TECHNOLOGY RADAR VOL. 21
An opinionated guide to technology frontier

thoughtworks.com/radar #TWTechRadar

CONTRIBUTORS
The Technology Radar is prepared by the ThoughtWorks Technology Advisory Board — Rebecca Parsons (CTO), Martin Fowler (Chief Scientist), Bharani Subramaniam, Erik Dörnenburg, Evan Bottcher, Fausto de la Torre, Hao Xu, Ian Cartwright, James Lewis, Jonny LeRoy, Ketan Padegaonkar, Lakshminarasimhan Sudarshan, Marco Valtas, Mike Mason, Neal Ford, Ni Wang, Rachel Laycock, Scott Shaw, Shangqi Liu, Zhamak Dehghani

This edition of the ThoughtWorks Technology Radar is based on a meeting of the Technology Advisory Board in San Francisco in October 2019

TECHNOLOGY RADAR | 2 © ThoughtWorks, Inc. All Rights Reserved.

ABOUT THE RADAR

ThoughtWorkers are passionate about technology. We build it, research it, test it, open source it, write about it, and constantly aim to improve it — for everyone. Our mission is to champion software excellence and revolutionize IT. We create and share the ThoughtWorks Technology Radar in support of that mission. The ThoughtWorks Technology Advisory Board, a group of senior technology leaders at ThoughtWorks, creates the Radar. They meet regularly to discuss the global technology strategy for ThoughtWorks and the technology trends that significantly impact our industry.

The Radar captures the output of the Technology Advisory Board’s discussions in a format that provides value to a wide range of stakeholders, from developers to CTOs. The content is intended as a concise summary.

We encourage you to explore these technologies. The Radar is graphical in nature, grouping items into techniques, tools, platforms and languages & frameworks. When Radar items could appear in multiple quadrants, we chose the one that seemed most appropriate. We further group these items in four rings to reflect our current position on them.

For more background on the Radar, see thoughtworks.com/radar/faq.

RADAR AT A GLANCE

1 ADOPT
We feel strongly that the industry should be adopting these items. We use them when appropriate on our projects.

2 TRIAL
Worth pursuing. It’s important to understand how to build up this capability. Enterprises can try this technology on a project that can handle the risk.

3 ASSESS
Worth exploring with the goal of understanding how it will affect your enterprise.

4 HOLD
Proceed with caution.

NEW OR CHANGED / NO CHANGE
Items that are new or have had significant changes since the last Radar are represented as triangles, while items that have not changed are represented as circles.

Our Radar is forward looking. To make room for new items, we fade items that haven’t moved recently, which isn’t a reflection on their value but rather on our limited Radar real estate.

WHAT’S NEW
Highlighted themes in this edition

Cloud: Is More Less?

As the major cloud providers have achieved near parity on core functionality, the competitive focus has moved to the extra services they can provide, encouraging them to release new offerings at breakneck speed. In their haste to compete, they release new services with rough edges and incomplete features. The emphasis on speed and product proliferation, through either acquisition or hastily created services, often results not merely in bugs but also in poor documentation, difficult automation and incomplete integration with vendors’ own parts. This causes frustration for teams trying to deliver software using functionality promised by the cloud provider yet constantly hitting roadblocks. Companies choose cloud vendors for a variety of factors and often at a high level in the organization. Our advice for teams: don’t assume that all of your designated cloud provider’s services are of equal quality; test out key capabilities and be open to alternative open-source options or a polycloud strategy, if your own time-to-market trade-offs merit the operational overhead of managing them.

Protecting the Software Supply Chain

Organizations should resist ivory tower governance rules that require lengthy manual inspection and approval; rather, automated dependency protection (Dependency drift fitness function), security (Security policy as code) and other governance mechanisms (Run cost as architecture fitness function) protect the important but not urgent parts of software projects. This topic concerning policy, compliance and governance as code reappeared multiple times in our conversations. We see a natural evolution in the software development ecosystem of increasing automation: continuous integration with automated testing, continuous delivery, infrastructure as code, and now automated governance. Building automation around cloud cost, dependency management, architectural structure and other former manual processes shows a natural evolution; we’re learning how we can automate all important aspects of software delivery.

Interpreting the Black Box of ML

Machine learning often appears to discover solutions to problems that humans can’t, using pattern matching, back propagation and other well-known techniques. However, despite their power, many of these models are inherently opaque, meaning that their results can’t be explained in terms of logical inference. This is a problem when humans have a right to know how a decision was made or when there is a risk of introducing prejudice, sampling, algorithmic or other bias into the model. We’re now seeing the emergence of tools such as What-If and techniques such as ethical bias testing that help us find the limitations and predict the output of these models. While these improvements in interpretability are a step in the right direction, explaining deep neural networks remains an elusive goal. For that reason, data scientists are beginning to regard explainability as a first-class concern when choosing a machine learning model.

Software Development as a Team Sport

Since the early days of our Technology Radar, we’ve warned against tools and techniques that isolate members of software teams from one another, hampering feedback and collaboration. Often, when new specializations come along, practitioners, vendors and tools insist that some part of development must be done in an isolated environment, away from the chaos of “regular” development. We reject that claim and constantly look for new ways to reengage software development as a team sport. Feedback is critical when developing something as complex as software. While projects increasingly require specialization, we strive to fit them into regular collaboration and feedback. We particularly dislike the “10x engineers” meme and prefer to focus on creating and enabling “10x teams.” We see this currently playing out in how design, data science and security can be integrated into cross-functional teams and supported with solid automation. The next frontier is bringing more governance and compliance activities into the fold.

THE RADAR

TECHNIQUES

ADOPT
1. Container security scanning
2. Data integrity at the origin
3. Micro frontends
4. Pipelines for infrastructure as code
5. Run cost as architecture fitness function
6. Testing using real device

TRIAL
7. Automated machine learning (AutoML)
8. Binary attestation
9. Continuous delivery for machine learning (CD4ML)
10. Data discoverability
11. Dependency drift fitness function
12. Design systems
13. Experiment tracking tools for machine learning
14. Explainability as a first-class model selection criterion
15. Security policy as code
16. Sidecars for endpoint security
17. Zhong Tai

ASSESS
18. BERT
19. Data mesh
20. Ethical bias testing
21. Federated learning
22. JAMstack
23. Privacy-preserving record linkage (PPRL) using Bloom filter
24. Semi-supervised learning loops

HOLD
25. 10x engineers
26. Front-end integration via artifact
27. Lambda pinball
28. Legacy migration feature parity

PLATFORMS

TRIAL
29. Apache Flink
30. Apollo Auto
31. GCP Pub/Sub
32. Mongoose OS
33. ROS

ASSESS
34. AWS Cloud Development Kit
35. Azure DevOps
36. Azure Pipelines
37. Crowdin
38. Crux
39. Delta Lake
40. Fission
41. FoundationDB
42. GraalVM
43. Hydra
44. Kuma
45. MicroK8s
46. Oculus Quest
47. ONNX
48. Rootless containers
49. Snowflake
50. Teleport

TOOLS

ADOPT
51. Commitizen
52. ESLint
53. React Styleguidist

TRIAL
54. Bitrise
55. Dependabot
56. Detekt
57. Figma
58. Jib
59. Loki
60. Trivy
61. Twistlock
62. Yocto Project

ASSESS
63. Aplas
64. asdf-vm
65. AWSume
66. dbt
67. Docker Notary
68. Facets
69. Falco
70. in-toto
71. Kubeflow
72. MemGuard
73. Open Policy Agent (OPA)
74. Pumba
75. Skaffold
76. What-If Tool

HOLD
77. Azure Data Factory for orchestration

LANGUAGES & FRAMEWORKS

TRIAL
78. Arrow
79. Flutter
80. jest-when
81. Micronaut
82. React Hooks
83. React Testing Library
84. Styled components
85. Tensorflow

ASSESS
86. Fairseq
87. Flair
88. Gatsby.js
89. GraphQL
90. KotlinTest
91. NestJS
92. Paged.js
93. Quarkus
94. SwiftUI
95. Testcontainers

HOLD
96. Enzyme

TECHNIQUES

Container security scanning
ADOPT

The continued adoption of containers for deployments, especially Docker, has made container security scanning a must-have technique and we’ve moved this technique into Adopt to reflect that. Specifically, containers introduced a new path for security issues; it’s vital that you use tools to scan and check containers during deployment. We prefer using automated scanning tools that run as part of the deployment pipeline.

Data integrity at the origin
ADOPT

Today, many organizations’ answer to unlocking data for analytical usage is to build a labyrinth of data pipelines. Pipelines retrieve data from one or multiple sources, cleanse it and then transform and move it to another location for consumption. This approach to data management often leaves the consuming pipelines with the difficult task of verifying the inbound data’s integrity and building complex logic to cleanse the data to meet its required level of quality. The fundamental problem is that the source of the data has no incentive and accountability for providing quality data to its consumers. For this reason, we strongly advocate for data integrity at the origin, by which we mean that any source that provides consumable data must describe its measures of data quality explicitly and guarantee those measures. The main reason behind this is that the originating systems and teams are most intimately familiar with their data and best positioned to fix it at the source. Data mesh architecture takes this one step further, comparing consumable data to a product, where data quality and its objectives are integral attributes of every shared data set.

Micro frontends
ADOPT

We’ve seen significant benefits from introducing microservices, which have allowed teams to scale the delivery of independently deployed and maintained services. Unfortunately, we’ve also seen many teams create a front-end monolith — a large, entangled browser application that sits on top of the back-end services — largely neutralizing the benefits of microservices. Micro frontends have continued to gain in popularity since they were first introduced. We’ve seen many teams adopt some form of this architecture as a way to manage the complexity of multiple developers and teams contributing to the same user experience. In June of this year, one of the originators of this technique published an introductory article that serves as a reference for micro frontends. It shows how this style can be implemented using various web programming mechanisms and builds out an example application using React.js. We’re confident this style will grow in popularity as larger organizations try to decompose UI development across multiple teams.

Pipelines for infrastructure as code
ADOPT

The use of continuous delivery pipelines to orchestrate the release process for software has become a mainstream concept. CI/CD tools can be used to test server configuration (e.g., Chef cookbooks, Puppet modules, Ansible playbooks), server image building (e.g., Packer), environment provisioning (e.g., Terraform, CloudFormation) and the integration of environments. The use of pipelines for infrastructure as code lets you find errors before changes are applied to operational environments — including environments used for development and testing. They also offer a way to ensure that infrastructure tooling is run consistently, using CI/CD agents rather than individual workstations. Our teams have had good results adopting this technique on their projects.

Run cost as architecture fitness function
ADOPT

Automating the estimation, tracking and projection of cloud infrastructure’s run cost is necessary for today’s organizations. The cloud providers’ savvy pricing models, combined with the proliferation of pricing parameters and the dynamic nature of today’s architecture, can lead to surprisingly expensive run cost. For example, the price of serverless based on API calls, event streaming solutions based on traffic or data processing clusters based on running jobs all have a dynamic nature that changes over time as the architecture evolves. When our teams manage infrastructure on the cloud, implementing run cost as architecture fitness function is one of their early activities. This means that our teams can observe the cost of running services against the value delivered; when they see deviations from what was expected or acceptable, they’ll discuss whether it’s time to evolve the architecture. The observation and calculation of the run cost is implemented as an automated function.

Testing using real device
ADOPT

When adopting continuous delivery (CD) successfully, teams strive to make the various test environments look as close to production as possible. This allows them to avoid bugs that would otherwise only show themselves in the production environment. This remains just as valid for embedded and Internet of Things software; if we don’t run our tests in realistic environments we can expect to find some bugs for the first time in production. Testing using real devices helps avoid this issue by making sure the right devices are available in the CD pipeline.

Automated machine learning (AutoML)
TRIAL

The power and promise of machine learning has created a demand for expertise that outstrips the supply of data scientists who specialize in this area. In response to this skills gap, we’ve seen the emergence of Automated machine learning (AutoML) tools that purport to make it easy for nonexperts to automate the end-to-end process of model selection and training. Examples include Google’s AutoML, DataRobot and the H2O AutoML interface. Although we’ve seen promising results from these tools, we’d caution businesses against viewing them as the sum total of their machine-learning journey. As stated on the H2O website, “there is still a fair bit of knowledge and background in data science that is required to produce high-performing machine learning models.” Blind trust in automated techniques also increases the risk of introducing ethical bias or making decisions that disadvantage minorities. While businesses may use these tools as a starting point to generate useful, trained models, we encourage them to seek out experienced data scientists to validate and refine the results.

Automated machine learning (AutoML) tools have emerged to fill the gap between the supply and demand for data scientists that specialize in ML. These tools are a useful starting point — but produce best results when used by experts. (AutoML)

Binary attestation
TRIAL

As the usage of containers, deployment of large fleets of services by autonomous teams and increased speed of continuous delivery become common practice for many organizations, the need for automated deploy-time software security controls arises. Binary attestation is a technique to implement deploy-time security control: to cryptographically verify that a binary image is authorized for deployment. Using this technique, an attestor (an automated build process or a security team) signs off the binaries that have passed the required quality checks and tests and are authorized to be deployed. Services such as GCP Binary Authorization enabled by Grafeas, and tools such as in-toto and Docker Notary, support creating attestations and validating the image signatures before deployment.

Binary attestation is a technique to implement deploy-time security control, to cryptographically verify that a binary image is authorized for deployment. (Binary attestation)

Continuous delivery for machine learning (CD4ML)
TRIAL

With the increased popularity of ML-based applications, and the technical complexity involved in building them, our teams rely heavily on continuous delivery for machine learning (CD4ML) to deliver such applications safely, quickly and in a sustainable manner. CD4ML is the discipline of bringing CD principles and practices to ML applications. It removes long cycle times between training models and deploying them to production. CD4ML removes manual handoffs between different teams (data engineers, data scientists and ML engineers) in the end-to-end process of building and deploying a model served by an application. Using CD4ML, our teams have successfully implemented automated versioning, testing and deployment of all components of ML-based applications: data, model and code.
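The deploy-time gate that the Binary attestation blip above describes, as an added worked example (this is not ThoughtWorks code and not how Binary Authorization, in-toto or Notary implement it). An attestor signs a statement binding the check it performed to the exact digest of the image; the gate admits the image only when a valid attestation from every attestor the policy requires is present. HMAC-SHA256 stands in for the asymmetric signature a real system would use, so the attestor key table, image bytes and policy are all constructed for the example; with real signatures the verifier would hold only public keys.

```python
"""Deploy-time authorization modelled on binary attestation (added example).

HMAC-SHA256 is a stand-in for an asymmetric signature: in production the
attestor signs with a private key and the gate verifies with the public key.
"""
import hashlib
import hmac
import json

# Constructed attestor keys for the example; real keys live in a KMS/HSM.
ATTESTOR_KEYS = {
    "ci-build": b"constructed-ci-key",
    "security-review": b"constructed-security-review-key",
}


def image_digest(image_bytes: bytes) -> str:
    """Content-address the artefact: tags are mutable, digests are not."""
    return "sha256:" + hashlib.sha256(image_bytes).hexdigest()


def canonical(statement: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash the same bytes."""
    return json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()


def attest(attestor: str, digest: str, check: str) -> dict:
    """The attestor signs a statement: 'I performed <check> on exactly <digest>'."""
    statement = {"attestor": attestor, "subject": digest, "check": check}
    sig = hmac.new(ATTESTOR_KEYS[attestor], canonical(statement), hashlib.sha256).hexdigest()
    return {"statement": statement, "signature": sig}


def verify_attestation(att: dict, digest: str) -> bool:
    """Valid only if signed by a known attestor and bound to this digest."""
    stmt = att["statement"]
    key = ATTESTOR_KEYS.get(stmt.get("attestor"))
    if key is None or stmt.get("subject") != digest:
        return False
    expected = hmac.new(key, canonical(stmt), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, att["signature"])


def authorize_deploy(image_bytes: bytes, attestations: list, required: dict) -> tuple:
    """required maps attestor -> the check that attestor must have signed off.

    Returns (allowed, reason). Any tampering with the image changes its digest,
    which silently invalidates every attestation bound to the old digest.
    """
    digest = image_digest(image_bytes)
    satisfied = set()
    for att in attestations:
        if verify_attestation(att, digest):
            stmt = att["statement"]
            if required.get(stmt["attestor"]) == stmt["check"]:
                satisfied.add(stmt["attestor"])
    missing = sorted(set(required) - satisfied)
    if missing:
        return False, f"{digest} missing valid attestation from: {', '.join(missing)}"
    return True, f"{digest} authorized for deployment"


# Constructed policy and image for the example run.
POLICY = {"ci-build": "tests-passed", "security-review": "scan-clean"}
IMAGE = b"constructed image bytes v1"

if __name__ == "__main__":
    d = image_digest(IMAGE)
    atts = [attest("ci-build", d, "tests-passed"), attest("security-review", d, "scan-clean")]
    print(authorize_deploy(IMAGE, atts, POLICY))
    print(authorize_deploy(IMAGE + b"tampered", atts, POLICY))
```

The gate checks three things separately: that the signature verifies under a trusted attestor key, that the statement names this image's digest, and that the check attested is the one the policy asked that attestor for. Dropping any of the three lets an attestation for a different image, a different check, or an unknown signer through.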

Data discoverability
TRIAL

One of the main points of friction for data scientists and analysts in their workflow is to locate the data they need, make sense of it and evaluate whether it’s trustworthy to use. This remains a challenge due to the missing metadata about the available data sources and the lack of adequate functionality needed to search and locate data. We encourage teams who are providing analytical data sets or building data platforms to make data discoverability a first-class function of their environments: to provide the ability to easily locate available data, detect its quality, understand its structure and lineage and get access to it. Traditionally this function has been provided by bloated data cataloguing solutions. In recent years, we’ve seen the growth of open-source projects that are improving developer experiences for both data providers and data consumers to do one thing really well: to make data discoverable. Amundsen by Lyft and WhereHows by LinkedIn are among these tools. What we like to see is a change in providers’ behavior to intentionally share the metadata that helps discoverability, in favor of discoverability tools that infer partial metadata information from silos of application databases.

Dependency drift fitness function
TRIAL

Many teams and organizations have no formal or consistent way of tracking technical dependencies in their software. This issue often shows itself when that software needs to be changed, at which point the use of an outdated version of a library, API or component will cause problems or delay. Dependency drift fitness function is a technique to introduce a specific evolutionary architecture fitness function to track these dependencies over time, thus giving an indication of the possible work needed and whether a potential issue is getting better or worse.

Design systems
TRIAL

As application development becomes increasingly dynamic and complex, it’s a challenge to achieve the effective delivery of accessible and usable products that are consistent in style. Design systems define a collection of design patterns, component libraries and good design and engineering practices that ensure consistency in the development of digital products. We’ve found design systems a useful addition to our toolbox when working across teams and disciplines in product development, because they allow teams to focus on more strategic challenges around the product itself without the need to reinvent the wheel every time they need to add a visual component. The types of components and tools you use to create design systems can vary greatly.

Experiment tracking tools for machine learning
TRIAL

The day-to-day work of machine learning often boils down to a series of experiments in selecting a modeling approach, the network topology, training data and various optimizations or tweaks to the model. Because many of these models are still difficult to interpret or explain, data scientists must use experience and intuition to hypothesize changes and then measure the impact those changes have on the overall performance of the model. As these models have become increasingly common in business systems, several different experiment tracking tools for machine learning have emerged to help investigators keep track of these experiments and work through them methodically. Although no clear winner has emerged, tools such as MLflow or Weights & Biases and platforms such as Comet or Neptune have introduced rigor and repeatability into the entire machine learning workflow. They also facilitate collaboration and help turn data science from a solitary endeavor into a team sport.

Explainability as a first-class model selection criterion
TRIAL

Deep neural networks have demonstrated remarkable recall and accuracy across a wide range of problems. Given sufficient training data and an appropriately chosen topology, these models meet and exceed human capabilities in certain select problem spaces. However, they’re inherently opaque. Although parts of models can be reused through transfer learning, we’re seldom able to ascribe any human-understandable meaning to these elements. In contrast, an explainable model is one that allows us to say how a decision was made. For example, a decision tree yields a chain of inference that describes the classification process. Explainability becomes critical in certain regulated industries or when we’re concerned about the ethical impact of a decision. As these models are incorporated more widely into critical business systems, it’s important to consider explainability as a first-class model selection criterion. Despite their power, neural networks might not be an appropriate choice when explainability requirements are strict.

Deep neural networks have demonstrated remarkable recall and accuracy across a wide range of problems. But as their use increases, so too does the importance of being able to explain how specific decisions are reached. (Explainability as a first-class model selection criterion)
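A minimal dependency drift fitness function of the kind the Dependency drift fitness function blip above calls for, as an added example (not ThoughtWorks code). It pins each locked dependency against the newest release the registry reports, weights how far behind it is, and turns the total into a pass/fail check plus a trend against the previous run, so the pipeline can tell whether drift is getting better or worse. The lock file, the registry snapshot and the weights are constructed for the example; a real implementation would read the project's own lock file and query its package registry.

```python
"""Dependency drift fitness function (added example).

Drift is scored per dependency by how far the pinned version lags the latest
release; the fitness function fails on any major-version lag or when the total
score exceeds a budget, and reports the trend against the previous measurement.
"""
import re

# Constructed lock file content (pinned versions) for the example.
LOCKFILE = """\
requests==2.19.1
urllib3==1.24.3
pyyaml==5.1
cryptography==2.8
"""

# Constructed snapshot of "latest release" as a registry would report it.
REGISTRY_LATEST = {
    "requests": "2.22.0",
    "urllib3": "1.25.7",
    "pyyaml": "5.1",
    "cryptography": "2.8",
}

# Constructed weights: a major-version lag is far more work than a patch lag.
WEIGHTS = {"major": 10, "minor": 3, "patch": 1, "current": 0}


def parse_lock(text: str) -> dict:
    """Return {name: pinned_version} for every 'name==version' line."""
    deps = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9_.-]+)==([0-9][0-9.]*)\s*$", line)
        if m:
            deps[m.group(1).lower()] = m.group(2)
    return deps


def parse_version(v: str) -> tuple:
    """'5.1' -> (5, 1, 0); keeps exactly three numeric components."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def drift_level(pinned: str, latest: str) -> str:
    p, l = parse_version(pinned), parse_version(latest)
    if l <= p:
        return "current"
    if l[0] > p[0]:
        return "major"
    if l[1] > p[1]:
        return "minor"
    return "patch"


def measure(lock_text: str, registry: dict) -> dict:
    """Per-dependency drift report; dependencies unknown to the registry are skipped."""
    report = {}
    for name, pinned in parse_lock(lock_text).items():
        latest = registry.get(name)
        if latest is None:
            continue
        level = drift_level(pinned, latest)
        report[name] = {"pinned": pinned, "latest": latest,
                        "level": level, "score": WEIGHTS[level]}
    return report


def fitness(report: dict, max_score: int = 10, previous_score=None) -> dict:
    """Pass/fail plus trend: any major lag fails, as does exceeding the budget."""
    score = sum(r["score"] for r in report.values())
    majors = sorted(n for n, r in report.items() if r["level"] == "major")
    if previous_score is None:
        trend = None
    elif score < previous_score:
        trend = "improving"
    elif score > previous_score:
        trend = "worsening"
    else:
        trend = "flat"
    return {"score": score, "passed": not majors and score <= max_score,
            "majors": majors, "trend": trend}


if __name__ == "__main__":
    rep = measure(LOCKFILE, REGISTRY_LATEST)
    print(fitness(rep, previous_score=9))  # score 6, passed, improving
```

Storing each run's score beside the build metadata is what makes the trend meaningful: a single snapshot says how far behind the project is, the series says whether the team's upgrade cadence is keeping pace.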

Security policy as code
TRIAL

Security policies are rules and procedures that protect our systems from threats and disruption. For example, access control policies define and enforce who can access which services and resources under what circumstances; or network security policies can dynamically limit the traffic rate to a particular service. The complexity of the technology landscape today demands treating security policy as code: define and keep policies under version control, automatically validate them, automatically deploy them and monitor their performance. Tools such as Open Policy Agent, or platforms such as Istio, provide flexible policy definition and enforcement mechanisms that support the practice of security policy as code.

The complexity of the technology landscape today demands we treat security policy as code; define and keep policies under version control, automatically validate them, automatically deploy them and monitor their performance. (Security policy as code)

Sidecars for endpoint security
TRIAL

Many of the technical solutions we build today run in increasingly complex polycloud or hybrid-cloud environments with multiple distributed components and services. Under such circumstances, we apply two security principles early in implementation: zero trust network, never trust the network and always verify; and the principle of least privilege, granting the minimum permissions necessary for performing a particular job. Sidecars for endpoint security is a common technique we use to implement these principles to enforce security controls at every component’s endpoint, e.g., APIs of services, data stores or Kubernetes control interface. We do this using an out-of-process sidecar — a process or a container that is deployed and scheduled with each service sharing the same execution context, host and identity. Open Policy Agent and Envoy are tools that implement this technique. Sidecars for endpoint security minimize the trusted footprint to a local endpoint rather than the network perimeter. We like to see the responsibility of the sidecar’s security policy configuration left with the team that is responsible for the endpoint and not a separate centralized team.

Zhong Tai
TRIAL

Zhong Tai has been a buzzword in the Chinese IT industry for years, but it has yet to catch on in the West. At its core, Zhong Tai is an approach to delivering encapsulated business models. It’s designed to help a new breed of small businesses deliver first-rate services without the costs of traditional enterprise infrastructure and to enable existing organizations to bring innovative services to market at breakneck speeds. The Zhong Tai strategy was originally proposed by Alibaba and soon followed by many Chinese Internet companies, because their business model is digital native, making it suitable to replicate for new markets and sectors. Nowadays, more Chinese firms are using Zhong Tai as a lever for digital transformation.

Zhong Tai is an approach to delivering encapsulated business models. It’s designed to help a new breed of small businesses deliver first-rate services without the costs of traditional enterprise infrastructure. (Zhong Tai)

BERT
ASSESS

BERT stands for Bidirectional Encoder Representations from Transformers; it’s a new method of pretraining language representations which was published by researchers at Google in October 2018. BERT has significantly altered the natural language processing (NLP) landscape by obtaining state-of-the-art results on a wide array of NLP tasks. Based on the Transformer architecture, it learns from both the left and right side of a token’s context during training. Google has also released pretrained general-purpose BERT models that have been trained on a large corpus of unlabelled text including Wikipedia. Developers can use and fine-tune these pretrained models on their task-specific data and achieve great results. We talked about transfer learning for NLP in our April 2019 edition of the Radar; BERT and its successors continue to make transfer learning for NLP a very exciting field with significant reduction in effort for users dealing with text classification.

Data mesh
ASSESS

Data mesh is an architectural paradigm that unlocks analytical data at scale, rapidly unlocking access to an ever-growing number of distributed domain data sets for a proliferation of consumption scenarios such as machine learning, analytics or data intensive applications across the organization. Data mesh addresses the common failure modes of the traditional centralized data lake or data platform architecture, with a shift from the centralized paradigm of a lake, or its predecessor, the data warehouse. Data mesh shifts to a paradigm that draws from modern distributed architecture: considering domains as the first-class concern, applying platform thinking to create a self-serve data infrastructure, treating data as a product and implementing open standardization to enable an ecosystem of interoperable distributed data products.
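What "security policy as code" looks like in practice for the access-control case the Security policy as code blip above uses, as an added example (not ThoughtWorks, OPA or Istio code). The policy is a plain data document that lives in version control, an evaluator applies it to each request with explicit deny winning over allow and default deny when nothing matches, and a validation step the pipeline runs before deploying a policy change checks invariants (default deny, unique rule ids, no wildcard allow for any role, no anonymous write) and a fixed set of regression decisions that must never change. The policy, roles, resources and regression cases are all constructed for the example.

```python
"""Security policy as code: versioned policy data, evaluator, pipeline validation (added example)."""

# Constructed access-control policy; in a real project this file is reviewed and
# versioned like any other code, and validate() runs in CI before it is deployed.
POLICY = {
    "default": "deny",
    "rules": [
        {"id": "r1", "effect": "allow", "roles": ["analyst"],
         "actions": ["read"], "resources": ["reports/*"]},
        {"id": "r2", "effect": "allow", "roles": ["admin"],
         "actions": ["read", "write"], "resources": ["reports/*", "users/*"]},
        {"id": "r3", "effect": "deny", "roles": ["*"],
         "actions": ["write"], "resources": ["reports/archive/*"]},
    ],
}

# Decisions that must hold for every future revision of the policy (constructed).
REGRESSION_CASES = [
    (["anonymous"], "read", "users/42", "deny"),
    (["admin"], "write", "reports/archive/2018", "deny"),
    (["analyst"], "read", "reports/q3", "allow"),
]


def matches(pattern: str, value: str) -> bool:
    """'*' matches anything; 'prefix/*' matches anything under that prefix."""
    if pattern == "*" or pattern == value:
        return True
    return pattern.endswith("/*") and value.startswith(pattern[:-1])


def evaluate(policy: dict, principal_roles: list, action: str, resource: str) -> tuple:
    """Return (decision, rule_id). Explicit deny beats allow; else the default applies."""
    allowed_by = []
    for rule in policy["rules"]:
        if not any(matches(r, role) for r in rule["roles"] for role in principal_roles):
            continue
        if not any(matches(a, action) for a in rule["actions"]):
            continue
        if not any(matches(p, resource) for p in rule["resources"]):
            continue
        if rule["effect"] == "deny":
            return "deny", rule["id"]
        allowed_by.append(rule["id"])
    if allowed_by:
        return "allow", allowed_by[0]
    return policy["default"], None


def validate(policy: dict) -> list:
    """Invariants and regression decisions checked before a policy change ships."""
    problems = []
    if policy.get("default") != "deny":
        problems.append("default must be deny")
    ids = [r["id"] for r in policy["rules"]]
    if len(ids) != len(set(ids)):
        problems.append("duplicate rule ids")
    for r in policy["rules"]:
        if r["effect"] != "allow":
            continue
        if "*" in r["roles"] and ("*" in r["actions"] or "*" in r["resources"]):
            problems.append(f"{r['id']}: wildcard allow for any role")
        if "anonymous" in r["roles"] and "write" in r["actions"]:
            problems.append(f"{r['id']}: anonymous write")
    for roles, action, resource, expected in REGRESSION_CASES:
        got = evaluate(policy, roles, action, resource)[0]
        if got != expected:
            problems.append(f"{roles} {action} {resource}: expected {expected}, got {got}")
    return problems


if __name__ == "__main__":
    print(validate(POLICY))  # [] means the policy may be deployed
    print(evaluate(POLICY, ["admin"], "write", "reports/archive/2018"))
```

The regression cases are the part teams most often skip: they turn the intent behind the policy ("anonymous never reads user records") into a test that fails the build when a later rule change quietly widens access.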

Ethical bias testing
ASSESS

Over the past year, we’ve seen a shift in interest around machine learning and deep neural networks in particular. Until now, tool and technique development has been driven by excitement over the remarkable capabilities of these models. Currently though, there is rising concern that these models could cause unintentional harm. For example, a model could be trained to make profitable credit decisions by simply excluding disadvantaged applicants. Fortunately, we’re seeing a growing interest in ethical bias testing that will help to uncover potentially harmful decisions. Tools such as lime, AI Fairness 360 or What-If can help uncover inaccuracies that result from underrepresented groups in training data, and visualization tools such as Google Facets or Facets Dive can be used to discover subgroups within a corpus of training data. However, this is a developing field and we expect standards and practices specific to ethical bias testing to emerge over time.

Federated learning
ASSESS

Model training generally requires collecting data from its source and transporting it to a centralized location where the model training algorithm runs. This becomes particularly problematic when the training data consists of personally identifiable information. We’re encouraged by the emergence of federated learning as a privacy-preserving method for training on a large diverse set of data relating to individuals. Federated learning techniques allow the data to remain on the users’ device, under their control, yet contribute to an aggregate corpus of training data. In one such technique, each user device updates a model independently; then the model parameters, rather than the data itself, are combined into a centralized view. Network bandwidth and device computational limitations present some significant technical challenges, but we like the way federated learning leaves users in control of their own personal information.

We’re encouraged by the emergence of federated learning as a privacy-preserving method for training on a large diverse set of data relating to individuals. (Federated learning)

JAMstack
ASSESS

The trend that started as backend as a service for native mobile apps many years ago is now becoming popular with web applications. We’re seeing frameworks such as Gatsby.js that combine static site generation and client-side rendering with third-party APIs. Referred to as JAMstack (the JAM stands for JavaScript, API, and Markup), this approach can provide rich user experiences to web applications that rely mostly on APIs and SaaS offerings. Because the HTML is rendered either in the web browser or at build time, the deployment model is the same as fully statically generated sites, with all its benefits: the attack surface on the server is small and great performance can be achieved with low resource usage. Such deployments are also ideal for a content delivery network. In fact, we toyed with the idea of labelling this technique as CDN first applications.

JAMstack can provide rich user experiences to web applications that rely mostly on APIs and SaaS offerings. (JAMstack)

Privacy-preserving record linkage (PPRL) using Bloom filter
ASSESS

Linking records from different data providers in the presence of a shared key is trivial. However, you may not always have a shared key; even if you do, it may not be a good idea to expose it due to privacy concerns. Privacy-preserving record linkage (PPRL) using Bloom filter (a space-efficient probabilistic data structure) is an established technique that allows probabilistic linkage of records from different data providers without exposing privately identifiable personal data. For example, when linking data from two data providers, each provider encrypts its personally identifiable data using Bloom filter to get cryptographic linkage keys and then sends them to you via a secure channel. Once the data is received, the records can be linked by computing similarity scores between sets of cryptographic linkage keys from each provider. Among other techniques, we found PPRL using Bloom filters to be scalable for large data sets.

Semi-supervised learning loops
ASSESS

Semi-supervised learning loops are a class of iterative machine-learning workflows that take advantage of the relationships to be found in unlabeled data. These techniques may improve models by combining labeled and unlabeled data sets in various ways. In other cases they compare models trained on different subsets of the data. Unlike either unsupervised learning, where a machine infers classes in unlabeled data, or supervised techniques, where the training set is entirely labeled, semi-supervised techniques take advantage of a small set of labeled data and a much larger set of unlabeled data. Semi-supervised learning is also closely related to active learning techniques where a human is directed to selectively label ambiguous data points. Since expert humans that can accurately label data are a scarce resource and labeling is often the most time-consuming activity in the machine-learning workflow, semi-supervised techniques lower the cost of training and make machine learning feasible for a new class of users.

TECHNOLOGY RADAR | 10 © ThoughtWorks, Inc. All Rights Reserved. infers classes in unlabeled data or supervised buckets and queues as requests bounce TECHNIQUES techniques where the training set is entirely Front-end integration via around increasingly complex graphs of cloud labeled, semi-supervised techniques take artifact services. Typically they’re hard to test as units, — advantage of a small set of labeled data and HOLD and the application needs must be tested as a much larger set of unlabeled data. Semi- an integrated whole. One pattern we can use supervised learning is also closely related to When teams embrace the concept of micro to avoid these pinball architectures is to draw active learning techniques where a human frontends they have a number of patterns at a distinction between public and published In our experience, great is directed to selectively label ambiguous their disposal to integrate the individual micro interfaces and apply good old domain engineers are driven not data points. Since expert humans that can frontends into one application. As always boundaries with published interfaces between by their own individual accurately label data are a scarce resource there are antipatterns, too. A common one in them. output, but by working in and labeling is often the most time-consuming this case is front-end integration via artifact. For each micro frontend an artifact is built, (and working to create) activity in the machine-learning workflow, semi-supervised techniques lower the cost of usually an NPM package, which is pushed Legacy migration feature parity amazing teams. training and make machine learning feasible into a registry. A later step, sometimes in a HOLD for a new class of users. different build pipeline, then combines the (10x engineers) individual packages into a final package that We find that more and more organizations contains all micro frontends. 
From a purely need to replace aging legacy systems to keep 10x engineers technical perspective this integration at build up with the demands of their customers (both HOLD time results in a working application. However, internal and external). One antipattern we integrating via artifact implies that for each keep seeing is legacy migration feature parity, The old term 10x engineer has come under change the full artifact needs to be rebuilt, the desire to retain feature parity with the old. scrutiny these past few months. A widely which is time consuming and will likely have We see this as a huge missed opportunity. shared thread essentially suggests a negative impact on developer experience. Often the old systems have bloated over time, companies should excuse antisocial and Worse, this style of integrating frontends also with many features unused by users (50% damaging behaviors in order to retain introduces direct dependencies between the according to a 2014 Standish Group report) engineers who are perceived as having micro frontends at build time and therefore and business processes that have evolved immense individual output. Thankfully, causes considerable coordination overhead. over time. Replacing these features is a waste. many people on social media made fun Our advice: Convince your customers to take of the concept, but the stereotype of the a step back and understand what their users “rockstar developer” is still pervasive. In our Lambda pinball currently need and prioritize these needs experience, great engineers are driven not by HOLD against business outcomes and metrics — individual output but by working in amazing which often is easier said than done. This teams. 
It’s more effective to build teams of We’ve been building serverless architectures means conducting user research and applying talented individuals with mixed experiences on our projects for a couple of years now, modern product development practices and diverse backgrounds and provide the and we’ve noticed that it’s quite easy to rather than simply replacing the existing ones. right ingredients for teamwork, learning and fall into the trap of building a distributed continuous improvement. These 10x teams monolith. Lambda pinball architectures can move faster, scale more quickly and are characteristically lose sight of important much more resilient — without needing to domain logic in the tangled web of lambdas, pander to bad behaviors.
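Returning to the Privacy preserving record linkage (PPRL) item above: the following is a worked version of the Bloom-filter linkage it describes, added here as an illustration and not code from the Radar or from any PPRL library. It assumes a secret HMAC key shared only between the two data providers (the linkage party never sees it), a 1,000-bit filter with 10 keyed hash functions per character bigram, a Dice-coefficient match threshold of 0.8, and constructed sample records; all of these values are assumptions, not figures from the page.

```python
import hashlib
import hmac
from typing import Dict, List, Set, Tuple

FILTER_BITS = 1000      # m: length of each Bloom filter (assumed value)
HASH_FUNCTIONS = 10     # k: keyed hash functions applied to each bigram (assumed value)

# Secret shared by the two data providers only.  The party doing the linkage
# never receives it, so it cannot map filters back to names.  (Constructed value.)
PROVIDER_SECRET = b"constructed-shared-secret-between-providers"


def bigrams(value: str) -> Set[str]:
    """Character bigrams of a normalized field, padded so that the first and
    last characters contribute too: "ann" -> {"_a", "an", "nn", "n_"}."""
    padded = f"_{' '.join(value.lower().split())}_"
    return {padded[i:i + 2] for i in range(len(padded) - 1)}


def bloom_encode(value: str, secret: bytes,
                 m: int = FILTER_BITS, k: int = HASH_FUNCTIONS) -> int:
    """Encode one field value as a Bloom filter held in an int bitmask.

    Every bigram is hashed k times with HMAC-SHA256 under the providers'
    secret; each digest selects one bit to set.  Keyed hashing is what stops
    a third party from testing whether a guessed name produces a given filter."""
    bits = 0
    for gram in bigrams(value):
        for i in range(k):
            digest = hmac.new(secret, f"{i}:{gram}".encode("utf-8"), hashlib.sha256).digest()
            bits |= 1 << (int.from_bytes(digest[:8], "big") % m)
    return bits


def dice_similarity(a: int, b: int) -> float:
    """Dice coefficient of two bit sets: 2 * |A and B| / (|A| + |B|)."""
    shared = bin(a & b).count("1")
    total = bin(a).count("1") + bin(b).count("1")
    return 2.0 * shared / total if total else 0.0


def encode_record(record: Dict[str, str], secret: bytes) -> Dict[str, int]:
    """What a provider sends over the secure channel: one filter per PII field."""
    return {field: bloom_encode(value, secret) for field, value in record.items()}


def link_score(enc_a: Dict[str, int], enc_b: Dict[str, int]) -> float:
    """Mean Dice similarity over the fields both encoded records carry."""
    fields = [f for f in enc_a if f in enc_b]
    return sum(dice_similarity(enc_a[f], enc_b[f]) for f in fields) / len(fields)


def link(encoded_a: List[Dict[str, int]], encoded_b: List[Dict[str, int]],
         threshold: float = 0.8) -> List[Tuple[int, int, float]]:
    """The linkage party's job: pair up records whose filters are similar
    enough.  It only ever handles bitmasks, never the underlying names."""
    matches = []
    for i, ea in enumerate(encoded_a):
        for j, eb in enumerate(encoded_b):
            score = link_score(ea, eb)
            if score >= threshold:
                matches.append((i, j, round(score, 3)))
    return matches


# Constructed sample records from two providers (not real people).
PROVIDER_A = [
    {"given": "Jonathan", "family": "Smith"},
    {"given": "Maria", "family": "Garcia"},
]
PROVIDER_B = [
    {"given": "Jonathon", "family": "Smith"},   # misspelled variant of A[0]
    {"given": "Wei", "family": "Zhang"},
]


def demo() -> List[Tuple[int, int, float]]:
    """Each provider encodes locally; only the encodings reach the linker."""
    enc_a = [encode_record(r, PROVIDER_SECRET) for r in PROVIDER_A]
    enc_b = [encode_record(r, PROVIDER_SECRET) for r in PROVIDER_B]
    return link(enc_a, enc_b)


if __name__ == "__main__":
    print(demo())
```

The misspelled "Jonathon Smith" still links to "Jonathan Smith" because most of its bigrams, and therefore most of its filter bits, coincide, while unrelated names share only the odd bit by collision. The keyed hash is the part to get right in practice: if the linkage party also holds the HMAC secret it can run dictionary attacks against the filters, so keep the secret between the providers and rotate it per linkage exercise.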

TECHNOLOGY RADAR | 11 © ThoughtWorks, Inc. All Rights Reserved. PLATFORMS

Apache Flink the Apollo-based autopilot system. Apollo 28 TRIAL also provides an evolutionary architecture ADOPT approach to adopt advanced features 64 27 TRIAL 24 Apache Flink has seen increasing adoption gradually, which enables us to integrate 63 29. Apache Flink 23 65 66 since our initial assessment in 2016. more sensors and functions in an agile, 67 30. Apollo Auto 22 77 Flink is recognized as the leading stream- iterative way. 31. GCP Pub/Sub 68 processing engine and also gradually 32. Mongoose OS 69 26 54 matured in the fields of batch processing 33. ROS 21 and machine learning. One of Flink’s GCP Pub/Sub 70 15 71 TRIAL 17 56 57 key differentiator from other stream- ASSESS 16 55 processing engines is its use of consistent 34. AWS Cloud Development Kit 20 14 72 checkpoints of an application’s state. In the GCP Pub/Sub is Google Cloud’s event 35. Azure DevOps 12 13 11 58 73 streaming platform. It’s a popular 6 event of failure, the application is restarted 36. Azure Pipelines 25 59 19 and its state is loaded from the latest piece of infrastructure for many of our 37. Crowdin 10 5 74 architectures running Google Cloud 51 60 checkpoint — so that the application can 38. Crux 4 continue processing as if the failure had Platform, including mass event ingestion, 39. Delta Lake 9 61 75 18 8 3 40. Fission 52 never happened. This helps us to reduce communication of serverless workloads 2 53 62 76 7 the complexity of building and operating and streaming data-processing workflows. 41. FoundationDB 1 external systems for fault tolerance. We One of its unique features is support of 42. GraalVM HOLD ASSESS TRIAL ADOPT ADOPT TRIAL ASSESS HOLD pull and push subscriptions: subscribing 43. Hydra 34 see more and more companies using Flink 85 to receive all published available 44. Kuma to build their data-processing platform. 35 29 95 at the time of subscription or pushing 45. MicroK8s 46. Oculus Quest 84 messages to a particular endpoint. Our 36 83 47. 
ONNX 94 teams have enjoyed its reliability and scale Apollo Auto 48. Rootless containers 37 TRIAL and that it just works as advertised. 49. Snowflake 38 30 93

50. Teleport 39 31 81 32 Once exclusive to tech giants, self-driving 79 82 78 Mongoose OS 40 technology isn’t rocket science anymore, HOLD 92 as demonstrated by Apollo Auto. The goal TRIAL 41 80 42 of the Baidu-owned Apollo program is to 43 91 Mongoose OS remains one of our 90 become the Android of the autonomous 33 driving industry. The Apollo platform preferred open-source microcontroller 44 45 89 96 has components such as perception, operating systems and embedded firmware 47 development frameworks. It’s worth 46 simulation, planning and intelligent control 48 50 88 noting that Mongoose OS fills a noticeable that enable car companies to integrate 49 87 their own autonomous driving systems into gap for embedded software developers: 86 their vehicles’ hardware. The developer the gap between Arduino firmware community is still new but with a lot of suitable for prototyping and bare-metal vendors joining to contribute more ports. microcontrollers’ native SDKs. Our teams One of our projects helped our client to have successfully used Cesanta’s new complete self-driving license exams with end-to-end device management platform,

TECHNOLOGY RADAR | 12 © ThoughtWorks, Inc. All Rights Reserved. mDash, for small-scale greenfield hardware is still needed to ensure deployments remain Crowdin PLATFORMS projects. Major Internet of Things (IoT) easy to understand and maintain. Given that ASSESS cloud platform providers today support support for # and Java is coming soon and — the Mongoose OS development framework ignoring for now some gaps in functionality, Most of the projects with multilingual for their device management, connectivity, we think AWS CDK is worth watching as an support start with development teams and over-the-air (OTA) firmware upgrades. alternative to other configuration file–based building features in one language and Since we last reported on Mongoose OS, approaches. managing the rest through offline Apache Flink is the leading the number of supported boards and translation via emails and spreadsheets. stream-processing engine microcontrollers has grown to include Although this simple setup works, things and is also maturing STM, Texas and Espressif. We Azure DevOps can quickly get out of hand. You may have in the fields of batch continue to enjoy its seamless support for ASSESS to keep answering the same questions processing and machine OTA updates and its built-in security at the for different language translators, sucking individual device level. Azure DevOps services include a set of learning. the energy out of the collaboration managed services such as hosted Git repos, between translators, proofreaders and

CI/CD pipelines, automated testing tooling, the development team. Crowdin is one (Apache Flink) ROS backlog management tooling and artifact of a handful of platforms that help in TRIAL repository. Azure DevOps Pipelines have streamlining the localization workflow of been maturing over time. We particularly your project. With Crowdin the development ROS (Robot ) is a set like its ability to define Pipelines as code team can continue building features and of libraries and tools to help software and its ecosystem of extensions on the the platform streamlines the text that The goal of the Baidu- developers create robot applications. It’s Azure DevOps marketplace. At the time needs translation into an online workflow. owned Apollo program is a development framework that provides of writing, our teams are still running into We like that Crowdin nudges the teams to to become the Android of hardware abstraction, device drivers, a few immature features, including lack continuously and incrementally incorporate the autonomous driving libraries, visualizers, message-passing, of an effective UI for pipeline visualization translation rather than managing them in package management and more. Apollo and navigation and the inability to trigger a large batches toward the end. industry. Auto is based on ROS. In our other ADAS pipeline from artifacts or other pipelines.

simulation project, we’ve also used ROS’s (Apollo Auto) messaging system (bag). The technology Crux isn’t new, but it has regained developers’ Azure Pipelines ASSESS attention with the development of ADAS. ASSESS Crux is an open-source document database Azure Pipelines is a product of Azure with bitemporal graph queries. Most database AWS Cloud Development Kit DevOps that offers cloud-based solutions systems are temporal, meaning they help ASSESS to implement pipelines as code for projects us model facts along with the time at which hosted in Azure DevOps Git server or other they occurred. Bitemporal database systems For many of our teams Terraform has Git solution such as GitHub or Bitbucket. let you model not just the valid time the fact become the default choice for defining The interesting part of this solution is the occurred but also the transaction time when cloud infrastructure. However, some of our ability to run your scripts in , MacOS it was received. If you need a document teams have been experimenting with AWS and Windows agents without the overhead store with graph capabilities for querying the Cloud Development Kit (AWS CDK) and they of managing a virtual machine on your content, then give Crux a try. It’s currently in like what they’ve seen so far. In particular, own. This represents a big step forward, alpha and lacks SQL support, but you can they like the use of first-class programming especially for teams that work on Windows use a query interface for reading and languages instead of configuration files environments with .NET Framework traversing relationships. which allows them to use existing tools, test solutions; we’re also assessing this service approaches and skills. Like similar tools, care for continuous delivery in iOS.

Delta Lake
ASSESS

Delta Lake is an open-source storage layer by Databricks that attempts to bring transactions to big data processing. One of the problems we often encounter when using Apache Spark is the lack of ACID transactions. Delta Lake integrates with the Spark API and addresses this problem by its use of a transaction log and versioned Parquet files. With its serializable isolation, it allows concurrent readers and writers to operate on Parquet files. Other welcome features include schema enforcement on write and versioning, which allows us to query and revert to older versions of data if necessary. We’ve started to use it in some of our projects and quite like it.

Fission
ASSESS

Kubernetes’s serverless ecosystem is growing. We talked about Knative in a previous Radar; now we’re seeing Fission gaining traction. Fission lets developers focus on writing short-lived functions and map them to HTTP requests while the framework handles the rest of the plumbing and automation of Kubernetes resources behind the scenes. Fission also lets you compose functions, integrate with third-party providers via web hooks and automate the management of the Kubernetes infrastructure.

FoundationDB
ASSESS

FoundationDB is an open-source multimodel database, acquired by Apple in 2015 and then open-sourced in April 2018. The core of FoundationDB is a distributed key-value store, which provides strict transactions. One of the interesting aspects of FoundationDB is its concept of layers to offer additional models. These layers are essentially stateless components built on top of the core key-value store, such as the Record layer and the Document layer. FoundationDB sets a high standard with its Simulation testing where they run daily tests simulating various system failures. With its performance, rigorous testing and easy operability, FoundationDB is not just a database but can also be used by those looking to build distributed systems where they can use FoundationDB as a core primitive on which to build their system.

GraalVM
ASSESS

GraalVM is a universal virtual machine by Oracle for running applications written in JVM languages, JavaScript, Python, Ruby and R, as well as C/C++ and other LLVM-based languages. At its simplest, GraalVM can be used as a more performant VM for JVM and other supported non-JVM languages. But it also allows us to write polyglot applications with very little performance impact; and its Native Image utility (currently only available as an Early Adopter Technology) lets us compile Java code ahead of time to stand-alone executables for faster startup and less memory use. GraalVM has generated a lot of excitement in the Java community, and a host of Java frameworks (including Micronaut, Quarkus, and Helidon) are already taking advantage of it.

Hydra
ASSESS

Not everyone needs a self-hosted OAuth2 solution, but if you do, we found Hydra — a fully compliant open-source OAuth2 server and OpenID Connect provider — quite useful. We really like that Hydra doesn’t provide any identity management solutions out of the box; so no matter what flavor of identity management you have, it’s possible to integrate it with Hydra through a clean API. This clear separation of identity from the rest of the OAuth2 framework makes it easier to integrate Hydra with an existing authentication ecosystem.

Kuma
ASSESS

Kuma is a platform-agnostic service mesh for Kubernetes, VMs and bare metal environments. Kuma is implemented as a control plane on top of Envoy and as such can instrument any Layer 4/Layer 7 traffic to secure, observe, route and enhance connectivity between services. Most of the service mesh implementations are targeted natively at the Kubernetes ecosystem, which in itself is not bad but hinders the adoption of service mesh for existing non-Kubernetes applications. Rather than waiting for large platform transformation efforts to be complete, you can now use Kuma and modernize the network infrastructure.

MicroK8s
ASSESS

We talked about Kubernetes in the past and it continues to be the default choice for deploying and managing containers in production clusters. However, it’s getting increasingly difficult to provide a similar experience offline for developers. Among other options, we’ve found MicroK8s to be quite useful. To install the MicroK8s snap, pick a release channel (stable, candidate, beta or edge), and you can get Kubernetes running with a few commands. You can also keep track of mainstream releases and choose to upgrade your setup automatically.

Oculus Quest
ASSESS

We’ve long tracked AR/VR (Augmented/Virtual Reality) in our Radar, but its appeal has been limited to specific platforms and tethering options. The Oculus Quest changes the game, becoming one of the first consumer mass-market standalone VR headsets that requires no tethering or support outside a smartphone. This device opens the door for a huge jump in potential exposure to VR applications, whose demand will in turn drive the market toward more aggressive innovation. We applaud the democratization of VR this device helps usher in and can’t wait to see what’s on the horizon.

ONNX
ASSESS

The tools and frameworks ecosystem around neural networks has been evolving rapidly. The interoperability between them, however, has been a challenge. It’s not uncommon in the ML industry to quickly prototype and train the model in one tool and then deploy it in a different tool for inference. Because the internal formats of these tools aren’t compatible, we need to implement and maintain messy convertors to make the models compatible. The Open Neural Network Exchange format ONNX addresses this problem. In ONNX, the neural networks are represented as graphs using standard operator specifications, and together with a serialization format for trained weights, neural network models can be transferred from one tool to another. This opens up lots of possibilities, including Model Zoo, a collection of pretrained models in ONNX format.

Rootless containers
ASSESS

Ideally, containers should be managed and run by the respective container runtime without root privileges. This is not trivial but when achieved, it reduces the attack surface and avoids whole classes of security problems, notably privilege escalation out of the container. The community has discussed this as rootless containers for quite a while, and it is part of the open container runtime specification and its standard implementation runc, which underpins Kubernetes. Now, Docker 19.03 introduces rootless containers as an experimental feature. Although fully functional, the feature doesn’t yet work with several other features such as cgroups resource controls and AppArmor security profiles.

Snowflake
ASSESS

We often relate data warehousing to a central infrastructure that is hard to scale and manage with the growing demands around data. Snowflake, however, is a new SQL Data Warehouse as a Service solution built from the ground up for the cloud. With a bunch of neatly crafted features such as database-level atomicity, structured and semi-structured data support, in-database analytics functions and above all with a clear separation of storage, compute and services layer, Snowflake addresses most of the challenges faced in data warehousing.

Teleport
ASSESS

Teleport is a security gateway for remotely accessing cloud native infrastructures. One of Teleport’s interesting features is its ability to double as a Certificate Authority (CA) for your infrastructure. You can issue short-lived certificates and build richer role-based access control (RBAC) for your Kubernetes infrastructure (or for just SSH). With increased focus on infrastructure security it’s important to keep track of changes. However, not all events require the same level of auditing. With Teleport you can stick with logging for most of the events but go the extra mile by recording the user screen for more privileged root sessions.
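The Rootless containers item above rests on one kernel mechanism: a user namespace in which uid 0 inside the container is mapped to an unprivileged uid on the host. The check below, added here as an illustration and not code from the Radar, Docker or runc, reads that mapping from the `/proc/<pid>/uid_map` format (three columns: id inside the namespace, id outside it, length of the range) and tells a defender whether "root" in the current container is really root on the host. The two sample maps are constructed, not captured from a real machine.

```python
from pathlib import Path
from typing import List, Optional, Tuple

# Constructed sample contents of /proc/self/uid_map (not captured from a real host).
# Columns: first id inside the namespace, first id outside it, length of the range.
HOST_ROOT_UID_MAP = "         0          0 4294967295\n"      # identity map: uid 0 is the real root
ROOTLESS_UID_MAP = ("         0       1000          1\n"      # uid 0 inside is uid 1000 outside
                    "         1     100000      65536\n")     # 1..65536 inside -> a subuid range

IdMap = List[Tuple[int, int, int]]


def parse_id_map(text: str) -> IdMap:
    """Parse the three-column uid_map/gid_map format into (inside, outside, length) triples.
    Lines that do not have exactly three integer fields are ignored."""
    entries: IdMap = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        inside, outside, length = (int(p) for p in parts)
        entries.append((inside, outside, length))
    return entries


def outside_id(entries: IdMap, inside_id: int) -> Optional[int]:
    """Translate an id inside the namespace to the host's view of it.
    None means unmapped; the kernel then shows the overflow id (65534) inside the namespace."""
    for inside, outside, length in entries:
        if inside <= inside_id < inside + length:
            return outside + (inside_id - inside)
    return None


def is_rootless(uid_map_text: str) -> bool:
    """True when uid 0 in the namespace is *not* uid 0 on the host, which is what
    rootless mode means: 'root' in the container has no root privileges outside it."""
    host_uid = outside_id(parse_id_map(uid_map_text), 0)
    return host_uid is not None and host_uid != 0


def current_process_is_rootless() -> bool:
    """Live check for the calling process (Linux only)."""
    return is_rootless(Path("/proc/self/uid_map").read_text())


if __name__ == "__main__":
    print("sample host map rootless:", is_rootless(HOST_ROOT_UID_MAP))
    print("sample rootless map rootless:", is_rootless(ROOTLESS_UID_MAP))
```

A positive result here only confirms the user-namespace remap; it says nothing about the gaps the item mentions (cgroups resource controls and AppArmor profiles not yet working with the experimental Docker 19.03 feature), which have to be checked separately. A container that simply runs as a non-root user without a user namespace shows the identity map and is correctly reported as not rootless, because the runtime that started it still holds root.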

TOOLS

Tools on the Radar this edition:
ADOPT: 51. Commitizen, 52. ESLint, 53. React Styleguidist
TRIAL: 54. Bitrise, 55. Dependabot, 56. Detekt, 57. Figma, 58. Jib, 59. Loki, 60. Trivy, 61. Twistlock, 62. Yocto Project
ASSESS: 63. Aplas, 64. asdf-vm, 65. AWSume, 66. dbt, 67. Docker Notary, 68. Facets, 69. Falco, 70. in-toto, 71. Kubeflow, 72. MemGuard, 73. Open Policy Agent (OPA), 74. Pumba, 75. Skaffold, 76. What-If tool
HOLD: 77. Azure Data Factory for orchestration

Commitizen
ADOPT

Commitizen is a simple tool to help streamline the process when using Git. It prompts you to provide any required fields and also formats your commit message appropriately. It supports different conventions for describing the required check-in formats, and you can add your own via an adapter. This simple tool saves time and avoids later rejections from a commit hook.

ESLint
ADOPT

ESLint is being used as a standard in many of our projects. As a linting tool for JavaScript it has multiple rule sets, recommended rules and plugins in order to extend to frameworks or JavaScript flavors. We’ve seen it leveraged heavily to help teams create and enforce norms in their code by allowing for real-time analysis of code during development. It can be used to standardize coding practices by enforcing best practices and code styling, and identify vulnerabilities in your code. It does so by integrating well with most IDEs and giving live feedback while coding. Its styling rules in particular will automatically fix the linting errors, making the process seamless and effective without incurring additional development cost. Developers can quickly get up to speed with the rules thanks to the community documentation, which does a good job of explaining coding patterns. As ESLint becomes more common and powerful, it has gained traction in the industry, and this is illustrated by the TypeScript team’s move to support and work with ESLint rather than investing in TSLint.

React Styleguidist
ADOPT

React Styleguidist is a development environment for React components. It includes a dev server with hot reloading capabilities and generates an HTML style guide for sharing with teams. The style guide shows a live version of all components in one place with documentation and a list of their props. We’ve mentioned React Styleguidist as a UI dev environment before, and over time it has become our default choice among similar tools in this space.

Bitrise
TRIAL

Building, testing and deploying mobile applications entails complex steps, especially when we consider a pipeline from source code repository to app stores. All of these steps can be automated with scripts and build pipelines in generic CI/CD tools. However, our teams have found Bitrise, a domain-specific CD tool for mobile applications, useful for mobile applications when there was no need to integrate with build pipelines for back-end systems. Bitrise is easy to set up and provides a comprehensive set of prebuilt steps for most mobile development needs.

Dependabot
TRIAL

Keeping dependencies up to date is a chore, but for security reasons it’s important to respond to updates in a timely manner. You can use tools to make this process as painless and automated as possible. In practical use our teams have had good experiences with Dependabot. It integrates with GitHub repositories and automatically checks dependencies for new versions. When required, Dependabot will open a pull request with upgraded dependencies.

Detekt
TRIAL

Detekt is a static code analysis tool for Kotlin. It provides code smell analysis and complexity reports based on highly configurable rule sets. It can be run from the command line and, using plugins, via Gradle, SonarQube and IntelliJ. Our teams have found great value in using Detekt to maintain high code quality. When analysis and report generation are integrated into a build pipeline, it’s obviously important that the reports are checked on a regular basis and the team sets aside time to act on the findings.

Figma
TRIAL

One of the great pain points in interaction and visual design is the lack of tools built for collaboration. This is where Figma comes in. It has the same functionality as design programs such as Sketch and Invision, but by being able to collaborate with another person at the same time, it helps you discover new ideas together with real-time collaboration capabilities. Our teams find Figma very useful, especially in remote and distributed design work enablement and facilitation. In addition to its collaboration capabilities, Figma also offers an API that helps to improve the DesignOps process.

Jib
TRIAL

Building containerized applications can require complex configurations in development environments and on build agents. If you’re building a Java application and use Docker, you might consider using Google’s Jib. Jib is an open-source plugin supporting both Maven and Gradle. The Jib plugin uses information from your build config to build your application directly as a Docker image without requiring a Dockerfile or Docker daemon. Jib optimizes around image layering, promising to speed up subsequent builds.

Loki
TRIAL

Loki is a visual regression tool that works with Storybook, which we mentioned previously in the context of UI dev environments. With a few lines of configuration, Loki can be used to test all UI components. The preferred mode of operation is using Chrome in a Docker container as this avoids one-pixel differences when tests are run in nonidentical environments. Our experience has been that the tests are very stable, but updates to Storybook tend to cause tests to fail with minor differences. It also seems impossible to test components which use position: fixed but you can work around that by wrapping the component with a fixed.

Trivy
TRIAL

Build pipelines that create and deploy containers should include container security scanning. Our teams particularly like Trivy, a vulnerability scanner for containers, because it’s easier to set up than other tools, thanks to it shipping as a stand-alone binary. Other benefits of Trivy are that it’s open-source software and that it supports distroless containers.

Twistlock
TRIAL

Twistlock is a commercial product with build-time and run-time security vulnerability detection and prevention capabilities. These capabilities span protecting VMs, container schedulers and containers to various registries and repositories that applications rely on. Twistlock has helped our teams accelerate development of regulated applications, where application infrastructure and architecture require compliance with, for example, Payment Card Industry (PCI) standards and the Health Insurance Portability and Accountability Act (HIPAA). Our teams have enjoyed the developer experience that Twistlock provides: the ability to run provisioning as code, the easy integration with other common observability platforms, and the out-of-the-box benchmarks to measure the infrastructure against industry-consensus best practices. We run Twistlock with regular runtime scans over our cloud-native applications, particularly when regulatory compliance is required.
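The Trivy item above says container scanning belongs in the build pipeline; what the pipeline then needs is a gate that turns the scanner's report into a pass/fail decision. The following is an added example of such a gate, not code from the Radar or from the Trivy project. It assumes the JSON report shape Trivy emits with `--format json` (a top-level `Results` list, each with a `Vulnerabilities` list carrying `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion` and `Severity`), and that older schema-1 reports were a bare list of results. The embedded report is constructed for the example and its CVE identifiers are placeholders, not real advisories.

```python
import json
from typing import Any, Dict, List, Tuple

# Constructed report in the shape of `trivy image --format json` (schema version 2).
# The vulnerability IDs are placeholders, not real CVE numbers.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "registry.example.invalid/app:1.0",
    "Results": [
        {
            "Target": "registry.example.invalid/app:1.0 (alpine 3.10.2)",
            "Type": "alpine",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "openssl",
                 "InstalledVersion": "1.1.1c-r0", "FixedVersion": "1.1.1d-r0", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "musl",
                 "InstalledVersion": "1.1.22-r2", "Severity": "MEDIUM"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "busybox",
                 "InstalledVersion": "1.30.1-r2", "Severity": "CRITICAL"},
            ],
        },
        # A target that was scanned but had no findings: "Vulnerabilities" is null, not [].
        {"Target": "app/package-lock.json", "Type": "npm", "Vulnerabilities": None},
    ],
})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def findings(report_json: str) -> List[Dict[str, Any]]:
    """Flatten a Trivy JSON report into one dict per vulnerability."""
    report = json.loads(report_json)
    # Schema v1 reports (older Trivy) were a bare list of results; v2 wraps them in a dict.
    results = report["Results"] if isinstance(report, dict) else report
    out: List[Dict[str, Any]] = []
    for result in results or []:
        for vuln in result.get("Vulnerabilities") or []:   # null when a target is clean
            out.append({
                "target": result.get("Target", ""),
                "id": vuln["VulnerabilityID"],
                "pkg": vuln.get("PkgName", ""),
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),        # empty when no fix exists yet
                "severity": vuln.get("Severity", "UNKNOWN").upper(),
            })
    return out


def gate(report_json: str, min_severity: str = "HIGH",
         fixed_only: bool = False) -> Tuple[bool, List[Dict[str, Any]]]:
    """Pipeline gate: returns (passed, blocking findings).

    A finding blocks when its severity is at or above min_severity and, if
    fixed_only is set, only when an upgraded package version already exists;
    unfixable findings are still returned by findings() so they can be tracked."""
    floor = SEVERITY_RANK[min_severity.upper()]
    blocking = [
        f for f in findings(report_json)
        if SEVERITY_RANK.get(f["severity"], 0) >= floor
        and (f["fixed"] != "" or not fixed_only)
    ]
    return (len(blocking) == 0, blocking)


def format_blocking(blocking: List[Dict[str, Any]]) -> str:
    """Human-readable summary for the build log."""
    return "\n".join(
        f'{f["severity"]:8} {f["id"]:16} {f["pkg"]} {f["installed"]}'
        + (f' -> fix in {f["fixed"]}' if f["fixed"] else " (no fix yet)")
        for f in blocking)


if __name__ == "__main__":
    passed, blocking = gate(SAMPLE_REPORT, min_severity="HIGH")
    print(format_blocking(blocking))
    raise SystemExit(0 if passed else 1)
```

Two design choices matter in practice. The `fixed_only` switch separates "fail the build now" from "record it and re-check on the next scan", so a critical finding with no available fix does not block every deploy indefinitely while still being visible in the report. And handling `"Vulnerabilities": null` explicitly avoids the common mistake of treating a clean target as a parse error, which is how scanning steps end up being silenced with `|| true` in pipelines.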

Yocto Project
TRIAL

Increasingly we’re seeing powerful Internet of Things devices that run Linux rather than a special embedded OS. In order to reduce resource usage and decrease the attack surface, it makes sense to build a custom Linux that only contains the tools and dependencies needed to run the software on the device. In this context the Yocto Project has renewed relevance as a tool to create a Linux distribution tailored to the needs of a specific case. The learning curve is steep and due to its flexibility, it can be easy to do the wrong thing. However, over the many years of its existence, the Yocto Project has attracted an active community that can help. Compared to similar tools, it’s easier to integrate into a CD workflow and, unlike Android Things or .NET Core for example, it’s not tied to a specific ecosystem.

Aplas
ASSESS

It’s often very difficult to get a handle on our software estates as they grow ever more complex. Aplas is a new software mapping tool that can be used to create visualizations of our software landscapes in the form of maps. The tool works by ingesting metadata about your existing systems and then displaying a map over which various views can be projected. Ingestion is either a manual process or one that can be automated via APIs. We’re pretty excited to see this product evolve and to see what’s possible with the automated collection of metadata. It should be possible, for example, to expose architectural fitness functions such as run cost to create visualizations of how much is being spent on cloud infrastructure. Understanding which systems talk to other systems via which technology is another problem we often face and Aplas can visualize it for us.

asdf-vm
ASSESS

asdf-vm is a command-line tool to manage runtime versions of multiple languages, per project. It’s similar to other command-line version management tools, such as RVM for Ruby and nvm for Node.js, with the advantage of an extensible plugin architecture to handle multiple languages. Its list of current plugins includes many languages as well as tools such as Bazel or tflint, whose runtime version you may need to manage per project.

AWSume
ASSESS

AWSume is a convenient script to manage AWS session tokens and assume role credentials from the command line. We find AWSume quite handy when we deal with multiple AWS accounts at the same time. Instead of specifying profiles individually in every command, the script reads from the CLI cache and exports them to environment variables. As a result, both the commands and AWS SDKs pick up the right credentials.

dbt
ASSESS

Data transformation is an essential part of data-processing workflows: filtering, grouping or joining multiple sources into a format that is suitable for analyzing data or feeding machine-learning models. dbt is an open-source tool and a commercial SaaS product that provides simple and effective transformation capabilities for data analysts. The current frameworks and tooling for data transformation fall either into the group of powerful and flexible — requiring intimate understanding of the programming model and languages of the framework such as Apache Spark — or in the group of dumb drag-and-drop UI tools that don’t lend themselves to reliable engineering practices such as automated testing and deployment. dbt fills a niche: it uses SQL — an interface widely understood — to model simple batch transformations, while it provides command-line tooling that encourages good engineering practices such as versioning, automated testing and deployment; essentially it implements SQL-based transformation modeling as code. dbt currently supports multiple data sources, including Snowflake and Postgres, and provides various execution options, such as Airflow and Apache’s own cloud offering. Its transformation capability is limited to what SQL offers, and it doesn’t support real-time streaming transformations at the time of writing.

Docker Notary
ASSESS

Docker Notary is an OSS tool that enables signing of assets such as images, files and containers. This means that the provenance of assets can be asserted, which is super useful in regulated environments and better practice everywhere. As an example, when a container is created, it’s signed by a private key and a hash, tied to the publisher’s identity, stored as metadata. Once published, the provenance of the container (or other asset) can be checked using the image hash and the publisher’s public key. There are publicly available, trusted registries such as the Docker Trusted Registry, but it’s also possible to run your own. Our teams have reported some spiky edges running local Notary servers and suggest using a registry that includes Notary where possible.

Facets
ASSESS

Given the growing amount of weighty decisions that are derived from large data sets, either directly or as training input for machine learning models, it’s important to understand the gaps, flaws and potential biases in your data.

Falco (continued)

With increased adoption of Kubernetes as the container orchestrator, the security toolset around containers and Kubernetes is evolving rapidly. Falco is one such container-native tool aimed at addressing runtime security.

underlying host or Kubernetes orchestrator itself. We like Falco’s capability to detect threats without injecting third-party code or sidecar containers.

in-toto
ASSESS

We’re seeing increased use of Binary attestation for securing the software supply chain, particularly within regulated industries. The currently favored approaches seem to involve either building a custom system for implementing the binary verification or relying on a cloud vendor’s service. We’re encouraged to see the open-source in-toto enter this space. in-toto is a

Kubeflow (continued)

another. Kubeflow consists of several components, including Jupyter notebooks, data pipelines, and control tools. Several of these components are packaged as Kubernetes operators to draw on Kubernetes’s ability to react to events generated by pods implementing various stages of the workflow. By packaging individual programs and data as containers, entire workflows can be ported from one environment to another. This can be useful when moving a useful but computationally challenging workflow developed in the cloud to a custom supercomputer or tensor processing unit cluster.
Google’s Facets project framework for cryptographically verifying MemGuard (Falco) provides two helpful tools in this space: every component and step along the path ASSESS Facets Overview and Facets Dive. Facets to production for a software artifact. The Overview visualizes the distribution of values project includes a number of integrations If your application handles sensitive for features in a data set, can show training into many widely used build, container information (such as cryptographic and validation set skew and can be used to auditing and deployment tools. A software keys) as plain text in memory, there’s compare multiple data sets; Facets Dive is supply chain tool can be a critical piece of a high probability that someone could for drilling down and visualizing individual an organization’s security apparatus, so we potentially exploit it as an attack vector data points in large data sets, using different like that as an open-source project, in-toto’s and compromise the information. Most visual dimensions to explore the relationships behavior is transparent, and its own integrity of the cloud-based solutions often use between attributes. They’re both useful tools and supply chain can be verified by the hardware security modules (HSM) to in carrying out ethical bias testing. community. We’ll have to wait and see if it’ll avoid such attacks. However, if you’re in gain a critical mass of users and contributors a situation where you need to do this to compete in this space. in a self-hosted manner without access Falco to HSMs, then we’ve found MemGuard ASSESS to be quite useful. MemGuard acts as a Kubeflow secured software enclave for storage of With increased adoption of Kubernetes ASSESS sensitive information in memory. Although as container orchestrator, the security MemGuard is not a replacement for HSMs, toolset around containers and Kubernetes Kubeflow is interesting for two reasons. it does deploy a number of security tactics is evolving rapidly. 
Falco is one such First, it is an innovative use of Kubernetes such as protection against cold boot container-native tool aimed at addressing Operators which we’ve spotlighted in attacks, avoiding interference with garbage runtime security. Falco leverages Sysdig’s our April 2019 edition of the Radar. collection and fortifying with guard Linux kernel instrumentation and system Second, it provides a way to encode to reduce the likelihood of sensitive data call profiling and lets us gain deep insights and version machine-learning workflows being exposed. into system behavior and helps us detect so that they can be more easily ported abnormal activities in applications, containers, from one execution environment to
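The Docker Notary and in-toto entries above describe two checks: verifying an artifact against its hash and the publisher’s public key, and verifying that every step on the path to production was signed by an expected party and consumed exactly what the previous step produced. The following Go program is an added example (not code from Notary or in-toto) that implements both over a constructed two-step chain; the Link format and the exact-match rule between consecutive steps are simplifications of in-toto’s layout and link metadata, assumed here for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Link is a constructed, simplified record of one supply-chain step in the
// spirit of an in-toto link (not its real metadata format): who ran the step,
// which artifacts went in and which came out, each identified by digest.
type Link struct {
	Step      string            `json:"step"`
	Publisher string            `json:"publisher"`
	Materials map[string]string `json:"materials"` // path -> sha256 hex
	Products  map[string]string `json:"products"`  // path -> sha256 hex
}

// SignedLink is a link plus the publisher's signature over its JSON form.
type SignedLink struct {
	Link      Link
	Signature []byte
}

// Digest is the hex sha256 of an artifact, the hash Notary stores beside the
// publisher's signature for an image.
func Digest(b []byte) string {
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:])
}

// canon serializes a value for signing or comparison. encoding/json sorts map
// keys, so equal links and equal artifact sets always yield identical bytes;
// the error is ignored because these types hold only strings.
func canon(v interface{}) []byte { b, _ := json.Marshal(v); return b }

// Sign binds a link to the publisher's identity with their private key.
func Sign(l Link, priv ed25519.PrivateKey) SignedLink {
	return SignedLink{Link: l, Signature: ed25519.Sign(priv, canon(l))}
}

// VerifyChain checks that each link is signed by the key registered for its
// publisher and that the products of step i are exactly the materials of
// step i+1, so nothing was swapped between steps.
func VerifyChain(chain []SignedLink, trusted map[string]ed25519.PublicKey) error {
	for i, sl := range chain {
		pub, ok := trusted[sl.Link.Publisher]
		if !ok {
			return fmt.Errorf("step %q: unknown publisher %q", sl.Link.Step, sl.Link.Publisher)
		}
		if !ed25519.Verify(pub, canon(sl.Link), sl.Signature) {
			return fmt.Errorf("step %q: bad signature", sl.Link.Step)
		}
		if i > 0 && !bytes.Equal(canon(chain[i-1].Link.Products), canon(sl.Link.Materials)) {
			return fmt.Errorf("step %q: inputs differ from outputs of %q", sl.Link.Step, chain[i-1].Link.Step)
		}
	}
	return nil
}

// Demo runs a two-step chain (build, then package) over constructed bytes.
// With tamper=true the packager is handed a binary that differs from what
// the builder produced, which VerifyChain must reject.
func Demo(tamper bool) error {
	buildPub, buildKey, _ := ed25519.GenerateKey(rand.Reader)
	packPub, packKey, _ := ed25519.GenerateKey(rand.Reader)
	trusted := map[string]ed25519.PublicKey{"builder": buildPub, "packager": packPub}

	source, binary := []byte("package main\nfunc main() {}\n"), []byte("app-binary-bytes")
	build := Sign(Link{Step: "build", Publisher: "builder",
		Materials: map[string]string{"main.go": Digest(source)},
		Products:  map[string]string{"app": Digest(binary)}}, buildKey)
	if tamper {
		binary = append(binary, "-modified"...)
	}
	pack := Sign(Link{Step: "package", Publisher: "packager",
		Materials: map[string]string{"app": Digest(binary)},
		Products:  map[string]string{"app.tar": Digest(append([]byte("tar:"), binary...))}}, packKey)
	return VerifyChain([]SignedLink{build, pack}, trusted)
}

func main() {
	fmt.Println("clean chain:", Demo(false))   // <nil>
	fmt.Println("tampered chain:", Demo(true)) // error
}
```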
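To make the runtime-security idea in the Falco entry concrete, here is an added example (not Falco’s code or rule syntax) that evaluates two Falco-style conditions, an interactive shell spawned in a container and a write under /etc from a container by something other than a package manager, over a constructed stream of syscall-level events; the JSON field names are assumptions for this illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Event is a constructed, simplified view of the fields a syscall-level
// sensor such as Falco sees for one event; it is not Falco's schema.
type Event struct {
	Type      string `json:"evt_type"`  // e.g. execve, openat
	Container string `json:"container"` // "host" when not in a container
	Proc      string `json:"proc_name"`
	Parent    string `json:"proc_pname"`
	TTY       bool   `json:"proc_tty"`
	Path      string `json:"fd_name"`
	Write     bool   `json:"is_write"`
}

// Rule pairs a name and priority with a predicate over one event.
type Rule struct {
	Name     string
	Priority string
	Match    func(Event) bool
}

var shells = map[string]bool{"sh": true, "bash": true, "zsh": true, "dash": true}
var pkgManagers = map[string]bool{"apt": true, "dpkg": true, "yum": true}

// Rules restate two well-known Falco default rules as Go predicates: an
// interactive shell spawned inside a container, and a write under /etc from
// inside a container by something other than a package manager.
var Rules = []Rule{
	{Name: "Terminal shell in container", Priority: "NOTICE",
		Match: func(e Event) bool {
			return e.Type == "execve" && e.Container != "host" && shells[e.Proc] && e.TTY
		}},
	{Name: "Write below etc", Priority: "ERROR",
		Match: func(e Event) bool {
			return e.Type == "openat" && e.Container != "host" && e.Write &&
				strings.HasPrefix(e.Path, "/etc/") && !pkgManagers[e.Proc]
		}},
}

// Alert is one rule match.
type Alert struct {
	Rule, Priority, Container, Proc string
}

// Evaluate parses newline-delimited JSON events and runs every rule on each,
// returning alerts in event order.
func Evaluate(jsonl string) ([]Alert, error) {
	var out []Alert
	for n, line := range strings.Split(strings.TrimSpace(jsonl), "\n") {
		var e Event
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		for _, r := range Rules {
			if r.Match(e) {
				out = append(out, Alert{r.Name, r.Priority, e.Container, e.Proc})
			}
		}
	}
	return out, nil
}

// SampleEvents is a constructed stream: an sshd login shell on the host
// (benign), an interactive shell inside container c1 (flagged), apt editing
// /etc/apt/sources.list in c2 (allowed) and nginx writing /etc/passwd in c2
// (flagged).
const SampleEvents = `
{"evt_type":"execve","container":"host","proc_name":"bash","proc_pname":"sshd","proc_tty":true,"fd_name":"","is_write":false}
{"evt_type":"execve","container":"c1","proc_name":"sh","proc_pname":"runc","proc_tty":true,"fd_name":"","is_write":false}
{"evt_type":"openat","container":"c2","proc_name":"apt","proc_pname":"bash","proc_tty":false,"fd_name":"/etc/apt/sources.list","is_write":true}
{"evt_type":"openat","container":"c2","proc_name":"nginx","proc_pname":"sh","proc_tty":false,"fd_name":"/etc/passwd","is_write":true}
`

func main() {
	alerts, err := Evaluate(SampleEvents)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("%-6s %s: %s in container %s\n", a.Priority, a.Rule, a.Proc, a.Container)
	}
}
```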

Open Policy Agent (OPA)
ASSESS

Defining and enforcing security policies uniformly across a diverse technology landscape is a challenge. Even for simple applications, you have to control access to their components — such as container orchestrators, services and data stores to keep the services’ state — using their components’ built-in security policy configuration and enforcement mechanisms. We’re excited about Open Policy Agent (OPA), an open-source technology that attempts to solve this problem. OPA lets you define fine-grained access control and flexible policies as code, using the Rego policy definition language. Rego enforces the policies in a distributed and unobtrusive manner outside of the application code. At the time of writing, OPA implements uniform and flexible policy definition and enforcement to secure access to Kubernetes APIs, microservices APIs through Envoy sidecar and Kafka. It can also be used as a sidecar to any service to verify access policies or filter response data. Styra, the company behind OPA, provides commercial solutions for centralized visibility to distributed policies. We like to see OPA mature through the CNCF incubation program and continue to build support for more challenging policy enforcement scenarios such as diverse data stores.

Pumba
ASSESS

Pumba is a chaos testing and network emulation tool for Docker. Pumba can kill, stop, remove or pause Docker containers. Pumba can also emulate networks and simulate different network failures such as delays, packet loss and bandwidth rate limits. Pumba uses the tc tool for network emulation, which means it needs to be available in our containers or we need to run Pumba in a sidecar container with tc. Pumba is particularly useful when we want to run some automated chaos tests against a distributed system running on a bunch of containers locally or in the build pipeline.

Skaffold
ASSESS

Google brings us Skaffold, an open-source tool to automate local development workflows, including deployment on Kubernetes. Skaffold detects changes in the source code and triggers workflows to build, tag and deploy into a K8s cluster, including capturing application logs back to the command line. The workflows are pluggable with different build and deployment tools, but this comes with an opinionated default configuration to make it easier to get started.

What-If Tool
ASSESS

The machine learning world has shifted emphasis slightly from exploring what models are capable of understanding to how they do it. Concerns about introducing bias or overgeneralizing a model’s applicability have resulted in interesting new tools such as What-If Tool (WIT). This tool helps data scientists to dig into a model’s behavior and to visualize the impact various features and data sets have on the output. Introduced by Google and available either through Tensorboard or Jupyter notebooks, WIT simplifies the tasks of comparing models, slicing data sets, visualizing facets and editing individual data points. Although WIT makes it easier to perform these analyses, they still require a deep understanding of the mathematics and theory behind the models. It is a tool for data scientists to gain deeper insights into model behavior. Naive users shouldn’t expect any tool to remove the risk or minimize the damage done by a misapplied or poorly trained algorithm.

Azure Data Factory for orchestration
HOLD

Azure Data Factory (ADF) is currently Azure’s default product for orchestrating data-processing pipelines. It supports data ingestion, copying data from and to different storage types on prem or on Azure and executing transformation logic. While we’ve had a reasonable experience with ADF for simple migrations of data stores from on prem to cloud, we discourage the use of Azure Data Factory for orchestration of complex data-processing pipelines. Our experience has been challenging due to several factors, including limited coverage of capabilities that can be implemented through coding first, as it appears that ADF is prioritizing enabling low-code platform capabilities first; poor debuggability and error reporting; limited observability, as ADF logging capabilities don’t integrate with other products such as Azure Data Lake Storage or Databricks, making it difficult to get end-to-end observability in place; and availability of data source-triggering mechanisms only in certain regions. At this time, we encourage using other open-source orchestration tools (e.g., Airflow) for complex data pipelines and limiting ADF to data copying or snapshotting. We’re hoping that ADF will address these concerns to support more complex data-processing workflows and prioritize access to capabilities through code first.

LANGUAGES & FRAMEWORKS

TRIAL
78. Arrow
79. Flutter
80. jest-when
81. Micronaut
82. React Hooks
83. React Testing Library
84. Styled components
85. Tensorflow

ASSESS
86. Fairseq
87. Flair
88. Gatsby.js
89. GraphQL
90. KotlinTest
91. NestJS
92. Paged.js
93. Quarkus
94. SwiftUI
95. Testcontainers

HOLD
96. Enzyme

Arrow
TRIAL

Arrow is a functional programming library for Kotlin, created by merging two existing popular libraries (kategory and funKTionale). While Kotlin provides building blocks for functional programming, Arrow delivers a package of ready-to-use higher-level abstractions for application developers. It provides data types, type classes, effects, optics and other functional programming patterns as well as integrations with popular libraries. Our initial positive impressions of Arrow were confirmed when using it to build applications that are now in production.

Flutter
TRIAL

Several of our teams use Flutter and really like it. It’s a cross-platform framework that enables you to write native mobile apps in Dart. It benefits from Dart and can be compiled into native code and communicates with the target platform without bridge and context switching. Flutter’s hot-reload feature is still impressive and provides superfast visual feedback when editing code. We’re confident in recommending that you try Flutter on one of your projects.

jest-when
TRIAL

jest-when is a lightweight JavaScript library that complements Jest by matching mock function call arguments. Jest is a great tool for testing the stack; jest-when allows you to expect specific arguments for mock functions and thus lets you write more robust unit tests of modules with many dependencies.

Micronaut
TRIAL

Micronaut is a JVM framework for building services using Java, Kotlin or Groovy. It distinguishes itself through a small memory footprint and short startup time; it achieves these improvements by avoiding runtime reflection for dependency injection (DI) and proxy generation, a common shortcoming of traditional frameworks, and instead uses a DI/AOP container which performs dependency injection at compile time. This makes it attractive not just for standard server-side microservices but also in the context of, for example, the Internet of Things, Android applications and serverless functions. Micronaut uses Netty and has first-class support for reactive programming. It also includes features such as service discovery and circuit breaking that make it cloud-native friendly. Micronaut is a very promising entrant to the full-stack framework for the JVM space, and we’re seeing it in more and more projects in production, prompting us to move it to Trial.

React Hooks
TRIAL

Earlier this year, React Hooks were introduced to the popular JavaScript framework. They make it possible to use state and other React features without writing a class, offering a cleaner approach than higher-order components or render-props for use cases. Libraries such as Material UI and Apollo have already switched to using Hooks. There are some issues with testing Hooks, especially with Enzyme, which contributed to our reassessment of Enzyme as the tool of choice.

React Testing Library
TRIAL

The JavaScript world moves pretty fast, and as we gain more experience using a framework our recommendations change. The React Testing Library is a good example of a framework that with deeper usage has eclipsed the alternatives to become the sensible default when testing React-based frontends. Our teams like the fact that tests written with this framework are less brittle than with alternative frameworks such as Enzyme, because you’re encouraged to test component relationships individually as opposed to testing all implementation details.

Styled components
TRIAL

Using tagged template literals, styled components make it possible to put the CSS needed to style a React component directly into the JavaScript code that creates the component. This greatly reduces the pain with managing CSS and obviates the need for naming conventions or other means of avoiding naming conflicts in CSS. Developers can see the styling when looking at the component definition, and they don’t have to memorize several megabytes worth of CSS. Of course, placing the CSS into the JavaScript code can make it harder to get a consistent view across the styling of different components, which is why we recommend understanding the trade-offs with this approach.

Tensorflow
TRIAL

With its 2.0 release, TensorFlow retains its prominence as the industry’s leading machine learning framework. TensorFlow began as a numerical processing package that gradually expanded to include libraries supporting a variety of ML approaches and execution environments, ranging from mobile CPU to large GPU clusters. Along the way, a slew of frameworks became available to simplify the tasks of network creation and training. At the same time, other frameworks, notably PyTorch, offered an imperative programming model that made debugging and execution simpler and easier. TensorFlow 2.0 now defaults to imperative flow (eager execution) and adopts Keras as the single high-level API. While these changes modernize TensorFlow’s usability and make it more competitive with PyTorch, it is a significant rewrite that often breaks backward compatibility — many tools and serving frameworks in the TensorFlow ecosystem won’t immediately work with the new version. For the time being, consider whether you want to design and experiment in TensorFlow 2.0 but revert to version 1 to serve and run your models in production.

Fairseq
ASSESS

Fairseq is a sequence-to-sequence modelling toolkit by Facebook AI Research that allows researchers and developers to train custom models for translation, summarization, language modeling and other NLP tasks. For users of PyTorch, this is a good choice. It provides reference implementations of various sequence-to-sequence models; supports distributed training across multiple GPUs and machines; is very extensible; and has a bunch of pretrained models, including RoBERTa, which is an optimization on top of BERT.

Flair
ASSESS

Flair is a simple Python-based framework for NLP processing. It allows users to do standard NLP tasks such as named entity recognition (NER), part-of-speech tagging (PoS), word-sense disambiguation and classification, and performs well on a range of NLP tasks. Flair presents a simple and unified interface for a variety of word and document embeddings, including BERT, Elmo and its own Flair embeddings. It also has multilingual support. The framework itself is built on top of PyTorch. We’re using it in some of our projects and like its ease of use and powerful abstractions.

Gatsby.js
ASSESS

Gatsby.js is a framework to write web applications in an architectural style known as JAMstack. Part of the application is generated at build time and deployed as a static site, while the remainder of the functionality is implemented as a progressive web application (PWA) running in the browser. Such applications work without code running on the server side. Usually, though, the PWA makes calls to third-party APIs and SaaS solutions, for content management, for example. In the case of Gatsby.js, all client and build time code is written using React. The framework includes some optimizations to make the web application feel fast. It provides code and data splitting out of the box to minimize load times and speeds up performance when navigating the application by prefetching resources. APIs are called via GraphQL and several plugins simplify integration with existing services.

GraphQL
ASSESS

We’ve seen many successful GraphQL implementations on our projects. We’ve seen some interesting patterns of use too, including GraphQL for server-side resource aggregation. That said, we’ve concerns about misuse of this framework and some of the problems that can occur. Examples include performance gotchas around N+1 queries and lots of boilerplate code needed when adding new models, leading to complexity. There are workarounds to these gotchas such as query caching. Even though it’s not a silver bullet, we still think it’s worth assessing as part of your architecture.

KotlinTest
ASSESS

KotlinTest is a stand-alone testing tool for the Kotlin ecosystem that our teams have come to like. It allows property-based testing, a technique we’ve highlighted in the Radar before. Key advantages are that it offers a variety of testing styles in order to structure the test suites and that it comes with a comprehensive set of matchers, which allow for expressive tests in an elegant internal DSL.

NestJS
ASSESS

NestJS is a server-side Node.js framework written in TypeScript. By integrating the rich ecology of the Node.js community, NestJS provides an out-of-the-box application architecture. The mental model to develop NestJS is similar to the server-side version of Angular or the TypeScript version of Spring Boot, so the learning curve for developers is low. NestJS supports protocols such as GraphQL, Websocket and ORM libraries.

Paged.js
ASSESS

When using HTML and related technologies to produce books and other print output, the question of pagination must be considered. This includes page counters, repeated elements in headers and footers, as well as mechanisms to avoid awkward page breaks. Paged.js is an open-source library that implements a series of polyfills for the Paged Media and Generated Content for Paged Media CSS modules. It is still experimental but fills an important gap in the “write once, publish everywhere” story for HTML.

Quarkus
ASSESS

Quarkus is a cloud-native, container-first framework by Red Hat for writing Java applications. It has a very fast startup time (tens of milliseconds) and low memory utilization, which makes it a good candidate for FaaS or frequent scaling up and down in a container orchestrator. Like Micronaut, Quarkus achieves this by using ahead-of-time compilation techniques to do dependency injection at compile time and avoid the runtime costs of reflection. It also works well with GraalVM’s Native Image, which further reduces startup time. Quarkus supports both imperative and reactive models. Along with Micronaut and Helidon, Quarkus is leading the charge on the new generation of Java frameworks which attempt to address startup performance and memory without sacrificing developer effectiveness. It’s gained a lot of community attention and is worth keeping an eye on.

SwiftUI
ASSESS

Apple has taken a big step forward with their new SwiftUI framework for implementing user interfaces on macOS and iOS platforms. We like that SwiftUI moves beyond the somewhat kludgy relationship between Interface Builder and UIKit and adopts a coherent, declarative and code-centric approach. You can now view your code and the resulting visual interface side by side in Xcode 11, making for a much better developer experience. The SwiftUI framework also draws inspiration from the React.js world that has dominated web development in recent years. Immutable values in view models and an asynchronous update mechanism make for a unified reactive programming model. This gives developers an entirely native alternative to similar reactive frameworks such as React Native or Flutter. Although SwiftUI definitely represents the future of Apple UI development, it is quite new and it will take time to smooth out the rough edges. We look forward to improved documentation and a community of developers who can establish a set of practices for testing and other engineering concerns.

Testcontainers
ASSESS

Creating reliable environments for running automated tests is a perennial problem, particularly as the number of components that modern systems depend on keeps increasing. Testcontainers is a Java library that helps mitigate this challenge by managing dockerized dependencies for your tests. This is particularly useful for spinning up repeatable database instances or similar infrastructure, but it can also be used in web browsers for UI testing. Our teams have found this library to be helpful for making integration tests more reliable with these programmable, lightweight and disposable containers.

Enzyme
HOLD

We don’t always move deprecated tools to Hold in the Radar, but our teams feel strongly that Enzyme has been replaced for unit testing React UI components by React Testing Library. Teams using Enzyme have found that its focus on testing component internals leads to brittle, unmaintainable tests.

We’re a global software consultancy and community of passionate, purpose-led individuals. We think disruptively to deliver technology to address our clients’ toughest challenges while seeking to revolutionize the IT industry and create positive social change. Founded 25 years ago, ThoughtWorks has grown to a company of over 7,000 people, including a products division that makes pioneering tools for software teams. ThoughtWorks has 43 offices across 14 countries: Australia, Brazil, Canada, Chile, China, Ecuador, Germany, India, Italy, Singapore, Spain, Thailand, the United Kingdom and the United States.

Want to stay up-to-date with all Radar-related news and insights? Follow us on your favorite social channel or become a subscriber.

thoughtworks.com
