The Technology Radar is prepared by the ThoughtWorks Technology Advisory Board, comprised of: Rebecca Parsons CTO | Martin Fowler Chief Scientist | Bharani Subramaniam | Camilla Crispim
Trang 1TECHNOLOGY
RADAR VOL.18
Our thoughts on the technology and trends that are shaping the future
thoughtworks.com/radar
Trang 2The Technology Radar is prepared by the
ThoughtWorks Technology Advisory Board, comprised of:
Rebecca Parsons (CTO) | Martin Fowler (Chief Scientist) | Bharani Subramaniam | Camilla Crispim | Erik Doernenburg
Evan Bottcher | Fausto de la Torre | Hao Xu | Ian Cartwright | James Lewis Jonny LeRoy | Ketan Padegaonkar | Lakshminarasimhan Sudarshan | Marco Valtas | Mike Mason
Neal Ford | Rachel Laycock | Scott Shaw | Shangqi Liu | Zhamak Dehghani
This edition of the ThoughtWorks Technology Radar based on a meeting
of the Technology Advisory Board, which met in Sydney in March 2018
Trang 3WHAT’S NEW?
Highlighted themes in this edition:
BROWSER BULKS UP, SERVER
SLIMS DOWN
The browser continues to expand its capabilities as a
deployment target for application logic As platforms take
care of more cross-cutting concerns and nonfunctional
requirements, we see a trend toward reduced complexity
in back-end logic The introduction of WebAssembly
opens up new language options to create logic for web
applications and pushes processing closer to the metal
(and the GPU) Web Bluetooth enables browsers to handle
functionality formerly reserved for native applications,
and we increasingly see open standards such as CSS Grid
Layout and CSS Modules supplanting custom libraries The
search for better user experiences encourages the trend
toward pushing functionality into the browser, and many
back-end services become thinner and less complex as
a result Display and interaction logic resides in the client,
platforms or sidecars handle cross-functional concerns,
and the back-end services can focus on core domain logic
CREEPING CLOUD COMPLEXITY
While AWS continues to race ahead with a dizzying array of
new services, we increasingly see Google Cloud Platform
(GCP) and Microsoft Azure mature as viable alternatives
Abstraction layers such as Kubernetes and practices
such as continuous delivery and infrastructure as code
facilitate the transition between clouds by supporting
easier evolutionary change But cloud strategies necessarily
become more complex with the advent of Polycloud (which
allows organizations to pick and choose multiple providers
based on differentiated capabilities) and growing regulatory
and privacy concerns For example, many EU countries
now legally mandate data locality, making the jurisdiction
of data storage and the underlying host policies a new
dimension of differentiation for cloud evaluators The range
of options for compute environments is also increasing,
with AWS Fargate offering containers as a service (CaaS) as
an intriguing middle ground between functions as a service
and managing longer-lived clusters While cloud resources
continue to mature within organizations, an inevitable
creeping complexity always accompanies building real
solutions with these new pieces
TRUST TEAMS BUT VERIFY
Security remains of paramount concern for virtually all software development But we see a shift in the traditional
“lock everything down globally” approach to a more nuanced, localized approach Many systems now manage trust within smaller domains and use modern mechanisms
to create transitive trust between disparate systems The philosophy has shifted from “never trust anything” outside
of the domain and “never verify anything” inside the domain
to “trust teams but verify” everywhere — that is to say, assume well-intentioned interactions with other parts of the system but verify trust at the local level This enables teams to enjoy high degrees of control over their own infrastructure, equipment, and application stacks, leading
to high visibility and, when necessary, high guardrails for access Tools such as Scout2 and techniques such as BeyondCorp reflect this maturing perspective on trust We welcome this shift toward localized autonomy, especially when tools and automation can ensure equal or better compliance
things EVOLVE
The Internet of Things (IoT) ecosystem continues to evolve at a steady and strong pace and includes critical success factors such as security and maturing engineering practices We see growth across the entire IoT ecosystem, from on-device operating systems to connectivity standards and most strongly in cloud-based device management and data processing We see maturity in tools and frameworks that support good engineering practices such as continuous delivery, deployment, and
a host of other necessities for eventual widespread use
In addition to the main cloud providers — including Google IoT Core, AWS IoT, and Microsoft Azure IoT Hub — companies such as Alibaba and Aliyun are also investing heavily in IoT PaaS solutions Our EMQ and Mongoose
OS blips provide a glimpse of the mainstream capabilities
of today’s IoT ecosystem and illustrate that things are
evolving nicely indeed
Trang 4ABOUT THE RADAR
ThoughtWorkers are passionate about technology
We build it, research it, test it, open source it, write about it, and constantly aim to improve it — for everyone Our mission is to champion software excellence and revolutionize IT We create and share the ThoughtWorks Technology Radar in support
of that mission The ThoughtWorks Technology Advisory Board, a group of senior technology leaders
in ThoughtWorks, creates the Radar They meet regularly to discuss the global technology strategy for ThoughtWorks and the technology trends that significantly impact our industry
RADAR AT A GLANCE
Items that are new or have had significant changes since the last Radar are represented as triangles, while items that have not changed are represented as circles
Our Radar is forward looking To make room for new items, we fade items that haven’t moved recently, which isn’t a reflection on their value but rather our limited Radar real estate
Worth exploring with the goal of understanding how it will affect your enterprise.
3
TRIAL
Worth pursuing It is important to understand how
to build up this capability
Enterprises should try this technology on a project that can handle the risk.
2 ADOPT
We feel strongly that the industry should be adopting these items
We use them when appropriate on our projects.
1
The Radar captures the output of the Technology Advisory Board’s discussions in a format that provides value to a wide range of stakeholders, from developers
to CTOs The content is intended as a concise summary
We encourage you to explore these technologies for more detail The Radar is graphical in nature, grouping items into techniques, tools, platforms, and languages & frameworks When Radar items could appear in multiple quadrants, we chose the one that seemed most appropriate We further group these items in four rings
to reflect our current position on them
For more background on the Radar, see thoughtworks.com/radar/faq
HOLD HOLD ASSESS TRIAL ADOPT ADOPT TRIAL ASSESS
96 108
4 2
Trang 55
1 2
3 13
15 23
17
18 19
8 9
21 20
22 24
53
62 63 64 65
67 68 69
71
73 74 75 76 77
79
56
59 60 61
57
58
26
38 39 40
46
43
44
47 51
32
30
33 34
25 27
35 36 37
41 42
45
49
29 28
104 87
2 Applying product management to internal platforms
3 Architectural fitness function
4 Autonomous bubble pattern
5 Chaos Engineering
6 Domain-scoped events NEW
7 Hosted identity management as a service NEW
12 Embedded mobile mocks NEW
13 Ethereum for decentralized applications
14 Event streaming as the source of truth
15 GraphQL for server side resource aggregation NEW
16 Infrastructure configuration scanner NEW
17 Jupyter for automated testing NEW
18 Log level per request NEW
19 Security Chaos Engineering NEW
20 Service mesh
21 Sidecars for endpoint security
22 The three Rs of security
HOLD
23 Generic cloud usage NEW
24 Recreating ESB antipatterns with Kafka
35 AWS Fargate NEW
36 Azure Service Fabric
37 Azure Stack NEW
48 TICK Stack NEW
49 Web Bluetooth NEW
50 Windows Containers
HOLD
51 Overambitious API gateways
Trang 65
1 2
3 13
15 23
17
18 19
8 9
21
20
22 24
53
62 63 64 65
67 68 69
71
73 74 75 76 77
79
56
59 60 61
57
58
26
38 39
32
30
33 34
25 27
35 36
37
41 42
45
49
29 28
104 87
52 Appium Test Distribution NEW
88 Android Architecture Components
89 Atlas and BeeHive
100 Tensorflow Eager Execution NEW
101 TensorFlow Lite NEW
Trang 7It’s important to remember that encapsulation applies to
events and event-driven architectures just as it applies
to other areas of software In particular, think about
the scope of an event and whether we expect it to be
consumed within the same application, the same domain
or across an entire organization A DOMAIN-SCOPED
EVENT will be consumed within the same domain as
it’s published, as such we expect the consumer to have
access to a certain context, resources or references
in order to act on the event If the consumption is
happening more widely within an organization, the
contents of the event might well need to be different, and
we need to take care not to “leak” implementation details
that other domains then come to depend upon
Identity management is a critical platform component
External users on mobile apps need to be authenticated,
developers need to be given access to delivery
infrastructure components, and microservices may
need to identify themselves to other microservices
You should ask yourself whether identity management
should be “self-hosted” In our experience, a HOSTED
IDENTITY MANAGEMENT AS A SERVICE (SaaS)
solution is preferable We believe that top-tier hosted
providers such as Auth0 and Okta can provide better
uptime and security SLAs That said, sometimes
self-hosting the solution is a realistic decision, especially for enterprises that have the operational discipline and resources to do so safely Large enterprise identity solutions typically offer a much more expansive range of capabilities such as centralized entitlements, governance reporting and separation of duties management among others However, these concerns are typically more relevant for employee identities, especially in regulated enterprises with legacy systems
Organizations are becoming more comfortable with the
POLYCLOUD strategy — rather than going “all-in” with one provider, they are passing different types of workloads
to different providers based on their own strategy Some
of them apply the best-of-breed approach, for example:
putting standard services on AWS, but using Google for machine learning and data-oriented applications and Azure for Microsoft Windows applications For some organizations this is a cultural and business decision Retail businesses, for example, often refuse to store their data
on Amazon and they distribute load to different providers based on their data This is different to a cloud-agnostic strategy of aiming for portability across providers, which is costly and forces lowest-common-denominator thinking
Polycloud instead focuses on using the best match that each cloud provider offers
HOLD HOLD ASSESS TRIAL ADOPT ADOPT TRIAL ASSESS
5
1 2
3 13
14
4 6
11 12
15 23
17
18 19
8 9
21
20
22 24
62 63 64 65
67 68 69
71
73
74 75 76 77
79
56
59 60 61
46
43
44
47 51
35 36 37
41 42
45
49
29 28
86
91
93 95 97 99 100 101 102
104 87
2 Applying product management to internal platforms
3 Architectural fitness function
4 Autonomous bubble pattern
5 Chaos Engineering
6 Domain-scoped events NEW
7 Hosted identity management as a service NEW
12 Embedded mobile mocks NEW
13 Ethereum for decentralized applications
14 Event streaming as the source of truth
15 GraphQL for server side resource aggregation NEW
16 Infrastructure configuration scanner NEW
17 Jupyter for automated testing NEW
18 Log level per request NEW
19 Security Chaos Engineering NEW
20 Service mesh
21 Sidecars for endpoint security
22 The three Rs of security
HOLD
23 Generic cloud usage NEW
24 Recreating ESB antipatterns with Kafka
Trang 8Some organizations are doing away with
implicitly trusted intranets altogether and
treating all communication as if it was being
transmitted through the public internet
(BeyondCorp)
Previously in the Radar, we’ve discussed the rise of the
perimeterless enterprise Now, some organizations
are doing away with implicitly trusted intranets
altogether and treating all communication as if it was
being transmitted through the public internet A set of
practices, collectively labeled BEYONDCORP, have been
described by Google engineers in a set of publications
Collectively, these practices — including managed
devices, 802.1x networking and standard access proxies
protecting individual services — make this a viable
approach to network security in large enterprises
When developing mobile applications, our teams often
find themselves without an external server for testing
apps Setting up an over-the-wire mock may be a good
fit for this particular problem Developing the HTTP
mocks and compiling them into the mobile binary for
testing — EMBEDDED MOBILE MOCKS — enables
teams to test their mobile apps when disconnected and
with no external dependencies This technique may
require creating an opinionated library based on both
the networking library used by the mobile app and your
usage of the underlying library
One pattern that comes up again and again when
building microservice-style architectures is how to
handle the aggregation of many resources server-side
In recent years, we’ve seen the emergence of a number
of patterns such as Backend for Frontend (BFF) and
tools such as Falcor to address this Our teams have
started using GRAPHQL FOR SERVER-SIDE RESOURCE
AGGREGATION instead This differs from the usual mode
of using GraphQL where clients directly query a GraphQL
server When using this technique, the services continue
to expose RESTful APIs but under-the-hood aggregate
services use GraphQL resolvers as the implementation
for stitching resources from other services This technique
simplifies the internal implementation of aggregate
services or BFFs by using GraphQL
For some time now we’ve recommended increased delivery team ownership of their entire stack, including infrastructure This means increased responsibility in the delivery team itself for configuring infrastructure
in a safe, secure, and compliant way When adopting cloud strategies, most organizations default to a tightly locked-down and centrally managed configuration to reduce risk, but this also creates substantial productivity bottlenecks An alternative approach is to allow
teams to manage their own configuration, and use an
INFRASTRUCTURE CONFIGURATION SCANNER to ensure the configuration is set in a safe and secure way Watchmen is an interesting tool, built to provide rule-driven assurance of AWS account configurations that are owned and operated independently by delivery teams Scout2 is another example of configuration scanning to support secure compliance
We’re seeing some interesting reports of using JUPYTER FOR AUTOMATED TESTING The ability to mix code, comments and output in the same document reminds
us of FIT, FitNesse and Concordion This flexible approach is particularly useful if your tests are data heavy or rely on some statistical analysis such as performance testing Python provides all the power you need, but as tests grow in complexity, a way to manage suites of notebooks would be helpful
One problem with observability in a highly distributed microservices architecture is the choice between logging everything — and taking up huge amounts
of storage space — or randomly sampling logs and potentially missing important events Recently, we’ve noticed a technique that offers a compromise between these two solutions Set the LOG LEVEL PER REQUEST
via a parameter passed in through the tracing header Using a tracing framework, possibly based on the OpenTracing standard, you can pass a correlation id from service to service in a single transaction You can even inject other data, such as the desired log level,
at the initiating transaction and pass it along with the tracing information This ensures that the additional data collected corresponds to a single user transaction
as it flows through the system This is also a useful technique for debugging, since services might be paused or otherwise modified on a transaction-by-transaction basis
Trang 9We deliberately introduce false positives into
production networks and other infrastructure
to check whether procedures in place are
capable of identifying security failures under
controlled conditions
(Security Chaos Engineering)
We’ve previously talked about the technique of Chaos
Engineering in the Radar and the Simian Army suite of
tools from Netflix that we’ve used to run experiments
to test the resilience of production infrastructure
SECURITY CHAOS ENGINEERING broadens the
scope of this technique to the realm of security We
deliberately introduce false positives into production
networks and other infrastructure — build-time
dependencies, for example — to check whether
procedures in place are capable of identifying security
failures under controlled conditions Although useful,
this technique should be used with care to avoid
desensitizing teams to security problems
Increasingly, we’re seeing organizations prepare
to use multiple clouds — not to benefit from individual provider’s strengths, though, but to avoid vendor “lock-in” at all costs
(Generic cloud usage)
The major cloud providers continue to add new features
to their clouds at a rapid pace, and under the banner
of Polycloud we’ve suggested using multiple clouds
in parallel, to mix and match services based on the strengths of each provider’s offerings Increasingly, we’re seeing organizations prepare to use multiple clouds
— not to benefit from individual provider’s strengths, though, but to avoid vendor “lock-in” at all costs This, of course, leads to GENERIC CLOUD USAGE, only using features that are present across all providers, which reminds us of the lowest common denominator scenario
we saw 10 years ago when companies avoided many advanced features in relational databases in an effort
to remain vendor neutral The problem of lock-in is real However, instead of treating it with a sledgehammer approach, we recommend looking at this problem from the perspective of exit costs and relate those to the benefits of using cloud-specific features
Trang 10Our teams have confirmed that .NET CORE has
reached a level of maturity that makes it the default for
.NET server applications The open source NET Core
framework enables the development and deployment
of NET applications on Windows, macOS and Linux with
first-class cross-platform tooling Microsoft provides
blessed Docker images which make it easy to deploy
.NET Core applications in a containerized environment
Positive directions in the community and feedback from
our projects indicate that NET Core is the future for
.NET development
Microsoft has steadily improved AZURE and today not
much separates the core cloud experience provided
by the major cloud providers – Amazon, Google and
Microsoft The cloud providers seem to agree and
seek to differentiate themselves in other areas such
as features, services and cost structure Microsoft
is the provider who shows real interest in the legal
requirements of European companies They’ve a
nuanced and plausible strategy, including unique offerings such as Azure Germany and Azure Stack, which gives some certainty to European companies
in anticipation of the GDPR and possible legislative changes in the United States
Headless Content Management Systems (CMSes) are becoming a common component of digital platforms CONTENTFUL is a modern headless CMS that our teams have successfully integrated into their development workflows We particularly like its API-first approach and implementing CMS as Code It supports powerful content modelling primitives as code and content model evolution scripts, which allow treating it
as other data store schemas and applying evolutionary database design practices to CMS development Other notable features that we’ve liked include inclusion of two CDNs by default to deliver media assets and JSON documents, good support for localization, and the ability
— albeit with some effort — to integrate with Auth0
HOLD HOLD ASSESS TRIAL ADOPT ADOPT TRIAL ASSESS
5
1 2
3 13
14
4 6
11 12
15 23
17
18 19
8 9
62 63 64 65
67 68 69
71
73 74 75 76 77
79
56
59 60 61
46
43
44
47 51
35 36 37
41 42
45
49
29 28
86
91
93 95 97 99 100 101 102
104 87
35 AWS Fargate NEW
36 Azure Service Fabric
37 Azure Stack NEW
48 TICK Stack NEW
49 Web Bluetooth NEW
50 Windows Containers
HOLD
51 Overambitious API gateways