News from TechBeacon

The 5 best tools for building progressive web apps fast

Progressive websites are rapidly growing in popularity as a way to build apps with JavaScript, CSS, and HTML that have a level of performance and usability that's nearly identical to native apps. While there are many “Introduction to progressive web apps” tutorials on the web, I want to dig a little deeper and offer suggestions for JavaScript tools and libraries you can use to start developing PWAs at a faster pace, and with minimum complexity.

There are critical capabilities that separate a progressive website from a traditional website. Progressive web apps must be able to do the following:

  • Work with most browsers and devices (mobile and desktop) with a progressive codebase
  • Fit all screen and form factors using a responsive design
  • Leverage service workers to enable offline connectivity (HTTPS required)
  • Provide an app-like experience that leverages re-engagement tools, such as push notifications
  • Leverage a web app manifest to describe the used resources

A good place to start if you are new to progressive web apps is Google's guide to building your first progressive web app. The goal of this article, however, is to assume that you have experimented with or completed your first progressive web app and are looking for tools that will let you to build out apps faster. Here, then, are the top tools my team uses to create progressive web apps.


Building progressive web apps with React

The first step in building a progressive web app is to choose a core framework. There are many frameworks, and I encourage you to look at the choices, but we use React, for two reasons:

  1. It's managed and supported by Facebook, which uses the framework on its sites and thereby demonstrates that the framework is rigorously tested with 1.18 billion users daily.
  2. React is the foundation for React Native, which lets you easily port apps built with React to native apps.

The appeal of ReactJS is its component-centered approach to development. Each component is built using JavaScript, and you can easily reuse it. Using JavaScript has its advantages:

  • We have many developers who already know JS, and so do not need to learn a new language.
  • Rich data can be quickly passed through the DOM layer.
  • ReactJS supports both raw and JSX JavaScript. JSX is an XML-like syntax for writing JavaScript.

The UI consists of components. Those components can render in the browser, on the server, using Node.js, and inside apps, using React Native. In this way, the challenges of managing apps that need to be delivered to many different operating systems, browsers, and devices are resolved.

Getting started: Using a Polymer template

You can significantly reduce the time required to set up a progressive web app by using Polymer as a template. This open source project by Google is frequently updated to keep it in sync with the open source projects the template leverages.

The Polymer templates use the PRPL pattern to optimize delivery of the app to the device. Use it to:

  • Push critical resources for the initial route
  • Render the initial route
  • Pre-cache the remaining routes
  • Lazy-load and create remaining routes on demand

You need to use an HTTP/2 server to deliver on-demand resources. The server also pre-caches the resources that the service workers provide. Design-wise, the Polymer template applies Google's popular Material Design by default.
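The service-worker capability listed earlier (offline connectivity, HTTPS required) and the PRPL precaching step are easiest to see in code. The following is an added example, not code from the article or from the Polymer template: a minimal service worker whose caching strategy is a plain function with the cache and the network injected, so the same logic can be exercised outside a browser. The cache name, the app-shell URL list, `/offline.html` and the helper names are assumptions of this example.

```javascript
// Added example (not from the TechBeacon article or the Polymer template):
// a service worker that precaches the app shell (the "P" and "Pre-cache" of
// PRPL) and serves everything else on demand, with an offline fallback.

const SHELL_CACHE = 'app-shell-v1';                 // assumed cache name
// Constructed list of app-shell URLs fetched at install time.
const SHELL_URLS = ['/', '/index.html', '/app.js', '/styles.css', '/offline.html'];

// Service workers only run on secure origins, so register only from a secure
// context. `nav` and `secure` are injected so the guard is testable in Node.
function registerServiceWorker(nav, secure, scriptUrl = '/sw.js') {
  if (!secure || !nav || !('serviceWorker' in nav)) return false;
  nav.serviceWorker.register(scriptUrl);
  return true;
}

// Strategy: cache-first for the precached app shell, network-first with cache
// fallback for everything else, and the offline page for navigations that
// cannot be served at all. `cache` exposes match/put like the Cache API and
// `network` is a function url -> Promise<Response>.
async function respondTo(url, mode, cache, network) {
  const cached = await cache.match(url);
  if (SHELL_URLS.includes(url)) {
    return cached || network(url);
  }
  try {
    const fresh = await network(url);
    if (fresh.ok) {
      // Response bodies can be read once, so store a clone when the object supports it.
      await cache.put(url, typeof fresh.clone === 'function' ? fresh.clone() : fresh);
    }
    return fresh;
  } catch (err) {
    if (cached) return cached;
    if (mode === 'navigate') return cache.match('/offline.html');
    throw err;
  }
}

// In-memory stand-in for the Cache API so the strategy runs outside a browser.
function memoryCache(initial = {}) {
  const store = new Map(Object.entries(initial));
  return {
    async match(url) { return store.get(url); },
    async put(url, response) { store.set(url, response); },
  };
}

// Wire the handlers up only when actually running inside a service worker.
if (typeof self !== 'undefined' && typeof self.addEventListener === 'function' && 'caches' in self) {
  self.addEventListener('install', (event) => {
    event.waitUntil(caches.open(SHELL_CACHE).then((c) => c.addAll(SHELL_URLS)));
  });
  self.addEventListener('fetch', (event) => {
    const url = new URL(event.request.url).pathname;
    event.respondWith(
      caches.open(SHELL_CACHE).then((c) => respondTo(url, event.request.mode, c, () => fetch(event.request)))
    );
  });
}
```

The cache-first branch is deliberately limited to the explicit app-shell list, and the network-first branch only stores responses with `ok` set; caching every response the worker sees would let one bad or error response be served from cache indefinitely.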

My team uses Polymer to quickly build prototypes. It enables them to immediately start on the important work (the code for the project) and rapidly bypass custom setup.

Managing dependencies with Webpack

While Polymer is great for getting started, there are times when my team will need to develop custom apps. To this end, we use Webpack—a module bundler for JavaScript applications.

Webpack makes creating dependency graphs much easier. A dependency graph removes the need for managed dependencies, meaning you no longer need to link to all those JS files at the bottom of an HTML web page. Moving to CommonJS or ES6 modules dramatically reduces the number of calls to and from a server, resulting in a faster app.

With Webpack, all non-code assets (images, CSS, fonts, etc.) can be referenced from JavaScript as objects, which brings significant speed benefits.

Webpack is not perfect. The learning curve is a little harsh (but manageable), and the documentation code is not great. But Webpack is essential for complex, front-end driven progressive websites.
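To make the dependency-graph idea concrete, here is an added example of a webpack configuration; it is not from the article or from the author's team. It assumes a webpack 4 style setup with `style-loader`, `css-loader` and `file-loader` installed, a single entry at `src/index.js` that imports its CSS and images, and a `dist/` output directory; all file names are assumptions.

```javascript
// Added example (not from the article): a webpack 4 style configuration in
// which CSS and image files imported from src/index.js become nodes in the
// dependency graph, so the page loads one bundle instead of a list of
// <script> tags at the bottom of the HTML.
const path = require('path');

module.exports = {
  // Single entry point; everything reachable from it via import/require is bundled.
  entry: './src/index.js',
  output: {
    path: path.resolve(__dirname, 'dist'),
    // Content hash in the file name so browser and service-worker caches pick up new builds.
    filename: 'app.[contenthash].js',
  },
  module: {
    rules: [
      // `import './styles.css'` in JS: css-loader resolves @import/url(),
      // style-loader injects the result into the page at runtime.
      { test: /\.css$/, use: ['style-loader', 'css-loader'] },
      // `import logo from './logo.png'` yields the URL of the emitted file.
      {
        test: /\.(png|jpe?g|gif|svg)$/,
        use: [{ loader: 'file-loader', options: { name: '[name].[hash].[ext]' } }],
      },
    ],
  },
  // Separate .map files so the shipped bundle stays minified but remains debuggable.
  devtool: 'source-map',
};
```

Run it with `webpack --config webpack.config.js`; the resulting `dist/` directory is what the service worker precaches and what the HTTP/2 server pushes for the initial route.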

Manage MVVM bindings between JS and HTML with Knockout

Sometimes you don't even need a versatile framework like React to build a progressive website. My team uses Knockout to build lightweight progressive apps.

They use it with JavaScript to handle Model-View-ViewModel (MVVM) bindings. Here are the key benefits of Knockout that have kept it in our toolbox:

  • The library can be easily dropped into existing websites without an extensive rewrite.
  • The library is tiny (only 13KB).
  • While small, the library still offers a great deal of functionality.

We consider Knockout a great "go to" framework for smaller projects, where speed of execution is paramount. We often use Knockout to develop proofs of concept during a design sprint.

There are two reasons why we use Knockout for quick projects instead of React. First, we can use Knockout to extend HTML, which in turn makes it easier to learn, and it does not require JSX. The second reason is templating. Templating makes it easier to build complex apps, because it minimizes the duplication of DOM elements. The following example demonstrates how easily a template can be added to an HTML page:

<!DOCTYPE html>
<html>
<head>
   <title>KnockoutJS Templating - foreach used with Template</title>
   <script src="https://ajax.aspnetcdn.com/ajax/knockout/knockout-3.4.1.js" type="text/javascript"></script>
</head>
<body>
   <h2>Fruit List</h2>
   Here are the fruits from your list:
   <!-- Render the 'displayFruit' template once for each item in the fruit array -->
   <div data-bind="template: { name: 'displayFruit', foreach: fruit }"></div>
   <!-- The template itself; the text binding sets textContent, so data is not interpreted as HTML -->
   <script type="text/html" id="displayFruit">
       <h3 data-bind="text: name"></h3>
       <p>Kingdom: <span data-bind="text: kingdom"></span></p>
       <p>Description: <span data-bind="text: description"></span></p>
   </script>
   <script type="text/javascript">
        // View model: the array the template iterates over
        function MyViewModelofFruit() {
            this.fruit = [
               {name: 'Strawberry', kingdom: 'Plantae', description: 'The garden strawberry (or simply strawberry; Fragaria × ananassa)[1] is a widely grown hybrid species of the genus Fragaria ... ' },
               {name: 'Apple', kingdom: 'Plantae', description: 'The apple tree (Malus pumila, commonly and erroneously called Malus domestica) is a deciduous tree in the rose family ...' }
            ];
        }
        // Bind the view model to the page
        var vm = new MyViewModelofFruit();
        ko.applyBindings(vm);
   </script>
</body>
</html>

Knockout is easy enough for a junior developer to learn quickly, and it comes with many attributes that would otherwise need to be written in competing frameworks, such as Backbone.js.

Check your code with Lighthouse

The final part of our progressive web app toolchain is Google's PWA performance monitoring tool, Lighthouse, which installs as a plugin for Chrome. Once you've installed the plugin, go to the progressive website you want to run tests against and click the Lighthouse button in Chrome's toolbar. The report you receive is detailed. The first section, "Progressive Web App", returns the following analytics:

  • App can load offline/flaky connections
  • Page load performance is fast
  • Site is progressively enhanced
  • Network connection is secure
  • User can be prompted to add to home screen
  • Installed web app will launch with custom splash screen
  • Address bar matches brand colors
  • Design is mobile friendly

Each of these sub-sections then breaks out specific technologies that you can add or modify to improve the performance of your progressive web app. For instance, the report for "App can load offline/flaky connections" provides details on:

  • Has a registered service worker (and describes what a service worker is)
  • URL responds with a 200 when offline

The second section, "Best Practices", provides details on the following:

  • Using modern offline features
  • Using modern protocols
  • Using modern CSS
  • Using modern JavaScript features
  • Avoiding APIs that harm the user experience
  • Accessibility

The third section, "Performance", shows how long it takes to load a single page from a responsive web app and how long each item in the page takes to load. It also includes tools to drill down into any issues causing slowdowns.

The final section, "Fancier Stuff," examines whether the latest HTML5/JS features are in use.

The goal with Lighthouse is both to test your site and to give you direction for fixing the issues.
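Several of the items Lighthouse reports in its "Progressive Web App" section (the add-to-home-screen prompt, the custom splash screen, the address bar matching brand colours, the secure connection) depend on what the web app manifest declares. The following is an added example, not Lighthouse's own code and not from the article: a small offline audit of a manifest object against those points. The sample manifest, the 192-pixel icon threshold, the accepted `display` values and the wording of the findings are assumptions of this example rather than Lighthouse's actual rules.

```javascript
// Added example (not from the article or from Lighthouse): audit a web app
// manifest object for the points the Lighthouse PWA section reports on.

// Constructed sample manifest, roughly what a PWA serves as manifest.json.
const sampleManifest = {
  name: 'Fruit List',
  short_name: 'Fruits',
  start_url: '/index.html',
  display: 'standalone',
  theme_color: '#2e7d32',
  background_color: '#ffffff',
  icons: [
    { src: '/icons/icon-192.png', sizes: '192x192', type: 'image/png' },
    { src: '/icons/icon-512.png', sizes: '512x512', type: 'image/png' },
  ],
};

// Largest edge (in pixels) declared across all icon "WxH" size strings, or 0.
function largestIconEdge(icons) {
  let max = 0;
  for (const icon of icons || []) {
    for (const size of String(icon.sizes || '').split(/\s+/)) {
      const m = /^(\d+)x(\d+)$/.exec(size);
      if (m) max = Math.max(max, Number(m[1]), Number(m[2]));
    }
  }
  return max;
}

// Return a list of findings; an empty list means every check here passed.
// pageOrigin is the URL of the page that links the manifest.
function auditManifest(manifest, pageOrigin) {
  const findings = [];
  if (!manifest.name && !manifest.short_name) findings.push('missing name/short_name');

  if (!manifest.start_url) {
    findings.push('missing start_url');
  } else {
    // Resolve relative to the page; an off-origin start_url would launch another site.
    const start = new URL(manifest.start_url, pageOrigin);
    if (start.origin !== new URL(pageOrigin).origin) findings.push('start_url is not same-origin');
    if (start.protocol !== 'https:' && start.hostname !== 'localhost') findings.push('start_url is not served over HTTPS');
  }

  // Assumed set of display modes that give an app-like window (no browser chrome).
  if (!['standalone', 'fullscreen', 'minimal-ui'].includes(manifest.display)) {
    findings.push('display does not give an app-like window');
  }
  // Assumed threshold: an icon of at least 192x192 for the home screen.
  if (largestIconEdge(manifest.icons) < 192) findings.push('no icon of at least 192x192 for the home screen');
  if (!manifest.theme_color) findings.push('theme_color missing (address bar will not match brand colours)');
  if (!manifest.background_color) findings.push('background_color missing (no custom splash screen)');
  return findings;
}
```

Usage: `auditManifest(JSON.parse(manifestText), 'https://your-site.example/')` from a build step or a pre-deploy check; the same-origin and HTTPS checks are the ones that matter most from a security standpoint, since the manifest's `start_url` decides what the installed app opens.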

Extra tools

The above tools are a selection of the many different progressive web application tools our team has reviewed. A few extra tools that you might want to consider in addition to (or as a replacement for) the tools above include:

  • AMP (Accelerated Mobile Pages)—Tools to guide image/JS compression to speed up your website. Google heavily supports AMP (even going as far as to highlight AMP-powered mobile websites in search results). Google supports AMP Cache on the elements in AMP, which developers can leverage without any cost.
  • AngularJS—Google's front-end JavaScript framework is more heavyweight than React, but also highly preferred among enterprise Java and .NET developers.
  • Ionic 2—The AngularJS 2-based framework was released in early 2017 and looks, at first glance, like an attractive solution for building on the success of the original Ionic framework, released in 2015. Ionic is a good platform for developers moving from Cordova/PhoneGap to modern responsive web app solutions.

The bottom line is that the tools for progressive web apps are still maturing and changing at a rapid rate. Many of the leading browser vendors, specifically Apple (with Safari and mobile Safari), Google (with Chrome) and Microsoft (with Edge) provide regular updates every 1-3 months. We are always keeping a close eye on new solutions, and evaluating how or if we should be using them in our projects. The end goal is to increase the app-like experience using web technologies.


Image credit: Flickr


10 monitoring talks that every developer should watch

You don’t want to annoy or lose customers with an outage. You want your software to respond to requests as quickly as possible. Any application that’s important to your cash flow needs to be monitored. Period.

For some organizations, monitoring is solely in the hands of operations, but recently the shift has been toward cross-discipline engineers who build, test, monitor, and are on call for their applications. In some cases, there are engineers who do nothing but monitor applications, and filter down issues to the developers of an offending application. These cross-discipline engineers are sometimes called DevOps engineers or site reliability engineers (SREs).

Monitoring is a critical component for any software company—or at least it should be. So what do experts from the most successful software companies say about the modern monitoring practices?

Top developers, reliability engineers, and monitoring tool makers including Allison McKnight, an SRE at Etsy, VividCortex CEO Baron Schwartz, and Torkel Ödegaard, creator of Grafana, shared their 10 most illuminating and useful presentations on monitoring. Nineteen more videos, arranged by category, are also included.


Metrics, metrics, everywhere

(Slides)

From the presentation:

“As developers we have a mental model of what our code does ... we spend so much time inside our heads, it's very easy to mistake what's inside of our heads for reality (i.e. to mistake the map for the territory) … we can't know until we measure it”
Coda Hale, co-founder of Skyliner and creator of Dropwizard

While it’s true this 2011 talk is a little old, it’s certainly evergreen advice. Coda Hale’s “Metrics, Metrics, Everywhere” was the first talk that came to mind when I asked Baron Schwartz about his favorite presentations on monitoring. Developers have even written blog posts specifically to praise this talk's timeless lessons.

The lecture hits all the right notes, especially with its reference to John Boyd’s OODA loop, which is also a core guiding principle for Netflix. Hale explains how developers can use OODA’s “observe, orient, decide, and act” as a model for focusing on the right metrics that give engineers the ability to better observe and react to systems in production.

Crafting performance alerting tools

(Slides)

From the presentation:

"We have a saying that goes, 'If it moves, we'll track it.' And sometimes we'll monitor something even if it doesn't move, just in case it tries to make a run for it later."
Allison McKnight, performance engineer, Etsy

Etsy is known for its operational chops. This talk explores how they created tools on top of popular open source projects such as Nagios to detect performance slowdowns in their back end. The key theme here is that you can improve your tools by integrating the context that you need while you're using those tools. Good tools are contagious.

Better living through statistics: Monitoring doesn't have to suck

(Slides)

From the presentation:

“The standard practice for alerting is still to check the measurement at the time that it is taken, and it is this ‘check script’ model of monitoring that is long due for an overhaul.”
Jamie Wilkinson, Site Reliability Engineer, Google

This is a great video to start with if you’re new to monitoring or you need to learn more about relevant statistical methods that can help you improve your monitoring systems. It gives you a solid introduction to the basic concepts of common monitoring systems, and also shows you some simple mathematics—which you may or may not remember from high school—that can give you way more insight into what your infrastructure is actually doing.

What should I monitor, and how should I do it?

From the presentation:

“Graphs have no intrinsic meaning. Don’t stare at a graph and wonder what it means. That’s a backwards process.”
Baron Schwartz, CEO, VividCortex

Even though it’s a few years old, this talk is still fairly accurate regarding its criticisms of monitoring tools. Not only does it suggest more powerful ways to monitor your applications, it also explains why competition for great engineers is forcing sub-billion-dollar companies to do more monitoring with fewer people.

Monitoring is dead. Long live monitoring

(Video) (Slides)

From the presentation:

“A system is observable if and only if you can determine the behavior of the system based on its outputs. The manner in which a system acts is its behavior. The outputs of a system are concrete results of its behaviors. Monitoring is the action of observing and checking the behavior and outputs of a system and its components over time.”
Greg Poirier, Software Engineer, Stripe

From the dawn of systems administration to now, monitoring has focused on CPU, memory, disk, process aliveness, and system aliveness. Greg Poirier thinks it’s time the industry outgrows this focus, and we change the conversation around monitoring. His presentation is lively and humorous. This is another good introduction to the general principles of monitoring. It's also more recent than "Better Living Through Statistics: Monitoring Doesn't Have to Suck."

The evolution of monitoring systems at Google

(Video)

From the presentation:

“There’s a famous story of a high-ranking [Google] engineer who spent an entire day trying to debug a problem with their monitoring, and it came down to the fact that within his config, ‘a’ minus ‘b’ was actually an identifier, not an expression. Those sorts of faux pas are all over the place in DSLs, if you’re not careful.”
Tony Rippy, software engineer, Google

Tony Rippy's session from Monitorama PDX 2015 is a revealing and entertaining trip down memory lane for those involved in monitoring systems at Google. Did you know, for example, that Google's first monitoring program was a hilariously simple Perl script that ran on a developer's desktop? Did you know they spent a lot of money and effort on a monitoring tool that almost no one could use? This presentation is not Tony Rippy's story. Rather, it's an aggregation of stories from hundreds of Google engineers over a 16-year period.

Monitoring at Spotify: When things go ping in the night

(Slides)

From the presentation:

“People didn’t care about monitoring until it started spamming them.” —Martin Parm, Infrastructure Engineer, Spotify

Want to see how Spotify’s monitoring evolved over the course of its history? You might be surprised to hear that this talk is much more about how monitoring affected the company culture and how its DevOps techniques evolved.

Building a culture of observability at Stripe

(Video) (Slides)

From the presentation:

“You will never fully replace and make these systems perfect. They require constant care, like a garden. So we’ve been able to switch most people over to the new systems, but the old systems still exist.”
Cory Watson, observability specialist and software engineer, Stripe

Stripe is a fairly new company that provides APIs for online payments. Like the Spotify talk, this session is more about people than tools and technology. It's a story about how Cory Watson came into the company to be a champion for creating a culture of observability and monitoring. You'll hear about the interesting, clever, and sometimes sneaky things he did to bring about this culture shift.

The art of performance monitoring

(Video)

From the presentation:

“You think to yourself, 'I had an incident, so I should make an alarm for that.' And you had another incident, and you should make a tool for that. At each step you’re making a rational choice, but you don’t realize that the cumulative effect is something that’s hard to maintain, and kind of unbearable.”
Brian Smith, production engineer, Facebook

In yet another talk from the trenches of a famous company, you'll learn more specific technical ideas for tools and strategies that can improve monitoring. You'll also hear about the monitoring mistakes Brian Smith sees developers making. There's a high density of good ideas for you to digest in this video, and it wraps up in less than 20 minutes.

How monitoring works at scale: Monitoring tools, components, & mentality at Facebook

(Slides)

From the presentation:

“As a developer, if I’m not getting feedback from the code that I’m pushing and the changes that I’m making, I will be burned out immediately, and probably after a year I will leave the company. But the problem isn’t in the company; it’s in the relationship between the developer and production.”
Ran Leibman, production engineer, Facebook

This slide presentation discusses how Facebook handles the challenges of monitoring its massive-scale environment. Most apps don’t come close to the size of those of Facebook, but there is a lot of good advice for any development shop in this session. Its techniques for dashboards, alerts, monitoring data management, and tooling UX might give you some ideas for your own monitoring tools.

More talks

That's the end of the curated list of talks recommended by the experts, but I've added this categorized list of 19 extra monitoring videos, so read on.

Metrics and culture

How Metrics Shape Your Culture (Video) (Slides)
By Nicole Forsgren

What you decide to monitor and measure shapes who you are as a company. Since metrics shape behavior and incentives, and behaviors and incentives are the heart of culture, metrics inherently shape your culture.

Metrics are for Chumps: Understanding and Overcoming the Roadblocks to Implementing Instrumentation (Video)
By James Fryman

Spending time instrumenting code and tooling becomes a low priority for some teams in the same way that testing and documentation become low priorities—people say it's not important enough to spend time on it. Learn how and why metrics implementations fail.

Tools and data visualization

An Admin's Guide to Data Visualization  (Video) (Slides)
By Caskey L. Dickson

Learn how to turn a wall of numbers into a story. This talk covers techniques for mastering common and advanced graphs, and also explores the psychology of how people interpret visual data.

Grafana and the Future of Metrics Visualization (Video)
By Torkel Ödegaard

Grafana is a hot, fairly new open source graph and dashboard composer. This talk is not a tool pitch, though. Rather, it looks at the state of metric visualization and how you can better integrate metrics with alerting in general. If you’re interested in learning more about Grafana, there are more up-to-date talks by Ödegaard. Here are some presentations on Grafana 3.0 and Grafana 4.0.

Prometheus (Video) (Slides)
By Brian Brazil

Another hot technology, especially around microservices monitoring, is the open source monitoring system and time series database, Prometheus. It was originally developed at SoundCloud and is used by Google.

Data science and monitoring

Statistics for Engineers (Video) (Slides)
By Heinrich Hartmann

Much of the monitoring space is focused on code that collects, moves, stores, and displays metrics, but this talk is about the most important part—code that analyzes the meaning behind the metrics. This talk, and the companion article, focus on statistical methods that are relevant to operations. Some mathematical knowledge is required.

Data Science: The Solution to #monitoringsucks (Video) (Slides)
By Patrick Roelke

The #monitoringsucks hashtag kicked off a conversation about the state of monitoring tools in 2011, and Patrick Roelke still thinks today’s leading tools, such as New Relic, Loggly, and DataDog, haven’t given engineers the answers they need. For that, Roelke explores new monitoring tools that harness data science and machine learning.

Scaling monitoring

Scaling Pinterest’s Monitoring System (Video) (Slides)
By Brian Overstreet

Hear the story of how Pinterest scaled its monitoring systems early on, and how it faced many challenges. This presentation explains much about the various open source tools and techniques its engineers used.

Scalable Online Analytics for Monitoring (Video) (Slides)
By Heinrich Hartmann

This opinionated talk favors stateful online computations in monitoring architecture that enable machine learning on high-velocity data. The main components include alerting systems, event engines, stream aggregators, and time-series databases.

Testing in production

Production Testing Through Monitoring (Video) (Slides)
By Leon Fayer

Traditional testing methods can’t fix everything before production. Internet-scale, data-driven problems make it impossible to predict every edge case that can cause production issues, so teams need to be able to fix problems in their production environments quickly. This talk takes a real-world look at common testing inefficiencies, and offers recommendations for top-down metric instrumentation.

Testing in Production (Video)
By Devdas Bhagat

Just as behavior-driven development (BDD) brings the business level into testing, this talk addresses how to bring the business level into monitoring. It explores strategies for business-level and functional monitoring, and also covers the tradeoffs in moving from a development, test, acceptance, production (DTAP) model to continuous deployment.

Monitoring first

Monitoring As A Service (Video) (Slides)
By James Turnbull

It’s important to think about monitoring as a service that you provide to your teams, rather than just a collection of the latest tools. This talk will show you how to build or extend your monitoring environment to be customer-focused instead of infrastructure-focused.

Monitoring at Service Provider Scale (Video) (Slides)
By Chris Jackson

Every organization has different needs for monitoring, so it’s an incredible challenge for service providers to satisfy all of these unique use cases. This short video expresses Rackspace’s idea to build open monitoring stacks on a few fundamental principles. The first principle is that organizations are not snowflakes, so their monitoring doesn't need to be highly customized.

Monitoring as a First Step to a New Service (Video) (Slides)
By Darron Froese

Most organizations bolt monitoring onto the end of the software delivery process, but that’s not a good idea, says Darron Froese. You need to monitor at the beginning of the process, when each package is still in its repository. You should plan and implement monitoring before there’s even data. This talk goes into detail about how to start using monitoring as the first step, not the last one.

Site Reliability Engineering (SRE)

The Keys to SRE (Video)
By Ben Treynor

Google was one of the first companies to spread the idea of having site reliability engineers (SREs). Ben Treynor was at the center of that shift in Google’s operations, and this talk distils the practices of SREs down to the fundamentals. There's a good companion interview available as well.

Performance Checklists for SREs (Video) (Slides)
By Brendan Gregg

A senior performance architect at Netflix reveals how the company handles outages when minutes matter. They use the same tools as would be used in an aviation emergency: checklists.

Production Engineering, There Is No Spoon (Video) (Slides)
By Ran Leibman

Facebook has its own take on SREs, which it calls production engineers. These people work directly with software engineers, from road-mapping to being on call. Hear the inside story from one of Facebook’s production engineers.

Misconceptions & challenges

The Fallacy of Real-Time Analytics in Performance Monitoring (Video)
By Elizabeth Nichols

Real-time analytics are valuable, but only if you avoid a partial solution that merely produces noise and frustration. Check out this interesting vision for a more comprehensive real-time analytics monitoring platform.

Monitoring Challenges (Video) (Slides)
By Adrian Cockcroft

Adrian Cockcroft, former chief architect at Netflix, looks forward to the latest architectures—like microservices and serverless—and how they're creating interesting monitoring challenges. He explains why monitoring vendors keep being disrupted, and concludes with simulation testing and ideas for how to test serverless architectures.

Those picks are a great starting point. If you have found any other useful videos in the field of monitoring, metrics, and reliability, share them in the comments below.


Rugged DevOps at RSA: 6 takeaways for security, ops teams

More than 850 security and DevOps practitioners got together once again last week for the DevOps Connect track at the annual RSA Security Conference in San Francisco. Now in its third year, and with almost double last year's attendance, the event puts security professionals in the same room as DevOps practitioners for a day to explore security's role in the DevOps movement, examine how to integrate software supply chains with continuous delivery pipelines, make sense of what Rugged DevOps means in practice, and answer that all-important question: Should they call what they're doing DevSecOps? Or SecDevOps? Or maybe it's DevOpsSec?

The track featured 14 speakers from both ends of the DevOps and security spectrum who discussed everything from implementation strategies and technology/tools to how to bring it all together into a coherent culture that encompasses security, software development and operations.

For the DevOps crowd, it was a fascinating look into the state of the art in security. Security practitioners—the majority of attendees—were exposed to the current best thinking on bringing DevOps to the enterprise, an ecosystem within which many of them reside.

Here are the six biggest takeaways from this year's event.


Integrating security and DevOps requires changing the game

DevOps stalwart John Willis kicked off the event with a keynote on a topic that may not sound particularly relevant: Pareto Efficient Nash Equilibriums. But it turns out that if you work in an environment where it's hard to integrate the work your security engineers are doing with the work everyone else is doing, the problem may, in fact, be due to an effect economists have studied for years.

The relevance lies in the fact that organizations often create systems where the expected payouts are such that people are given incentives not only not to cooperate, but more perniciously, not even to consider cooperating, because there's no rational reason to do so. Solving this requires not only changing the game your teams play as they ship software, but also understanding that merely thinking of the game as zero-sum makes it more difficult for anyone in your company, much less everyone, to win.

Your organizational challenges aren't as unique as you might think

A potentially harsh message from Jez Humble and Dr. Nicole Forsgren, both longtime DevOps researchers, was that there's ample evidence that no matter what the makeup of your organization—startup or enterprise, public or private, regulated or not—the problems you're facing in software development, delivery, and security are no different from the organizations they've researched that have successfully addressed those problems.

No matter what your constraints might be, they have a body of scientifically vetted evidence from teams and companies with similar ones who, despite them, have made huge strides in a positive direction. As Humble put it: "You are not a snowflake... at least, no more than we're all snowflakes."

Security is a big data problem

With all the hype surrounding big data, Intuit's Shannon Leitz observed that many security practices are reducible to a big data problem. As you move more infrastructure into the cloud and give engineers more direct control over the environments they create (and, in some cases, make responsible for managing), the number of compute instances and the people with direct access to infrastructure increases. That, in turn, causes the attack surface to balloon.

Answering simple questions such as, "How many instances in my infrastructure are vulnerable to this OpenSSL exploit?" or "Who, exactly, has the ability to access what?" fit the description of a big data problem, which means addressing these questions with data science can be an extremely effective security practice.

Containers are useful, but often misused

While containerization and similar isolation techniques are important, the ways in which you use container technology may inhibit security, Leitz said. As an example, many organizations ship containers with entire operating system images in them, negating the isolation benefits that containers provide. Containers, too, contribute to an increased attack surface.

Many container management platforms have tools that can address these problems, but the industry has adopted containers at such a rapid pace that developers haven't caught up with best practices yet.

The security debt tsunami is coming

Josh Corman rattled the audience with a deep dive into the Hollywood Presbyterian ransomware case, where a hospital was forced to pay attackers to release its IT systems in order to provide medical care to patients. Simply put, "A tsunami of both technical and security debt is coming to crush us," Corman said, a point he accentuated with details on recent Internet-of-Things attacks, as well as attacks on industrial infrastructure, such as dams and power plants.

The takeaway: the unseen and underrated technical debt that people talk about is going to cause real damage in the coming decade. You'll do well to start thinking of the consequences today. This growing but often hidden risk is the precise reason why integrating security into software delivery using DevOps practices is both critically important and compelling.

Security is still about empathy

After providing a reality check for the audience, Corman also noted that one of the core tenets of the DevOps community—empathy—is often in short supply when it comes to security. The conscious practice of empathy is one virus he hopes will infect security communities. The way that healthy organizations practicing DevOps have fostered empathy between development and operations teams that had been at each other's throats is a model for the security community.

At the end of the day, it was clearer than ever that security is another critical component of any organization's successful DevOps practice. The DevOps community is ecstatic about the force-multiplying potential of having security engineers hop on board software delivery pipelines, and the subsequent potential value for customers that brings.

As to the burning question of what the combination of security and DevOps should officially be labeled? The prevailing opinion: just keep calling it DevOps.


Image credit: Flickr


How LeanIntent can help you get more out of DevOps

I first became excited about “lean” when I read Dean Leffingwell’s book Agile Software Requirements in early 2011. I knew a lean approach to IT value delivery was the future, and I entered into a business relationship with Dean to co-found Scaled Agile, Inc., from which emerged the Scaled Agile Framework, or SAFe.

After three years with Scaled Agile, I now work with companies undergoing lean transformations at the enterprise level. As I have studied my clients’ DevOps initiatives, it has become clear that they need an effective front-end to feed the processes involved. My question was, how does the DevOps pipeline receive its work? How fast and how often is the work made available, and how do we know we’re working on the right things?

Here's a new approach to applying lean principles that can help DevOps teams (executives, managers, developers, testers, integrators, or security engineers) achieve and exceed their essential objectives. 


Delivering value to users

Traditional product development environments simply cannot leverage the intrinsic benefits of experimentation, rapid development, and frequent code deployments that DevOps provides. Most enterprises are functionally structured, rather than value-oriented. By contrast, DevOps is all about delivering value very quickly to users and customers.

Lean thinking and lean behavior can fill that void. To successfully sustain the continuous flow of a DevOps organization, I believe that a lean front-end can fully realize the power and speed of DevOps.

In their book The DevOps Handbook, Gene Kim, et al. discuss DevOps in terms of lean concepts such as value streams, flow, short feedback and learning loops, and cross-functional organizations. Leveraging that view of lean, I created a unified body of work called Lean for the Intelligent Enterprise, “LeanIntent” for short. This open-source framework provides a global context for the lean approach, focused on what's needed to take full advantage of a DevOps implementation.

Introducing lean DevOps

DevOps is fundamentally changing how software-based products are designed, coded, and delivered. Continuous integration and continuous delivery of services to a production environment is how many organizations dominate or stay competitive in the marketplace (think Amazon and Salesforce).

So where does lean come in?

The paradigm shift from large batch development to single-unit delivery has created a modern software factory that operates on many of the same principles that traditional factories use to create tangible goods through assembly or processing (auto plants and oil refineries are classic examples).  Yes, factory-based practices can facilitate continuous software delivery. But to successfully sustain a DevOps model, I believe that the way companies fundamentally think, organize, and operate must also change.

The lean DevOps ecosystem

Compared to traditional companies, lean organizations realize significantly shorter lead times, which is the period from when a customer expresses a need (or a company sees an opportunity) to the deployment of capabilities or services and the collection of cash. A well-formed lean enterprise incorporates constructs such as flow-based prioritization and sequencing, face-to-face planning, theory of constraints, short queue lengths, and small batch sizes to create an optimized feeder for the CI/CD/microservices world.

When DevOps is understood and implemented within a holistic lean ecosystem, an organization realizes additional strategic benefits—such as improved predictability, faster time-to-market, and reduced software inventory (remember, non-production code is considered inventory, and in a lean world we strive to minimize inventory). What’s needed is a structure that fully supports and encapsulates the automation of the continuous deployment pipeline, nicely described by Viktor Farcic in The DevOps 2.0 Toolkit.

Lean for the intelligent enterprise

The newly released open, crowd-sourced framework and knowledge base—Lean for the Intelligent Enterprise or LeanIntent—helps DevOps become more fully assimilated and leveraged as part of a larger lean organization. Just as SAFe forever changed the agile development landscape, LeanIntent is intended as the foundational model for organizations to successfully employ DevOps. Perhaps LeanIntent will become to DevOps what SAFe became to agile.  

I’ve created LeanIntent as a free, newly published body of work that includes a comprehensive set of thinking models, optimized patterns of organizational behavior, principles and techniques to streamline business operations, and guiding tenets for the people who do the work and run an organization.

Essentially, LeanIntent is a set of unified lean best practices that enhance enterprise-wide function and performance—it’s a clearinghouse of all things lean.

But first ... what is lean?

Lean emerged from the manufacturing world in the 1980s and 1990s, and the Toyota Production System (TPS) popularized the notion of lean manufacturing. In a factory environment, lean is defined as a systematic approach to “create more value for customers with fewer resources.” Others see lean as a “set of tools that assist in the identification and steady elimination of waste.”

But as LeanIntent defines it, lean is much more than applied tools and practices—it is a way of thinking, organizing, operating, and being. A lean intelligent enterprise integrates all of these facets as illustrated below. Understanding the diverse nature of a lean enterprise is the first step toward optimizing DevOps’ feeders.

DevOps is characterized by Wikipedia as a set of practices that emphasizes the collaboration and communication of both software developers and other information-technology (IT) professionals. But when DevOps is viewed as an enterprise strategic asset, its implications to business success extend beyond inter-IT communications.

How a lean enterprise works

In their seminal book Lean Thinking, James Womack and Daniel Jones state:

“Value is created by the producer, but it can only be defined by the ultimate customer.”

There is almost always some degree of disconnect between what a customer wants and what they get. But the attraction of lean DevOps is how rapidly customer feedback is communicated through the enterprise to developers and testers who improve and deploy the enhanced solution with a very short lead time (days versus months).

This is possible because lean establishments are organized around value streams—persistent activities that provide a continuous, sequential, cross-functional, serial flow of value creation and delivery across the organization. As illustrated in the Lean Value Map below, the production, delivery, and support processes (stages 7 – 9) of a value stream’s continuous flow mechanism are the perfect fit for a DevOps model, effectively consuming work from its optimized, sustainable input pipeline (stages 1 – 6).


As a strategic asset, DevOps should be visible to all levels of an organization, not just middle managers and IT workers. Executive leadership and senior management have a fiduciary responsibility to maximize value, not only to customers but to employees and shareholders as well, and as such should be part of the larger DevOps solution. Leadership, training, organizational structure, operational excellence, and opportunities for innovation and improvement are fundamental to a lean enterprise.

DevOps as a demand-driven lean factory

An ideal lean factory is a demand-driven, single-unit delivery pipeline; similarly, a lean intelligent enterprise is most effective when organized around value streams and a conduit of valuable small-batch deliveries with extremely tight feedback and learning cycles. This is what DevOps does best, successfully enabled through the continuous flow of input within a lean value stream. This is one reason I’m so excited about LeanIntent—it provides the context within which the DevOps pipeline is effectively fed the right amount of work, in the proper sequence, in direct support of enterprise goals and strategies.

DevOps is more than just the combination of development and operations; it is a strategic, continuous flow, technology-based delivery instrument for a lean intelligent enterprise. DevOps has a bright future as an efficacious delivery mechanism, and I’ve designed LeanIntent to provide the context within which DevOps can be more successfully reasoned, understood, and implemented.

I hope this framework helps you in your DevOps endeavors, and I welcome any feedback or ideas you may have that could benefit others. You can reach me at colin.oneill@leanintent.com. Share your thoughts about LeanIntent in the comments section below.


Image credit: Flickr


The best software testing and performance conferences of 2017

Are you an IT professional working in the areas of software testing, quality assurance, performance monitoring and management, or other areas related to software user satisfaction? If so, you should consider attending a few conferences this year to learn how the experts, including your peers, are handling their constantly evolving job roles and demands.

Testing tools, processes, and expectations are constantly changing, and the conferences listed below can help you keep your skills and knowledge up to date.

TechBeacon sought out the best conferences, and ranked them in four categories:

  • Must-attend.
  • Worth attending.
  • Events with a broader scope that have strong testing, QA, or performance management content.
  • Large, quasi-legendary conferences whose size and breadth make them interesting to testing and performance professionals.

The world of testing and performance management is turning fast. DevOps, continuous delivery, agile, and other modern software practices are steadily replacing traditional waterfall methods. As a testing professional, you need to adapt to this new reality.

Testing and QA are interwoven into the development and delivery cycle in a tighter, more automated way, and testing pros need to stay on top of new products, technology changes, and business requirements, especially tighter software security, cost efficiency, and regulatory compliance.


Must-attend testing, performance conferences

This year's must-attend list of testing, performance and QA conferences is based on high levels of interest among attendees, shown through year-over-year growth.

Agile Testing Days

Twitter: @AgileTD / #AgileTD
Web: agiletestingdays.com
Date: November 13-17
Location: Dorint Sanssouci, Potsdam/Berlin, Germany
Cost: Not available

Considered one of Europe’s main software testing events, Agile Testing Days is aimed at companies that want to gain an edge through “early, rapid and iterative application releases.” Past attendees say that the conference offers a mix of fun interludes and serious sessions that make the experience both enjoyable and worthwhile.

"In short, this was an astounding event," wrote conference goer Pete Walen of the 2016 event. "I slept little and did much thinking and learning. Less drinking this year (good thing) but fantastic conversations that have impacted my thoughts more than any week I can recall in years and years. The information flow was non-stop. Oh, and there were really good conference sessions, too."

At most conferences, there are breaks between tracks and keynote sessions. Usually they're used to grab a beverage and head to the next event. "That’s not what happens at ATD," writes Nathalie Rooseboom de Vries - van Delft, who attended the 2016 conference. "During these breaks, attendees gather and confer. I guess this is a combination of the type of people (active, engaged), the type of conference and content (living up the Agile manifesto ;-)), the size of the venue (not that massive) and the way ATD is really pampering their audience with snacks, fruit, food and different kinds of beverages."

Who should attend: Anyone involved with software testing—test managers, designers, analysts, consultants, architects, quality directors—as well as software architects, application developers, IT managers, CIOs, CTOs, software engineers.

Agile Testing Days USA

Twitter: @Agile_USA / #ATD_USA
Web: agiletestingdays.us
Date: [Cancelled] June 19, tutorials; June 20-21, conference
Location: Double Tree Hilton, Danvers, Massachusetts.
Cost: Tutorials, $799 each (through March 2), $849 (through May 1), thereafter $899; conference passes range from $899 for one day (through March 2) to $1,998 for two days.

Update: Unfortunately this conference (the first time Agile Testing Days was having a US event) was canceled recently due to the political situation in the US.

This event gives attendees an opportunity to learn best practices from testing leaders and practitioners, as well as network with peers, according to the conference organizers.

Tutorial sessions were slated to include Mob Programming Hands-On Workshop, by Woody Zuill; Leading Global Agile Adoptions Workshop, by Ray Arell; Lean Software Testing: Explained, by Matthew Heusser; and Agile Testing 101, by Janet Gregory and Lisa Crispin.

Who should attend (if there's a conference next year): Anyone involved with software testing—test managers, designers, analysts, consultants, architects, quality directors—as well as software architects, application developers, IT managers, CIOs, CTOs, and software engineers.

STAR Software Testing Conferences

Twitter: @TechWell / #StarEast / #StarWest / #StarCanada
Web: techwell.com/software-conferences/star-software-testing-conferences
Dates/Location:
Star East: May 7-12, Rosen Centre Hotel, Orlando, Florida
Star West: Oct. 1-6, Disneyland Hotel, Anaheim, California
Star Canada: Oct. 15-20, Hyatt Regency, Toronto, Canada

Cost: Star East, training and conference packages from $3,495 (through March 10) to $4,245; conference packages from $595 (testing and quality leadership summit only through March 10) to $3,295. Star West, training and conference packages from $3,495 (through August 4) to $3,995; conference packages from $595 (testing and quality leadership summit only through August 4) to $3,295. Star Canada, training and conference packages from US$3,495 (through August 18) to $3,995; conference packages from $795 (one full or two half-day tutorials through August 18) to $2,495.

These conferences, organized by TechWell and designed specifically for testing and QA pros, dig into topics such as test management and leadership, software testing techniques, mobile app testing, test automation, certifications, QA methodologies, tools, agile testing, performance testing, exploratory testing, DevOps and software testing, and QA tester careers.

Writing for TechBeacon, test architect Gerie Owen called the Star conferences “among the most prestigious QA and testing conferences in North America” and “suitable for junior-level testers as well as seasoned test professionals and test managers.”

The conferences are geared toward practical knowledge that attendees can apply immediately at work, and include short sessions, half- and full-day tutorials, multiple day in-depth training, and a leadership summit.

Who should attend: Software and test managers, IT directors, QA managers and analysts, test practitioners and engineers, development managers, developers, CTOs.

Google Test Automation Conference (GTAC)

Twitter: @googletesting
Web: developers.google.com/google-test-automation-conference
Dates: No 2017 date set yet
Location: London, United Kingdom
Cost: Free. By invitation only.

GTAC, first held in 2006, draws engineers from industry and academia. It focuses on the latest technologies and strategies in test automation and test engineering.

The event draws big names: 2016 speakers included Manasi Joshi, a senior staff engineer at Google; Hima Mandali, leader of the DevOps engineering teams at Capital One; Boris Prikhodky, leader of the QA Infrastructure team at Unity Technologies; Dan Hislop, an audio test engineer at Citrix; Yanbin Zhang, a senior software engineer in Intel's Software and Services Group; Atif M. Memon, a professor in the Department of Computer Science at the University of Maryland; Taejun Lee, a software engineer on the productivity engineering team at Box; and David Buckhurst, an engineering manager at the BBC.

Writing about last year's conference, TOPdesk's Tobias Spöcker said: "All in all, it was a really cool conference with so many interesting and unique topics from all kinds of speakers. I really liked the broad variety of subjects and how they were presented, but that is not all such an event provides. It was really nice to meet so many people from around the globe who are equally enthusiastic about the field of automated testing. It was very enjoyable to get together with these guys and have some nice chats about problems we currently face at our companies, and share some tips and tricks that could possibly solve these issues."

Joe Nolan of SauceLabs called the 2016 GTAC "unique and engaging" for all types of test automators from both industry and academia. "Where else can you see a live demonstration of how a robot uses fake fingertips to test swiping a mobile phone, and then see how to component test soup dumplings?" he wrote.

Who should attend: QA and test pros.

STPCon Spring 2017

Twitter: @SoftwareTestPro / #STPCon
Web: stpcon.com
Date: March 14-17
Location: Renaissance Phoenix Downtown, Phoenix, Arizona
Cost: Ranges from $745 (one conference day) to $2,195 (conference and all workshops).

Organizers say that this conference, “designed by testers for testers,” focuses on testing management and strategy to help attendees improve their techniques, get up to speed on the latest tools and trends, improve processes, and better understand the testing industry.

Who should attend: QA and testing professionals.

Workshops and conference sessions have been posted online.

Monitorama

Twitter: @Monitorama / #monitorama
Web: monitorama.com
Date: May 22-24
Location: Gerding Theater, Portland, Oregon
Cost: $400

As its name implies, Monitorama focuses strictly on software monitoring. It’s narrow in scope by design, with a single track, so that attendees have a cohesive, unified experience and don’t suffer from “choice overload,” as founder Jason Dixon explains. The conference strives to create an atmosphere of inclusiveness among attendees, all of whom Dixon wants to feel welcome.

“I know what it feels like to be an outsider at an event where you're not part of the inner circle, and I never want anyone else to feel that way at Monitorama,” he writes.

Mehdi Daoudi notes that his head was "spinning with all of the great content, amazing speakers, new tools and technologies that were covered at Monitorama 2016."

"One of the best themes for this year’s Monitorama is around the 'human' factor," he writes. "Placing a premium on the people that consume the monitoring data and implement monitoring tools. We need to do a better job in certain areas."

"I really enjoyed Monitorama 2016; it was my first time there, but certainly not my last," he adds. "I strongly encourage everyone to attend next year."

Apollo Catlin, a senior operations engineer at Threat Stack, says he learned a valuable lesson at last year's Monitorama: It has never been easier to monitor your infrastructure. "Not only have the tools come a long way in the last few years," he writes. "But the community and perspectives on monitoring have rallied as well, by focusing on the people who build and use monitoring systems."

Who should attend: Developers, operations staff, testers, QA pros.

EuroSTAR Software Testing Conference

Twitter: @esconfs / #esconfs
Web: eurostarsoftwaretesting.com
Date: November 6-9
Location: Copenhagen, Denmark
Cost: Ranges from €865 to €2,310

EuroSTAR is Europe’s longest-running testing conference, with a rich history reaching back to 1993, when it first took place in London.

EuroSTAR's key strength is the community focus that drives it. Each year a newly selected Program Committee and 40-person panel of volunteers score upward of 500 submissions, selecting the best to create a comprehensive program that caters to a broad range of testing topics and specialties.

Daniel Knott, who describes himself as a passionate software tester, highly recommends EuroSTAR. "The EuroStar conference is one of the software testing conferences in Europe that every tester should try to attend," he writes. "It is a great conference to meet great software testers from all over the world to exchange and share your own knowledge and to learn something new."

EuroSTAR can be a very creative environment, maintains software test developer Kristoffer Nordström, who conducted a workshop at the 2016 event. "It’s an open safe environment where ideas can flourish and come together with other ideas and problems, to form into something that is sometimes larger than the sum of the parts," he writes. "Going from the [2016] conference I already have new ideas and initiatives that I want to work on."

Who should attend: Software testers and test managers, test consultants, test analysts, senior IT managers, and software developers.

Worth attending

Some readers might describe many of the conferences in this category as “must attend,” especially those that appear to be growing in size each year. But these conferences are either smaller in attendance or targeted at specific industries.

Surge 2017

Twitter: @surgecon / #surgecon
Web: surge.omniti.com/2017
Date: Sept. 20-22
Location: Omni Shoreham Hotel, Washington, D.C.
Cost: $500-$750.

Surge is organized by OmniTI, a web app scalability and performance vendor, and features “practitioner-oriented sessions.”

Who should attend: IT Ops, infrastructure administrators, developers, QA pros.

Video of sessions from the 2016 event is available online.

Perform 2017

Twitter: @Dynatrace / #dynatrace
Web: dynatrace.com/en/perform.html
Date: Feb. 6-9
Location: Las Vegas, Nevada
Cost: Not available

Application performance management vendor Dynatrace organizes this conference. Breakout sessions in 2017 included A Brand New Dimension to UX; The Coop Story: Still Re-inventing the Customer Experience 150 years on; Adobe's Operations Monitoring Transformation Story; Performance Engineering in a DevOps World; and Pushing the Limits of Visibility: How Improved Insight into Customer Experience Drives Digital Transformation.

Who should attend: Developers, IT Ops, testers, QA pros.

8th ACM/SPEC International Conference on Performance Engineering

Twitter: @spec_perf / #ICPE
Web: icpe2017.spec.org
Date: April 22-26
Location: L'Aquila, Italy
Cost: Workshops and tutorials, €100-€250 (through March 24); thereafter, €200-€350

ACM/SPEC provides a forum for the “integration of theory and practice in the field of performance engineering,” say organizers. It draws researchers and practitioners who discuss research, ideas, and challenges to the performance engineering of software and systems.

Who should attend: Software and systems performance engineers.

American Software Testing Qualifications Board conference

Twitter: @astqb / #ASTQB
Web: www.astqb.org/certified-tester-resources/astqb-software-testing-conference
Date: September 15
Location: Irvine, California
Cost: Exam fees range from $150 to $375

This conference features tutorials, classes, keynotes, sessions, and networking opportunities, and is designed to teach attendees “practical, ready-to-use” software QA and security strategies so that they can improve the quality and security of software, and be more efficient.

Breakout sessions cover areas such as mobile, agile, security and performance testing, as well as test automation and business analysis/UAT.

Who should attend: QA pros, software testers, managers, directors, developers, security staff, CxOs, engineers.

QAI Quest 2017

Twitter: @QAIquest / #QUESTconf
Web: qaiquest.org/2017
Date: April 3-7
Location: Renaissance Chicago Downtown, Chicago, Illinois
Cost: Workshop, conference, expo combos range from $2,195-$2,895; single admission items range from $595-$1,945

Focused on software engineering, delivery, and testing, QUEST features classes, tutorials, sessions, hands-on workshops, discussions groups, an expo floor, and networking events. Topics covered include agile, test design, automation, performance, mobile, security, and DevOps.

Who should attend: Testers, QA pros, developers, IT Ops, software engineers, architects.

Mobile Dev + Test

Twitter: @techwell / #mobiledevtest
Web: mobiledevtest.techwell.com
Date: April 24 - April 28
Location: San Diego, California
Cost: Conference, training, and certification packages, $3,495 (through February 24) to $3,895; conference packages, $1,595 (through February 24) to $2,895.

This conference focuses on mobile development for iOS and Android as well as mobile testing, performance, design, user experience, smart technology, and security, according to its organizers. Topics include wearables, mobile security testing, and mobile app design.

Who should attend: iOS and Android developers, testers, UX designers.

Cross-discipline conferences

Conferences in this category are targeted at specific industries or technologies. Although they may not be exclusively about QA, monitoring, performance or testing, these events will be of interest to people who work in these fields.

Velocity Conference

Twitter: @velocityconf / @OReillyMedia / #velocityconf
Web: https://conferences.oreilly.com/velocity/vl-ca
Date: training, June 19-20; tutorials and conference, June 20-22
Location: San Jose, California. (Also New York, Amsterdam, and Beijing.)
Cost: Not available

O'Reilly says it's taking Velocity in a new direction in 2017. Originally focused on web performance and operations, the conference will now encompass a distributed systems stack spanning from the application layer all the way down to compute, storage and networking to the data center—whether in the cloud or not. Presentations at the 2017 conference will cover everything from automation, containerization, continuous delivery and DevOps to orchestration and scheduling, security and serverless computing. Expect to experience a technical, performance-minded, operations-centric conference on which developers, operations, and designers converge.

Who should attend: Developers, operations specialists, IT Ops staff.

Video of 2016 keynotes and other information is available online.

BlackHat USA

Twitter: @BlackHatEvents / @ubm / BlackHat / #BHUSA
Web: blackhat.com
Date: July 22-27
Location: Mandalay Bay Hotel, Las Vegas, Nevada (Black Hat will also be held in London and Singapore in 2016)
Cost: Starts at $495 for a business pass, which includes access to the business hall, sponsored workshops, sponsored sessions, and the Arsenal; and goes up to $2,595 for a "Briefing" ticket. Training sessions are priced individually.

First held in 1997, Black Hat is one of the world’s biggest tech conferences, one that security professionals must attend or at least must follow closely from afar. It’s the preferred venue for researchers, security experts, vendors, and ethical hackers to disclose their latest vulnerability findings, the most dramatic of which become general-interest news globally.

For example, the 2015 conference exposed security gaps in cars that could let cyber criminals remotely disable key functions in moving vehicles, such as brakes. In 2016, a "danger drone" was aired that could hack into devices while flying over them, and a technique for planting ransomware on smart thermostats was discussed.

Black Hat features training sessions, a big expo floor, and A-list presenters and keynote speakers, as at many major tech conferences. But unlike other events, Black Hat requires attendees to take precautions, as they’ll be surrounded by thousands of the world’s finest hackers, some of whom will be looking to play pranks, test their latest vulnerability discoveries in a real-world setting or attempt criminal acts, such as stealing personal, governmental, or corporate data.

"I kind of like Black Hat better than the RSA Conference," wrote Jon Oltsik, Enterprise Strategy Group Senior Principal Analyst, after last year's Black Hat conference. "At Black Hat, you talk about the real challenges facing our industry, and discuss intellectual ways to overcome them. At RSA, everyone throws buzz words at you and tells you how they solve all your problems."

Attendees should be prepared for a large conference (more than 11,000 people attended in 2015), where revelations about security vulnerabilities will be detailed.

Who should attend: Security analysts, risk managers, security architects/engineers, penetration testers, security software developers, cryptographers.

RSA Conference

Twitter: @rsaconference / #RSAC
Web: rsaconference.com/events/us17
Date: February 13-17
Location: Moscone Center, San Francisco, California
Cost: Ticket prices vary widely, starting at $100 for an early-bird expo pass to $2,695 for a full-conference pass bought on site.

One of the world’s largest security conferences, RSA celebrates its 26th anniversary in 2017. RSA became part of Dell Technologies in September but the acquisition isn't expected to affect this year's conference or any future shows.

"Like many other exhibitors, I spent hours chatting with potential customers and technology partners," Tom Skeen, an IT, risk and security adviser with Safe-T Data, wrote about RSA 2016.

"Just about everyone had a common theme or two," he added. "What is the best way to protect information, at a reasonable cost and with the most operational supportability? This makes complete sense given the continued challenges around advanced cybercrime and hyper connectivity nowadays."

This is a very large event in terms of attendees, exhibitors, and sessions, which may signal robust growth in the IT security industry and just how dangerous the threat landscape has become.

Attendees should do their pre-conference homework and sketch out a game plan, since this is a very large conference. In 2016 there were more than 40,000 attendees and almost 700 speakers.

Who should attend: Security-minded testing professionals.

CanSecWest

Twitter: @CanSecWest / #CanSecWest
Web: cansecwest.com
Date: March 15-17, 2017
Location: Sheraton Wall Centre in Vancouver, British Columbia
Cost: Access to the conference ranges from CAD $2,100 to $2,500, depending on when the ticket is bought. Dojo registration, depending on when the ticket is bought, ranges from CAD $1,900 for one day to $7,400 for four days. Registration includes catered meals.

"The technical depth and breadth of the research presented in Vancouver this year yet again lived up to expectations," Pieter Ockers, a senior security program manager at Adobe, wrote after CanSecWest 2016.

"Of the security conferences that Adobe sponsors throughout the year, CanSecWest consistently draws a critical mass from the security research community, with offensive, defensive and vendor communities well-represented," he continued.

"The exposure to bleeding edge research presented by subject matter security experts, and the opportunity to forge new relationships with the security research community sets CanSecWest apart from the security conferences Adobe attends throughout the year," he said.

Organizers describe CanSecWest as "the world's most advanced conference focusing on applied digital security," and they take pride in attracting “industry luminaries” as speakers and in fostering a relaxed environment for collaboration and networking.

Now in its 17th year, the three-day, single-track conference features one-hour presentations delivered by experts in a lecture theater setting, focused on sharing best practices and real-world experiences and detailing new vulnerabilities, attacks, and defenses. This year's presentations include Sandbox Escape with Generous Help from Security Software, Don't Trust Your Eye: Apple Graphics Is Compromised!, Bypassing Different Defense Schemes via Crash Resistant Probing of Address Space, and APT Reports and OPSEC Evolution: These Are Not the APT Reports You Are Looking For.

In addition to the presentations, CanSecWest features hands-on "Dojo" training courses from security instructors.

Who should attend: CISOs, CSOs, enterprise IT security pros and executives.

AppSecUSA

Twitter: @appsecusa / #appsecusa
Web: 2016.appsecusa.org (2017 website coming soon)
Date: September 19-22
Location: Orlando, Florida
Cost: For the 2015 conference, regular admission was $995, with a variety of discounts available, including $80 tickets for full-time university students.

Focused on application security, this conference goes deep into topics such as DevOps, privacy, mobile security, secure development, app assessments, and cloud security. Highly technical, it is organized by the Open Web Application Security Project (OWASP), a nonprofit organization with 200 chapters in 100 countries that's devoted to improving app security from a vendor-neutral perspective.

AppSecUSA claims to be the largest conference solely dedicated to application security. Unlike similar conferences, which only offer speaker sessions, AppSecUSA also offers training by leaders in the field, opportunities for women and those transitioning from military service to network and develop their careers, and significant discounts for students to learn about security careers.

Headline speakers at the 2016 conference included novelist, activist, and journalist Cory Doctorow, who discussed the intersection of DRM and security research; Samy Kamkar, a researcher, hacktivist, and entrepreneur who discussed how he uses side channels, physics, and low-cost tools to mount powerful attacks against modern technology; and Casey Ellis, co-founder of Bugcrowd, who spoke about best practices for implementing an effective bug bounty program.

Who should attend: Developers, auditors, risk managers, technologists, and entrepreneurs.

Annual Computer Security Applications Conference

Twitter: @ACSAC_Conf / #ACSAC
Web: acsac.org 
Date: December 4-8
Location: San Juan, Puerto Rico
Cost: Not available (More details will be available in March.)

First held in 1984, ACSAC focuses on applied security and draws security professionals from academia, government, and industry. Its target audience is people developing practical solutions for network, system, and IT security problems. Proceedings include in-depth tutorials, workshops, case studies, panel discussions, and a technical track of peer-reviewed papers.

Who should attend: Researchers and a broad cross-section of security professionals drawn from industry, government, and academia.

38th IEEE Symposium on Security and Privacy

Twitter: @IEEESSP / #IEEESSP
Web: ieee-security.org/TC/SP2017
Date: May 22-24, symposium; May 25, privacy workshops
Location: San Jose, California
Cost: Not available

The IEEE Symposium on Security and Privacy, first held in 1980, attracts both researchers and practitioners, and describes itself as the “premier forum” to present developments in computer security and electronic privacy.

Workshops this year will focus on privacy engineering; bio-inspired security, trust, assurance and resilience; language-theoretic security; mobile security technologies; technology and consumer protection; and traffic measurements for cybersecurity.

Who should attend: Researchers, security practitioners.

Fluent

Twitter: @fluentconf / @OReillyMedia / #FluentConf
Web: conferences.oreilly.com/fluent/fl-ca
Date: June 19-20, training; June 20-22, tutorials and conferences
Location: San Jose, California
Cost: Not available.

First held in 2012, Fluent covers the “full scope of the Web platform,” according to organizers. It focuses on practical training in JavaScript, HTML5, CSS, and associated technologies and frameworks, including WebGL, CSS3, mobile APIs, Node.js, AngularJS, and ECMAScript 6. Keynote speeches at the conference last year addressed subjects such as making mobile apps as powerful as desktop apps, an introduction to the Seif project to transition the Web into an application delivery system, the two most important principles to being a better designer, and using advanced browser features to build robust apps.

Who should attend: Web designers and developers, including mobile and web infrastructure teams, JavaScript developers, architects, UI/UX designers, and system developers.

Video of the 2016 keynotes is available online.

OSCON (O'Reilly Open Source Convention)

Twitter: @oscon / @OReillyMedia / #Oscon
Web: conferences.oreilly.com/oscon/open-source-us
Date: May 8-9, training and tutorials; May 10-11, conference
Location: Austin, Texas
Cost: From $1,545 to $2,695 (through March 16).

In its explainer about the conference, O'Reilly notes that open source has moved from disruption to default. Its methods and culture commoditized the technologies that drove the Internet revolution and transformed the practice of software development. Collaborative and transparent, open source has become the modus operandi, powering the next wave of innovation in cloud, data, and mobile technologies.

In its early days, OSCON was focused on changing mainstream business thinking and practices; today the event is about real-world practices and how to successfully implement open source in your workflow or projects.

A schedule of conference tutorials, keynotes, sessions, and events is available online.

Who should attend: Developers, programmers, software architects, designers, system administrators, entrepreneurs, CxOs.

QCon

QCon London
Twitter: @QCon / @qconlondon / #qconlondon
Web: qconlondon.com
Date: Conference, March 6-8; workshops, March 9-10
Location: Queen Elizabeth Conference Centre, London, United Kingdom
Cost: Pricing ranges from £475 for a one-day workshop to £1,650 for three-day conference pass.

QCon New York
Twitter: @QCon / @QConNewYork / #qconnewyork
Web: qconnewyork.com
Date: Conference, June 26-28; workshops, June 29-30
Location: Marriott Marquis, New York City
Cost: Pricing ranges from $795 for one-day workshop to $2,650 for three-day conference pass.

QCon San Francisco
Twitter: @QCon / @QConSF / #qconsf
Web: qconsf.com
Date: Conference, November 13-15; workshops, November 16-17
Location: Hyatt Regency, San Francisco
Cost: Not available.

QCon's organizers say what distinguishes these events from others is the marriage of innovation with practical advice. QCon's workshops and conference sessions are conducted by engineers, practitioners and team leads and not evangelists, trainers/coaches and consultants. Topics focus on innovators and early adopters in software companies.

Who should attend: Technical team leads, architects, engineering directors, project managers.

GoTo Conference

Twitter: @GOTOcon / @GOTOchgo / #GOTOChgo
Web: gotochgo.com
Date: Conference, May 1-2; workshops, May 3-4
Location: Swissotel, Chicago, Illinois. (Also held in Amsterdam, Copenhagen and Berlin.)
Cost: Pricing ranges from $750 for a one-day workshop or $1,195 for a two-day conference pass, to $2,695 for all conference and workshop days.

This is the fifth year for Chicago's GoTo Conference, which organizers say was “created by developers, for developers," with an emphasis on what has recently become relevant and interesting for the software development community. This highly technical conference offers informal and easy contact with experts, as well as with fellow software and technology professionals.

Several tracks will be offered this year on topics such as microservices, security, deep learning analytics, and DevOps. This year's lineup of speakers includes Adrian Mouat, author of Using Docker; Brian Grant, technology lead at Morningstar; Brian Ray, cognitive computing team lead at Deloitte; Bridget Kromhout, co-host of the Arrested DevOps podcast; Chris Heilmann, senior program manager for developer experience and evangelism at Microsoft; and John Steven, CTO at Cigital.

Who should attend: Developers, team leads, architects, and project managers.

DockerCon

Twitter: @DockerCon / #dockercon
Web: 2017.dockercon.com
Date: April 17-20
Location: Austin Convention Center, Austin, Texas
Cost: Full conference pass, $1,150

The interest in containers—and in Docker especially—has gone from 0 to 80 mph in less than two years, which is why this conference has become one of the hottest gatherings in the IT industry.

For 2017, conference organizers promise to offer a bigger and better program—one that reflects the diversity of the Docker ecosystem and community. This year's event, they say, will have sessions on use cases at large and innovative corporations, advanced technical talks, and hands-on lab tutorials. Each day starts with a general session, followed by breakout sessions. Among the speakers at this year's event will be Solomon Hykes, founder and CTO of Docker.

Last year, more than 4,000 people registered for the conference, with 500 on the waiting list. The gathering also attracted some 100 company sponsors, compared to 30 in 2014, when Docker debuted.

Who should attend: Developers, DevOps enthusiasts, IT executives.

Open Source Summits

Twitter: @linuxfoundation / #OSSummit
Web:
events.linuxfoundation.org/events/open-source-summit-japan
events.linuxfoundation.org/events/open-source-summit-north-america
events.linuxfoundation.org/events/open-source-summit-europe

Date/Location:
May 31-June 2: Tokyo Conference Center Ariake, Tokyo, Japan
September 11-13: JW Marriott LA Live, Los Angeles, California
October 23-25: Hilton Prague, Czech Republic

Cost:
Japan, $350 (through April 16) to $500
North America, $800 (through June 18) to $1,100
Europe, $800 (through August 20) to $1,100

For 2017, the Linux Foundation is combining three events—LinuxCon, ContainerCon and CloudOpen—into the Open Source Summits. The North American and European conferences will include the Community Leadership Conference, which, according to the conference organizers, brings together leading practitioners who are building empowered and productive open source communities to share their experiences with others.

“In recent years, open source has expanded to be the default software in virtually every area of technology, so it is important that the broad community have a place to gather and exchange ideas,” Linux Foundation Executive Director Jim Zemlin said in a statement. “The Linux Foundation Open Source Summit will gather the best and brightest from every corner of open source technology together for an event where they can collaborate and share best practices.”

Who should attend: Software developers, programmers, core maintainers, Linux IT professionals, IT operations experts, system administrators, chief architects, corporate end users, senior business executives, legal counsel, students.

Other conferences to consider

This final category consists of conferences that are just too cool not to mention. If you’re planning your conference travel and budget around mobile and IoT shows, you might want to save a little room on your plate for one or more of the following events.

CES (Consumer Electronics Show)

Twitter: @CES / #CES2018
Web: cesweb.org
Date: January 9-12, 2018
Location: Las Vegas, Nevada
Cost: Not available.

The legendary and massive consumer electronics conference and expo covers a wide range of topics, some of which might be of direct or tangential interest to those involved with mobile and IoT, such as security, digital entertainment, e-commerce, gaming, robotics, storage, education technology, mobile apps, and networking.

Who should attend: Anyone interested in the latest and greatest consumer electronics.

SXSW (South By Southwest)

Twitter: @sxsw / #SXSW2017
Web: sxsw.com/schedule
Date: March 10-19
Location: Austin, Texas
Cost: Prices range from $495 to $1,550.

While music and film are key elements of SXSW, the event also has a strong technology component. Topics this year include startups, wearables, healthcare IT, virtual reality, IoT, smart cities, digital media, online marketing, software design and development, open source, mobile design, and user experience.

TechCrunch Disrupt

Twitter: @TechCrunch / #tcdisrupt
Web: techcrunch.com/event-info/disrupt-ny-2017/ and techcrunch.com/event-info/disrupt-sf-2017/
Date: May 15-17
Location: New York, New York
Date: September 18-20
Location: San Francisco, California
Cost: Extra early-bird ticket for full, three-day access: $1,995. Other packages for exhibitors and individuals available.

Disrupt is the conference for anyone involved with or interested in startups, entrepreneurs, venture capital, and emerging technologies. It features hackathons, provocative panel discussions, and A-list speakers. Many established high-tech companies have used Disrupt as a springboard.

Gartner’s Symposium/ITxpo

Twitter: @Gartner_SYM / #ITxpo #GartnerSYM
Web: gartner.com/events/na/orlando-symposium
Date: October 30-November 2
Location: Gold Coast, Australia
Cost: Standard conference price is A$4,350. Public-sector price is A$3,575. Group discounts available.

The mother of all Gartner conferences, Symposium/ITxpo is aimed specifically at CIOs and technology executives. It addresses from an enterprise IT perspective topics such as mobility, cybersecurity, cloud computing, application architecture, application development, IoT, and digital business.

E3 Expo

Twitter: @E3 / #E32017
Web: https://www.e3expo.com/
Date: June 13-15
Location: Los Angeles, California
Cost: Not available

A massive gaming show that covers mobile, video and computer games, and related products, it covers topics of interest to software developers, buyers and retailers, distributors, entertainment industry executives, venture capitalists, manufacturers, and resellers.

Highlights of the 2016 conference are available online.

Interop Las Vegas

Twitter: @interop #Interop
Web: interop.com/lasvegas/
Date: May 15-19
Location: Las Vegas, Nevada
Cost: Ranges from $249 (before April 1) to $3,299.

A venerable tech conference, Interop delves into topics such as applications, cloud computing, collaboration, networking, IT leadership, security, software-defined networking, storage, virtualization and data center architecture, and mobility.

Did we miss any conferences or events? We've done our best to compile a comprehensive list of the top mobile and IoT conferences to attend in 2017, but nobody's perfect. This is a list in progress, so please let us know in the comments below if there are any other events or conferences you think we should add.


Image credit: Flickr


How zero-code can deliver more responsive apps

The way enterprise software is generally developed today is massively wasteful and shockingly ineffective. It takes too long, costs too much, and the results rarely meet expectations.

A thirst for greater speed and agility has ushered in a new set of methodologies and processes, but those don’t go far enough. A report from Forrester Research found that 88% of respondents agree or strongly agree that their business requires more frequent software updates and releases.

The software industry has dipped a toe in the water with continuous integration and release management. It has felt the benefits that automation can bring. Now it’s time to dive in. Zero-code development puts the end user in control, for smaller scale and enterprise-grade apps. Here's how.


Failure has become the norm

More than half of all large IT projects with budgets exceeding $15 million go massively over budget, according to research conducted by McKinsey & Company. The average large IT project comes in 45% over budget and 7% over the allotted time. To make matters worse, the end product rarely lives up to expectations. Often, it is abandoned.

The sequential waterfall model doesn't work well for software. But have you stopped to analyze what the problem is?

Consider the way software is developed today. You have a user for whom you want to build software, so you get a business analyst to translate their wants into a set of requirements. Then you ask a team of programmers to interpret and code those requirements. Finally, you ask a team of testers to interpret the requirements again and check that the software fulfills its brief.

Only then do developers ask the user to try the software. And what happens? Invariably, they want changes. The software as presented doesn’t meet their expectations. Some things have been lost in the translation, and others weren't envisioned when the requirements were being gathered. Agile development methods were intended to solve this problem, but delivery performance statistics show that agile is not living up to that promise.

This state of affairs is not due to incompetence: The truth is that it’s far from easy to imagine a complete and final software product and describe it from scratch. Developers are also typically collecting requirements from one person, or a small group of people, who are assumed to be representative of all users. It’s naïve to think they can account for everyone’s needs.

Small steps in the right direction

The drive towards agile development, DevOps, continuous integration, and automated release management is all about reducing the problems and risks inherent in the traditional development model. Developers have recognized that cutting the time to a working product and establishing a feedback loop quickly is vital.

But that’s not enough.

In the recent report, Trends in DevOps, Continuous Delivery and Application Release Automation, Gatepoint Research found that 36% of companies still miss release dates occasionally to frequently, 69% run into problems with production application releases occasionally to frequently, and release stabilization has a wide window, taking hours (44%), days (20%), or even weeks (6%). Of those respondents who had release problems, 81% work in Fortune 1000 companies that have revenues over $1.5 billion.

When asked what would have the most significant impact on their businesses, the top answer (55%) was reducing the time to deliver. So how do you do that?

Cut out the middlemen

If you accept that the user is never going to be very good at describing the software they need, then you need to cut down the distance between the development and the user. It's time to cut a few links out of the chain, and let them directly and quickly design software, try it out, and make changes.

The best way to do this is to automate the code by giving the end user the building blocks they need to design custom apps that align with their business goals. The complexity and value come from the way the user puts these blocks together, not from the underlying code. This is not just about reducing the distortion that comes from filtering user requirements through a chain of different people; it’s also about ensuring that users see changes quickly.

To do this, decentralize the application development team and allow the application configurator to interact directly with the user. Zero-code development allows one application developer to complete micro sprints and expose the end user to the system two or three times per week instead of every two to five weeks.

Realizing the promise of zero-code development will lead to consistency, major efficiency gains, and much greater flexibility to design, build and reconfigure software rapidly, both for smaller scale apps and at enterprise-scale.

Enterprise apps ripe for low-code development

Many people believe that large-scale enterprise app development is too complex for a zero-code approach, but business processes are actually universal. They may look different on the surface, but under the covers, they’re exactly the same. You can break down the universal underlying structure of data and business processes so that these can be configured and reconfigured automatically, without coding.

Users can design workflows that define the data and the interactions they need. It could be an API talking to another system, or a user performing an action. What’s important is that you clearly define the data and the business rules that govern it. You can automatically generate the database, user interface, business logic, and the processes behind it from the workflow that the user has designed, and then reconfigure it quickly based on user feedback.

Is your organization considering low- or zero-code? Have you assessed how it would work? Share your thoughts or experiences in the comments section below.


The best agile development conferences of 2017

Agile sounds great in theory, with its promise to accelerate development, increase software quality, and foster collaboration among team members. But actually implementing and executing agile methodologies in your organization requires training and experience.

That's where the top agile conferences listed here come into play. Whether you're a software engineer, IT operations professional, architect, or business stakeholder, you'll find something in these conferences for you.

How we organized the list:

  • Events we consider a must.
  • Others that are worth attending.
  • Events that, within their broader scope, have strong tracks and content related to agile.
  • A final group of large, quasi-legendary conferences whose size and breadth make them interesting to agile practitioners.

As with DevOps, the agile devil is in the details

Agile development methods have risen in popularity over the past 15 years. The related, and sometimes overlapping, practices associated with DevOps, lean, continuous delivery, and other approaches have put agile into a broader context.

Agile seeks "early and continuous delivery" of software, welcomes requests for changes, requires daily collaboration between business people and developers, promotes simplicity, values an iterative approach, and preaches constant communication among all involved in a project. Noble goals. But achieving them can be a challenge, especially for development teams that have been using the waterfall method for many years.

That's why it can be valuable to hear peers in other organizations describe how they approached the shift, what worked, what didn't, and what lessons and best practices they learned along the way.

Must-attend

This year's must-attend list of agile conferences is based on those events with the highest growth in interest year over year.

Agile Alliance Agile2017

Twitter: @AgileAlliance / #Agile2017
Web: www.agilealliance.org
Date: August 7-11
Location: Rosen Shingle Creek, Orlando, Florida
Cost: Agile Alliance members: $1,649-$1,999; non-members, $2,399; academic, $999.

Agile2017 will mark the 16th year that Agile Alliance has hosted this international conference. After last year's sell-out, registration is being capped this year at 2,500 attendees.

With attendees from 40 countries in 2016, organizers claim this is the world’s largest agile conference. There'll be more than 250 agile sessions at this year's conference, as well as keynote speeches and many social and networking events.

Who should attend: Software project managers, product owners, practitioners

Global Scrum Gathering San Diego 2017

Twitter: @ScrumAlliance / #SGCAL
Web: scrumalliance.org/sgcal
Date: April 10-12
Location: Sheraton San Diego Hotel & Marina, San Diego, California
Cost: Member, $1,350; non-member, $1,600; trainers, coaches and rep owners, $950; academic and group discounts, 10 percent

Each session at the 2017 GSG will be unique, the conference organizers promise, but they all have one common element: an opportunity for discovery. This year's gathering looks back to the early days of scrum in the 1990s, explores the ways it is used now, and looks to the future as industries and individuals find creative ways to use it. A highlight of this year's gathering will be a keynote by scrum co-creator Jeff Sutherland. Newcomers to scrum will be able to get some extra hand-holding at the "Lifeguard Shack," where they can ask questions, share ideas, and learn about activities taking place before and after sessions.

Who should attend: Scrum and agile practitioners, agile enthusiasts, business leaders and managers

Agile and Beyond

Twitter: @AgileAndBeyond / #aab17
Web: agileandbeyond.com/2017
Date: May 4-5
Location: Eagle Crest Conference Center and Resort, Ypsilanti, Michigan
Cost: $229-$249

The all-volunteer AgileAndBeyond conference organizing committee says they're dedicated to bringing the best speakers and topics to the world of product development in the Midwest. The conference attracts around 700 agile enthusiasts, and sells out consistently. Headliners at this year's conference include Mike Cottmeyer, who will be talking about The Executive's Step-by-Step Guide to Leading a Large-Scale Agile Enterprise Transformation, and consultant Tom Churchwell.

Who should attend: Designers, developers, and executives interested in lean and agile

Agile Dev West and East

Twitter: @TechWell / #ADCEast / #ADCWest

Agile Dev West

Web: adcwest.techwell.com
Date: June 4-9
Location: Caesar’s Palace, Las Vegas, Nevada
Cost: Conference and training packages range from $3,495 to $3,995; conference packages range from $595 to $3,295.

Agile Dev East

Web: adceast.techwell.com
Date: Nov. 5-10
Location: Hilton Orlando Lake Buena Vista, Orlando, Florida
Cost: Conference and training packages range from $3,495 to $3,995; conference packages range from $595 to $3,095.

First held in 2007, Agile Dev focuses on the latest agile methods, tools, and principles with keynotes, case study sessions, technical sessions, tutorials, networking events, and conference classes. It also has a vendor expo floor.

This conference is aimed at both new and experienced agile practitioners. As noted on the Agile Dev website, “Whether you’re new to the agile process and need to get up to speed quickly, or you’re experienced and ready to take your team or organization to the next level, our hands-on, in-depth workshops have you covered. Plus, all Agile Dev Conferences are held in conjunction with Better Software Conferences and DevOps Conferences, allowing you to choose from three distinct programs.”

In other words, a ticket for Agile Dev East or West gives the attendee access to two other TechWell conferences happening there at the same time.

Who should attend: Software developers, product owners, scrum masters, QA professionals, and others interested in agile development techniques.

Worth attending

Some of our readers might describe many of the conferences in our second category as “must attend,” especially those that appear to be growing in size each year. But generally, these are conferences that are smaller in attendance or targeted at specific industries.

Lean Kanban North America

Twitter: @leankanbanna / #LKNA17
Web: lkna17.leankanban.com
Date: May 8-10
Location: Hyatt Regency, Tysons Corner, McLean, Virginia
Cost: Three-day all-access pass, $2,350 (through March 16) to $2,750; other options range from $2,195 to $4,090.

This is one of several conferences held around the world by Lean Kanban that aims to connect attendees with coaches and practitioners using the Kanban Method, giving them an opportunity to see how organizations are using Kanban for better results. You will learn how to achieve sustainable improvements in your organization. Interactive workshops answer questions and address challenges of conference goers, who have the opportunity to meet with Kanban product and service providers.

Among this year's keynote speakers are Lean Kanban Chairman David J. Anderson (The Alternative Path to Enterprise Agility), psychologist Mihaly Csikszentmihalyi (Achieving Business Flow), and CMMI Institute CEO Kirk Botula (Building Agile Capability).

Who should attend: Developers, software architects, CxOs, IT operations managers, and others interested in lean and Kanban

Agile Cambridge

Twitter: @acconf / #agilecam
Web: agilecambridge.net/2017
Date: Sept. 27-29
Location: Churchill College, Cambridge, United Kingdom
Cost: £475.00, plus £95 VAT (through February 23).

Now in its seventh year, Agile Cambridge is described by its organizers as "a practical agile development conference" with a goal to let participants interact with and learn from each other and from industry leaders.

Who should attend: Agile practitioners looking for a small conference focused on hands-on training and learning

Cross-discipline conferences

Conferences in this category target specific industries or technologies—for example, DevOps, cloud computing, and open source. You won’t necessarily see “agile” in the conference titles here, but these gatherings should interest many agile practitioners.

DockerCon

Twitter: @DockerCon / #dockercon
Web: 2017.dockercon.com
Date: April 17-20
Location: Austin Convention Center, Austin, Texas
Cost: Full conference pass, $1,150

The interest in containers—and in Docker especially—has gone from 0 to 80 mph in less than two years—which might explain why this conference has become one of the hottest gatherings in the IT industry.

For 2017, the conference organizers promise a bigger, better program—one that reflects the diversity of the Docker ecosystem and community. This year's event, they say, will have sessions on use cases at large, innovative corporations, advanced technical talks, and hands-on lab tutorials. Each day starts with a general session, followed by breakout sessions. Among the speakers at this year's event will be Solomon Hykes, founder and CTO of Docker.

DockerCon has grown in popularity over the years. Last year, more than 4,000 people registered for the conference, with another 500 on the waiting list. The gathering also attracted about 100 company sponsors, compared to 30 in 2014 when Docker debuted.

Who should attend: Developers, DevOps enthusiasts, IT executives

Velocity Conference

Twitter: @velocityconf / @OReillyMedia / #velocityconf
Web: conferences.oreilly.com/velocity/vl-ca
Date: Training, June 19-20; Tutorials and conference, June 20-22
Location: San Jose, California (Will also be held in New York, Amsterdam and Beijing.)
Cost: Not available.

O'Reilly says it's taking Velocity in a new direction in 2017. Originally focused on web performance and operations, the conference will now encompass the distributed systems stack, spanning from the application layer all the way down through compute, storage, and networking to the data center—whether in the cloud or not.

Presentations at the 2017 conference will cover everything from automation, containerization, continuous delivery and DevOps to orchestration and scheduling, security, and serverless computing.

Expect to experience a technical, performance-minded, operations-centric conference on which developers, operations managers, and designers converge.

Who should attend: Developers, operations specialists, IT operations staff

Video of keynotes and other material from the 2016 shows are available online.

DevOps Enterprise Summit

Twitter: @DOES_USA / #DOES17
Web: events.itrevolution.com/us
Date: Nov. 13-15
Location: San Francisco, California. (Conference also held in London.)
Cost: $1,225 (blind bird), $1,450 (early bird), and $1,800.

DevOps Enterprise Summit is a conference for the leaders of large, complex organizations implementing DevOps principles and practices, according to the event's organizers (see previous coverage from the 2015 and 2016 DOES shows on TechBeacon). They say event programming emphasizes both evolving technical and architectural practices, and the methods needed to lead widespread change efforts in large organizations. The goal is to give leaders the tools and practices they need to develop and deploy software faster, and to win in the marketplace.

Attendees can expect to see speakers from many large companies—IT pros from Target, Bose, Hewlett-Packard Enterprise, and Disney have spoken at DOES in the past—as well as engage in ad-hoc discussions and enjoy what some say is a great community and learning environment.

Who should attend: Developers, IT operations specialists, CxOs, software architects, systems and network admins

LISA

Twitter: @LISAConference / #LISA17
Web: https://www.usenix.org/conference/lisa17
Date: October 29 to November 3, 2017
Location: Hyatt Regency, San Francisco, California
Cost: Not available.

The Large Installation Systems Administration (LISA) conference positions itself as a vendor-neutral meeting place for the systems administration community, with a heavy training focus. Organized by Usenix, the Advanced Computing Systems Association, LISA is focused on the design, building, and maintenance of critical systems.

Who should attend: IT operations, systems admins, systems engineers, network engineers, software architects.

Videos from LISA16 are available online.

DevOps Days

Twitter: @devopsdays / #devopsdays
Web: devopsdays.org
Date: Not yet available
Location: Held throughout the year in multiple cities, mostly in the United States and Europe, sometimes in Asia, Africa, and Latin America.
Cost: Varies.

This conference series is run by volunteers whose target audience is front-line engineers and managers. A global core team includes such DevOps luminaries as Patrick Debois and Damon Edwards, who assist local organizers with their events worldwide.

Who should attend: Developers, IT operations staff and managers.

DevOps Docker Camp

Twitter: @Docker_Camp / #DockerCamp
Web: devops-training.de
Date: June 19-21
Location: Munich, Germany
Cost: Prices for a three-day ticket range from €1,099 to €1,299; one- and two-day tickets range from €649 to €1,099.

This conference, held in Germany and designed for DevOps practitioners, systems administrators, and software and system architects, focuses on the basics of Docker, and touches on infrastructures for microservices, application development, container security, and best practices.

Who should attend: DevOps practitioners, systems administrators, and software and system architects.

DevOps Con

Twitter: @devops_con / #DevOpsCon
Web: devopsconference.de
Date: June 12-15
Location: Berlin, Germany
Cost: Prices range from €449 (through March 2) for a one-day pass to €1,949 for a four-day pass.

This conference, held in German and English, includes an expo floor, and addresses topics such as continuous delivery, microservices, Docker, cloud computing, container technology, lean business concepts, and shorter delivery cycles.

Workshops, keynotes and sessions posted online include Application Load Testing with Open Source and the Cloud, Applying Behavioral Science and Instruments in DevOps Transformations, Empowering the People driving DevOps, and Docker Opens the Doors for IoT.

Who should attend: Software developers, architects, IT Ops, CxOs

Jax DevOps

Twitter: @jaxdevops / #jaxdevops
Web: devops.jaxlondon.com
Date: April 3-6
Location: Park Plaza Victoria, London, England
Cost: Prices range from €315 (through Feb. 23) for a one-day power workshop to €1,399 for four days of conferences and workshops

Described by organizers as a “conference for continuous delivery, microservices, Docker, and clouds,” Jax DevOps focuses on accelerated delivery cycles and increased delivery quality.

The conference program sessions this year include DevOps Kaizen: Empowering Teams to find and fix their own Problems; The Seven (More) Deadly Sins of Microservices; Security Professional’s Toolbox: Semi-automated Pentesting with Open-Source Tools; and Scaling Up DevOps in the Enterprise.

Who should attend: Developers involved with DevOps, continuous delivery, microservices, Docker, and cloud computing

DevOps & Microservices Summit 

Twitter: @UNICOMSeminars / #unicomdevops
Web: devopssummit.com/devops-for-business-value
Date: April 27
Location: London, UK. Also offered in Brussels on May 10 and Dublin on May 24
Cost: Prices range from £750 plus VAT for vendors and consultants to £275 for users

Organized by UNICOM Seminars, these conferences focus on how microservices and containers can be used to refresh DevOps architecture to deliver on its speed-of-delivery promises. Topics to be covered include Changing culture to continuously deliver; Agility and speed of automation; Change with containers / Docker; Cloud and DevOps; Hybrid clouds and culture clash; Test automation; ChatOps & DevSecOps; Microservices architecture – Core concepts; Primary benefits, and drawbacks of the microservices architecture style; and Techniques for transforming to a microservices architecture.

Who should attend: Anyone in IT or lead roles interested in the business value of DevOps

Config Management Camp

Twitter: @cfgmgmtcamp / #cfgmgmtcamp
Web: cfgmgmtcamp.eu
Date: Feb. 6-7
Location: Gent, Belgium
Cost: Sold out.

The event is aimed at people interested in open-source configuration management, primarily open source developers, but also consultants, integrators, and industry analysts.

PowerShell and DevOps Global Summit

Twitter: @PSHSummit @PSHOrg
Web: powershell.org/wp/summit
Date: April 9-12
Location: Meydenbauer Center, Bellevue, Washington
Cost: $1,200 for three days; $1,500 for four days

This conference is all about Microsoft’s PowerShell automation and configuration tool. It features PowerShell product team members, Microsoft MVPs, engineers, developers, system administrators, PowerShell community members, and other experts who offer a deep dive on this topic and on DevOps principles and practices. It’s organized by PowerShell.org, which is part of the DevOps Collective nonprofit corporation.

Who should attend: Microsoft developers, designers, engineers, system admins

Fusion 17

Twitter: @itsmf_usa / @ThinkHDI / #SMFUSION
Web: servicemanagementfusion.com/default
Date: October 31-November 3
Location: Orlando, Florida
Cost: Passes range from free for expo only to $2,295 for an executive package; pre-conference workshops range from $1,695 to $2,895. Discounts available for ITSMF/HDI members.

This event covers IT service management (ITSM) topics; specifically the benefits and challenges associated with using ITSM when implementing virtualization, cloud computing, mobility, security, SaaS, and other technologies in the enterprise.  The agenda includes tracks devoted to DevOps and agile topics.

Who should attend: Service delivery managers, senior-level vice presidents and directors, CIOs and CTOs

Continuous Lifecycle London

Twitter: @ConLifecycleLon / #ConlifecycleLon
Web: continuouslifecycle.london
Date: May 17-19
Location: London, United Kingdom
Cost: Two-day conference pass, £664 plus £133 VAT; workshops on continuous delivery with Docker and theory, technology and practice of continuous delivery, £400 plus £80 VAT.

Conference organizers pledge a “holistic approach” to exploring continuous delivery and DevOps topics that addresses concepts, processes, and tools. It features “real-world experts” sharing practical experience. (This year's sessions lineup is available online.)

Who should attend: Developers interested in continuous delivery techniques and tools

GlueCon

Twitter: @gluecon / @defrag / #gluecon
Web: gluecon.com
Date: May 21-26
Location: Omni Interlocken, Broomfield, Colorado
Cost: $795 for early-bird registration (end April 7).

GlueCon focuses on what the organizers consider to be the most important trends in technology, including cloud computing, DevOps, mobile, APIs, and big data, all from the perspective of developers, which organizers view as at the core of all these areas.

Who should attend: Developers

O'Reilly OSCON (Open Source Convention)

Twitter: @oscon / @OReillyMedia / #Oscon
Web: conferences.oreilly.com/oscon/open-source-us
Date: May 8-9, training and tutorials; May 10-11, conference
Location: Austin, Texas
Cost: From $1,545 to $2,695 (through March 16).

In its explainer about OSCON, O'Reilly notes that open source has moved from disruption to default. Its methods and culture commoditized the technologies that drove the Internet revolution, and transformed the practice of software development. Collaborative and transparent, open source has become modus operandi, powering the next wave of innovation in cloud, data, and mobile technologies.

It adds that in the early days, OSCON focused on changing mainstream business thinking and practices, while today the event is about real-world practices and how to successfully implement open source in your workflow or projects.

A schedule of conference tutorials, keynotes, sessions, and events is available online.

Who should attend: Developers, programmers, software architects, designers, system administrators, entrepreneurs, CxOs

QCon

QCon London

Twitter: @QCon / @qconlondon / #qconlondon
Web: qconlondon.com
Date: conference, March 6-8; workshops, March 9-10
Location: Queen Elizabeth Conference Centre, London, United Kingdom
Cost: Prices range from £475 for a one-day workshop to £1,650 for three-day conference pass.

QCon New York

Twitter: @QCon / @QConNewYork / #qconnewyork
Web: qconnewyork.com
Date: conference, June 26-28; workshops, June 29-30
Location: Marriott Marquis, New York City
Cost: Ranges from $795 for a one-day workshop to $2,650 for a three-day conference pass.

QCon San Francisco

Twitter: @QCon / @QConSF / #qconsf
Web: qconsf.com
Date: November 13-15; workshops, November 16-17
Location: Hyatt Regency, San Francisco
Cost: Not available.

The sponsors of QCon say what distinguishes these events from others is the marriage of innovation with practical advice. Its workshops and conference sessions are conducted by engineers, practitioners, and team leads, rather than evangelists, trainers/coaches and consultants. Topics focus on innovators and early adopters in software companies.

Who should attend: Technical team leads, architects, engineering directors, project managers

GoTo Conference

Twitter: @GOTOcon / @GOTOchgo / #GOTOChgo
Web: gotochgo.com
Date: May 1-2; workshops, May 3-4
Location: Swissotel, Chicago, Illinois. (Also held in Amsterdam, Copenhagen and Berlin.)
Cost: $750 for a one-day workshop; $1,195 for a two-day conference pass; $2,695 for all conference and workshop days.

This is the fifth year of Chicago's GoTo Conference, which organizers say has been “created by developers, for developers," with an emphasis on what has recently become relevant and interesting to the software development community. This highly technical conference offers informal, easy contact with experts in attendance, as well as with fellow software and technology professionals.

Several tracks will be offered at the event this year on topics such as microservices, security, deep learning analytics, and DevOps. This year's lineup of speakers includes Adrian Mouat, author of Using Docker; Brian Grant, technology lead at Morningstar; Brian Ray, cognitive computing team lead at Deloitte; Bridget Kromhout, co-host of the Arrested DevOps podcast; Chris Heilmann, senior program manager for developer experience and evangelism at Microsoft; and John Steven, CTO at Cigital.

Who should attend: Developers, team leads, architects, and project managers

Fluent

Twitter: @fluentconf / @OReillyMedia / #FluentConf
Web: conferences.oreilly.com/fluent/fl-ca
Date: June 19-20, training; June 20-22, tutorials and conferences
Location: San Jose, California
Cost: Not yet available

First held in 2012, Fluent aims to cover the “full scope of the Web platform,” according to its organizers. It focuses on practical training in JavaScript, HTML5, CSS, and associated technologies and frameworks, including WebGL, CSS3, mobile APIs, Node.js, AngularJS, and ECMAScript 6.

Keynote speeches at the conference last year touched on subjects such as making mobile apps as powerful as desktop apps, an introduction to the Seif project to transition the Web into an application delivery system, the two most important principles to being a better designer, and using advanced browser features to build robust apps.

Who should attend: Web designers and developers, including mobile and web infrastructure teams, JavaScript developers, architects, UI/UX designers, and system developers

Video of keynotes from 2016 is available online.

JavaOne

Twitter: @JavaOneConf / #JavaOne
Web: oracle.com/javaone
Date: October 1-5
Location: San Francisco, California
Cost: Not available

First held in 1996 by Sun Microsystems, JavaOne, now organized by new Java owner Oracle, is billed as the largest conference for Java developers. Learning tracks include Java and security; Java, DevOps and the cloud; and Java and the IoT.

There was a lot of buzz during the 2016 event about microservices, used to break down large applications into reusable but separate scalable services that are interconnected through protocol but don’t share data. "If that sounds like magic, it kind of is," wrote Treehouse developer Craig Dennis.

Last year's conference was more subdued than those in past years, Cameron McKenzie wrote for TechTarget. "I hate to say it, but the opening ceremonies of this year's JavaOne conference fell a little flat," he said. "Not to take away from any of the people who presented, but there just didn't seem to be as much anticipation for what the overlords of the Java platform had in store for all the software developers in attendance."

JavaOne is held at the same time and place as Oracle’s big Open World conference, and attendees can get a pass for both conferences.

Who should attend: Java developers

Keynotes from the 2016 conference are available online.

DeveloperWeek

Twitter: @DeveloperWeek / #DVWK17
Web: developerweek.com
Date: February 11 to 16 (Hackathon, February 11 to 12; Workshop Day, February 13; Hiring Mixer, February 13; Conference, February 13 to 15; Expo, February 14 to 15)
Location: San Francisco, California
Cost: Prices range from $35 for an Expo pass to $1,299 for a DeveloperWeek Pro Pass.

According to the conference organizers, DeveloperWeek 2017 is the world’s largest developer expo and conference series. It hosts more than 50 week-long events, including the DeveloperWeek 2017 Conference & Expo (8,000 attendees), the DeveloperWeek Hackathon (more than 1,000 attendees), Official Hiring Mixer (more than 1,000 hirable developers and over 50 hiring companies), and dozens of city-wide partner events.

Past event hosts and supporters of the event include Google, Oracle, Facebook, Yelp, Rackspace, IBM, Cloudera, Red Hat, Optimizely, SendGrid, Blackberry, Microsoft, Neo Technology, Eventbrite, Klout, Built.io, Ripple, GNIP, Tagged, HackReactor, and dozens of others.

Who should attend: Developers, entrepreneurs, venture capitalists

Other conferences you should consider

The final category includes conferences that are just too cool not to mention. If you’re planning your conference travel and budget around agile shows, you might want to save a little room on your plate for one or more of the following important events.

SXSW (South By Southwest)

Twitter: @sxsw / #SXSW2017
Web: http://www.sxsw.com/schedule
Date: March 10-19
Location: Austin, Texas
Cost: There are a variety of ticket prices, ranging from $495 to $1,550.

While music and film are key elements of SXSW, the event also has a strong technology component, with topics this year including startups, wearables, healthcare IT, virtual reality, IoT, smart cities, digital media, online marketing, software design and development, open source, mobile design, and user experience.

TechCrunch Disrupt

Twitter: @TechCrunch / #tcdisrupt

New York

Date: May 15-17
Web: techcrunch.com/event-info/disrupt-ny-2017

San Francisco

Date: TBD
Web: techcrunch.com/event-info/disrupt-sf-2017
Location: San Francisco

Cost: Extra early-bird ticket for full, three-day access is $1,995. Other packages for exhibitors and individuals are available.

Disrupt is the conference for anyone involved with or interested in startups, entrepreneurs, venture capital, and emerging technologies. It features hackathons, provocative panel discussions, and A-list speakers. Many leading high-tech companies have used Disrupt as a springboard.

Gartner’s Symposium/ITxpo

Twitter: @Gartner_SYM / #ITxpo #GartnerSYM
Web: http://www.gartner.com/events/na/orlando-symposium
Date: October 30 to November 2
Location: Gold Coast, Australia
Cost: Standard conference price is AU$4,350. Public-sector price is AU$3,575. Group discounts available

Gartner Symposium/ITxpo is the mother of all Gartner conferences. It's aimed at CIOs and technology executives, and addresses, from an enterprise IT perspective, topics such as mobility, cybersecurity, cloud computing, application architecture, application development, IoT, and digital business.

E3 Expo

Twitter: @E3 / #E32017
Web: e3expo.com
Date: June 13-15
Location: Los Angeles, California
Cost: Not yet available.

A massive gaming show that covers mobile, video and computer games, and related products, E3 Expo covers topics of interest to software developers, buyers and retailers, distributors, entertainment industry executives, venture capitalists, manufacturers, and resellers.

Highlights of the 2016 conference are available online.

Interop Las Vegas

Twitter: @interop #Interop
Web: interop.com/lasvegas
Date: May 15-19
Location: Las Vegas, Nevada
Cost: Ranges from $249 (before April 1) to $3,299.

A venerable tech conference, Interop delves into topics such as applications, cloud computing, collaboration, networking, IT leadership, security, software-defined networking, storage, virtualization, data center architecture, and mobility.

Did we miss any conferences or events? We've done our best to compile this comprehensive list of the top agile conferences to attend in 2016, but nobody's perfect. This is a "list in progress." Please let us know in the comments below if there are any other events or conferences you think we should add to our list.

Image credit: Flickr

Bootcamps won't make you a coder. Here's what will

So you've completed a few free programming lessons online, and you've even written several working applications. Now all you have to do is complete one of those three-to-six-month coding bootcamps, and you'll be a professional developer, right? Not quite.

In a recent review of bootcamps, TechBeacon found that 17 of 24 programs claimed that 90% or more of their students got full-time programming jobs or freelancing positions within six-to-12 months of graduation. But those numbers can be misleading.

According to the Coding Bootcamp Market Sizing Report, the developer job market is flooded with bootcamp graduates, and that makes it hard for individual graduates to stand out. Negative bootcamp reviews show patterns of dissatisfaction with teachers, and volatility in the programs. And the "don't learn to code" backlash from the learn to code movement has also put a damper on the bootcamp party.

Is a coding bootcamp the best option if you want to become a developer? That's been a hot topic of discussion recently.

There are vast amounts of free and low-cost resources available to teach yourself programming online. Educating yourself and building a portfolio without a degree is absolutely doable, professional developers say. Before you jump into a bootcamp that will separate you from your hard-earned money, however, consider the caveats below. And then consider teaching yourself to code.

Bootcamp placement numbers can be misleading

Many bootcamps claim or imply that you can become a professional developer in three weeks, 12 weeks, or perhaps six months when you take their courses.

But most of these 90%+ job placement claims are largely unaudited. HackReactor, Turing School, and Lighthouse Labs are among the few that report student outcomes.

Course Report, a site that hosts reviews and resources for coding bootcamps, has conducted student surveys (with 1000+ respondents from many reputable in-person bootcamps) for the past three years through its annual Alumni Outcomes & Demographics Study. The 2014 report claims that no more than 75% of graduates of coding bootcamps gained employment as developers after graduation. In 2015 that number dropped to 66%. For 2016 it jumped back up to 73%.

Not all bootcamp attendees are starting from scratch. Some aren't there to get a developer job, and some students are already professional developers who are just trying to acquire new skills. While the study doesn't show us who went from "zero to developer," the surveys cast doubt on many programs' 90% job placement claims.

Quality complaints are common

It’s not hard to find a litany of bad bootcamp experiences online. You can find plenty of positive reviews as well, on sites such as Course Report, but people considering bootcamps may not hear as much about negative experiences. Graduates cite several reasons for this. For example, they may not want to devalue something on which they spent so much time and money, or they don't want to get into a confrontation with the bootcamp provider after posting a negative review.

Many of the negative reviews that do get posted are criticisms of teachers. Basel Farag, a TechBeacon contributor and iOS developer with experience as a bootcamp mentor, admits that finding good teachers is hard. "You don't get paid much, so you have to really love doing it," he says. Although several schools have highly qualified, well-paid teachers, many bootcamps fill teaching assistant and mentor positions with less-experienced developers, says Farag.

The practice of bootcamps hiring their own graduates as mentors immediately after graduation is widespread, Farag claims. Not only does that help to fill a shortage of teaching assistants, but it's also an easy way for bootcamps to improve job placement stats. "It's a very common practice," he says, it's nothing new, and it's not restricted to bootcamps. "We see law schools doing this all the time." 

Another concern is that, when working with inexperienced teachers who don't have a lot of time to spare, there is always a danger that your bootcamp experience could resemble this anonymous reviewer's story:

"A few of our teachers hadn’t even been in tech longer than two years. Their teaching skills lacked and they got increasingly frustrated when students didn’t understand the material."

Because of their lower pay, mentors need to take on additional students (if they're paid by the number of students they mentor, as they were in the bootcamp I attended) or work at a second job. This can cause some of the mentors to make themselves less available to students, or to provide low-quality feedback, as some online reviews claim.

Get realistic about length of training time

Bootcamp students who come into programs as beginners are not prepared for a development job when they graduate. 

"It's possible that you might qualify for a junior developer or internship position after graduating from one of the more rigorous bootcamps," says Farag, "but it's going to be very hard to stand out from the increasing number of bootcamp graduates, and thousands of computer science graduates. You can't truly become a developer in three-to-six months."

The problem comes when companies interview graduates and find that their programming skills aren’t fundamentally sound. Even though developer interviews have problems of their own, Farag says that a technical interviewer will eventually find out if you can't implement some of the most basic algorithms. 

Many coding bootcamps don't spend much time on algorithms. And many courses focus on learning tools rather than programming. Ken Mazaika, co-founder and CTO of the Firehose Project, an online coding bootcamp, also sees this trend.

"The good coding bootcamps out there will cover CS topics around algorithms and data structures, but 9 out of 10 coding bootcamps won’t cover these topics at all because these topics can be difficult to teach."

Mazaika's view of the industry is particularly jaded, as the title of his 2015 post makes clear: The Dirty Little Secrets About The Worst Coding Bootcamps Out There: 9 out of 10 programs are outright scams.

Many of the top coding bootcamps teach frameworks, such as Ruby on Rails, that favor convention over configuration. That is, students learn the usage conventions for a specific tool, but not the fundamentals of how web development actually works across tools and technologies.

These frameworks give students just enough knowledge to start building simple web apps. After getting a handful of projects under their belts, many graduates believe they are ready to enter the job market. Unfortunately, they still lack a solid foundation.

Bootcamp grads have flooded the market

The probability of landing a junior development job after graduating from a bootcamp was higher in 2013 than it is today because of an explosion of bootcamp graduates flooding the market, says Marcel Degas, QA Engineer at BlueRocket and General Assembly bootcamp graduate.

"With so many new coding bootcamps, and bootcamp grads hitting the job market over the past couple of years, finding a job as a junior software engineer in the Bay Area is not as easy as it once was," he says. 

What's more, hiring managers aren't as impressed by bootcamps as they were, says Ted Whang, a developer at Mazlo, and a 2014 coding bootcamp graduate. "You dropped everything in your life and dedicated three months straight to learning how to code? 'That’s amazing!' You won’t hear those kind words of praise anymore, except maybe from your mother," he says.

"The thing is… the more people can do something, that something becomes less impressive."

A few years ago, bootcamp entrepreneurs saw an opportunity when they noticed a shortage of developers. They thought they could close the gap by creating coding bootcamp businesses that train people in basic development skills. But professional developers, even junior ones, need experience in many different aspects of programming to be effective software engineering professionals.

If everyone could do it, there’d be no scarcity in the first place. Now hiring managers can choose from a large pool of programmer newbies straight out of coding bootcamps, but that doesn't solve the challenge of how to increase the number of highly qualified and experienced developers throughout the industry.

The 'don’t learn to code' backlash

When the learn to code movement arrived in 2012, the don’t learn to code movement followed. This blogging backlash by Farag, "Uncle Bob" Martin, and others might have seemed mean-spirited and egotistical, but some complaints about the programming profession raised legitimate concerns.

John Kurkowski, a user experience (UX) engineer at CrowdStrike, says programming isn’t an inviting field because even the most mature technologies have been roughly cobbled together over the years, and developers often spend much of their time hacking together libraries that were never meant to be used together. Maybe in ten years, he says, developers will have tools and platforms that work more elegantly, and are easier to work with.

But Mike Hadlow, a freelance C# developer with more than 20 years of software development experience, points out that software development is harder than people think. It's one of the few highly skilled occupations that requires no professional certification (although some believe it should), and it might just be the only highly skilled job where other workers in the industry give copious amounts of their free time and energy to help train people off the street.

That free entry is both good and bad, because, as Martin, author of the Clean Code Handbook, points out, the industry usually doesn’t benefit from hordes of novices, but needs carefully trained individuals. He compares good developer training to a flight school, adding that not many bootcamps are that intense, nor require as many hours of training.

Jeff Atwood, the co-founder of StackOverflow, perhaps sums it up best:

“While I love that programming is an egalitarian field where degrees and certifications are irrelevant in the face of experience, you still gotta put in your ten thousand hours like the rest of us.”

Ask yourself: Are you cut out for coding? 

You've felt that first sip of power that programming gives you. You finish your first program, then all of the syntax starts to make sense after you build a few more, and perhaps complete a course on Codecademy or Coursera. At that moment, you think: “I could do this for a living.”

But at this stage of the game you still have no idea what you're doing. You haven’t stayed up until 2 AM three nights in a row trying to fix a bug or solve a problem. You haven’t had to spend the rest of your day sorting out version control issues and getting stuck going down multiple rabbit holes. You haven’t had your app stop working, even though you're sure that you didn't change anything. 

You need an extreme level of commitment and patience to work all the way up to an entry level developer position, and exponentially more for the rest of your career. "It was—and is—that persistence that allows me to stay in this field," says Farag.

Going in, bootcamp students may not realize that computer science is actually a low-success educational field. And there’s plenty of evidence showing that computer science programs don’t have stellar graduation rates. Between 30 and 60 percent of first-year students in university computer science departments fail their first programming course. So why would anyone expect bootcamps to be significantly more successful?

What's more, developers who get computer science degrees say that they are largely self-taught, according to the 2016 Stack Overflow Developer Survey. Even computer science departments can’t keep up with the rate of change in the industry. Developers can never stop learning.

Need any more discouragement? A 2008 survey of nearly 900 developers on Stack Overflow revealed that, if your interest in programming didn't start between the ages of 8 and 18, your chances of being motivated enough to become a developer are low.

Source: How old are you, and how old were you when you started coding?, Stack Overflow.

It’s still possible to become a programmer in your early twenties, of course; it’s just a lot harder when most of your time is spent working to support yourself.

All of this is why bad practices aren’t the only reason that coding bootcamps are failing to take many people from zero to developer in just a few months.

Programming is fundamentally hard, and people who are considering these bootcamps should be honest with themselves as to their level of commitment to programming. Software engineering is not an easy way to get rich quick. 

If you really want to find out if software development is the right career path for you, ask yourself these questions:

  • Am I willing to work hard for just the three months it takes to complete a bootcamp, or for the rest of my life? Even when it’s not my job? Even though I have to give up a lot of my leisure time in the early years of self-teaching?
  • Am I able to get unstuck on problems without the help of a mentor? Am I motivated enough to never give up on those problems?
  • Do I want to adopt programming as one of my main hobbies?

If you can say yes to all of the above, then you should be able to surmount the obstacles to becoming a developer without the help of a bootcamp. You also won’t fall flat, as many students do after attending a bootcamp, because the class was the only thing pushing you to keep working.

Farag recommends coding bootcamps only to experienced developers looking to update their skills. For people who want to learn programming, he recommends community colleges (which can be much cheaper than bootcamps), or a four-year university program. 

DIY: Getting there without the bootcamp

There are plenty of people out there who have nothing but good things to say about their bootcamp experiences, and some landed jobs a few months after completion. But with a little extra time and more awareness of the resources at their disposal, those people probably could have succeeded without investing thousands of dollars in a bootcamp, says Farag.

Documentation for all of the open source tools, languages, and frameworks that bootcamps teach is available online. There are countless free online tutorials on just about any development technology that bootcamps will teach you. All you need to do is pick a technology and run a Google search. There's also this convenient list of links to several massively open online courses (MOOCs) on programming.

If you don't know exactly what to do, try building a new application every day. Jennifer Dewalt, the founder of Zube, did this. With each new project, she added to her portfolio and gained new skills. Quantity trumps quality when you’re learning. Just build things.

You can also follow the steps in this great post about becoming a web developer from scratch, with no computer science degree. Low-cost coding lessons on Code School, Treehouse, NetTuts+, Udacity, Pluralsight, or Launch Academy are also a good option, and cost far less than does a bootcamp. And check out Codementor if you really need help getting unstuck, or need some learning advice.

If you're meant to be a programmer, you won’t give up. You will get frustrated, but if you're determined, you'll keep trying. A bootcamp can't give you that motivation.

I graduated from an online bootcamp, and I have two friends who completed online and in-person bootcamps. When we wanted to find jobs as junior programmers, we couldn't make the cut because, we were told, we still lacked real-world experience, and we had only had a handful of simple projects under our belts. What have been your experiences with coding bootcamps? Post your thoughts and experiences below, or Tweet me at @mpron.


How to stop treating your app users like test subjects

Want to improve the quality of your apps? Consider making changes to your processes and metrics. This might include a change of technology, but not necessarily. What you do before your next release depends on the needs of your organization.

The goal of a winning organization shouldn’t be just to change the quality of an app, but to improve the overall customer experience. Digital user experience (UX) takes into account application performance, crashes or uptime. In a recent Dimensional Research User Experience survey of 522 IT professionals responsible for user experience, 75% cited “user complaint” as the primary way they learn about a problem.

There are better ways to manage digital UX than treating your customers like guinea pigs. Here's how.


How do your peers understand digital UX?

Most respondents to this HPE-sponsored survey defined digital UX as having to do with application performance, crashes, or uptime. But some defined it as ease of use and navigation, user productivity, user behavior, and flows; while still others said it had to do with battery or cellular data consumption, or UI design appeal. The consensus is that there’s no clear consensus: The UX can cover almost all aspects of a customer’s engagement with a digital product.

Your users expect any engagement with your applications to be valuable, elegant, and useful. User experience is something that can be emotional, driven by how users think, perceive, and feel. Most importantly, users expect mobile apps to work seamlessly, regardless of their choice of technology, location, or context.

5 areas for digital UX improvement

If you want to improve how you currently manage the digital UX, here are several things you should consider.

Understand your users. Really.

This may sound obvious, but you need to gather hard data about your different user types and how they’ll be engaging with your app. This data should be constantly re-validated, because usage patterns change often.

Focus on the following factors:

  • Geo-location
  • Version adoption
  • Average usage time
  • Operating system
  • Device type
  • Connection type
  • Browser type

Measure what matters

When you truly understand your users and what’s important to them, you’ll know exactly which variables of the application UX to measure. You need to measure what matters from the user’s perspective—things like performance, stability, errors, battery usage, network consumption, and more.

Here are some of those related metrics:

  • UI response time by location
  • Search and display specific user visits
  • Holistic UX score
  • Performance
  • Stability
  • Resource usage
  • E2E operational data

Monitor the user experience over time

What’s needed is a lifecycle approach to monitoring the UX, including a process for resolving issues you identify. The term “monitor” should graduate to “manage,” since the full process should be continuous and proactive for all key user interactions, devices, and so on, and should trigger alerts to DevOps teams when problems occur.

Ultimately, DevOps should implement a single measurement, to be determined by the organization, that encapsulates the overall user experience so that you can track it over time, and address issues continuously.

Experience is not a snapshot in time, but an evolving phenomenon. Key metrics include:

  • Common user flows in real time (click-stream data)
  • Emulation of common user actions & devices
  • Most used actions
  • App usage patterns
  • Transaction history
  • Reports of trends over time
  • Alerts

Correlate digital UX to backend services

Watch transactions from end-to-end. DevOps teams should be able to trace transactions from the point a user clicks, touches, or swipes; and follow the transaction all the way to the back-end services.

What does this require?

  • Trace transactions end-to-end
  • Correlate user actions to issues with back-end services
  • Store big data to establish trends over time
  • Submit issues to defect management tools
  • Agile closed-loop process for fixes

Improve integration in your UX technology stack

You know the parable of the blind men and the elephant, in which one man feels only the trunk, the other just a leg, another only the tail, and so on. The entire beast is never fully understood. This is also a parable about poor integration.

A similar fragmentation of processes and technologies underlies the confusion and mystery of the UX beast. An integrated set of UX-related technologies can help by:

  • Capturing performance behaviors across the application infrastructure
  • Capturing behaviors of the users interacting with digital services
  • Supporting the full spectrum of UX and customer experience management stakeholders, including operations, development, IT service management teams, IT executives, and business stakeholders.

5 key findings from the digital UX survey

In addition to the general areas for improvement described above, findings from the Dimensional Research User Experience survey reveal a number of specific challenges in managing the digital user experience. In some cases, the behavioral changes required are easy to envision. In others, IT organizations will need to bring unique talent and creativity to make improvements in digital UX. Here are the five key findings:

Metrics and scores ultimately need to be vetted and correlated against feedback from users.

Survey data indicates that defining and measuring the user experience is rather complicated. No single metric defines the experience. In fact, those surveyed are currently selecting numerous metrics to represent application performance, availability, infrastructure reliability, and several other metrics. As the graphic below shows, there are numerous metrics you can use to help define the user experience.
Most companies gather metrics to know whether a server is up or a service is running, but these provide little indication of the actual user experience. Some companies use an equation to combine numerous metrics into a single UX score. However, metrics and scores ultimately need to be vetted and correlated against real feedback from users.

The dangers of user abandonment are real

A previous Dimensional Research project found that 80% of users would only try a problematic app up to three times, and 49% of users expected a mobile app to respond in 2 seconds or less. Yet participants in this research, those who are directly responsible for the user experience, reported that only 9% of companies deliver with excellence in this category.

What's more, 39% confessed that their applications offer a substandard or poor user experience. This research illustrates the need for development organizations to move to an improved development and release process. Although DevOps is being heavily adopted, the research data indicates that organizations are still a long way from consistently delivering applications that users enjoy using. 

UX designers have low real-time visibility

Just 47% of those who design the digital UX actually have real-time visibility into their products in use. Given that, you have to wonder about the remaining 53%. Part of any improvement process is the ability to gather and inject feedback into the beginning of the process. However, less than half of participants (47%) who design and build the UI and define the user experience have access to the UX metrics needed as part of a feedback loop. Optimization requires that you have benchmark or threshold metrics to define the user experience so that all teams that design, build, test, deploy, and operate, including teams outside of IT, can agree on what a positive user experience should be. The cliché “you get what you measure” has never been more true.

Releasing apps that fail to meet UX objectives is risky

Participants offered disturbing insights as to why users encounter problematic applications. While 60% say they hold an app until it meets all user experience release criteria, the other 40% admit that they release applications that contain known user experience issues.

Actual user experience may be even worse when unknown bugs and defects are factored in, compounding the problem. Many organizations still follow the traditional practice of releasing buggy apps so long as the app offers some new, competitive feature. They believe that it's worth the risk of frustrating customers. But given the rate at which users abandon problematic applications, this type of quick release is a serious business gamble.  

Don’t rely on user complaints to learn about app issues

Perhaps one of the most shocking findings of this research is that customers are being used as guinea pigs. Nearly three quarters (72%) of companies find out about user experience only after customers complain. This is akin to finding out if something is hot by burning yourself. This approach means that your customers are already affected, have already had a bad experience, and then have to waste additional time to complain.

Only 26% of survey respondents said their teams proactively examine the user experience after the app is released to production. But the metrics that define a positive UX need to be monitored proactively to predict issues before they happen, and to provide the opportunity to resolve them before users report a negative experience. Your customers will turn to a competitor quickly if they feel neglected.

Get your UX act together

With many development teams increasing app delivery frequency to a daily or weekly cadence, the risk of poor user experience is growing. To mitigate this risk, define your UX attributes and metrics, and ensure that your teams are able to measure them.

The entire application lifecycle process must enforce measurement at each phase, and grant authority to halt development when user experience thresholds cannot be achieved. And once you release an app, proactively track user experience metrics in real time, and make that information available to all stakeholders to achieve a constant state of improvement.

Do this right, and your development team will have happy users, and capture market—and revenue—from competitors who continue to abuse their customers. 

Image credit: Flickr


Remote vs. in-office software teams: Which is better?

The increased acceptance of remote versus co-located teams, and the availability of effective tools that enable remote work, are among the most significant trends affecting technology industry employment today. Their effects range from changes to the lifestyles of individual workers to potential disruption of the global economy.

As with most things in business, productivity and cost are the dominant factors when choosing between remote and co-located workplaces. But there's no one answer—what works for some firms doesn't work for others. 

Which is the better fit for your teams: fully or partially remote teams? Before delving into the research regarding remote vs. co-located decision, here's a review of the issues more broadly, as well as a look at how peers in the industry are dealing with the modern workplace.


Collaboration versus distraction

As companies transitioned from closed-door offices to open workspaces designed to foster collaboration (with the added benefit of being cheaper), it soon became evident that some types of work were less conducive to open office environments. While an office door can be viewed as a barrier to communication (or an aid in goofing off), it is also a reliable defense against distraction from noise and co-worker interruptions.

Today’s discussions regarding the perceived value of face-to-face collaboration are typically met with rebuttals related to open-office environments, and the tradeoffs between collaboration and distraction.

Recently, Yahoo and Reddit made headlines for banning remote work, but the overall movement towards remote work has remained largely unaffected, and both firms were careful not to repudiate the practice when announcing the policy change.

While Yahoo's leaked announcement cited a need for better communication, stating that "some of the best decisions and insights come from hallway and cafeteria discussions," Reddit's then CEO took to Quora to explain that remote didn't work simply because "there were too many times when we just needed to be able to walk over and tap someone on the shoulder and discuss a complex issue in-depth, right away."

Neither announcement cited any data or research, and some people speculated that the decisions by both companies may have been more about layoffs than a desire to co-locate team members.

Of course, comparing the productivity of remote and co-located teams as a yes-or-no proposition ignores many other contributing factors. Where the work is done matters little if your development team is not equipped with solid requirements, proper tools, sound practices, and skilled workers. 

Remote vs. co-location: The data

Remote work is still an emerging field of study, and data on the effectiveness of distributed teams is largely anecdotal. But there's a substantial amount of research on open offices, which is the usual alternative to working remotely. Studies on open offices have ranged from the health and productivity impact of noise, to how noise may impair arithmetic ability, to basic employee satisfaction. However, those studies don't directly relate to software developers and other professionals in the software development lifecycle.

In his 2013 blog post, Programmer Interrupted, then Georgia Tech PhD candidate Chris Parnin cited a host of studies on how interrupted tasks lead to poor outcomes. After studying data from 10,000 recorded programming sessions, Parnin concluded that a programmer "takes between 10-15 minutes to start editing code after resuming work from an interruption."

"[And they are] likely to get just one uninterrupted 2-hour session in a day," he noted. Coders need to stay focused. But when you combine these two results, it's easy to see that the number of productive man-hours lost to largely avoidable distractions imposes a significant cost on a software engineer's productivity.

The irony of working remotely

In their book, "REMOTE: Office Not Required," Basecamp founders Jason Fried and David Heinemeier Hansson evangelize the merits of remote work and offer actionable advice to managers considering a change. The authors practice what they preach, having scaled Basecamp's remote workforce to more than 50 employees since founding the company in 1999. The book identifies risks that managers of co-located teams would be unlikely to consider.

Conventional wisdom suggests that remote workers will work less, due to their freedom from oversight and monitoring, but REMOTE warns managers that the bigger concern should be the inability to recognize burnout and overworking when the employee is not on-site. Fried calls this "the great irony of allowing passionate people to work from home". The authors suggest that managers set reasonable expectations for hours while asking employees to measure their productivity by asking themselves, "Have I done a good day's work?" Some studies suggest that workers are actually more productive when unsupervised.

Considerations regarding the relative productivity of remote developers often center around the effective use of collaboration tools and development methodologies, but there could be more obvious factors at play. Remote work is not always without distraction.

Commuting hours reclaimed

Michael Swierczek, a remote software developer for Diio, says working from home “trades the distraction of being at home for the distraction of noise or intrusions at an office, and once you consider giving up your commute it's well worth it.”

Professionals living in congested regions where long commutes are common may be willing to extend their work hours in exchange for the greater convenience of working at home. In much of the country, a forty hour office-based work week may require being away from home for fifty or more hours. Removing that extra time burden could result in more productive hours.

Companies that evangelize remote work often promote the practice as a way to boost employee morale. "The Remote Manifesto," published by GitLab, lists eight principles for working remotely, starting with, "Working remotely allows you to be there for the ones you love, and be more available for them."

Drew Blessing is a GitLab engineer living in Nebraska who would face a four-hour round-trip drive to big cities where he might have the best chance of finding work. He says he appreciates the company's commitment to its employees. "GitLab encourages work/life balance and family", Blessing says. "Most people work around 40 hours and we all try to keep a good balance." 

Remote productivity: Individuals vs. teams

ThoughtWorks’ Martin Fowler adds a wealth of anecdotal evidence to the debate. He believes that individuals are more productive in a co-located environment, but remote teams are often more productive than co-located teams. This seems counterintuitive, but Fowler argues that remote teams have the advantage of hiring without geographic boundaries, and that enables employers to assemble world-class groups.

In theory, a team consisting of the best local talent available can’t compete when the filter of location is removed, unless that local talent has better chemistry. But logically, finding candidates more likely to have good chemistry with the team is also easier when you widen the net.

Zaarly, a Kansas City firm that built an online marketplace that connects local small businesses to customers, offers employees a "work from anywhere at any time" policy that values production over hours logged or attendance. However, the company's handbook also avows the importance of co-worker communication, and goes so far as to rank the company's preferred methods—with face-to-face communication listed highest, and email dead last.

Zaarly puts its money where its mouth is, adding they are "very happy to pay for plane tickets." Their attitude toward remote work is encapsulated in the handbook's final bullet point, which states: "Work happens anywhere, collaboration happens here, in the office we call home." 

There's an art to working from home

David Tate, a software consultant and writer living outside of Atlanta, is developing a personal guide for remote workers, The Art of Working From Home, that explains how to remain effective and overcome the unique challenges that accompany remote work.

Among the potential obstacles Tate identifies are social isolation, decreased collaboration, and a potential invisibility to co-workers and management that can negatively affect promotions and professional networking opportunities.

In-person conversations can "cover up many communication problems," Tate says. "A remote team has to work to establish clear, written methods of communication to prevent people drifting to their own misinterpretations of what should be done."

Stack Exchange (the people behind Stack Overflow) offers private offices to its co-located developers, and advocates and evangelizes remote work with a somewhat unique hybrid model that would likely be considered the best of both worlds, based on most programmer sentiments.

The new reality: Remote-first

The voices against open offices today are mostly drowning out those in favor, and the growing number of remote jobs has created a new remote jobs economy that consists of websites and marketplaces that connect employers to people in slippers and sweatpants.

The transparency surrounding the practices and policies of many remote-first employers now serves as a template by which established firms can transition to and startups can adopt. Hybrid office spaces that combine private areas for tasks that require concentration with airy zones for collaboration, are in vogue, and the digital nomad lifestyle has taken remote work to a new level.

What's next? What should your organization do? Well, the answer differs for every company, but these stories and trends should give you a framework to start thinking about the question. The answer often isn't binary—remote-only or co-located only—but somewhere in between.

Are your development teams mainly remote or co-located? What works for your organization? Share your experiences in the comments section below.


8 best practices for microservices security

There is virtually no situation in software architecture that entirely frees you from security considerations. With microservices, some issues become more distinct and a lot harder. However, there are also a few features of microservices that can bolster security.

With microservices, the network is still a bottleneck. Things like access control, which the industry already understands thoroughly within the realm of monolithic applications, assume a new, almost unexpected, level of complexity. This paves the way for debates and scrutiny over whether a microservices architecture actually solves more problems than it creates. Your decision to use microservices should always be conditional.

When you've done your due diligence and decided that microservices are right for you, it's time to make sure that all of your applications' security demands are met. Here are eight best practices for securing your microservices.


1. Use OAuth for user identity and access control

The overwhelming majority of applications are going to need to perform some level of access control and authorization handling. What you want to avoid here is reinventing the wheel. OAuth/OAuth2 is practically the industry standard as far as user authorization goes. While building your own custom authorization protocol is clearly an option, many out there don't recommend it unless you have strong and very specific reasons for doing so.

While OAuth2 isn't perfect, it's a widely adopted standard. The advantage of using it is that you can rely on libraries and platforms that will greatly accelerate your development phase. By the same token, several solutions for improving the security level of your OAuth-based authorization service have already been built by some of the biggest companies and smartest engineers around.

2. Use 'defense in depth' to prioritize key services

Assuming that a firewall on your network perimeter is enough to protect your software is a big mistake. "Defense in depth" is defined as "an information assurance concept in which multiple layers of security controls (defense) are placed throughout an information technology system."

In plain English, what you need to do is identify what your most sensitive services are, and apply a number of different layers of security to them, so that a potential attacker who is able to exploit one of your security layers will still have to figure out a way to beat all your other defenses on your critical services. This is by all accounts easier said than done, but several resources are available.

Security is typically a job better left to experts and not to amateurs. A proper defense in depth strategy is more likely to succeed if it's established by people who actually know what they're doing.

What's great about microservices is that they make it easier to adopt this strategy in a very granular and strategic way—by focusing your security efforts and resources on specific microservices. The architecture also makes it easier for you to diversify the layers of security you wish to adopt on each microservice. By so doing, an attacker who is able to exploit one of your services may not necessarily be able to figure out how to exploit the second one.
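The two practices above, an OAuth2 bearer token checked by the service itself and several independent layers that must each pass, can be shown in one small Go handler. This is an added example and not code from the original article; it assumes the access token is an HS256-signed JWT (a common OAuth2 token format, though OAuth2 does not mandate it), a hypothetical service name `orders-service`, and a shared secret known only to this service and the authorization server. `MintToken` stands in for the authorization server so the example runs offline.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of JWT claims this service checks on an OAuth2 access
// token: subject, audience, space-separated scopes, and expiry (Unix seconds).
type Claims struct {
	Sub   string `json:"sub"`
	Aud   string `json:"aud"`
	Scope string `json:"scope"`
	Exp   int64  `json:"exp"`
}

// serviceAudience is the hypothetical identifier of this microservice; tokens
// issued for any other audience are rejected even when correctly signed.
const serviceAudience = "orders-service"

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// sign computes HMAC-SHA256 over the JWT signing input (header.payload).
func sign(secret []byte, signingInput string) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(signingInput))
	return m.Sum(nil)
}

// MintToken builds an HS256 JWT. In production the authorization server does
// this; it is included only so the example can be exercised offline.
func MintToken(secret []byte, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := b64(hdr) + "." + b64(body)
	return input + "." + b64(sign(secret, input))
}

// Authorize applies independent checks in sequence; each must pass before the
// next is consulted, and any single failure denies the request.
func Authorize(secret []byte, authHeader string, now time.Time, requiredScope string) (*Claims, error) {
	// Layer 1: request framing. Only a bearer token of the expected shape is accepted.
	const prefix = "Bearer "
	if !strings.HasPrefix(authHeader, prefix) {
		return nil, errors.New("missing bearer token")
	}
	parts := strings.Split(strings.TrimPrefix(authHeader, prefix), ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}

	// Layer 2: algorithm pinning. The header's alg never selects the verification
	// method; anything other than HS256 (including "none") fails here.
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, errors.New("bad header encoding")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "HS256" {
		return nil, errors.New("unsupported or missing alg")
	}

	// Layer 3: signature, compared in constant time with hmac.Equal.
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, sign(secret, parts[0]+"."+parts[1])) {
		return nil, errors.New("bad signature")
	}

	// Layer 4: claims. Expiry, audience and scope are each checked separately.
	bodyJSON, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, errors.New("bad payload encoding")
	}
	var c Claims
	if err := json.Unmarshal(bodyJSON, &c); err != nil {
		return nil, errors.New("bad payload")
	}
	if c.Exp == 0 || now.Unix() >= c.Exp {
		return nil, errors.New("token expired or has no expiry")
	}
	if c.Aud != serviceAudience {
		return nil, errors.New("token not issued for this service")
	}
	for _, s := range strings.Fields(c.Scope) {
		if s == requiredScope {
			return &c, nil
		}
	}
	return nil, errors.New("insufficient scope")
}

func main() {
	secret := []byte("constructed-demo-secret-do-not-reuse") // constructed; in practice shared only with the auth server
	now := time.Now()
	tok := MintToken(secret, Claims{Sub: "user-42", Aud: serviceAudience,
		Scope: "orders:read", Exp: now.Add(time.Hour).Unix()})
	if c, err := Authorize(secret, "Bearer "+tok, now, "orders:read"); err == nil {
		fmt.Println("allowed:", c.Sub)
	}
	_, err := Authorize(secret, "Bearer "+tok, now, "orders:write")
	fmt.Println("write denied:", err)
}
```

Each layer fails closed with a distinct reason, which is what makes the logs useful when a check starts tripping; in a real deployment the shared secret would come from a secrets store, and a per-service audience means a token stolen from one microservice cannot be replayed against another.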

3. Don’t write your own crypto code

Over the years, many people have invested incredible amounts of money, time, and resources into building libraries that handle encryption and decryption. If you hired 10 smart and competent security people, put them all in a room and asked them to come up with the best possible library for encryption and decryption, I doubt they would come up with something as good as the best open source crypto libraries that are already out there.

Most of the time, when it comes to security you shouldn't try to roll your own new solutions and algorithms unless you've got strong and specific reasons to, and you've got people skilled enough to create something nearly as good as the open source tools already available (tools that have been heavily battle tested by the community).

In most cases, you should use NaCl/libsodium for encryption. It's been around for several years and it's fast, easy to use, and secure. While the original implementation of NaCl is written in C, it also supports C++ and Python. And thanks to the libsodium fork, several adapters for other languages like PHP, JavaScript, and Go are available.

This section wouldn't be complete without mentioning the wildly popular Bouncy Castle library. If you're working with Java or C#, your best bet is to go with this one. If you want to learn more about encryption, read this developer's guide.

4. Use automatic security updates

If you want your microservices architecture to be secure and scalable at the same time, it's a good idea—in the early development phase—to figure out a way to automate or at least keep all of your software updates under control.

High testing coverage here is more essential than ever. Every time a part of your system is updated, you want to make sure you catch any issue early enough and in as much detail as possible.

Make sure that your platform is mostly "atomic". What that means is that everything should be wrapped within containers so that testing your application with an updated library or language version is just a matter of wrapping a different container around it. Should the operation fail, reversing everything is fairly easy and, most importantly, can be automated.

CoreOS, Red Hat's Atomic Linux, and Ubuntu's Snappy Core are also projects you want to keep an eye on, as they try to bring about the same concept on an OS level.

5. Use a distributed firewall with centralized control

For the most part, this is still uncharted territory, but I believe that a firewall that allows users more granular control over each and every microservice (as attempted by Project Calico) has got to be the way we build firewalls for microservices. If not now, at least at some point in the future.

6. Get your containers out of the public network

Amazon, with their AWS API gateway, probably made this whole notion more mainstream and easy to adopt than anyone else before.

An API gateway establishes a single entry point for all requests coming from all clients. It subsequently knows how to provide an interface for all of your microservices.

By using this technique you can secure all of your microservices behind a firewall, allowing the API gateway to handle external requests and then talk to the microservices behind the firewall.

Moreover, as the Netflix experience teaches us, using an API gateway is a great way to optimize requests based on the client, especially in the case of mobile devices.

7. Use security scanners for your containers

Within your automated testing suite, it would make sense to include periodic vulnerability and security scanning for your containers. The chief open source actor in this space appears to be Clair, from CoreOS. Docker Security Scanning and Twistlock are a couple of commercial options.

Something else to keep in mind here is that the container image itself may not necessarily be trusted unless its signature has been verified. rkt does that by default, while Docker introduced a similar feature a while ago after several security vulnerabilities were found.

8. Monitor everything with a tool

You can't afford to run a distributed system without a solid, advanced, and reliable monitoring platform. Several solutions are available out there, but the one that was built specifically with microservices in mind and has been around the block is Prometheus.

Built originally by engineers at SoundCloud, Prometheus is an open source monitoring platform and a part of the Cloud Native Computing Foundation. It's being supported and adopted by some of the biggest players in the industry, like SoundCloud themselves, CoreOS, and DigitalOcean.

Other monitoring solutions include InfluxDB, statsd and several well-known commercial platforms.

Don't reinvent the wheel

While the above is not intended to be an exhaustive list, it touches on the issues you are most likely to face when building applications based on a microservices architecture.

When it comes to security, reinventing the wheel is rarely a good idea. Always be researching the best practices adopted by the industry and suggested by experts.

Here are some additional resources I've bookmarked:

Share your best practices or resources on which you rely for securing microservices in the comments below.


Tech vs. team: Which is most important to software success?

In the ongoing quest for effective ways to deliver great software, the age-old debate of people versus technology rages on. Conventional wisdom says that while automation and robust developer tools are integral for refining the delivery pipeline, nothing can beat smart people who work well together.

But as automation and continuous delivery tools improve, how true does that remain? Are people still the most important part of the equation, or have the sliders on the equalizer board shifted?

A just-released HPE Software-sponsored study by YouGov suggests that even though people-related factors are seen as most important for software delivery, technological and process factors may be better predictors of project success.

Conducted among 400 stakeholders in the development process, the survey asked respondents to rate their experience on 25 different performance considerations for the most important development project they worked on in the last year. These included items such as "automated testing," "competence/expertise of team members," "trunk development," and "high level of trust among team members."

Technology, Processes More Important Than People in Driving Development Success

When it comes to success, how can tech outrank people?

All of those factors were aggregated into two groups – technological/process factors, and people factors. When questioned generally, the overall satisfaction and perceived importance of the people factors predictably bubbled up to the top of the ratings.

Then the study organizers did something interesting. In addition to the factor considerations, respondents were asked to rate the project's outcome based on six measures:

  • Quality & performance
  • Time to market
  • Speed of delivery
  • Scope
  • Security
  • Cost/use of resources

Those outcome ratings were then correlated to the performance considerations.

Analyzed in this way, a different picture started to emerge. When correlating the average of the outcome metrics to the performance metrics, the technology/process factors jumped ahead of the people factors. Drilling deeper into the data, the researchers ran six regression analyses using each of the outcome metrics.

For every outcome metric, technology/process factors ranked higher than people factors in illustrating the success of the project.

Basic patterns: A balance of people and automation

At first blush, that's a stunning result for an industry that has put the people-first mantra on the loudspeaker for so long now. However, most software experts say that this shouldn't necessarily change any paradigms, for several reasons.

It is crucial to remember that, in the end, it's people who are the ones deploying that automation and deciding how to use it to greatest benefit. There's always human cost and consideration in the care and feeding of a good automation tool set.

"Automation and tooling is only as good as the skills of the person implementing the automation," says Ryan O'Leary, vice president of the Threat Research Center for WhiteHat Security. "Technology is almost never an out-of-the-box setup. It requires a person, or teams of people properly documenting, implementing, adopting and fitting it into their own development and release processes. Big human capital must be spent if companies really do want to see the benefit of automation in their development."

For example, many bleeding-edge developers lean on predictive analytics and artificial intelligence to continuously update software based on market or other variables plugged into well-tooled algorithms. But even in this ultimate automation play, you still need great people to make it work.  

Software is not a driverless car

"You can have an algorithm that's perfectly tuned to the training data that it might have had, but once you let that algorithm loose onto the world, it can take an unexpected turn. If you're not continually monitoring that – and it's people who are monitoring that – you run the risk of a perfectly implemented algorithm doing something disastrous," says Malcolm Isaacs, a senior researcher for Hewlett Packard Enterprise Software's application delivery management team.

Software is not a driverless car that can simply be set to go to a particular location, says Mike Hughes, principal platform evangelist for OutSystems. In the end, the creation of software that serves a purpose for people needs to also be driven by people. "Automation cannot replace knowledge of business requirements, audience, and the creativity that leads to great user experiences," he says.

It's people who come up with the user stories, and put in the labor to satisfy the needs of the business, says Isaacs. 

"In Agile, you'll get the key people in the room around a whiteboard, and they'll determine the use case that needs to be delivered successfully and what the definition of done is," he says. "Automated testing and so on will ensure that the definition of done is more easily achieved, but you can't write automation that will achieve the definition of done for you."

Some things you simply can't measure 

More than anything else, people offer that certain je ne sais quoi of software development – the creative spark that ignites the engine of innovation. This aspect of software delivery is highly subjective and extremely difficult to measure, which means that studies can rarely assign a number to it. That is why most people-versus-technology discussions usually sound more like religious debates than scientific comparisons.

Nevertheless, results such as those from the most recent YouGov survey do hold value. They act as a valuable touchstone in reframing the debate and admitting that technology may have a bigger role than originally thought. Most important, great human resources don't mean much if they aren't being used effectively.

"Too often, the human factor in software development spends the bulk of development time hand-coding, wrestling with legacy integrations, testing, DevOps, and change management," says Hughes. "Automation can replace these time-consuming activities so that people are free to conceptualize, drag-and-drop components to solve business problems, and get great applications and software to market faster. Creativity, not mindless, repetitive tasks, is the main purview of people."

So the people, process, and technology trifecta still stands

The crucial thing to remember, says Isaacs, is that people, process, and technology are all important to success, no matter whether one element is more efficient than another. It may be best to think of software development in terms of chemistry. If any one of those three ingredients is missing, the eventual chemical byproduct can't be created. It's not the ingredients themselves that are important, but the reaction caused by their combination that's key.

The conclusion from the white paper that technology is more effective than people may be valid in some sense, but the appropriate action based on this conclusion might be counterintuitive, Isaacs says. That is, the gains made through technology can allow an organization to double-down on smart people.

"People are just as important as technology, but they are slightly less effective. Because you get more back from technology, you can afford to put slightly more of your resources into your people investments," he says.


The best mobile and IoT conferences of 2017

Whether your customers are retail shoppers, electric utility clients, bank account holders, university students, or streaming media subscribers, they all expect to conduct business on their smartphones, tablets, wearables, and other mobile and Internet of Things (IoT) devices. Are you up to date on the latest techniques to support them and keep them from turning to your competition?

To keep up, consider attending one or more of the many conferences available this year that center on mobile development and connected devices. Not only will you find a wide variety of training and certifications, but there's no better way of meeting industry experts and peers in this rapidly evolving technology space.

Below you'll find our list of mobile and IoT conferences that will help executives, developers, designers, engineering team leads, IT operations managers, entrepreneurs, researchers, product managers, and anyone else involved with mobile computing and IoT better understand the latest technologies, trends, challenges, and opportunities.

We have ranked them in four categories:

  • Ones we consider a "must."
  • Others that are worth attending.
  • A third tier of events that, within their broader scope, have strong mobile or IoT tracks and content.
  • A final group of large, quasi-legendary conferences whose size and breadth makes them interesting to people involved with IoT and mobile.

What Mobile and IoT conferences offer

Mobile and IoT conferences offer great opportunities for practitioners to get ahead—and stay ahead. You'll find better ways to update your consumer mobile apps and services, as well as techniques for improving interfaces and your users' experience, and for tightening your app's security. In the IoT area, you'll find courses and tracks covering the latest trends, as well as practical guidance on the growing use of analytics and big data techniques.

Must-attend mobile and IoT conferences

We based this year's list of "must-attend" conferences in mobile and IoT primarily on consistently high interest among attendees, year over year.

Mobile World Congress

Twitter: @GSMA / #MWC17
Web: mobileworldcongress.com
Date: February 27-March 2
Location: Barcelona, Spain
Cost: Exhibition Visitor Pass, €799; Silver Pass, €2,199; Gold Pass, €2,699; and Platinum Pass, €4,999.

Described as a gathering for the entire mobile industry by its organizer, the MWC is owned by GSMA, an industry group made up of 800 mobile operators and 300 mobile ecosystem companies. It's a big conference: In 2016, the MWC in Barcelona drew more than 100,000 attendees from 204 countries, and more than 2,200 exhibitors.

"This key global event — essentially a microcosm of the mobile advertising ecosystem — did not fail to live up to high expectations, and while trade visitors were making sense of a fractured mobile landscape, it was brought together seamlessly, allowing members to explore new products, partnerships and offerings," Scott O'Leary of MediaMath wrote of MWC16.

"Amongst the new innovations in mobile technology," he added, "there were a few key insights and learnings that caught our attention—noticeably how these advances are looking to change people’s personal and everyday lives through connectivity, as well as new services and apps, not to mention virtual reality headsets."

While newbies elbowed their way into last year's MWC, phone companies were still the headliners, said Maurizio Pesce of WIRED. "There's been real excitement in the air here at the Mobile World Congress as the industry gathers to debut the phones that will flood the market over the next few months," he wrote. "This year, the phone-makers have had to make room on the show floor for newcomers—Internet service companies, autonomous cars, tons of startups—but it’s still the mobile tech manufacturers who have managed to stay in the spotlight."

Keynote speakers at the 2017 MWC include Eugene Kaspersky, chairman and CEO of Kaspersky Lab; Takashi Niino, president and CEO of the NEC Corporation; Reed Hastings, founder and CEO of Netflix; John Hanke, creator of Pokemon GO and founder and CEO of Niantic; and Rajeev Suri, president and CEO of Nokia.

At this year's event it's expected that BlackBerry will release a new smartphone based on Android; Motorola, now owned by Lenovo, will be announcing a new phone; flagship upgrades will be coming from Huawei, HTC, and LG; and Nokia will introduce a flagship model.

Who should attend: Anyone involved with the mobile industry — app developers, operators, equipment vendors, and professionals from the Internet, financial, marketing, and entertainment industries

Apple WWDC

Twitter: #WWDC17
Web: developer.apple.com/wwdc
Date: June 5-9 (unconfirmed)
Location: San Francisco, California
Cost: $1,599 (2016 price)

Final information on Apple's WWDC usually isn't released until April but it's always held in San Francisco in June. The event is Apple’s biggest developer event so it attracts intense attention from the press, industry analysts, Apple customers, and MacOS and iOS developers.

Although it’s not an exclusively mobile-focused conference, mobile dominates the proceedings. That's not surprising, since iPhones generate most of Apple’s revenue and mobile is where most of Apple’s innovation and growth efforts are centered, in products such as Apple Pay, HealthKit, Apple Watch, and the iPad Pro.

Last year's conference was a scattershot event, said Roger Cheng, writing for c|net. "Steve Jobs probably would've hated this," he noted.

"The late co-founder was famously obsessed with simplicity," he continued. "Apple's Worldwide Developers Conference keynote on Monday was anything but, offering a dizzying list of features."

"[T]here's something to be said about the less-is-more approach, with few standout announcements emerging from the two-hour presentation," he added.

Among that dizzying list of announcements were a new name for OS X, MacOS; the porting of Apple Pay to the Web; a speed boost for Apple Watch; a mammoth upgrade of iOS, redesigns of Apple News and Music; management improvements in Photos; voice mail transcription; improvements in Apple TV; and opening up Siri to developers.

Rumors are still thin about the 2017 WWDC, but two that have started circulating are that a new iMac will be announced, as well as a group call feature for FaceTime in iOS 11.

If you’re unable to score a ticket and you’ll be in San Francisco anyway, several independent events occur simultaneously. One of the better-known ones is AltConf (Twitter: @AltConferenc), which is free.

Who should attend: iOS and MacOS developers.

Google I/O

Twitter: @googledevs / #GoogleIO2017
Web: events.google.com/io
Date: May 17-19
Location: Shoreline Amphitheatre, Mountain View, California
Cost: Not available

Google I/O, first held in 2008, has become one of the most important developer conferences in the world. Like Apple’s WWDC, Google I/O isn’t strictly about mobile, but the event is heavily focused on the Android OS and its ecosystem.

The conference also covers developer tools and APIs for other Google products, services, and platforms, including the enterprise Cloud Platform, consumer online services such as Google Play, products for publishers and advertisers, such as AdSense and Analytics, consumer devices such as the Cardboard virtual reality headset, and even some of the company’s “moonshot” projects.

While the public doesn't know yet what Google will be introducing at its developers' event, based on previous sessions there's a good chance there'll be a new version of Android—Android O—as well as upgrades of Android Wear, Google Home, and Google Assistant. You can expect some virtual and augmented reality announcements, too.

Who should attend: Developers working with Android and with the growing variety of Google web services, mobile apps, and hardware.

Videos from the 2016 sessions are available online.

360 iDev

Twitter: @360iDev / #360iDev
Web: 360idev.com
Date: August 13-16
Location: Grand Hyatt Hotel, Denver, Colorado
Cost: $799 to $1,049 (military and student discounts available)

360 iDev positions itself as the smaller, more intimate, and independent alternative to Apple’s WWDC. Typically, around 400 people attend the event. Last year, the gathering had more than 50 sessions and over 40 speakers.

Bryan Giese, who attended 360 iDev 2016, wrote in his blog that he was drawn to the conference by word of mouth. "Friends have gone in past years, and it gave them a new perspective on the tech industry," he wrote. "They told me the speakers and sessions weren’t just about the code and optimization techniques – there was always something more about how what developers create can have a larger impact beyond just their applications."

"Indie developers, like most freelancers or project-based talent, have a unique challenge," he adds. "They need to excel at their main skill of coding and app creation, but they also need to be adept at many other skills, like project management, business development, and self-promotion. 360iDev is a conference that gives attention to all of those aspects, providing sessions that cover the spectrum of challenges a developer faces, whether they are independent or within a larger environment."

Who should attend: iOS developers.

Videos from last year's sessions are available online.

AnDevCon

Twitter: @AnDevCon / #AnDevCon
Web: andevcon.com
Date: July 17-19
Location: Washington, D.C.
Cost: Depending on when purchased, ticket prices range from free exhibit-only passes to all-access passes for $1,095.

AnDevCon touts its practical, technical nature. Organizers also claim a complete focus on developers and software engineers building Android apps via training sessions, tutorials, and classes.

Some of the session titles for 2017 include An Introduction to RxJava, Android Push Messaging, Better Android Intents with Dart and Henson, Coding Augmented Reality for Android, Introduction to Google’s Daydream Platform, and Put Android and iOS on the Same Wavelength with Serverless Microservices.

Who should attend: Android developers.

Internet of Things World

Twitter: @Iotworldnews / #IoTW17
Web: tmt.knect365.com/iot-world
Date: May 16-18
Location: Santa Clara Convention Center, Santa Clara, California
Cost: Depending on when you purchase tickets, prices range from $895 to $2,895. Free tickets are available to attend the expo, which includes more than 250 exhibitors.

Internet of Things World is the largest IoT event, with the largest span of vertical and horizontal themes covered, according to the event's organizers. They expect more than 13,000 attendees at the event, which will have more than 300 speakers and over 200 sponsors and exhibitors.

New topics featured at this year's conference include machine learning and AI/VR/IoT in business and education. There'll also be an IoT Off the Grid area outside the convention center featuring interactive demos, connected cars, and IoT products of the future. In addition, some of the most innovative IoT tech around will be on display at Startup City, which will include more than 150 leading-edge companies.

Who should attend: Anyone with an interest in IoT who works in the technology/telecoms industry or a related field.

IoT Evolution Expo

Twitter: @IoTEvolution / #IoTEvolution
Web: iotevolutionexpo.com
Date:  February 7-10
Location: Fort Lauderdale Convention Center, Fort Lauderdale, Florida
Cost: Prices range from free for An Expo Plus Pass when purchased in advance ($100 at the expo) to $3,195 ($3,395 at the show) for the Diamond Group Plan that grants admission to all proceedings for three of your company's employees.

IoT Evolution Expo focuses on how IoT can drive business transformation in all industries through improved operational efficiencies, revenue opportunities, and problem solutions. It features track sessions, an exhibit floor, case studies, special events, networking opportunities, and other events.

Among the sessions at this year's conference are How Will We Participate in the 4th Industrial Revolution?; IoT Development Plans: Why You Need to Accelerate the Move to LTE; You Want an IoT Strategy, Now What? A Practical Decision Making Framework for Designing a Flexible Enterprise IoT Deployment; Imagination to Integration - Role of IoT in Smart Factory Transformation; From Sensors to Cloud: Complete Smart Cities Solutions; and Machine Learning Impact on IoT.

Who should attend: Anyone who wants to understand how to evaluate, select, and implement IoT systems, including developers, IT executives, business executives, device manufacturers, transportation companies, supply chain and logistics pros, sensors and embedded systems companies, and systems integrators.

Industry of Things World USA 2017

Twitter: @IoTClan / #IoTClan
Web: industryofthingsworldusa.com/en
Date: February 20-21
Location: Hard Rock Hotel, San Diego, California
Cost: Options include Industry Delegate, $2,295 and Solution Provider, $3,495. Group discounts are available.

Organizers call this conference "the leading industrial IoT event for senior executives." Industry of Things World USA 2016 drew attendees from around the world who were interested in better understanding the business and technical issues related to industrial IoT.

Topics covered in this year's conference include IoT and how it affects business models; monetizing the IoT in an industrial setting; effective product lifecycle management strategies; data-driven decision making with smart data analytics; legacy systems and the new digital world; and the role of security in an IoT-connected world.

Who should attend: IoT specialists and strategists, IoT novices, cloud computing adopters, big data analytics experts, and anyone else involved in their business's digital transformation.

Sensors Expo & Conference

Twitter: @SensorsExpo / #Sensors17
Web: sensorsexpo.com
Date: June 27-29
Location: McEnery Convention Center, San Jose, California
Cost: Early-bird rates (through April 21) range from free expo hall passes to VIP conference passes for $1,149 ($1,549 after April 21).

Sensors Expo & Conference has been around for more than 30 years, always focusing exclusively on current and upcoming sensors and sensor-integrated systems.

"Clear and simple, Sensors Expo 2016 will offer a plethora of treasures for you to improve your work, accelerate it, ease your tasks, sharpen your skills, and put your shoulders to the wheel and do even more work," wrote Mat Dirjish in Sensors Magazine. "But there's a missing ingredient somewhat absent from all these career-focused promotions. The missing ingredient is fun."

"One way of looking at Sensors Expo 2016 is as one of the greatest toy shows around," he continued. "Keep in mind, you need these toys on display at Sensors Expo to make those bigger toys that people will be buying in the future."

Who should attend: Software engineers, scientists, researchers, academics, investors, corporate buyers.

Videos about products and technologies at the 2016 expo are available online.

Worth attending

Some readers might describe many of the conferences in our second category as “must attend,” especially the conferences that appear to be growing in size each year. Generally, these conferences are smaller in attendance or target specific industries.

Internet of Things Developers Conference

Twitter: @iotdevcon / #iotdevcon
Web: iot-devcon.com
Date: April 26-27
Location: Santa Clara Convention Center, Santa Clara, California
Cost: Pricing varies depending on when purchased, from $95 to $495.

Focused on solving the technical and business challenges of IoT, the Internet of Things Developers Conference features an exhibit floor, in-depth technical sessions, tutorials, business strategy, and hands-on demos.

Some of the sessions at last year's conference included IoT Driving the Need for More Secure Big Data Analytics; Charting a New Course for Semiconductors in the Era of the Internet of Things; Scalable Secure Identity for IoT; Standardizing Technology and Encouraging Collaboration to Drive the IoT; How do you Cut away the IoT Hype and Find the Revenue Opportunity?; Why the Need for Special Operating Systems for IoT and Wearable Devices?; Why Would One Need Multicore, Heterogeneous Processors for IoT Applications?; and Voice Biometrics are a Natural Fit for Controlling User Permissions in IoT and Mobile Devices.

The conference organizers say the 2017 conference will target technologies from the ultra-low power microcontrollers to the multicore-enabled aggregation hubs to the software and security infrastructure required for monitoring and management of the enormous bundles of data.

Who should attend: IoT developers.

GlueCon

Twitter: @gluecon / @defrag / #gluecon
Web: gluecon.com
Date: May 21-26
Location: Omni Interlocken, Broomfield, Colorado
Cost: $795 for early-bird registration (through April 7).

GlueCon focuses on what the organizers consider the most important trends in technology, including cloud computing, DevOps, mobile, APIs, and big data, all from the perspective of developers, which organizers view as being at the core of all of these areas.

Who should attend: Software engineers.

Embedded World Exhibition and Conference

Twitter: @embedded_world / #ew17
Web: embedded-world.de/en/conference/embedded-world-conference
Date: March 14-16
Location: Nuremberg, Germany
Cost: Conference blocks range from €335 to €835 (VAT included); classes are €400 for a half-day and €600 for a full day.

Founded in 2003, the Embedded World Conference is designed for developers and designers of embedded systems. Organizers say this is Europe's biggest conference devoted to embedded systems development, and it addresses all major topics in this sector, featuring papers and classes with a focus on concrete solutions.

The 2016 conference set new records for both exhibitors (939) and trade visitors (30,363). In polls taken at the event, both exhibitors and conference goers said they were happy they attended the gathering. Some 93 percent of exhibitors rated the event a success, according to AudioExpress.com. Similar attitudes were expressed by attendees, with 94 percent saying they'd recommend Embedded World to their business contacts and colleagues, and 96 percent saying they'd be back this year.

Who should attend: Developers and designers of embedded systems.

Internet of Things Applications Europe

Twitter: Not available
Web: idtechex.com/internet-of-things-europe/show/en
Date: May 10-11
Location: Berlin, Germany
Cost: Ranges from €99 for an exhibition pass to packages as high as €2,246.

Internet of Things Europe is co-located with seven other topically related events, including Wearable Europe and Sensors Europe, and shares an expo floor with them. A ticket to any one conference grants attendees access to the others.

This event addresses the real opportunity for the Internet of Things, not hype, according to the event's organizers. Business models, case studies, opportunities, and profitability are all covered. Specific market verticals are featured, in addition to emerging technologies.

Who should attend: IoT developers, IT pros, CxOs.

Cross-discipline conferences

Conferences in this category target specific industries or technologies, such as security, cloud computing, and open source. Although you won’t necessarily see “mobile” or “IoT” in the conference titles here, these gatherings are of interest for many software engineers.

Microsoft Build

Twitter: @msdev / #msbuild
Web: build.microsoft.com
Date: May 10-12
Location: Seattle, Washington
Cost: $2,195

Build is a massive conference for developers who build apps for Windows, Office 365, Edge/IE, SQL Server, Azure, Xbox, and HoloLens, using tools such as Visual Studio 2015, Visual Studio Code, ASP.NET vNext, and product-specific SDKs and APIs. Build is now also relevant for Android, iOS, and open-source developers, thanks to CEO Satya Nadella’s push for Microsoft to be more platform-agnostic as it distances itself from its old Windows-only strategy.

In 2016, Microsoft announced at Build that it was adding the Bash Unix shell to its Windows 10 Anniversary Update so that developers and power users could use open source command-line tools to manage projects. It also announced that it was making Xamarin, a cross-platform development platform, a free part of Visual Studio, and was making its SDK open source.

Who should attend: Windows developers, primarily Windows and Windows Mobile, and those using SQL Server, Azure PaaS, and tools such as Visual Studio and ASP.NET. More than ever, Build is also relevant for iOS, Android, and open-source developers.

Videos of the 2016 sessions are available online.

Fluent

Twitter: @fluentconf / @OReillyMedia / #FluentConf
Web: conferences.oreilly.com/fluent/fl-ca
Date: June 19-20, training; June 20-22, tutorials and conferences
Location: San Jose, California
Cost: Not Available.

First held in 2012, Fluent aims to cover the “full scope of the Web platform,” according to its organizers. It focuses on practical training in JavaScript, HTML5, CSS, and associated technologies and frameworks, including WebGL, CSS3, mobile APIs, Node.js, AngularJS, and ECMAScript 6.

Keynote speeches at the conference last year touched on subjects such as making mobile apps as powerful as desktop apps, an introduction to the Seif Project to transition the Web into an application delivery system, the two most important principles to being a better designer, and using advanced browser features to build robust apps.

Who should attend: Web designers and developers, including mobile and web infrastructure teams, JavaScript developers, architects, UI/UX designers, and system developers.

Video of keynotes is available online.  

DeveloperWeek

Twitter: @DeveloperWeek / #DVWK17
Web: developerweek.com
Date: February 11-16 (Hackathon, February 11-12; Workshop Day, February 13; Hiring Mixer, February 13; Conference, February 13-15; Expo, February 14-15).
Location: San Francisco, California
Cost: Prices range from $35 for an Expo pass to $1299 for a DeveloperWeek Pro Pass.

According to the conference organizers, DeveloperWeek 2017 is the world’s largest developer expo and conference series. It offers over 50 week-long events, including the DeveloperWeek 2017 Conference & Expo (8,000 attendees), the DeveloperWeek Hackathon (more than 1,000 attendees), Official Hiring Mixer (more than 1,000 hirable developers and over 50 hiring companies), and dozens of city-wide partner events.

Past event hosts and supporters of the event include Google, Oracle, Facebook, Yelp, Rackspace, IBM, Cloudera, Red Hat, Optimizely, SendGrid, Blackberry, Microsoft, Neo Technology, Eventbrite, Klout, Built.io, Ripple, GNIP, Tagged, HackReactor, and dozens of others.

Who should attend: Software engineers, entrepreneurs, venture capitalists.

IT/Dev Connections

Twitter: @devconnections / #ITDevConnections
Web: devconnections.com
Date: October 23-26
Location: Hilton Union Square, San Francisco, California
Cost: Early bird pricing through June 16, $1,299 and $2,099; thereafter, $1,799 and $2,699.

This conference, aimed at developers and IT professionals of all stripes, focuses on such topics as big data and business intelligence, virtualization, DevOps, enterprise management and mobility, cloud and data center, development platforms and tools, and enterprise collaboration. There's an emphasis on Microsoft products such as Azure, Exchange, SQL Server, and SharePoint, although other vendors are also discussed.

Who should attend: Developers, IT pros.

BlackHat USA

Twitter: @BlackHatEvents / @ubm / BlackHat / #BHUSA
Web: blackhat.com
Date: July 22-27
Location: Mandalay Bay Hotel, Las Vegas, Nevada (Black Hat will also be held in London and Singapore in 2016.)
Cost: Briefing prices, depending on when you register for the conference, range from $2095 to $2795. Business Hall pricing is $595 through July 21 and $695 thereafter.

First held in 1997, Black Hat has become one of the world’s biggest tech conferences, and one that security professionals either must attend or must follow closely from afar. It’s the preferred venue for researchers, security experts, vendors, and ethical hackers to disclose their latest vulnerability findings, the most dramatic of which become general-interest news globally.

For example, the 2015 conference exposed security gaps in cars that could let cyber criminals remotely disable key functions in moving vehicles, such as brakes. In 2016, a "danger drone" was aired that could hack into devices while flying over them, as well as a technique for planting ransomware on smart thermostats.

Black Hat features training sessions, a big expo floor, and A-list presenters and keynote speakers, as at many major tech conferences. But unlike most others, Black Hat requires that attendees keep certain precautions, given that they’ll be surrounded by thousands of the world’s finest hackers, some of whom will be looking to play pranks, test their latest vulnerability discoveries in a real-world setting or, at worst, attempt criminal acts, such as stealing personal, governmental, or corporate data.

"I kind of like Black Hat better than the RSA Conference," wrote Enterprise Strategy Group Senior Principal Analyst Jon Oltsik after last year's Black Hat conference. "At Black Hat, you talk about the real challenges facing our industry and discuss intellectual ways to overcome them. At RSA, everyone throws buzz words at you and tells you how they solve all your problems."

Attendees should be prepared for a large conference (more than 11,000 people attended in 2015), where exciting revelations about security vulnerabilities will be detailed.

Who should attend: Security analysts, risk managers, security architects/engineers, penetration testers, security software developers, cryptographers.

Cloud Computing Expo

Twitter: @CloudExpo / @SYSCONmedia / #CloudExpo
Web: cloudcomputingexpo.com
Date: June 6-8
Location: Javits Center, New York, New York
Date: October 31-November 2
Location: Santa Clara Convention Center, Santa Clara, California
Cost: Depending on when it’s bought, a Gold Pass, which gives attendees full access to the proceedings, ranges from $1,695 to $2,500.

This conference explores “the entire world” of enterprise cloud computing — private, public, and hybrid scenarios — and the latest on topics, including IoT, big data, containers, microservices, DevOps, and WebRTC via keynotes, general sessions, breakout sessions, panels, and an expo floor.

Who should attend: CEOs, CIOs, CTOs, directors of infrastructure, technology enthusiasts, etc.

RSA Conference

Twitter: @rsaconference / #RSAC
Web: rsaconference.com/events/us17
Date: February 13-17
Location: Moscone Center, San Francisco, California
Cost: Ticket prices vary widely, starting at $100 for an early-bird expo pass to $2,695 for a full-conference pass bought on site.

One of the world’s largest security conferences, RSA celebrates its 26th anniversary in 2017. RSA became part of Dell Technologies in September, but the acquisition isn't expected to affect this year's conference or any future shows.

"Like many other exhibitors, I spent hours chatting with potential customers and technology partners," Tom Skeen, an IT, risk and security adviser with Safe-T Data, wrote about RSA 2016.

"Just about everyone had a common theme or two," he noted. "What is the best way to protect information, at a reasonable cost and with the most operational supportability? This makes complete sense, given the continued challenges around advanced cybercrime and hyper-connectivity nowadays."

This is a very large event in terms of attendees, exhibitors, and sessions, which may signal robust growth in the IT security industry and just how dangerous the threat landscape has become.

Attendees should do their pre-conference homework and sketch out a game plan, as this is a very large conference. In 2016 there were more than 40,000 attendees and almost 700 speakers.

Who should attend: Security professionals.

CanSecWest

Twitter: @CanSecWest / #CanSecWest
Web: cansecwest.com/index.html
Date: March 15-17, 2017
Location: Sheraton Wall Centre in Vancouver, British Columbia
Cost: Access to the conference ranges from CAD $2,100 to $2,500, depending on when you buy a ticket. Dojo registration ranges from CAD $1,900 for one day to $7,400 for four days. Registration includes catered meals.

Organizers describe CanSecWest as "the world's most advanced conference focusing on applied digital security." They take pride in attracting “industry luminaries” as speakers, and in fostering a relaxed environment for collaboration and networking.

Now in its 17th year, this three-day, single-track conference features one-hour presentations, delivered by experts in a lecture theater setting, that focus on best practices, real-world experiences, and detailing new vulnerabilities, attacks, and defenses. This year's presentations include Sandbox Escape with Generous Help from Security Software, Don't Trust Your Eye: Apple Graphics Is Compromised!, Bypassing Different Defense Schemes via Crash Resistant Probing of Address Space and APT Reports and OPSEC Evolution: These Are Not the APT Reports You Are Looking For.

In addition to the presentations, CanSecWest features hands-on "Dojo" training courses led by security instructors.

"The technical depth and breadth of the research presented in Vancouver this year yet again lived up to expectations," wrote Pieter Ockers, a senior security program manager at Adobe, of the 2016 event.

"Of the security conferences that Adobe sponsors throughout the year, CanSecWest consistently draws a critical mass from the security research community, with offensive, defensive and vendor communities well-represented," he continued.

"The exposure to bleeding edge research presented by subject matter security experts, and the opportunity to forge new relationships with the security research community, sets CanSecWest apart from the security conferences Adobe attends throughout the year," he said.

Who should attend: CISOs, CSOs, enterprise IT security pros and executives.

AppSecUSA

Twitter: @appsecusa / #appsecusa
Web: 2016.appsecusa.org (2017 website coming soon)
Date: September 19-22
Location: Orlando, Florida.
Cost: Not available at time of publication. For the 2016 conference, regular admission was $995, with a variety of discounts available, including $80 tickets for full-time university students.

Focused on application security, this highly technical conference goes deep into topics such as DevOps, privacy, mobile security, secure development, app assessments, and cloud security. The event is organized by the Open Web Application Security Project (OWASP), a nonprofit organization with 200 chapters in 100 countries devoted to improving app security from a vendor-neutral perspective.

According to its blog posting, AppSecUSA is the largest conference solely dedicated to application security. Unlike similar conferences, which only offer speaker sessions, AppSecUSA also offers cutting-edge training conducted by leaders in the field, opportunities for women and those transitioning from military service to network and develop their careers, and significant discounts for students to learn about security careers.

Headline speakers at the 2016 conference featured novelist, activist, and journalist Cory Doctorow discussing the intersection of digital rights management and security research; Samy Kamkar, a researcher, hacktivist, and entrepreneur who discussed how he uses side channels, physics, and low-cost tools to mount powerful attacks against modern technology; and Casey Ellis, co-founder of Bugcrowd, who talked about best practices for implementing an effective bug bounty program.

Who should attend: Developers, auditors, risk managers, technologists, and entrepreneurs.

Other conferences

Our final category consists of conferences that are just too cool not to mention. If you’re planning your conference travel and budget around mobile and IoT shows, you might want to save a little room on your plate for one or more of the following events.

CES (Consumer Electronics Show)

Twitter: @CES / #CES2018
Web: cesweb.org
Date: January 9-12, 2018
Location: Las Vegas, Nevada
Cost: Not available.

The legendary and massive consumer electronics conference and expo covers a wide range of topics, some of which might be of direct or tangential interest to those involved with mobile and IoT, such as security, digital entertainment, e-commerce, gaming, robotics, storage, education technology, mobile apps, and networking.

Who should attend: Anyone interested in the latest and greatest consumer electronics.

SXSW (South By Southwest)

Twitter: @sxsw / #SXSW2017
Web: sxsw.com/schedule
Date: March 10-19
Location: Austin, Texas
Cost: Prices range from $495 to $1,550.

While music and film are key elements of SXSW, the event also has a strong technology component. Topics this year include startups, wearables, healthcare IT, virtual reality, IoT, smart cities, digital media, online marketing, software design and development, open source, mobile design, and user experience.

TechCrunch Disrupt

Twitter: @TechCrunch / #tcdisrupt
Web: techcrunch.com/event-info/disrupt-ny-2017/ and techcrunch.com/event-info/disrupt-sf-2017/
Date: May 15-17
Location: New York, New York
Date: September 18-20
Location: San Francisco, California
Cost: Extra early-bird ticket for full, three-day access: $1,995. Other packages for exhibitors and individuals available.

Disrupt is the conference for anyone involved with or interested in startups, entrepreneurs, venture capital, and emerging technologies. It features hackathons, provocative panel discussions, and A-list speakers. Many established high-tech companies have used Disrupt as a springboard.

Gartner’s Symposium/ITxpo

Twitter: @Gartner_SYM / #ITxpo #GartnerSYM
Web: gartner.com/events/na/orlando-symposium
Date: October 30-November 2
Location: Gold Coast, Australia
Cost: Standard conference price is A$4,350. Public-sector price is A$3,575. Group discounts available.

The mother of all Gartner conferences, Symposium/ITxpo is aimed specifically at CIOs and technology executives. It addresses from an enterprise IT perspective topics such as mobility, cybersecurity, cloud computing, application architecture, application development, IoT, and digital business.

E3 Expo

Twitter: @E3 / #E32017
Web: https://www.e3expo.com/
Date: June 13-15
Location: Los Angeles, California
Cost: Not available

A massive gaming show that covers mobile, video and computer games, and related products, it covers topics of interest to software developers, buyers and retailers, distributors, entertainment industry executives, venture capitalists, manufacturers, and resellers.

Highlights of the 2016 conference are available online.

Interop Las Vegas

Twitter: @interop #Interop
Web: interop.com/lasvegas/
Date: May 15-19
Location: Las Vegas, Nevada
Cost: Ranges from $249 (before April 1) to $3,299.

A venerable tech conference, Interop delves into topics such as applications, cloud computing, collaboration, networking, IT leadership, security, software-defined networking, storage, virtualization and data center architecture, and mobility.

Did we miss any conferences or events? We've done our best to compile a comprehensive list of the top mobile and IoT conferences to attend in 2017, but nobody's perfect. This is a list in progress, so please let us know in the comments below if there are any other events or conferences you think we should add.


Image credit: Flickr


5 cloud priorities that will make your digital transformation successful

In my travels across the world, I've been gathering the perspectives of numerous enterprise customers around their current level of automation and their use of new digital service delivery technologies. I've found that many organizations are grappling with similar issues in terms of how to deliver, manage, and finance cloud services in the digital age.


Here are five common themes that surfaced in my conversations that spell out the top priorities for achieving an effective digital transformation.

1. Cloud service delivery

Large enterprises are still struggling to build a strategy for their cloud service delivery model that enables digital transformation. To enable that, they need to think about the transition to transformation in a new way, asking questions such as:

  • What are the priorities?
  • How do we move to a structured, agile program?
  • Who do we need to get the work done?
  • What tools and capabilities do we need?

The answers to these questions can help organizations realize incremental value in their cloud investments over time.

When I use the Open Group IT4IT reference architecture to frame this new way of thinking, practitioner confusion begins to dissipate. IT4IT defines an orderly set of steps IT can follow to reach an expected outcome by focusing on the people, processes, and data that are needed to manage a service through its life cycle.

2. Shadow IT 

The stress of speed to market has driven the adoption of a new role—VP of digital business. This executive determines what mix of technologies and people will best be able to quickly iterate and deliver new applications.

It's common in many enterprises today to find a new generation of developers "geeking out" on open source tools, with no fear of breaking anything. While this approach can help organizations innovate rapidly, it can also threaten the ability of IT operations to retain full control of enterprise infrastructure and applications.

In meetings with IT organizations and business leaders, I have been discussing an idea I call my "theory of Y." See the figure below, which depicts a bimodal IT scenario.

On the upper portion of the "Y," the left side represents traditional/core applications and the right side represents fluid/cloud native applications. The stem of the "Y" represents IT operations. In some client organizations, the stem of the "Y" supports both core and fluid applications. But in others, an independent IT operations department is spun up to handle fluid applications. This shadow IT has inherent cost implications: as fluid development teams find a way to operate at a pace that meets business demands, they begin to build up a secondary IT operations capability to ensure service performance.

Why? First, cloud is being provisioned outside the norm via public and managed service providers. Second, the existing IT operations department is not able or willing to perform with the necessary agility and speed.

3. Demand for predictive capabilities

Enterprise IT leaders have a high expectation that technology can predict where and for how long a workload should live. This predictive, policy-based decision logic has become a top priority for more mature enterprises that are ready to use a hybrid service delivery capability and have the confidence to move application workloads to a public cloud or a managed provider.

Policies relating to security, cost, service level, regulatory compliance, and volume are all on the wish list.

4. Cloud finance

It has become clear to me that cloud finance is another top priority for enterprise business and IT leaders. Organizations want the ability to do chargeback—i.e., allocate the cost of cloud service to the departments and customers that use them—with an understanding of the total cost of the service.

The capability to provide usage metering and dynamic pricing against usage is "a must" now for service providers. Tools and services need to support the dynamic nature of changes in the market based on supply-and-demand theories.

5. Hybrid cloud

The need to provide public cloud services within the enterprise is another common theme that's emerging. Organizations must make big decisions regarding which workloads can run in the public cloud, and what type of model they will implement: Will they provide a self-service marketplace, or will they control and not expose the source of the service delivery? How will they control the portfolio, and who will make decisions regarding services and service delivery?

Many of these conversations lead back to the need to think about the cloud service delivery model in a new way. On-demand capacity and scalability are still top drivers for private cloud adoption.

Automation is key

Taking all of these factors into consideration, I believe that enterprises won't be able to make progress in any of the five areas outlined above without these core capabilities:

  • Portfolio management
  • Demand management
  • Capacity management
  • Availability management
  • Release management
  • Asset and configuration management
  • Event management
  • Security management

The path to realizing all of these capabilities is automation. Automating more than traditional runbook, patching, and compliance policies is a mandatory step for this new generation of hybrid service delivery. Complete service lifecycle management should be the ultimate goal for IT as part of the new digital business.


Image credit: Flickr


The best information security conferences of 2017

Not all information security conferences are the same, so we've assembled a list of events that offer attendees high-quality content in a variety of venues and environments, with different areas of emphasis.

Some are very large, while others are more intimate. Some are loud and boisterous, while others are more formal, and toned down. Some focus on vendors and their latest products, and others focus on training and education. A few have a narrow scope, while others aim to be comprehensive.

To help you decide where to go, we've grouped these conferences into four categories:

  • Must-attend
  • Worth attending
  • Events with strong security tracks and content
  • Large, quasi-legendary conferences with a size and breadth that make them interesting to security enthusiasts

Why you should attend security conferences

Governments and businesses find themselves scrambling to stay up to date on the latest vulnerabilities, technologies, and defense and prevention strategies as cyber attacks become more common, stealthy, sophisticated, costly, and brazen.

Fortunately, all of the conferences below share a goal of making attendees better informed and more savvy about protecting their organizations against the cyber threats they face around the clock from malicious hackers, the myriad forms of ever-evolving malware, disgruntled insiders, and other IT security risks and dangers.

Must-attend security conferences

This year's must-attend list of security conferences is based primarily on the level of interest among attendees, year over year. Many of them are large conferences that attract widely known hackers and other experts, and conference organizers post special precautions about safeguarding your own personal data.

RSA Conference

Twitter: @rsaconference / #RSAC
Web: rsaconference.com/events/us17
Date: February 13-17, 2017
Location: Moscone Center, San Francisco, California
Cost: Ticket prices range from $100 for an early-bird expo pass to $2,695 for a full-conference pass bought on site.

One of the world’s largest security conferences, RSA celebrates its 26th anniversary in 2017. RSA became part of Dell Technologies in September, but the acquisition isn't expected to affect this year's conference or any future shows.

"Like many other exhibitors, I spent hours chatting with potential customers and technology partners," Tom Skeen, an IT, risk and security adviser with Safe-T Data, wrote about RSA 2016.

"Just about everyone had a common theme or two," Skeen noted. "What is the best way to protect information, at a reasonable cost and with the most operational supportability? This makes complete sense, given the continued challenges around advanced cybercrime and hyper-connectivity nowadays."

This is a very large event in terms of attendees, exhibitors, and sessions, which may signal robust growth in the IT security industry, and just how dangerous the threat landscape has become.

Attendees should do their pre-conference homework and sketch out a game plan, since this is a very large conference. In 2016 there were more than 40,000 attendees and about 700 speakers.

Who should attend: Security professionals.

BlackHat USA

Twitter: @BlackHatEvents / @ubm / BlackHat / #BHUSA
Web: blackhat.com
Date: July 22-27
Location: Mandalay Bay Hotel, Las Vegas, Nevada (Black Hat will also be held in London and Singapore in 2017.)
Cost: Starts at $495 for a business pass, which includes access to the business hall, sponsored workshops, sponsored sessions, and the Arsenal, and goes up to $2,795 for a "briefing ticket." Training sessions are priced separately and individually, as outlined in this list.

First held in 1997, Black Hat has become one of the world’s biggest tech conferences, and one that security professionals either must attend or must follow closely from afar. It’s the preferred venue for researchers, security experts, vendors, and ethical hackers to disclose their latest vulnerability findings, the most dramatic of which become general-interest news globally.

For example, the 2015 conference exposed security gaps in cars that could let cyber criminals remotely disable key functions in moving vehicles, such as brakes. In 2016, a "danger drone" was aired that could hack into devices while flying over them, as well as a technique for planting ransomware on smart thermostats.

Black Hat features training sessions, a big expo floor, and A-list presenters and keynote speakers, as at many major tech conferences. But unlike most others, Black Hat requires that attendees keep certain precautions, given that they’ll be surrounded by thousands of the world’s finest hackers, some of whom will be looking to play pranks, test their latest vulnerability discoveries in a real-world setting or, at worst, attempt criminal acts, such as stealing personal, governmental, or corporate data.

"I kind of like Black Hat better than the RSA Conference," wrote Enterprise Strategy Group senior principal analyst Jon Oltsik after last year's conference. "At Black Hat, you talk about the real challenges facing our industry and discuss intellectual ways to overcome them. At RSA, everyone throws buzzwords at you and tells you how they solve all your problems."

Attendees should be prepared for a large conference (more than 11,000 people attended in 2015) where exciting revelations about security vulnerabilities will be detailed.

Who should attend: Security analysts, risk managers, security architects/engineers, penetration testers, security software developers, cryptographers.

Gartner Security & Risk Management Summit

Twitter: @Gartner_Events / #GartnerSEC
Web: gartner.com/events/na/security
Date: June 12-15
Location: Gaylord National Resort & Convention Center, National Harbor, Maryland. (This conference will also be held in Tokyo in July, and in Mumbai, India in August.)
Cost: Early-bird price is $3,100 (April 14 deadline); standard price is $3,400; public-sector price is $2,900. Group discounts are offered.

After attending the 2016 summit, Arun Balakrishnan, then with Symantec, wrote: "The summit lived up to its promise to provide the proven practices and strategies that are needed to maintain cost-effective security and risk programs to support digital business and drive enterprise success. Its theme was to build the trust and resilience needed to seize opportunities, reduce risks and deploy new security models."

"It was a rallying cry," Balakrishnan continued, "not only for those attending the summit, but for all enterprises committed to protecting their operations without compromise."

The organizers of the conference say its agenda addresses the latest threats, flexible new security architectures, governance strategies, the chief information security officer role and more.

As with all Gartner conferences, Gartner analysts will feature prominently in keynotes, panels, roundtables, how-to workshops, and one-on-one meetings, but there will be end-user companies presenting case studies, and many opportunities to network with other attendees during breakfast, lunch, and receptions.

Tracks for 2017 will focus on the role of the chief information security officer (CISO), IT security, security architecture, business continuity management, risk management and compliance, and the security marketplace.

Several hot topics will be discussed, including cybersecurity; threat management and context-aware digital trust; enabling safer cloud computing; risks and opportunities of smart machines, artificial intelligence, the internet of things and operational technology; data security and risk governance; mobile security for digital business; protecting vital infrastructure; privacy and data security; informed risk governance; adaptive security architecture; people-centric security strategies; and agile strategies to secure digital business.

Who should attend: CISOs, CSOs, enterprise IT security pros and executives, CxOs, business continuity and disaster recovery managers, network security managers

CanSecWest

Twitter: @CanSecWest / #CanSecWest
Web: cansecwest.com
Date: March 15-17
Location: Sheraton Wall Centre in Vancouver, British Columbia
Cost: Access to the conference ranges from CAD $2,100 to $2,500, depending on when the ticket is bought. Dojo registration costs also depend on when you buy a ticket, but range from CAD $1,900 for one day to $7,400 for four days. Registration includes catered meals.

"The technical depth and breadth of the research presented in Vancouver this year yet again lived up to expectations," Pieter Ockers, a senior security program manager at Adobe, wrote after CanSecWest 2016. 

"Of the security conferences that Adobe sponsors throughout the year, CanSecWest consistently draws a critical mass from the security research community, with offensive, defensive, and vendor communities well-represented," Ockers continued.

"The exposure to bleeding-edge research presented by subject matter security experts, and the opportunity to forge new relationships with the security research community sets CanSecWest apart from the security conferences Adobe attends throughout the year," he added.

Organizers describe CanSecWest as "the world's most advanced conference focusing on applied digital security," and they take pride in attracting industry luminaries as speakers and in fostering a relaxed environment for collaboration and networking.

Now in its 17th year, the three-day, single-track conference features one-hour presentations delivered by experts in a lecture theater setting, with a focus on sharing best practices and real-world experiences, and detailing new vulnerabilities, attacks, and defenses. This year's presentations include Sandbox Escape with Generous Help from Security Software, Don't Trust Your Eye: Apple Graphics Is Compromised!, Bypassing Different Defense Schemes via Crash Resistant Probing of Address Space, and APT Reports and OPSEC Evolution: These Are Not the APT Reports You Are Looking For.

In addition to the presentations, CanSecWest features hands-on Dojo training courses from security instructors.

Who should attend: CISOs, CSOs, enterprise IT security pros and executives.

SANS 2016

Twitter: @sansinstitute / #SANS2017
Web: www.sans.org/event/sans-2017
Date: April 7-14
Location: Hyatt Regency, Orlando, Florida. Remote access also available.
Cost: Courses range from $1,520 to $6,610.

SANS Institute, founded in 1989, focuses on security research and providing intensive, immersive security training via a variety of conferences, smaller events, and courses that reach about 165,000 security professionals around the world.

Its big annual event, SANS 2017, doubles as a conference, with keynote speakers and networking opportunities. SANS pledges that what people learn in its courses and events can be applied immediately once they get back to their workplaces.

Highlights of this year's event include more than 40 hands-on cyber security courses, Core and DFIR NetWars Tournaments, and a keynote by SANS Senior Instructor Eric Conrad on "Quality not Quantity: Continuous Monitoring's Deadliest Events."

The company also holds other big events, including SANS Security West in May, and SANSFire in Washington, D.C. in July.

SANS also offers even smaller, shorter events, as well as online training.

Who should attend: IT security pros, CxOs, network and system administrators, security managers.

Def Con 25

Twitter: @defcon #DEFCON
Web: defcon.org
Date: July 27-30
Location: Caesar's Palace, Las Vegas, Nevada.
Cost: TBD, cash only at the door. (Last Year: $230).

If history is any indicator, the 25th edition of this hackfest-par-excellence will feature recent, scary-as-hell computer system compromises affecting not only PCs and mobile devices but multiple other products not usually associated with digital intruders. These include cars—last year's Car Hacking Village was bigger than ever—Bluetooth low energy locks, solar arrays, seismic sensors and supervisory control and data acquisition (SCADA) controllers.

Def Con starts as soon as its Black Hat cousin ends in Las Vegas, so they share many topics and audiences, but Black Hat’s atmosphere is more polished, corporate, and professional, while Def Con is a wilder, more festive affair.

"I love Def Con because it's different," Jeff Moss, the hacker and entrepreneur behind both BlackHat and Def Con, told the International Business Times last year. "It's got a sense of fun but it's really about individual discovery."

Attendees should take extreme precautions to avoid getting hacked, as they’ll be surrounded by thousands of hackers. Last year 22,000 attended this large, informal conference with a party atmosphere. They should also be prepared to be approached by government headhunters looking for hacker talent for intelligence and law enforcement agencies.

Who should attend: Software developers, security administrators, hackers, researchers, government and law enforcement officials.

AppSecUSA

Twitter:  @appsecusa / #appsecusa
Web: 2016.appsecusa.org (2017 website coming soon)
Date: September 19-22
Location: Orlando, Florida
Cost: Conference regular admission is $995, with a variety of discounts available, including $80 tickets for full-time university students.

Focused on application security, this conference goes deep into topics such as DevOps, privacy, mobile security, secure development, app assessments, and cloud security. Highly technical, it is organized by the Open Web Application Security Project (OWASP), a nonprofit organization with 200 chapters in 100 countries devoted to improving app security from a vendor-neutral perspective.

In a blog post, AppSecUSA said it is the largest conference solely dedicated to application security. Unlike similar conferences, which only offer speaker sessions, AppSecUSA also offers cutting-edge training conducted by leaders in the field, opportunities for women and those transitioning from military service to network and develop their careers, and significant discounts for students to learn about security careers.

Headline speakers at the 2016 conference featured novelist, activist, and journalist Cory Doctorow discussing the intersection of DRM and security research; Samy Kamkar, a researcher, hacktivist, and entrepreneur who discussed how he uses side channels, physics, and low-cost tools to mount powerful attacks against modern technology; and Casey Ellis, co-founder of Bugcrowd, who talked about best practices for implementing an effective bug bounty program.

Who should attend: Developers, auditors, risk managers, technologists, and entrepreneurs.

Worth attending

The conferences here have smaller attendance or target specific industries. All are either directly aimed at security practitioners or focus on technologies and concepts that relate to security.

HPE Protect 2016

Twitter: @HPE / @HPE_Security / #HPEProtect
Web: h41382.www4.hpe.com/hpe_protect/
Date: September 11-13
Location: Washington Marriott Wardman Park, Washington, D.C.
Cost: Not available.

HPE’s largest security event of the year, Protect is a technical conference attended by about 2,000 people and designed for, among others, security professionals, infrastructure managers, IT/data center operations staff, network managers, and service, support, and delivery managers.

Last year's conference included several enlightening discussions, such as Encryption Myths Debunked by Federal Agencies, AppSec and DevOps: An Opportunity or Obstacle?, and Security Hold the Key to Fearless Innovation.

Who should attend: Security pros, infrastructure managers, IT/data center operations, network managers, project and portfolio managers, service, support and delivery managers, digital security stakeholders.

DerbyCon

Twitter: @DerbyCon / #DerbyCon
Web: derbycon.com
Date: September 20-24
Location: Hyatt Regency Hotel, Louisville, Kentucky
Cost: Not available.

DerbyCon bills itself as a friendly, fun technology conference that welcomes not just experts, but also hobbyists and regular folk interested in security, so that they can learn, share ideas, and party together. It’s smaller than Black Hat or Def Con, but has a reputation for featuring quality presenters.

Who should attend: Security pros, penetration testers, application security specialists, threat intelligence analysts, system architects, researchers, system administrators, and students.

Usenix Security Symposium

Twitter: @USENIXSecurity / #USENIXSecurity
Web: usenix.org/conference/usenixsecurity17
Date: August 16-18
Location: Sheraton Vancouver Wall Centre Hotel, Vancouver, Canada.
Cost: Conference rates range from $915 (before July 25) to $1065 for non-members. Workshop rates range from $295 (before July 25) to $690. Discounts available for members and students.

This conference, celebrating its 26th year in 2017, is designed for researchers, practitioners, system administrators, system programmers, and others in similar roles who are interested in computer systems and network security. Over the three-day conference, speakers present papers, give talks, participate in panel discussions, display posters, and talk about works in progress. Co-located workshops precede the symposium.

Last year, researchers at this conference made headlines with a paper about keyless car theft.

Who should attend: Researchers, practitioners, system administrators, system programmers.

Annual Computer Security Applications Conference

Twitter: @ACSAC_Conf / #ACSAC
Web: acsac.org
Date: December 4-8
Location: San Juan, Puerto Rico
Cost: Not available

More details will be available in March.

First held in 1984, ACSAC focuses on applied security, and draws security professionals from academia, government, and industry. Its target audience is people developing practical solutions for network, system, and IT security problems. Proceedings include in-depth tutorials, workshops, case studies, panel discussions, and a technical track about peer-reviewed papers.

Who should attend: Researchers and a broad cross-section of security professionals drawn from industry, government, and academia.

38th IEEE Symposium on Security and Privacy

Twitter: @IEEESSP / #IEEESSP
Web: ieee-security.org/TC/SP2017
Date: May 22-24 - symposium; May 25 - privacy workshops.
Location: San Jose, California.
Cost: Not available.

The IEEE Symposium on Security and Privacy, first held in 1980, attracts both researchers and practitioners and describes itself as the “premier forum” to present developments in computer security and electronic privacy.

Workshops this year focus on privacy engineering; bio-inspired security, trust, assurance and resilience; language-theoretic security; mobile security technologies; technology and consumer protection; and traffic measurements for cybersecurity.

Who should attend: Researchers, security practitioners.

ThotCon

Twitter: @THOTCON / #THOTCON
Web: thotcon.org
Date: May 4-5.
Location: Chicago, Illinois. (The exact venue is disclosed only to registered attendees and speakers one week before the conference.)
Cost: $158.

Organizers describe this event as a low-cost “hacking conference” with a nonprofit and noncommercial goal and a limited budget. It’s been held annually in Chicago since 2010, born from its organizers’ desire to host an affordable security conference for hackers who live in and around the Windy City. Proceeds are used for the following year’s conference.

The content is high quality, and the atmosphere is relaxed and social, leading to valuable ad-hoc hallway exchanges, according to a 2015 attendee from Cisco. A local TV channel reported that about 1,000 people attended last year, and most were white-hat hackers. A presentation at the 2014 event about vulnerabilities in hospital medical equipment drew media attention.

Who should attend: Hackers, especially those from the Chicago area.

Hack In The Box Security Conference

Twitter: @HITBSecConf / #HITBSecConf
Web: conference.hitb.org/hitbsecconf2017ams
Date: April 10-14.
Location: Amsterdam, Netherlands.
Cost: Training tickets range from €1,999 to €2,999, while conference tickets range from €299 to €1,499.

HITBSecConf, or the Hack In The Box Security Conference, held annually in Amsterdam and now in its seventh year, targets security researchers and professionals globally, and focuses on "next-generation" computer security issues. The event typically consists of two or three days of training, followed by two days of multitrack conference sessions. It includes a competition, technology exhibit, and "hackerspaces" for hackers, makers, and breakers.

"Those who routinely attend HITBSecConf value the event for the opportunities to network with other professionals, meet with leading security experts, and stay at the forefront of the computer security industry," noted information security firm Tripwire, which placed the Dutch conference in its Top 11 Information Security Conferences of 2016.

Who should attend: Security pros.

InfoSecurity Europe

Twitter: @Infosecurity / #Infosec17
Web: infosecurityeurope.com
Date: June 6-8.
Location: London, UK.
Cost: Not available

Organizers claim that this is Europe's “biggest and most-attended” information security industry event. They say that in 2016, 17,972 information security professionals, service providers, vendors, and thought-leaders networked, engaged and conducted business at the event. It boasts more than 160 hours of free education sessions and a big expo floor.

Who should attend: Security pros, executives, and managers.

Hack.lu

Twitter: @hack_lu / #hacklu
Web: 2016.hack.lu
Date: October 16-19.
Location: Luxembourg.
Cost: Not available.

Organizers claim that Hack.lu is one of the oldest and largest IT conferences in Europe. Here attendees discuss computer security, privacy, information technology, and its cultural/technical implication on society.

The 2016 presentations, workshops and lightning talks can be viewed as video or text.

Who should attend: Security pros.

ICS Cyber Security Conference

Twitter: #ICS
Web: icscybersecurityconference.com/singapore
Date: April 24-27.
Location: Singapore
Cost: Registrations range from SD$995 (before Feb. 1) to SD$1,095 (before March 1) to SD$1,695.

Organizers claim that this is the longest-running cybersecurity-focused conference for the industrial control systems sector. Its target audience consists of the energy, utility, chemical, transportation, manufacturing, and other industrial and critical infrastructure organizations. Most attendees are control systems users, working as control engineers, in operations management, or in IT.

Industrial control systems security topics addressed include protection for SCADA systems, plant control systems, engineering workstations, substation equipment, programmable logic controllers (PLCs), and other field control system devices.

Who should attend: Operations, control systems, and IT security professionals.

ASIS 2017

Twitter: @ASIS_Intl / #asis17
Web: securityexpo.asisonline.org
Date: September 25-28.
Location: Dallas, Texas.
Cost: Not available.

Organized by ASIS International, an industry organization of security management professionals founded in 1955, this conference covers the full spectrum of security topics, technologies, and issues, including data and infrastructure protection, loss prevention, cybersecurity, employee safety, counterterrorism, and facilities security.

In 2016, the conference attracted 22,000 security professionals from 109 countries. It featured keynotes by U.S. Homeland Security Secretary Jeh C. Johnson and FBI Director James B. Comey. Conference themes included the rise of lone wolf attacks, the risk of a cyberattack on critical infrastructure, and the need for greater public-private sector collaboration.

Who should attend: Security pros.

InfoSec Southwest 2017

Twitter: @InfoSecConf / #ISSW
Web: infosecsouthwest.com
Date: April 7-9.
Location: Austin Convention Center in Austin, Texas.
Cost: Tickets for the conference range from $100 to $160, depending on when you buy your tickets. Student tickets are $60 and military $80. Training sessions are extra.

InfoSec Southwest, held annually in Austin, was created with the local hacker community in mind, so part of its mission is to bring together security pros and hackers who live in and around the city of Austin. Organizers say the scope of topics covered is broad, and includes deep technical dives into cutting-edge research and the social and legal implications of hacker culture.

Who should attend: Hackers and security pros, especially from the Austin area.

InfowarCon

Twitter: @InfowarCon / #InfowarCon
Web: infowarcon.com
Date: April 24-26.
Location: Nashville, Tennessee.
Cost: $300, but in order to be invited, attendees must submit a few paragraphs explaining what value they would bring to the conference, because organizers want active participants. “No wallflowers allowed,” reads the registration page.

As its name implies, this conference focuses on cyber and information technology warfare topics, and on how the "weaponization" of technology affects national security, the global balance of power, private-sector intellectual property, and the well-being of individuals.

First held in 1994, InfowarCon has run in the United States and Europe, and its goal is to bring together attendees from the military, law enforcement, emergency management, intelligence, government, academia, and the private sector. Main topics at InfowarCon include cyberterrorism, infowar, policy, and homeland defense.

Who should attend: Government, law enforcement, academia, corporations, product vendors, and individuals interested in cybersecurity.

Network and Distributed System Security Symposium

Twitter: @internetsociety / #ndss17
Web: internetsociety.org/events/ndss-symposium/ndss-symposium-2017
Date: February 25-March 1.
Location: Catamaran Resort Hotel & Spa in San Diego, California.
Cost: Workshop fees range from $305 (by Feb. 3) to $370 ($220-$260 for students); Symposium fees range from $810 (by Feb. 3) to $1,075 ($455-$555 for students).

The Network and Distributed System Security Symposium caters to researchers and practitioners of network and distributed system security, with an emphasis on system design and implementation.

Who should attend: University researchers and educators, chief technology and privacy officers, security analysts, system administrators, and operations and security managers.

REcon 2016

Twitter: @reconmtl / #reconmtl
Web: recon.cx
Date: Conference, June 16-18; training, June 12-15.
Location: Hyatt Regency Montreal in Montreal, Quebec.
Cost: Available when CFP launches.

REcon is a computer security conference with a focus on reverse engineering and advanced exploitation techniques. It is held annually in Montreal.

Videos of the 2016 sessions are available at the Recon website.

Who should attend: Security pros.

ACM Conference on Computer and Communications Security

Twitter: @TheOfficialACM
Web:  www.sigsac.org/ccs/CCS2017
Date: October 30-November 3.
Location: Dallas, Texas.
Cost: Not available.

The primarily research-focused ACM Conference on Computer and Communications Security (CCS) is the flagship annual conference of the Special Interest Group on Security, Audit and Control (SIGSAC) of the Association for Computing Machinery (ACM).

Who should attend: Information security researchers, practitioners, developers, and users.

International Cryptographic Module Conference

Twitter: @CryptoModConf
Web: icmconference.org
Date: May 16-19
Location: Westin Arlington Gateway, Washington, D.C.
Cost: Tickets range from $300 (by April 4) to $1,370.

This year's conference agenda includes efforts to audit, improve, and certify the security of the leading operating system crypto projects; CM products, certifications, and vulnerabilities for organizations that rely on crypto security; application of embedded encryption in specific industry verticals; the quantum computing threat and efforts to transition to quantum-safe algorithms; and balancing privacy rights and government access to encrypted communications.

The conference is aimed at those interested in developing, specifying, and procuring certified commercial off-the-shelf cryptographic modules; manufacturers of cryptographic modules compliant with FIPS 140-2 or ISO/IEC 19790 around the world; laboratories and government departments responsible for testing cryptographic modules against FIPS 140-2 or ISO/IEC 19790; key players and stakeholders in standards development; members of the academic community; embedded systems OEMs; and the side channel research community.

Who should attend: Those interested in commercial cryptography.

Hacker Halted

Twitter: @HackerHalted / #hackerhalted
Web: www.hackerhalted.com
Date: October 9-10.
Location: Atlanta, Georgia.
Cost: Conference, $199; ethical hacking courses, $2,999.

Organizers describe Hacker Halted as a global series of computer and information security conferences with the goal of raising international awareness regarding education and ethics in IT security. The theme for Hacker Halted in 2016 was the Cyber Butterfly Effect: When Small Mistakes Lead to Big Disasters.

Who should attend: Security pros.

BSides

Date: Multiple dates.
Location: Multiple locations.
Web: securitybsides.com/w/page/12194156/FrontPage
Cost: Free to $25.

Almost every week, there's a BSides conference taking place somewhere in the world. BSides describes itself as "a community-driven framework for building events for and by information security community members. The goal is to expand the spectrum of conversation beyond the traditional confines of space and time. It creates opportunities for individuals to both present and participate in an intimate atmosphere that encourages collaboration. It is an intense event, with discussions, demos, and interaction from participants. It is where conversations for the next-big-thing are happening."

"The best security conferences have two key elements: talks that inspire and challenge current thinking, as well as opportunities to connect with and learn from others," says Tripwire director of corporate communications Cindy Valladares. "Several of the BSides events that I've attended in the past have both of these elements."

Who should attend: Security pros and hackers.

Cross-discipline conferences

Conferences in this category are targeted at specific industries or technologies. Although you won’t see “security” in the conference titles here, these gatherings will hold interest for many security specialists and professionals.

JavaOne

Twitter: @JavaOneConf / #JavaOne
Web: oracle.com/javaone
Date: October 1-5.
Location: San Francisco, California.
Cost: Not available.

First held in 1996 by Sun Microsystems, JavaOne is billed as the largest conference for Java developers. At the 2015 conference in San Francisco, Oracle, which now sponsors this event, marked the 20th anniversary of Java’s creation, saying its popularity continues to grow. After all, it’s in use by about 10 million developers worldwide. The company pledged to continue developing Java, promising major improvements and innovations in Java 9 and beyond.

The conference consistently features important speakers from the Java world. The top 12 sessions from last year's conference have been posted online.

Who should attend: Java developers.

Fluent

Twitter: @fluentconf / @OReillyMedia / #FluentConf
Web: conferences.oreilly.com/fluent/javascript-html-us
Date: Training, June 19-20; Conference, June 20-22.
Location: San Jose, California.
Cost: Not Available.

Keynotes and additional material from last year's conference are available online.

Fluent aims to cover the "full scope of the Web platform," according to its organizers. Now in its fourth year, the conference focuses on practical training in JavaScript, HTML5, CSS, and associated technologies and frameworks, including WebGL, CSS3, mobile APIs, Node.js, AngularJS, and ECMAScript 6.

Because the conference was designed to attract people from across the web stack, Fluent has been described as a great way to get up to date with new techniques and ideas.

Who should attend: Web designers and developers, including mobile and web infrastructure teams, JavaScript developers, architects, UI/UX designers, and systems developers.

Microsoft Ignite

Twitter: @MS_Ignite / #MSIgnite
Web: ignite.microsoft.com
Date: September 25-29.
Location: Orlando, Florida.
Cost: Not Available.

Videos of last year's keynotes and sessions are available at the Ignite home page.

Microsoft created Ignite in 2014 to consolidate several smaller conferences into a big one: the Microsoft Management Summit, Microsoft Exchange Conference, SharePoint Conference, Lync Conference, Project Conference, and TechEd. It covers architecture, deployment, implementation and migration, development, operations and management, security, access management and compliance, and usage and adoption. It's organized by Microsoft and focuses on the company and its products, but the conference also draws more than 100 vendors that participate in the expo and as session speakers.

Agile Dev West and East

Twitter: @TechWell #BetterSoftwareCon
Cost: Ticket prices (for both East and West) range from $595 for the Agile Leadership Summit (before April 8) to $3,995 for five full days at the conference and three days of training.

Agile Dev West
Web: adcwest.techwell.com
Date: June 4-9.
Location: Las Vegas, Nevada.

Agile Dev East
Web: adceast.techwell.com
Date: November 5-10.
Location: Orlando, Florida.

The Agile Dev conferences focus on the latest agile methods, tools, and principles of interest to both new and experienced agile practitioners. These conferences are held in conjunction with Better Software Conferences and DevOps Conferences, giving attendees three programs to choose from.

Agile Testing Days

Twitter: @AgileTD / #agiletd
Web: agiletestingdays.com
Date: November 13-17.
Location: Potsdam/Berlin, Germany.
Cost: Not Available.

Agile Testing Days USA

Twitter: @Agile_USA / #ATD_USA
Web: https://agiletestingdays.us/
Date: Tutorials, June 19; conference, June 20-21.
Location: Boston, Massachusetts.
Cost: Tutorials, $799 each; conference, $1,798 (two days), $899 (one day).

Considered one of Europe’s main software testing events, Agile Testing Days will this year jump the pond and hold a New World version of itself in Boston for North, Central, and South American software testers with an agile mindset. In the past, the German version of the conference has offered a mix of fun interludes and serious sessions that make the experience both enjoyable and worthwhile. The conference also features opportunities to learn by doing via DIY experiments and strives to offer a warm, collegial, friendly, and fun atmosphere.

Who should attend: Security pros, developers.

STAR Software Testing Conferences

Twitter: @TechWell
Web: techwell.com/software-conferences/star-software-testing-conferences
Dates and locations: 

Star East: May 7-12, Rosen Centre Hotel, Orlando, Florida.

Star West: October 1-6, Disneyland Hotel, Anaheim, California.

Star Canada: October 15-20, Hyatt Regency, Toronto, Ontario.

Cost: Star East prices range from $595 (before March 11) for the testing and quality leadership summit to $4,245 for three days of training, the ISTQB certification exam, and five conference days. Star West has similar pricing, but top-tier pricing is $3,295 and includes two tutorial days and five conference days. Star Canada pricing ranges from $795 (before August 19) for one tutorial day to $3,995 for three days of training and five conference days.

These conferences, organized by TechWell, are designed specifically for testing and QA pros. Conferences touch on topics ranging from test management and leadership, software testing techniques, and mobile app testing to test automation, certifications, QA methodologies, tools, agile testing, performance testing, exploratory testing, QA careers, and more.

Writing recently on TechBeacon, Gerie Owen, a test architect, called the Star conferences “among the most prestigious QA and testing conferences in North America,” and “suitable for junior-level testers as well as seasoned test professionals and test managers.”

According to the TechWell website, these are “the premier conferences for software testing and quality assurance professionals. Come away from a STAR conference ready to put your knowledge to work immediately. Our comprehensive program includes short sessions, half- and full-day tutorials, multi-day in-depth training, and a Leadership Summit.”

Who should attend: Security pros.

Gartner Catalyst Conference

Twitter: @Gartner_Events / #GartnerCAT
Web: gartner.com/events/na/catalyst
Date: August 21-24.
Location: Manchester Grand Hyatt San Diego, San Diego, California.
Cost: Standard conference price is $3,400 ($3,100 before June 24); public-sector price: $2,900.

Featuring more than 50 Gartner analysts, Catalyst promises a “deep dive” into the digital enterprise’s architectural requirements, touching on areas such as mobility strategy and execution, cloud architecture, data analytics, enterprise-scale security and identity, software-defined data centers (SDDC), DevOps, and digital productivity via mobile and cloud.

Gartner describes Catalyst as "technically focused and committed to pragmatic, how-to content" so that attendees go back to their places of work "with a blueprint for project planning and execution."

Who should attend: Security pros.

Other conferences

Here are a few other conferences that you should know about as you plan your 2017 travel calendar. If you’re planning your conference travel and budget around security shows, you might want to save a little room on your plate for one or more of these events.

SXSW (South By Southwest)

Twitter: @sxsw / #SXSW2017
Web: http://www.sxsw.com/schedule
Date: March 10-19.
Location: Austin, Texas.
Cost: Prices range from $495 to $1,550.

While music and film are key elements of SXSW, the event also has a strong technology component, with topics this year including startups, wearables, healthcare IT, virtual reality, IoT, smart cities, digital media, online marketing, software design and development, open source, mobile design, and user experience.

TechCrunch Disrupt

Twitter: @TechCrunch / #tcdisrupt
Web: techcrunch.com/event-info/disrupt-ny-2017/
Dates and locations:

Disrupt NY: May 15-17, New York, New York.

Disrupt SF: September 18-20, San Francisco, California.

Cost: Extra early-bird ticket for full, three-day access is $1,995. Other packages for exhibitors and individuals available.

Disrupt is the conference for anyone involved with or interested in startups, entrepreneurs, venture capital, and emerging technologies. It features hackathons, provocative panel discussions, and A-list speakers. Many established companies have used Disrupt as a springboard.

Gartner’s Symposium/ITxpo

Twitter: @Gartner_SYM / #ITxpo #GartnerSYM
Web: http://www.gartner.com/events/na/orlando-symposium
Date: October 30-November 2.
Location: Gold Coast, Australia.
Cost: Standard conference price is A$4,350. Public-sector price is A$3,575. Group discounts are available.

The mother of all Gartner conferences, the Symposium/ITxpo is aimed at CIOs and technology executives, addressing topics such as mobility, cybersecurity, cloud computing, application architecture, application development, IoT, and digital business from an enterprise IT perspective.

E3 Expo

Twitter: @E3 / #E32017
Web: https://www.e3expo.com/
Date: June 13-15.
Location: Los Angeles, California.
Cost: Not available.

Highlights of the 2016 conference are available online.

A massive gaming show covering mobile, video, and computer games and related products, E3 addresses topics of interest to software developers, buyers and retailers, distributors, entertainment industry executives, venture capitalists, manufacturers, and resellers.

Interop Las Vegas

Twitter: @interop #Interop
Web: interop.com/lasvegas/
Date: May 15-19.
Location: Las Vegas, Nevada.
Cost: Ranges from $249 (before April 1) to $3,299.

A venerable tech conference, Interop delves into topics like applications, cloud computing, collaboration, networking, IT leadership, security, software-defined networking, storage, virtualization and data center architecture, and mobility.

Did we miss any conferences or events?

We've done our best to compile this comprehensive list of the top information security conferences to attend in 2017, but nobody's perfect. This is a list in progress.

Please let us know in the comments below if there are other events or conferences you think we should add.

Image credit: Flickr

How ChatOps can help you avoid a DevOps disaster

The scenario unfolds quickly. The production dashboard, displayed on a monitor in full view of the team, takes on a reddish hue. Graphs are flat-lining, and response times are through the roof. Team members’ smartphones start to buzz with WhatsApp, SMS, and email alerts.

It gets worse: Angry and frustrated customers start updating Twitter and Facebook with posts indicating that your site is down.

It doesn't have to be this way. DevOps not only changes how you develop and deliver software, it’s also changing the way you operate it. Of course, nobody’s perfect, and DevOps teams deliver their share of buggy changes to production. However, well-organized DevOps teams are able to identify and fix problems quickly, often within hours.

DevOps Mindset More Important Than Formality

What happens, for example, when a DevOps team encounters their worst fear of an application or site going down? Here's how and why communication with ChatOps, including automated communication with chatbots, is the key to a quick remediation.

Wake up teams before the nightmare begins

No one wants their customers to be the ones who alert them that the site is down, which is why, in the DevOps world, the deployment pipeline and production systems are constantly monitored to ensure that they are working as expected. As soon as problems are detected, the whole team, including developers, is updated through automated alerts to ensure that the right people know that something has gone wrong.

Today, most DevOps teams embrace collaborative messaging platforms, such as Slack, to communicate with each other. And more and more teams are adopting ChatOps by introducing bots into their chatrooms. With ChatOps, the bots provide an interface to systems such as service desks, lifecycle management systems, and production monitoring systems to connect people directly to the continuous delivery pipeline. They allow for two-way communication: bringing information from those systems into the chatroom, and executing instructions, such as logging a defect. Because those bots act on real systems, treat their credentials and permissions like any other privileged automation: limit each bot to the commands the team actually needs, and make sure the chat history records who asked the bot to do what.

Proactive chatbots go one step further. When a production monitor detects a failure, the bot can automatically create a new chatroom dedicated to the problem and pre-populate it with information about it. The bot then invites the relevant team members to the chatroom, where they immediately see a description of the problem, the most recent changes that were deployed to production, and who was involved in them.

Understand the impact of a problem

In a traditional environment, the operations team will do an initial investigation to understand the scope of the problem. For example:

  • Is only one user, or just a few users, experiencing problems?
  • Maybe this isn’t a problem at all. Has downtime been scheduled?
  • Let's get the ops team to gather logs and see what errors appear.

Both DevOps and traditional environments typically employ continuous monitoring to detect problems as soon as possible. In a DevOps scenario, each change can only reach production through the deployment pipeline, which makes it very easy to know what changes were deployed to production shortly before the problem appeared, and who was involved in each of them.

If the team uses chatbots, they can have that information as soon as they go into the chatroom. There’s a chance that one team member knows exactly what the problem could be, and could apply an immediate fix. As long as they deliver the fix via the pipeline and aren’t tempted to manually tweak a production setting "just this once," that fix could be the end of the problem.
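The correlation a proactive bot performs when it opens an incident room, as an added example that is not code from the article or from any particular ChatOps product: given a monitoring alert and the deployment records the pipeline keeps, it picks out the deploys to the affected service within a lookback window before the alert, most recent first, lists the people involved, and names the room. The alert, the deploy records, the 24-hour window and the command allowlist are all assumptions made up for this example; the allowlist is the safeguard a practitioner wants in front of a bot that executes instructions typed into chat. Requires Java 16 or later (records).

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Comparator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

public class IncidentBot {

    /** A production deployment as recorded by the pipeline (constructed data for this example). */
    record Deploy(Instant at, String service, String commit, String author, String pipelineRun) {}

    /** The alert raised by production monitoring (constructed data for this example). */
    record Alert(Instant at, String service, String description) {}

    /** What the bot posts into the freshly created incident room. */
    record Brief(String room, String description, List<Deploy> recentDeploys, Set<String> people) {}

    /** Commands the bot may run on behalf of a chat user (hypothetical names). Anything else is refused. */
    static final Set<String> ALLOWED_COMMANDS = Set.of("log-defect", "show-logs", "list-deploys");

    /** Correlates the alert with deploys to the same service inside the lookback window before it. */
    static Brief buildBrief(Alert alert, List<Deploy> deploys, Duration lookback) {
        Instant windowStart = alert.at().minus(lookback);
        List<Deploy> recent = deploys.stream()
            .filter(d -> d.service().equals(alert.service()))
            .filter(d -> !d.at().isBefore(windowStart) && !d.at().isAfter(alert.at()))
            .sorted(Comparator.comparing(Deploy::at, Comparator.reverseOrder()))
            .collect(Collectors.toList());
        // Distinct authors, in the order their deploys appear (most recent first)
        Set<String> people = recent.stream()
            .map(Deploy::author)
            .collect(Collectors.toCollection(LinkedHashSet::new));
        String room = "inc-" + alert.service() + "-" + alert.at().getEpochSecond();
        return new Brief(room, alert.description(), recent, people);
    }

    /** Returns what the bot will do with a chat command; refusals are logged with the requester's name. */
    static String handleCommand(String user, String command) {
        if (!ALLOWED_COMMANDS.contains(command)) {
            return "refused: '" + command + "' is not an allowed bot command (asked by " + user + ")";
        }
        return "executing '" + command + "' for " + user;   // audit trail: who asked for what
    }

    public static void main(String[] args) {
        Instant t0 = Instant.parse("2017-03-01T10:00:00Z");
        // Constructed deploy history: two services, one deploy older than the window
        List<Deploy> deploys = List.of(
            new Deploy(t0.minus(Duration.ofHours(30)),   "checkout", "a1b2c3d", "alice", "run-118"),
            new Deploy(t0.minus(Duration.ofHours(3)),    "checkout", "e4f5a6b", "bob",   "run-121"),
            new Deploy(t0.minus(Duration.ofMinutes(20)), "checkout", "c7d8e9f", "alice", "run-122"),
            new Deploy(t0.minus(Duration.ofMinutes(5)),  "search",   "0a1b2c3", "carol", "run-123"));
        Alert alert = new Alert(t0, "checkout", "p95 latency above 5s, error rate 30%");

        Brief brief = buildBrief(alert, deploys, Duration.ofHours(24));
        // run-122 (alice) and run-121 (bob) are listed; run-118 is outside the window, run-123 is another service
        System.out.println(brief);
        System.out.println(handleCommand("bob", "log-defect"));
        System.out.println(handleCommand("bob", "restart-prod"));
    }
}
```

The brief deliberately carries the pipeline run identifiers, not just commit hashes, so that anyone in the room can go straight to the build that produced the change and the tests it ran.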

Reassure your users

As soon as possible, make sure that you alert your users that you’re aware of the issue, and that you’re working to fix it. Users appreciate being updated and knowing that you’re not ignoring them.

You can update your site’s front page with a notice, or communicate via official channels or social media.

Come up with some hypotheses 

If it’s not a simple issue that can be fixed on the spot, think about possible causes:

  • It could be a bug in the application’s code.
  • It could be a change in configuration.
  • It could be a change in infrastructure, such as upgrade of a critical component or dependency.
  • It could be a security breach.
  • It could be a Distributed Denial of Service (DDoS) attack.
  • An external service might have gone down.
  • A license might have expired.
  • The mice have chewed through the network cables. Again.

Because, in a DevOps environment, the developers and the operations staff are working closely with each other, it’s easy for them to bounce ideas off one another. They can drill down into their systems to get more information by querying chatbots in their communications channels. Everyone on the team sees the same information and has all the context they need to understand it.

As the team continues to investigate, they will share their findings with the rest of the team. But why, you might ask, can't you do this with simple email? Here's the problem: Email tends to encourage additional threads and side-discussions, resulting in everyone having a small part of the discussion, but no one having the whole picture. When it’s done through a chatroom, everyone has access to the discussion, and they can guide each other towards the solution. And the activities that used to happen behind each participant’s screen become visible to the whole team as they work to fix the problem.

Now...fix the problem

Once the cause of the problem has been found, it can be fixed. There is always the temptation to apply the fix immediately in the production system, but don’t do that. That approach violates the DevOps principle that any change to production is only allowed to get there via the deployment pipeline. This ensures that we have a record of the change, who was involved, what tests were run, and why it was introduced.

And don’t forget to inform your users

Once you’re confident that the fix has been applied, don’t forget to let your users know that you’re back in business. Be sure to thank them for bearing with you while you investigated and resolved the issue. Consider telling them what the problem was, why it happened, and how you fixed it.

Users appreciate transparency, and communication from you helps restore confidence after a downtime event. Make sure that you update all the channels used when the problem first appeared; this will maximize the reassurance you're providing to your users.

It’s all about communication

Olivier Jacques, Distinguished Technologist and DevOps strategist at Hewlett Packard Enterprise IT, notes that ChatOps is revolutionizing the way DevOps team members communicate with each other, by focusing their attention on the problem and reducing the overhead associated with email or misused ticketing systems.

DevOps doesn’t make us immune to production problems, but by having teams and bots working together, the team has more visibility into the systems involved, and can quickly get the information they need, and the context that goes with it, to solve the problem quickly and efficiently. ChatOps can be a very easy way to get Dev and Ops to work together, without a re-org.


8 ways to integrate UX at the speed of DevOps

User experience (UX)—the discipline devoted to designing and delivering enhanced digital experiences—is more important than ever. As technology products have become more commoditized, UX has become a competitive differentiator. IT leaders need to make sure design is front and center. The cultural shift toward agile and DevOps practices affords a great opportunity, but not if UX is left out of the loop: UX professionals are the voice of the user.

The practice is focused on more than the interface between user and system or establishing where to place the icon or button. Today, the value of the product is measured in the experience delivered and not just the functionality. To provide a good experience, the entire UX strategy should be defined with a clear understanding of the end goal we want to achieve.

DevOps and agile development provide many opportunities to improve the UX design process. Both approaches aim at delivering a better product and providing value faster to the end user. And though they provide many opportunities for the practice of UX, these increasingly popular approaches to system development also demand new approaches to UX.


Here's the why and how of integrating UX into our DevOps and agile workflows.

How DevOps bolsters UX

One of the biggest challenges the UX professional faces is that time-proven techniques are no longer viable. Traditionally, UX professionals spent weeks or more defining and designing all aspects of the features, often in isolation. They then delivered their well-designed specs to the development team.

Inevitably, however, some of the design could not be implemented for various reasons, such as technical issues or deadline pressures. At that point, either the UX professionals would rework the design, or the development team would make adjustments to the system without UX input.

With a waterfall approach, a year or more could pass between the design of a new piece of software and its use. Regardless of how good the initial design is, things change over the course of a year, and the design may not be relevant by the time it reaches the end user.

Today's fast iterations provide great value to UX practitioners in terms of their ability to tailor the design to the end user.

DevOps is about delivering functionality in small batches and more interaction between the various teams that put together and manage a product. Small batches allow UX designers to quickly integrate user feedback and get it back to the end user's hands. Ongoing involvement with development teams results in fewer surprises—and a final user experience that better matches customer needs and includes fewer user experience sacrifices. UX professionals also get a better understanding of technical limitations, and application developers can be more involved in UX brainstorming.

UX no longer works in an isolated environment and has to constantly react to demands and changes brought up by customers and the R&D organization. Designers have to decide quickly—while still making sure everything is aligned with the strategy they defined beforehand.

Integrating UX into DevOps

While DevOps clearly benefits UX practices, it also requires UX professionals to change the way they work. In the past, we had more time for design and planning of the entire system concept. Rather than spending weeks on research and development and throwing the design over the wall, UX professionals in a DevOps environment must do more of their work concurrently with application development. This places more pressure on them to deliver quickly and gives them less time to flesh out their ideas.

The stronger UX professionals are able to quickly set core UX guidelines and update them as they progress to reach a better result than if they had planned everything beforehand. Rather than working mainly with the product owner, UX practitioners must work more closely with the developers, QA testers, and other IT and business professionals on the team. That requires the ability to communicate the benefits and importance of UX in terms that non-UX professionals can comprehend. It also makes the UX team an important hub in the development process.

8 best practices for UX

Here are eight steps IT organizations can take to make sure UX is an integral and effective component of DevOps and agile development teams.

  1. Get management buy-in. Incorporating UX into new development approaches requires cultural and process changes. Such transformation is most effective when driven from the top.
  2. Start UX planning early. UX should provide guidelines at least a sprint ahead of the development effort.
  3. It's all about collaboration. UX, product, engineering, and IT should be on the same page. Align agendas, which includes involving the development team in design. Ask them what they think. Let them be part of the decision-making. They have a lot of good input. And the moment they feel they have a say in UX they become more engaged.
  4. Drive smart prioritization. UX should insist on delaying new features until current ones are fixed—particularly in the early phases when the pressure to go fast is the greatest.
  5. Designers need visibility into the product backlog. Visibility allows designers to ensure that UX items aren't overlooked.
  6. Make sure UX participates at every stage. From definition and design to delivery, whether for the MVP (minimum viable product) or for new functionality, UX should take part in making sure the deliverable is acceptable and usable.
  7. Stick to basic UX design, but remain agile. Even in short cycles the UX professional must continually conduct research and lay out core, basic strategies.
  8. Incorporate feedback quickly. DevOps increases the ability to push the latest versions to end users to get feedback. UX needs to validate all the time, get the right feedback, and make sure corrections are implemented.

UX practitioners are an important component of these teams, right alongside development, QA, product, operations, and business professionals. The benefits of integrating UX into the processes far outweigh the challenges: UX can serve the increasingly important role of voice of the user throughout development, making sure the team maintains focus on the value the system delivers to the customer.


Efficient API testing: How to get started with REST Assured

In a previous post on TechBeacon, I explained why writing automated tests at the API level offers the best of two worlds: 1) It gives you increased stability and speed of test execution compared to end-to-end tests driven through the user interface, and 2) it gives you increased scope and integration coverage compared with unit tests.

There is a wide range of tools available on the market that help you create automated API tests. These tools fall roughly into one of three categories: open source, commercial, and custom-built.

In this post, let's take a deeper dive into API-level test automation to show you how to realize this within your own projects.  My tool of choice for this post: REST Assured, an open source Java-based Domain-Specific Language (DSL) that allows you to write powerful, readable, and maintainable automated tests for your RESTful APIs. (REST Assured does not handle SOAP-based APIs.)


The benefits of REST Assured

There are three main aspects of REST Assured that make it a powerful library for API testing:

  • It removes the need for writing a lot of boilerplate code required to set up an HTTP connection, send a request and receive and parse a response
  • It supports a Given/When/Then test notation, which instantly makes your tests human readable
  • Since REST Assured is a Java library, integrating it into a continuous integration / continuous delivery setup is a breeze, especially when combined with a Java testing framework such as JUnit or TestNG

To illustrate the benefits of REST Assured, let's look at a simple REST Assured test. This test invokes a GET call to an API that, based on a zip code and a country code, provides some data on the location corresponding to that zip code. So, an example of the behavior of this API would look like this:

  • Given a specific country (in this case the United States) and zip code (in this case 90210)
  • When we perform a GET call to the RESTful API
  • Then the response returned indicates that the 90210 zip code corresponds to Beverly Hills

Translated to a REST Assured test, this looks as follows:

// Imports used by all the REST Assured examples in this post (TestNG is the test framework here)
import static io.restassured.RestAssured.given;
import static org.hamcrest.Matchers.equalTo;
import org.testng.annotations.Test;

@Test
public void checkCityForZipCode() {

  given().
    pathParam("country","us").
    pathParam("zipcode","90210").
  when().
    get("http://api.zippopotam.us/{country}/{zipcode}").
  then().
    assertThat().
    body("places.'place name'[0]",equalTo("Beverly Hills"));
}

Note how the given, when, and then parts of the specification are directly translated to an executable REST Assured test. If you want an explanation for how exactly to deal with path and query parameters, and how to extract specific elements from a JSON or XML response as returned by an API, you should refer to the REST Assured usage guide.

Also note the expressive power of REST Assured: the complete test (setup, execution, and assertion) is written as a single chained statement.

Other REST Assured test writing features

REST Assured offers a number of other useful features for writing tests for RESTful APIs. Let's take a look at some of them.

Technical response data validation

In the example above, I verified that a particular element in the response body (the city name) was equal to a predefined expected value ('Beverly Hills'). Checking that an API works as intended, however, does not end with checking response contents. For the application or component receiving the response, it is also of vital importance that the response is technically sound: that it has the right status code, carries the required header values, and is formatted correctly.

These criteria can be checked using REST Assured. For example, if you want to check that the response for the previously executed API call has a status code of 200 (indicating that all is OK) and that the response header indicates that the body is to be interpreted as JSON, you can do as follows:

// ContentType provides the constants used for content-type assertions
import io.restassured.http.ContentType;

@Test
public void checkHeaderData() {

  given().
    pathParam("country","us").
    pathParam("zipcode","90210").
  when().
    get("http://api.zippopotam.us/{country}/{zipcode}").
  then().
    assertThat().
    statusCode(200).
  and().
    contentType(ContentType.JSON);
}

As you can see, with REST Assured, verifying technical response data is just as straightforward as checking response body contents.

Data-driven testing

Another feature of REST Assured that makes your API testing more powerful is the ability to create data-driven tests. Let's say you want to extend the zip code test created earlier with a second test case: you also want to check that zip code 12345 is associated with the city of Schenectady, New York. However, instead of simply copying the entire test and replacing the relevant parts, you would like to feed a single test with two different data records (a concept known as data-driven testing), because this reduces any potential maintenance efforts, while also making it easy to add even more tests.

To achieve this, you first need to create a test data set. In this example, I am going to use the DataProvider object that is offered by TestNG to do this:

import org.testng.annotations.DataProvider;

// Each row is one test data record: country, zip code, expected city
@DataProvider(name = "zipcodes")
public String[][] createZipCodeTestData() {

  return new String[][] {
    {"us","90210","Beverly Hills"},
    {"us","12345","Schenectady"}
  };
}

Next, you create a data-driven REST Assured test that's associated with this test data set:

@Test(dataProvider = "zipcodes")
public void aZipCodeTest(String country, String zipcode, String city) {
        
  given().
    pathParam("country",country).
    pathParam("zipcode",zipcode).
  when().
    get("http://api.zippopotam.us/{country}/{zipcode}").
  then().
    assertThat().
    body("places.'place name'[0]",equalTo(city));
}

When you run this test, it'll be executed twice, once for each record in the test data set.

As you can see, creating data-driven tests in REST Assured is a very straightforward "next step" when you've already got tests in place for a single test data record. Note that I used TestNG to create the test data object and to associate it with the actual test, but you can easily do something similar if you're using JUnit.
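The JUnit equivalent of the data-driven test above, as an added example rather than code from the post: JUnit 5's @ParameterizedTest with a @CsvSource takes the place of the TestNG DataProvider, and the same call also folds in the status code and content type checks from the earlier example, so one test covers both the content and the technical soundness of each response. It assumes the rest-assured and junit-jupiter-params dependencies are on the classpath and, like the original, calls the live api.zippopotam.us service.

```java
import static io.restassured.RestAssured.given;
import static org.hamcrest.Matchers.equalTo;

import io.restassured.http.ContentType;
import org.junit.jupiter.params.ParameterizedTest;
import org.junit.jupiter.params.provider.CsvSource;

class ZipCodeJUnitTest {

    // The same two records as the TestNG DataProvider, one CSV row per test data record.
    // Leading and trailing whitespace around each field is trimmed by CsvSource.
    @ParameterizedTest(name = "{0}/{1} resolves to {2}")
    @CsvSource({
        "us, 90210, Beverly Hills",
        "us, 12345, Schenectady"
    })
    void zipCodeResolvesToCity(String country, String zipcode, String city) {
        given().
            pathParam("country", country).
            pathParam("zipcode", zipcode).
        when().
            get("http://api.zippopotam.us/{country}/{zipcode}").
        then().
            assertThat().
            statusCode(200).                       // technical check: the call succeeded
            contentType(ContentType.JSON).         // technical check: body is declared as JSON
            body("places.'place name'[0]", equalTo(city));   // content check: the expected city
    }
}
```

Adding a third record is a one-line change to the @CsvSource, exactly as it is with the TestNG DataProvider.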

Support for authentication mechanisms

A lot of RESTful APIs require a consumer to authenticate itself before it is allowed to interact with them. REST Assured supports a number of commonly used API authentication mechanisms, including Basic authentication (a username and password sent in a header on every call) and OAuth 2.0. For example, here's how you can call an API that's secured using Basic authentication with REST Assured. The credentials are hard-coded here to keep the example short; in a real test suite, read them from the environment or your CI system's secret store so that they never end up in version control, and only ever send them over HTTPS, since Basic authentication merely base64-encodes them.

@Test
public void checkBasicAuthentication() {

  given().
    auth().
    preemptive().
    basic("username","password").
  when().
    // Basic credentials travel base64-encoded, not encrypted: always use HTTPS
    get("https://mysecureapi.com/basicauth").
  then().
    assertThat().
    body("authentication_result",equalTo("Success"));
}
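An added example, not code from the post, of the same authenticated calls written the way a test suite should ship them: the Basic credentials and the OAuth 2.0 bearer token come from environment variables, the suite fails fast when they are missing rather than silently sending empty credentials, and a negative test confirms that the endpoint rejects an unauthenticated call. The endpoints under https://mysecureapi.com and the API_USER, API_PASSWORD and API_TOKEN variable names are hypothetical placeholders; it assumes JUnit 5 and REST Assured on the classpath and Java 11 or later.

```java
import static io.restassured.RestAssured.given;
import static org.hamcrest.Matchers.equalTo;

import org.junit.jupiter.api.Test;

class SecuredApiTest {

    // Hypothetical base URL; always HTTPS, since Basic credentials are only base64-encoded
    private static final String BASE = "https://mysecureapi.com";

    /** Reads a secret from the environment and fails the test run loudly if it is absent. */
    private static String requireEnv(String name) {
        String value = System.getenv(name);
        if (value == null || value.isBlank()) {
            throw new IllegalStateException("environment variable " + name + " is not set");
        }
        return value;
    }

    @Test
    void basicAuthWithCredentialsFromEnvironment() {
        given().
            auth().preemptive().basic(requireEnv("API_USER"), requireEnv("API_PASSWORD")).
        when().
            get(BASE + "/basicauth").
        then().
            statusCode(200).
            body("authentication_result", equalTo("Success"));
    }

    @Test
    void bearerTokenFromEnvironment() {
        // auth().oauth2(token) sends the token as "Authorization: Bearer <token>"
        given().
            auth().oauth2(requireEnv("API_TOKEN")).
        when().
            get(BASE + "/me").
        then().
            statusCode(200);
    }

    @Test
    void unauthenticatedCallIsRejected() {
        // The negative case catches a misconfigured endpoint: no credentials must mean no data
        given().
        when().
            get(BASE + "/basicauth").
        then().
            statusCode(401);
    }
}
```

Run it with the three variables exported in the CI job's environment; a missing variable aborts the affected test with a clear message instead of producing a confusing 401 from the API.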

Learn more REST Assured features

Apart from those covered in this post, REST Assured offers a wide range of other useful features that can create powerful automated tests for your RESTful APIs. You can read more about those in the usage guide.

If you're looking for more examples and some exercises to practice with REST Assured, I have published a workshop on REST Assured, which I have delivered several times, on my own GitHub page.


The most popular JavaScript front-end tools

Choosing a development tool based on its popularity isn’t a bad idea. Popular tools are usually more stable, and they often have more resources and community support than less popular tools. Developer satisfaction is another key indicator of a good tool, and for the JavaScript ecosystem, I'm going to show you some significant research on both of these criteria.

The list that follows contains all of the main tooling categories for a modern JavaScript developer. It includes the most popular tools for each category according to developer popularity and user satisfaction.

Each section reveals the most popular tool for that category and a runner-up, along with some context and citations from a few major JavaScript community surveys to back up each one's ranking. You should have plenty of community support if you choose to use any of these tools and technologies.


Language flavor

Most popular: ES5-based JavaScript

Runner-up: ES6 (ECMAScript 2015)

Recent versions of Safari, Edge, Firefox, and Chrome all have above 90% support for ES6, the new JavaScript standard. Although there are still more developers that use ES5-based JavaScript, that’s to be expected. Organizations are often slow to move to new language standards.

But ES6 will take over the top spot in 2017 as the annual releases of ECMAScript keep coming, and developers are more motivated to keep up. The State of JavaScript 2016 survey shows that nearly all of the developers who haven’t used ES6 are interested in learning it soon.

Front-end frameworks

Most popular: React

Runner-up: AngularJS 1.x

The JavaScript community is fickle, and has been surprisingly quick to abandon relatively new tools in order to gather around even newer tools that have stronger technical merits.

Five years ago, Backbone.js was the most popular framework for front-end JavaScript development. One year later,  Google’s AngularJS took the crown. Then React, the brainchild of Facebook, surpassed AngularJS. That happened around the same time that Google introduced changes in AngularJS 2 that made it no longer backward compatible with version 1.   

While React has the lead among JavaScript-focused developers, AngularJS maintains a strong lead among Java developers and among .NET developers. Interestingly, .NET developers tend to stick to their ecosystem’s vendors—they’re more likely to use TypeScript (a Microsoft creation) and NativeScript (a JS flavor from Telerik, a company that got its start as a .NET tooling vendor).

The State of JavaScript 2016 survey has a heatmap that confirms this Angular/TypeScript group, as well as an ES6/React stack group, and a plain JS/Backbone.js, or no framework group.

I did not include jQuery in this section, since it’s more of a library for unobtrusive JavaScript, and it doesn’t do the same things as React and AngularJS. jQuery is still widely used among existing web applications, but it’s less necessary for modern JavaScript front ends used in modern applications.

Task runners

Most popular: Gulp

Runner-up: Grunt

Task runners are the build tools for JavaScript applications. They automate tasks such as minification, unit testing, linting, compilation, starting servers, and other file modifications. For a while, Grunt was the most popular task runner as part of the Yeoman scaffolding, which made setting up various JS projects easy.

Now Gulp has passed Grunt in popularity, and Grunt is unlikely to recover. While many JavaScript developers have used Grunt, the State of JavaScript 2016 survey shows that most of the developers who have used Grunt don’t want to use it anymore. Among developers who haven’t used Grunt, most aren’t interested in learning it.

Module bundlers

Most popular: Webpack

Runner-up: Browserify

Webpack and Browserify can also perform the tasks of a task runner, but they're in a different section here because they're primarily known as module bundlers. Module bundling is a build step in which a group of modules and their dependencies get bundled into a file, or group of files. The demand for module bundlers is growing as JS developers break down more application functions into modules, creating a more resilient, loosely coupled architecture.

In 2015, 46% of respondents in the State of Front-End Tooling used a module bundler in their workflow. In 2016, that number jumped to 68%. Most of that growth was due to Webpack, which was used by 41% of respondents, making it the clear leader over other module bundlers such as Browserify, which was used by 11% of respondents.

Package managers

Most popular: npm

Runner-up: Yarn

2016 was the year that Yarn emerged onto the scene as a new alternative client for the Node.js package registry. npm remains the default package manager for Node.js, but rapid growth is expected for Yarn. It seems to be on track to become the preferred client for the registry, thanks to install performance that is several times better than npm's and to its lockfile, which pins every dependency version so that installs are reproducible across machines.

For now though, npm remains the de facto package manager for JavaScript, although it’s not the only game in town. Ryan Lewis, a Node.js committer, recently presented on the future of Node.js at the All Things Open conference. During the event, several developers asked whether the Node.js Foundation might make Yarn the new standard interface for the Node.js package registry.

His answer:  "Probably no,” since the foundation doesn’t want to do anything that might fragment the ecosystem. So while Yarn was talked down in a recent foundation meeting, the members did express interest in its performance gains. Lewis says a more likely outcome is that npm will begin incorporating Yarn’s features and remain the default path to the Node.js package registry.

Testing frameworks

Most popular: Mocha

Runner-up: Jasmine

Almost half of developers don’t use testing in JavaScript, according to the State of Front-End Tooling 2016 survey. The State of JavaScript 2016 survey has similar conclusions, showing that many developers aren’t satisfied with the state of JavaScript testing.  However, interest and satisfaction with Mocha and Jasmine are growing, and Mocha only has a slight edge on Jasmine. Also, new JS testing frameworks such as Enzyme and Tape show promise for helping to build a more vibrant JS testing ecosystem.

Mobile frameworks

Most popular: Native apps

Runner-up: Apache Cordova

While native apps still provide the most performant experience on mobile devices, some members of the JavaScript community believe that the emergence of Progressive Web Applications (PWAs) spells doom for native apps and the frameworks like Cordova that enable web-native mobile apps.

Maximiliano Firtman, author of High Performance Mobile Web, says PWAs will mean “the beginning of the end for most WebView-based apps, such as Apache Cordova and PhoneGap apps.”

So while these are the frontrunners for JS mobile frameworks for the moment, expect React and AngularJS to be here next year, when they will likely be the tools of choice for PWAs.

Linting tools

Most popular: ESLint

Runner-up: JSLint

Linting is a form of static code analysis that involves using an opinionated tool to prevent errors or usage of the “bad” parts of a language. Linting became popular in JavaScript when Douglas Crockford’s watershed book, JavaScript: The Good Parts, was published. JSLint is a linting tool based on the advice in that book.

While ESLint now takes the top spot because of recent upgrades to ECMAScript, JSLint still maintains a userbase. However, the second most popular answer for “What tool do you use to lint your JS?” was none. Almost one quarter of respondents don’t use a linting tool.

CSS preprocessors

Most popular: Sass/SCSS

Runner-up: LESS

While CSS preprocessors aren't technically JavaScript tools, few JS developers don’t have their hands in CSS and HTML once in a while. As with linting tools, the second-place answer in The State of Front-End Tooling 2016 for CSS preprocessors was none of the above: 13% of respondents didn’t use one. The runaway favorite among those who do, however, was Sass/SCSS, cited by 63% of respondents.

Editor

Most popular: Sublime Text

Runner-up: Atom

JavaScript developers don’t usually prefer a sophisticated IDE, as most Java and .NET developers do; lightweight text editors with a plugin system and syntax highlighting are all that most JS developers want. These are essentially the main features that Sublime Text and Atom have.

Watch this space

For more on these trends, be sure to read The State of JavaScript 2016, The State of Front-End Tooling 2016, and the Trending tech section of the Stack Overflow Developer Survey 2016. 

But remember, the JS ecosystem moves fast, so keep an eye on this list as it’s updated. Another framework or library could come out of nowhere, and suddenly everyone will be using it and tossing aside their old tools. Alternately, some of the best features of these tools and frameworks may be assimilated into JavaScript itself. Just look at all of the functions from jQuery that are now part of ES5, or the module importing and exporting from Require.js that’s now included in ES6.  

Is there any other recent JavaScript tooling research you’d like to add? Post your suggestions and opinions on the current tooling trends for JavaScript, and to keep up, be sure to follow TechBeacon's top 41 JavaScript experts on Twitter.


30 essential container technology tools and resources

Unlike virtualization, which is mainly a tool for system administrators, software container technology affects everyone from developers, testers, and operations to analysts and IT. The size and completeness of container packages allow team members to deploy complete environments in seconds.

It’s a wonderful tool that brings about an entire series of downstream decisions, including which standards to use, how to store the old versions and deploy the images, as well as how to manage them in production.

But how do you assemble the right mix of products and services to build, run, and manage containers efficiently in your environment? To answer that question we've surveyed a wide range of container technology products and services so that you can gauge the options, spanning container runtimes, cluster management and deployment, storage, security, and operating systems.

Magic Quadrant for Software Test Automation

Container runtimes

Despite its popularity as a de facto standard, Docker is only one of several container runtimes from which you can choose. Options include:

Docker

Docker's eponymously named open source containerization engine works with most of the products that follow, as well as many open-source tools.

Commercially Supported Docker Engine (CSDE)

This extension for Docker is proprietary and owned by Docker the company. CSDE is the commercially supported build of the engine, including support for running Docker containers on modern Windows Server releases.

rkt

Pronounced “rocket” and developed by CoreOS, rkt is the main competitor to Docker for running containers.

Solaris Containers

This container architecture for Solaris pre-dates Docker. IT organizations that have already standardized on Solaris may wish to explore this option.

Microsoft Containers

Microsoft's alternative to Linux containers, Windows Containers run Windows-based images on Windows Server hosts, under fairly specific host and image version requirements.

Cluster management and deployment

Your team can create images and pass them around from development to test and back. Now comes the hard part: supporting them in production. That means registering artifacts, deploying them to production as a system, and managing servers and collections of servers, including a collection of servers managed as a single unit, known as a “cluster.” Cluster management tools manage workloads, including moving instances from one virtual host to another based on load, and allocating resources, such as CPU and memory.

Kubernetes

While there is no standard for cluster management, Google’s open source product, Kubernetes, is the most popular. It is offered as a managed service by Google Container Engine (GKE) and Microsoft’s Azure Container Service, and it runs just as well on Amazon’s AWS or on a private cloud such as OpenStack. That portability helps to prevent vendor lock-in, and commercial support options are available.

Apache Mesos

A tool for abstracting computing resources, Apache Mesos can run both Docker and rkt images side by side in the same cluster. DC/OS is a platform built on Mesos that functions as a datacenter operating system.

Docker Swarm

Docker’s free product for cluster management, Swarm runs from the command line and comes bundled with Docker 1.12 and higher. Since that release it is simply Docker's native orchestration capability.

Docker Data Center

A web-based dashboard that provides full management of Docker, including a control panel, registry, monitoring, logging, and continuous integration, Docker Data Center runs Docker Swarm for cluster management. Although Docker the standard is free, Docker Data Center is a commercial product with commercial support. Of course, Docker Data Center embraces and extends the company's free, open source products: Docker and Swarm.

Storage containers

Containers are designed to be interchangeable—even fungible, like currency. That works exceptionally well for web servers, where identical servers can be added to or removed from a cluster based on demand. Storage and databases, on the other hand, need persistent locations to house data, or at least a standard interface layer. Organizations that want to move to an all-container infrastructure need storage, and companies have appeared to meet that demand.

ClusterHQ

These tools help to put databases into containers. Although the vendor that developed ClusterHQ went out of business last December, it left behind a great deal of free/open source software at github.com/ClusterHQ.

BlockBridge

BlockBridge, the “elastic storage platform” company, offers storage as a container using Docker, with options for OpenStack and software-defined secure storage.

EMC / lib storage

The EMC / lib storage system offers a code library, free and open, to enable container storage.

Docker Plugins for Storage

EMC, NetApp, and others have created plugins to support storage, which Docker Inc. makes available for download.

Container security

Single sign-on, LDAP integration, auditing, intrusion detection and prevention, and vulnerability scanning—all are pain points for organizations moving to containers. Even traditional devices and software can be hard, or impossible, to configure on container clusters. Fortunately, a handful of vendors are working to address this need. The space is so new, however, that two emerging companies do not yet have a shipping product offering.

Twistlock

You build Docker images out of components, such as an operating system, a web server, or a content management system. The problem is that unpatched or outdated software in an image could harbor security risks. Twistlock’s vulnerability scanner addresses that by comparing images against a database of known threats. This is an automated audit against a database that's constantly updated. Other core features include more classic intrusion detection and regulatory compliance systems.

Aqua Container Security

Like Twistlock, Aqua focuses on the ability to create, monitor, and enforce policy for containers, along with integration with CI, running security checks on every build.

StackRox

Co-founded by Sameer Bhalotra, a former security executive at Google and senior director for cybersecurity at the Executive Office of the President of the United States, StackRox is preparing a similar product in this area. While the startup remains in stealth mode, with no product offering on its website as yet, the company is one to watch.

Aporeto

Another stealth-mode startup, Aporeto was co-founded by a former CTO of Nuage Networks. Based in San Jose, California, Aporeto says it will provide a "comprehensive cloud-native security solution for deploying and operating modern applications," microservices, and containers.

Operating systems

Most Linux operating system distributions are built for convenience, and include big, preinstalled packages just in case the user might want them. Docker, in contrast, is designed for lightweight virtualization—to run as many identical machines as possible with the least amount of overhead in terms of memory, disk, and CPU. In response, vendors have developed container-optimized builds of Linux that attempt to balance the capabilities teams might need in a Linux distribution with the minimalism that containers demand. Here are a few of the most popular ones:

RancherOS

Containing just the Linux kernel and Docker itself, the RancherOS system image fits into just 22 MB of disk space. RancherOS eliminates systemd, the service management system built into most versions of Linux, instead starting the Docker daemon itself as the init, or “bootstrap,” system.

CoreOS Container Linux

Designed to work with CoreOS Linux tools and systems, CoreOS Container Linux is preconfigured to run Linux containers. It also comes with automatic updates turned on; the operating system updates itself without any manual handling.

Ubuntu Snappy

Canonical, the parent company of Ubuntu Linux, claims that Snappy, its answer for containers, runs over seven times more Docker containers than any other distribution. Snappy is designed to have high performance, a small footprint, and delta (differential) updates to the operating system and applications, keeping downloads small.

Red Hat Atomic Host

These tools let you host Linux containers in a minimal version of Red Hat Enterprise Linux. Organizations that run Red Hat Enterprise Linux and want to use containers will want their hosts to run the Red Hat Atomic Host operating system.

Microsoft Nano Server

Nano Server is a small, remote-administered, command-line operating system designed to host containers and to run as a container, possibly in the cloud. Yes, Microsoft does have Windows Server-based container capability, and Nano is specifically built for that purpose. Other Microsoft operating systems that can host Windows Containers include Windows Server 2016 and Windows 10 Pro and Enterprise.

VMware Photon

Weighing in at 220 MB on disk, Photon is a larger container operating system than some others, although it's still only about one hundredth the size of the latest version of Windows. This Linux container host is designed to integrate with VMware's vSphere virtualization products.

Container events and sources for support

Once you've committed to containers, the hardest part will be implementing and supporting them. From conferences to support forums to commercial support, here are the resources you need.

DockerCon

This is the event to attend if your company is pursuing an all-Docker architecture, with the support of Docker Data Center, Swarm, and other products from Docker's business partners. DockerCon has seven tracks, ranging from introductory tutorials to tips and tricks and cutting-edge ideas.

Container Summit

This event is smaller than DockerCon, but has a much wider scope. In 2016, Container Summit held two big conferences and 12 smaller ones in the US. Container Summit is a good place to network with peers who are working to implement and manage container technology.

ContainerCon

This is a larger event that features both thought leaders in the container space, and a broad variety of vendors. ContainerCon runs in parallel with LinuxCon and CloudOpen.

CoreOS Fest

This is CoreOS' answer to DockerCon. Attend CoreOS Fest for training, support, and information about the rkt/CoreOS technology stack.

StackOverflow

The largest programmer online Q&A site, StackOverflow offers plenty of information on deploying your applications in containers.

Docker Community Site

Docker’s curated community site provides Docker-centric information and forums.

CoreOS Community Site

CoreOS’s curated community site focuses on connecting people to experts through meetups and chat.

Go forth and containerize

The concept behind containers is simple: It's the implementation that's complex. If your technical team uses containers strictly for builds and testing, your decisions are limited to choosing the right operating system and container type. But once the build system is creating an image for every build, why stop there?

Expanding past build/test means selecting a stack of technologies for operations, deployment, monitoring, support, security, and so on. CoreOS and Docker both offer extensions and support that make integration easier within their own product ecosystems. But if you'd prefer to roll your own environment, using Kubernetes for cluster management can prevent vendor lock-in, and every major cloud provider supports it.

That's my concise list of container resources, but I welcome yours. What did I miss? Feel free to add your tips and suggestions to this list by posting them below.


Image credit: Flickr


Science of happy developers: How to boost your engineering team's mojo

"I've lost my mojo!" —Austin Powers

Losing your mojo is traumatic for everyone, but when it happens to your dev team, it might seem like Dr. Evil has got the best of you. Unfortunately, too many tech teams (and their leaders) start looking for a solution in the wrong places.  

Newer languages, tools, platforms and processes are where developers and managers usually look to get their mojo back. Unfortunately, these fail to deliver on the promise of optimizing for developer happiness, and only waste valuable time and resources.  

If you're thinking that moving your ASP.NET team to Node.JS, or your PHP team to Rails will improve their happiness, you're going down a dead-end road.

What's the answer? Thankfully, sociologists have come to the rescue with research showing that your developers' job performance and job satisfaction are directly linked to their relationship with you. Here's how Leader-Member Exchange Theory (LMX Theory) can deliver for your team.

Continuous testing: A practical guide

Learning from LMX theory

In the early 1980s, sociologists and organizational psychologists began to look at leadership from a new perspective. Traditional leadership theories have long been based on “Great Man theory,” attributing the team’s performance to qualities of the leader.

Setting this aside, these sociologists began to study how the quality of relationships between managers and employees affected outcomes.  This has evolved into an area of research known as LMX theory, which studies the effects of these key relationships on happiness, productivity, turnover, and motivation.

In short, Gerstner & Day, in an article in the Journal of Applied Psychology, found that:

The relationship with one’s boss is a lens through which the entire work experience is viewed.

Take a minute to re-read that. Your developers' entire work experience is viewed through you. You are their lens.

Researchers found a significant correlation between the quality of relationship that developers have with their manager, and performance and satisfaction in the job.  This agrees with Gallup’s finding that “managers account for 70% of variance in employee engagement.”  

This focus on the quality of the relationship between leader and employee, rather than only on the traits of the leader, provides hope for all managers who want to create high-performing teams. Instead of attempting to cultivate particular “great man traits” within themselves, managers who want happy developers should cultivate high-quality, individual relationships with their team members.

Know the ins and outs of your groups

LMX research found that all employees fall into one of two groups under their manager: an “in-group” and an “out-group.” Managers do not intentionally create these groups, but they form naturally as the manager builds relationships with individual team members. 

In-group members enjoyed more advancement opportunities, greater trust, more autonomy, and were happier and more productive than their out-group peers. They were able to negotiate tasks, and collaborate with their manager to find win-win outcomes.  They are generally motivated, happy, and satisfied with their jobs.  

Out-group members are the opposite. They are promoted less often, given less autonomy in how work is completed, and are less productive. Their job performance is lower. They often appear to be "9-to-5ers," doing only the minimum needed to get by, and may be seen as simply punching the clock. Instead of negotiating win-win outcomes with their manager, they get assigned tasks without any opportunity for discussion. Unsurprisingly, they are less motivated, happy, and satisfied.

What does this mean for you, the manager? First, you can start to identify your groups. How is the in-group composed? How do you feel differently about them? Do you see a difference in their happiness or job performance?

Next, think about why people are in these groups.  Do you have common sports or social activities, religious viewpoints, or world views?  Do your personalities just click?  Do you share the same communication style?  

You didn't intentionally create these groups, but they do exist. You might feel bad about this, but you shouldn't. It's completely natural. Instead, focus on building strong relationships with everyone on your team.

Two steps to create better relationships

Equal investment is the key to creating better relationships with everyone on your team. Often, the in-group gets the most attention and time, so you need to spread your investment evenly across the team. Here are a few tips:

Hire selectively, prioritize for soft skills

Keeping this in mind, managers should seek to hire programmers who understand and value strong relationships, and who have the soft skills necessary to participate in them. While hard technical skills are important, the soft skills are an important indicator of success in relationships with managers.

Many managers perform “culture fit” interviews, hoping to find programmers who will succeed at their companies. This is a good start, but adding questions that explore candidates' past managerial relationships, their ability and willingness to give candid feedback, and their understanding of the importance of good relationships will help you find candidates who are ready to be in your in-group.

Hold weekly one-on-one meetings

In his book, The 27 Problems Managers Face, Bruce Tulgan states, “When things are going wrong, the common denominator is unstructured, low-substance, hit-or-miss communication.” One-on-one meetings are the cornerstone practice that creates and sustains strong relationships between managers and developers. One-on-one meetings aren’t simply a status meeting, or a delegation meeting, or even a coffee meeting. Rather, these meetings provide a private, consistent place where leaders invest in their team, trust is built, feedback is given (and received), and the relationship deepens.

One-on-one meetings are an activity meant to build deep professional trust, reveal training and feedback opportunities, and allow the developer a safe place to give the manager the kind of candid feedback needed to improve.

When I was a new tech manager I didn’t understand the real purpose behind one-on-one meetings, viewing them as “busy work” to be minimized (allowing me to get back to the “real work” of coding!). But that led to unwanted outcomes.

Frequency and consistency are key attributes of these meetings. Managers who see one-on-ones as an investment understand that canceling a meeting sends the wrong message and hurts the relationship. They choose a frequency they can commit to, and remain consistent in keeping and conducting the meetings.

While not every meeting is the same, they ensure that time is given to discussing project impediments, giving affirming and corrective feedback, and asking for input and feedback on their own management practice. Without this feedback, managers are driving blind, without a way to understand what their teams need from them.

Some managers object to spending time this way, pointing to their “open door” policy as a better style of management. In Cancelling One-on-One Meetings Destroys Your Productivity, Elizabeth Grace Saunders writes, “When you cancel one-on-ones and compensate with an open-door policy, your time investment mimics that of a call center employee who takes requests in the order they are received, instead of an effective manager and executive who aligns his time investment with his priorities.”

Experienced managers also understand that team members are reluctant to use their open-door policy for fear of “wasting their managers' time.” Without a scheduled, consistent one-on-one meeting, managers are depending on developers to use their best judgment to decide when and on what to consult with their manager. This reluctance often leads to unnecessary miscommunication, incorrect assumptions, and frustration on both sides.

Get your mojo back, baby

It's tempting to think that new languages, platforms and tools can solve your mojo problems, but they won't. I've never met a developer who quit to get away from a technology, but plenty leave to get away from a manager.  

I've seen plenty of programmers working on old technology, with old processes, on old platforms, who love their jobs. When I ask them why, they tell me that they love their boss, company, and teammates. They feel their boss "has their back," and wants the best for them.

That only comes from great relationships, consistent time investment, and clear and direct bi-directional feedback.  

That's the kind of mojo you want for your software engineering team. Don't settle for anything less.


Image credit: Flickr


5 proven techniques for scaling agile in the enterprise

Agile methodology is rapidly gaining ground in large-scale enterprises. But how can you transition your company into an agile framework?

Here are five simple and effective techniques for scaling agile methodology to your specific project, team—and enterprise.


1. Start with an MVP

Continuous Delivery (CD) is a software development strategy that provides high-quality, accessible software to customers. The process of releasing a minimum viable product (MVP) is important for earning early feedback and tracking usage patterns to test hypotheses. An MVP avoids wasted engineering time and prevents practices such as gold plating among large software teams.

2. Create a single product backlog

An agile product backlog is the set of tasks to complete before you release code. Product managers should maintain one group backlog for all teams. Having one backlog lets you focus on high priority tasks while providing access to all contributors at all times. This prevents miscommunication and creates a collaborative project environment.

3. Build a collaborative culture

To enhance agile teamwork, consider hosting "three amigos" meetings that include the product owner, a developer and a tester to review requirements and test feature requests on the backlog. The product owner expresses the business need, the programmer explains implementation, and the tester considers potential problems. This encourages different viewpoints while providing group consensus on project status.

4. Use a large-scale agile framework

The three major frameworks used in large enterprises are the Scaled Agile Framework (SAFe), Disciplined Agile Delivery (DAD), and Large Scale Scrum (LeSS). With guided, multi-level training and certifications, these are ideal for small, expanding practices. Scrum of Scrums (SoS) is another popular approach due to its embrace of informal training. (See Richard Dolman and Steve Spearman's comparative matrix for different agile scaling approaches.)

One disadvantage is that these frameworks can lead to a rethinking of a hierarchical organization, which can be challenging for larger enterprises.

The Scrum Process: All three scaled agile frameworks build upon techniques used in scrum and agile, team-oriented frameworks. Image source: SAFe

All three agile frameworks are based on ideas originating in scrum testing. SAFe teams consist of between five and nine people; the framework uses team, program, and portfolio levels, with two-week scrum sprints and extreme programming (XP) methods. At the program level, between five and 10 SAFe teams make up an “agile release train.” The portfolio level defines how executives and agile leaders can use processes like value streams to prioritize features.

This SAFe “Big Picture” graphic shows the three levels of SAFe and the roles involved in SAFe. Image source: Scaled Agile Framework

DAD, created by Scott Ambler and Mark Lines, is built on existing agile techniques, and uses inception, construction, and transition phases. It helps in areas of architecture and design in the inception phase, and is ideal for deployment in the transition phase.

LeSS, by Craig Larman and Bas Vodde, consists of Framework-1 and Framework-2. Framework-1 is for smaller companies (up to 10 Scrum teams with seven members each), while Framework-2 is for larger ones. LeSS puts several feature teams under a single product owner, expanding on the basic Scrum framework. LeSS is more flexible, non-prescriptive, and most effective in smaller projects.

5. Pursue training courses and certifications

The Scaled Agile Academy trains on team, program and portfolio phases of SAFe, with certifications for managers, executives, developers, testers, and consultants. For DAD, the Disciplined Agile Consortium trains and certifies people to become a Disciplined Agilist, Certified Disciplined Agilist or Certified Disciplined Agile Coach.

For training on LeSS, available certifications include Certified LeSS Practitioner, and Certified LeSS for Executives. Programs such as Certified ScrumMaster and Professional ScrumMaster help students review basic Scrum knowledge.


Image credit: Flickr


Why hybrid agile-waterfall projects fail

A recent HPE survey of 403 Development and IT professionals, performed by YouGov, revealed that pure agile projects are more successful than those that use a combination of agile and waterfall approaches. Of those surveyed, nearly one-third (32%) were using an agile-waterfall hybrid model.

While agile-only organizations rated themselves the highest, hybrid projects fared the worst on every measure. Why? Because the hybrid approach “straddles two development methodologies that naturally pull in different directions,” the report says. But that directly contradicts the results of a report by CAST Software, which concluded that the hybrid approach leads to higher quality than either pure waterfall or pure agile.

If hybrid is such a bad idea, why did one-third of organizations surveyed follow the hybrid path? Why have so many organizations that followed the hybrid model failed to meet expectations? And what can organizations do to improve their chances of success, particularly when working with a hybrid model?

Agile Projects Are More Successful Than Hybrid Projects

Why so many organizations use a hybrid model

It’s no surprise that the survey results conclude that mixing agile and waterfall yields lower success rates than agile approaches. Mixing the most popular agile framework, scrum, with waterfall has been described with a variety of terms, including scrummerfall, water-scrum, and water-scrumfall. But whatever term you use, most agile experts strongly discourage the practice of mixing waterfall and agile.

Why then, would organizations ignore these words of warning? One reason is that in a large enterprise, it’s very difficult to switch from traditional waterfall methodologies to a pure agile approach.

The survey targeted organizations with greater than 500 employees, and if these large organizations have established processes and tools that use traditional practices, it would take significant time and effort to switch to using only agile practices. Thus, many organizations start by introducing some pieces of agile without entirely letting go of many of the waterfall practices, resulting in this hybrid approach.

Malcolm Isaacs, an enterprise agile expert at HPE, says:

“For most of these organizations that take a hybrid approach, this is an interim step, and they intend to gradually expand their agile activities beyond the development and testing stages to the rest of the software development lifecycle.” 

Another reason that organizations may choose to use a hybrid model is to meet compliance and regulatory requirements, which require more rigorous documentation and governance than you get in a pure agile shop.

ReQtest chairman of the board Ulf Eriksson, in his post, Combining Agile and Waterfall Methodologies: Overkill or Genius Idea? recommends an 80/20 split with an emphasis on agile, but he still suggests retaining some of the documentation rigor used with waterfall methodology. In the post, he notes that a hybrid approach would allow for more predictability (from waterfall) as well as the ability to respond to feedback quicker (from agile).

Eriksson prefers a pure agile model whenever possible. But he acknowledges that many organizations are restrained by a waterfall project model, ITIL, or another framework that takes a long time to replace with agile methods.

"Companies have to fundamentally change the way they are working by making budgeting and business planning more agile. Until that point, many have to live with a blended environment.” —Ulf Eriksson

Donnie Berkholz, Research Director, Development, DevOps & IT Ops at 451 Group, agrees that the cultural change required is a big barrier to complete agile transformation. Combining waterfall and agile feels comfortable and doesn't require as many changes from a cultural perspective.

"The shift in mindset and operating model required to move to a series of sprints rather than an end deadline, which is likely to run late and over budget even if the project does get completed, is one that many traditional companies find difficult.” —Donnie Berkholz

Why performance and success metrics are lower with hybrid

The HPE study asked teams to self-assess their performance across 25 recommended practices, such as “small team” or “good customer relationship.”  It defined project success using six metrics, including quality and performance, time to market, speed of delivery, scope, security, and cost/use of resources.

In the performance ratings, as well as the success metrics, the hybrid approach fared lower than the agile-only approach.

So why did a hybrid approach show lower success metrics than pure agile?  Isaacs sees a correlation between the performance ratings (the self-assessments on agile practices) and the project success metrics. “Hybrid organizations say that they do less automated testing and automated integration, and have little automated infrastructure. Performing these activities manually takes longer and is less consistent, particularly for repetitive tasks."

Of the 25 performance ratings, Isaacs says those related to automation are areas that can have a direct effect on success metrics. Indeed, many of the practices related to automation, such as continuous integration, originated from the agile framework XP (extreme programming), and have frequently come under the heading of “DevOps.”

Might it make sense then, for teams to just add DevOps practices to their waterfall methodology? While it’s possible to run DevOps practices in a waterfall environment, HPE technology evangelist John Jeremiah writes, “If you try to optimize delivery in a waterfall-siloed world, you'll exert lots of energy and feel like you're working hard, but you probably won't deliver the business results you could.” 

CAST counterpoint: Hybrid approach yields higher code quality

While it might seem obvious that pure agile is the preferred approach, a 2014 Research on Application Software Health report by CAST Software, a vendor of software analysis and measurement tools, found that a mixed waterfall/agile methodology yielded better code quality than either pure waterfall or pure agile methods.

Primary report author Dr. Bill Curtis, a senior vice president and chief scientist of CAST Software, says his assessment of the findings was that quality suffered under pure models. 

“Our research shows that applications produced using traditional agile or waterfall methods alone have more security vulnerabilities, more reliability and performance issues, and a higher cost to maintain than those produced with a mixed method.” —Dr. Bill Curtis

One reason for the perceived inconsistency between the HPE survey and the CAST report is that not all teams that claim to be agile are using the framework as intended. CAST executive vice president Lev Lesokhin, a co-author of the report, noted that many organizations claim agility, yet they just use it “as an excuse to do whatever they want and crank out code quickly.”

Lesokhin also cites the importance of a solid architecture up front. Some agile teams let the architecture emerge, which creates problems down the line, when refactoring is difficult. “It’s becoming increasingly important to secure your architectural quality and design before writing the first line of code,” he says.

What to do when you must take a hybrid approach

Large organizations are often forced to find ways to mix methodologies, or at least have them co-exist. Even those organizations attempting to transition to agile may be dependent on an infrastructure that has many complex dependencies on traditional methodologies, or they may be working with vendors using a waterfall framework.

Although faced with challenges that may seem futile to resolve, managers and teams can work toward improving their chances of success when managing agile and waterfall together. There are ways that waterfall and agile teams can successfully co-exist. Coordination and communication on a regular cadence, early and frequent integration, and remaining flexible to change, while accommodating and respecting differences in methodologies are all areas that can help improve success.

Berkholz says the most important agile practice is to connect business requirements to the end user. If companies are doing agile only within the development organization, they’re missing out on the potential for improving product-market fit, he says. So even if your project is technically a success, you might have built the wrong thing.

"Without testing on end users and iterating based on their feedback, it’s impossible to truly succeed.” —Donnie Berkholz

Isaacs recommends focusing on areas that are within your control, making team changes that will lead to short-term wins and improve the team’s metrics and deliverables. Sharing, mentoring, and helping others move towards agility will lead to improvements.

“You might not be able to change the model directly, but you may be able to influence it." —Malcolm Isaacs

Continuous improvement leads to success

Large-scale transformation to pure agile is difficult. Which agile practices will lead to success? You've heard a variety of answers from experts, but for teams to mature in agility and improve their chances for success, your organization needs to practice continuous improvement.

By including frequent and regular opportunities for the team to reflect and improve, they can determine their biggest issues and work together toward improving those. As they adopt more agile practices, your team needs to let go of traditional practices that may conflict with the agile practices they’re adopting.

Some teams make the mistake of adding agile practices while continuing to require all of the traditional practices as well. This leads to frustration, since it not only will require more time and effort than either pure waterfall or pure agile, but will cause confusion and delays when the practices are in conflict.

Practices that are required for compliance or for ensuring a high-quality and secure architecture can be done in a well-disciplined agile environment.

By remaining aware of the benefits that an agile approach will provide, and continually evaluating and improving, teams can ultimately improve their overall performance ratings and success metrics.

Agile Projects Are More Successful Than Hybrid Projects

4 forgotten code constructs: Time to revisit the past?

Some things in the programming world are so easy to misuse that most people prefer to never use them at all. These are the programming equivalent of a flamethrower: You might rarely be in the position to really need one, but every once in a while it turns out that you need to take down a forest. In that case, there’s no easier way than going Rambo on your codebase.

“There is no programming language—no matter how structured—that will prevent programmers from making bad programs.” —Larry Flon

That's where a few of the old, forgotten code constructs come into play. Creative use of features such as goto, multiple inheritance, eval, and recursion may be just the right solution for experienced developers when used in the right situation.

In software development, one of the most important skills you can have is knowing how to evaluate tradeoffs. Once you get better at choosing the right way over the popular way, you'll gain a lot in code clarity, readability, and reduced development time.

Sometimes the measure of a tool’s power lies more in the programmer's ability to use it properly than on the qualities of the tool itself. Most of these forbidden ideas have special cases where they are not only useful, but they are the best possible solution available. That's what they were made for. In those cases, you are missing out on a lot of power by not using them.


Here are four forgotten code constructs that should be resurrected.

Goto

Old codebases used to be infested with goto statements. In those times, you could use it to jump to particular code lines directly, by number. This led people to write the most inscrutable code imaginable, filled with numerical line references, akin to assembly language.

Because it's so easy to misuse, it eventually started causing more problems than it solved. Then Edsger Dijkstra's famous paper, "Go To Statement Considered Harmful," came out, and the rest is history. These days, people look at you funny if you try to argue that it can be useful.

Despite goto's bad reputation, even today there are some popular projects using goto, including the Linux kernel itself. For example, look at this intro to kernel development where the audience has a collective gasp when they hear about it. And then there’s a classic Linus Torvalds rant speaking in its favor.

The appeal behind goto was being able to write very tight loops, but the perils of this construct were not universally understood. One common mistake was to jump backward in code which, although easy to write, made the logic almost incomprehensible.

Few modern languages support goto. Of the most popular ones, only C, PHP and C# have it. But there are a few practical cases where it leads to code that is maintainable and easy to read.

Goto the right way

The main place where it shines is in error handling code. Here's an example that can be a good alternative to having multiple consecutive if/else statements.

int do_work(void) {
    int result;
    result = first_operation();
    if (!result) {
        goto first_error;   // nothing to undo yet
    }
    result = second_operation();
    if (!result) {
        goto second_error;  // first_operation must be undone too
    }
    return 0;               // success: skip the clean-up labels

second_error:
    // ... undo second_operation, then fall through
first_error:
    // ... undo first_operation
    return -1;
}

The reason why goto fits error handling well is that it gives you immediate visibility on the problem by flattening the code. The data handling and the clean-up code are separated and easy to see.

Bear in mind that this return value style with gotos is more suited for low-level code. In C++ you have the option of using RAII, and other high-level languages where return values are not common usually have exception support anyway.

Goto is also good for encapsulating repetitive return statements. Some methods have multiple exit paths that look very similar. In those cases, we can encapsulate the return statements and we’ll be able to easily change the output of the function without touching the data handling.

function isLeapYear($year) {
    if ($year % 400 == 0) {
        goto leap_year;
    }
    if ($year % 4 > 0) {
        goto common_year;
    }
    if ($year % 100 > 0) {
        goto leap_year;
    }
    goto common_year;

    leap_year:
        return true;
    common_year:
        return false;
}

You could also encapsulate using method calls. That's fine if your compiler inlines the resulting code, but as an added bonus in this case you also get to have the related code inside the same function instead of somewhere else in the file.

Multiple inheritance

This language feature lets you inherit a class from multiple parent classes to get functionality from all of them. Normally in OOP (Object-oriented programming) code you'll only inherit from one parent, but in some contexts it seems more natural to inherit from many.

The danger here is complexity. Since you might affect multiple modules in your app from the same parent classes, it's not that easy to reason about code changes. Any mistake could cause a chain reaction of bugs.

Unfortunately, misguided usage has made this once popular feature almost completely disappear. These days it's almost synonymous with complexity in OOP, and most of the new languages have dropped it altogether. It can only be found in C++, Python, Lisp, and some other functional languages.

My gripe with multiple inheritance is that it’s an easy way to break the single-responsibility principle. Each class should be responsible for one task only, and once you inherit from multiple parents, things start to get muddy. In my experience, this principle tends to be thrown out quickly when deadlines and hard times come knocking, so I wouldn't want to make that even easier.

Multiple inheritance the right way

On the other hand, sometimes you want to inherit from parents that are completely separate from each other. This is where multiple inheritance can become productive. Classes that have orthogonal behaviors are the best case scenario for multiple inheritance.

class Flyer:
  pass

class Swimmer:
  pass

class FlyingFish(Swimmer, Flyer):
  pass  # can swim and fly

In this example, Swimmer and Flyer are completely separate abstractions, so inheriting from both is not going to lead to a mix-up of responsibilities in the child class.

Another good case for multiple inheritance is when you inherit from multiple interfaces instead of classes. This case is less dangerous, as inheriting does not bring additional functionality into the class—it just extends its contract with the rest of the world.

I like to build interfaces that reflect a particular behavior. That works very naturally with multiple inheritance. For example, you can have a DatabaseDriver that is Queryable and Persistent, and maybe you're implementing it as a MysqlDriver which has both behaviors working together.

As long as you are careful in having your abstractions clearly defined, multiple inheritance can be another powerful tool at your disposal.
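The two cases above, orthogonal behaviours (Swimmer and Flyer) and interface-style parents (Queryable and Persistent), as one added Python example that is not from the original article. The Animal, MysqlDriver and HalfDriver classes and the in-memory "database" are assumptions made for the demonstration; the point is that the method resolution order stays trivial when parents do not overlap, and that abstract parents enforce the contract at instantiation time.

```python
from abc import ABC, abstractmethod
from typing import Dict, List


class Animal:
    """Concrete base that owns the shared state (constructed for the example)."""

    def __init__(self, name: str) -> None:
        self.name = name


class Swimmer:
    """Orthogonal behaviour: knows nothing about flying."""

    def swim(self) -> str:
        return f"{self.name} swims"


class Flyer:
    """Orthogonal behaviour: knows nothing about swimming."""

    def fly(self) -> str:
        return f"{self.name} flies"


class FlyingFish(Animal, Swimmer, Flyer):
    """Parents are independent, so no method is shadowed and the MRO is linear."""


# Interface-style parents: abstract methods only, no state of their own.
class Queryable(ABC):
    @abstractmethod
    def query(self, sql: str) -> list:
        ...


class Persistent(ABC):
    @abstractmethod
    def save(self, row: dict) -> None:
        ...


class MysqlDriver(Queryable, Persistent):
    """Hypothetical driver; the 'database' is an in-memory list for the demo."""

    def __init__(self) -> None:
        self._rows: List[Dict] = []

    def save(self, row: dict) -> None:
        self._rows.append(dict(row))

    def query(self, sql: str) -> list:
        # Constructed behaviour: exactly one statement is understood.
        if sql.strip().upper() != "SELECT * FROM ROWS":
            raise ValueError("unsupported statement")
        return list(self._rows)


class HalfDriver(Queryable, Persistent):
    """Deliberately forgets save(); the ABC machinery must refuse to build it."""

    def query(self, sql: str) -> list:
        return []


def mro_names(cls: type) -> List[str]:
    """Method resolution order: the first thing to inspect when parents overlap."""
    return [c.__name__ for c in cls.__mro__]


def contract_enforced() -> bool:
    """True when Python refuses to instantiate a class missing an abstract method."""
    try:
        HalfDriver()
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    fish = FlyingFish("Exocoetus")
    print(fish.swim(), "/", fish.fly())
    print(mro_names(FlyingFish))
    print("contract enforced:", contract_enforced())
```

Inspecting `mro_names(FlyingFish)` is the quick check for the "orthogonal" claim: if two parents define the same method, whichever appears first in that list wins silently, which is exactly the chain-reaction risk the section describes.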

Eval

Eval is a tool some languages have that lets you run arbitrary code from a string. Most interpreted languages have it, such as JavaScript, Python, PHP, and Ruby.

It is by far the most dangerous tool here, and that's because you might accidentally give it a user's input, which will open your system up completely. A malicious user would be able to run code to delete files or otherwise take control of your machine.

Despite this, in some cases it can be a very productive tool. Some problems become much easier to solve with eval, such as parsing a dynamic number of input variables and parsing template languages.

Although wanting to apply simple solutions like that is laudable, the dangers are too great. It is close to impossible to properly sanitize random input so that the eval call is safe from abuse, so it's better to only evaluate code you've generated yourself.

Eval the right way

Evaluating your own code can still be very useful. Some examples include: interpreting JSON data, HTML templates, mathematical expressions, and detecting environment and language features.

Here's an example for detecting if your browser supports ES6-style generators.

try {
  eval("(function *(){})");
} catch(err) {
  console.log(err);
  console.log("No generators");
}

Recursion

More forgotten than forbidden, recursion is still highly praised in academic settings, but ask your teacher about practical applications and you'll often get blank stares.

Functional programmers love recursion. Some functional programming languages such as Haskell even downright force you to use it, but the truth is that recursion is not natural outside of that world.

There are ways to make it work in the iterative world, though. One such way is through tail recursion. Simply put, you leave the recursive call at the end of your method, and the compiler will then be able to optimize your method to avoid stack overflows.

Unfortunately, some languages have decided to not support tail-call optimization. This is often true of web-based languages. From what I've gathered, both Python and PHP don't support it, and JavaScript only does on ES6+ engines. In these cases, if you really need it, you can use something like trampolines to get around your environment's limitations, but I'd recommend just sticking to iterative programming.

Recursion the right way

Recursion offers great simplification and code reduction in some algorithms. Particularly if you're dealing with tree-based data structures and sorted lists, you'll find that it's much easier to implement solutions using recursion. In those cases, if you need simple code that works, go for it.

Performance-wise, it's generally best to convert recursive functions to their iterative versions. The code will not be as easy to understand, but it'll be more appropriate in production environments, as it will have more predictable performance.
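The three points of this section, recursion on a tree, its iterative conversion, and a trampoline standing in for the tail-call optimization CPython lacks, as one added Python example (not the article's own code). The nested-list tree, `deep_tree` and the sample values are constructed; the depth limit comes from `sys.getrecursionlimit()`, which is 1000 by default.

```python
import sys
from typing import Callable, List, Union

Tree = Union[int, List["Tree"]]  # nested lists of ints, constructed for the demo

# Constructed sample tree with six leaves.
SAMPLE_TREE: Tree = [1, [2, [3, 4]], [5], [[[6]]]]
DEEP_DEPTH = sys.getrecursionlimit() * 2  # deeper than the interpreter allows


def tree_size_recursive(tree: Tree) -> int:
    """Clear but stack-bound: every nesting level costs one interpreter frame."""
    if isinstance(tree, int):
        return 1
    return sum(tree_size_recursive(child) for child in tree)


def tree_size_iterative(tree: Tree) -> int:
    """Same result with an explicit stack on the heap; input depth no longer matters."""
    count, stack = 0, [tree]
    while stack:
        node = stack.pop()
        if isinstance(node, int):
            count += 1
        else:
            stack.extend(node)
    return count


def deep_tree(depth: int) -> Tree:
    """Constructed adversarial input: a single leaf nested `depth` levels down."""
    t: Tree = 0
    for _ in range(depth):
        t = [t]
    return t


def overflows(fn: Callable, arg) -> bool:
    """True if fn blows the recursion limit on this input (RecursionError)."""
    try:
        fn(arg)
    except RecursionError:
        return True
    return False


def trampoline(f: Callable) -> Callable:
    """Run a function that returns thunks for its tail calls, on a flat stack."""
    def run(*args):
        result = f(*args)
        while callable(result):
            result = result()
        return result
    return run


def _sum_to(n: int, acc: int = 0):
    # Tail-recursive shape: the recursive call is the last thing that happens,
    # but it is returned as a thunk so the trampoline performs it.
    if n == 0:
        return acc
    return lambda: _sum_to(n - 1, acc + n)


sum_to = trampoline(_sum_to)


def sum_to_plain(n: int, acc: int = 0) -> int:
    """Identical shape, but CPython performs no tail-call elimination."""
    if n == 0:
        return acc
    return sum_to_plain(n - 1, acc + n)


if __name__ == "__main__":
    print(tree_size_recursive(SAMPLE_TREE), tree_size_iterative(SAMPLE_TREE))
    print("recursive overflows on deep input:", overflows(tree_size_recursive, deep_tree(DEEP_DEPTH)))
    print("trampolined sum:", sum_to(100_000), "plain overflows:", overflows(sum_to_plain, 100_000))
```

The "predictable performance" argument has a security angle too: when the nesting depth is controlled by whoever sends the input (a JSON document, an archive of archives, a parser for a grammar), the recursive version turns into a crash on demand, while the explicit-stack version degrades gracefully and can have a size cap added in one place.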

Rediscover your language's forgotten constructs

Knowing your language well is important. Even if you don't plan on using these features, be sure to know the use cases where they are a good choice. Not only to have more options, but also to have a better grasp on the language itself.

Be pragmatic. If you haven't read it yet, check out The Pragmatic Programmer. Knowing your tools by heart and all of their trade-offs is one of the marks of the experienced and battle-hardened developer.


5 ways to align security with your DevOps strategy

In 2016, DevOps reached a tipping point. Half of all organizations surveyed indicated that they are actively using it as a model for releasing and maintaining custom applications, according to the Gartner Research note DevSecOps: How to Seamlessly Integrate Security Into DevOps, September, 2016. Yet, about 80 percent of those organizations surveyed expressed concerns that information security policies and teams are preventing them from achieving the level of agility that DevOps promises.

Development, operations and security all want to see the business succeed, but they look at success—or more specifically, the metrics of success—from different perspectives. In our hyper-competitive world of digital business transformation, software is disrupting entire industries. Consider what Uber is doing to the taxi business, for example. Increasingly, the measure of success that matters is survival, which requires keeping pace with the business demands for innovation without introducing unnecessary risk.

Security teams, in some cases, are justifiably suspicious of DevOps. Can automated testing really make code more secure? Is the DevOps culture of failing fast compatible with good governance?

Rather than wait for security and compliance to find ways to support DevOps, the DevOps team should make the case that integrating automated security and regulatory controls into DevOps processes is in the best interest of the organization as a whole. In DevOps terms, here are five ways that organizations can incorporate the “shift left” of security.

What is the true state of security in DevOps?

If security is a bottleneck, expect to be avoided

There is no value in a DevOps program that does not increase release velocity. A core tenet of DevOps is to look for constraints that cause the backup of work in progress – security can expect to receive the spotlight as a result.

Traditional waterfall-style approaches of build it, test it, hand it over to the security team, and test it again are inefficient when compared to the continuous integration (CI) and continuous delivery (CD) approaches of DevOps.

Many DevOps initiatives have reduced delivery cycle time, but security practices and policies are becoming the bottleneck to rapid production delivery, much in the way that overblown release management practices were four or five years ago.

If security resists participating in the DevOps program, the temptation to circumvent security testing and policy reviews will become overwhelming.

Automated testing is the backbone of DevOps—use it to security’s advantage

Testing custom code for vulnerabilities traditionally takes place after development is complete. But if thousands of checks take a week to run, you’re breaking CI/CD in DevOps. Instead, apply a small-batch testing philosophy to security testing, using as much automation of application security testing (AST) tools as possible.

The goal should be to deliver more secure code at the speed of business, rather than to patch or replace code reactively based on manual reviews or in response to breaches. In this way you can avoid wasteful rework, which contributes to the business falling behind competitors.

While no automated testing is perfect, AST can look for known vulnerabilities, policy violations such as the use of prohibited libraries, and certificates that expose private keys, as examples. This contributes to more secure code before it is released.
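Two of the checks named above, prohibited libraries and committed private keys, as a small pipeline gate in Python. This is an added example, not a tool from the article or from any vendor; the policy list, the repository contents and the `requirements.txt` format handling are constructed for the demonstration, and a real gate would read files from the checkout rather than a dict.

```python
import re
from typing import Dict, List

# Constructed policy: package name -> reason it is banned.
PROHIBITED_LIBRARIES = {
    "legacy-crypto": "use the approved crypto wrapper instead",
    "debug-telnet": "cleartext remote shell, never in production images",
}

# Constructed sample checkout (path -> file content). The PEM bodies are fake.
SAMPLE_REPO = {
    "requirements.txt": "requests==2.31.0\nlegacy-crypto==0.9\nflask==3.0.0\n",
    "config/tls.pem": (
        "-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n"
        "-----BEGIN PRIVATE KEY-----\nMIIE...constructed...\n-----END PRIVATE KEY-----\n"
    ),
    "config/public.pem": "-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n",
    "README.md": "# demo\n",
}

# Standard PEM headers for private key material (PKCS#8, PKCS#1, EC, OpenSSH).
PRIVATE_KEY_RE = re.compile(
    r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"
)
# "name==1.2", "name>=1.0", or a bare "name"; extras and URLs are out of scope here.
REQ_LINE_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(?:[=<>!~]=?.*)?$")


def prohibited_dependencies(requirements: str) -> List[Dict]:
    """Flag every pinned or unpinned dependency that appears on the ban list."""
    findings = []
    for lineno, line in enumerate(requirements.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = REQ_LINE_RE.match(line)
        if not m:
            continue
        name = m.group(1).lower()
        if name in PROHIBITED_LIBRARIES:
            findings.append({"line": lineno, "package": name,
                             "reason": PROHIBITED_LIBRARIES[name]})
    return findings


def exposed_private_keys(path: str, content: str) -> List[Dict]:
    """Report each private-key PEM header, with the line it sits on."""
    findings = []
    for lineno, line in enumerate(content.splitlines(), start=1):
        if PRIVATE_KEY_RE.search(line):
            findings.append({"file": path, "line": lineno, "header": line.strip()})
    return findings


def run_gate(repo: Dict[str, str]) -> Dict[str, list]:
    """Run both checks over every file and collect a machine-readable report."""
    report: Dict[str, list] = {"prohibited": [], "private_keys": []}
    for path, content in repo.items():
        if path.endswith("requirements.txt"):
            for finding in prohibited_dependencies(content):
                finding["file"] = path
                report["prohibited"].append(finding)
        report["private_keys"].extend(exposed_private_keys(path, content))
    return report


def gate_passes(report: Dict[str, list]) -> bool:
    """The CI step's exit status: any finding fails the build."""
    return not (report["prohibited"] or report["private_keys"])


if __name__ == "__main__":
    result = run_gate(SAMPLE_REPO)
    for f in result["prohibited"]:
        print(f"{f['file']}:{f['line']}: prohibited package {f['package']} ({f['reason']})")
    for f in result["private_keys"]:
        print(f"{f['file']}:{f['line']}: private key material committed")
    raise SystemExit(0 if gate_passes(result) else 1)
```

Both checks are cheap enough to run on every commit, which is the small-batch point: a banned import or a key added in today's change is reported against today's diff, not discovered in a week-long scan after the sprint. The report format is deliberately structured so the same findings can be attached to the pull request and fed to the security team's tracking.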

A DevOps collaboration culture can make security more pervasive

Collaboration is a key part of DevOps culture. Developers and operations are closely connected, but there is room for security too. Security professionals should consider providing checklists for developers as they integrate their code. Provide training on policies to developers and operations staff, including explanations as to why those policies are in place.

Offer best practices to developing secure code that help to prevent typical attacks such as SQL injection, cross-site scripting, and buffer overflows. Help operations teams keep current with secure configurations for infrastructure, be it container-based, cloud, virtual or physical.

In return, security must embrace DevOps culture as well. Keep in focus the goal of providing the business with agility as it relates to software. Practically, this results in activities such as blameless postmortems, where the goal is not to cast blame but to prevent recurring problems. It means organizing work through the use of Kanban boards, and leveraging lean manufacturing principles to drive efficiency. Study these techniques to participate more fully in DevOps, and find ways to embed security in them.

When vulnerabilities and violations are found, address them faster

The automation built into the DevOps platform makes code changes traceable, which can reduce the time required to find the source of a previously unknown vulnerability, thereby reducing exposure time and risk. Also, the smaller the batch size, the easier it is to trace.

From an operations perspective, using an infrastructure as code approach for provisioning operating systems, LDAP, and packages in code form makes the environment more reproducible and traceable. And you can share operational monitoring, used as a feedback loop for development, to provide feedback to security on unusual activity.

DevOps reduces the workload of compliance

Automation not only provides value by increasing the release velocity of business-enabling IT services, but also enforces the consistency of processes to reduce configuration mistakes, which can lead to vulnerabilities and compliance violations.

DevOps is based on auditable processes. These create a platform that you can test, allowing your organization to demonstrate to an auditor that the outcome is predictable. An auditor can trust the artifacts produced by the automation used in DevOps, while segregation of duties and access controls, including identity and access management, and privileged access management, can be built into the platform. This results in reduced workload to demonstrate that you are working according to your own policies and controls.

DevSecOps: The future of DevOps?

Perhaps the future of DevOps includes a name change to “DevSecOps,” or some derivation thereof. Regardless of what you call it, however, DevOps needs the support and participation of security and compliance to accomplish its goal of accelerating releases if it is to meet the needs of hypercompetitive business environments. Security, similarly, must take advantage of what DevOps can provide to support a more efficient security program.


Image credit: Flickr
