headset, you can pay via your mobile banking and sign insurance for the car. Then, you can register your car in the public car-blockchain. And not only that – your new car will come to your home by itself!

But this is only if you really want to have your own car – the question is do you need to own a vehicle, when you can al-ways have one at your disposal only with a tap of your finger? Self-driving vehicles will change the way we know cars. You no longer need it parked in your garage during the night – you

need it parked in front of your house or office just a few min-utes before your trip! Once you jump in the car, you can relax and put your VR headset to enjoy a nice movie while your car drives to the seaside.

Space and the micro satellite invasionThe demand for high-bandwidth low-latency communication will be higher and higher. Although we are impressed with Mars missions and research of outer space, we have still not tamed the power of Earth’s low and mid orbit.

In the past two years, we’ve seen the rise of microsatellites and CubeSats. These are satellites that are 10 x 10 x 10 cm in size and weigh 1 to 2 kilos. The huge benefit of these satellites is that they are relatively cheap and allow make it possible to easily deploy communication modules, cameras, or GPS sys-tems in space. EnduroSat [6] has even taken it a step further, as you can buy CubeSats directly from their online shop [7]! Who would have thought you could buy a satellite, equip them with your own gadgets, pay SpaceX to put one of these on their shuttle, and launch it to mid-orbit!

Not sci-fi but realityThe technologies of now will bring countless opportunities in the future. I have been convinced not once or even twice that if you want to be successful you have to be on top of the latest trends. Always. The world is constantly changing with tremendous speed. New technologies will benefit the way we live, communicate, and work as well as the way we manage data and resources. These tech trends are not a science fiction story, but the reality in which we live in. What’s more, they have a huge impact not only on business and science, but on almost every aspect of our society like communications, fi-nances, education, health care, commerce and many more. In a few years from now, we will wonder how we ever lived without them.

Todor Gigilev is the CEO of Dreamix, a custom software development company. He has extensive knowledge in entrepreneurship, consulting and delivery of Webcenter, ADF, SOA Suite, BPM and Java EE solutions. He is eager to help innovative companies and startups develop sales strategies, business models, improve their value proposition as well as

design and develop their products.

References

[1] https://www.sciencemag.org/news/2017/11/human-has-been-injected-gene-editing-tools-cure-his-disabling-disease-here-s-what-you

[2] https://dreamix.eu

[3] https://www.fnlondon.com/articles/banks-partner-with-ibm-for-blockchain-backed-trade-finance-20170627

[4] https://cointelegraph.com/news/twenty-banks-join-hong-kong-singapore-blockchain-partnership

[5] https://backbase.com

[6] https://www.endurosat.com

[7] https://www.endurosat.com/cubesat-store/

https://www.sciencemag.org/news/2017/11/human-has-been-injected-gene-editing-tools-cure-his-disabling-disease-here-s-what-you

https://www.sciencemag.org/news/2017/11/human-has-been-injected-gene-editing-tools-cure-his-disabling-disease-here-s-what-you

https://dreamix.eu

https://www.fnlondon.com/articles/banks-partner-with-ibm-for-blockchain-backed-trade-finance-20170627

https://www.fnlondon.com/articles/banks-partner-with-ibm-for-blockchain-backed-trade-finance-20170627

https://cointelegraph.com/news/twenty-banks-join-hong-kong-singapore-blockchain-partnership

https://cointelegraph.com/news/twenty-banks-join-hong-kong-singapore-blockchain-partnership

https://backbase.com

https://www.endurosat.com

https://www.endurosat.com/cubesat-store



by Ralf Huuck

There are a lot of high-quality and security solutions avail-able on the market. Each one comes with its own purpose, strength, and data generated, whether we’re talking about penetration testing, log monitoring and intrusion detection, or automated application security testing solutions. While capabilities and technologies advance, they also create dis-proportionately more information and data points. It is easy to drown in this sea of information and lose sight of the es-sentials. As such, the key will be to fuse that data for making risk- and business-based decisions. The challenge is to find

the needle in the haystack and to combine data from different methods and domains to obtain a holistic view.

In 2019, we don’t need more data. We need better decision making support.

Security fatigueSecurity has been a hot topic for years. At the same time, data breaches have become more common; by this point in time, most people have already signed up with one organization or another that has been breached. The initial shock and con-cern has slowly moved to acceptance and shoulder-shrugging. However, if we do not care enough about our security and

Keeping your data safe in the new year

Decision- making: Data security in 2019In this article, Ralf Huuck goes over his predictions for how the field of data security will shake out in the new year. What’s in store for 2019? Hopefully, more standardization within the field and less data breaches overall.

© d

eepa

desi

gns/

Shu

tter

stoc

k.co

m



privacy, it is unlikely that corporations will continue their effort and investment protecting our data. As a result, easier and more common targets will appear with more severe im-plications. Currently, autonomous technology and IoT infra-structure appear to be at high risk.

We won’t see fewer breaches in 2019, but we might care less until more physically evident disasters strike.

Security by design and standardsSoftware is still largely written without formal standards and processes behind it. Unlike building bridges, software devel-opment is not a standardized, repeatable job. Open source has been on the rise for a long time and is now commonplace. One can imagine that more trust will be placed in common building blocks based around open source software. More-over, vertical software development standards will appear stronger. Safety critical systems for cars and aircrafts are self-evident. When lives depend on correct software execu-tion, then more effort will be placed on standards, audibility, and accountability. These standards may evolve bottom-up or will be government regulated. Potential new verticals on the rise for this are financial services, solutions around block-chain, and security around mobility solutions.

We might see a rise of consortia within verticals to estab-lish more domain-specific security standards, improving trust and interchangeability. Much of this might be built on open source components.

As Gary McGraw, Vice President of Security Technol-ogy at Synopsys, said, “DevOps is great, except for when it comes to secure design. We’ve been automating security analysis at the code level and pen testing at the application level for over a decade, and that automation is perfectly suit-ed for DevOps. The same cannot be said for design analysis, also called threat modeling. The lack of automation for ar-chitectural risk analysis will mean that in many cases it is conveniently left out (oops, we’ll just sweep that under the rug). This is becoming a more tangible problem as DevOps adoption progresses.”

Software design flaws are the new targetAll of this means that software design flaws will be on the rise as targets of attack. Witness the recent Facebook and Google+ attacks that led to massive data loss impact. Design flaws are much harder to find and fix than simple bugs. As a result, even very strong software security groups sometimes miss them during review. In my experience, flaws and bugs as software defects split around 50/50. Once the really dumb bugs are gone, that leaves the flaws hanging out there ripe for attack.

In general, software will continue to grow as an attack vec-tor, second only to humans. Software, software, software. As

the pile of software grows and its distributed nature becomes even more so, the attack surface grows as well. We are not making less software these days, we’re making more. Now that software has worked its way into the lifeblood of society, we have a bigger problem than when it was only the domain of geeks.

For example, your IoT stuff has lots of software in it. We then have to ask, “How secure is your IoT stuff?” When it comes to security, devices, gadgets, and consumer electronics are not secure by default. If your gizmo maker does not men-tion security, do not assume the thing you bought is secure.

IoT remains a security disaster waiting to happen. One of the main problems is that there is no way to update the broken software and hardware running inside of IoT devices when new security problems are discovered. IoT needs to be secure by design and secure by implementation. Firewalls on the network will not fix this problem.

In fact, IoT represents only part of the problem. With cloud architecture, the inventory problem is getting worse. The “in-ventory” problem (that is, what is running where, who made it, what its constituent parts are) is exacerbated by the move to the cloud and massively distributed architectures. Gary McGraw explains why this is such a problem in his article, “The New Killer App for Security: Software Inventory” [1]. Unfortunately, the bad news is that things are going in the wrong direction.

Should we despair?No! Software security is growing. The BSIMM shows that software security is growing as a field. Many companies are catching on and making progress. Even retail is in the game now. We know what to do. Now, we just have to do it.

Ralf Huuck is a Director and Senior Architect with Synopsys’ Software Integrity Group driving next-generation technology for practical and ac-tionable software security and compliance tools. He advocates automa-tion and applicability by non-experts for scaling to everyday production demands. Prior to joining Synopsys, Ralf served as the CEO with security

solution company Goanna Software and as Principle Researcher with R&D lab NICTA. He is an Adjunct Associate Professor in Computer Science with UNSW, Australia.

Software is written without formal standards; unlike building bridges, software development is not a standardized, repeatable job.

References

[1] https://www.garymcgraw.com/wp-content/uploads/2018/03/inventory-ieee18.pdf

https://www.garymcgraw.com/wp-content/uploads/2018/03/inventory-ieee18.pdf

https://www.garymcgraw.com/wp-content/uploads/2018/03/inventory-ieee18.pdf



by Abby Kearns

We’ve seen a number of significant changes over the last few years when it comes to DevOps – most obviously, the devel-opment of a DevOps culture in place of siloed teams. Cloud native technologies are often found at the root of this shift as they empower teams to work collaboratively with agility and flexibility previously thought impossible. I expect to see a DevOps culture continue to flourish in the coming year – and that’s not all.

These are just some of my predictions for 2019 based on the chatter I hear around me and the research we’ve done at

the Cloud Foundry Foundation. I look forward to all that is to come and can’t wait to see what pans out!

Expectation Reality

Kubernetes is going to eat the world. Kubernetes is a super exciting technology, but it’s not a silver bullet, and I believe more and more companies will realize they need to employ a multi-platform solution to keep up in today’s rapidly innovating world. Containers, and container schedulers, alone are not enough. They are necessary tools in the new cloud native architectures, but they are not the whole toolbox.

No one is going into the office anymore. I can speak from experience and state this is largely true -- the ability to work remotely is getting easier and easier, especially when everything is cloud native! As convenient as this is, I think folks will start to crave fellowship in their work, and co-working spaces will proliferate, even as traditional offices diminish.

DevOps culture will continue to take hold in small and large enterprises alike.

I believe this shift is absolutely essential to staying relevant and powerful in today’s rapidly chang-ing cloud native market. However, companies -- especially large companies -- are steeped in habit and this culture change may happen more slowly than needed.

China’s rapid momentum around AI and cutting edge cloud technologies will chal-lenge the rest of the world to keep up.

China’s technological revolution is well underway, but the political situation may hold enormous sway over how quickly that spreads to the rest of the world.

2019 is going to be the year of restruc-turing.

Based on 2018’s acquisitions, I predict we’ll see a steady rollout of acquisitions in the next 12-18 months, as major enterprise tech companies rush to get a piece of the latest cloud native and open source innovations.

Multi-platform, multi-cloud, multi-lingual. We live in a world with so many options now, and companies do not want to be locked in by a single vendor. Businesses will continue to choose multiple cloud native solutions to meet their needs, rather than electing to use a single technology, and they will choose technologies that give their de-velopers freedom to code in any language and deploy across multiple clouds.

The cloud industry is going to become more diverse.

This is happening -- but much more slowly than I’d like to see. We are working as an industry to pro-mote equity, but we have a long, long way to go.

Table 1: Expectations vs. reality for DevOps

Expectations vs. reality

Is DevOps going to eat the world? DevOps adoption is at an all-time high. It’s time to take a step back and see how some of those early predictions have panned out. Here, Abby Kearns of Cloud Foundry Foundation goes over seven predic-tions about DevOps, exploring what we got right and where we went wrong.

With nearly twenty years in the tech world, Abby Kearns is a true veteran of the industry. Her lengthy career has spanned product marketing, prod-uct management and consulting across Fortune 500 companies and start-ups alike. As Executive Director of Cloud Foundry Foundation, Abby helms the ecosystem of developers, users and applications running on Cloud

Foundry, and works closely with the Board to drive the Foundation’s vision and grow the open source project. Prior to Cloud Foundry Foundation, Abby focused on Pivot-al Cloud Foundry as part of the Product Management team at Pivotal. She spent eight years at Verizon where she led Product Management and Product Marketing teams dedicated to the early days of cloud services. In her free time, Abby enjoys indulging in food and wine, and spending time with her husband and son.

@ab415.

https://twitter.com/ab415

DevOps trends to watch out for


by Tim Mackey

2018 saw many organizations in the news for all the wrong reasons and chief among them were security related issues. The number of large scale data breaches remained high – de-spite GDPR becoming effective in May. Organizations such as Under Armour, Quora, Novotel, Twitter, Ibis, Facebook, and Marriott all reported what can be best described as “me-ga-breaches” – a term coined by Ponemon in their 2018 Cost of Data Breach Report to describe any breach with extreme

impact. With increasing regulatory oversight, it’s clear we have a key problem when it comes to securing the digital data we all depend upon.

Wildly important goals for security in 2019In the spirit of annual predictions, I’d like to add my voice to the discussion – starting with some utopian wishes. These rep-resent areas of data privacy and security I wish would come to fruition. In my opinion, these represent wildly important goals we should be striving for as security professionals.


Embracing DevSecOps in 2019 Security issues made headlines last year in the worst way. How will we keep our data secure in 2019? Tim Mackey goes over some of his dreams for DevSecOps for the year ahead, along with some prag-matic recommendations for developers to follow.

© s

deco

ret/

Shu

tter

stoc

k.co

m



1. Organizations will adopt user centric data collection and disclosure policies which provide opt-out mechanisms from data sharing. With greater transparency and control over our individual data, we as creators of the data can begin to take control over our digital identity in our new data-driven economy.

2. Service providers will become more transparent about the measures taken to protect data during API calls. Trust is key to any successful relationship; most APIs in use are governed by an API license agreement which disclaims liability and represents the API service as potentially unre-liable. While major service providers will have an industry recognizable certificate covering their IT operations, the certification process often lacks sufficient depth as to discover issues in API governance.

3. Organizations experiencing breaches will become more transparent about the exploits used in the attacks. The reality is that most organizations experiencing a breach wish to minimize any negative publicity resulting from the incident. In minimizing negative press, they are simultane-ously enabling the attacker to repeat their proven attack techniques against other organizations.

4. A standardized location will emerge from which users can request and obtain the data an organization has collected on them. While GDPR affords a right to access, anyone attempting to obtain their personal data from a data col-lector quickly finds the process varies by organization and the data provided can be far from readable.

5. Organizations will create and update threat models with each new feature, API, and iteration of their application. While it’s relatively common to create a threat model when major functional changes occur, that threat model can quickly become dated as the application evolves. As the model ages, a false sense of security emerges until an incident occurs. With an obsolete model, impact assess-ments become more difficult and time consuming.

Crystal ball predictions for 2019While I believe these wishes represent important security and data protection targets for us to aim for, they are also unlikely to come to fruition in 2019 without significant effort. Putting a more pragmatic hat on, my crystal ball for 2019 shows a far more negative view of our industry. I predict that:

1. At least one senior executive of an organization will face jail time resulting from a data breach.

2. The US Congress will follow the EU and introduce legisla-tion at the federal level protecting consumer data.

3. A major IoT vendor will experience a security breach which exposes consumer devices to compromise.

4. At least one serverless cloud provider will embed security testing into the publishing process for applications.

5. Product safety regulators will issue a product recall for a software security issue present in a home automation or wearable device.

Pragmatic recommendations for 2019With these utopian goals and pragmatic predictions, it’s im-portant to look at what each of us can do to keep our em-ployers out of the news for security incidents. The easiest way forward is to embrace the wealth of tooling available to gain security visibility into every aspect of software throughout its lifecycle.

• Automate security testing using threat model derived test cases for internally developed applications.

• Validate the security any libraries, applications, or pack-ages used in the creation of your applications or deployed within your organization.

• Create a process to continuously monitor for new security issues impacting libraries, applications, packages or third party APIs your software stack depends upon.

The “Sec” in DevSecOps demands us all to embrace security in what we create, deploy, and depend upon. As applications become more distributed in their dependencies, creating and applying security templates at all stages allows for rapid inno-vation without sacrificing security.

With greater transparency and control over our individu-al data, we as creators of the data can begin to take control

over our digital identity in our new data-driven economy.

Tim Mackey is a technical evangelist for Black Duck by Synopsis, which helps organizations to locate, manage and secure their open source soft-ware. Tim’s role is one of engaging with technical communities to best understand how Black Duck can solve their application security problems today, and learn what bleeding edge security concerns are top of mind in

order to feed them back into the development team. He is well versed in open source application security, data center security, containers, virtualization, and cloud tech-nologies. Tim has spoken at many events including OSCON, CloudOpen, Interop, CA World, Cloud Connect and the CloudStack Collaboration Conference. Tim is a pub-lished O’Reilly Media author.



by Michiel Rook

Some of you know me as an active conference speaker, shar-ing my knowledge of continuous delivery and other topics at conferences around the world, including JAX DevOps and JAX London. During some of these sessions, I talked about how CD can significantly improve the time to market, soft-ware quality, and speed of delivery. Indeed, continuous de-livery is by now recognized as a pillar of modern software development.

Indeed, as research and market reports have shown, teams that apply continuous delivery in their work enjoy significant-ly lower change failure rates and faster time to recover from outages, when compared to teams that don’t. By deploying far more frequently and automating the entire build and deployment pipeline, these teams get fast feedback on their changes and are able to spend more time on actual work.

Even though the guidelines and principles that form con-tinuous delivery have been spreading in the industry for years, it’s only now that they have really permeated into the enterprise software space. There’s a still lot of work to do though!

JAXenter asked me to write down my predictions for 2019 about continuous delivery. I’ve divided my predictions into a set of wishes (some perhaps more hopeful than others!), and a set of somewhat more realistic expectations.

Let me know what you think about these predictions, and please send me your own. Here’s to an exciting and interest-ing year!

Michiel Rook is a very experienced, passionate and pragmatic freelance IT consultant from the Netherlands. Working as a coach, software devel-oper & architect, and a strong leader, he considers it his mission to help companies significantly improve their software quality and delivery pro-cess. Currently, he focuses on adopting Continuous Delivery & DevOps

principles, culture and tooling, legacy software transformations, and cloud migrations. Michiel is a regular speaker at international conferences and events. When he’s not thinking about continuous deployment, DevOps or event sourcing he enjoys music, cars, sports and movies.

Wishes Expectations

The “this isn’t possible with our application” discussions will finally come to an end.

Applications and systems will see an increased focus on reliability and observability.

Unwieldy monoliths around the world will enjoy fast pipe-lines and at-least-daily deploy-ments to production.

“Pipeline as a Service” products become ubiquitous and even more accessible.

Long-lived feature branches will become known as “that thing we used to do”.

More and more organizations will embrace the continuous delivery principles.

Automated security scanners and other tooling become more tightly integrated into CI/CD pipelines.

CD is recognized as a crucial corner-stone of DevOps.

Table 1: Wishes and expectations for CD


Continuous delivery in 2019 Is 2019 the year when continuous delivery is recognized as a cornerstone for DevOps? In this article, JAX DevOps speaker Michiel Rook shares some of his expectations and wishes for contin-uous delivery for the coming year.

“Continuous Delivery” track

Interested in applying the practices and principles of continuous delivery into an existing application? Michiel Rook will be at JAX DevOps in May 2019. His talk “Beyond Continuous Delivery: Learn, adapt, improve” is a part of the Continuous Delivery track, which imparts practical knowledge on how to automate software delivery and boost productivity. Join us at JAX DevOps in London this May!

https://devops.jaxlondon.com/continuous-delivery/beyond-continuous-delivery-learn-adapt-improve/

The Conference for Continuous Delivery,

Microservices, Docker & Clouds

Business & Company Culture

Continuous Delivery

devops.jaxlondon.com

Cloud Platforms & Serverless

Docker & Kubernetes

VERY

EARLY BIRD

Register by

Feb 21 and

save up to

£ 200!

May 14 – 17, 2019Expo: May 15 – 16, 2019

Park Plaza Victoria, London

https://devops.jaxlondon.com/


Only till February 21: Arduino Starter Kit or Nintendo Classic Mini for free Save up to £ 200 Group Discount

JAX DevOps – for Continuous Delivery, Microservices, Clouds & the Kubernetes Ecosystem

Create. Innovate. Code.

JAX DevOps is a four-day conference for software experts featuring in-depth knowledge of the latest technologies and methodologies for lean businesses. Join the software delivery revolution for accelerated delivery cycles, faster changes in functionality and increased quality in delivery.

Taking Back Software Engineering – Craftsmanship is not enoughDave Farley ( Continuous Delivery Ltd)Would you fly in a plane designed by a crafts-

man or would you prefer your aircraft to be designed by engineers? Engineering is the application of iterative, empirical, practical science to real-world problems. Crafts-manship is a wonderful thing, and as a reaction to the terrible abuses of the term Engineering in software devel-opment, Software Craftsmanship has helped in our learn-ing of what really works. The term “Software Engineering” has gained a bad reputation. It implies big up-front design and mathematically provable models in place of working code. However, that is down to our interpretation, not a problem with Engineering as a discipline. In recent years, we have discovered what really works in software develop-ment. Not everyone practices approaches like Continuous Delivery, but it is widely seen as representing the current

state-of-the-art in software development. This is because at its root, CD is about the application of an iterative, prac-tical, empirical, maybe even science-based approach to solving problems in software development. Is this a form of Software Engineering? Software isn’t bridge-building, it is not car or aircraft development either, but then neither is Chemical Engineering, neither is Electrical Engineering. Engineering is different in different disciplines. Maybe it is time for us to begin thinking about retrieving the term Software Engineering, maybe it’s time to define what our Engineering discipline should entail.

Dave Farley, founder and director of Continuous Delivery Ltd, is a thought-leader in the field of Continuous Deliv-ery, DevOps and Software Development in general. Dave is co-author of the Jolt-award winning book ‘Continuous Delivery’ a regular conference speaker and well known blogger.

KEYNOTES (Excerpt)

CONFERENCE OVERVIEW

TuesdayMay 14, 2019

FridayMay 17, 2019

Sessions and KeynotesContinuous DeliveryDocker & Kubernetes

Cloud Platforms & ServerlessBusiness & Company Culture

POWER WORKSHOPS

Organization Design Workshop

Continuous Delivery Workshop

POWER WORKSHOPS

Kubernetes Workshop

Web Security Workshop

Expo

Main Conference

WednesdayMay 15, 2019

ThursdayMay 16, 2019

Main conference with Sessions and Keynotes Expo with renowned companies Power Workshops for practical Training



IMPRESSIONS OF JAX DEVOPS

Organization design Organization Design

Workshop

for fast flow using Team Topologies

Manuel Pais (Independent Consultant), Matthew Skelton (Conflux)Based on the forthcoming book by Matthew Skelton and Manuel Pais, “Team Topologies: Organizing Business and Technology Teams for Fast Flow” this workshop guides attendees through the many different aspects of modern organization design for software delivery. We look at the constraints imposed by Conway’s Law and how we can turn these into a strategic advantage, what happens when we take a team-first approach to organization design (and what this is a big win for every organization), how to simplify and enhance the intercommunication between teams, how to choose team types to accelerate and sus-tain safe, high-speed software delivery, how to evolve team structures depending on internal and external stimuli, and more. How to design your organization using team-first techniques for sustainable software delivery: Benefits: Turn the design of your organization into a strategic advantage through the Team Topologies approach of team-first inter-actions, homomorphic mirroring, and high-fidelity sensing & feedback loops. Output: Structured, practical techniques for effective organization design based on team-first so-cio-technical principles, Conway’s Law, well-defined team APIs, and Cybernetic sensing & control. Audience: CTO/CIO and other leaders, Head of Department, software architects, systems architects, managers, team leaders, engineers.

Kubernetes production Kubernetes Workshop

debuggingAndrew Martin (ControlPlane)Debug broken Kubernetes clusters and appli-

cation failures as you compete to resolve the production outage first! This entertaining and frenetic workshop is designed to provide the kind of experience you only get when production goes down. In this workshop, you will be presented with various broken Kubernetes cluster scenar-

ios as well as application failure scenarios. You will be split into teams of varying levels of experience and compete over who can resolve the production outage the fast-est. This work shop emphasizes collaboration and commu-nication, which are key to getting through any outage as a team. Previous experience with Kubernetes is required.

From Zero to Continuous Continuous Delivery

Workshop

Integration and Continuous DeliveryNir Koren (LivePerson)

Continuous Integration (CI) and Continuous Delivery (CD) are development practice of applying small code changes frequently. It’s well known that it becomes more and more essential to any agile-based organization. This workshop will help you to understand the CI/CD concepts, mindset, and how to implement the practices that help to form the DevOps culture to implement CI/CD for software development.

How to master your Web Security Workshop

offensive security toolstackChristian Schneider (Schneider IT-Security)In this hands-on penetration testing workshop,

we’ll attack the training web app to take on the role of a pen tester one step at a time. You’ll learn how to work with professional security tools through a range of practical tasks. You'll also learn pen testers’ general approach for at-tacking web apps. Of course, we’ll also deal with defensive measures for protecting the security holes found. Howev-er, our focus will remain on the systematic use of profes-sional hacking tools for carrying out security analyses. As a second objective of this workshop, you will learn what type of security checks can be automated and how this DevOps-style automation of security checks within build chains is best done. Once you’ve completed this workshop, you’ll have practical experience of carrying out manual and automated attacks on web apps. You can transfer these skills to your own software development work and increase the security of your projects in the long-term.

WORKSHOPS (Excerpt)



DevOps and Everyone Else – How to Support More Collaboration Across TeamsJames Mountifield (Sumo Logic)

Taking the scissors away: Make your Kubernetes cluster safe for DevOpsJussi Nummelin (Kontena Inc.)

Going FaaSter: Cost-performance optimizations of serverless on KubernetesErwin van Eyk (Platform9)

In Search of the Perfect Cloud-Native Developer ExperienceDaniel Bryant (Big Picture Tech)

Deploy code changes to production with confidence using Consumer Driven ContractsHenrik Stene (Knowit)

Containers on AWS: What to use and when?Philipp Garbe (Scout24)

Rethinking the architecture & design of your Continuous Delivery pipelinesAmbreen Sheikh (Diabol AB)

Are you deploying and operating with security in mind?Steve Poole (IBM)

CI/CD for microservices: Rule them allNir Koren (LivePerson)

The state of your supply chainAndrew Martin (ControlPlane)

Beyond Continuous Delivery: Learn, adapt, improveMichiel Rook (Independent Consultant)

DevOps culture: The neuroscience of behaviorHelen Beal (Ranger4)

It's not just Lambda: The economics behind serverlessChristian Bannes, Vadym Kazulkin (ip.labs GmbH)

Boost your AWS infrastructurePhilipp Garbe (Scout24)

Getting started with KnativeHubert Ströbitzer (Freelancer)

Delivery patterns for rapid and reliable releasesManuel Pais (Independent Consultant)

Scaling engineering by hacking Conway's LawAviran Mordo (Wix.com)

Serverless operations: From development to productionSoam Vasani (Platform9)

Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and LatencyHenning Jacobs (Zalando SE)

Seven security sins: The seven biggest security problems of Agile projectsChristian Schneider (Schneider IT-Security)

SESSIONS (Excerpt)

PRICE OVERVIEW

1-DAY PASS ....................................................................... £ 399 £ 449

2-DAY PASS ...................................................................... £ 699 £ 799

3-DAY PASS ...................................................................... £ 999 £ 1199

4-DAY PASS ..................................................................... £ 1199 £ 1399

+ Arduino Starter Kit or Nintendo Classic Mini or for free

VERY

EARLY BIRD

Register by

Feb 21 and

save up to

£ 200!

https://devops.jaxlondon.com/tickets/

EditorialDevOps trends to watch out for


by Nir Koren

I have witnessed the growth of CI/CD pipelines for microservices. Here are five concepts which I think are crucial for managing proper and robust CI/CD pipelines. Hopefully, we’ll see better implementations in 2019!

• Control your CI/CD processes for all services. Make sure you provide the right tools and features! You should always know what is going on in your CI/CD infrastructure, so you can change and enhance anything you want on the spot.

• Make all CI/CD processes for all services are unified as much as possible. It’s important that all services have the same build, deployment, and tests skeleton. The logic should be implemented specifically in the service build configurations (POM, build.gradle, package.json, etc.), but the processes should remain the same. In that way, your Ops will be able to support each service CI/CD process without getting into it too deeply.

• Enforce governance outside the service code. Write the tools and code that make some post build actions like static code analysis, DB save, or security scans, so developers won’t be able to mark steps unintentionally. In that way, you can fulfill mandatory standards and corporate rules.

• Hold all CI/CD configurations in a single location and make sure all services inherit from this location. Every plugin, version, and release behavior should be stored in a single location. If you add a new behavior, upgrade a dependency or plugin version, then you should do it from a single location. That way, it will be implemented to all services instantly.

• If you cannot find the perfect tool, take control and devel-op it. If your organization deploys in a different way or maintains a specific style, it’s likely that you won’t be able to find the right tools for the problem. Develop it yourself instead. Maven plugins, Node.js plugins, and any other packages can ensure unified way all services are running in the same way exactly as you need and in that way – Ops can support all services.

Feel free to join my session at JAX DevOps 2019 London and see how we manage CI/CD pipelines in a microservices environment!

Nir Koren is a Senior CI/CD DevOps engineer for LivePerson Israel. He has been dealing with CI/CD and DevOps more than ten years.

Tips and tricks

Five tips for utilizing CI/CD for microservices Are you trying to integrate a CI/CD pipeline into your microservices project? Here are five useful tips from JAX DevOps speaker Nir Koren. Protip: Your pipelines will be more robust than ever as long as you can unify and control CI/CD processes.


Interested in integrating a CI/CD pipeline for your microservices environment? Nir Koren will be at JAX DevOps in May 2019. His talk “CI/CD for microservices: Rule them all” is a part of the Continuous Delivery track, which is all about practical knowledge on how to automate software delivery and boost productivity. Join us at JAX DevOps in London this May!

https://devops.jaxlondon.com/continuous-delivery/cicd-for-microservices-rule-them-all/



by Ambreen Sheikh

Continuous integration and delivery is a software develop-ment process and a mindset that helps an organization deliver quality product in short cycles. When an organization pro-claims that they want to implement CI/CD, this is what they intend to achieve in terms of outcome:

• deploy/release more frequently• work in smaller batches• build quality in software through automation• faster feedback to pursue continuous improvement• process based responsibility

When any revision of the software goes through the contin-uous integration and delivery processes, it comes out on the other end in a state that is ready to be deployed or is already deployed to production. CI/CD process usually consists of

multiple stages and, depending on the type and state of the product, these stages are executed as shown in figure 1.

Continuous integration and delivery has come a long way in the past few years. Not long ago, it was a distant dream for most organizations. Technical decision makers talked about


What more to expect from CI/CD in 2019? The CI/CD mindset has matured quite well in a very short period of time, however, there is still a long way to go. In this article, Ambreen Sheikh shares some of her ‘wishful thinking’ on how CI/CD will evolve this year.


Interested in learning more about Continuous delivery? Ambreen Sheikh will be at JAX DevOps in 2019. Her talk “Rethinking the architecture and design of your Continuous Delivery pipelines” is part of the Continuous Delivery track which offers valuable prac-tical knowledge on how to automate the software delivery and boost productivity. Join us at JAX DevOps in London this May!

© E

lnur

/Shu

tter

stoc

k.co

m

https://devops.jaxlondon.com/continuous-delivery/rethinking-the-architecture-design-of-your-continuous-delivery-pipelines/



it, but it was not clear to anyone in terms of what it is and how to get started. What we now take for granted because of the prevalence of CI/CD in modern tech companies would have been considered ludicrous and even impossible only a decade ago. The point being, CI/CD mindset has matured quite well in a very short period of time, however, there is still a long way to go.

Expectations vs. realityThe evolution, maturity, and phasing out of a concept, a pro-cess or a tool is much faster in tech compared to other indus-

Expectations Reality

Scope of automation: In a CI/CD process in terms of automation, most of the focus is still very much on automating testing procedures. I expect to see this scope widen and encompass most manual processes that exist in backlog management, infrastructure deployment etc.

Manual processes: Even with intense focus on automation in the tech industry, we are still far from the idea where the reli-ance on manual processes will be minimum. There is and will be a constant struggle in organizations to prioritize automation.

Better Monitoring and Visualization: Monitoring and visualization is a way for any CI/CD process to communicate with humans. I see room for significant im-provements in this area as still there are times when a CI/CD process is not able to communicate and visualize the granularity of problems in the system.

Meaningful visualization: There is significant amount of tooling available for creating visualization of CI/CD processes, but or-ganizations still struggle with creating meaningful dashboards, charts and metrics.

Analytics for Failure Management: Failure management of the CI/CD pro-cesses themselves will become a necessity. Analytics will be the key, as they can provide monitoring on the health of the CI/CD pipelines and can also help to measure and predict the confidence in a release.

DevSecOps: There will not be a desire but a dire need to pri-oritize security, where everyone in an organization will have to come together to create and deploy secure software.

Security as combined responsibility: Security should never be a single person or team’s responsibility. I expect to see developers, managers and everyone else in an organization take the combined responsibility of writing and managing not only secure software but also creating secure processes and assist each other in this journey.

Predictive Analytics: This is an evolutionary requirement, there is data that is gathered while executing CI/CD processes and that data will be used to improve the stability of pipelines and increase the confidence in releases.

Cloud agnostic Architecture: CI/CD processes will move away from architec-tures that are locked into a specific vendor. This is hard to achieve at this time but is something we should prepare the organizations to move towards.

Complexity of CI/CD: In reality, when an organization starts rely-ing more and more on CI/CD pipelines, the complexity of them will grow significantly. If not designed and managed properly, a fully mature pipeline may become too long and complex and come as a blow to the idea of faster and reliable deliveries.

Service Granularity in Software Design: Microservices are already popular, better definition and finer granularity will assist significantly in reducing the release time. I expect that an organization should be able to see the chang-es they make to a product almost instantaneously.

Tooling: There is an influx of tools when it comes to CI/CD. Selecting the right tool for the right job and for the right type of culture has become an intense challenge which sometimes result in chaos, detours and detracks. I expect to see some clear winners in CI/CD tooling.

Culture comes first: An organization can have all the right ingredients for delivering quality code faster; but without prioritizing and addressing the cul-tural issues the outcome is never as impactful. I expect better prioritization in this area.

Table 1: Expectations vs. reality for CI/CD

tries. That makes it incredibly hard to predict how the technical landscape will be terraformed by the development community. Nevertheless, I have listed a few of my expectations when it comes to CI/CD processes and pipelines, and next to it how I see the reality playing out.

ConclusionThere are challenges ahead and the industry is going through a phase shift in terms of faster release cycles and better product quality, but on the bright side, things are moving fast and

in most cases in the right direction. As long as people and organizations continue to challenge the status quo and don’t forget the tedious six-month long release cycles that started this phase shift in the first place, I have no doubt in my mind that mature and reliable CI/CD processes will be a standard in the future.

Ambreen Sheikh is passionate about delivering quality software with some style. She has been a developer for almost 12 years now and re-cently started speaking at different conferences. Now she wants to share her findings and experiences with the people who enjoy working with CI/CD pipelines.

Figure 1: CI, CD, CD

Most promising trends for 2019


by Daniel Bryant

2018 was another interesting year for cloud computing. Func-tion-as-a-Service (FaaS) started to gain more traction alongside classical PaaS and container technology, cloud vendors added more fully-managed data store services to their seemingly nev-er-ending list of offerings, and end-user organizations focused on developing both internal cloud expertise and creating deci-sion making frameworks for which workloads to move to the cloud. But what will 2019 hold?

Reaching for the cloudsHere is my cloud computing wish list for 2019:

• Engineers start to focus more on their organization’s busi-ness problems, rather than getting distracted playing with cool cloud technologies “just because”. (Yes, I’ve been guilty of this in the past!)

• Following some discontent around the current open source licensing models [1] and how they are being used/exploited by cloud vendors to offer paid-for services, I would like to see more contributions to core open source projects by these organizations. I’m hopeful here, because: Ŋ Google already releases quite a bit of their core tech via open source (e.g. Kubernetes [2], Istio [3], gvisor [4], etc.);

Ŋ Microsoft are big contributors to many open source technologies [5], such as Kubernetes [6] (and they are also embracing Linux!); and we’re starting to see Amazon talk about their work in this space via the AWS Open Source team [7] (e.g. s2n [8], Corretto [9], Firecracker [10], etc.).

• I would also like to see increased interoperability (or con-solidation) between serverless offerings. I think this not only relates to projects like the serverless framework [11] and the Cloud Events [12] spec, but also in finding a cloud-agnostic way to define middleware and data stores as is being ex-plored by Pulumi [13], Crossplane [14], and others. Ŋ The trend of increasing merger and acquisition activity of cloud business is sure to continue next year as the industry consolidates. These mergers may help with some aspects of interoperability. For example, with IBM acquiring Red Hat, OpenWhisk will most likely become more integrated into OpenShift [15] as this platform’s FaaS implementation of choice.

• I would be keen to see more investment in the cloud native “developer experience” [16] like workflows and tooling, as well as continuous delivery automation space. Building

and deploying applications in containers or via FaaS typ-ically requires new processes and tooling, whether this is baked into your platform or implemented separately. Ŋ Organizations like Atomist [17], Datawire [18] (where I currently work), and Garden.io [19] are leading the way here. There are also lots of interesting developments in open source [20].

Ŋ I believe we will also see more investment in training and certifications in this space; for example, I found the AWS certification [21] training very useful for understanding how the core pieces of the platform fit together. I’m also hearing good things about the CNCF’s Kubernetes certification [22].

• My final wish is closely related to the previous point, in that I hope debugging and observability tooling catches up with the changes in architectural styles (microservices, events, etc.) and deployment models (ephemeral containers and FaaS). Ŋ Companies like LightStep [23], Honeycomb [24], Hu-mio [25], and Grafana [26] are making great progress here.

A more realistic approachHere is my more pragmatic list:

• The distance between containers and VMs will get smaller. We can see some of this in the release of AWS Firecrack-er [27], with support for “microVMs”, and projects like Kata containers [28].

• Security becomes a bigger focus. Infrastructure as Code [29] is a fantastic paradigm, but it requires a new software-focused approach to security. With the currently complicated exposure of cloud functionality like IAM and security groups, it is easy to make mistakes. As Jessie Fra-zelle has hinted at [30], we may also see proof of concept state sponsored attacks on the underlying cloud fabric. Ŋ In regards to network and perimeter security, un-derstanding “zero trust networks” and Google’s BeyondCorp model [31] is recommended. At Datawire, we’re helping engineers secure the edge of systems [32] deployed via Kubernetes using our open source Ambas-sador API gateway [33], which is based on Envoy [34].

Ŋ I’m following the work on HashiCorp’s Sentinel “Pol-icy as Code” framework [35] and Open Policy Agent (OPA) [36] closely, as the ideas here for defining security policies are very interesting.

Ŋ Concepts like chaos engineering [37] will become more important. I’m also following closely what the Gremlin


Cloud computing in 2019It’s an exciting time to be working with cloud technologies. JAX DevOps speaker Daniel Bryant shares his wish list for cloud computing and a more pragmatic list for this essential technology in 2019.



team [38] is up to, as they have very interesting products and training material available in this space.

Ŋ Organizations like Aqua [39] and Synk [40] also provide great security tooling for developers.

• I think we’ll see increasing friction between public cloud vendors and commercial entities [41] with an “open core” business model based on open source.

• The use of hybrid cloud will continue to increase, as the “early majority” understands their workloads and data better and the “late majority” arrives with more risk-averse requirements. Ŋ Because of this, I think we’ll see more development of multi-cloud control planes and APIs (think Open-Stack [42], but with a narrow focus). Kubernetes and Envoy are emerging as the main cloud native operating systems, so expect more projects like Crossplane [43] to target this level of abstraction for multi-cloud.

• Increased use of “edge computing”, particularly for IoT devices and machine learning. We’ve already heard about Chick-fil-A running a Kubernetes cluster [44] in each of its restaurants. PaaS vendors like Rancher [45] and Section.io p [46] are building business models around this mode of operation.

So, that’s my list of predictions for 2019. There has never been a better time to get involved with cloud technologies, but there is a lot to learn. If you’re focusing on developing Java applications for cloud platforms, can I shamelessly rec-ommend the book that I have just published with Abraham Marin-Perez, “Continuous Delivery in Java” [47]? You can find us on the road at various conferences and meetups!

Daniel Bryant works as an independent technical consultant, and cur-rently specializes in enabling continuous delivery within organizations through the identification of value streams, creation of build pipelines, and implementation of effective testing strategies. His technical expertise focuses on DevOps tooling, cloud/container platforms, and microservice

implementations. He also contributes to several open source projects, writes for In-foQ, O’Reilly, and Voxxed, and regularly presents at international conferences such as OSCON, QCon, and JavaOne.

References

[1] https://www.infoq.com/news/2018/12/confluent-license-changes

[2] https://kubernetes.io

[3] https://istio.io

[4] https://github.com/google/gvisor/

[5] https://www.infoworld.com/article/3253948/open-source-tools/who-really-contributes-to-open-source.html

[6] http://stackalytics.com/?project_type=kubernetes-group&metric=commits&module=kubernetes&company=microsoft

[7] https://aws.amazon.com/opensource/

[8] https://github.com/awslabs/s2n/

[9] https://www.infoq.com/news/2018/11/amazon-corretto-java

[10] https://www.infoq.com/news/2018/12/aws-firecracker

[11] https://serverless.com

[12] https://github.com/cloudevents/spec/

[13] https://www.pulumi.com

[14] https://crossplane.io

[15] https://github.com/apache/incubator-openwhisk-deploy-openshift/

[16] https://www.slideshare.net/dbryant_uk/velocity-ny-2018-the-cloud-native-developer-workflow

[17] https://atomist.com

[18] https://www.datawire.io

[19] https://garden.io

[20] https://blog.hasura.io/draft-vs-gitkube-vs-helm-vs-ksonnet-vs-metaparticle-vs-skaffold-f5aa9561f948

[21] https://aws.amazon.com/certification/

[22] https://www.cncf.io/certification/cka/

[23] https://lightstep.com

[24] https://www.honeycomb.io

[25] https://www.humio.com

[26] https://grafana.com

[27] https://aws.amazon.com/blogs/aws/firecracker-lightweight-virtualization-for-serverless-computing/

[28] https://katacontainers.io

[29] http://shop.oreilly.com/product/0636920039297.do

[30] https://twitter.com/jessfraz/status/1080160254669795329

[31] https://beyondcorp.com

[32] https://www.getambassador.io/user-guide/oauth-oidc-auth

[33] https://www.getambassador.io

[34] https://www.envoyproxy.io

[35] https://docs.hashicorp.com/sentinel/concepts/policy-as-code

[36] https://www.openpolicyagent.org

[37] https://www.infoq.com/minibooks/emag-chaos-engineering

[38] https://www.gremlin.com

[39] https://www.aquasec.com

[40] https://snyk.io

[41] https://www.infoq.com/articles/will-cloud-computing-kill-open-source

[42] https://www.openstack.org

[43] https://www.infoq.com/news/2019/01/upbound-crossplane

[44] https://medium.com/@cfatechblog/edge-computing-at-chick-fil-a-7d67242675e2

[45] https://rancher.com/blog/2018/2018-12-11-kubernetes-on-the-edge/

[46] https://www.section.io

[47] http://shop.oreilly.com/product/0636920078777.do

“Cloud Platforms & Serverless” track

Interested in creating an effective developer workflow using a platform based on Kubernetes? Daniel Bryant will be at JAX Dev-Ops in May 2019. His talk, “In Search of the Perfect Cloud-Native Developer Experience”, is a part of the Cloud Platforms & Server-less track, which offers insight into the newest approaches for setting up cloud-based or even cloud-native applications. Join us at JAX DevOps in London this May!

https://devops.jaxlondon.com/docker-kubernetes/in-search-of-the-perfect-cloud-native-developer-experience/




Businesses that implement cloud technology are going to save lots of money through this investment.

Saving money – By moving data to the cloud, where there’s hundreds of terabytes of storage available, businesses will be able to retire their older SANs, NASs, etc. and the maintenance that traditionally goes with these. However, once the bill for their cloud services comes in, businesses may feel as locked in as they did before. Combine this with various teams expanding their data footprint without good governance of how much data they can actually put into the cloud, and IT leaders will find themselves backpedalling to reduce the total storage spend to a more realistic level.

Building cloud native applications will be much easier than previous alternatives.

Cloud native applications – While building cloud-based applications can be great, often they need to be able to interconnect with any existing infrastructure, applications, security, data and so on. The process to add these integrations to cloud applications increases the complexity of the overall task – it also increas-es the attack surface area so there’s the potential for more errors and inaccuracies to occur.

The cloud will provide better se-curity measures that businesses can trust.

Security – The security of applications in the cloud is certainly stronger; however, the integrations will likely include VPNs and specific APIs, which can be tricky to manage. Also, every cloud provider will create se-curity alerts for the different potential threats that must be monitored and managed, again increasing the complexity. Despite these measures, most of security concerns will remain the same – how to deal with personally identifiable information (PII), HIPAA requirements, data at rest/data in motion, etc.

IT teams will be able to forget about having disaster recovery because the application is in the cloud.

Disaster recovery – The hope of not needing to worry about disaster recovery will remain a hope for the foreseeable future. What businesses will find it is that instead of managing a backup/replication scheme, they will now have to manage snapshots in the cloud. This means that teams will still need to work through potential scenarios for corruption, geographical outage, etc. to ensure that these incidents can be dealt with sufficiently should they occur.

Once businesses have rewritten applications and development pipelines in containers, there won’t be a need to manage sys-tems or environments or worry about infrastructure.

Less management – Infrastructure is not the biggest task to tackle when moving to the cloud. While patch-es for operating systems are no longer an issue, businesses will now have the challenge of managing ap-plication dependencies, application updates, and middleware. Overall there is unlikely to be any reduction in workforce, but the existing workforce will become better focused.

Table 1: Expectations vs. reality


What 2019 will bring for the cloudMoving to the cloud is by no means a new venture, but there are still many businesses that are yet to fully make the transition. In this article, Jeff Keyes shares his thoughts on what decision-makers should expect from the cloud in 2019.

by Jeff Keyes

As we move into a new year, IT decision-makers looking to invest in innovative technology need to have a clear under-standing of the biggest trends expected in 2019. Moving to the cloud is by no means a new venture, but there are still many businesses that are yet to fully make the transition, or that will consider moving more of their workloads onto the cloud this year. To be certain of this decision, IT leaders should be sure that they temper their high expectations with reality.

The cloud is definitely an optimal choice for many business-es, and those that have yet to move any of their applications

to the cloud would likely see a range of benefits from migrat-ing. However, it’s important to understand that the reality for the cloud may not in fact live up to every team’s expectations, and therefore they should go into the process of choosing a cloud service with their eyes open.

Jeff Keyes is the Director of Product Development at Plutora. Keyes has spent his career writing code, designing software features and UI, running dev and test teams, consulting and evangelising product messaging. Out-side of six years at Microsoft, he has primarily focused on growing startup companies.



by Andrew Martin

Kubernetes has continued its meteoric rise in 2018, with 83 % of CNCF survey respondents [1] using it to run their workloads. But with so many interested participants in the ecosystem, it can be difficult to separate the signal from the noise. Here are some wishes and expectations for the future of the Kubernetes ecosystem in 2019.

WishesHosted services catch up with GKE: Google’s eponymous Kubernetes Engine (GKE) has been ahead of the competition since launch and it continues to ship features faster with host-ed Istio recently hitting beta. Microsoft’s Azure is a strong competitor with node auto-scaling and network policy both launching in late 2018.

By contrast, Amazon has been notably slow to deliver a hosted Kubernetes solution in favor of its own ECS service. However, the Elastic Kubernetes Service (EKS) has finally launched. Along with the eksctl tool [2], EKS now provides a viable alternative to user-provisioned masters on EC2. Digital Ocean now has a managed offering, too. As these managed services converge, we can hope to see wider feature sets, deep-er service integrations like AWS’s Service Operator [3], and tighter default security profiles for these services.

Noncontainer (VMbased) isolation improves: Containers revolutionized web application development and deployment, stealing market share from Virtual Machines with faster start-up and smaller footprints. Now, the circle is closing. With projects like Kata Containers [4], NABLA Containers [5], Google’s gVisor [6], and AWS’s Firecracker [7], container -compatible virtual machines are fighting for market share.


Ten directions for Kubernetes to go in 2019 Kubernetes’ explosive growth continued in 2018; where will this essential tech go in 2019? In this article, JAX DevOps speaker Andrew Martin explores some of his hopes and dreams for Kubernetes in the next year, as well as some more grounded expectations.

© c

drin

/Shu

tter

stoc

k.co

m



Relying on virtual machines for isolation requires fine-tun-ing of start times, security settings, and developer experience to match what we have become used to in containers. As the projects mature, Kubernetes should be able to orchestrate VMs transparently to the end user. Projects such as Kube-Virt [8] and firecracker-containerd [9] have begun this pro-cess already. The option to wrap processes in whichever isolation technology is most appropriate to their workload may greatly enhance security without compromising usability and performance. The holy grail!

The tangle of YAML unravels: Kubernetes requires a lot of YAML to configure; the difficulty of taming this complexity has spawned various different approaches and tools.

Helm is the most used [10] and the most flexible templat-ing solution, but its in-cluster Tiller component has had some security issues. Ksonnet [11] offers a hierarchical method for templating that favors inheritance. At the other end of the spectrum, users are using tools like Ansible [12] and Terra-form [13] to deploy applications, which are arguably the wrong abstractions for the job.

But now Kustomize [14] has been merged into Kubectl [15] – and with it yet another YAML format for gen-erating Kubernetes resources. As applications tend to choose a single templating tool to deliver YAML, I hope to see some standardization across these tools, or possibly a mechanism to transform between them.

Image and build metadata security matures: Supply chain security – compromising an upstream supplier and using the target’s trust in them to compromise the target – is gaining recognition as an easy attack vector. The Petya ransomware attack on the Ukrainian government affecting Maersk [16], Magecart’s attacks on TicketMaster’s and BA’s suppli-ers [17], and the NPM event-stream module poisoning [18] all suggest attackers are looking to exploit the supply chain in 2019.

Fortunately, Kubernetes and container supply chains have been the subject of scrutiny in recent years. Tools such as No-tary [19] (ensuring images match their expected content with side-channel GPG signatures using TUF [20]), Grafeas [21] (Google Cloud’s Binary Authorization [22] technology ex-posed as an open source project), and in-toto [23] (pipeline metadata security and policy control) all expose admission controllers to validate images as they are deployed to Kuber-netes.

These tools dramatically increase an organization’s com-promise resilience. They can be used to limit supply chain attack vectors in build pipelines and for images deployed to Kubernetes. These tools need greater awareness as projects start to distribute signed software, which ultimately leads to increased trust in Kubernetes workloads.

Rootless container runtimes become standard: The oldest criticism of Docker is that its daemon runs as root, so an es-cape from a container via the container runtime can potential-ly gain root on the host. The last few years have seen progress in some of the challenges of integrating user namespaces to allow running unprivileged containers.

LXC [24] already solves some of these problems, but it is not supported by Kubernetes. However, an experimental binary distribution of Kubernetes called usernetes [25] runs rootless Moby (Docker) and CRI-O runs without root privi-lege by using user namespaces. If this approach gains traction we will see a dramatic improvement in the safety of contain-erized workloads, and therefore Kubernetes itself.

ExpectationsStandardization at all layers of Kubernetes deployments: 2018 saw the Cluster API [26] introduce an API for machine and cluster provisioning, the kubeadm control plane provi-sioner reach general availability [27], and the GitOps [28] application deployment pattern rise as the logical progression of infrastructure as code.

Each of these projects addresses a deployment problem end users have struggled with at different layers from deployment of machines to the Kubernetes control plane and application workloads. We will continue to see adoption of these projects as they reach maturity.

Notably absent is the Federation v2 SIG, which is based on the lessons learned implementing cluster Federation v1. The complexity of herding distributed systems has yielded some valuable lessons, but the project may need more than a year to ensure sufficient testing for production readiness.

Service meshes will see widespread adoption: Service mesh-es hijacked KubeCon Austin in 2016 and again in Copen-hagen and Seattle in 2017 with the Kubernetes-native Istio and Linkerd 2 as the front-runners. Envoy, the proxy that powers Istio, has already won the hearts of the cloud native community with its snappy performance, container-friendly immutable configuration model, and hot reload capability.

Commercial entities are building around Envoy (includ-ing Tetrate [29], Solo [30], and Octarine [31], AWS’s App Mesh [32], Hashicorp’s Consul Connect [33], and a slew of others [34]), whilst Google’s Knative [35] has launched a full developer-focused platform on top of Istio.

The steep learning curve will begin to be outweighed by the security, availability, and observability guarantees of stable service meshes. Expect to see general adoption by high com-pliance enterprises that would otherwise have to manage their own network encryption and policy.

Rootless build systems will replace Docker socketsharing: Rootless container image builds (as distinct from rootless container runtimes) have been on the horizon for a couple of years with orca-build [36], BuildKit [37], and img [38]

“Docker & Kubernetes” track

Interested in learning how to resolve Kubernetes production out-ages? Andrew Martin will be leading a workshop at JAX DevOps in May 2019. His workshop, “Kubernetes production debugging”, is a part of the a part of the Docker & Kubernetes track, which is all about exploring best practices for working with these technolo-gies. Join us at JAX DevOps in London this May!

https://devops.jaxlondon.com/docker-kubernetes/workshop-kubernetes-production-debugging/



proving the concept. They allow container images to be built without exposing the Docker socket, which can be used to es-calate privilege. They are also probably a backdoor into most Kubernetes-based CI build farms.

With a slew of new rootless tooling emerging including Red Hat’s buildah [39], Google’s Kaniko [40], and Uber’s Makisu [41], we will see build systems that will eventually support building untrusted Dockerfiles, although there are outstanding issues that prevent these tools achieving that to-day.

FaaS adoption will continue to increase: Serverless offer-ings, also referred to as Function as a Service, will continue to fight for market share. There is obvious interest in the prom-ises of reduced resource utilization and pay-per-use compu-tation.

The original managed services that triggered the trend have seen huge adoption. AWS’s Lambda has finally introduced a layered ZIP format [42] that allows the same type of compo-sition as Docker images. The Kubernetes-hosted equivalents OpenFaaS [43], Knative [44], Kubeless [45], and Fission [46] will battle to deliver the smoothest developer experience and greatest feature set.

Kubernetes operators and CRDs will explode in popularity: Now that Kubernetes 1.13 supports multi-version Custom Resource Definitions (CRDs) and conversion via webhooks, the reimplementation of Third Party Resources (deprecated in 1.7) is complete. CRDs allow extension of the Kubernetes API, or the ability to add entirely new APIs.

As databases such as Vitess, Oracle, and MongoDB launch operators that manage their products at runtime using CRDs, application developers will follow, utilizing application scaf-folding like the Operator Framework [47] to manage Kuber-netes native applications and decrease the operational burden on SREs.

ConclusionThe Kubernetes community continues to innovate and in-spire, driven as much by open source interests as commercial entities. The work done behind the scenes by SIG leads, devel-opers, community and conference organizers, and end-users has been invaluable to the growth of the ecosystem. With the predicted growth in 2019, it’s hard to see an end in sight.

Andrew Martin has a strong test-first engineering ethos gained architect-ing and deploying high-traffic web applications. Proficient in systems de-velopment, testing, and operations, he is comfortable profiling and securing every tier of a bare metal or cloud native application, and has battle-hardened experience delivering containerized solutions to enter-

prise clients. He is a co-founder at https://control-plane.io.

[3] https://aws.amazon.com/blogs/opensource/aws-service-operator-kubernetes-available/

[4] https://katacontainers.io

[5] https://github.com/nabla-containers/

[6] https://github.com/google/gvisor/

[7] https://aws.amazon.com/blogs/aws/firecracker-lightweight-virtualization-for-serverless-computing/

[8] https://github.com/kubevirt/kubevirt/

[9] https://github.com/firecracker-microvm/firecracker-containerd/

[10] https://kubernetes.io/blog/2018/04/24/kubernetes-application-survey-results-2018/

[11] https://ksonnet.io

[12] https://www.ansible.com

[13] https://www.terraform.io

[14] https://github.com/kubernetes-sigs/kustomize/

[15] https://github.com/kubernetes/kubernetes/pull/70875

[16] https://en.wikipedia.org/wiki/2017_cyberattacks_on_Ukraine?oldformat=true#Affected_companies

[17] https://tech.newstatesman.com/security/magecart-ba-ticketmaster

[18] https://medium.com/intrinsic/compromised-npm-package-event-stream-d47d08605502

[19] https://github.com/theupdateframework/notary/

[20] https://theupdateframework.github.io

[21] https://grafeas.io

[22] https://cloud.google.com/binary-authorization/

[23] https://in-toto.github.io

[24] https://linuxcontainers.org

[25] https://github.com/rootless-containers/usernetes/

[26] https://github.com/kubernetes-sigs/cluster-api/

[27] https://kubernetes.io/blog/2018/12/04/production-ready-kubernetes-cluster-creation-with-kubeadm/

[28] https://www.weave.works/blog/what-is-gitops-really

[29] https://www.tetrate.io

[30] https://www.solo.io

[31] https://www.octarinesec.com

[32] https://aws.amazon.com/about-aws/whats-new/2018/11/introducing-aws-app-mesh---service-mesh-for-microservices-on-aws/

[33] https://www.consul.io/docs/connect/index.html

[34] https://www.envoyproxy.io/community

[35] https://cloud.google.com/knative/

[36] https://github.com/cyphar/orca-build/

[37] https://github.com/moby/buildkit/

[38] https://github.com/genuinetools/img/

[39] https://github.com/containers/buildah/

[40] https://github.com/GoogleContainerTools/kaniko/

[41] https://github.com/uber/makisu/

[42] https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html

[43] https://www.openfaas.com

[44] https://cloud.google.com/knative/

[45] https://kubeless.io

[46] https://fission.io

[47] https://github.com/operator-framework/operator-sdk/

References

[1] https://www.cncf.io/blog/2018/08/29/cncf-survey-use-of-cloud-native-technologies-in-production-has-grown-over-200-percent/

[2] https://github.com/weaveworks/eksctl

https://aws.amazon.com/blogs/opensource/aws-service-operator-kubernetes-available

https://aws.amazon.com/blogs/opensource/aws-service-operator-kubernetes-available

https://katacontainers.io

https://github.com/nabla-containers

https://github.com/google/gvisor

https://aws.amazon.com/blogs/aws/firecracker-lightweight-virtualization-for-serverless-computing

https://aws.amazon.com/blogs/aws/firecracker-lightweight-virtualization-for-serverless-computing

https://github.com/kubevirt/kubevirt

https://github.com/firecracker-microvm/firecracker-containerd

https://kubernetes.io/blog/2018/04/24/kubernetes-application-survey-results-2018

https://kubernetes.io/blog/2018/04/24/kubernetes-application-survey-results-2018

https://ksonnet.io

https://www.ansible.com

https://www.terraform.io

https://github.com/kubernetes-sigs/kustomize

https://github.com/kubernetes/kubernetes/pull/70875

https://en.wikipedia.org/wiki/2017_cyberattacks_on_Ukraine?oldformat=true#Affected_companies

https://en.wikipedia.org/wiki/2017_cyberattacks_on_Ukraine?oldformat=true#Affected_companies

https://tech.newstatesman.com/security/magecart-ba-ticketmaster

https://medium.com/intrinsic/compromised-npm-package-event-stream-d47d08605502

https://medium.com/intrinsic/compromised-npm-package-event-stream-d47d08605502

https://github.com/theupdateframework/notary

https://theupdateframework.github.io

https://grafeas.io

https://cloud.google.com/binary-authorization

https://in-toto.github.io

https://linuxcontainers.org

https://github.com/rootless-containers/usernetes

https://github.com/kubernetes-sigs/cluster-api

https://kubernetes.io/blog/2018/12/04/production-ready-kubernetes-cluster-creation-with-kubeadm

https://kubernetes.io/blog/2018/12/04/production-ready-kubernetes-cluster-creation-with-kubeadm

https://www.weave.works/blog/what-is-gitops-really

https://www.tetrate.io

https://www.solo.io

https://www.octarinesec.com

https://aws.amazon.com/about-aws/whats-new/2018/11/introducing-aws-app-mesh---service-mesh-for-microservices-on-aws

https://aws.amazon.com/about-aws/whats-new/2018/11/introducing-aws-app-mesh---service-mesh-for-microservices-on-aws

https://www.consul.io/docs/connect/index.html

https://www.envoyproxy.io/community

https://cloud.google.com/knative

https://github.com/cyphar/orca-build

https://github.com/moby/buildkit

https://github.com/genuinetools/img

https://github.com/containers/buildah

https://github.com/GoogleContainerTools/kaniko

https://github.com/uber/makisu

https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html

https://www.openfaas.com

https://cloud.google.com/knative

https://kubeless.io

https://fission.io

https://github.com/operator-framework/operator-sdk

https://www.cncf.io/blog/2018/08/29/cncf-survey-use-of-cloud-native-technologies-in-production-has-grown-over-200-percent

https://www.cncf.io/blog/2018/08/29/cncf-survey-use-of-cloud-native-technologies-in-production-has-grown-over-200-percent

https://github.com/weaveworks/eksctl



by Jussi Nummelin

We have seen an exponential adoption of Kubernetes in 2018. The entire ecosystem around Kubernetes has grown tremen-dously, bringing more and more building blocks into the landscape. This has also created some turmoil in the commu-nity, as the range of different solutions can especially feel a bit overwhelming for newcomers to the world of Kubernetes. Many cloud providers built up their KAAS (Kubernetes as a

Service) offerings in 2018, which can be seen as probably one of the big factors boosting the adoption rates.

There have been also some interesting technology devel-opments around container runtimes, some of which we’ll see moving to more mainstream use cases with Kubernetes. There seems to be some traction towards more security and better isolation focusing runtimes. Although these use cases are not typically meant to be seen by the Average Joe, it’s still good to keep an eye out on these.

Expectation vs. reality

Reaching for the stars with Kubernetes in 2019 Kubernetes has been experiencing rapid growth in the past few years. Can it keep up the pace in 2019? In this article, JAX DevOps speaker Jussi Nummelin explores some of the ways Kubernetes might go mainstream in the coming year.

© K

rist

ina

Biruk

ova/

Shu

tter

stoc

k.co

m



The following table outlines my predictions for the Kuber-netes ecosystem in 2019. As my crystal ball has been wrong before, these are divided into two categories: expectations and reality. The expectations are more of stretch goals or wishes, while reality is something that I think will likely happen. As the development in the Kubernetes and container ecosystem is still in such a speedy phase, it was super hard to pick only a few items on each list. I could think of several dozens of developments that might happen.

In conclusionIn 2019, we’ll continue to see the adoption of Kubernetes to grow almost exponentially. The increase in higher-level appli-cation constructs being developed on top of Kubernetes may even help the adoption rate grow. The growth will not happen without any pain, though; some of the complexity around Ku-bernetes may backfire a bit. In 2019, this might mean heated dis-cussions or debates around various concepts such as API design, cluster simplification, or operator overflow. One interesting dis-cussion has already started to raise its head: hyper-converged vs. bare-bones clusters. There seems to be two “camps” on this, as some prefer to run their clusters as bare bones and keep the functionality to a minimum “just schedule my pods”. Others build storage, networking, and some higher level operators into the cluster to have everything available within the cluster for applications. Only time will tell on this matter

Jussi Nummelin has architected and operated numerous software plat-forms and applications during his 15+ year career. Having worked for companies ranging from mobile operator Elisa to telecom systems and mobile phone provider Nokia to systems integrator Digia, Jussi has gained deep and wide experience in creating and running highly scalable fault

tolerant systems. Having boldly gone to production with the Docker 0.6 release at his previous company and being hard headed, Jussi stayed in the container business and is now one of the core engineers building container orchestration tools at Kon-tena, Inc.

“Docker and Kubernetes” track

Interested in integrating the best security practices to your Ku-bernetes clusters? Jussi Nummelin will be at JAX DevOps in May 2019. His talk “Taking the scissors away: Make your Kubernetes cluster safe for DevOps” is a part of the Docker and Kubernetes track, which is all about exploring best practices for working with these technologies. Join us at JAX DevOps in London this May!

Expectation Reality

Kubernetes goes mainstream

We’ve already started to see this happening; even the most rigid and traditional technology late adopters are looking to Kubernetes to provide a “standard” runtime for applications. There are numerous examples where communications providers are looking to push Kubernetes to the network edge, while banking and financial organizations are looking to push Kubernetes to traditional private bare-metal environments.

More CVEs found As the adoption and usage of Kubernetes grows, we’ll probably unfortunately see more CVEs also surfacing. This means that organizations using and deploying Kubernetes clusters will need better tooling to manage the full lifecycle of the clusters if they want to patch things quickly.

Pet vs. cattle clusters With VMs and cloud based infrastructure, many organizations have used VMs like cattle: never updating them, just throwing away old ones, and create a new one whenever they needed. We’ve already started to see organizations to use this pattern for entire Kubernetes clusters and I think this pattern will grow. It also means that organizations will need to have good tooling and automation over the cluster creation and management.

Kubernetes goes bare-metal

We’ll see more and more solutions where Kubernetes clusters can be created on top of bare-metal more easily and dynamically. Features such as iPXE boots for cluster nodes, network level load balancers, and such will make bare-metal clusters feel like in feature parity with cloud provided clusters.

Kubernetes is not the end-game by itself

People start to actually understand what Kubernetes is. More importantly, they figure out how all these technologies and solutions that are currently marketed or labeled as “Kubernetes” actually fit together on conceptual level to cre-ate the Kubernetes we all want to talk about.

Table 1: Expectations vs. reality for Kubernetes

Some of the complexity may backfire a bit and mean heated discussions or debates around various concepts such as API design, cluster simplification, or operator overflow.

https://devops.jaxlondon.com/docker-kubernetes/taking-the-scissors-away-make-your-kubernetes-cluster-safe-for-devops/



by Hubert Ströbitzer

The rapid-fire pace of new open source projects for Kuber-netes can be challenging for developers. Last year at Google Next, Google announced that Google Istio had reached ver-sion 1.0 as well as a new open-source project called Knative. Knative is, at the time of writing, in version 0.2.

Many older companies are struggling to migrate their legacy products into cloud-native tools and microservices. However, migrating an aged monolith into 12-factor micro-services takes time. Most migration projects underestimate the increase of operational tasks. Operating a monolith is

easier than having hundreds of microservices with multiple databases, message brokers, build pipelines, and more. Un-fortunately, customers do not care about these burdens.

Serverless promises to take away some operational tasks. Older developers may remember the NoSQL hype. In the end, NoSQL found its place besides traditional SQL databases. In the same fashion, serverless will also find its place. Serverless will be a great tool for some problems, but likely not for all problems. As it always goes in our business: it depends!

Knative brings in serverless on top of Kubernetes. The good news is that Knative is not intended to be used by business feature developers. Knative is used by tool providers to create


Bringing serverless to Kubernetes with Knative Mitigate the pain of monolith migrations with serverless tools! In this article, JAX DevOps speaker Hubert Ströbitzer explains how Knative allows developers to leverage the power of serverless technol-ogies on top of existing Kubernetes implementations. Does expectation meet reality? In this case, it often does!

© W

asili

yMay

/Shu

tter

stoc

k.co

m



their serverless or CI/CD products. A business feature devel-oper doesn’t have to know the YAML syntax to write Kna-tive’s CRDs. Companies like Google, IBM, Pivotal, Red Hat, and SAP are adding Knative directly into their products to provide a higher level of abstraction. Today, there are many cloud providers offering managed Kubernetes services. Kna-tive makes it possible to avoid a vendor lock-in for serverless products from cloud providers.

Serverless can be seen as the antithesis of the DevOps move-ment. It promises to take away operational tasks from busi-ness feature developers. These operational tasks are executed by the cloud provider. Of course, this is not doable in all con-texts for technical or legal reasons. Knative gives developers some interesting options. Of course, owning a data center just for serverless tasks sounds weird, but regulatory frameworks do not care about technical meaningfulness.

In 2019, more products will pop up, allowing developers to perform faster. There won’t be a need to care about machines, VMs or even containers. All of these tasks will be done by

“Cloud Platforms & Serverless” track

Interested in bringing serverless to your Kubernetes clusters? Hubert Ströbitzer will be at JAX DevOps in 2019. His talk “Getting started with Knative” is a part of the Cloud Platforms & Serverless track, which is all about insights into the newest approaches to set up cloud-based or even cloud native applications. Join us at JAX DevOps in London this May!


Cross-cloud serverless prod-ucts appear based on Knative.

Cross-cloud serverless products appear based on Knative.

Cloud-native CI/CD product vendors base their products on Knative.

CI/CD product vendors stay away from having a standardized way of building things.

Knative Is optional on hosted Kubernetes products.

Some cloud vendors stay away from supporting Knative on their hosted Kubernetes products in favor of their successful serverless products in their portfolio.

The community brings in support for a broader set of programming languages into Knative-based-serverless.

The community brings in support for a broader set of programming languages into serverless based on Knative.

Knative gets released in a ma-jor version.

Knative gets released in a major version.

Table 1: Expectation vs. reality for Knative

serverless products based on Knative. Instead, the question will be if the abstraction layers are done right and if devel-opers can deliver customer value faster. If so, software com-panies will be able to outsource a piece of their value-added chain.

Kubernetes does a great job in its scope and is a huge suc-cess. Istio and Knative stand on the shoulders of this giant, trying to bring the developer onto the main stage again while staying open source and vendor-neutral. Hopefully, cloud vendors will not misuse their market position and try to lock in their customers in their proprietary serverless products.

Hubert Ströbitzer is the guy who supports Devs to get into DevOps mode. He is responsible to keep a Microservice stack up and running and there-fore uses Docker, Kubernetes and Ansible on a daily basis. Having a strong Java and Spring coding background he tries to fill the gap between Dev and Ops and hopes to become obsolete as soon as possible. Hubert is

the founder of the IaaM (Infrastructure as a Meetup) in Linz, Austria [1]. He loves going deep into technical concerns and to discuss cultural aspects of our business. Recently he grew a strong affinity for monitoring.

References

[1] http://iaam.at

Knative can be seen as the antithesis of the DevOps move-ment. It takes away operational tasks from business feature developers. These tasks are executed by the cloud provider.

http://iaam.at

https://devops.jaxlondon.com/cloud-platforms/getting-started-with-knative/



by John Gray

Serverless computing has gained considerable attention in the IT industry. The value proposition is compelling – users can run code for virtually any type of application or backend ser-vice, all with zero administration. Just upload the code and the serverless environment takes care of everything required to run and scale code with high availability. Compared to containers (e.g. Docker), serverless computing is inexpensive, flexible, simple, and fast.

AWS Lambda is the best-known serverless platform. Launched in 2014, Lambda automatically runs code without requiring the user to provision or manage servers. Applica-tions are automatically scaled by running code in response to each trigger. Users are charged for every 100 ms their code executes and the number of times their code is triggered. AWS is now processing trillions of executions every month with Lambda. They have significantly invested in new releases to improve Lambda functions using Lambda Layers and the ability to create, share, and use custom runtimes. Google and Microsoft have also launched their own versions of serverless computing.

Containers vs serverlessAre containers going away? Absolutely not! Containers can still do many things better than serverless functions. For ex-ample, refactoring very large monolithic applications is still better suited for containers. Placing this type of application into serverless production environment contains many more pieces than with legacy monolithic applications. Containers also provide developers with more control over the virtual environment. It may take years before it becomes feasible for bigger apps to be rolled out to serverless.

In addition to the increased number of application com-ponents, many of them are only running for an instant,

which makes application monitoring and troubleshooting significantly more difficult. This difficulty will be overcome by DevOps teams integrating leading-edge application per-formance monitoring tools into these next-generation ap-plications.

A blocker for the adoption of serverless architectures is the millions of lines of existing code that organizations have which must be entirely refactored. However, for start-up companies, there is a great opportunity to use a serverless architecture from the very beginning and be able to undercut a competitor’s cost, evolving much more quickly.

Refactoring applications with containers and serverlessMany of today’s DevOps teams have sufficient real experi-ence with containers, microservices, and serverless to allow them to completely refactor applications. I predict DevOps team will utilize a combination of these technologies in 2019 and beyond. Containers-based applications combined with serverless provide the best of both worlds. This will lead to much more agility, reduced costs, and paying only for com-puting resources consumed.

Which technology will prevail?

Will serverless replace containers in 2019? While containers are now an integral part of the modern internet, serverless applications are becoming even more popular. In this article, John Gray takes a look at both technologies and compares how dif-ferent applications might benefit from one over the other.

John Gray is a co-founder of Infiniti, now an InterVision Company. John has almost 30 years of experience aligning business strategy and IT op-erations across a wide spectrum of industries. He has worked in progres-sive technology environments from mainframe to the cloud and everything in between. John has designed numerous application and systems inte-

gration architectures as part of multi-million dollar initiatives for public and private sector organizations. John grew up and went to college in the UK and he now resides in the greater Sacramento region. John has his AWS Solution Architect and PMP des-ignations and is routinely sought out for strategic advice on technology design, ar-chitecture and implementation of large complex cloud and on-premise systems. InterVision helps IT leaders transform their IT operations by solving for the right tech-nology, deployed on the right premises and managed through the right model.



By Richard Seroter

Let’s cut through the noise. The “serverless” label is slapped onto an ever-growing number of products nowadays, but there are a couple of characteristics that should always hold true: anything that qualifies as serverless computing must have utilization-based (not allocation-based) billing and re-move all need for infrastructure pre-provisioning or manage-ment. That means your application isn’t running (or incurring charges) when idle, and that you aren’t exposed to any aspect of server setup or maintenance. Think Azure Functions [1] or Amazon Aurora Serverless [2] database.

What should you do in 2019 as you evaluate and start using serverless products? Let’s look at three action items.

1. Have a conversation about “and” not “or”Your team just started deploying Kubernetes and seriously using public cloud infrastructure, and now you’re feeling the

heat to start exploring serverless, too? It’s a lot. The key thing to know: serverless platforms complement what you have; they won’t replace every other application host. Don’t think of it as “use containers OR functions.”

It’s additive. You’ll introduce serverless platforms to aug-ment (and selectively replace) what’s already there. Also, you’ll find serverless computing a natural extension of your already-underway technology efforts to build microservices, deploy an event-driven architecture, establish a DevOps cul-ture, and initiate continuous delivery. By itself, serverless can be just another way to build the wrong thing, faster. Com-bined with other efforts to get better at software, serverless is an accelerator.

One big reason you won’t switch to running entirely serverless systems anytime soon is all the software architec-tural changes required. You can’t “cheat” like you did when moving physical boxes to virtual machines, or from virtual machines to a platform-as-a-service. It was entirely possible

All you need to know

Three tips for serverless success in 2019 Are you looking into serverless adoption? In this article, Richard Seroter of Pivotal shares three tips on what should you do in 2019 before you start using serverless products.

© w

hite

Moc

ca/S

hutt

erst

ock.

com



to adopt those platforms without changing the workload at all.

Not so with serverless. Virtually nothing in your app port-folio lifts-and-shifts to a serverless platform. Rather, you’ll need to refactor or rewrite software to accommodate the scale-to-zero, event-driven nature.

2. Think of functions as the glue connecting managed servicesSo what will run in these new serverless platforms? Lots of things. You may serve up static sites, create lightweight APIs that return data from line-of-business systems, or handle webhooks.

What’s important to recognize, though, is that serverless platforms aren’t just another home for your code. Rather, they’re about limiting the code you’re writing in the first place! Don’t decompose an existing application into a set of a few dozen functions and try to stitch them back together in a function-as-a-service environment. That approach will in-crease your complexity and operations cost, without return-ing much benefit.

Rather, return to the initial business problem, replace code with managed services wherever possible, and write the glue-code necessary to connect it all. What kind of man-aged services am I talking about? User management systems, messaging, data synchronization, and more. For instance, you might continue to use a Spring Boot web application to collect data from customers, but leverage managed services to authenticate users, transmit data to downstream services, and send real-time notifications when a product ships. In that architecture, you might convert your stateful inventory processing app written in .NET to a series of lightweight functions that respond to state changes in the system of re-cord.

When building brand new applications with serverless sys-tems, follow the same ideas. Build as little code as possible, use managed services, optimize for quick learning, and don’t create technical debt by over-engineering your solution.

3. Embrace the immaturity, but isolate your riskIt’s hard to find a technology domain evolving faster than serverless. The three major cloud providers keep introducing new capabilities to their function platforms: AWS Lambda now supports more runtimes [3] and managed service inte-grations [4]; Microsoft’s been adding new languages [5] and robust support for stateful functions [6]; and Google’s Fire-base [7] keeps getting better for mobile developers. Don’t overlook the novel distributed serverless approach by Cloud-flare [8].

Recently at Kubecon, a host of software vendors took the wraps off their software-based function platforms, most based on the Google-led Knative [9] project: Pivotal took the wraps off the multi-cloud Pivotal Function Service [10]; IBM, Red Hat, SAP [11] and GitLab [12] also shared Kna-tive-powered products; and Oracle announced a new cloud-based service, Oracle Functions [13], based on the OSS Fn project. Note that all of these are at various levels of maturity and readiness. But between these commercial products and

the variety of open source projects, the landscape of choices is undeniably wider.

What questions should you ask yourself when deciding how deep to wade into this pool? Here are a few to keep in mind:

• How will you connect functions together into an “applica-tion”?

• What’s the right way to track dependencies and keep your functions up-to-date and secure?

• How are your datastores evolving to deal with short-lived, stateless services?

• How do you monitor and trace a distributed mesh of func-tions?

• What operational aspects “work” with a dozen functions, but collapse when you have a few hundred?

• Where can I experiment and learn about these platforms without prematurely making business changes that add significant risk?

In 2019, take a serious look at the business and technical im-plications of adopting a serverless platform (and mindset!). See this as initially complementary to what you’re already doing, while recognizing the inevitable march towards con-necting on-demand managed services together. If 2019 is the year that you commit to getting better at delivering software, serverless is part of the equation.

Richard Seroter is the VP of Product at Pivotal, an 11-time Microsoft MVP for cloud, an instructor for developer-centric training company Pluralsight, the lead InfoQ.com editor for cloud computing, and author of multiple books on application integration strategies. As VP of Product Marketing at Pivotal, Richard heads up product, partner, customer, and technical

marketing and helps customers see how to transform the way they build software. Richard maintains a regularly updated blog on topics of architecture and solution design.

seroter.wordpress.com @rseroter

References

[1] https://azure.microsoft.com/en-us/services/functions/

[2] https://aws.amazon.com/rds/aurora/serverless/

[3] https://aws.amazon.com/blogs/aws/new-for-aws-lambda-use-any-programming-language-and-share-common-components/

[4] https://aws.amazon.com/blogs/aws/new-compute-database-messaging-analytics-and-machine-learning-integration-for-aws-step-functions/

[5] https://azure.microsoft.com/en-us/blog/azure-functions-gets-better-for-python-and-javascript-developers/

[6] https://docs.microsoft.com/en-us/azure/azure-functions/durable/durable-functions-overview

[7] https://firebase.google.com

[8] https://www.cloudflare.com/de-de/products/cloudflare-workers/

[9] https://github.com/knative/

[10] https://content.pivotal.io/blog/the-first-open-multi-cloud-serverless-platform-for-the-enterprise-is-here-try-out-pivotal-function-service-today

[11] https://www.nextplatform.com/2018/12/10/red-hat-google-ibm-and-sap-go-knative-for-serverless/

[12] https://about.gitlab.com/2018/12/11/introducing-gitlab-serverless/

[13] https://blogs.oracle.com/developers/announcing-oracle-functions-v2



by Nate Taggart

Unless you have your head in the sand, you’ve probably been hearing a lot about serverless – and are likely already using it whether you realize this or not. Serverless adoption exploded in 2018 with many independent studies finding that it’s the fastest growing infrastructure pattern, the most loved devel-oper technology, and has already eclipsed container adoption levels. Serverless has reached the mainstream and it’s here to stay. Stackery has had front row seats to this transformation and we’re laying out our expectations for what’s ahead in serverless for 2019.

There’s still some confusion around serverless, thanks in no small part to its stupid name. But, in 2019 people will generally get over that mental hurdle and embrace it broadly for the genuine trajectory-changing improvements it makes to engineering velocity and the company’s bottom line. In short: 2019 is the year we’ll look back on and say, “that’s when serverless took off.”

Nate Taggart is an accomplished software industry leader with a track record of building successful enterprise developer products. Nate was the second Product Manager at New Relic, where he first started working with Chase. After New Relic’s IPO, and prior to founding Stackery, Nate led the Data Science program at GitHub.

What we’d like to see What we expect to see

“Serverless” will be broadly understood to mean “managed ser-vices”, not “FaaS” (Functions as a Service).

There will probably continue to be a little over-emphasis on the FaaS com-ponent of serverless, but the managed service definition will be the broad implementation pattern.

The bottom’s up, developer-led adoption of serverless will be augmented with top-down serverless-first strategy from engineer-ing leadership.

The velocity of early serverless projects will lead to executive buy-in and sup-port for future serverless-first approaches.

The false “containers vs. serverless” narrative will finally end. The holy war will wage on, but shift away from “containers vs. serverless” to a more mature discussion of who should manage orchestration – you or your cloud provider? Hint: the cloud provider will be the winning answer.

The IT Industrial Complex will throw massive FUD (Fear, Uncertainty, and Doubt) at serverless to defend their trillion-dol-lar industry, but it won’t matter.

FUD will indeed fly, but it will peak in 2019 as companies find undeniable success and dramatically increased velocity when they stop worrying about F5 load balancers and focus on their core business.

Serverless tech will continue its impressive history of steady ad-vancements and we’ll see fewer and fewer use cases that don’t fit this model.

There will continue to be some use cases where serverless has limitations, but the main-street enterprises adopting serverless will rarely (if ever) hit them.

Table 1: Expectations vs. reality


Serverless is here to stay While we are strolling into 2019, we asked a number of experts to share their pre-dictions for 2019 – what they wish to happen vs. what’s most likely to happen. In this article, Nate Taggart of Stackery talks about serverless.

https://www.ncwit.org/sites/default/files/resources/impactgenderdiversitytechbusinessperformance_print.pdf


https://www.cloudbees.com

Women in tech


A research study by The National Center for Women and In-formation Technology [1] showed that “gender diversity has specific benefits in technology settings,” which could explain why tech companies have started to invest in initiatives that aim to boost the number of female applicants, recruit them in a more effective way, retain them for longer, and give them the opportunity to advance. But is it enough?

In 2017, we launched a diversity series aimed at bringing the most inspirational and powerful women in the tech scene to your attention. Today, we’d like you to meet Isabel Muñoz Vilacides, Director of Productivity and Quality Engineering at CloudBees

What got you interested in technology?When I was three years old, my dad started to teach me to read just to be able to program with him on his MSX com-puter. Sometime later I experienced the excitement of writing some simple directives on the computer and then things mag-ically came together.

But what really got me into Computer Engineering were numbers. I loved Math and wanted to become a mathema-tician, but at that time mathematicians were not known for earning a high salary. This made my working-class parents encourage me to pursue another career, so I looked for an-other mathematics-centric degree and Computer Engineering was the best one.

I started working while I was studying to be able to pay my college tuition. I started as a developer and spent some years building websites to pay my bills. Then I changed companies

as a developer and my new employer thought I had an eye for quality and processes and offered me the chance to build a QA department. At that time, I didn’t even know what QA stood for, but they were offering me a raise with it, so why not?

I had to teach myself everything about testing: from manual testing, to using recorders, to building frameworks and get-ting continuous integration practices in engineering. It was a long ride, almost four years of my career, but it was incredibly fun.

Portrait

Isabel Muñoz Vilacides started her career as a developer but ended up managing quality engineering teams which she has continued doing for the last ten years. Since then she has helped different companies to reach continuous delivery by improving their development, testing and release processes through automa-tion and risk analysis: the biggest Spanish social network Tuenti, Rakuten video-on-demand service, the JIRA Cloud and Infrastruc-ture Services divisions at Atlassian. Currently, Isabel is an Engi-neering Director at CloudBees [2] where she is responsible for the Jenkins foundations development division.She believes in giving back to the community and is, therefore, a frequent speaker at testing meetups like After Test and Agile Barcelona, and she has also spoken at international conferences such as Devops Days, itSMF and expoQA where she has also formed part of the selection committee.

Women are underrepresented in the tech sector – myth or reality? In 2017, we launched a diversity se-ries aimed at bringing the most inspirational and powerful women in the tech scene to your attention. Today, we’d like you to meet Isabel Muñoz Vilacides, Director of Productivity and Quality Engineering at CloudBees

Isabel Muñoz Vilacides, CloudBees

How to succeed in tech: Tips and tricks

Women in tech


A strong support systemMy parents always supported me, but some friends and rel-atives kept asking me why I wanted to study something so complicated. “Get into business like your brother”, they said.

My dad showed me how rewarding programming could be, my mum taught me I could do anything I wanted, that nothing was impossible. My parents support combined with my own experiences and mistakes that I learnt from, got me to where I am now.

It is interesting that I went from a girls-only school to a male-dominated university, and on to an equally male-domi-nated workplace. I think that helped me to not feel the need to conform. I developed a pretty strong personality among other women and when I reached high education, I knew who I was and what path I wanted to take in life.

Looking back at my career and all the different roles I have held, I feel very fortunate for all the opportunities I have been given. I have been able to learn, teach, experiment and grow as a professional with every challenge and mistake made, and I am sure there is more to come.

But it was not an easy path. Every time I was given a new role, a promotion, more responsibility, I had to prove myself more than my male colleagues. This is a burden other people do not have, which makes the journey more difficult and un-balanced.

There have been circumstances where colleagues have tak-en credit for my ideas or achievements, but over time peo-ple realise who really gets things done. But the grey area in between is always uncomfortable; the awkward silences in meetings when you say something, and no one supports it and five minutes later someone else says the same and everybody is supportive. You have to be true to who you are and grow a thick skin to speak up or not care. I am sure any female colleagues reading this now will relate.

A day in Isabel’s lifeI work at CloudBees as a Director in Engineering focusing on the foundations of Jenkins, the #1 continuous integration and delivery tool in the market.

CloudBees is a distributed company which means that I get to work with people from all around the world. That makes my schedule a bit challenging sometimes, but it’s totally

worth it given all you can learn and achieve working in such an environment.

There are very few routines that I have for every workday apart from the development team rituals:

• Coffee• Setting goals for the day, both the unrealistic and realistic

ones• Trying to get things done between meetings while I listen

to music. Hopefully, you won’t be around on the days on which I sing while I work

• Wrapping up the day and seeing what I have achieved. This is my favourite and most important one. As a director in Engineering it is sometimes difficult to measure your im-pact and progress, so keeping track of daily achievements and not only team goals, helps one see the daily impact you are having.

Why aren’t there more women in tech?There are two sides to this coin: getting more women in tech, and once they are in, keeping them.

There is a cultural aspect that cannot be solved by the tech industry alone. Gender roles are part of the values that are taught to little boys and girls at home, and that is how we are losing most of the potential women in tech. This is why when I lived in Australia I became a mentor at a boys’ school. You would wonder, why a boys’ school? Well, I wanted them to meet me, see that our interests were similar, that being a software engineer was not only about wearing black t-shirts, and most importantly, that I could teach them and help them achieve their goals to become engineers as well.

There are not many women in the recruitment pipelines. “It is difficult to hire”, we keep saying, but what are compa-nies doing to make sure, that once they find talented women, they do not leave? If you do not feel cared for and you do not have a sense of belonging, you will eventually pursue another career.

Women in STEMDiversity, in general, makes the products you build richer, and women are a part of that diverse picture. Being around people who are different from us makes us more creative

“It is difficult to hire”, we keep saying, but what are companies doing to make sure, that once they find talented women, they do not leave? If you do not

feel cared for and you do not have a sense of belonging, you will eventually pursue another career.

Women in tech


PublisherSoftware & Support Media GmbH

Editorial Office AddressSoftware & Support MediaSchwedlerstraße 860314 Frankfurt, Germanywww.jaxenter.com

Editor in Chief: Sebastian Meyen

Editors: Jane Elizabeth, Eirini Papadopoulou, Gabriela Motroc, Hartmut Schlosser

Authors: Helen Beal, Daniel Bryant, Todor Gigilev, John Gray, Ralf Huuck, Abby

Kearns, Jeff Keyes, Nir Koren, Tim Mackey, Andrew Martin, Jussi

Nummelin, Michiel Rook, Richard Seroter, Ambreen Sheikh, Hubert

Ströbitzer, Nate Taggart, Isabel Muñoz Vilacides

Copy Editors: Jonas Bergmeister, Jasmin Höhl, Frauke Pesch

Creative Director: Jens Mainz

Layout: Dominique Kalbassi

Sales Clerk:Anika Stock+49 (0) 69 [email protected]

Entire contents copyright © 2019 Software & Support Media GmbH. All rights reserved. No part of this publication may be reproduced, redistributed, posted online, or reused by any means in any form, including print, electronic, photocopy, internal network, Web or any other method, without prior written permission of Software & Support Media GmbH.

The views expressed are solely those of the authors and do not reflect the views or position of their firm, any of their clients, or Publisher. Regarding the information, Publisher disc-laims all warranties as to the accuracy, completeness, or adequacy of any information, and is not responsible for any errors, omissions, in adequacies, misuse, or the consequences of using any information provided by Pub lisher. Rights of disposal of rewarded articles belong to Publisher. All mentioned trademarks and service marks are copyrighted by their respective owners.

Imprint

and diligent which also feeds into inclusion, acting as a cat-alyst.

We shouldn’t forget that our customers are also diverse and that we are building our products for all of them. Diversity is not only about development teams but about the audience we are building products for: left-handed, elderly people, wom-en, men …

Challenges women in tech faceWomen and minorities in tech are victims of other people’s biases. That is a pretty big entry-level challenge. The fact that when I meet engineers at conferences, they always think I am a designer, a marketer or even part of the staff of the con-

ference, is a clear example of how unexpected it is to have a skilled female engineer.

Going back to the point about minorities, the second big-gest challenge I see is the sense of belonging. As a woman in tech for over 12 years, I have almost always been the only woman in the room. You are different, you feel different and you don’t feel that you belong in the group. That happens even in healthy groups, boys’ clubs aside.

Luckily there are companies that proactively support fe-male talent like CloudBees where I have the pleasure to work with very talented women in product management, engineer-ing management and development.

Tips and tricksMeasure, measure, and measure. It is important that you have clear measurable goals so that you can get things done and back your impact with data. That way the burden on our-selves to prove that we are good enough disappears.

Women and minorities in tech are victims of other people’s

biases. That is a pretty big entry-level challenge.

References

[1] https://www.ncwit.org/sites/default/files/resources/impactgenderdiversitytechbusinessperformance_print.pdf

[2] https://www.cloudbees.com



https://www.cloudbees.com

tech predictions - jaxenter · context of devops, is that it separates dev and ops (although last...

Documents