Skip to content

Instantly share code, notes, and snippets.

@wryfi
Last active October 8, 2022 01:26
Show Gist options
  • Save wryfi/93591acff56c903362f8334a3acc9f06 to your computer and use it in GitHub Desktop.
Save wryfi/93591acff56c903362f8334a3acc9f06 to your computer and use it in GitHub Desktop.
name quadrant ring isNew description
Container security scanning Techniques Adopt TRUE <p>The continued adoption of containers for deployments, especially <a href="https://www.thoughtworks.com/radar/platforms/docker">Docker</a>, has made <strong>container security scanning</strong> a must-have technique and we've moved this technique into Adopt to reflect that. Specifically, containers introduced a new path for security issues; it's vital that you use tools to scan and check containers during deployment. We prefer using automated scanning tools that run as part of the deployment pipeline.</p>
Data integrity at the origin Techniques Adopt TRUE <p>Today, many organizations' answer to unlocking data for analytical usage is to build a labyrinth of data pipelines. Pipelines retrieve data from one or multiple sources, cleanse it and then transform and move it to another location for consumption. This approach to data management often leaves the consuming pipelines with the difficult task of verifying the inbound data's integrity and building complex logic to cleanse the data to meet its required level of quality. The fundamental problem is that the source of the data has no incentive and accountability for providing quality data to its consumers. For this reason, we strongly advocate for <strong>data integrity at the origin</strong>, by which we mean, any source that provides consumable data must describe its measures of data quality explicitly and guarantee those measures. The main reason behind this is that the originating systems and teams are most intimately familiar with their data and best positioned to fix it at the source. <a href="https://www.thoughtworks.com/radar/techniques/data-mesh">Data mesh</a> architecture takes this one step further, comparing consumable data to a <em>product</em>, where data quality and its objectives are integral attributes of every shared data set.</p>
Micro frontends Techniques Adopt FALSE <p>We've seen significant benefits from introducing <a href="https://martinfowler.com/articles/microservices.html">microservices</a>, which have allowed teams to scale the delivery of independently deployed and maintained services. Unfortunately, we've also seen many teams create a front-end monolith — a large, entangled browser application that sits on top of the back-end services — largely neutralizing the benefits of microservices. <strong>Micro frontends</strong> have continued to gain in popularity since they were first introduced. We've seen many teams adopt some form of this architecture as a way to manage the complexity of multiple developers and teams contributing to the same user experience. In June of this year, one of the originators of this technique published an <a href="https://martinfowler.com/articles/micro-frontends.html">introductory article</a> that serves as a reference for micro frontends. It shows how this style can be implemented using various web programming mechanisms and builds out an example application using <a href="https://www.thoughtworks.com/radar/languages-and-frameworks/react-js">React.js</a>. We're confident this style will grow in popularity as larger organizations try to decompose UI development across multiple teams.</p>
Pipelines for infrastructure as code Techniques Adopt TRUE <p>The use of continuous delivery pipelines to orchestrate the release process for software has become a mainstream concept. CI/CD tools can be used to test server configuration (e.g., Chef cookbooks, Puppet modules, Ansible playbooks), server image building (e.g., <a href="https://www.thoughtworks.com/radar/tools/packer">Packer</a>), environment provisioning (e.g., <a href="https://www.thoughtworks.com/radar/tools/terraform">Terraform</a>, CloudFormation) and the integration of environments. The use of <strong>pipelines for infrastructure as code</strong> lets you find errors before changes are applied to operational environments — including environments used for development and testing. They also offer a way to ensure that infrastructure tooling is run consistently, using CI/CD agents rather than individual workstations. Our teams have had good results adopting this technique on their projects.</p>
Run cost as architecture fitness function Techniques Adopt TRUE <p>Automating the estimation, tracking and projection of cloud infrastructure's run cost is necessary for today's organizations. The cloud providers' savvy pricing models, combined with proliferation of pricing parameters and the dynamic nature of today's architecture, can lead to surprisingly expensive run cost. For example, the price of <a href="https://www.thoughtworks.com/radar/techniques/serverless-architecture">serverless</a> based on API calls, event streaming solutions based on traffic or data processing clusters based on running jobs, all have a dynamic nature that changes over time as the architecture evolves. When our teams manage infrastructure on the cloud, implementing <strong>run cost as architecture fitness function</strong> is one of their early activities. This means that our teams can observe the cost of running services against the value delivered; when they see deviations from what was expected or acceptable, they'll discuss whether it's time to evolve the architecture. The observation and calculation of the run cost is implemented as an automated function.</p>
Testing using real device Techniques Adopt TRUE <p>When adopting continuous delivery (CD) successfully, teams strive to make the various test environments look as close to production as possible. This allows them to avoid bugs that would otherwise only show themselves in the production environment. This remains just as valid for embedded and Internet of Things software; if we don't run our tests in realistic environments we can expect to find some bugs for the first time in production. <strong>Testing using real devices</strong> helps avoid this issue by making sure the right devices are available in the CD pipeline.</p>
Automated machine learning (AutoML) Techniques Trial TRUE <p>The power and promise of machine learning has created a demand for expertise that outstrips the supply of data scientists who specialize in this area. In response to this skills gap, we've seen the emergence of <strong>Automated machine learning (AutoML)</strong> tools that purport to make it easy for nonexperts to automate the end-to-end process of model selection and training. Examples include <a href="https://cloud.google.com/automl/">Google's AutoML</a>, <a href="https://www.datarobot.com">DataRobot</a> and <a href="http://docs.h2o.ai/h2o/latest-stable/h2o-docs/automl.html">the H2O AutoML interface</a>. Although we've seen promising results from these tools, we'd caution businesses against viewing them as the sum total of their machine-learning journey. As stated on the <a href="http://docs.h2o.ai/h2o/latest-stable/h2o-docs/automl.html">H2O website</a>,"there is still a fair bit of knowledge and background in data science that is required to produce high-performing machine learning models." Blind trust in automated techniques also increases the risk of introducing ethical bias or making decisions that disadvantage minorities. While businesses may use these tools as a starting point to generate useful, trained models, we encourage them to seek out experienced data scientists to validate and refine the results.</p>
Binary attestation Techniques Trial TRUE <p>As the usage of containers, deployment of large fleet of services by autonomous teams and increased speed of continuous delivery become common practice for many organizations, the need for automated deploy-time software security controls arise. <strong>Binary attestation</strong> is a technique to implement deploy-time security control; to cryptographically verify that a binary image is authorized for deployment. Using this technique, an attestor, an automated build process or a security team signs off the binaries that have passed the required quality checks and tests and are authorized to be deployed. Services such as <a href="https://cloud.google.com/binary-authorization/">GCP Binary Authorization</a> enabled by <a href="https://www.thoughtworks.com/radar/tools/grafeas">Grafeas</a>, and tools such as <a href="https://www.thoughtworks.com/radar/tools/in-toto">in-toto</a> and <a href="https://www.thoughtworks.com/radar/tools/docker-notary">Docker Notary</a> support creating attestations and validating the image signatures before deployment.</p>
Continuous delivery for machine learning (CD4ML) Techniques Trial FALSE <p>With an increased popularity of ML-based applications, and the technical complexity involved in building them, our teams rely heavily on <strong><a href="https://martinfowler.com/articles/cd4ml.html">continuous delivery for machine learning (CD4ML)</a></strong> to deliver such applications safely, quickly and in a sustainable manner. CD4ML is the discipline of bringing CD principles and practices to ML applications. It removes long cycle times between training models and deploying them to production. CD4ML removes manual handoffs between different teams, data engineers, data scientists and ML engineers in the end-to-end process of build and deployment of a model served by an application. Using CD4ML, our teams have successfully implemented the automated versioning, testing and deployment of all components of ML-based applications: data, model and code.</p>
Data discoverability Techniques Trial TRUE <p>One of the main points of friction for data scientists and analysts, in their workflow, is to locate the data they need, make sense of it and evaluate whether it's trustworthy to use it. This remains a challenge due to the missing metadata about the available data sources and lack of adequate functionality needed to search and locate data. We encourage teams who are providing analytical data sets or building data platforms to make <strong>data discoverability</strong> a first-class function of their environments; to provide the ability to easily locate available data, detect its quality, understand its structure and lineage and get access to it. Traditionally this function has been provided by bloated data cataloguing solutions. In recent years, we've seen the growth of open-source projects that are improving developer experiences for both data providers and data consumers to do one thing really well: to make data discoverable. <a href="https://github.com/lyft/amundsen">Amundsen</a> by Lyft and <a href="https://github.com/linkedin/WhereHows">WhereHows</a> by LinkedIn are among these tools. What we like to see is a change in providers' behavior to intentionally share the metadata that help discoverability in favor of discoverability tools that infer partial metadata information from silos of application databases.</p>
Dependency drift fitness function Techniques Trial TRUE <p>Many teams and organizations have no formal or consistent way of tracking technical dependencies in their software. This issue often shows itself when that software needs to be changed, at which point the use of an outdated version of a library, API or component will cause problems or delay. <strong>Dependency drift fitness function</strong> is a technique to introduce a specific <a href="https://www.thoughtworks.com/radar/techniques/evolutionary-architecture">evolutionary architecture</a> fitness function to track these dependencies over time, thus giving an indication of the possible work needed and whether a potential issue is getting better or worse.</p>
Design systems Techniques Trial TRUE <p>As application development becomes increasingly dynamic and complex, it's a challenge to achieve the effective delivery of accessible and usable products that are consistent in style. <strong>Design systems</strong> define a collection of design patterns, component libraries and good design and engineering practices that ensure consistency in the development of digital products. We've found design systems a useful addition to our toolbox when working across teams and disciplines in product development, because they allow teams to focus on more strategic challenges around the product itself without the need to reinvent the wheel every time they need to add a visual component. The types of components and tools you use to create design systems can vary greatly.</p>
Experiment tracking tools for machine learning Techniques Trial TRUE <p>The day-to-day work of machine learning often boils down to a series of experiments in selecting a modeling approach, the network topology, training data and various optimizations or tweaks to the model. Because many of these models are still difficult to interpret or explain, data scientists must use experience and intuition to hypothesize changes and then measure the impact those changes have on the overall performance of the model. As these models have become increasingly common in business systems, several different <strong>experiment tracking tools for machine learning</strong> have emerged to help investigators keep track of these experiments and work through them methodically. Although no clear winner has emerged, tools such as <a href="https://mlflow.org/">MLflow</a> or <a href="https://www.wandb.com/">Weights & Biases</a> and platforms such as <a href="https://comet.ml">Comet</a> or <a href="https://neptune.ml">Neptune</a> have introduced rigor and repeatability into the entire machine learning workflow. They also facilitate collaboration and help turn data science from a solitary endeavor into a team sport.</p>
Explainability as a first-class model selection criterion Techniques Trial TRUE <p>Deep neural networks have demonstrated remarkable recall and accuracy across a wide range of problems. Given sufficient training data and an appropriately chosen topology, these models meet and exceed human capabilities in certain select problem spaces. However, they're inherently opaque. Although parts of models can be reused through <a href="https://www.thoughtworks.com/radar/techniques/transfer-learning-for-nlp">transfer learning</a>, we're seldom able to ascribe any human-understandable meaning to these elements. In contrast, an explainable model is one that allows us to say how a decision was made. For example, a decision tree yields a chain of inference that describes the classification process. Explainability becomes critical in certain regulated industries or when we're concerned about the ethical impact of a decision. As these models are incorporated more widely into critical business systems, it's important to consider <strong>explainability as a first-class model selection criterion</strong>. Despite their power, neural networks might not be an appropriate choice when explainability requirements are strict.</p>
Security policy as code Techniques Trial TRUE <p>Security policies are rules and procedures that protect our systems from threats and disruption. For example, access control policies define and enforce who can access which services and resources under what circumstances; or network security policies can dynamically limit the traffic rate to a particular service. The complexity of the technology landscape today demands treating <strong>security policy as code</strong>: define and keep policies under version control, automatically validate them, automatically deploy them and monitor their performance. Tools such as <a href="https://www.thoughtworks.com/radar/tools/open-policy-agent-opa">Open Policy Agent</a>, or platforms such as <a href="https://www.thoughtworks.com/radar/platforms/istio">Istio</a> provide flexible policy definition and enforcement mechanisms that support the practice of security policy as code.</p>
Sidecars for endpoint security Techniques Trial TRUE <p>Many of the technical solutions we build today run in increasingly complex <a href="https://www.thoughtworks.com/radar/techniques/polycloud">polycloud</a> or hybrid-cloud environments with multiple distributed components and services. Under such circumstances, we apply two security principles early in implementation: <em>zero trust network</em>, never trust the network and always verify; and the principle of <em>least privilege</em>, granting the minimum permissions necessary for performing a particular job. <strong>Sidecars for endpoint security</strong> is a common technique we use to implement these principles to enforce security controls at every component's endpoint, e.g., APIs of services, data stores or <a href="https://www.thoughtworks.com/radar/platforms/kubernetes">Kubernetes</a> control interface. We do this using an out-of-process sidecar — a process or a container that is deployed and scheduled with each service sharing the same execution context, host and identity. <a href="https://www.thoughtworks.com/radar/tools/open-policy-agent-opa">Open Policy Agent</a> and <a href="http://github.com/envoyproxy/envoy">Envoy</a> are tools that implement this technique. Sidecars for endpoint security minimize the trusted footprint to a local endpoint rather than the network perimeter. We like to see the responsibility of sidecar’s security policy configuration left with the team that is responsible for the endpoint and not a separate centralized team.</p>
Zhong Tai Techniques Trial TRUE <p><strong><a href="https://www.thoughtworks.com/insights/blog/zhong-tai-radical-approach-enterprise-it">Zhong Tai</a></strong> has been a buzzword in the Chinese IT industry for years, but it has yet to catch on in the West. At its core, Zhong Tai is an approach to delivering encapsulated business models. It's designed to help a new breed of small businesses deliver first-rate services without the costs of traditional enterprise infrastructure and enabling existing organizations to bring innovative services to market at breakneck speeds. The Zhong Tai strategy was originally proposed by Alibaba and soon followed by many Chinese Internet companies, because their business model is digital native, making it suitable to replicate for new markets and sectors. Nowadays, more Chinese firms are using Zhong Tai as a lever for digital transformation.</p>
BERT Techniques Assess TRUE <p><strong><a href="https://arxiv.org/abs/1810.04805">BERT</a></strong> stands for Bidirectional Encoder Representations from Transformers; it's a new method of pretraining language representations which was published by researchers at Google in October 2018. BERT has significantly altered the natural language processing (NLP) landscape by obtaining state-of-the-art results on a wide array of NLP tasks. Based on Transformer architecture, it learns from both the left and right side of a token's context during training. Google has also released pretrained general-purpose BERT models that have been trained on a large corpus of unlabelled text including Wikipedia. Developers can use and fine-tune these pre-trained models on their task-specific data and achieve great results. We talked about <a href="https://www.thoughtworks.com/radar/techniques/transfer-learning-for-nlp">transfer learning for NLP</a> in our April 2019 edition of the Radar; BERT and its successors continue to make transfer learning for NLP a very exciting field with significant reduction in effort for users dealing with text classification.</p>
Data mesh Techniques Assess TRUE <p><strong><a href="https://martinfowler.com/articles/data-monolith-to-mesh.html">Data mesh</a></strong> is an architectural paradigm that unlocks analytical data at scale; rapidly unlocking access to an ever-growing number of distributed domain data sets, for a proliferation of consumption scenarios such as machine learning, analytics or data intensive applications across the organization. Data mesh addresses the common failure modes of the traditional centralized <a href="https://martinfowler.com/bliki/DataLake.html">data lake</a> or data platform architecture, with a shift from the centralized paradigm of a lake, or its predecessor, the data warehouse. Data mesh shifts to a paradigm that draws from modern distributed architecture: considering domains as the first-class concern, applying platform thinking to create a self-serve data infrastructure, treating data as a product and implementing open standardization to enable an ecosystem of interoperable distributed data products.</p>
Ethical bias testing Techniques Assess TRUE <p>Over the past year, we've seen a shift in interest around machine learning and deep neural networks in particular. Until now, tool and technique development has been driven by excitement over the remarkable capabilities of these models. Currently though, there is rising concern that these models could cause unintentional harm. For example, a model could be trained to make profitable credit decisions by simply excluding disadvantaged applicants. Fortunately, we're seeing a growing interest in <strong>ethical bias testing</strong> that will help to uncover potentially harmful decisions. Tools such as <a href="https://github.com/marcotcr/lime">lime</a>, <a href="https://aif360.mybluemix.net/">AI Fairness 360</a> or <a href="https://www.thoughtworks.com/radar/tools/what-if-tool">What-If</a> can help uncover inaccuracies that result from underrepresented groups in training data and visualization tools such as <a href="https://ai.googleblog.com/2017/07/facets-open-source-visualization-tool.html">Google Facets</a> or <a href="https://pair-code.github.io/facets/">Facets Dive</a> can be used to discover subgroups within a corpus of training data. However, this is a developing field and we expect standards and practices specific to ethical bias testing to emerge over time.</p>
Federated learning Techniques Assess TRUE <p>Model training generally requires collecting data from its source and transporting it to a centralized location where the model training algorithm runs. This becomes particularly problematic when the training data consists of personally identifiable information. We're encouraged by the emergence of <strong>federated learning</strong> as a privacy-preserving method for training on a large diverse set of data relating to individuals. Federated learning techniques allow the data to remain on the users' device, under their control, yet contribute to an aggregate corpus of training data. In one such technique, each user device updates a model independently; then the model parameters, rather than the data itself, are combined into a centralized view. Network bandwidth and device computational limitations present some significant technical challenges, but we like the way federated learning leaves users in control of their own personal information.</p>
JAMstack Techniques Assess TRUE <p>The trend that started as <a href="https://www.thoughtworks.com/radar/platforms/backend-as-a-service">backend as a service</a> for native mobile apps many years ago is now becoming popular with web applications. We're seeing frameworks such as <a href="https://www.thoughtworks.com/radar/languages-and-frameworks/gatsby-js">Gatsby.js</a> that combine static site generation and client-side rendering with third-party APIs. Referred to as <strong><a href="https://jamstack.org/">JAMstack</a></strong> (the JAM stands for <strong>J</strong>avaScript, <strong>A</strong>PI, and <strong>M</strong>arkup), this approach can provide rich user experiences to web applications that rely mostly on APIs and SaaS offerings. Because the HTML is rendered either in the web browser or at build time, the deployment model is the same as fully statically generated sites, with all its benefits: the attack surface on the server is small and great performance can be achieved with low resource usage. Such deployments are also ideal for a content delivery network. In fact, we toyed with the idea of labelling this technique as <em>CDN first</em> applications.</p>
Privacy-preserving record linkage (PPRL) using Bloom filter Techniques Assess TRUE <p>Linking records from different data providers in the presence of a shared key is trivial. However, you may not always have a shared key; even if you do, it may not be a good idea to expose it due to privacy concerns. <strong>Privacy-preserving record linkage (PPRL) using Bloom filter</strong> (a space-efficient probabilistic data structure) is an established technique that allows probabilistic linkage of records from different data providers without exposing privately identifiable personal data. For example, when linking data from two data providers, each provider encrypts its personally identifiable data using <a href="https://en.wikipedia.org/wiki/Bloom_filter">Bloom filter</a> to get cryptographic linkage keys and then sends them to you via a secure channel. Once data is received, the records can be linked by computing similarity scores between sets of cryptographic linkage keys from each provider. Among other techniques, we found PPRL using Bloom filters to be scalable for large data sets.</p>
Semi-supervised learning loops Techniques Assess TRUE <p><strong>Semi-supervised learning loops</strong> are a class of iterative machine-learning workflows that take advantage of the relationships to be found in unlabeled data. These techniques may improve models by combining labeled and unlabeled data sets in various ways. In other cases they compare models trained on different subsets of the data. Unlike either unsupervised learning where a machine infers classes in unlabeled data or supervised techniques where the training set is entirely labeled, semi-supervised techniques take advantage of a small set of labeled data and a much larger set of unlabeled data. Semi-supervised learning is also closely related to active learning techniques where a human is directed to selectively label ambiguous data points. Since expert humans that can accurately label data are a scarce resource and labeling is often the most time-consuming activity in the machine-learning workflow, semi-supervised techniques lower the cost of training and make machine learning feasible for a new class of users.</p>
10x engineers Techniques Hold TRUE <p>The old term <strong>10x engineer</strong> has come under scrutiny these past few months. A widely shared Twitter thread essentially suggests companies should excuse antisocial and damaging behaviors in order to retain engineers who are perceived as having immense individual output. Thankfully, many people on social media made fun of the concept, but the stereotype of the "rockstar developer" is still pervasive. In our experience, great engineers are driven not by individual output but by working in amazing teams. It's more effective to build teams of talented individuals with mixed experiences and diverse backgrounds and provide the right ingredients for teamwork, learning and continuous improvement. These 10x teams can move faster, scale more quickly and are much more resilient — without needing to pander to bad behaviors.</p>
Front-end integration via artifact Techniques Hold TRUE <p>When teams embrace the concept of <a href="https://www.thoughtworks.com/radar/techniques/micro-frontends">micro frontends</a> they have a number of patterns at their disposal to integrate the individual micro frontends into one application. As always there are antipatterns, too. A common one in this case is <strong>front-end integration via artifact</strong>. For each micro frontend an artifact is built, usually an NPM package, which is pushed into a registry. A later step, sometimes in a different build pipeline, then combines the individual packages into a final package that contains all micro frontends. From a purely technical perspective this integration at build time results in a working application. However, integrating via artifact implies that for each change the full artifact needs to be rebuilt, which is time consuming and will likely have a negative impact on developer experience. Worse, this style of integrating frontends also introduces direct dependencies between the micro frontends at build time and therefore causes considerable coordination overhead.</p>
Lambda pinball Techniques Hold TRUE <p>We've been building <a href="https://www.thoughtworks.com/radar/techniques/serverless-architecture">serverless</a> architectures on our projects for a couple of years now, and we've noticed that it's quite easy to fall into the trap of building a distributed monolith. <strong><a href="https://twitter.com/ctford/status/1128774411832762369">Lambda pinball</a></strong> architectures characteristically lose sight of important domain logic in the tangled web of lambdas, buckets and queues as requests bounce around increasingly complex graphs of cloud services. Typically they're hard to test as units, and the application needs must be tested as an integrated whole. One pattern we can use to avoid these pinball architectures is to draw a distinction between <a href="https://martinfowler.com/ieeeSoftware/published.pdf">public and published interfaces</a> and apply good old domain boundaries with published interfaces between them.</p>
Legacy migration feature parity Techniques Hold TRUE <p>We find that more and more organizations need to replace aging legacy systems to keep up with the demands of their customers (both internal and external). One antipattern we keep seeing is <strong>legacy migration feature parity</strong>, the desire to retain feature parity with the old. We see this as a huge missed opportunity. Often the old systems have bloated over time, with many features unused by users (50% according to a <a href="https://www.standishgroup.com/sample_research_files/Exceeding%20Value_Layout.pdf">2014 Standish Group report</a>) and business processes that have evolved over time. Replacing these features is a waste. Our advice: Convince your customers to take a step back and understand what their users currently <em>need</em> and prioritize these needs against business outcomes and metrics — which often is easier said than done. This means conducting user research and applying modern product development practices rather than simply replacing the existing ones.</p>
Apache Flink Platforms Trial TRUE <p><strong><a href="https://flink.apache.org/">Apache Flink</a></strong> has seen increasing adoption since our initial assessment on 2016. Flink is recognized as the leading stream-processing engine and also gradually matured in the fields of batch processing and machine learning. One of Flink's key differentiator from other stream-processing engines is its use of consistent checkpoints of an application's state. In the event of failure, the application is restarted and its state is loaded from the latest checkpoint — so that the application can continue processing as if the failure had never happened. This helps us to reduce complexity of building and operating external systems for fault tolerance. We see more and more companies using Flink to build their data-processing platform.</p>
Apollo Auto Platforms Trial TRUE <p>Once exclusive to tech giants, self-driving technology isn't rocket science anymore, as demonstrated by <strong><a href="http://apollo.auto/">Apollo Auto</a></strong>. The goal of the Baidu-owned Apollo program is to become the Android of the autonomous driving industry. The Apollo platform has components such as perception, simulation, planning and intelligent control that enable car companies to integrate their own autonomous driving systems into their vehicles' hardware. The developer community is still new but with a lot of vendors joining to contribute more ports. One of our projects helped our client to complete self-driving license exams with the Apollo-based autopilot system. Apollo also provides an evolutionary architecture approach to adopt advanced features gradually, which enables us to integrate more sensors and functions in an agile, iterative way.</p>
GCP Pub/Sub Platforms Trial TRUE <p><strong><a href="https://cloud.google.com/pubsub/">GCP Pub/Sub</a></strong> is Google Cloud's event streaming platform. It's a popular piece of infrastructure for many of our architectures running <a href="https://www.thoughtworks.com/radar/platforms/google-cloud-platform">Google Cloud Platform</a>, including mass event ingestion, communication of serverless workloads and streaming data-processing workflows. One of its unique features is support of pull and push subscriptions: subscribing to receive all published messages available at the time of subscription or pushing messages to a particular endpoint. Our teams have enjoyed its reliability and scale and that it just works as advertised.</p>
Mongoose OS Platforms Trial TRUE <p><strong><a href="http://mongoose-os.com/">Mongoose OS</a></strong> remains one of our preferred open-source microcontroller operating systems and embedded firmware development frameworks. It's worth noting that Mongoose OS fills a noticeable gap for embedded software developers: the gap between Arduino firmware suitable for prototyping and bare-metal microcontrollers' native SDKs. Our teams have successfully used <a href="https://mongoose-os.com/about.html">Cesanta's</a> new end-to-end device management platform, <a href="https://mdash.net/home/">mDash</a>, for small-scale greenfield hardware projects. Major Internet of Things (IoT) cloud platform providers today support the Mongoose OS development framework for their device management, connectivity, and over-the-air (OTA) firmware upgrades. Since we last reported on Mongoose OS, the number of supported boards and microcontrollers has grown to include STM, Texas Instruments and Espressif. We continue to enjoy its seamless support for OTA updates and its built-in security at the individual device level.</p>
ROS Platforms Trial TRUE <p><strong><a href="https://www.ros.org/">ROS</a></strong> (Robot Operating System) is a set of libraries and tools to help software developers create robot applications. It's a development framework that provides hardware abstraction, device drivers, libraries, visualizers, message-passing, package management and more. <a href="https://www.thoughtworks.com/radar/platforms/apollo-auto">Apollo Auto</a> is based on ROS. In our other <a href="https://en.wikipedia.org/wiki/Advanced_driver-assistance_systems">ADAS</a> simulation project, we've also used ROS's messaging system (<a href="http://wiki.ros.org/Bags">bag</a>). The technology isn't new, but it has regained developers’ attention with the development of ADAS.</p>
AWS Cloud Development Kit Platforms Assess TRUE <p>For many of our teams <a href="https://www.thoughtworks.com/radar/tools/terraform">Terraform</a> has become the default choice for defining cloud infrastructure. However, some of our teams have been experimenting with <strong><a href="https://docs.aws.amazon.com/cdk/latest/guide/home.html">AWS Cloud Development Kit</a></strong> (AWS CDK) and they like what they've seen so far. In particular, they like the use of first-class programming languages instead of configuration files which allows them to use existing tools, test approaches and skills. Like similar tools, care is still needed to ensure deployments remain easy to understand and maintain. Given that support for C# and Java is coming soon and ignoring for now some gaps in functionality, we think AWS CDK is worth watching as an alternative to other configuration file–based approaches.</p>
Azure DevOps Platforms Assess FALSE <p><strong><a href="https://azure.microsoft.com/en-us/services/devops/">Azure DevOps</a></strong> services include a set of managed services such as hosted Git repos, CI/CD pipelines, automated testing tooling, backlog management tooling and artifact repository. Azure DevOps Pipelines have been maturing over time. We particularly like its ability to define <a href="https://www.thoughtworks.com/radar/techniques/pipelines-as-code">Pipelines as code</a> and its ecosystem of extensions on the Azure DevOps <a href="https://marketplace.visualstudio.com/azuredevops">marketplace</a>. At the time of writing, our teams are still running into a few immature features, including lack of an effective UI for pipeline visualization and navigation and the inability to trigger a pipeline from artifacts or other pipelines.</p>
Azure Pipelines Platforms Assess TRUE <p><strong><a href="https://azure.microsoft.com/en-us/services/devops/pipelines/">Azure Pipelines</a></strong> is a product of <a href="https://www.thoughtworks.com/radar/platforms/azure-devops">Azure DevOps</a> that offers cloud-based solutions to implement pipelines as code for projects hosted in Azure DevOps Git server or other Git solution such as GitHub or Bitbucket. The interesting part of this solution is the ability to run your scripts in Linux, MacOS and Windows agents without the overhead of managing a virtual machine on your own. This represents a big step forward, especially for teams that work on Windows environments with .NET Framework solutions; we're also assessing this service for continuous delivery in iOS.</p>
Crowdin Platforms Assess TRUE <p>Most of the projects with multilingual support start with development teams building features in one language and managing the rest through offline translation via emails and spreadsheets. Although this simple setup works, things can quickly get out of hand. You may have to keep answering the same questions for different language translators, sucking the energy out of the collaboration between translators, proofreaders and the development team. <strong><a href="https://crowdin.com">Crowdin</a></strong> is one of a handful of platforms that help in streamlining the localization workflow of your project. With Crowdin the development team can continue building features and the platform streamlines the text that needs translation into an online workflow. We like that Crowdin nudges the teams to continuously and incrementally incorporate translation rather than managing them in large batches toward the end.</p>
Crux Platforms Assess TRUE <p><strong><a href="https://www.juxt.pro/crux/index.html">Crux</a></strong> is an open-source document database with bitemporal graph queries. Most database systems are temporal, meaning they help us model facts along with the time at which they occurred. Bitemporal database systems let you model not just the <em>valid</em> time the fact occurred but also the <em>transaction</em> time when it was received. If you need a document store with graph capabilities for querying the content, then give Crux a try. It's currently in alpha and lacks SQL support, but you can use a <a href="https://en.wikipedia.org/wiki/Datalog">Datalog</a> query interface for reading and traversing relationships.</p>
Delta Lake Platforms Assess TRUE <p><strong><a href="https://docs.databricks.com/delta/index.html">Delta Lake</a></strong> is an open-source storage layer by Databricks that attempts to bring transactions to big data processing. One of the problems we often encounter when using <a href="https://www.thoughtworks.com/radar/platforms/apache-spark">Apache Spark</a> is the lack of ACID transactions. Delta Lake integrates with the Spark API and addresses this problem by its use of a transaction log and versioned <a href="https://parquet.apache.org/">Parquet</a> files. With its serializable isolation, it allows concurrent readers and writers to operate on Parquet files. Other welcome features include schema enforcement on write and versioning, which allows us to query and revert to older versions of data if necessary. We've started to use it in some of our projects and quite like it.</p>
Fission Platforms Assess TRUE <p><a href="https://www.thoughtworks.com/radar/platforms/kubernetes">Kubernetes</a>'s serverless ecosystem is growing. We talked about <a href="https://www.thoughtworks.com/radar/platforms/knative">Knative</a> in a previous Radar; now we're seeing <strong><a href="https://fission.io/">Fission</a></strong> gaining traction. Fission lets developers focus on writing short-lived functions and map them to HTTP requests while the framework handles the rest of the plumbing and automation of Kubernetes resources behind the scenes. Fission also lets you <a href="https://fission.io/workflows/">compose functions</a>, integrate with third-party providers via web hooks and automate the management of the Kubernetes infrastructure.</p>
FoundationDB Platforms Assess TRUE <p><strong><a href="https://www.foundationdb.org">FoundationDB</a></strong> is an open-source multimodel database, acquired by Apple in 2015 and then open sourced in April 2018. The core of FoundationDB is a distributed key-value store, which provides strict serializability transactions. One of the interesting aspects of FoundationDB is its concept of layers to offer additional models. These layers are essentially stateless components built on top of the core key-value store, such as the <a href="https://www.foundationdb.org/blog/announcing-record-layer/">Record layer</a> and the <a href="https://www.foundationdb.org/blog/announcing-document-layer/">Document layer</a>. FoundationDB sets a high standard with its <a href="https://apple.github.io/foundationdb/testing.html">Simulation testing</a> where they run daily tests simulating various system failures. With its performance, rigorous testing and easy operability, FoundationDB is not just a database but can also be used by those looking to build distributed systems where they can use FoundationDB as a core primitive on which to build their system.</p>
GraalVM Platforms Assess TRUE <p><strong><a href="https://www.graalvm.org/">GraalVM</a></strong> is a universal virtual machine by Oracle for running applications written in JVM languages, JavaScript, Python, Ruby and R, as well as C/C++ and other LLVM-based languages. At its simplest, GraalVM can be used as a more performant VM for JVM and other supported non-JVM languages. But it also allows us to write polyglot applications with very little performance impact; and its <a href="https://www.graalvm.org/docs/reference-manual/native-image/">Native Image</a> utility (currently only available as an <a href="https://docs.oracle.com/en/graalvm/enterprise/19/guide/overview/license/licensing-information.html">Early Adopter Technology</a>) lets us compile Java code ahead of time to stand-alone executables for faster startup and less memory use. GraalVM has generated a lot of excitement in the Java community, and a host of Java frameworks (including <a href="https://www.thoughtworks.com/radar/languages-and-frameworks/micronaut">Micronaut</a>, <a href="https://quarkus.io/">Quarkus</a>, and <a href="https://helidon.io/#/">Helidon</a>) are already taking advantage of it.</p>
Hydra Platforms Assess TRUE <p>Not everyone needs a self-hosted OAuth2 solution, but if you do, we found <strong><a href="https://www.ory.sh/hydra/">Hydra</a></strong> — a fully compliant open-source OAuth2 server and OpenID connect provider — quite useful. We really like that Hydra doesn't provide any identity management solutions out of the box; so no matter what flavor of identity management you have, it's possible to integrate it with Hydra through a clean API. This clear separation of identity from the rest of the OAuth2 framework makes it easier to integrate Hydra with an existing authentication ecosystem.</p>
Kuma Platforms Assess TRUE <p><strong><a href="https://kuma.io">Kuma</a></strong> is a platform-agnostic <a href="https://www.thoughtworks.com/radar/techniques/service-mesh">service mesh</a> for <a href="https://www.thoughtworks.com/radar/platforms/kubernetes">Kubernetes</a>, VMs and bare metal environments. Kuma is implemented as a control plane on top of <a href="https://www.envoyproxy.io/">Envoy</a> and as such can instrument any Layer 4/Layer 7 traffic to secure, observe, route and enhance connectivity between services. Most of the service mesh implementations are targeted natively at the Kubernetes ecosystem which in itself is not bad but hinders the adoption of service mesh for existing non-Kubernetes applications. Rather than waiting for large platform transformation efforts to be complete, you can now use Kuma and modernize the network infrastructure.</p>
MicroK8s Platforms Assess TRUE <p>We talked about <a href="https://www.thoughtworks.com/radar/platforms/kubernetes">Kubernetes</a> in the past and it continues to be the default choice for deploying and managing containers in production clusters. However, it's getting increasingly difficult to provide a similar experience offline for developers. Among other options, we've found <strong><a href="https://microk8s.io/">MicroK8s</a></strong> to be quite useful. To install the <a href="https://snapcraft.io/microk8s">MicroK8s snap</a>, pick a release channel (stable, candidate, beta or edge), and you can get Kubernetes running with a few commands. You can also keep track of mainstream releases and choose to upgrade your setup automatically.</p>
Oculus Quest Platforms Assess TRUE <p>We've long tracked AR/VR (Augmented/Virtual Reality) in our Radar, but its appeal has been limited to specific platforms and tethering options. The <strong>Oculus Quest</strong> changes the game, becoming one of the first consumer mass-market standalone VR headsets that requires no tethering or support outside a smartphone. This device opens the door for a huge jump in potential exposure to VR applications, whose demand will in turn drive the market toward more aggressive innovation. We applaud the democratization of VR this device helps usher in and can't wait to see what's on the horizon.</p>
ONNX Platforms Assess TRUE <p>The tools and frameworks ecosystem around neural networks have been evolving rapidly. The interoperability between them, however, has been a challenge. It's not uncommon in the ML industry to quickly prototype and train the model in one tool and then deploy it in a different tool for inference. Because the internal format of these tools aren't compatible, we need to implement and maintain messy convertors to make the models compatible. The Open Neural Network Exchange format <strong><a href="https://onnx.ai/">ONNX</a></strong> addresses this problem. In ONNX, the neural networks are represented as graphs using standard operator specifications, and together with a serialization format for trained weights, neural network models can be <a href="https://onnx.ai/supported-tools">transferred from one tool to another</a>. This opens up lots of possibilities, including <a href="https://github.com/onnx/models">Model Zoo</a>, a collection of pretrained models in ONNX format.</p>
Rootless containers Platforms Assess TRUE <p>Ideally, containers should be managed and run by the respective container runtime without root privileges. This is not trivial but when achieved, it reduces the attack surface and avoids whole classes of security problems, notably privilege escalation out of the container. The community has discussed this as <strong>rootless containers</strong> for quite a while, and it is part of the open container runtime specification and its standard implementation <a href="https://github.com/opencontainers/runc#rootless-containers">runc</a>, which underpins <a href="https://www.thoughtworks.com/radar/platforms/kubernetes">Kubernetes</a>. Now, Docker 19.03 introduces rootless containers as an experimental feature. Although fully functional, the feature doesn't yet work with several other features such as cgroups resource controls and <a href="https://wiki.ubuntu.com/AppArmor">AppArmor</a> security profiles.</p>
Snowflake Platforms Assess TRUE <p>We often relate data warehousing to a central infrastructure that is hard to scale and manage with the growing demands around data. <strong><a href="https://www.snowflake.com">Snowflake</a></strong>, however, is a new SQL Data Warehouse as a Service solution built from the ground up for the cloud. With a bunch of neatly crafted features such as database-level atomicity, structured and semi-structured data support, in-database analytics functions and above all with a clear separation of storage, compute and services layer, Snowflake addresses most of the challenges faced in data warehousing.</p>
Teleport Platforms Assess TRUE <p><strong><a href="https://gravitational.com/teleport/">Teleport</a></strong> is a security gateway for remotely accessing cloud native infrastructures. One of Teleport's interesting <a href="https://gravitational.com/teleport/features/">features</a> is its ability to double as a Certificate Authority (CA) for your infrastructure. You can issue short-lived certificates and build richer role-based access control (RBAC) for your <a href="https://www.thoughtworks.com/radar/platforms/kubernetes">Kubernetes</a> infrastructure (or for just SSH). With increased focus on infrastructure security it's important to keep track of changes. However, not all events require the same level of auditing. With Teleport you can stick with logging for most of the events but go the extra mile by recording the user screen for more privileged root sessions.</p>
Commitizen Tools Adopt TRUE <p><strong><a href="http://commitizen.github.io/cz-cli/">Commitizen</a></strong> is a simple tool to help streamline the commit process when using Git. It prompts you to provide any required fields and also formats your commit message appropriately. It supports different conventions for describing the required check-in formats, and you can add your own via an adapter. This simple tool saves time and avoids later rejections from a commit hook.</p>
ESLint Tools Adopt TRUE <p><strong><a href="https://eslint.org/">ESLint</a></strong> is being used as a standard in many of our projects. As a linting tool for JavaScript it has multiple rule sets, recommended rules and plugins in order to extend to frameworks or JavaScript flavors. We've seen it leveraged heavily to help teams create and enforce norms in their code by allowing for real-time analysis of code during development. It can be used to standardize coding practices by enforcing best practices and code styling, and identify vulnerabilities in your code. It does so by integrating well with most IDEs and giving live feedback while coding. It's styling rules in particular will automatically fix the linting errors, making the process seamless and effective without incurring additional development cost. Developers can quickly get up to speed with the rules thanks to the community documentation, which does a good job of explaining coding patterns. As ESLint becomes more common and powerful, it has gained traction in the industry, and this is illustrated by the <a href="https://www.thoughtworks.com/radar/languages-and-frameworks/typescript">TypeScript</a> team's move to support and work with ESLint rather than investing in TSLint.</p>
React Styleguidist Tools Adopt TRUE <p><strong><a href="https://github.com/styleguidist/react-styleguidist">React Styleguidist</a></strong> is a development environment for React components. It includes a dev server with hot reloading capabilities and generates an HTML style guide for sharing with teams. The style guide shows a live version of all components in one place with documentation and a list of their props. We've mentioned React Styleguidist as a <a href="https://www.thoughtworks.com/radar/tools/ui-dev-environments">UI dev environment</a> before, and over time it has become our default choice among similar tools in this space.</p>
Bitrise Tools Trial TRUE <p>Building, testing and deploying mobile applications entails complex steps, especially when we consider a pipeline from source code repository to app stores. All of these steps can be automated with scripts and build pipelines in generic CI/CD tools. However, our teams have found <strong><a href="https://www.bitrise.io">Bitrise</a></strong>, a domain-specific CD tool for mobile applications, useful for mobile applications when there was no need to integrate with build pipelines for back-end systems. Bitrise is easy to set up and provides a comprehensive set of prebuilt steps for most mobile development needs.</p>
Dependabot Tools Trial TRUE <p>Keeping dependencies up to date is a chore, but for security reasons it's important to respond to updates in a timely manner. You can use tools to make this process as painless and automated as possible. In practical use our teams have had good experiences with <strong><a href="http://dependabot.com/">Dependabot</a></strong>. It integrates with GitHub repositories and automatically checks dependencies for new versions. When required, Dependabot will open a pull request with upgraded dependencies.</p>
Detekt Tools Trial TRUE <p><strong><a href="https://github.com/arturbosch/detekt">Detekt</a></strong> is a static code analysis tool for <a href="https://www.thoughtworks.com/radar/languages-and-frameworks/kotlin">Kotlin</a>. It provides code smell analysis and complexity reports based on highly configurable rule sets. It can be run from the command line and, using plugins, via <a href="https://www.thoughtworks.com/radar/tools/gradle">Gradle</a>, <a href="https://www.sonarqube.org/">SonarQube</a> and IntelliJ. Our teams have found great value in using Detekt to maintain high code quality. When analysis and report generation are integrated into a build pipeline, it's obviously important that the reports are checked on a regular basis and the team sets aside time to act on the findings.</p>
Figma Tools Trial TRUE <p>One of the great pain points in interaction and visual design is the lack of tools built for collaboration. This is where <strong><a href="https://www.figma.com/">Figma</a></strong> comes in. It has the same functionalities of design programs such as Sketch and Invision, but by being able to collaborate with another person at the same time, it helps you discover new ideas together with real-time collaboration capabilities. Our teams find Figma very useful, especially in remote and distributed design work enablement and facilitation. In addition to its collaboration capabilities, Figma also offers an API that helps to improve the <a href="https://www.thoughtworks.com/radar/techniques/designops">DesignOps</a> process.</p>
Jib Tools Trial TRUE <p>Building containerized applications can require complex configurations in development environments and on build agents. If you're building a Java application and use Docker, you might consider using Google's <strong><a href="https://github.com/GoogleContainerTools/jib">Jib</a></strong>. Jib is an open-source plugin supporting both Maven and Gradle. The Jib plugin uses information from your build config to build your application directly as a Docker image without requiring a Dockerfile or Docker daemon. Jib optimizes around image layering, promising to speed up subsequent builds.</p>
Loki Tools Trial TRUE <p><strong><a href="https://loki.js.org">Loki</a></strong> is a visual regression tool that works with <a href="https://storybook.js.org/">Storybook</a>, which we mentioned previously in the context of <a href="https://www.thoughtworks.com/radar/tools/ui-dev-environments">UI dev environments</a>. With a few lines of configuration, Loki can be used to test all UI components. The preferred mode of operation is using Chrome in a Docker container as this avoids one-pixel differences when tests are run in nonidentical environments. Our experience has been that the tests are very stable, but updates to Storybook tend to cause tests to fail with minor differences. It also seems impossible to test components which use <code>position: fixed</code> but you can work around that by wrapping the component with a <code>fixed</code>.</p>
Trivy Tools Trial TRUE <p>Build pipelines that create and deploy containers should include <a href="https://www.thoughtworks.com/radar/techniques/container-security-scanning">container security scanning</a>. Our teams particularly like <strong><a href="https://github.com/aquasecurity/trivy">Trivy</a></strong>, a vulnerability scanner for containers, because it's easier to set up than other tools, thanks to it shipping as a stand-alone binary. Other benefits of Trivy are that it's open-source software and that it supports <a href="https://www.thoughtworks.com/radar/techniques/distroless-docker-images">distroless containers</a>.</p>
Twistlock Tools Trial TRUE <p><strong><a href="https://www.twistlock.com/">Twistlock</a></strong> is a commercial product with build-time and run-time security vulnerability detection and prevention capabilities. These capabilities span protecting VMs, container schedulers and containers to various registries and repositories that applications rely on. Twistlock has helped our teams accelerate development of regulated applications, where application infrastructure and architecture require compliance with, for example, Payment Card Industry (PCI) standards and the Health Insurance Portability and Accountability Act (HIPAA). Our teams have enjoyed the developer experience that Twistlock provides: the ability to run provisioning as code, the easy integration with other common observability platforms, and the out-of-the-box benchmarks to measure the infrastructure against industry-consensus best practices. We run Twistlock with regular runtime scans over our cloud-native applications, particularly when regulatory compliance is required.</p>
Yocto Project Tools Trial TRUE <p>Increasingly we're seeing powerful Internet of Things devices that run Linux rather than a special embedded OS. In order to reduce resource usage and decrease the attack surface, it makes sense to build a custom Linux distribution that only contains the tools and dependencies needed to run the software on the device. In this context the <strong><a href="https://www.yoctoproject.org/">Yocto Project</a></strong> has renewed relevance as a tool to create a Linux distribution tailored to the needs of a specific case. The learning curve is steep and due to its flexibility, it can be easy to do the wrong thing. However, over the many years of its existence, the Yocto Project has attracted an active community that can help. Compared to similar tools, it's easier to integrate into a CD workflow and, unlike Android Things or Ubuntu core for example, it's not tied to a specific ecosystem.</p>
Aplas Tools Assess TRUE <p>It's often very difficult to get a handle on our software estates as they grow ever more complex. <strong><a href="https://aplas.com/public">Aplas</a></strong> is a new software mapping tool that can be used to create visualizations of our software landscapes in the form of maps. The tool works by ingesting metadata about your existing systems and then displaying a map over which various views can be projected. Ingestion is either a manual process or one that can be automated via APIs. We're pretty excited to see this product evolve and to see what's possible with the automated collection of metadata. It should be possible, for example, to expose <a href="https://www.thoughtworks.com/radar/techniques/architectural-fitness-function">architectural fitness functions</a> such as <a href="https://www.thoughtworks.com/radar/techniques/run-cost-as-architecture-fitness-function">run cost</a> to create visualizations of how much is being spent on cloud infrastructure. Understanding which systems talk to other systems via which technology is another problem we often face and Aplas can visualize it for us.</p>
asdf-vm Tools Assess TRUE <p><strong><a href="https://asdf-vm.com">asdf-vm</a></strong> is a command-line tool to manage runtime versions of multiple languages, per project. It's similar to other command-line version management tools, such as <a href="https://rvm.io/">RVM</a> for Ruby and <a href="https://github.com/nvm-sh/nvm">nvm</a> for Node.js, with the advantage of an extensible plugin architecture to handle multiple languages. Its list of current <a href="https://asdf-vm.com/#/plugins-all">plugins</a> include many languages as well as tools such as <a href="https://github.com/rajatvig/asdf-bazel">Bazel</a> or <a href="https://github.com/RykHawthorn/asdf-tflint">tflint</a>, whose runtime version you may need to manage per project.</p>
AWSume Tools Assess TRUE <p><strong><a href="https://github.com/trek10inc/awsume">AWSume</a></strong> is a convenient script to manage AWS session tokens and assume role credentials from the command line. We find AWSume quite handy when we deal with multiple AWS accounts at the same time. Instead of specifying profiles individually in every command, the script reads from the CLI cache and exports them to environment variables. As a result, both the commands and AWS SDKs pick up the right credentials.</p>
dbt Tools Assess TRUE <p>Data transformation is an essential part of data-processing workflows: filtering, grouping or joining multiple sources into a format that is suitable for analyzing data or feeding machine-learning models. <strong><a href="https://www.getdbt.com">dbt</a></strong> is an open-source tool and a commercial SaaS product that provides simple and effective transformation capabilities for data analysts. The current frameworks and tooling for data transformation fall either into the group of <em>powerful and flexible</em> — requiring intimate understanding of the programming model and languages of the framework such as <a href="https://www.thoughtworks.com/radar/platforms/apache-spark">Apache Spark</a> — or in the group of dumb drag-and-drop UI tools that don't lend themselves to reliable engineering practices such as automated testing and deployment. dbt fills a niche: it uses SQL — an interface widely understood — to model simple batch transformations, while it provides command-line tooling that encourages good engineering practices such as versioning, automated testing and deployment; essentially it implements SQL-based transformation modeling as code. dbt currently supports multiple <a href="https://docs.getdbt.com/docs/supported-databases">data sources</a>, including <a href="https://www.thoughtworks.com/radar/platforms/snowflake">Snowflake</a> and Postgres, and provides various <a href="https://docs.getdbt.com/docs/running-dbt-in-production">execution options</a>, such as <a href="https://www.thoughtworks.com/radar/tools/airflow">Airflow</a> and Apache's own cloud offering. Its transformation capability is limited to what SQL offers, and it doesn't support real-time streaming transformations at the time of writing.</p>
Docker Notary Tools Assess TRUE <p><strong><a href="https://docs.docker.com/notary/">Docker Notary</a></strong> is an OSS tool that enables signing of assets such as images, files and containers. This means that the provenance of assets can be asserted which is superuseful in regulated environments and better practice everywhere. As an example, when a container is created, it's signed by a private key and a hash, tied to the publisher's identity, stored as metadata. Once published, the provenance of the container (or other asset) can be checked using the image hash and the publisher's public key. There are publicly available, trusted registries such as the <a href="https://docs.docker.com/ee/dtr/">Docker Trusted Registry</a>, but it's also possible to run your own. Our teams have reported some spiky edges running local Notary servers and suggest using a registry that includes Notary where possible.</p>
Facets Tools Assess TRUE <p>Given the growing amount of weighty decisions that are derived from large data sets, either directly or as training input for machine learning models, it's important to understand the gaps, flaws and potential biases in your data. Google's <strong><a href="https://pair-code.github.io/facets/">Facets</a></strong> project provides two helpful tools in this space: Facets Overview and Facets Dive. Facets Overview visualizes the distribution of values for features in a data set, can show training and validation set skew and can be used to compare multiple data sets; Facets Dive is for drilling down and visualizing individual data points in large data sets, using different visual dimensions to explore the relationships between attributes. They're both useful tools in carrying out <a href="https://www.thoughtworks.com/radar/techniques/ethical-bias-testing">ethical bias testing</a>.</p>
Falco Tools Assess TRUE <p>With increased adoption of <a href="https://www.thoughtworks.com/radar/platforms/kubernetes">Kubernetes</a> as container orchestrator, the security toolset around containers and Kubernetes is evolving rapidly. <strong><a href="https://falco.org/">Falco</a></strong> is one such container-native tool aimed at addressing runtime security. Falco leverages <a href="https://sysdig.com/blog/fascinating-world-linux-system-calls/">Sysdig's Linux kernel instrumentation</a> and system call profiling and lets us gain deep insights into system behavior and helps us detect abnormal activities in applications, containers, underlying host or Kubernetes orchestrator itself. We like Falco's capability to detect threats without injecting third-party code or sidecar containers.</p>
in-toto Tools Assess TRUE <p>We're seeing increased use of <a href="https://www.thoughtworks.com/radar/techniques/binary-attestation">Binary attestation</a> for securing the software supply chain, particularly within regulated industries. The currently favored approaches seem to involve either building a custom system for implementing the binary verification or relying on a cloud vendor's service. We're encouraged to see the open-source <strong><a href="https://github.com/in-toto/in-toto">in-toto</a></strong> enter this space. in-toto is a framework for cryptographically verifying every component and step along the path to production for a software artifact. The project includes a number of integrations into many widely used build, container auditing and deployment tools. A software supply chain tool can be a critical piece of an organization's security apparatus, so we like that as an open-source project, in-toto's behavior is transparent, and its own integrity and supply chain can be verified by the community. We'll have to wait and see if it'll gain a critical mass of users and contributors to compete in this space.</p>
Kubeflow Tools Assess TRUE <p><strong><a href="https://www.kubeflow.org/">Kubeflow</a></strong> is interesting for two reasons. First, it is an innovative use of <a href="https://www.thoughtworks.com/radar/tools/kubernetes-operators">Kubernetes Operators</a> which we've spotlighted in our April 2019 edition of the Radar. Second, it provides a way to encode and version machine-learning workflows so that they can be more easily ported from one execution environment to another. Kubeflow consists of several components, including Jupyter notebooks, data pipelines, and control tools. Several of these components are packaged as Kubernetes operators to draw on Kubernetes's ability to react to events generated by pods implementing various stages of the workflow. By packaging the individual programs and data as containers, entire workflows can be ported from one environment to another. This can be useful when moving a useful but computationally challenging workflow developed in the cloud to a custom supercomputer or tensor processing unit cluster.</p>
MemGuard Tools Assess TRUE <p>If your application handles sensitive information (such as cryptographic keys) as plain text in memory, there's a high probability that someone could potentially exploit it as an attack vector and compromise the information. Most of the cloud-based solutions often use <a href="https://en.wikipedia.org/wiki/Hardware_security_module">hardware security modules (HSM)</a> to avoid such attacks. However, if you're in a situation where you need to do this in a self-hosted manner without access to HSMs, then we've found <strong><a href="https://github.com/awnumar/memguard">MemGuard</a></strong> to be quite useful. MemGuard acts as a secured software enclave for storage of sensitive information in memory. Although MemGuard is not a replacement for HSMs, it does deploy a number of security tactics such as protection against cold boot attacks, avoiding interference with garbage collection and fortifying with guard pages to reduce the likelihood of sensitive data being exposed.</p>
Open Policy Agent (OPA) Tools Assess TRUE <p>Defining and enforcing security policies uniformly across a diverse technology landscape is a challenge. Even for simple applications, you have to control access to their components — such as container orchestrators, services and data stores to keep the services' state — using their components' built-in security policy configuration and enforcement mechanisms.</p> <p>We're excited about <strong><a href="https://www.openpolicyagent.org/">Open Policy Agent (OPA)</a></strong>, an open-source technology that attempts to solve this problem. OPA lets you define fine-grained access control and flexible policies as code, using the <a href="https://www.openpolicyagent.org/docs/latest/policy-language/">Rego</a> policy definition language. Rego enforces the policies in a distributed and unobtrusive manner outside of the application code. At the time of this writing, OPA implements uniform and flexible policy definition and enforcement to secure access to Kubernetes APIs, microservices APIs through <a href="https://www.envoyproxy.io/">Envoy</a> sidecar and <a href="https://www.thoughtworks.com/radar/tools/apache-kafka">Kafka</a>. It can also be used as a sidecar to any service to verify access policies or filter response data. <a href="https://www.styra.com/">Styra</a>, the company behind OPA, provides commercial solutions for centralized visibility to distributed policies. We like to see OPA mature through the <a href="https://www.cncf.io/blog/2019/04/02/toc-votes-to-move-opa-into-cncf-incubator/">CNCF incubation program</a> and continue to build support for more challenging policy enforcement scenarios such as diverse data stores.</p>
Pumba Tools Assess TRUE <p><strong><a href="https://github.com/alexei-led/pumba">Pumba</a></strong> is a chaos testing and network emulation tool for Docker. Pumba can kill, stop, remove or pause Docker containers. Pumba can also emulate networks and simulate different network failures such as delays, packet loss and bandwidth rate limits. Pumba uses the <a href="https://en.wikipedia.org/wiki/Tc_(Linux)">tc</a> tool for network emulation which means it needs to be available in our containers or we need to run Pumba in a sidecar container with tc. Pumba is particularly useful when we want to run some automated chaos tests against a distributed system running on a bunch of containers locally or in the build pipeline.</p>
Skaffold Tools Assess TRUE <p>Google brings us <strong><a href="https://skaffold.dev/">Skaffold</a></strong>, an open-source tool to automate local development workflows, including deployment on <a href="https://www.thoughtworks.com/radar/platforms/kubernetes">Kubernetes</a>. Skaffold detects changes in source code and triggers workflows to build, tag and deploy into a K8s cluster including capturing application logs back to the command line. The workflows are pluggable with different build and deployment tools, but this comes with an opinionated default configuration to make it easier to get started.</p>
What-If Tool Tools Assess TRUE <p>The machine learning world has shifted emphasis slightly from exploring what models are capable of understanding to how they do it. Concerns about introducing bias or overgeneralizing a model's applicability have resulted in interesting new tools such as <strong><a href="https://pair-code.github.io/what-if-tool/">What-If Tool</a></strong> (WIT). This tool helps data scientists to dig into a model's behavior and to visualize the impact various features and data sets have on the output. Introduced by Google and available either through <a href="https://www.tensorflow.org/tensorboard">Tensorboard</a> or <a href="https://www.thoughtworks.com/radar/tools/jupyter">Jupyter</a> notebooks, WIT simplifies the tasks of comparing models, slicing data sets, visualizing facets and editing individual data points. Although WIT makes it easier to perform these analyses, they still require a deep understanding of the mathematics and theory behind the models. It is a tool for data scientists to gain deeper insights into model behavior. Naive users shouldn't expect any tool to remove the risk or minimize the damage done by a misapplied or poorly trained algorithm.</p>
Azure Data Factory for orchestration Tools Hold TRUE <p><a href="https://azure.microsoft.com/en-us/services/data-factory/">Azure Data Factory</a> (ADF) is currently Azure's default product for orchestrating data-processing pipelines. It supports data ingestion, copying data from and to different storage types on prem or on Azure and executing transformation logic. While we've had a reasonable experience with ADF for simple migrations of data stores from on prem to cloud, we discourage the use of <strong>Azure Data Factory for orchestration</strong> of complex data-processing pipelines. Our experience has been challenging due to several factors, including limited coverage of capabilities that can be implemented through coding first, as it appears that ADF is prioritizing enabling <a href="https://www.thoughtworks.com/radar/platforms/low-code-platforms">low-code platform</a> capabilities first; poor debuggability and error reporting; limited observability as ADF logging capabilities don't integrate with other products such as Azure Data Lake Storage or Databricks, making it difficult to get an end-to-end observability in place; and availability of data source-triggering mechanisms only to certain regions. At this time, we encourage using other open-source orchestration tools (e.g., <a href="https://www.thoughtworks.com/radar/tools/airflow">Airflow</a>) for complex data pipelines and limit ADF for data copying or snapshotting. We're hoping that ADF will address these concerns to support for more complex data-processing workflows and prioritize access to capabilities through code first.</p>
Arrow languages-and-frameworks Trial TRUE <p><strong><a href="https://arrow-kt.io/">Arrow</a></strong> is a functional programming library for <a href="https://www.thoughtworks.com/radar/languages-and-frameworks/kotlin">Kotlin</a>, created by merging two existing popular libraries (<a href="https://github.com/JcMinarro/kategory">kategory</a> and <a href="https://github.com/MarioAriasC/funKTionale">funKTionale</a>). While Kotlin provides building blocks for functional programming, Arrow delivers a package of ready-to-use higher-level abstractions for application developers. It provides data types, type classes, effects, optics and other functional programming patterns as well as integrations with popular libraries. Our initial positive impressions of Arrow were confirmed when using it to build applications that are now in production.</p>
Flutter languages-and-frameworks Trial TRUE <p>Several of our teams use <strong><a href="http://flutter.io/">Flutter</a></strong> and really like it. It's a cross-platform framework that enables you to write native mobile apps in <a href="https://www.thoughtworks.com/radar/languages-and-frameworks/google-dart">Dart</a>. It benefits from Dart and can be compiled into native code and communicates with the target platform without bridge and context switching. Flutter's hot-reload feature is still impressive and provides superfast visual feedback when editing code. We're confident in recommending that you try Flutter on one of your projects.</p>
jest-when languages-and-frameworks Trial TRUE <p><strong><a href="https://www.npmjs.com/package/jest-when">jest-when</a></strong> is a lightweight JavaScript library that complements <a href="https://www.thoughtworks.com/radar/languages-and-frameworks/jest">Jest</a> by matching mock function call arguments. Jest is a great tool for testing the stack; jest-when allows you to expect specific arguments for mock functions and thus lets you write more robust unit tests of modules with many dependencies.</p>
Micronaut languages-and-frameworks Trial TRUE <p><strong><a href="https://micronaut.io/">Micronaut</a></strong> is a JVM framework for building services using Java, <a href="https://www.thoughtworks.com/radar/languages-and-frameworks/kotlin">Kotlin</a> or Groovy. It distinguishes itself through a small memory footprint and short startup time; it achieves these improvements by avoiding runtime reflection for <a href="https://martinfowler.com/articles/injection.html">dependency injection (DI)</a> and proxy generation, a common shortcoming of traditional frameworks, and instead uses a DI/<a href="https://en.wikipedia.org/wiki/Aspect-oriented_programming">AOP</a> container which performs dependency injection at compile time. This makes it attractive not just for standard server-side microservices but also in the context of, for example, the Internet of Things, Android applications and serverless functions. Micronaut uses Netty and has first-class support for reactive programming. It also includes features such as service discovery and circuit breaking that make it cloud-native friendly. Micronaut is a very promising entrant to the full-stack framework for the JVM space, and we're seeing it in more and more projects in production, prompting us to move it to Trial.</p>
React Hooks languages-and-frameworks Trial TRUE <p>Earlier this year, <strong><a href="https://reactjs.org/docs/hooks-intro.html">React Hooks</a></strong> were introduced to the popular JavaScript framework. They make it possible to use state and other React features without writing a class, offering a cleaner approach than higher-order components or render-props for use cases. Libraries such as <a href="https://www.thoughtworks.com/radar/languages-and-frameworks/material-ui">Material UI</a> and <a href="https://www.thoughtworks.com/radar/languages-and-frameworks/apollo">Apollo</a> have already switched to using Hooks. There are some issues with testing Hooks, especially with Enzyme, which contributed to our reassessment of <a href="https://www.thoughtworks.com/radar/languages-and-frameworks/enzyme">Enzyme</a> as the tool of choice.</p>
React Testing Library languages-and-frameworks Trial TRUE <p>The JavaScript world moves pretty fast, and as we gain more experience using a framework our recommendations change. The <strong><a href="https://testing-library.com/">React Testing Library</a></strong> is a good example of a framework that with deeper usage has eclipsed the alternatives to become the sensible default when testing React-based frontends. Our teams like the fact that tests written with this framework are less brittle than with alternative frameworks such as <a href="https://www.thoughtworks.com/radar/languages-and-frameworks/enzyme">Enzyme</a> because you're encouraged to test component relationships individually as opposed to testing all implementation details.</p>
Styled components languages-and-frameworks Trial TRUE <p>Using tagged template literals <strong><a href="https://www.styled-components.com/">styled components</a></strong> make it possible to put the CSS needed to style a React component directly into the JavaScript code that creates the component. This greatly reduces the pain with managing CSS and obviates the need for naming conventions or other means of avoiding naming conflicts in CSS. Developers can see the styling when looking at the component definition, and they don't have to memorize several megabytes worth of CSS. Of course, placing the CSS into the JavaScript code can make it harder to get a consistent view across the styling of different components, which is why we recommend understanding the trade-offs with this approach.</p>
Tensorflow languages-and-frameworks Trial TRUE <p>With its 2.0 release, <strong><a href="https://www.tensorflow.org/">TensorFlow</a></strong> retains its prominence as the industry’s leading machine learning framework. TensorFlow began as a numerical processing package that gradually expanded to include libraries supporting a variety of ML approaches and execution environments, ranging from mobile CPU to large GPU clusters. Along the way, a slew of frameworks became available to simplify the tasks of network creation and training. At the same time, other frameworks, notably <a href="https://www.thoughtworks.com/radar/languages-and-frameworks/pytorch">PyTorch</a>, offered an imperative programming model that made debugging and execution simpler and easier. TensorFlow 2.0 now defaults to imperative flow (eager execution) and adopts <a href="https://www.thoughtworks.com/radar/languages-and-frameworks/keras">Keras</a> as the single high-level API. While these changes modernize TensorFlow's usability and make it more competitive with PyTorch, it is a significant rewrite that often breaks backward compatibility — many tools and serving frameworks in the TensorFlow ecosystem won't immediately work with the new version. For the time being, consider whether you want to design and experiment in TensorFlow 2.0 but revert to version 1 to serve and run your models in production.</p>
Fairseq languages-and-frameworks Assess TRUE <p><strong><a href="https://github.com/pytorch/fairseq">Fairseq</a></strong> is a sequence-to-sequence modelling toolkit by Facebook AI Research that allows researchers and developers to train custom models for translation, summarization, language modeling and other NLP tasks. For users of <a href="https://www.thoughtworks.com/radar/languages-and-frameworks/pytorch">PyTorch</a>, this is a good choice. It provides reference implementations of various sequence-to-sequence models; supports distributed training across multiple GPUs and machines; is very extensible; and has a bunch of pretrained models, including <a href="https://github.com/pytorch/fairseq/blob/master/examples/roberta/README.md">RoBERTa</a> which is an optimization on top of <a href="https://www.thoughtworks.com/radar/techniques/bert">BERT</a>.</p>
Flair languages-and-frameworks Assess TRUE <p><strong><a href="https://github.com/zalandoresearch/flair">Flair</a></strong> is a simple Python-based framework for NLP processing. It allows users to do standard NLP tasks such as <a href="https://en.wikipedia.org/wiki/Named-entity_recognition">named entity recognition (NER)</a>, <a href="https://en.wikipedia.org/wiki/Part-of-speech_tagging">part-of-speech tagging (PoS)</a>, <a href="https://en.wikipedia.org/wiki/Word-sense_disambiguation">word-sense disambiguation</a> and classification and performs well on a range of NLP tasks. Flair presents a simple and unified interface for a variety of word and document embeddings, including <a href="https://www.thoughtworks.com/radar/techniques/bert">BERT</a>, Elmo and its own Flair embeddings. It also has multilingual support. The framework itself is built on top of <a href="https://www.thoughtworks.com/radar/languages-and-frameworks/pytorch">PyTorch</a>. We're using it in some of our projects and like its ease of use and powerful abstractions.</p>
Gatsby.js languages-and-frameworks Assess TRUE <p><strong><a href="https://www.gatsbyjs.org/">Gatsby.js</a></strong> is a framework to write web applications in an architectural style known as <a href="https://www.thoughtworks.com/radar/techniques/jamstack">JAMstack</a>. Part of the application is generated at build time and deployed as a static site, while the remainder of the functionality is implemented as a <a href="https://en.wikipedia.org/wiki/Progressive_web_applications">progressive web application (PWA)</a> running in the browser. Such applications work without code running on the server side. Usually, though, the PWA makes calls to third-party APIs and SaaS solutions for content management, for example. In the case of Gatsby.js, all client and build time code is written using React. The framework includes some optimizations to make the web application feel fast. It provides code and data splitting out of the box to minimize load times and speeds up performance when navigating the application by prefetching resources. APIs are called via <a href="https://www.thoughtworks.com/radar/languages-and-frameworks/graphql">GraphQL</a> and several plugins simplify integration with existing services.</p>
GraphQL languages-and-frameworks Assess FALSE <p>We've seen many successful <strong><a href="https://github.com/facebook/graphql">GraphQL</a></strong> implementations on our projects. We've seen some interesting patterns of use too, including <a href="https://www.thoughtworks.com/radar/techniques/graphql-for-server-side-resource-aggregation">GraphQL for server-side resource aggregation</a>. That said, we've concerns about misuse of this framework and some of the problems that can occur. Examples include performance gotchas around N+1 queries and lots of boilerplate code needed when adding new models, leading to complexity. There are workarounds to these gotchas such as query caching. Even though it's not a silver bullet, we still think it's worth assessing as part of your architecture.</p>
KotlinTest languages-and-frameworks Assess TRUE <p><strong><a href="https://github.com/kotlintest/kotlintest">KotlinTest</a></strong> is a stand-alone testing tool for the <a href="https://www.thoughtworks.com/radar/languages-and-frameworks/kotlin">Kotlin</a> ecosystem that our teams have come to like. It allows <a href="https://www.thoughtworks.com/radar/techniques/property-based-unit-testing">property-based testing</a>, a technique we've highlighted in the Radar before. Key advantages are that it offers a variety of testing styles in order to structure the test suites and that it comes with a comprehensive set of matchers, which allow for expressive tests in an elegant internal DSL.</p>
NestJS languages-and-frameworks Assess TRUE <p><strong><a href="https://nestjs.com/">NestJS</a></strong> is a server-side Node.js framework written in <a href="https://www.thoughtworks.com/radar/languages-and-frameworks/typescript">TypeScript</a>. By integrating the rich ecology of the Node.js community, NestJS provides an out-of-the-box application architecture. The mental model to develop NestJS is similar to the server-side version of Angular or the TypeScript version of Spring Boot, so the learning curve for developers is low. NestJS supports protocols such as <a href="https://www.thoughtworks.com/radar/languages-and-frameworks/graphql">GraphQL</a>, Websocket and ORM libraries.</p>
Paged.js languages-and-frameworks Assess TRUE <p>When using HTML and related technologies to produce books and other print output, the question of pagination must be considered. This includes page counters, repeated elements in headers and footers, as well as mechanisms to avoid awkward page breaks. <strong><a href="https://www.pagedmedia.org/paged-js/">Paged.js</a></strong> is an open-source library that implements a series of polyfills for the <a href="https://www.w3.org/TR/css-page-3/">Paged Media</a> and <a href="https://www.w3.org/TR/css-gcpm-3/">Generated Content for Paged Media</a> CSS modules. It is still experimental but fills an important gap in the "write once, publish everywhere" story for HTML.</p>
Quarkus languages-and-frameworks Assess TRUE <p><strong><a href="https://quarkus.io/">Quarkus</a></strong> is a cloud-native, container-first framework by Red Hat for writing Java applications. It has a very fast startup time (tens of milliseconds) and has low memory utilization which makes it a good candidate for FaaS or frequent scaling up and down in a container orchestrator. Like <a href="https://www.thoughtworks.com/radar/languages-and-frameworks/micronaut">Micronaut</a>, Quarkus achieves this by using ahead-of-time compilation techniques to do dependency injection at compile time and avoid the runtime costs of reflection. It also works well with <a href="https://www.thoughtworks.com/radar/platforms/graalvm">GraalVM</a>'s Native Image which further reduces startup time. Quarkus supports both imperative and reactive models. Along with Micronaut and <a href="https://helidon.io/#/">Helidon</a>, Quarkus is leading the charge on the new generation of Java frameworks which attempt to address startup performance and memory without sacrificing developer effectiveness. It's gained a lot of community attention and is worth keeping an eye on.</p>
SwiftUI languages-and-frameworks Assess TRUE <p>Apple has taken a big step forward with their new <strong><a href="https://developer.apple.com/xcode/swiftui/">SwiftUI</a></strong> framework for implementing user interfaces on macOS and iOS platforms. We like that SwiftUI moves beyond the somewhat kludgy relationship between Interface Builder and XCode and adopts a coherent, declarative and code-centric approach. You can now view your code and the resulting visual interface side by side in XCode 11, making for a much better developer experience. The SwiftUI framework also draws inspiration from the <a href="https://www.thoughtworks.com/radar/languages-and-frameworks/react-js">React.js</a> world that has dominated web development in recent years. Immutable values in view models and an asynchronous update mechanism make for a unified reactive programming model. This gives developers an entirely native alternative to similar reactive frameworks such as <a href="https://www.thoughtworks.com/radar/languages-and-frameworks/react-native">React Native</a> or <a href="https://www.thoughtworks.com/radar/languages-and-frameworks/flutter">Flutter</a>. Although SwiftUI definitely represents the future of Apple UI development, it is quite new and it will take time to smooth out the rough edges. We look forward to improved documentation and a community of developers who can establish a set of practices for testing and other engineering concerns.</p>
Testcontainers languages-and-frameworks Assess TRUE <p>Creating reliable environments for running automated tests is a perennial problem, particularly as the number of components that modern systems depend on keeps increasing. <strong><a href="https://www.testcontainers.org/">Testcontainers</a></strong> is a Java library that helps mitigate this challenge by managing dockerized dependencies for your tests. This is particularly useful for spinning up repeatable database instances or similar infrastructure, but it can also be used in web browsers for UI testing. Our teams have found this library to be helpful for making integration tests more reliable with these programmable, lightweight and disposable containers.</p>
Enzyme languages-and-frameworks Hold TRUE <p>We don't always move deprecated tools to Hold in the Radar, but our teams feel strongly that <strong><a href="http://airbnb.io/enzyme/">Enzyme</a></strong> has been replaced for unit testing <a href="https://www.thoughtworks.com/radar/languages-and-frameworks/react-js">React</a> UI components by <a href="https://testing-library.com/docs/intro">React Testing Library</a>. Teams using Enzyme have found that its focus on testing component internals leads to brittle, unmaintainable tests.</p>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment