Software developers not only represent the early adopters who will determine the success of a particular product or project, but also have become primary influencers in software purchases. In the latest William Blair Thinking Podcast, analysts Jason Ader, Arjun Bhatia, and Jonathan Ho delve into the key trends and potential disruptions, including generative AI, in this exciting new era of coding capabilities.
Podcast Transcript
00:29 - 1:37
Chris Thonis
Hi everybody. Welcome back to another episode of William Blair Thinking Presents. Today, we welcome the co-group heads of William Blair's technology, media, and communications research sector, Jason Ader and Arjun Bhatia, both of whom, if you're familiar with these, joined me for a discussion on generative AI a few months back. And then we also have Jonathan Ho. He's a William Blair analyst who specializes in cybersecurity and security technology.
I’m looking forward to this conversation. This one is going to be largely about the technology team's quarterly publication On the Ground and in the Cloud, which delves into trends impacting developer technologies across a wide scope of topics, including software development, DevOps, database analytics and observability. I figure we can have a fun conversation here about what the series is all about.
But first question, I think to get things kicked off, maybe Jason, Arjun, can you explain to the listeners what inspired this On the Ground and in the Cloud series in the first place? And then from there we can delve into this fourth edition of the publication and maybe some of the previous ones as well.
1:38 - 02:43
Jason Ader
Yeah, sure. I'll start out. We thought that it made sense to have a quarterly series on developer technologies because developers are just becoming incredibly influential within IT departments. And the main reason, as you might imagine, is because every company has become a software company. Every company needs to be thinking about driving innovation and competitive advantage through software development, through software applications.
And so what is the infrastructure that supports these developers? What are the tools that developers need in order to accomplish those tasks in sort of the most efficient way and in the most innovative way? There's a lot to unpack there, and we can talk about that through the conversation. But at a high level, I think the idea was developers are kind of the new kingmakers.
What are developers thinking in their daily roles? What are they looking to do? How are they looking to do it? And then which tools and vendors are they looking to leverage to make all that happen? And so I think that was the genesis of the series.
2:44 - 2:56
Chris T
And the series. Can you just have a couple of the recent ones? This one obviously focuses on DevSecOps, but what were some of the other ones that you've released recently?
2:56 - 4:08
Jason A
Each of us has actually published one so far. So we're really trying to spread the wealth here. Jonathan can talk about his recent one, which I think is incredibly timely. And then Arjun just published one in the prior quarter. We kicked things off with sort of an overview of what's happening in the DevOps market in terms of how far along we are, in terms of maturity and the process that companies are embarking on here and pushing forward in terms of accelerating the release times of software.
And that's really kind of the goal in many ways of DevOps is to bring together different teams that in the past were highly siloed and create better coordination, better efficiency. Ultimately, that will speed up your release times of software, make the software more secure, more reliable and more bulletproof. So there's a lot of technology that goes into that, and we sort of felt that we should be covering sort of each set of technologies separately because it is pretty technical.
We wanted to not bite off more than we can chew. But Arjun, do you want to just briefly talk about your piece and then you can pass it over to Jonathan?
4:08 - 6:18
Arjun Bhatia
Well, yes. So before I mean, I think before even getting into that, I think one of the interesting things about the space DevOps or even just developer technology is there's so much infrastructure and tools, right, that developers use on a daily basis and the space is very fragmented and you need to have dozens of tools that developers are using to actually build and deploy software.
And so part of the benefit of having this series on Dev Tech is we can lay out what all of those different components are and talk about how there's a desire for consolidation. And I'm sure we'll get into it a little bit, but there are a couple of platforms that are emerging that will address the entire DevOps process.
We're in an interesting position now because it's going from fragmented tools, from multiple vendors that developers are using to increasingly starting to consolidate. So it's an interesting trend that's happening. What I had published last quarter was at the very beginning was something that addresses the very beginning of the DevOps cycle, which is Agile planning and basically what we talk about is how the developer does not work in a silo, right?
The developer builds software and they release it, right? They're critical in the process, but they work with a lot of other teams to figure out what to build, and then they collaborate internally within the dev team to figure out who's working on what. And that process is called Agile planning and it's really meant to be a quick, rapid-fire way of breaking up a giant monolithic software application into smaller components and launching pieces of those individually.
But when you do that, you can run into this issue of not being coordinated as a team where the different silos are not talking to each other. You're not communicating with the business team who's actually directing developers and telling them what they need to build next to drive value for the end user, for the customer. And that's what this Agile planning market, Agile planning tools really address, right, is how do we make sure what we're building aligns with business outcomes and with what impacts the customer the most?
6:18 - 6:27
Chris T
And then so maybe that's actually a good segue to then, Jonathan, how would you wrap yours up the latest edition, which is really focused on DevSecOps?
6:27 - 9:48
Jonathan Ho
Yeah, it's a great question. And just maybe building off of what Arjun and Jason were saying, I started my career as a software engineer and also as a program project manager using a lot of the tools that existed before Agile development, before DevOps became a thing. And I think what we've seen over time is that as there's been an increase in complexity, as we've seen significant changes in infrastructure, how software is made, and there's been this revolution in terms of how tools are leveraged inside of these organizations in order to meet changing business needs over time.
Specific to the report that we focused on this time, we specifically targeted the security area and what's changed in security as we think about what's been happening inside of the developer world. And so essentially in the original days of software development, we used to call it Waterfall development, you would have these long program project development timelines, you would release software once a year or once every six months, and usually the developers would be tasked with building new features and new capabilities.
That's their primary job, is to build software. And during that process, you may or may not have some checks in between where you test the software, but oftentimes security would get involved very late in that process. So after you've written your code, after you've built your applications, then there's a review process that happens at the end and then the security people would hit the stop button and say, “Hey, you need to go and rewrite this.”
And that was something that added to the pain points for the developers and caused them to not want to use or engage with security teams in the past. If we think about what's happened today, you know, a lot of software development is happening at an even faster pace as we switch to Agile. Deployments are happening constantly as opposed to once every six months.
And so all of this now has to be automated. All of this now has to happen in a much, much shorter timeframe. And you cannot have security get in the way and block these deployments. So I think the first thing I'd point out is that there's this increasing tension that's developed over time between the developers and the security teams, where the developers, now that they wield more power, you know, they can go to the security teams and say, look, the tools that you're providing us, they're not adequate for what we need.
We understand we need to deliver a secure code, but you need to give us tools that can be used in a way that doesn't interfere with our development process and can be highly automated. At the end of the day, what you're seeing is this compromise where the developers and the security teams need to meet together to ultimately accomplish goals that satisfy both sets of requirements.
So in particular, in a world that's becoming increasingly SaaS oriented, or security as a service, these deployment timeframes are sometimes multiple times a day. And so I think the DevOps tools, the cloud tools have changed enough that the developers and the security teams have changed their entire mode of operation to now become increasingly integrated with the security teams now part of the DevOps process, and hence why this moniker of DevSecOps has become a reality.
9:48 - 10:38
Chris T
Let’s harp on the bottleneck real quick because it seems to me that when we talk about Agile software, right, the first thing in the report, Arjun, is you talk about the fact that it requires collaboration and teamwork. It's vital to this thing. Then you've got DevSecOps in that proprietary survey that you did, Jonathan, in that report the core takeaway there was that these bottlenecks are creating serious problems.
I think it's interesting comparing the two because it seems to me that that would be one of those areas that would need to be resolved almost immediately for this thing to function correctly. So when you talk about Agile software, Arjun, and this idea of collaboration and teamwork, these bottlenecks do not exist in the same way they do within DevSecOps. Would you say that you're seeing the same type of bottlenecks? It's just coming at a different point in time in the process?
10:38 - 12:02
Arjun B
No, I actually think it's a very good analogy. And when we think about the Agile process or the development process in general, there used to be a bigger friction between developers and business teams, right? In terms of what outcome do we need to drive with a software release?
In Waterfall, which was the old way of developing and releasing software, the developer team would be kind of in a silo, right? They would be far away from the end customer. They wouldn't be getting continuous feedback from the users of the application to say, “Hey, here's what we need to build.” They would plan what to build on their own, and it would take a year for them to build it.
In that year, what the customer wants has probably changed and that's what Agile really addresses and Agile started in the early 2000s late nineties. And it's been a long time, right? It's been over 20 years that there's this release of the Agile Manifesto back then that really started to bring the customer requirements closer to the dev team. So you saw the business teams that were closer to the customer, worked closely with the dev teams. It seems like it's just a little bit later in the cycle where now security is starting to get more integrated into the development process, the same way business teams got more integrated into the development process over the last 15 or so years. Right? So it's very analogous. Just maybe the timeline is a little bit delayed.
12:02 - 12:48
Jonathan H
I think that's spot on in terms of this transition process that's happened. And I mean, I think at the same time, if you look at sort of the changes that have happened overall in infrastructure and Jason can comment on this as well, is that the developers and the operations people used to be different groups as well. So the developers would write the code and then there would be a separate team responsible for operating that code in production.
And so as these different disciplines start to converge and you see unification of these teams everyone needs to have a seat at the table and have the ability to contribute early in the process. And these teams all work together now to select the different platforms and the different tools that they want to use as part of that process.
12:48 - 12:51
Chris T
Jason, did you want to add anything to that?
12:51 - 14:08
Jason A
I totally agree with the comments on the progress that we're making. I would just say we're not there yet.
And every organization sort of has had its own journey towards getting to that sort of holy grail of coordination and consolidation. And I think where we are right now in the market is we're seeing momentum towards platforms. In other words, vendors that can pull together multiple pieces of the DevOps toolchain in a sort of a single product and that pendulum has happened a bunch of times before in the DevOps market over the last 30 years or in software development, I should say, in the last 30 years.
But we are seeing, I think, momentum towards platforms and somewhat away from best of breed, even though best of breed is still very important for certain pieces of the toolchain, especially for larger companies that have the in-house expertise to kind of assemble the best of breed tools together. But for smaller companies, I would say like the SMB market, we think there's going to be a lot of adoption over the next five to 10 years of single platforms that can do pretty much everything good enough.
Part of it is they don't, they lack the in-house expertise to kind of manage all these different tools. And part of it is cost. Just having a single platform is probably going to be less expensive.
14:08 - 14:42
Jonathan H
Yeah, when we think about sort of the drivers that are going to push for this higher adoption across enterprises, the shift to more modern platforms, more modern tools, particularly in the security world, we're seeing that come from a variety of pain points. First, we're seeing the number of attacks increase in terms of companies targeting organizations increasingly through their software supply chain and so compliance requirements are expected to increase. We're seeing the hackers themselves increase the frequency and the sophistication of their attacks.
14:42 - 14:50
Chris T
And what are the stat lines for attacks versus even 10 years ago? How many attacks are we seeing per year now versus even ten years ago?
14:50 - 14:55
Jonathan H
Yeah, I don't have a specific number in my head, but I think there's been a dramatic increase.
14:55 - 14:56
Chris T
In millions, right?
14:57 - 15:47
Jonathan H
I'll put it this way. When we first started covering this industry 15 years ago, we would talk about this being a multibillion-dollar industry for the hackers or for the attackers. It's now over a trillion dollars in terms of the amount of damage that's out there. And so naturally, the hackers will look for vulnerabilities wherever they can find them.
So if it's within infrastructure or within traditional I.T. landscapes, a lot of security tools already exist to protect against it. The developers are the newer area that are now being targeted. So we're oftentimes now seeing in RFPs, as people select their vendors, the need to provide a software bill of materials and to help people understand where those weaknesses potentially could come from as they deploy either custom built software or third party software in their environments.
15:47 - 15:57
Chris T
So then what are the expectations, market expectations in terms of growth for both areas? Agile software and DevSecOps? Did you guys touch on that somewhat already? Do you have more specifics maybe on that?
15:57 - 16:36
Jonathan H
I'll go ahead and answer. On the DevSecOps side, our estimates are that the market will grow at about 25% going forward. This is already a very large market at close to $5 billion in spend annually. And so our belief is that as every company becomes sort of a software company, you do need to increase your spending, increase your amount of focus on security.
And the entire industry is at varying levels of maturity to what Jason said earlier. We're not there yet. There's a lot of companies that are still figuring out what they need. A lot of resistance still from both developers and security teams trying to meet in the middle.
16:36 - 18:04
Arjun B
Yeah, I'll say if we kind of just zoom out a little bit too and think about how fast the developer population is growing, there is as the world gets more digitized, there's an increasing need for more applications and that means more developers. And there is a big shortage right now of developers to fill the need, the demand for applications.
So the number of developers in the world is going to continue to increase. I think the forecasts are at least 10% growth over the next five years or so on an annual basis. Right? So we could get to a point by the end of the decade where the number of developers that exist are double what they are today, which means the market for DevSecOps for Agile tools, for infrastructure, DevOps, where Jason covers, is going to continue to increase.
And at the same time, what we've been talking about this entire time is that the role of the developer is getting integrated into the rest of the business, meaning other business folks, right? Operations team, strategy teams, marketing team sales teams will need to get more in tune with what the developer team is working on, which means the market for this space should grow faster than 10%.
In Agile, we have estimated that it's going to grow over 20% over the next five years. So there's a lot of growth left here still. And then gen AI, Jason, if you want to talk about what that means for the space and how that can play into it.
18:04 - 18:10
Chris T
I was just going to ask that question actually. How does AI fit into all of that? Because I'm sure it does.
18:10 - 19:30
Jason A
I think it will absolutely help drive more spending and tools and vendors. And so, it's a whole new vector of growth and innovation. I would say the way to think about generative AI applied to DevOps. Today, it's primarily focused on coding assistance. So basically helping developers write code through basically the machine. You tell the machine what you want and it'll write the code for you.
Obviously you’re going to have to review it and make sure there's no inaccuracies. So that's one big piece of it. The other piece of it would be reviewing code. Developers actually spend a lot of time reviewing other people's code so the machine can actually do code reviews, and the AI can do code reviews, which I think will also not be completely foolproof, but will save a lot of time.
So historically, developers have spent something like 30% of their time actually writing code and the rest of the time doing other tasks like mundane tasks. So I think the idea is over time, you know, once this generative AI technology really matures and gets to the point where you don't need that much human intervention, developers will spend a lot more of their time actually dealing with code, architecting code, helping the AI write code, and then less time on things like documentation and reviews, other things that they don't like to do.
19:30 - 19:39
Chris T
What would that look like? What does that change in terms of expectations for new designs or whatever it is?
19:39 - 21:14
Jason A
There's a lot, I mean, there's a big debate right now is what does it mean for developer jobs? Does it mean that over time there will be fewer roles or jobs for developers? Because, you know, the AI is going to do more of that work. We just did an expert call with a DevOps integrator who adamantly believes that it's actually the opposite.
It's going to drive more developer jobs because the pipeline velocity is just going to accelerate so rapidly, there's just going to be more for everybody to do. The machines and the people. So have a sort of an interesting viewpoint and we're not going to know, I think for several years in terms of what the true impact is.
But as Arjun said, there is a definite significant gap between supply and demand for developers right now. So maybe it will help narrow that gap in terms of generative AI. But then the other piece of this is, okay, well, we're applying it to coding assistance, we're applying generative AI to coding assistance and code review. What about applying it to other parts of the toolchain?
What about applying it to the Agile planning piece of it? What about applying it to security and operations? Can we really accelerate and streamline other elements of the software development cycle versus just coding? And I think that is pretty powerful because then you see generative AI really improving and driving efficiency and innovation across not just coding assistance and coding, but also sort of a lot on the security operations side as well.
21:14 - 21:20
Chris T
So Jonathan, Arjun, I'll pose the same question to you. Maybe, Jonathan, first, I'd love to hear your thoughts there.
21:20 - 23:08
Jonathan H
Yeah, it's an interesting dynamic because what we've seen with this coding assistance from generative AI, at least in the initial versions of these generative AI tools, is that they're incredibly useful for software engineers to help write code more quickly. However, a lot of the code that the generative AI engines are producing actually contains more vulnerabilities than traditional code.
And so you have this dynamic where you're actually writing code much more quickly, and that code has many more vulnerabilities in it. So you have this introduction of a lot more potential risks into the environment. And so there's definitely going to be a need for generative AI to have its own DevSecOps tools embedded inside in order to help reduce the number of vulnerabilities that get produced.
Now, clearly, we expect generative AI to improve and for vulnerabilities to naturally be reduced as these engines become more intelligent. But some of the things that are challenges today from a security perspective are that generative AI is oftentimes using some type of training dataset that can be derived from other developers that are putting code into repositories or into publicly available datasets and sometimes that code is proprietary in nature.
So on the one hand, if you use generative AI to generate code, maybe that code belongs to somebody else and could introduce proprietary IP violations. At the same time, if your developers are using generative AI deemed to be putting your data into these data training sets that can produce its own set of challenges as well.
So net-net, we see, you know, generative AI is opening up a lot of opportunities, but also introducing a lot of challenges from a security perspective.
23:08 - 24:18
Arjun B
Yeah, I think it’s really interesting. I agree with all that and I think it's very hard really to understand how this is going to change over the next five years, let alone the next 10 years. Because think about when ChatGPT came out. It's been about a year right? So much has changed in just one year where to try to extrapolate to what's going to happen in five years, 10 years, it's very hard to do.
But I think it's going to get better. What I think for developers, right, is just going to lower the barrier to entry to become a developer. It's going to become easier to become a developer in five years than it was five years ago. Right? Which means we will see more rapid software or application launches, right?
We'll see code shipped faster, we'll see code written faster, we'll have more people to address the bottleneck that is software development today and you should see digitization increase at a faster pace. I think you can make the argument right now or the fear argument that so many jobs will be impacted. But I think right now at least what we're seeing is generative AI be more of a copilot as opposed to a replacement, right, to existing jobs.
24:18 - 24:41
Chris T
So, unfortunately, we have to close it up just based on the time available to us. For more [information], please reach out to Arjun, Jonathan or Jason. Thank you, all three of you for joining.
Always love our chats. I think we should do this again soon. There's always updates. I feel like that we can dive into deeper here. So with that, we'll close out. Thanks for joining us.