Developers and other IT professionals already use a lot of tools to do their work. With trends coming and going, it’s often time to review their current tools and see if they require any new ones. Especially in the area of DevSecOps and the ongoing attention to security, it’s a must to be on the lookout for new tools. Due to the increasing attention to principles such as “shift left”, privacy by design, and secure design, developers are required to take up extra tasks. They would benefit from specialized tools to make their work easier. In this article, we’ll review some of the great new tech tools worth exploring.
Context and criteria
New tools should help developers with their core duties or any of the supported tasks which enable them to ship features faster and more reliably. Therefore, any tool that is being evaluated should contribute to this task.
Every tool needs to support the (current or new) workflow which developers use. Besides this, the tool should be easy to learn and implement. Therefore, demos or practical examples should be offered by the vendor. Teams need to justify the required time and money before they make a decision. And finally, the tool should drive further innovation that also pushes other initiatives which can be derived from it. Both free-to-use and commercial tools are evaluated, since the pricing model does not matter for the features themselves.
These selection criteria act as the base for the rest of this article.
As mentioned in our previous article, feature flags enable developers to quickly enable or disable new features without the “big bang effect” of a full release. Risks are much lower since often these features can be flipped without a complete deployment of their application.
As of today, there are a lot of software vendors and online tools which offer help to manage feature flags. Some tools are even labeled as “feature management platforms”, such as LaunchDarkly. Feature management enables teams to improve their performance by supporting the four key metrics of software development and delivery.
Feature flag software aims to solve a number of challenges:
- Handling feature flags at large scale, since the technical debt that comes with using feature flags grows fast. The complexity increases significantly if multiple teams are involved.
- Most of the time, custom-built feature management solutions only support true/false values when it comes to feature flags. This limits the full potential of what feature flags can offer. There is a need to support more complex use cases, like taking into account CPU usage or disk pressure.
- Handling of feature flags through a nice Graphical User Interface. This removes the limit of developers having to create and maintain feature flags in their source code. People without programming skills can turn feature flags on or off or define a schedule that is based on business decisions.
- API first: feature flag management software uses APIs to handle feature flags. This brings options to automate operations. Besides this, specific templates can be used to quickly reuse implementation details in multiple projects.
Feature flag management is intertwined with progressive delivery; therefore, it supports the same goals and principles.
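The point above about flags that go beyond true/false can be made concrete with a small evaluator. This is an added example, not code from the original article or from any vendor's product; the flag names, metric names and thresholds are constructed for illustration. It combines a kill switch with rules on CPU usage and disk pressure and fails closed when a flag, operator or metric is missing.

```python
import operator

# Comparison operators a rule may use; anything else is rejected.
OPS = {"<": operator.lt, "<=": operator.le,
       ">": operator.gt, ">=": operator.ge, "==": operator.eq}

# Constructed flag definitions (hypothetical names and thresholds).
FLAGS = {
    "new-report-export": {
        "enabled": True,                    # kill switch: anything but True wins
        "rules": [                          # every rule must hold
            ("cpu_percent", "<", 75),
            ("disk_used_percent", "<", 90),
        ],
    },
    "legacy-banner": {"enabled": True, "rules": []},  # plain boolean flag
}


def is_enabled(flag_name, metrics, flags=FLAGS):
    """Return True only if the flag exists, is switched on and all rules hold.

    Fails closed: an unknown flag, an unknown operator, or a missing or
    non-numeric metric all evaluate to False, so a broken metrics feed
    cannot silently turn a feature on.
    """
    flag = flags.get(flag_name)
    if flag is None or flag.get("enabled") is not True:
        return False
    for metric, op, threshold in flag.get("rules", []):
        compare = OPS.get(op)
        value = metrics.get(metric)
        if compare is None:
            return False
        # bool is a subclass of int in Python; reject it explicitly.
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            return False
        if not compare(value, threshold):
            return False
    return True


if __name__ == "__main__":
    healthy = {"cpu_percent": 40, "disk_used_percent": 60}   # constructed sample
    loaded = {"cpu_percent": 92, "disk_used_percent": 60}    # constructed sample
    print(is_enabled("new-report-export", healthy))
    print(is_enabled("new-report-export", loaded))
```
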
Consider the following links to read more about the various options which are present.
- Read the definitive guide to feature management from LaunchDarkly.
- A great overview of feature management tools and related free software to start with.
- Martin Fowler wrote a very good article about the different categories of feature toggles.
- Posthog offers a rather complete list of popular Open Source based feature flag tools which are a great way to explore numerous options.
The list of resources is just the tip of the iceberg, but it gives you a good starting point for exploring the options you have when you want to use feature flags on a daily basis.
Hacking as a Service
Organizations increasingly utilize the knowledge and deep technical experience of ethical hackers to validate their software applications. In turn, these hackers use a lot of tools to automate their security tests. Think of simulating DDoS attacks, SQL injection, or input validation flaws. As of today, there are also a number of great tools that further help to professionalize these kinds of activities.
Tools that offer similar attack methods are called “Hacking as a Service” tools since they offer this kind of service without the need for the ethical hacker to set up those tools manually. Think of the following services which are offered: malware distribution, tracking the location of various assets such as phones and computers, gaining unauthorized access to systems, and unlocking of phones to remotely execute scripts.
As mentioned by Cybrary, these services are often offered on the dark web.
Increased threat landscape
According to the website of Rapid7, “hacking as a service” will change the threat landscape since it really lowers the barrier to actually attacking a company or a great number of individuals.
- The technical knowledge which is needed to actually execute an attack is “packed” into the tools/services which are offered. Therefore, more people can obtain those tools and launch the attack. Companies need to be aware of more (potential) attackers and/or greater volumes of attacks.
- Phishing as a Service mixes technical skills and social engineering activities. By offering these topics as a service, campaigns can be set up very quickly and also disappear within a jiffy. This makes it very difficult for organizations to react to actual phishing attacks which might have happened in the recent past. Evidence is destroyed in seconds so detection becomes a lot harder.
- Companies such as Hacksclusive offer various services which are charged in credits. Think of vulnerability scanning, automated pentesting, and monitoring (of potential attacks). In essence, they offer a complete platform that you can subscribe to in order to outsource your “white hat” hacking needs.
Other hacking tools include Invincity, the Metasploit framework, Burp Suite (as part of PortSwigger), and Nessus.
In addition to this great list of (Open Source and commercial) tools, Hackclub offers a Platform as a Service. This platform consists of a series of repositories that help high school makers and students host their own back-end services for the purpose of learning how to hack them.
No one could have missed the increasing popularity of the so-called developer portals. These portals are at the heart of the platform engineering approach. Those platforms should support the development, deployment as well as operation of software applications. A cohesive view of these activities, bundled in an easy-to-use platform for developers makes it easier to use and track all of the moving parts of their daily work. The number of moving parts becomes bigger every day since it now includes CI, CD, Cloud resources, IaC scripts, source code to describe business logic, DevTools, Security tools, and audits as well as a bunch of (connected) microservices and various environments that all serve a phase in the development cycle.
Developer portals help to unify many different aspects of your development organization. Think of the following:
- Provide a “one-stop shop” for developers which acts as the single point of entry for their DevOps tools, IaC scripts, GitOps workflows, feature flags, guardrails, etc.
- Offer a “software catalog” which answers the basic question “what is deployed where”. It acts as the single source of truth for anything that is running on any cloud or on-premise. It also always reflects the current state as it is continuously updated with the actual services that are running.
- Every feature can be accessed through its API; therefore, it also serves as a so-called “API catalog”.
- Documentation is created automatically to keep all the records of the company in shape. This also acts as an audit trail for (external) auditors in case they require evidence of what has happened in the (recent) past.
- The central repository is the backbone of the auditing process (see previous issue)
Since there is a great need for developer portals, many organizations already experiment with them.
A lot of companies saw the increasing trend in developer portals, so they offer tools for organizations that do not want to build one themselves.
- Port offers a complete platform that helps developers to streamline their operations through a unified user interface. It is possible to view use cases, request a product demo and compare their portal with Backstage.
- The website of Opslevel answers a lot of useful questions about developer portals in one of their blog posts.
- Be sure to visit the website of Backstage to explore the most popular developer portal which is currently available. Spotify created this portal and makes it an “open platform” for everyone to check out.
Developers encounter constant pressure to release software features faster and with more confidence. The number of tasks increases, and now and then they need to explore new or other tools to help them with their work. In this article, we explored several tools and technologies which are trending now. The tools focus on hacking-related aspects, feature flags, and developer portals that streamline the entire software delivery process. If you’re curious about them, it’s best to browse through the links which have been mentioned in the text blocks.