Low code is one of the solutions that can be utilized to combat some of the challenges that may be arising as a result of the current economic climate. 

According to Gartner, the low-code market will grow 20%. By comparison, Gartner also predicted a 5% increase in the IT sector as a whole in 2023.  

Gartner defines the low-code market as being made up of a number of different technologies: application platforms, robotic process automation, integration platform as a service, and citizen automation and development platforms, to name a few. 

The largest market segment within low code is application platforms, but citizen automation and development platforms are the fastest growing segment; they are expected to grow by 30% in 2023. Low-code application platforms are those that minimize the use of coding needed to create an application, while citizen development platforms are used to enable people who are not formal developers, such as an accountant or HR representatives, to create applications, according to Gartner. 

By 2026, Gartner predicts that citizen developers will make up at least 80% of the user base for low-code platforms (in 2021 it was 60%).

“The high cost of tech talent and a growing hybrid or borderless workforce will contribute to low-code technology adoption,” said Jason Wong, distinguished VP analyst at Gartner. “Empowered by the intuitive, flexible and increasingly powerful features of low-code development tools, business technologists and citizen technologist personas are developing lightweight solutions to meet business unit needs for enhanced productivity, efficiency and agility — often as fusion teams.”

John Bratincevic, principal analyst at Forrester, has seen that a lot more companies are investing in citizen development, and he expects this trend will continue. At the end of last year, he published a case study on how the oil and gas company Shell Plc has scaled its citizen development program to over 4,000 employees.

Making DIY a priority

One of the keys to their success, according to the report, was that they have a centralized Center of Expertise and hundreds of distributed DIY coaches.  Cultivating small communities of citizen developers throughout the organization was important to their success. 

In the next phase of their citizen developer journey, Shell plans to double the number of citizen developers and make DIY a priority in IT budgets. 

“It seems like a lot of companies have gotten much more serious about citizen development, as I described. So I expect to see more of those programs actually hitting scale,” said Bratincevic. 

He recalled a recent conversation with a financial company where they had 10-15 accountants using low code to create applications. He asked why they didn’t just hire a consultant to come in and build something for them and the response was that they “didn’t have $5 million lying around for so-and-so to come in and do this for me.”

“To her, it made a lot more sense to have her subject-matter experts to build these very important sophisticated applications, rather than pay consultants a bunch of money to do it on whatever product coding or logo,” said Bratincevic.

When low code first started gaining popularity, it was common for citizen developers to use it to create a simple app to automate part of their workflow. 

Now, it is being used to create a wider range of application types. It’s not uncommon to see it used for customer-facing applications, Bratincevic said. 

“They’re increasingly a general purpose replacement for coding for a range of application use cases,” he said.

People will expect AI in their low-code platforms

The emergence of ChatGPT showed people what’s truly possible with AI. Bratincevic expects that users will now demand AI capabilities in their low-code platforms. 

“You and I actually have AI features in our normal tools that we don’t even think about,” he said. “So for example, when you’re using PowerPoint, and it suggests a layout, that’s AI.”

According to Bratincevic, examples of companies who are vocal about having these capabilities in their low-code offerings are OutSystems and Microsoft. 

“I think it’s like anything else, it’s just going to make people more effective and faster, and help them learn things more quickly, right? Just like developers go out and grab code off the internet. Now they’ll grab code from some kind of feature the platform has, and I think it’ll be practical and useful,” said Bratincevic. 

Market forecast

• Gartner predicts a 20% increase in low-code spending in 2023
• They also predict that citizen developers will make up at least 80% of the user base for low-code platforms by 2026
• Forrester predicts more low-code platforms to incorporate AI features to make development easier

The post Low code spending to increase in 2023 appeared first on SD Times.

With 70% of respondents to a report expecting to use more APIs in 2023 than last year, this presents a heightened challenge for API security, which only comprises about 4% of the testing efforts at organizations today. 

The 4th annual State of the APIs Report collected insights from more than 850 global developers, engineers, and leaders from across the technology community spanning over 100 countries including the US, the UK, Germany, and India.

The increased API usage is especially prominent in telecommunications, which is projected to rise to 72%, up from 59% last year. This is followed by smaller, yet still considerable, increases in the fields of technology and professional services. 

Mark O’Neill, VP analyst, and chief of research for software engineering at Gartner, correctly predicted in 2021 that by this year, API breaches would be the number one threat vector for web applications. 

“Part of the reason for that is because with mobile and web apps, along with any other type of modern application that you’re using, it all involves the use of APIs,” O’Neill said. 

Gartner research has estimated that by 2025, fewer than half of enterprise APIs will be managed, as explosive growth in APIs surpasses the capabilities of API management tools and “security controls try to apply old paradigms to new problems.”

This vast number of APIs floating around the organization is further complicated by multiple teams building and managing APIs all while using different cloud platforms and frameworks, according to O’Neill. 

“When you have different platforms where your teams are building and deploying APIs, there’s no one place to put the gateway, which is a problem for traditional API management solutions,” O’Neill said. 

To secure this wide API landscape, many companies have put up multiple gateways, which means that now there are more gateways in front of APIs, but it created a new problem of learning how to manage all of these gateways together. 

“Many clients have asked us for a federated solution that would work across different API gateways and allow teams to have a single picture of their API traffic and to have a single control plane for management and security, but at the moment, that is a gap in the market,” O’Neill said. 

A single federated solution would allow users to set up authentication and authorization schemes across different APIs, ensuring that only the right users have access to the right resources. It also enables administrators to set up rate limiting and other security measures, such as IP white/blacklisting, to protect against malicious attacks. 

With such a solution, teams would also gain visibility into API performance and usage, allowing teams to identify and address potential security issues quickly.

A hodgepodge of APIs in use

The other problem APIs present for API management solutions is that there are many different types of APIs in use.

The API jumble often consists of REST, Webhooks, Websockets, SOAP, GraphQL, Kafka, AsyncAPIs, gRPCs, if not more. 

“If you look at a typical organization that has deployed API management, they may believe that all of their APIs are being managed on one platform,” O’Neill said. “But typically, there are a lot of other APIs that they have that are part of web applications, part of mobile apps, and they’re not managed, they’re effectively under the radar for that organization. And these are the ones that get breached.”

The APIs to watch out for in particular are GraphQLs, according to O’Neill. Users can do very wide and deep queries on data, which can also be their downside because it’s difficult to set up proper access control rules. The complexity of the query can make it hard to predict what data will be accessible. 

Additionally, the use of variables in queries can make it difficult to prevent malicious users from exploiting the API. GraphQL APIs are often stateless, which means that security teams need to ensure that all requests are properly authenticated and authorized. These types of APIs are also new so many organizations are just building up their security teams’ skills around GraphQL and graph APIs in general. 

Another challenge is to consider where all of your APIs are coming from. 

While internal APIs were still the most common API type developers reported working on for their organization, more developers in 2022 reported working on partner-facing or third-party APIs than the year prior. In addition, the SaaS applications that developers utilize also often use their own set of APIs. 

The percentage of developers who reported working on partner-facing and third-party APIs grew by almost 5% in 2022 compared to 2021, according to the 2022 State of the API report. This change was even more dramatic with partner-facing APIs in industries like technology, which grew by nearly 10%.

One hotspot of security issues tends to be around the APIs that require access to data: customer data, preferences, and all sorts of account information. Issues also surround APIs that run a function to do something because often that requires a transaction, so payment information might be at risk, O’Neill said. 

“One is the whole area of loyalty cards where you get points for making purchases, traveling, and so on. Those involve many APIs. So you have an API to look up how many points a certain person has or you have an API to spend the points. We’ve seen security breaches where attackers have been able to find people who have accrued many points and then spend those,” O’Neill said. “Often the person is not aware, because they simply were not aware that they were running up all these points in the first place, and then they’re not aware when they get spent.”

Best practices for API security

The first step for ensuring API security is to catalog all of the APIs in the organization and to have an inventory. Often, companies only look at their existing API gateway to see what APIs are registered there, but even multiple gateways don’t paint the complete picture, O’Neill explained. 

“The way that we advise people to do this is to see what APIs your business depends on,” O’Neill said. “So those of course can be your own APIs, but they can also be important to APIs that you’re consuming from third parties as well. It’s going to be a problem if those APIs suffer a security breach, if they are unavailable, or if they are just simply changing and creating breaking changes. So API discovery is a hard problem because you have to look in multiple places for the APIs.” 

One approach is to simply ask the internal product managers who are then speaking to engineering leaders about what APIs the teams are building. 

There are also some solutions on the market that enable users to tap into application firewalls in the infrastructure at the CDN level to look at the traffic and see what API calls are happening. 

“That approach can in many ways be too late because those APIs that you’re discovering are already in production. But still, it’s better than not discovering them at all,” O’Neill said. 

Using APIs to increase security

By collaborating with APIs, organizations can become more secure as a whole. One such example occurred in the Open Banking Initiative that started in Europe but has since spread in popularity to North America.

The Open Banking Initiative began in January 2016, when the Competition and Markets Authority (CMA) in the UK issued a directive ordering the country’s nine largest banks to open up their customer data to third-party providers.

Since then, it has become valuable because it has allowed financial institutions to create Open APIs that outside organizations and their third-party developers can leverage, according to MuleSoft in a blog post. 

Rather than opening up the APIs to attack, the initiative enabled a secure form of data exchange that accelerates collaboration with outside organizations and has decreased the risks associated with screen scraping, a technique used by programs to extract data from the human-readable output of a computer application. 

Screen scraping is insecure because it requires customers to provide third-party aggregators with login credentials and it also pushes significant traffic to servers with every “scrape.”

Open Banking initiatives offer financial institutions the opportunity to safely collaborate with third-party developers through APIs. Unlike screen scraping, this secure data exchange is API-enabled and does not strain or overload servers. 

Market forecast for 2023

Cyberattacks and data breaches don’t pause with an economic slowdown. When prioritizing security investments, security leaders should continue to invest in security controls and solutions that protect the organization’s customer-facing and revenue-generating workloads, as well as any infrastructure critical to health and safety for those organizations in industries such as utilities, energy, and transportation, according to Forrester in its Planning Guide 2023: Security & Risk.

“API-first is the de facto modern development approach, and APIs help organizations create new business models and methods of engagement with customers and partners. However, security breaches due to unprotected APIs and API endpoints are common and no single type of tool fully addresses API security,” the guide states. 

API management tools address authentication and authorization issues, while API-specific security tools are used for scanning and discovery. Additionally, some security tools extend further to provide runtime protections and microgateways to protect against API attacks. Traditional security tools such as WAFs and bot management solutions are also expanding to cover these attacks, the report added. 

Gartner’s O’Neill said that he is seeing large vendors take steps forward in providing strong API protection and are acquiring some of the smaller specialist vendors that have come along for API protection as well. 

According to the 2022 State of APIs report, 69% of developers said that they expect to use APIs more in 2023 while 25% said that they expect about the same. Only about 6% stated that they expect less or they didn’t know. 

The post Time to hide your API appeared first on SD Times.

Now, the country is in another period of uncertainty. You’ve read the headlines all year: The Great Resignation, layoffs, a possible recession, Elon Musk’s takeover of Twitter shaking up marketing spending, introductions of things like GitHub Copilot and ChatGPT having workers worrying about their future job security, and more. The list could go on and on, but one thing that would help people through these times is knowing they’ll make it out okay on the other end. 

Unfortunately that level of predictability isn’t always possible in the real world, but in the business world, value stream management can help you with it.

According to Lance Knight, president and COO of ConnectALL, the information you can get from value stream management can help you with predictability. This includes things like understanding how information flows and how you get work done. 

“You can’t really be predictable until you understand how things are getting done,” said Knight. 

He also claimed that predictability is a more important outcome of value stream management than the actual delivery of value, simply because of the fact that “you can’t deliver value unless you have a predictable system.” 

Derek Holt, general manager of Intelligent DevOps at Digital.ai, agreed, adding “If we can democratize the data internally, we can not only get a better view, but we can start to use things like machine learning to predict the future. Like, how do we not just show flow metrics, but how do we find areas for flow acceleration? Not just what are our quality metrics, but how do we drive quality improvement? A big one we’re seeing right now is predicting risk and changing risk. How do you predict that before it happens?”

Knight also said that a value stream is only as effective as the information that you feed into it, so you really need to amplify feedback loops, remove non-value-added activities and add automation. Then once your value stream is optimized, you can realize the benefit of predictability. 

If you’ve already been working with value streams for a while then it may be time to make sure all those pieces are running smoothly and look for areas where there is waste that can be removed. 

Knight also explained the importance of embracing the “holistic part” in value stream management. What he means by this is not just thinking about metrics, but thinking about how you can train people to understand Lean principles so that they can understand how the way they develop software will meet their digital transformation needs. 

Challenges companies face 

Of course, all that is easier said than done. There are still challenges that companies face after adopting value stream management to actually get to the maturity level where they gain that predictability. 

One issue is that there is confusion in the market caused by vendors about what value stream management actually is. “Some people think value stream management is the automation of your DevOps pipeline. Some people think value stream management is the metrics that I get. And there’s confusion between value management and value stream management,” said Knight. 

Knight wants us to remember that value stream management isn’t anything new; It can trace its origins back to Lean Manufacturing created by Toyota in the 1950s in Japan.  

And ultimately, value is just the delivery of goods and services. Putting any other definition on it is just the industry being confused, Knight believes. 

“So people who are trying to implement value streams are getting mixed messages, and that’s the number one challenge with value stream management,” said Knight.

Digital.ai’s Holt explained that another challenge, especially for those just getting started, is getting overwhelmed. 

“Don’t be paralyzed by how big it seems,” said Holt. He recommends companies have early conversations acknowledging that they might get things wrong, and just get started. 

Where has value stream been? Where is it headed? 

In our last Buyer’s Guide on value stream management, the theme was that it aligns business and IT. 

Holt has seen in the past year that companies are adopting mentalities that are less about that alignment. Now the focus is that software is the business and the business is software. 

In this new mentality, metrics have become crucial, so it’s important to have a value stream management system in place that actually enables you to track certain metrics. 

“Things like OKRs continued to kind of explode as a simple means to drive better outcome-based alignment … simple KPIs around objective-based development efforts or outcome-based development efforts,” said Holt. 

Holt also noted that in Digital.ai’s recently published 16th annual State of Agile report, around 40% of respondents had adopted one of these approaches, and that was significantly up from the previous year. 

He went on to explain that companies investing in value stream management want to be sure that their investments are actually paying off, especially in the current economic climate.

He also said value streams can help organizations make small, evolutionary improvements, rather than one big revolution. 

“Value stream management is building on some of the core transformations that happened before,” said Holt. “Wiithout the Agile transformation, there would have been no DevOps, and without Agile and DevOps, there probably wouldn’t be an ability to talk about value stream management.”

So value stream management will continue to build on the successes of the past, while also layering in new trends like low code, explained Holt. 

What sets successful value stream management practices apart

Chris Condo, principal analyst at Forrester, last month wrote a blog post where he laid out the three qualities that set successful value stream management practitioners apart. 

1. Use of AI/ML to predict end dates. According to Condo, development teams with access to predictive capabilities are able to use them to create timelines that are more likely to be met. He noted that the successful teams don’t replace estimates produced by people on their team, but rather augment those estimates with machine estimation. 
2. Bottleneck analysis. Teams can use value stream management to discover what the real cause of their bottlenecks is. “When it comes to VSM, too many clients put the cart before the horse, thinking that they need a high-performing DevOps culture and tool chain to effectively use VSM. None of this could be further from the truth,” said Condo.
3. Strong metrics and KPIs. Development leaders want these metrics if they are going to be putting money into value stream management, so look for vendors that can provide excellent metrics. 

The post Value stream management provides predictability in unpredictable times appeared first on SD Times.