AI, new skills and self-defense code emerge as app-dev musts

Gartner analysts paint an app-dev vision for 2021 and beyond marked by AI-driven tooling, novel approaches to app security and new skills.

Application development team leaders have plenty to consider in the coming months and years, such as how to help developers learn new skills, embed security deep into the development process and embrace the growing impact of AI and machine learning on how software is built.

"It's not leaders that adopt or deliver new technology, it's our teams," Gartner analyst Jim Scheibmeir said during the company's recent Application Innovation & Business Solutions Summit event.

Gartner has identified 18 application development skills and placed them in three categories according to importance. High-priority skills include agile practices, AI and machine learning, DevOps and user experience, decoupled apps and modernizing legacy applications.

It places application security, AR/VR, mobile, event-driven apps, modern web/JavaScript, multiexperience, polyglot and progressive web apps in the "significant" category. Finally, Gartner considers low-code and WebAssembly of "moderate" importance, Scheibmeir said.

"There are roadblocks [to learning new dev skills], and this is the leader's role -- to remove them," he added.

App-dev team leaders have many options for doing so, such as by budgeting for online learning courses. "These are often free, so it's as much about time as dollars," Scheibmeir said.

It's also important to give developers permission to disconnect. "I struggle to learn when my email is exploding or my Teams or Slack is constantly pinging me," he said. "We need to make it OK for our engineers to take the time out … to pick up new skills."

Teams should celebrate new skills by creating a minimum viable product, he added. And team leaders should be generous when they assign new skills training. "You will be tempted to assign one emerging skill to one engineer," Scheibmeir said. "Don't do that. You are creating yet another silo of knowledge on your team."

AI and app dev's future

By 2024, half of software development projects will include AI-powered robots on the team, a move that will be the biggest tech personnel shift since offshoring and nearshoring if it comes to pass, Gartner analyst Neil Barton said in a presentation.

"You're thinking that if you have a DevOps program at your organization you've automated a lot of … things and you're right," Barton said. But even if a company has, it has only addressed one-third of the software development lifecycle.

"What we've automated so far is scripted automation," he said. "So, what can we do if we applied machine learning to unexploited parts of the software development process?

"When people really start applying AI to the software development process, the amount of work that can be automated is going to grow dramatically," Barton added. By 2025, AI-augmented developer tools are going to seem as ordinary and commonplace as a satellite navigation system in your car, he said.

Existing types of AI-powered development tools, such as code-completion software like Microsoft's IntelliSense, are becoming much more powerful.

"Can you imagine … that you could say 'Fetch the name of the employee who earns the highest salary' and the system would come back to you and it would turn your request into SQL that can be automatically executed? You don't have to imagine it, because it's for real," Barton said.

A developer named Kenneth Acquah posted a video on Twitter in June 2020, showing that example and other business analyst-oriented SQL queries made with the assistance of OpenAI's GPT-3 AI model.

"This feels like a real step change in what AI can do to autocomplete code," Barton said. "It's not just completing a sentence, it's potentially completing an entire block of code."

Machine vision is also coming into vogue as a means for automatic code creation. Romanian company TeleportHQ has created technology, shown in a YouTube video, in which an AI-powered camera is trained on a man sketching a wire frame for a web page on a whiteboard. To his right, a video screen shows the system automatically generating the HTML code described by his drawing.

Microsoft's AI lab has a project called Sketch2Code that does something similar. So does Mphasis, a 22,000-person systems integrator in India, with its Autocode.ai tool.

The last example is of particular interest, according to Barton. "If [systems integrators] are producing tools that are going to automate that work, that is in some ways short-term bad for them because that is less work that they can bill you for," he said. But companies like Mphasis clearly see AI's growing role in application development, and they realize that if they don't build it, their competition will, he added.

As more AI-driven development tools emerge and mature, enterprises should consider several points before making a purchase, Barton said. These include factors such as language support, cost and lock-in potential. Then there's the impact on morale.

"We may well find that some of our developers don't like this very much," Barton said. "[But] developers are in general in favor of automation that saves them from having to do boring and repetitive work."

On the other hand, "we need to be really careful about the quality of the code that is produced by these tools," Barton said. He recalled the 2015 incident when sensitive Bank of England documents related to its contingency plans for Brexit were sent to the Guardian newspaper after an email autocomplete mishap.

"We really need to think about our quality control and our testing processes when robots are writing the code," Barton said.

Apps that defend themselves

There are many ways to secure applications, but smart teams will use a combination of methods that allow an app to exhibit self-defense qualities.

The hacking group Magecart has used JavaScript listeners to skim credit card data off e-commerce websites, Gartner analyst Dionisio Zumerle said in another session. There's no reason why an enterprise couldn't create its own listener to embed in a browser, identify Magecart-like attacks and thwart them, Zumerle said.

This would be an example of in-code security, which can provide most of the functionality you need, he said. One complication of in-code security is access to source code, which can be difficult to obtain from an ISV.
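
The kind of in-page listener described above, as an added example that is not from the article or from Gartner: it wraps `fetch` and `navigator.sendBeacon` on a checkout page and refuses requests to origins outside an allowlist. The hostnames and the names `isAllowed` and `installEgressGuard` are hypothetical, chosen for illustration.

```javascript
// Added example, not from the article. Hostnames are constructed placeholders.
const ALLOWED_ORIGINS = new Set(["https://shop.example", "https://payments.example"]);

// True only if the target resolves to an origin this page is expected to talk to.
function isAllowed(rawUrl, pageOrigin, allowed = ALLOWED_ORIGINS) {
  try {
    return allowed.has(new URL(String(rawUrl), pageOrigin).origin);
  } catch {
    return false; // unparseable target: fail closed
  }
}

// Wrap fetch and sendBeacon on a window-like object so that calls to unlisted
// origins are reported and refused before anything leaves the page.
function installEgressGuard(win, pageOrigin, report) {
  const realFetch = win.fetch.bind(win);
  win.fetch = (input, init) => {
    const target = String(input.url ?? input); // Request object or URL/string
    if (!isAllowed(target, pageOrigin)) {
      report({ api: "fetch", target });
      return Promise.reject(new TypeError("blocked by egress guard"));
    }
    return realFetch(input, init);
  };
  const nav = win.navigator;
  if (nav && typeof nav.sendBeacon === "function") {
    const realBeacon = nav.sendBeacon.bind(nav);
    nav.sendBeacon = (url, data) => {
      if (isAllowed(url, pageOrigin)) return realBeacon(url, data);
      report({ api: "sendBeacon", target: String(url) });
      return false;
    };
  }
}

// Constructed demo: stub window that records which requests got through.
function demo() {
  const sent = [], violations = [];
  const win = {
    fetch: (u) => { sent.push(String(u)); return Promise.resolve("ok"); },
    navigator: { sendBeacon: (u) => { sent.push(String(u)); return true; } },
  };
  installEgressGuard(win, "https://shop.example", (v) => violations.push(v));
  win.fetch("/api/cart").catch(() => {});
  win.fetch("https://payments.example/charge").catch(() => {});
  win.fetch("https://metrics.invalid/collect").catch(() => {});
  const beaconOk = win.navigator.sendBeacon("https://metrics.invalid/b", "x");
  return { sent, violations, beaconOk };
}
```

Script running in the same page can restore the original functions, so a `Content-Security-Policy` header with a matching `connect-src` list remains the enforcement layer that page code cannot undo.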

Post-code security adds code to compiled binaries. Examples include obfuscation, white-boxing, certificate pinning and resource encryption, Zumerle said.

In-workload security code applies instrumentation to an application workload, meaning the code is close to the app but not inside. This approach minimizes any hit to performance and is used commonly by cloud workload protection platforms, he said.

Yet another category concerns anti-tampering measures, which include jailbreak/rooting detection, device fingerprinting and checksums.

Web application firewall and API protection tools vendors such as Cloudflare, Imperva, F5 and Radware are integrating self-defending capabilities into their software, Zumerle said.

While self-defending apps may sound alluring, enterprises still must ensure that they have a firm grasp on the software development lifecycle and the basics of security hygiene, he said. "You still need to do all the boring things first."