SD Times Open-Source Project of the Week: Twilio CLI

In an effort to help its developers be more productive, Twilio has announced the beta version of Twilio CLI. It is an open-source command line interface that enables developers to access Twilio through their command prompt.

“It’s hard to beat the flexibility and power that a CLI provides at development time. Until now, there was no CLI designed for typical communications requirements,” Ashley Roach, the product manager for developer interfaces at Twilio, wrote in a post.

The Twilio CLI allows users to access all of Twilio’s APIs, tail logs, send emails via SendGrid and manage phone numbers. In addition, users can access even more commands through $ twilio help. 

The project’s pluggable architecture also allows developers to extend their toolchains and use other plugins such as the serverless toolkit plugin to build and deploy Twilio functions. 

The post SD Times Open-Source Project of the Week: Twilio CLI appeared first on SD Times.


Report: Majority of websites are inaccessible to blind users

Despite efforts to make the web more accessible for people with disabilities, cognitive impairments and vision/hearing difficulties, there is still a digital divide. A new report from accessibility software company Deque Systems, conducted by Nucleus Research, found that websites in certain industries are largely inaccessible to people who have trouble with vision.


After interviewing 73 blind adults, the researchers found that around 70 percent of e-commerce, news and information and government categories had significant accessibility issues, prompting users to take their business to rival sites. 

The research also found that Internet users who are blind abandon two Internet transactions a month because of inaccessibility and call a company’s customer service department once a week to navigate around accessibility issues, and that fewer than one in three websites had clear contact information or means for a consumer who is blind to report accessibility challenges or request.

According to Deque, this divide results in a $6.9 billion missed market opportunity. While many people with these disabilities use screen readers or screen magnifiers to navigate websites, many websites are not built with accessibility in mind and aren’t optimized to work with those tools, the company explained.

The report did find that well-known companies such as Amazon, Best Buy and Target excelled in fixing accessibility issues in the e-commerce space.

“A focus on accessibility needs to be a core part of the website design and development process,” said Preety Kumar, the CEO of Deque Systems. “Considering accessibility as early as the conception phase, and proactively building and testing sites for accessibility as they move towards production, is significantly more effective than remediating it later, helping organizations save significant time and resources while avoiding unnecessary customer grievances.”

Other findings of the report: 7 out of 10 blind persons are unable to access information and services through government websites, and 8 out of 10 news sites have accessibility issues.

“Besides the moral dilemma and legal risk, businesses with inaccessible websites are missing a huge revenue opportunity by ignoring an untapped market,” said Kumar. “Among internet retailers specifically, two-thirds of the top ten online retailers had serious accessibility issues, meaning they are leaving $6.9 billion in potential North American e-commerce revenues on the table.”

The full report can be viewed here


The post Report: Majority of websites are inaccessible to blind users appeared first on SD Times.


The feature launch in 5 key phases: A DevOps cheat sheet

The process of launching a new feature has changed a lot over the last decade. Ten years ago, a feature launch was commonly tied to code release. This meant that when the release branch was merged into master and pushed to production, new features riding on that branch would be launched to customers. 


This all changed with the introduction of feature flags. Feature flags let DevOps teams separate code release from new feature launches: a new feature is put behind a flag and then slowly released to a certain demographic of users until it is ready to be fully released. A flag can be completely off, completely on, or partially on (allowing a certain segment or percentage of users to experience the new feature).

This revolutionized the industry, allowing engineers to test the scalability of systems that support the feature and product managers to tie metrics to every feature launch and better track it. But these new possibilities raised some questions. Many DevOps teams were stuck wondering how many steps are required in this ramp and how long they should spend on each step.

The steps taken for a feature launch using a feature flag should be chosen with care. Taking too many steps or taking too long at any step can slow down innovation. Taking big jumps or not spending enough time at each step can lead to suboptimal outcomes. As daunting as this may seem, approaching your feature launch in the following five key phases will help ensure that it runs smoothly. 

The first of these phases is known as the dogfooding phase. The purpose of this phase is to detect any integration bugs, get feedback from team members on the design and feel, ensure that the production gets certified by Quality Assurance, and conduct training for the sales and support team. This step should be quick, as it is not part of the process where performance challenges are identified, or the impact of the feature is measured.

The next phase is the debugging phase. The goal of this phase is to reduce any risk of obvious bugs or bad user experience. Ensure that any UI component renders correctly, and that the system can take the load of the feature. This phase should be conducted via a few quick ramps (i.e. 1 percent, 5 percent, or 10 percent of users) lasting no more than a day, and the focus should not be on the feature impact on user experience but on debugging the feature.

The phase after that is the maximum power ramp (MPR) phase. Once the feature has been debugged and the risks have been significantly reduced, the new goal is decision-making. This is the part of the process where you determine whether or not the new feature is positively impacting the metrics it is supposed to enhance. At this point, you should release the feature to 50 percent of the users; this is the quickest way to collect the customer impact data. 

Next comes the scalability phase. The previous phase should have provided data on whether the feature was successful and, assuming it was, the next step would be to release the feature to all users. However, there may be concerns about whether the system can deal with 100 percent of users having access to the new feature. To address this operational scalability concern, increase the release of the feature from 50 percent to 75 percent and leave it there for about one day of peak traffic to build confidence that the system will be able to handle the new feature.

The last phase of the feature launch is the learning phase. This phase is to understand the long-term impact of the features on users. For example, if your platform uses advertisements, did the new feature cause long-term ad blindness? The way to address these concerns is by holding back the new feature from 5 percent of the users for about a month. This will enable you to better analyze the long-term impacts and give you time to fix them. 

Overall, remember that the dogfooding phase is for internal feedback, the debugging and scalability phases are meant for risk mitigation, and the MPR and learning phases are meant to speed up learning and decision-making.
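One way to implement the ramp behind these five phases, added here as an example and not taken from the article: each user is hashed into a stable bucket so that anyone exposed at 1 percent stays exposed at 5, 10, 50 and 75 percent, and the users never reached at 95 percent form the learning-phase holdback. The flag name, user ids, staff set and function names are constructed for this sketch.

```python
import hashlib

# Ramp steps from the five phases above (percent of users exposed). The
# percentages are the article's; the step names are labels for this sketch.
RAMP = [
    ("dogfooding", 0),    # internal users only
    ("debugging", 1),
    ("debugging", 5),
    ("debugging", 10),
    ("mpr", 50),
    ("scalability", 75),
    ("learning", 95),     # 5 percent of users held back
]

BUCKETS = 10_000  # resolution of 0.01 percent


def bucket(user_id: str, flag: str) -> int:
    """Stable bucket in [0, BUCKETS) derived from the flag name and user id.

    Salting with the flag name keeps the same users from always being the
    first ones exposed to every new feature.
    """
    digest = hashlib.sha256(f"{flag}:{user_id}".encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big") % BUCKETS


def is_enabled(user_id, flag, percent, internal_users=frozenset()):
    """True if the user sees the feature at this ramp percentage."""
    if user_id in internal_users:          # dogfooding: staff always get it
        return True
    return bucket(user_id, flag) < percent * BUCKETS // 100


def exposure(users, flag, percent):
    """Fraction of the given users who have the feature at this step."""
    users = list(users)
    return sum(is_enabled(u, flag, percent) for u in users) / len(users)


def ramp_is_monotonic(users, flag):
    """Check that nobody loses the feature when the ramp moves forward."""
    users = list(users)
    previous = set()
    for _, percent in RAMP:
        current = {u for u in users if is_enabled(u, flag, percent)}
        if not previous <= current:
            return False
        previous = current
    return True


# Constructed sample population and flag name.
SAMPLE_USERS = [f"user-{n}" for n in range(20_000)]
STAFF = frozenset({"staff-alice", "staff-bob"})
FLAG = "new-checkout"

if __name__ == "__main__":
    for phase, percent in RAMP:
        share = exposure(SAMPLE_USERS, FLAG, percent)
        print(f"{phase:12s} {percent:3d}% -> {share:.3f}")
    print("monotonic:", ramp_is_monotonic(SAMPLE_USERS, FLAG))
```

Because assignment depends only on the flag name and user id, the metrics collected at 50 percent compare the same two groups for the whole phase.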

The introduction of feature flags has enabled DevOps teams to take more control of the process and significantly reduce the odds of “failed” launches along the way. While feature flags can pose a lot of new questions, implementing these five phases, while having specific objectives for each, will help ensure your launch goes off without a hitch.

The post The feature launch in 5 key phases: A DevOps cheat sheet appeared first on SD Times.


SD Times news digest: Instana’s pipeline feedback integration, Pivotal in discussions with VMware on business combination, and WebKit tracking prevention policy

Instana, provider of automated Application Performance Management (APM), announced the release of Instana Pipeline Feedback designed to enable users to track and analyze applications. 

“Instana Pipeline Feedback tracks and isolates application release performance, notifying developers and DevOps of issues within seconds,” said Pete Abrams, co-founder and COO of Instana. 

The APM solution discovers application service components and application infrastructure, including Jenkins, Kubernetes and Docker, and detects changes in the application environment in real time.

Instana explained that Pipeline Feedback isolates each new service or piece of code, builds application performance reports, and compares service and application health to pre-release health and performance.

Pivotal is in discussions with VMware on business combination
Cloud-native platform provider Pivotal Software confirmed that it is in discussions with VMware, Inc. regarding a possible business combination. 

In the potential combination, VMware would acquire all of the outstanding shares of Class A common stock of Pivotal for cash at a per share price equal to $15.00.

“Pivotal does not intend to provide any further information as to developments, if any, in its discussions with VMware regarding a business combination unless and until a definitive agreement is executed,” the company wrote in a statement. 

WebKit tracking prevention policy released
WebKit released its Tracking Prevention Policy, explaining that it will work to prevent all covert tracking and all cross-site tracking.

WebKit said in the policy that it will limit the capability of using techniques that can’t be completely prevented without doing user harm. If even limiting the capability of a technique is not possible without causing user harm, WebKit will ask for the user’s informed consent to potential tracking.

In addition, WebKit said it treats circumvention of shipping anti-tracking measures with the same seriousness as exploitation of security vulnerabilities.

Xamarin updates in Visual Studio 2019 
Microsoft released Visual Studio 2019 version 16.3 Preview 2 and Visual Studio 2019 for Mac version 8.3 Preview 2 with improvements for mobile developers. 

The improvements include XAML Hot Reload for Xamarin.Forms to allow users to make changes to their XAML UI and see them reflected live, Android Q Beta 4 Final APIs within Xamarin.Android, XAML Previewer for Xamarin.Forms, and constraint editing in the iOS designer.

The detailed list of improvements is available here.

The post SD Times news digest: Instana’s pipeline feedback integration, Pivotal in discussions with VMware on business combination, and WebKit tracking prevention policy appeared first on SD Times.


DevOps World | Jenkins World: CircleCI orbs, DevOps Institute’s Ambassador Program, and Codefresh Marketplace

DevOps and Jenkins are on full display this week at CloudBees’ DevOps World | Jenkins World taking place in San Francisco. In addition to the DevOps thought leaders and community members coming together to learn, explore and help shape the next generation of Jenkins and DevOps, a number of organizations took the opportunity to reveal new products.


CircleCI orbs released to better secure the CI/CD pipeline
CircleCI announced that it is releasing orbs that allow users to easily add integrations to tools and services to address security best practices for CI/CD.

According to the company, orbs are reusable and shareable open-source packages of CircleCI configurations that enable the integration of services for the three important categories of security for CI/CD. These include securing the pipeline configuration, securing code and Git history analysis, and enforcing security policy.

“To secure your pipeline, let your team take advantage of third-party services and eliminate the need for in-house development. With orbs, your team only needs to know how to use those services, not how to integrate or manage them,” CircleCI wrote in a blog post. Orbs include Alcide, Anchore, Aqua Security, Contrast Security, Snyk and Twistlock. 

SmartBear announces latest CI/CD pipeline capabilities
SmartBear revealed TestEngine, a new solution designed to automate test execution in CI/CD environments. In addition, the company announced ReadyAPI 2.8 to accelerate functional, security and load testing of RESTful, SOAP, GraphQL and other web services. The new tools are aimed at accelerating API delivery. 

Users can now execute ReadyAPI, SoapUI Pro and SoapUI Open Source tests simultaneously on a central source that’s integrated into their development processes. This tackles the challenges that Agile and DevOps teams have such as complex deployments, large regression suites, and global development teams, according to SmartBear in a post.

“Coordinating and managing test execution and reporting are a hassle for Agile and DevOps teams. They’re hampered by complex deployments, large regression suites, and global development teams. It’s hard to efficiently run tests, not to mention effectively manage all of the organization’s growing testing needs. TestEngine fixes all of this, and it’s a package that can empower the most efficient software teams, even those distributed across the globe,” said Gail Shlansky, director of products at SmartBear.

Codefresh updates open source marketplace 
Kubernetes-native CI/CD solution provider Codefresh announced that it has improved its Codefresh Marketplace that was originally launched in 2018.

The company explained that the marketplace is designed to make it easier for code developers to find commands without having to learn a proprietary API. Now, the marketplace has an expanded set of pipeline steps provided by Codefresh and its partners for Kubernetes, Aqua security scanning, and Helm package and deployment.

“Our steps Marketplace provides building blocks for your pipelines. It is very easy to search for a keyword and see if there is a step for that method,” said Dan Garfield, chief technology evangelist for Codefresh. 

DevOps Institute announces ambassador program 
The DevOps Institute announced its Ambassador Program, a volunteer-based program that connects industry leaders with DevOps Institute community members through the SKIL Framework.

Ambassadors can offer contributed content, participate in forums and online groups, organize local community events known as SKILups, and create other avenues to engage learning pathways within the community.

“We are really excited that each Ambassador will be contributing significantly to advance our new and existing community members with relevant and broad skill sets, knowledge, ideas & learning with the human-centered SKIL Framework,” said Dheeraj Nayal, global community ambassador at DevOps Institute. 

OverOps announced new CI/CD integrations
Software data optimization platform provider OverOps announced new CI/CD integrations and added support for Jenkins, TeamCity and Bamboo. According to the company, these new integrations are meant to help enterprises shift left by detecting code-level issues earlier in the SDLC.  

OverOps analyzes code at runtime to identify all new, increasing, resurfaced and critical errors in a release, even those missed by test automation. OverOps then generates a code quality report that takes into account all severe issues with the potential to impact functionality, the company explained.

The full details of the new integrations are available here

The post DevOps World | Jenkins World: CircleCI orbs, DevOps Institute’s Ambassador Program, and Codefresh Marketplace appeared first on SD Times.


When does SCA replace SAST or DAST?

The short answer is never. There, I just saved you enough time that you can go and do the right thing and run SAST and DAST and work on hardening your code, instead of trying to test security into your application.

Look, every time a new technology, process, or technique comes along there are some people that think that it’s the answer to everything. It’ll solve software security, save development and testing time, and maybe even eliminate world hunger while it’s at it. Ok, I made that last one up. But saying that SCA is eventually going to replace SAST is essentially saying that because you’re looking for known vulnerabilities in other people’s code, you no longer have to check your own. 


SCA is Software Composition Analysis, and is certainly a valuable part of your toolkit for securing your software systems. Theoretically it works hand-in-hand with a software bill-of-materials (something that currently mostly doesn’t exist) and keeps track of the other libraries and components that are used in your application. 

These tools mostly just scan the open-source components for your application and don’t necessarily work with a bill-of-materials. (NOTE: some of these tools also perform other functions, like look for cut-paste snippets from OSS projects, or identify and manage OSS license issues. Both are interesting and important, but still not a replacement for what SAST is doing.) 

One main function of SCA is to check components in your application for known vulnerabilities. This is important so you can avoid zero-day issues, as well as to address the problem that you might not have source for some components and therefore you’re unable to utilize SAST for them.

The popular and useful security organization known as the Open Web Application Security Project (OWASP) has even added this concept to the latest iteration of the popular OWASP Top 10 list of the most critical security risks today. It appears as item A9 – Using Components with Known Vulnerabilities. If you’re not using OWASP, you probably should. If you’re not checking your application for known vulnerabilities against the CVE and NVD databases, you should. Such sources keep track of real attacks happening and what patches and other remediations are available. OWASP has built a tool called OWASP Dependency Check that can do this work for you. Like all that OWASP has to offer, it comes without cost.
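The core matching step of an SCA check, sketched as an added example (it is not OWASP Dependency Check's code and does not reproduce how that tool works): pinned components from a manifest are compared against advisory records with affected version ranges. The package names, advisory ids and manifest are constructed placeholders, and versions are assumed to be plain dotted numbers.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder id, not a real CVE
    package: str
    introduced: str    # first affected version (inclusive)
    fixed: str         # first patched version (exclusive)


# Constructed advisory feed standing in for data derived from CVE/NVD.
ADVISORIES = [
    Advisory("EXAMPLE-2019-0001", "examplexml", "1.0.0", "1.4.2"),
    Advisory("EXAMPLE-2019-0002", "examplehttp", "2.0.0", "2.3.0"),
    Advisory("EXAMPLE-2019-0003", "examplexml", "2.0.0", "2.0.5"),
]

# Constructed dependency manifest in "name==version" form.
MANIFEST = """\
# third-party components
examplexml==1.4.1
examplehttp==2.3.0
ExampleYAML>=3.0
# first-party component: no advisory feed will ever list it
inhouse-billing==0.9.0
"""


def parse_version(text):
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def parse_manifest(text):
    """Return ({name: version} for pinned entries, [unpinned lines])."""
    pinned, unpinned = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "==" in line:
            name, version = line.split("==", 1)
            pinned[name.strip().lower()] = version.strip()
        else:
            # A range or bare name cannot be matched to one version, so it
            # is reported for review instead of being silently passed.
            unpinned.append(line)
    return pinned, unpinned


def scan(manifest_text, advisories):
    """Return (findings, unpinned); a finding is (name, version, id, fixed)."""
    pinned, unpinned = parse_manifest(manifest_text)
    findings = []
    for name, version in pinned.items():
        current = parse_version(version)
        for adv in advisories:
            if adv.package != name:
                continue
            low, high = parse_version(adv.introduced), parse_version(adv.fixed)
            if low <= current < high:
                findings.append((name, version, adv.advisory_id, adv.fixed))
    return findings, unpinned


if __name__ == "__main__":
    found, unknown = scan(MANIFEST, ADVISORIES)
    for name, version, advisory_id, fixed in found:
        print(f"{name} {version}: {advisory_id}, upgrade to {fixed} or later")
    for line in unknown:
        print(f"cannot assess unpinned dependency: {line}")
```

The first-party `inhouse-billing` entry produces no finding because no advisory list covers it, which is the gap the article assigns to SAST.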

Supply chain assurance
I must admit that not too many years back, software supply chain was a mostly overlooked topic. Some key individuals, many of them part of the Software Supply Chain Assurance Forum (SSCA), worked hard to highlight this weakness in application security by focusing not just on your code, but on your supply chain. In fact, the SSCA forum, which is hosted by the U.S. Department of Defense (DoD), Department of Homeland Security (DHS), General Services Administration (GSA), and the National Institute of Standards and Technology (NIST), was formerly called the Software Assurance Forum (SwA) and they changed the name to help put more focus on the supply chain. But the intent was to expand the focus, not move it from your code to someone else’s.

In practice, SCA is a testing activity – making sure that your application is checked against a list and is in conformance with that list (such as known vulnerabilities like NVD). Conversely, SAST is primarily NOT a testing function (heresy, I know…) but rather an engineering function. The smallest value of SAST is to find a weakness or vulnerability earlier than pen-testing would. The greatest value of SAST is to guide you to harden your code in the first place. 

Stop trying to plug leaks and build code that won’t leak in the first place. It’s the only way to get ahead of the curve in application security. If you do it perfectly, you’ll still need SCA, because you still have the problem of all those components in your application, as well as other programs it interacts with and the OS itself. If you do SCA well, you still need SAST because while you’ve fixed problems in other people’s code, you’ve done nothing for your own. The purposes complement each other, not replace each other.

In summary, SCA is great, you want it, in fact you need it. I’m happy that it’s getting more attention than it has in the past. But saying it will replace DAST or SAST is like saying you have a hammer and don’t need a screwdriver.

The post When does SCA replace SAST or DAST? appeared first on SD Times.


CloudBees tackles software delivery management at DevOps World | Jenkins World

CloudBees today announced its vision for software delivery management (SDM) at its annual DevOps World | Jenkins World conference in San Francisco. SDM is an ongoing trend that aims to help organizations connect their entire business through delivery, teams, tools and technologies.

“It is something that is super important in our current era. We keep saying that software is eating the world, and yet we don’t really have a way to manage the delivery of software much like we have software to manage things like sales, marketing or finance. We don’t have that for software delivery. What we are observing in organizations is a lot of them have acquired a lot of different systems to develop and deliver better and different teams have different needs and that leads to a lot of silos among those teams and even within teams,” said Sacha Labourey, CEO and founder of CloudBees.


As a result, the company announced the early preview version of its CloudBees SDM Platform. The platform is designed to tie together all of the artifacts, data and events within an organization’s DevOps toolchain and bring them together in a unified system of record.

“There are many things you want to know about your organization. Sometimes you want to know why it is not working. Why it is not working fast enough. Where are the bottlenecks. How can you do things better. We are building this SDM that is essentially a data backend. It makes it possible to aggregate all the data from those different systems and have a unified data model for all of DevOps,” said Labourey.

Bringing all the data together will make it possible to extract insight that can be extremely useful in unlocking value for the business, seeing where the bottlenecks are and understanding why you are not getting the outcomes you are looking for, Labourey explained.

In addition, Labourey said the SDM platform is not just a dashboard for viewing everything in one place, but it also helps connect common processes and data within the software delivery life cycle. Features include a product hub, policy engine, efficiency dashboard, contributions dashboard, real-time value stream management and integrated feature flag management.

Additionally, the company announced updates to its Application Release Orchestration platform and CloudBees Accelerator at the conference.

Version 9.1 of the CloudBees Flow platform features release command center customization, data archiving, visibility into how a release is progressing, release portfolio feedback and release pipeline execution.

CloudBees Accelerator version 11.1 aims to cut build and test cycle times. Features include support for SSL and TLS cryptographic protocols, improvements to CloudBees Electrify, enhancements to the Linux Foundation’s Yocto project, and improvements to out-of-the-box CloudBees Accelerator support.

The post CloudBees tackles software delivery management at DevOps World | Jenkins World appeared first on SD Times.


SD Times news digest: SnapLogic announces August 2019 release, Crystal 0.30.1, and CodeStream is now available on premise

SnapLogic announced the latest release of its Intelligent Integration Platform, adding new AI capabilities that recommend completed pipelines from within an organization or from the SnapLogic Patterns Catalog. 

The August 2019 release also includes enhanced search capabilities through the Iris AI that now directs users to project spaces containing the pipelines that are most relevant for them; a new API developer portal; SnapLogic eXtreme; and Azure Databricks support for customers running data workloads on AWS. 

“Our new AI-powered pipeline recommendations and improved search capabilities will dramatically simplify and accelerate complex integration projects so our customers can focus on strategic pursuits that drive their business forward,” said Vaikom Krishnan, SVP of engineering at SnapLogic.

Crystal 0.30.1 released
Crystal 0.30.1 has been released with regression fixes and support for a recent version of dependencies. No new features were added, according to the Crystal team. 

The team said it fixed a bug/unhandled case in LLVM, a constraint in the standard library that conflicted with how fibers were resumed by the runtime, and a socket leak after a failed SSL connect.

CodeStream is now available on premise
CodeStream is now available as an on premise solution and it includes all of the features and integrations with team messaging and issue trackers while keeping the discussions and code snippets on a user’s own servers, the company explained.

According to the company’s website, CodeStream “makes it easy for teams of any size to build, share and retain knowledge about their codebase.” Now, CodeStream OnPrem is a docker-ized version of the CodeStream Cloud service that can be installed and operated entirely on premise. It requires a Linux host OS running Docker.

GitHub Classroom announces new integration with learning management systems
GitHub Classroom announced new integrations with learning management systems (LMS) such as Canvas and Google Classroom, which allows teachers to sync their list of students from their LMS with GitHub Classroom without the need for manual copying.

“This means less time spent making GitHub Classroom work with your existing tools, and more time spent being an amazing educator,” GitHub Classroom wrote in a blog.

Each LMS requires slightly different configuration to set up, which the company explained here.

The post SD Times news digest: SnapLogic announces August 2019 release, Crystal 0.30.1, and CodeStream is now available on premise appeared first on SD Times.


XebiaLabs DevOps Platform 9.0 comes with new push-button audit reporting

XebiaLabs is updating its DevOps Platform to provide compliance and visibility across the entire software delivery pipeline. Version 9.0 of the platform comes with a new release audit report that covers the entire release cycle. 

According to the company, it enables users to see “what happened, when it happened, where it happened, and who made it happen.”

“Until now, collecting and analyzing that proof and providing it in a format auditors can use has been almost impossible. XebiaLabs automates the process, giving teams the audit evidence they need instantly,” said Derek Langone, the CEO of XebiaLabs.

According to the company, auditing requires constant exchanges between security, compliance, development and DevOps teams. Other features of the audit report include the ability to visualize and monitor the software chain of custody, verify security and compliance, drill down into the chain of custody for any release and any tasks, understand risks, and easily identify bottlenecks.

The DevOps platform has also been updated to improve configuration management, integrate with secrets management solutions, automatically start releases based on events, and add new integrations with Compuware Topaz for Total Test and Delphix Dynamic Data Platform.

A full list of updates is available here

The post XebiaLabs DevOps Platform 9.0 comes with new push-button audit reporting appeared first on SD Times.


Infragistics reveals new embedded business intelligence platform

Development tools provider Infragistics is announcing a new embedded business intelligence platform designed to give organizations more insight into their data. Reveal is an embedded analytics/dashboard platform that aims to reduce the time and money spent on embedding business analytics into applications by letting developers use pre-built components.

According to the company, Reveal can reduce development time by 85 percent and cut costs by as much as $350,000.

“The use of data is exploding in businesses, government, and nonprofits, and many ISV’s, CTO’s and marketing executives say that embedded analytics add great value to their apps,” Infragistics wrote in a post.

Through the new platform, enterprises can embed the dashboard/analytic engine into their SaaS and on-premise apps with containerized deployment and a microservice architecture. The solution also includes data connectors that allow developers to view insights in real time. Other features include the ability to share dashboards, annotate them and export them to common formats such as PDFs and PowerPoint.

“Reveal is optimized as a developer, cloud and mobile first solution,” said Jason Beres, senior VP of developer tools at Infragistics. “We built it using modern technology and native toolkits for web, desktop, iOS and Android. This allows users to create beautiful dashboards on one device and easily share it with others who can experience the exceptional beauty on any other screen or device.”

The post Infragistics reveals new embedded business intelligence platform appeared first on SD Times.
