Over the last several decades, the unprecedented surge in the video game industry has led to its rise as THE titan in the global entertainment and media sector.

The surge is not expected to stop anytime soon with a projected revenue growth from $262 billion in 2023 to $312 billion in 2027.* AI is the catalyst for this growth, enabling game developers to create more immersive, accessible, and profitable games.

In this Q&A, our VP of Strategy Andrew Montgomery, a 20-year veteran of data strategy, will discuss the future of gaming and AI. We’ll delve into his insights on the most exciting area of gaming, the biggest AI challenge for 2025, and practical advice for teams integrating AI into their development life cycle.

What area of gaming excites you the most?

Player analytics because I have been in data science for most of my career. I see so many interesting things happening in player behavior analysis. AI is used to gather and analyze vast amounts of player data, providing insights into player behavior, preferences, and engagement patterns. This helps in making informed decisions for game updates and new features.

With predictive analytics, AI models predict player churn, in-game spending, and other key metrics, enabling better strategic planning and targeted engagement efforts.

This is where smart organizations can lean into new avenues of growth. With rich profiles and player insights, brands can bring forward cross-title offerings and mashups that excite and draw new customers to their brand. In the digital worlds that are informed and shaped by AI, anything is possible.

When you think about AI in gaming, which challenge should organizations focus on in 2025?

I think organizations in the gaming space are rightly focused on scaling their titles and improving player retention, and system interoperability combined with advancements in AI are key to achieving those business outcomes. Additionally, the notion of what constitutes a “gaming platform” has continued to evolve. It is no longer just a console or a PC but includes everything from handheld devices to mobile phones, tablets, and wearables. The diversity of platforms in conjunction with the legacy infrastructure many game brands are built on creates a significant barrier to AI adoption.

Thankfully, with the rise of modern computing from system virtualization and cloud computing, models and languages can find new life in build-once-deploy-anywhere ecosystems. This provides some reprieve but ultimately architecting and designing gaming frameworks is an essential step in creating a game platform that can scale.

As a data strategist for many years, what is your advice for teams who want to integrate AI into their development life cycle?

Quickly understanding data gaps is pivotal for integrating AI into the dev cycle for many reasons including building and securing confidence with stakeholders.

It’s important to realize what looks good with simulated data may not be achievable in practice for many reasons. Commonly identified issues include system interoperability, data quality, and data governance. It is critical to understand gaps and mitigation strategies early while evaluating and prioritizing use cases to develop. Stakeholder support can be lost if you experience too many false starts.

As we look ahead to 2025, I’m excited to see how AI continues to shape the future of gaming. For any organization looking to level up with impactful AI capabilities, I encourage you to reach out. Let’s discuss how we can partner to unlock the full potential of AI.

Sources:

• Jon Wakelin and Alex Baker, “Top 5 developments driving growth for video games,” pwc (blog), 16 January, 2024, https://www.pwc.com/us/en/tech-effect/emerging-tech/emerging-technology-trends-in-the-gaming-industry

Andrew Montgomery, vice president of strategy, is an experienced technology executive and data strategist with 20+ years of experience with Fortune 500 companies. Andy’s focus is helping customers unlock their data to simplify business complexities and reshape business outcomes.

Level Up with AI: Insights on Gaming from a Data Strategy Veteran was originally published in Object Computing on Medium, where people are continuing the conversation by highlighting and responding to this story.

Most mobile apps rely on external APIs and database storage to function effectively. Flutter, a powerful cross-platform framework that uses the Dart programming language, provides a streamlined way to integrate these components into your app development process. In this article, we’ll guide you through the essential steps of building a Flutter app that interacts with APIs and databases, demonstrating the simplicity and efficiency of this approach.

Getting Started

First things first, let’s tell Flutter that we want to create a new application called music_collector. We will assume that you already have Flutter installed on your development machine. If you have Android Studio installed, you can create a new application through the File menu system. Or, if you prefer, you can do it on the command line.

flutter create --org com.your_organization music_collector

Once the application has been created, we need to indicate which packages we plan on using. We can do this by either editing the pubspec.yaml directly or by using flutter on the command line.

flutter pub add elite_orm http numberpicker path path_provider sqflite xml -

This will add the following lines to your pubspec.yaml under the dependencies section:

  elite_orm: ^1.0.9
  http: ^1.2.0
  numberpicker: ^2.1.2
  path: ^1.8.3
  path_provider: ^2.0.13
  sqflite: ^2.3.2
  xml: ^6.1.0

We’ll be using the elite_orm and sqflite packages to persist our music albums and the http and xml packages to access an online music database API.

After we get the project created and configured, we’re ready to start writing our app by creating the model.

Defining the Model

By using elite_orm, we can create a class that will serve as our data model and, in doing so, we will have essentially written all of the code needed to persist instances of our model in the database. This package greatly simplifies the effort required in order to create and read persistent data. First, let’s import the package.

import 'package:elite_orm/elite_orm.dart';

After that, it’s just a matter of extending the Entity class and adding our data members to describe what our model will contain. We define our data members and indicate a composite primary key to ensure that each album by the same artist is unique within the database

class Album extends Entity<Album> {
 Album([artist = "", name = "", DateTime? release, Duration? length])
     : super(Album.new) {
   // The composite primary key is artist and name.
   members.add(DBMember<String>("artist", artist, true));
   members.add(DBMember<String>("name", name, true));
   members.add(DateTimeDBMember("release", release ?? DateTime.now()));
   members.add(DurationDBMember("length", length ?? const Duration()));
 }

 // Accessors.
 String get artist => members[0].value;
 String get name => members[1].value;
 DateTime get release => members[2].value;
 Duration get length => members[3].value;
}

That’s it! We can now Create, Read, Update, and Delete Album objects within our database using the Bloc class provided by elite_orm.

Accessing an Online API

There are a multitude of Dart packages that make a Flutter developer’s life easy. There’s a package for many of the basic tasks required to develop a complex application. Making HTTP requests and parsing XML are no exceptions.

We’ll be using the open music encyclopedia Musicbrainz. Our use of the online database will be fairly narrow and simple. We’re going to provide a list of albums released by an artist by performing two searches. The first will be an artist search based on input from the user and the second will be a search of the releases made by the artist based on the artist identifier obtained from the first search.

First, we need to import our packages and files.

import 'package:http/http.dart' as http;
import 'package:xml/xml.dart';
import '../model/album.dart';

For brevity, we’re not going to show the whole class. If you want to see all of the private helper methods, please see the github repository.

The entry point for consumers of this class is the getAlbums method. It takes a string that represents all or part of an artists/groups name. It makes a call to get the artist identifier and, after receiving it, the method makes another call to get the releases associated with that artist identifier. All in all, the processing of the XML is fairly simple and, frankly, not that interesting.

As you may already know, the leading underscore for members and methods indicates that it is private. We define a private API URL and a couple of private helper methods to get different URLs to help us get the data we need.

class MusicBrainz {
 static const String _apiURL = "https://musicbrainz.org/ws/2";

 String _getArtistURL(String artist) => "$_apiURL/artist?query=$artist";
 String _getReleasesURL(String artistId) =>
     "$_apiURL/artist/$artistId?inc=release-groups";

 Future<List<Album>> getAlbums(String artist) async {
   // Request a list of artists that partially match "artist".
   http.Response response =
       await http.get(Uri.parse(_getArtistURL(artist)));
   if (response.statusCode == 200) {
     // Get the artist id from the response, if possible.
     final List<String> artistInfo = _getArtistInfo(artist, response.body);
     // Now request albums from the artist (if we found one).
     if (artistInfo.first.isNotEmpty) {
       final String artistId = artistInfo[0], artistName = artistInfo[1];
       response = await http.get(Uri.parse(_getReleasesURL(artistId)));
       if (response.statusCode == 200) {
         return _getAlbums(artistName, response.body);
       }
     }
   }
   return [];
 }
}

Writing the User Interface

Our UI is going to be straightforward and utilitarian. We’ll have just two screens, one for adding or editing albums and another for listing the albums in our database. We’re going to start with the more complicated of the two, the add/edit album screen.

Editing Interface

The majority of the layout is the same for both adding and editing an album. If the EditAlbum object is constructed with an Album, we know we are editing an album. Without an Album, we’ll be adding a new one and we’ll need a couple of additional widgets to help the user fill in the information from the MusicBrainz site. As we can see, the EditAlbum widget doesn’t do much. The bulk of the functionality will be in the EditAlbumState class.

We will be using a BLoC to access the data in our database. A BLoC (Business Logic Component) helps separate logic from the user interface while maintaining the flutter reactive model of redrawing the UI when a state or stream changes.

import 'package:flutter/material.dart';
import 'package:numberpicker/numberpicker.dart';
import 'package:elite_orm/elite_orm.dart';

import '../model/album.dart';
import '../database/database.dart';
import '../utility/musicbrainz.dart';
import '../utility/error_dialog.dart';
import '../style/style.dart';

// There is only one Bloc object that we will use on both this screen and the
// home screen.
final bloc = Bloc(Album(), DatabaseProvider.database);

class EditAlbum extends StatefulWidget {
 final Album? album;
 const EditAlbum({super.key, this.album});

 @override
 State<EditAlbum> createState() => EditAlbumState();
}

class EditAlbumState extends State<EditAlbum> {
 @override
 Widget build(BuildContext context) => PopScope(
     canPop: false,
     onPopInvoked: _onWillPop,
     child: Scaffold(
       appBar: AppBar(
           title: Text(widget.album == null ? "Add Album" : "Edit Album")),
       body: SafeArea(child: _renderContent()),
       bottomNavigationBar: BottomAppBar(
         child: Container(
           padding: Style.bottomBarPadding,
           decoration: Style.bottomBarDecoration(context),
           child: Row(
             mainAxisAlignment: MainAxisAlignment.end,
             children: _bottomIcons(),
           ),
         ),
       ),
     ),
   );

As you can see, we override the build method with a typical Scaffold widget, which contains an app bar area, a body, and a bottom navigation bar. The whole thing is wrapped by a PopScope widget. This allows us to ask the user to save or discard their changes before leaving the screen. Our _onWillPop method will only leave the screen if there are no modifications or the user chooses to discard the modifications.

The SafeArea is what will hold the bulk of our UI. It provides a dynamic level of padding to avoid the operating system interface of the phone or tablet on which your app will run. It has only one required parameter which, in our case, is a widget created by the _renderContent method that contains the UI for this screen.

The last part of the UI is the bottom navigation bar. It contains a row of buttons that will allow the user to save new and existing albums and to delete existing albums. Later, we will take a closer look into what goes into making an app functional.

Next, we’ll take a look at the data members and initialization of the State object.

 // Content editing
 bool _modified = false;
 int _minutes = 0;
 int _seconds = 0;
 final _artistController = TextEditingController();
 final _titleController = TextEditingController();
 final _dateController = TextEditingController();

 // Keep track of searching and results.
 bool _searching = false;
 final List<Widget> _possible = [];

 // These are static so that we can cache the previous search automatically.
 static final List<Album> _albums = [];
 static final _searchController = TextEditingController();

 @override
 void initState() {
   super.initState();

   // Fill in the widgets with data.
   _fillSearchList();
   if (widget.album != null) {
     _fromAlbum(widget.album!);
   }

   // Set up listeners so that we can notify the user if there is unsaved data
   // when they leave this screen.
   _artistController.addListener(() => _modified = true);
   _titleController.addListener(() => _modified = true);
   _dateController.addListener(() => _modified = true);
 }

Our UI will have a field for editing the artist, title, date, and duration. It will also have, when adding a new album, an artist field for searching and a list of albums as a search result. In our initState method, we first call a method to fill in our search related widgets and then, if this EditAlbumState object was constructed with an Album object, we will fill in the album editing fields with the data from the Album object. Next, we set up some listeners on the text editing controllers so that, when the user modifies them, we set our flag to keep track of modifications.

Now let’s take a look at the code to build the UI. It’s a fairly large method, but not complex at all.

Widget _renderContent() {
   List<Widget> content = [];
   if (widget.album == null) {
     content.addAll([
       const Padding(
         padding: Style.columnPadding,
         child: Text("Search by Artist", style: Style.titleText),
       ),
       Padding(
         padding: Style.columnPadding,
         child: Row(
           children: [
             Expanded(
               child: TextField(
                 controller: _searchController,
                 decoration: Style.inputDecoration,
                 textInputAction: TextInputAction.search,
                 onSubmitted: (s) => _searchArtist(),
               ),
             ),
             IconButton(
               icon: Icon(
                 Icons.search,
                 color: Theme.of(context).colorScheme.primary,
               ),
               onPressed: _searchArtist,
             ),
           ],
         ),
       ),
       Container(
         height: 100,
         margin: Style.columnPadding,
         padding: Style.columnPadding,
         decoration: Style.containerOutline(context),
         child: _searching
             ? const Column(
                 mainAxisAlignment: MainAxisAlignment.center,
                 children: <Widget>[
                   CircularProgressIndicator(),
                   Text("Searching...", style: Style.titleText)
                 ],
               )
             : ListView(children: _possible),
       ),
     ]);
   }

This first section adds an interface for searching for albums released by a particular artist. But, it is only added when we are creating a new Album, i.e., widget.album == null. When the search is in progress, the _searching boolean is true which will cause the UI to display a CircularProgressIndicator until _searching is set to false. When the search is finished, we will display the list of possible albums in a ListView.

 content.addAll([
     const Padding(
       padding: Style.columnPadding,
       child: Text("Artist", style: Style.titleText),
     ),
     Padding(
       padding: Style.textPadding,
       child: TextField(
         controller: _artistController,
         textCapitalization: TextCapitalization.words,
         decoration: Style.inputDecoration,
       ),
     ),
     const Padding(
       padding: Style.columnPadding,
       child: Text("Title", style: Style.titleText),
     ),
     Padding(
       padding: Style.textPadding,
       child: TextField(
         controller: _titleController,
         textCapitalization: TextCapitalization.words,
         decoration: Style.inputDecoration,
       ),
     ),

This next bit simply adds text editing fields for the artist and album title. It’s all pretty straightforward.

const Padding(
       padding: Style.columnPadding,
       child: Text("Release Date", style: Style.titleText),
     ),
     Padding(
       padding: Style.columnPadding,
       child: Row(
         children: [
           Expanded(
             child: TextField(
               readOnly: true,
               controller: _dateController,
               decoration: Style.inputDecoration,
             ),
           ),
           IconButton(
             icon: Icon(
               Icons.calendar_month,
               color: Theme.of(context).colorScheme.primary,
             ),
             onPressed: _pickDate,
           ),
         ],
       ),
     ),

The Release Date field is also a text field. But, we’re not going to leave the date formatting up to the user. To make things easy, we make use of the flutter function showDatePicker which we call within the _pickDate method. The showDatePicker function is a modal dialog that provides a calendar from which the user can pick a date. Once the user picks a date, we update the Release Date text field to reflect the value that the user chose.

const Padding(
       padding: Style.columnPadding,
       child: Text("Duration", style: Style.titleText),
     ),
     Container(
       margin: const EdgeInsets.all(8),
       padding: const EdgeInsets.all(3),
       decoration: Style.containerOutline(context),
       child: Column(
         children: [
           Padding(
             padding: Style.columnPadding,
             child: Row(
               children: [
                 Expanded(
                   child: Column(
                     children: [
                       const Text("Minutes"),
                       NumberPicker(
                         value: _minutes,
                         axis: Axis.horizontal,
                         minValue: 0,
                         maxValue: 999,
                         itemWidth: 50,
                         onChanged: (value) => setState(() {
                           _minutes = value;
                           _modified = true;
                         }),
                       ),
                     ],
                   ),
                 ),                 
                  Expanded(
                   child: Column(
                     children: [
                       const Text("Seconds"),
                       NumberPicker(
                         value: _seconds,
                         axis: Axis.horizontal,
                         minValue: 0,
                         maxValue: 59,
                         itemWidth: 50,
                         onChanged: (value) => setState(() {
                           _seconds = value;
                           _modified = true;
                         }),
                       ),
                     ],
                   ),
                 ),
               ],
             ),
           ),
         ],
       ),
     ),
   ]);

For the duration of the album, we are going to use a NumberPicker widget for the minutes and another for the seconds. This widget provides a scrolling interface to select numbers within a specified range. If you recall, it’s one of the packages we installed in the beginning.

   return ListView(children: content);
 }

Once we have built up the set of widgets that make up our UI, we wrap them all in a ListView so that e can easily scroll the contents of the UI up and down, as it may be too long to display it all on the phone screen at the same time.

The last bit that we’re going to look at in the EditAlbumState class is how we save all of the information provided by the user to the database. When the user presses the save button, the _saveAlbum method is invoked.

Album _toAlbum() {
   final DateTime releaseDate = DateTime.parse(_dateController.text);
   final Duration duration = Duration(minutes: _minutes, seconds: _seconds);

   return Album(
       _artistController.text, _titleController.text, releaseDate, duration);
 }

 void _saveAlbum() async {
   try {
     final Album album = _toAlbum();
     String message;
     if (album.artist.isNotEmpty && album.name.isNotEmpty) {
       if (widget.album == null) {
         await bloc.create(album);
         message = "Album Saved";
       } else {
         if (widget.album!.artist != album.artist ||
             widget.album!.name != album.name) {
           // Changing the name of the artist or album is the same as creating
           // a new album.  Because the artist and album make up the primary
           // key, we have to create the new album and delete the old one.
           // There's no way to just "rename" an entry in the database.
           await bloc.create(album);
           await bloc.delete(widget.album!);
         } else {
           // If the artist and name has not changed, then we can update.
           await bloc.update(album);
         }
         message = "Album Updated";
       }
       _modified = false;

       // Because we're using the build context after an await, we need to
       // ensure that this widget is still mounted before using it.
       if (mounted) {         Navigator.pop(context);
       }
     } else {
       message = "Invalid Album";
     }


     // Same here.
     if (mounted) {
       ScaffoldMessenger.of(context).showSnackBar(
         SnackBar(content: Text(message)),
       );
     }
   } catch (err) {
     if (mounted) {
       ErrorDialog.show(context, err.toString());
     }
   }
 }

As we can see above, once we have the Album created we can then give that to the bloc to have it store it in the database. If this is a new album, we simply tell the bloc to create it. If it is an existing album, we have the bloc update it.

Below is a screenshot of what our UI will look like when adding a new album.

There’s more to this screen. If you’re interested in seeing more of the inner workings of this particular UI, please see the git repository. Now, we’re going to move on to the home screen.

Home Interface

The home screen is a much simpler UI. All it does is display a scrolling list of the albums that the user has saved in the database.

import 'package:flutter/material.dart';

import '../model/album.dart';
import '../screens/edit_album.dart';
import '../style/style.dart';

class ListAlbums extends StatefulWidget {
 const ListAlbums({super.key});

 @override
 State<ListAlbums> createState() => _ListAlbumsState();
}

class _ListAlbumsState extends State<ListAlbums> {
 Widget _renderAlbum(Album album) {
   return GestureDetector(
     child: Card(
       shape: Style.cardShape(context),
       child: ListTile(
         subtitle: Text(album.artist),
         title: Text(album.name, style: Style.cardTitleText),
       ),
     ),
     onTap: () {
       Navigator.push(
         context,
         MaterialPageRoute(builder: (context) => EditAlbum(album: album)),
       );
     },
   );
 }

The _renderAlbum is called for each album in the database, but only as they are visible on the screen due to the nature of the ListView.builder constructor. We use a Card wrapped in a GestureDetector so that when the user taps on the card, it will bring the user to the album editing screen through the Navigator using a MaterialPageRoute.

Widget _renderAlbums(AsyncSnapshot<List<Album>> snapshot) {
   if (snapshot.hasData) {
     // Sort the list by artist first and then the release date.
     snapshot.data!.sort((a, b) {
       final int cmp = a.artist.compareTo(b.artist);
       return cmp == 0 ? a.release.compareTo(b.release) : cmp;
     });
     return ListView.builder(
       itemCount: snapshot.data!.length,
       itemBuilder: (context, index) {
         return _renderAlbum(snapshot.data![index]);
       },
     );
   } else {
     return Center(
       child: const Column(
         mainAxisAlignment: MainAxisAlignment.center,
         children: <Widget>[
           CircularProgressIndicator(),
           Text("Loading...", style: Style.titleText)
         ],
       ),
     );
   }
 }

 Widget _renderAlbumsWidget() {
   return StreamBuilder(
     stream: bloc.all,
     builder: (context, snapshot) => _renderAlbums(snapshot),
   );
 }

The _renderAlbumsWidget method uses a StreamBuilder to create the scrolling list of albums. Whenever the bloc.all stream is updated, this widget will automatically recreate the list of albums. So, as albums are added, deleted, or updated, it will be reflected in our list automatically.

 List<Widget> _bottomIcons() {
   return [
     IconButton(
       icon: Icon(Icons.add, color: Theme.of(context).colorScheme.primary),
       iconSize: Style.iconSize,
       onPressed: () {
         Navigator.push(
           context,
           MaterialPageRoute(builder: (context) => const EditAlbum()),
         );
       },
     ),
   ];
 }

Our bottom row of buttons only contains a single icon for adding new albums. When the user presses the icon, it will take the user to our album adding screen.

@override
 void initState() {
   super.initState();

   // Ensure that the bloc stream is filled.
   bloc.get();
 }

We override the initState method so that we can fill the bloc stream when the screen is created. This causes the UI to initially show the list of existing albums from the database.

 @override
 Widget build(BuildContext context) {
   return Scaffold(
     appBar: AppBar(title: const Text("Music Collector")),
     body: SafeArea(child: _renderAlbumsWidget()),
     bottomNavigationBar: BottomAppBar(
       child: Container(
         decoration: Style.bottomBarDecoration(context),
         child: Row(children: _bottomIcons()),
       ),
     ),
   );
 }
}

As we did for our editing UI, we override the build method and use the Scaffold widget to contain our UI. The functionality, again, is delegated to other methods. As you can see, this screen is much simpler than the editing screen.

Main

The final part of the application that we’re going to look at is the code that actually starts the UI. This is main.dart and is the entry point into the application. We create a class that extends the StatelessWidget and creates a MaterialApp that runs our home screen, i.e. ListAlbums.

import 'package:flutter/material.dart';
import 'screens/list_albums.dart';

void main() {
 runApp(const MusicCollector());
}

class MusicCollector extends StatelessWidget {
 const MusicCollector({super.key});

 @override
 Widget build(BuildContext context) {
   return MaterialApp(
     darkTheme: ThemeData(
       brightness: Brightness.dark,
       colorSchemeSeed: Colors.yellow.shade600,
     ),
     theme: ThemeData(
       brightness: Brightness.light,
       colorSchemeSeed: Colors.red.shade800,
     ),
     home: const ListAlbums(),
   );
 }
}

Conclusion

Flutter is a powerful mobile platform that can help you build complex applications that can run on Android, iOS, and other systems. There are many mobile development platforms available, but Flutter makes it quick and easy to get started writing mobile apps. This example application shows the basics and can be a good starting point for your own applications.

Be sure to follow and subscribe to be notified of future articles. Please visit Object Computing’s website to learn more about our application development services.

Chad Elliott is a Principal Software Engineer at Object Computing, with over 30 years experience in software development ranging from embedded software to server-side applications to mobile applications. The majority of his free time is spent developing mobile apps in Flutter.

Flutter Fundamentals: Building a Mobile App with APIs and Databases was originally published in Object Computing on Medium, where people are continuing the conversation by highlighting and responding to this story.

The first article of this two-part series discussed how to identify Accidental Architecture and the challenges it can cause an organization. We defined Intentional Architecture as a deliberate system architecture that is created from a set of goals, trade-offs, team structure, and constraints under which it’s built and maintained.

If you’re stuck in the muck of Accidental Architecture, taking action is certainly the right course. That said, the wrong series of actions can have consequences that are just as dire as no action. Our roadmap to Intentional Architecture is paved with insights gleaned from countless organizations that have navigated through the challenges of Accidental Architecture.

Preparing for the Journey

The mechanisms to move a system from Accidental to Intentional Architecture are simple to describe, but they may be difficult to implement. It requires commitment from business and technical leaders and a proper understanding of its importance. In short, Intentional Architecture requires alignment between technology and business goals.

There is a journey ahead for any organization that is committed to achieving an Intentional Architecture. And, ensuring your organization is ready for the journey is critical. Without real support, the odds of completing the journey — or even making meaningful progress — are very low.

This is the stopping point of this journey if your organization is not able to do the work of aligning business and technology goals. We invite you to resume this journey when your organization is ready to create the conditions where that alignment can happen.

The Roadmap to Intentional Architecture

After working with many clients, we have found the following guide on advancing Intentional Architecture is successful within organizations that are ready for this journey. Here’s a roadmap to get you started:

Mission Possible: Defining Your IT Purpose

One place to start is by identifying the primary purpose of IT in the organization. We’ve experienced all sorts of responses when we propose this as a starting point. From quizzical looks to downright shock is common. Yet, when organizations really take a look at their own internal beliefs, there is a wide discrepancy in the view of purpose.

For example, a mission statement for an IT organization could read something like this:

Empower teams to build reliable, efficient, and user-friendly software that delivers competitive features with reduced cost, risk, and time to delivery.

A clear and inspiring mission statement is crucial to prepare your organization for the technological journey ahead. Your organization should have a statement that is more specific to your organization than our example. It should act as a mandate, empowering your tech team and guiding their work. Think of visionary leadership — a bold leader who can clearly articulate the future. Or in some organizations, this can be found in a grassroots campaign where leadership is gained through a track record of success. An inspiring leader, whether internal or external, can ignite a movement within your organization to embrace intentional architecture.It may even be an outside evangelist who inspires and directs an internal groundswell.

Agreeing on the Path

Hopefully, this doesn’t occur with a traumatic incident like a major system crash or security breach. (Sadly, these are real events that take place.) The goal is to establish alignment between business decision-makers and technical leadership on the purpose of your application or system that suffers from Accidental Architecture. An assessment of responsibilities or a joint workshop may be necessary to uncover all relevant information and create a coalition.

A common discussion with our clients includes a session to understand the pain points that they experience. Importantly, we work to learn who experiences the pain. We find it common for decision makers to disproportionately feel a lesser amount of pain under its current architectural state. Understanding why decision-makers feel less pain (and may not be aware of the depth of pain felt by other stakeholders) is a critical part of these discussions.

Your technical team likely faces challenges meeting deadlines and budgets beyond their control, often accumulating technical debt. Technical debt is often the result of working around architectural deficiencies to meet these deadlines and remain within budget.

The accumulation of substantial technical debt is the single largest symptom of Accidental Architecture. However, we cannot stress enough the importance of understanding the types of technical debt your organization may hold.

Driving a Culture of Improvement

To build a culture of improvement, start by providing the space and resources your team needs to tackle these challenges head-on. Continue by facilitating open dialogue between teams; seek outside consultation when needed. This is an investment in your organization’s future success. If this is counter to your corporate culture, we recommend collaborating with change management specialists.

Examples of tackling this task with our clients include:

• Conveying the full risk profile they bear under large technical debt loads.
• Illustrating how to classify technical debt as benign, moderate, risky, or dangerous.
• Creating efficient and effective workflows and processes that stop (or slow down) the accumulation of more technical debt.
• Collaborating on how to create realistic roadmaps for emergence from Accidental Architecture, building hope and trust.
• Helping them create the business case that ties improvements in technical debt to new initiatives or new feature development.

Prioritizing Your “Ilities”: What Matters Most?

While all aspects of quality in an Intentional Architecture are important, after some thought you’ll certainly find that some aspects are more important than others. Choose 3 to 5 “ilities” — essential quality attributes — that are most important to your business and systems.

Here are some of the most popular attributes to consider:

• Reliability
• Scalability
• Efficiency
• Security
• Familiarity
• Safety
• Maintainability
• Adaptability
• Portability
• Resilience
• Responsiveness

Many of these overlap in concept. Often depth in one must be traded for another. Ranking your choices according to their relative importance to your business is crucial. While highly subjective, the ranking will communicate your priorities so that stakeholders can make reasonable trade-offs.

Establishing a Baseline (and Stop Making It Worse)

Gather the stakeholders for each component or subsystem that knows where the skeletons are hiding. Document a baseline score indicating how close the component is to achieving each of the attributes that were selected from the “ilities” attributes. This again is subjective, but that’s OK. Be honest and base the evaluation on the experience of all stakeholders–including the technical teams.

Mapping Out a Plan: Defining Intentional Architecture with Quality Targets

Collaborate with technical leaders and engineers to define specific goals, known as fitness functions, for each component or sub-system. Fitness is the objective ability of a system or component to meet one more of the quality objectives. Is X fit for purpose? What is “acceptable” as an objective target will depend on the particular requirements of your system, your tolerance for variation, and any immovable obstacles such as compliance requirements.

Here’s an example list of (simplified) technical target statements with their corresponding business targets:

Note: Meeting these targets is not free. The more stringent the target, the more it will cost to meet, and the more trade-offs will need to be made to satisfy it. Ensure that your targets are reasonable and in line with the requirements of your business and risk tolerance. This is the primary motivation for choosing no more than five qualities that are most important to your business.

Incrementally Improving While Continuously Validating Against Targets

Intentional Architecture is not a one-time activity — it becomes woven into the fabric of an organization. It is the adoption of a different mindset and a different way of thinking. Both business and technical teams should be connecting throughout the software development lifecycle and discussing design choices that positively and negatively impact quality targets.

You may be asking “are we there yet” at this point, and the answer is yes and no. This journey of crafting intentional software and systems architecture is a continuous loop of evaluation, adaptation, and refinement. The team must constantly assess the established guidelines, adjusting their course as conditions and needs evolve. New guidelines may emerge as they explore the landscape while existing ones are reaffirmed or retired based on their continued relevance.

Just like a team of seasoned explorers navigating uncharted territory, achieving this requires a deep understanding of the system’s inner workings and the constraints of the environment it operates within. Skill, training, and experience are essential for traversing these complexities, ultimately leading to a successful team “conquering” the challenge of Accidental Architecture.

Did the steps we’ve outlined provide clear guidance on transitioning from Accidental to Intentional Architecture? What additional challenges or questions do you have about implementing Intentional Architecture? Please comment to let us know!

If our team of experienced consultants, strategists, and architects can help you navigate this journey, contact us to schedule a consultation and discover how we can help you achieve your business goals.

Garey Hoffman is a Partner and Vice President of Engineering of Object Computing. Hoffman plays a pivotal role in overseeing and driving the technical aspects of the organization. He is involved in managing a team of skilled engineers, architects, and technical professionals to deliver quality solutions and services to clients. He is also responsible for aligning technical strategies with business objectives, ensuring the successful execution of projects, and maintaining a strong focus on innovation and emerging technologies. Outside of the office, Garey is a lifelong builder and can be found enjoying the outdoors with his family.

Mike Pleimann has 15 years of experience as an Application Architect and almost 25 years in software engineering. Currently leading the Application Architecture team, he combines technical proficiency with managerial skills to guide teams toward success in large-scale software architecture and engineering programs. As a seasoned leader in the field, he brings a wealth of knowledge and strategic vision to his projects in telecom, collections, defense, and gaming industries. He is dedicated to crafting robust, scalable solutions that are fit for purpose and has consistently earned accolades from clients and peers. Mike holds a BS in Computer Science from Missouri S&T.

From Accidental to Intentional: Your Roadmap to Architectural Excellence was originally published in Object Computing on Medium, where people are continuing the conversation by highlighting and responding to this story.

In the modern world of software development, building responsive and scalable applications is essential. This is especially true for cloud-based deployments, where keeping costs down while maintaining performance is crucial. Reactive programming, a paradigm centered on efficiently processing asynchronous events and data streams, can be an excellent choice for achieving this. In this article, we will:

• Explore what reactive programming is and why you might use it.
• Take a brief look at Netty
• Compare traditional blocking I/O to reactive non-blocking I/O
• Recommend some reactive libraries and supporting frameworks to get you started.

What is Reactive Programming?

Reactive programming is a declarative programming paradigm primarily focused on processing asynchronous events and data streams. When used appropriately, it enables applications to be more resilient, concurrent, and responsive by managing data flows and reacting to changes in real time. This approach is especially beneficial for systems handling a large number of concurrent requests, such as web servers or real-time data processing applications.

Reactive programming’s declarative and functional approach abstracts away the “how” of asynchronous programming, allowing developers to focus on the desired outcome. This stands in contrast to the more imperative programming style familiar to many Java developers, where one explicitly defines step-by-step instructions for executing a task. For many Java developers, Reactive’s declarative approach presents a learning curve. However, once overcome, it enables them to write more concise, readable code, ultimately leading to more robust and maintainable software.

Why Utilize Reactive Programming?

With reactive programming gaining traction, it is crucial to stay ahead of the curve and understand why it may or may not suit your needs.

• Ecosystem and Community Support: Reactive programming is by no means a new concept, and has a wide range of support throughout the Java ecosystem with various libraries and resources to accelerate development efforts.
• Scalability and Performance: Allows for efficiently handling large numbers of concurrent events to ensure a responsive and performant system under heavy load.
• Real-time Data Processing: Provides ways to handle the continuous ingestion and processing of large streams of data making it ideal for real-time data processing applications.
• Cost Optimization: The efficient use of resources can significantly reduce cloud costs for options such as serverless deployments where you are paying only for the resources consumed.
• Responsive User Interfaces: Enhances user experience through asynchronous handling of user input, network requests/responses, and database updates.
• Future Proofing: Embracing reactive programming within your application early can save costly refactors in the future assuming there is an anticipated need for high concurrency.
• Learning Curve: Reactive programming is a paradigm shift away from what the typical Java developer may be comfortable with, and will require some ramp-up time for anyone new to it. Any organization that anticipates a need for it will find it invaluable to have developers that are well versed in its application.

Introducing Netty

One framework that capitalizes on the reactive paradigm is the Netty Client/Server framework (https://netty.io), which efficiently handles asynchronous I/O operations by leveraging reactive principles. Netty enjoys widespread adoption across the industry, and depending on your use case, you may interact directly with it or through other Java frameworks that rely on it as their underlying server model, particularly when working with reactive applications. Next, we will delve into the traditional model for blocking I/O and its drawbacks, before introducing the reactive non-blocking I/O model, which lies at the core of the Netty framework.

Traditional Blocking I/O — The Thread Per Request Model

With traditional blocking HTTP, an incoming request is assigned a dedicated thread until the request is completed. This is referred to as the Thread Per Request Model. This model offers simplicity and performs well within its limits. However, its downside lies in its limited ability to handle concurrent requests, as it depends on the number of threads available in its pool. Furthermore, if any external blocking calls are required during request processing (such as a database query), the corresponding thread must wait until a response is received, preventing it from serving new incoming requests.

While this approach may suffice for applications with low load and fast request processing times, it may encounter resource inefficiencies and scalability issues in high-load scenarios or when dealing with slower request processing times, such as external databases or service calls. In such cases, the application’s capacity to process concurrent requests is directly tied to the number of threads in its pool.

Of course, scaling the application itself, either vertically or horizontally, could address this issue but may incur significant costs. A more efficient solution would be to adopt a better threading model.

Reactive Non-Blocking I/O — The Event Loop Model

Netty achieves reactive, non-blocking I/O through its Event Loop Model. Incoming events, such as HTTP requests, are queued for processing. The event loop, operating on a single thread, periodically checks the queue, handling events sequentially. If a blocking operation occurs, Netty registers a callback to resume processing the event after the operation completes, freeing the event loop to handle other events. For any CPU-intensive tasks or blocking I/O, the event loop should delegate execution to a separate worker thread, while non-blocking I/O should be executed on the event loop thread itself. Generally, Netty employs 1 to 2 event loops per CPU core to leverage the asynchronous nature of multi-core systems.

In summary, Netty and its Event Loop Model facilitate concurrent request processing with minimal thread proliferation, optimizing resource utilization and scalability for high-performance web applications.

Considerations Before Adopting the Reactive Approach

• Use Non-Blocking I/O Libraries: To get the most benefit from the event loop model discussed above, it is crucial that the majority of I/O used by your application is non-blocking. For instance, if you are currently using JDBC for database interactions, you can switch to R2DBC. If there are no non-blocking alternatives for a specific library, many reactive frameworks provide options for handing off the execution of these calls to a separate thread pool, which is crucial to avoid blocking the event loop. However, be warned that this should only be done when absolutely necessary. Using a separate thread pool for the majority of your I/O will essentially revert your application to the thread-per-request model, and you will likely see no benefit from going reactive. In fact, you may experience worse performance due to the general overhead of using a reactive framework.
• Virtual Threads as an Alternative: Virtual Threads were added in JDK 21 and are designed to handle blocking I/O in a non-blocking manner. This means you can write your code in a typical imperative style and continue to use blocking I/O libraries like JDBC. Although Virtual Threads are fairly new, many frameworks, such as Micronaut and Spring Boot, already support them. If you require a fairly simple application, for instance, an API that takes a request, reads/writes to a database, and sends a response, then Virtual Threads might be a great option for you. You may find Virtual Threads have a smaller learning curve and could save you from having to refactor your application to use non-blocking reactive libraries like R2DBC. Note that Virtual Threads and reactive programming are both tools that can be used to solve similar problems, and in the future, they will likely each find their respective niches. You should weigh your options carefully when choosing which will best suit your needs.

Reactive Libraries Utilizing Netty

To harness Netty’s reactive non-blocking I/O for responsive, resilient, and scalable software, numerous libraries are available. One of the most popular and widely supported reactive libraries for Java is Project Reactor. Project Reactor seamlessly integrates with Netty and offers a reactive programming model based on the Reactive Streams specification, facilitating the development of reactive servers and clients with Netty as the transport layer. Other notable reactive libraries supporting Netty include Vert.x, RxNetty, and Akka Streams.

Java Frameworks Supporting Reactive Programming and Netty

Several Java frameworks can efficiently develop reactive applications running on Netty. These frameworks typically support various reactive libraries, allowing you to choose the one that best suits your use case. Below are some of the most widely used frameworks for your reference.

• Micronaut — Micronaut Documentation
• Spring Boot via Spring Webflux — Webflux Documentation
• Quarkus via Mutiny — Mutiny Documentation

Conclusion

Reactive programming offers a powerful solution to the challenges of modern application development, enabling developers to create highly responsive and scalable systems. By abstracting away the complexities of asynchronous programming and providing a clear focus on desired outcomes through its declarative programming style, the reactive programming paradigm opens up a plethora of new possibilities. With frameworks like Netty and libraries such as Project Reactor, developers have powerful tools at their disposal to harness the full potential of reactive programming and deliver high-performance web applications that meet the demands of software development in the modern world.

Further Reading:

https://www.reactivemanifesto.org/

https://netty.io/

https://projectreactor.io/

https://docs.oracle.com/en/java/javase/21/core/virtual-threads.html

Matthew J. Perry is a Senior Software Engineer at Object Computing, specializing in building and deploying high-performance cloud native applications for our clients. With over 8 years of experience, Matthew has a proven track record in leveraging Java and cloud-native frameworks such as Micronaut and Spring Boot to deliver scalable, robust solutions for our clients. He excels in driving complex projects from concept to completion, optimizing application performance, and implementing best practices in software development.

Maximizing Performance with Netty and Reactive Programming in Java was originally published in Object Computing on Medium, where people are continuing the conversation by highlighting and responding to this story.

Introduction

Few technological advances have generated as much excitement as artificial intelligence (AI). None more so than generative AI. Manufacturers view AI as integral to the creation of hyper-automated and intelligent factories. AI is seen as a powerful tool for product and process innovation. It reduces cycle time, minimizes waste, improves maintenance practices, and enhances demand, inventory, and forecasting capabilities — all while contributing to achieving sustainability goals.

In an industry study by MIT Technology Review Insights, researchers interviewed 300 manufacturers that have begun working with AI. Most of these (64%) are still in the early phases, currently researching or experimenting with AI. 35% of executives indicated that they have begun to put AI use cases into production.

To thrive in today’s dynamic market, manufacturers must leverage AI by developing and scaling use cases. To facilitate this, manufacturers must also address challenges with talents, skills, and data.

We will explore these essential areas of opportunity, critical obstacles for information technology (IT) and operational technology (OT), and techniques to scale AI in manufacturing.

AI’s Triple Threat: Boosting Design, Efficiency, and Sustainability

Companies that successfully implement AI-powered solutions have already seen significant reductions in downtime and improvements in labor productivity. A McKinsey study shows manufacturers that have adopted AI practices have reported cost decreases by as much as 55%, and revenue increases by 66%. Improvements were realized in these three areas of opportunity: product design and development, manufacturing productivity, and sustainability.

Product Design and Development: Manufacturers can revolutionize product development by accelerating design processes, enhancing innovation, and improving overall efficiency.

• Design Twinning: Digital twins of in-development products can be evaluated, tested, and rapidly iterated long before the first prototypes are constructed.
• Customization: AI allows for greater customization in production, enabling manufacturers to meet specific customer needs more precisely and efficiently.
• Solution Development: AI solutions can be integrated into the product, unlocking new capabilities that interpret and respond to complex signals that traditional software rules or logic cannot handle (e.g. object recognition).

Manufacturing Productivity: Manufacturers have a substantial opportunity to transform operations as AI becomes more accessible — from optimizing resources to eliminating waste, and improving throughput. Here are several key areas where AI can drive significant improvements:

• Predictive Maintenance: By taking historical data from maintenance logs, you can predict how a machine will behave under a future payload, whether you’ll need to fix it, when, why, and how — based on what fixed that problem in the past. This can reduce downtime significantly.
• Predictive Quality: Predicting and reducing failures can yield significant cost savings.
• Waste Reduction: Using metrics to predict behavior across product specifications and processes can minimize scrap and maximize product quality.
• Demand/Inventory Forecasting: With a thorough understanding of plant operations and the data behind production, it’s possible to forecast the demand and movement of critical parts, resulting in significant inventory savings.

Sustainability: Manufacturers have a responsibility to balance economic growth while also minimizing their impact on the environment and society. AI can help manufacturers improve supply chain transparency, enable them to design and produce more sustainable products, and minimize environmental impacts.

• Energy Utilization: Using metrics and historical trends we can predict energy demands and optimize factory operations to utilize more environment-friendly energy as well as reduce waste.
• CO2 Emissions: Real-time monitoring of emissions throughout the manufacturing process can identify and address emission hotspots promptly​.

Bridging the Gaps: Overcoming Challenges to AI Adoption in Manufacturing

Manufacturing is undergoing a revolution, with traditional boundaries between operational and technological teams dissolving. AI and its associated advancements are a catalyst, pushing collaboration to the forefront. Let’s unpack five critical challenges that IT and OT must tackle together to harness the full potential of this transformative era.

1. Data, Data, Data: Data quality, weak integration, and data governance are the most commonly cited reasons for project failure and use case abandonment. In the MIT research, 57% of executives cited data quality hampered use case development.
2. Talents and Skills: A lack of talent and skills is the toughest challenge in scaling AI use cases. The closer use cases get to production, the larger the impact. Additionally, data quality and governance as well as insufficient access to cloud resources are magnified due to workforce gaps.
3. Stakeholder Alignment: Adopting AI in manufacturing involves significant changes in processes, technologies, and mindsets. It is crucial to ensure that these changes are successfully implemented in a sustainable way.
4. Fragmentation: Most manufacturers find some modernization of data architecture, infrastructure, and processes are needed to support AI, along with other technology and business priorities. Modernizing data systems to improve interoperability between engineering, design, the factory floor, OT, and IT is a critical priority.
5. Use case definition: Identifying the right use case is essential to AI adoption. Manufacturing systems are holistic and one metric has implications for multiple downstream systems. Additionally, it is easy to fall into the trap of never-ending analysis. Selecting the right use case and clearly identifying its dependencies is critical.

Building a Sustainable AI Foundation: Strategies for Success in Manufacturing

There can be a lot of skepticism about introducing AI solutions in manufacturing and whether the investment is justified. To overcome hesitancy and create trust with AI-powered solutions, you have to: 1) Be Intentional about the use case that is developed, 2) Assemble the right team (including leadership, operations, IT/tech, digital transformation, and finance people), and 3) Adopt a data first agile delivery process that reflects data accessibility and feasibility with model development.

Below are 5 techniques we have found successful in supporting these needs and ensuring we can unlock the power of AI in manufacturing:

1. Getting the right people in the room: AI is not just an IT or data scientist’s problem. AI is an integral part of solving complex business objectives and as such requires a multidisciplinary team to unlock it. It requires OT leaders, IT leaders, finance leaders, and SMEs to work together to design and plan solutions. This approach ensures there is both top-down and bottom-up support, that the appropriate budget is allocated relative to the target ROI, and that the right skills are available to execute.
2. Starting small and achievable: There are so many things that can become hurdles in implementing AI in manufacturing, from overcoming incompatibilities in systems to securely connecting shop floor systems and networks to the appropriate cloud systems needed to build and run AI models. Prioritizing a well-defined, value-adding AI use case within a single facility can cultivate internal advocates for AI. This initial success can then be leveraged to build a collaborative foundation for future AI initiatives.
3. Gaining consensus on how to track progress: Aligning the organization and team with what “done” means and the mechanics that track progress is critical. Oftentimes, organizations struggle to align the IT, OT and business stakeholders. That is why it is critical, given the dynamics of delivering AI solutions into always-on manufacturing environments, that an end-to-end lifecycle be represented in milestones and iterative success criteria. This allows the delivery, deployment, and operational teams to understand their target metrics, and stakeholders understand the progress through the lifecycle of the project.
4. Quickly identifying and understanding data gaps: It is important to realize that what looks good with simulated data may not be achievable in practice for many reasons. Commonly identified issues include system interoperability, data quality, and data governance. It is critical to understand gaps and mitigation strategies early while evaluating and prioritizing use cases to develop. Stakeholder support can be lost if you experience too many false starts.
5. Clearly articulating foundational and use case investment: Whether this is the first use case being developed or the use cases require integration with older OT systems, there is likely a need for some incremental investment into foundational systems and architecture.

It is important to clearly understand this investment independent of the use case(s) being developed, because the funding and ROI may match different time horizons. With this in mind, programs manage these deliverables as separate work streams with different ROI horizons.

To realize the value of AI within manufacturing, organizations must comprehend use case feasibility, address gaps early, and adopt a delivery methodology that can align and deliver.

If you’re looking to leverage AI for your organization, our team can partner with you to unlock value and mitigate pitfalls. Learn about our AI and data insights expertise and workshops, and be sure to follow us on Medium for upcoming content.

Sources:

Taking AI to the Next Level in Manufacturing, MIT Technology

State of AI in 2023, McKinsey Study

Andrew Montgomery, vice president of strategy, is an experienced technology executive and data strategist with 20+ years of experience with Fortune 500 companies. Andy’s focus is helping customers unlock their data to simplify business complexities and reshape business outcomes.

Unlocking Manufacturing’s Hidden Profits: How AI Revolutionizes Design, Efficiency & Sustainability was originally published in Object Computing on Medium, where people are continuing the conversation by highlighting and responding to this story.

A well-known website crashed a few weeks ago, and it made the news. We won’t disclose the company name, but it’s a very popular site and that crash affected millions of people. Fortunately, due to the heroic efforts of the support teams, it was operational after about 12 hours. Unfortunately, it lost a mountain of revenue.

We know the cause and the extent of how deeply this problem is entrenched within this organization. And, we have seen how organizations like this arrive at a place where they see symptoms like this system crash. It was likely a result of years of “architecture by accident.” In our observation, this architectural anti-pattern is common in organizations of all sizes, from small startups to large enterprises. Most experienced technologists understand that a system’s architecture is created on a set of goals, trade-offs, team structure, and the constraints under which it was built and is maintained. Without a deliberate architectural strategy, atmospheric pressures result in Accidental Architecture.

Agile Methodology Over Time

Failure to plan system architecture — and neglecting the execution of those plans — plays a substantial role in the growth of accidental architecture. While Agile methodology encourages adaptability, collaboration, and continuous improvement — which are excellent means of responding to change — this philosophy isn’t meant to replace real architectural planning.

The natural tendency of systems to become more disordered and complex over time advances more quickly in software than in physical systems. This advantage of software systems in allowing more flexibility also allows more chaos and unpredictable system future states. Think of this as gaining one pound a year, and in 10 years you realize you’re no longer able to fit into your favorite jeans. This is the impact of accidental architecture: critical systems can become unstable and difficult to maintain in a way that goes unnoticed for years.

Recognizing the Symptoms

Major system crashes that impact millions of users aren’t the only symptom of accidental architecture. Below is a list of symptoms. You may recognize signs of your own business and architecture listed here:

1. Perpetual First Aid
   The organization must constantly pay for the rising costs of non-stop bug fixes, customer churn from software defects, and cyberattacks.
2. Hero Technical Team
   The technical team must routinely rise up to handle frequent (and risky) incredible technical challenges just to sustain normal business operations.
3. Innovation Gridlock
   Implementing new business features takes longer than the market will bear and brings new, unexpected system failures upon release — resulting in more reputational damage.
4. Application Monster
   The application user interface is unnecessarily complicated or just doesn’t make sense to users. New users are frequently overwhelmed, lost, or confused. Typical symptoms can include randomly logging out users, data inconsistencies in different parts of the system, difficult navigation in commonly used areas, time-consuming training, and user circumvention of the system to do their jobs a different way.
5. Molehills into Mountains
   Technical changes or system updates that should be straightforward are monumentally complex. Also, the risk of failing is so high that making changes is actively avoided or simply not approved by leadership.
6. Vendors Threaten to Not Support Key Dependencies (or Worse, They Do Support It!)
   Third-party tools, libraries, services, or service providers threaten to end support for dependencies. Or, they charge huge premiums to continue to support obsolete versions. Or, they simply stop offering support at any price.

These technical symptoms are frequent root causes of the painful business symptoms above:

1. Big Ball of Mud
   A modification in one area of the system requires substantial change in one (or more) additional areas of the application. Relationships between system areas are not well understood.
2. God Objects
   Software code (especially classes or services) that tries to do too much — or must do too much — just to make the application function. Or, there are attempts to make code “reusable” in multiple parts of the overall system.
3. Circular dependencies
   The system consists of chains of components depending on each other in a circular and sometimes non-trivial fashion (A ➞ B ➞ C ➞ A).
4. Code Duplication
   A severe example of Code Duplication occurs when functions (or classes) are duplicated, modified slightly, and then re-inserted into the application. Generally, the reason this occurs is due to a poor understanding of how a modification to the original code would impact existing use cases (e.g. no regression testing is available).
5. Scary Migrations
   Migrating to a new version of system dependencies takes years and brings inordinate risk. A common example is moving to a new database version that is several revisions ahead of the current installation.
6. Cockroach Defects
   There are bugs that were supposed to be fixed that reappear. They are seemingly impossible to eliminate. This is typically caused by automated tests that are ignored or skipped, dramatically increasing the risk of system rollbacks after deployment.
7. Software Bloat
   Each release of the system demands ever-increasing resource allocation (memory, processing, storage, etc.) driving up the cost of operations. Related symptoms include: reducing overall system performance, increasing system resource requirements, or increasing deployment time.

If these symptoms sound familiar to you, it’s likely your organization faces the challenges of Accidental Architecture. There is hope. The next article in the series will serve as a guide for business and technology leaders to restructure their architecture practices and refine their approach to achieving Intentional Architecture.

Be sure to follow and subscribe to be notified of the next installment. Please visit Object Computing’s website to learn more about our services.

Mike Pleimann has 15 years of experience as an Application Architect and almost 25 years in software engineering. Currently leading the Application Architecture team, he combines technical proficiency with managerial skills to guide teams toward success in large-scale software architecture and engineering programs. As a seasoned leader in the field, he brings a wealth of knowledge and strategic vision to his projects in the telecom, collections, defense, and gaming industries. He is dedicated to crafting robust, scalable solutions that are fit for purpose and has consistently earned accolades from clients and peers. Mike holds a BS in Computer Science from Missouri S&T.

Garey Hoffman is a Partner and Vice President of Engineering of Object Computing. Hoffman plays a pivotal role in overseeing and driving the technical aspects of the organization. He is involved in managing a team of skilled engineers, architects, and technical professionals to deliver quality solutions and services to clients. He is also responsible for aligning technical strategies with business objectives, ensuring the successful execution of projects, and maintaining a strong focus on innovation and emerging technologies.

Business Leaders: How Do You Know If Your Enterprise Has Accidental Architecture? was originally published in Object Computing on Medium, where people are continuing the conversation by highlighting and responding to this story.

Imagine a solution that not only enhances the security of your products but also saves time and reduces costs. This is precisely what Secure by Design (SbD) principles offer. Unlike traditional reactive security measures, which often lead to last-minute setbacks and avoidable changes, SbD takes a proactive approach. By integrating security from the beginning, we not only save valuable time, money, and resources but also elevate the overall project experience for everyone involved.

The Foundations of Implementing Secure by Design

In How We Achieved Cost-Efficiency through Embedded Security, we talked about how trust and collaboration are paramount to the successful implementation of an SbD program. By integrating a dedicated security engineer into our team, we can engage in effective collaboration to identify risks, threats, and appropriate mitigation steps. Let’s explore how we can seamlessly integrate agile security into the software development lifecycle.

1. Security Planning and Assessments

During the planning phase of a project, it’s crucial to develop our security architecture. This involves analyzing applicable privacy and security laws, frameworks, or policies, such as GDPR, HIPAA, and SOC 2.

In addition, threat modeling is vital to the completeness of our security architecture. It helps us identify realistic privacy and security concerns along with methods to mitigate their risks. Subsequently, we can translate identified security controls or mitigation steps from the architecture into user stories or update the acceptance criteria of existing stories. This approach allows us to effectively plan, track, and implement security measures into the product from the beginning.

2. Continuous Security Support

Throughout the lifecycle of a project, features and scope often change. Therefore, it’s essential to make security as agile as the rest of the development team. One way we accomplish this is by creating abuser stories. An abuser story is essentially the ‘evil’ version of a user story that describes what a threat actor can do. Each abuser story contains threat scenarios, which capture how a threat actor can accomplish the abuser story. We can brainstorm this information by asking the team to think about features from an attacker’s perspective.

This approach allows us to examine the privacy and security aspects of specific features in greater depth than would otherwise be possible. Moreover, it helps us stay current with any new or evolving features or requirements. This process is led by the security team and can be integrated into sprint planning or refinement sessions to involve the entire team while minimizing the time commitment.

3. DevSecOps

DevSecOps represents an enhanced approach to DevOps that integrates security practices into the pipeline, reducing the need for manual security checks and accelerating vulnerability remediation. This is my favorite aspect of SbD, as it allows us to incorporate a broad range of security functionality in an agile manner, enabling security teams to concentrate on more strategic initiatives. Additionally, developers receive immediate feedback on potential security issues, allowing them to write secure code from the start.

Below is a list of essential security functions that should be integrated into your DevOps pipeline:

• Static Application Security Testing (SAST)
• Dynamic Application Security Testing (DAST)
• Secret Detection
• Source Composition Analysis (SCA)
• Software Bill of Material (SBOM) Generation
• Continuous SBOM Analysis
• Infrastructure Misconfiguration Detection

Your security tools should be configured to proactively block security vulnerabilities from being introduced into your application or environment. Furthermore, it’s crucial to collaborate with your team to fine-tune these tools to minimize noise and avoid unnecessary work. By adopting this approach, we establish a seamless, automated method for ensuring the security of our applications while keeping up with rapid development.

4. Assessments and Validation

When following SbD principles, the overall product quality and security are significantly improved. However, it’s still crucial to verify that your application is free from security flaws. This can be achieved through various methods, such as:

• Application security testing
• Penetration testing
• Cloud security assessments
• Vulnerability assessments
• Code security reviews

In many cases, conducting smaller tests throughout the project lifecycle rather than one large assessment at the end can be more effective. This approach enables us to identify and address issues early, minimizing the need for significant re-work and creating shorter feedback loops for our team.

Conclusion

Implementing SbD has not only enhanced the overall quality and security of our work but has also delivered tangible benefits to our clients. By integrating security considerations into every phase of our development process, we ensure that the products and solutions we deliver are inherently robust and resilient against potential threats. This proactive approach not only minimizes risks for our clients but also translates into lower costs and faster time-to-market. Ultimately, our clients benefit from increased confidence in the security and reliability of our offerings, leading to enhanced trust and satisfaction with our services.

Brandon Lynch is a Security Engineer with expertise in software development lifecycle security, encompassing infrastructure and software assessments, as well as comprehensive reporting. He’s skilled in defense-in-depth threat identification, remediation planning, and offering strategic recommendations, as well as designing and implementing DevSecOps practices, creating automated CI/CD pipelines through the integration of security scanning tools and the application of branch protection rules, utilizing both commercial and open-source solutions. He holds certifications such as a Certified Ethical Hacker (CEH) Master and Google Cloud Certified Professional Cloud Security Engineer.

4 Keys to Successfully Implementing Security by Design was originally published in Object Computing on Medium, where people are continuing the conversation by highlighting and responding to this story.

Imagine having a conversation with your dataset as if you were talking to a colleague, gaining insights by simply asking questions. With generative AI, this is entirely possible. In the era of conversational chatbots, businesses are beginning to think about how these can be leveraged to harness the full potential of their data. Traditional methods for extracting insights from data often require special skills and are time-consuming. Using Gen AI models to “chat” directly with our data makes these data insights more accessible and actionable, revolutionizing the way data-driven decisions are made.

While many people tend to think of Gen AI models like ChatGPT as a sort of ‘search engine’, tech leaders recognize the potential to tap into their company’s own proprietary data. Large language models (LLMs) in isolation only know what they have been trained on. Proprietary data and documents published after the model’s training are unknown to out-of-the-box LLMs.

This article discusses the concept of “chatting with your data.” It is an approach to integrate proprietary, sensitive data with LLMs such that users securely engage in natural-language conversations with their datasets and unlock the data’s full potential with less manual effort. It specifically focuses on chatting with “messy” unstructured data such as PDF documents, raw text, CSV, or JSON files. Furthermore, it includes an overview of how LangChain, a popular open-source framework, easily jumpstarts your chats.

Why Chat with Your Data?

“Chatting with your data” presents valuable opportunities to automate workflows, democratize data access, and accelerate the monetization of data insights. Leveraging Gen AI in this way allows for Q&A sessions with a dataset, and also the ability to automate mundane tasks like summarizing or translating documents. There are numerous benefits associated with the ability to understand and transform data simply by having a natural language conversation.

1. Automate and accelerate workflows: Chatting with data is an effective way to accelerate workflows and automate some of the more mundane processes that humans spend time doing manually. The focus is on acceleration with human oversight rather than replacing humans altogether. By taking away the boring and repetitive tasks, time is freed up for data professionals to focus on the more creative, innovative, and decision-making aspects of their roles. This is comparable to the role of spellcheck in word processors — it didn’t replace the need for humans to write the content, but it saved time and improved quality.
2. Empower more people to interact with the data: Through conversational interfaces, this approach empowers a broader spectrum of users, including non-technical stakeholders, to interact with and derive insights from the data in real time. Making complex datasets more accessible and understandable will foster more collaboration across teams.
3. Quick insights to unlock the value of data assets: Harnessing the time-save provided by this automation allows organizations to extract valuable data insights quickly, translating them into actionable strategies at an accelerated pace.

Unlock Conversational Data Interactions with RAG

Chatting with data has many benefits, but how can a model perform tasks and analysis on data it hasn’t seen during training? Enter Retrieval Augmented Generation (RAG), a technique for enhancing a model’s abilities by referencing an external knowledge base beyond the information it was trained on. This technique enables users to provide an LLM with a proprietary dataset and make queries about the data or assign tasks to the LLM, receiving informed responses in real time.

To most effectively utilize RAG, it is good practice to split unstructured data like text documents into semantically meaningful chunks. This allows the LLM to search for the most relevant chunk related to the user’s query and use only the most relevant information to generate a helpful response. Splitting a document involves steps of tokenization and vector storage that will be discussed later in the article.

Once a user makes a query, the RAG system retrieves the relevant information from the vector store and uses its natural language abilities to generate a helpful response. This is the power of RAG, bridging the gap between data exploration and response generation to facilitate more nuanced and insightful conversations between a user and their data.

Preparing Your Data to Chat

While generative AI models require less polished and meticulously cleaned data than traditional machine learning models, effective data preparation is still an essential step to maximize the potential of RAG. To get the most out of RAG, there are some standard steps to prepare unstructured data such as text documents.

1. Meaningful tokenization (splitting): LLMs have associated token limits. This is a number of tokens (usually characters but can also be parts of words or entire words) that can be entered into the model’s context window. For this reason, it is often infeasible to pass an entire large document into the LLM along with our prompt (question or task). To avoid hitting token limits and receiving an error following a query, a common practice is to split documents into smaller sub-documents, reducing the number of tokens per “document.” It is good practice to split documents into chunks that are semantically meaningful, keeping groups of relevant tokens (words, sentences, paragraphs, etc) together. This helps the RAG process return the data that is most relevant to the query at hand.
2. Embedding: Embedding text data for RAG is the process of transforming the natural language text that humans use into numeric representations that the LLM can understand. These are high-dimensional vector representations of text that capture semantic meaning and contextual relationships between tokens. This enables similarity computations and the retrieval of the most relevant information by comparing the data’s embeddings to those of the user’s query.
3. Vector store: Storing embeddings in a vector store facilitates the retrieval of documents or document chunks that are the most semantically similar to the user’s query. This ensures that only the most relevant information is considered when the LLM generates its response.

These are the essential steps to preparing data for RAG systems, leading to the most accurate responses and most accessible insights.

Crafting Data Dialogues: The Art of Effective Prompt Design with RAG

A prompt is a request sent to an LLM to receive a response back, and prompt design is the process of creating prompts that elicit the desired response. Effective prompt design is essential to ensuring helpful, accurate, and well-structured responses from language models. It is important to make sure the model understands what is being requested of it and has clear guidelines to respond in a way that is most helpful to the user and meets their expectations. Beyond the short query that the user submits to the model (like in interactions with ChatGPT), PromptTemplates are often used to provide the model with the most information possible about the expectations for the generated response.

PromptTemplates integrate nicely with RAG because they can be used to instruct the model to only make use of the designated data store when generating answers. While prompts can contain questions, they can also be constructed to instruct the model to take on an assignment. Examples of such tasks include summarizing, editing, switching text to a different tense or tone, or generating new text. Prompt templates are excellent ways to designate between question-answer and task-based instructions for the model.

The following shows the creation of a PromptTemplate for a question/answer interaction with a dataset consisting of transcripts from lectures in a machine learning course. Note how the template provides placeholders for not only the query, but the useful context to inform the response.

Prompt design is an essential part of creating a RAG system. The following are some tips for ensuring more effective prompt design:

1. Give clear and specific instructions to the model. Define the task and any constraints, or even the format the response should be given in (e.g. a bulleted list, a five-sentence paragraph, or a JSON file)
2. Include few-shot examples. Give the model a few examples of similar prompts and expected responses, so it can learn how to respond in the desired format. “Few-shot” prompting is a common technique that provides the model with the expectations for how similar queries should be responded to.
3. Break down complex prompts into individual steps. A prompt could contain a list of steps for the model to take in a particular order to best complete the request.
4. Experiment with wording and tone. Altering prompts to guide the model toward the expected behavior can be helpful.

Putting it All Together with LangChain

LangChain is an open-source framework for developing applications using LLMs. LangChain comes equipped with modules and end-to-end templates that make it easy to quickly implement each step of the “chat with your data” approach.

To make data preparation simple with unstructured data, LangChain provides a variety of document loaders, configurable document splitters, embedding strategies (including those assisted by an LLM), and supported vector stores.

For data retrieval during the RAG process, LangChain provides several Retrievers — a class of objects that can be used to configure a RAG strategy dependent on use case. For example, if hitting token limits is an issue, the ContextualCompresionRetriever can be used to retrieve only the most relevant portions of a document chunk to further reduce the number of context tokens being passed into the LLM.

Chains are a valuable feature of LangChain that encapsulate sequences of interconnected components that execute in a specific order. There are several use-case-specific options for chains to use, and custom chains can be created as well. For example, the RetrievalQAChain is designed to facilitate RAG for question/answer-based exchanges with an LLM. Chains can easily be integrated with a preferred retriever, LLM, and vector database. Chains can also be joined together in sequences for more complex workflows, and Router Chains can be leveraged as a tool to decide which of multiple chains is best suited to handle a given query. Ultimately, chains provide a framework to implement a chat-with-your-data workflow with minimal lines of code.

Ultimately, LangChain’s modularization of useful components that can be strung together into chains makes the framework an effective tool for implementing RAG systems to chat with a dataset.

Going from Q/A to ChatBot

Asking questions or making requests to the LLM in a one-at-a-time manner is sufficient for several use cases. When a more conversational structure would be beneficial, such as for a customer-service chatbot that needs to remember conversation history, LangChain provides tools for these use cases as well. This structure looks similar to the chains explored previously but will involve the addition of a “memory” of sorts for the LLM to reference context from previous chats in future responses. This allows for follow-up questions or requesting refinements or edits to a previously completed task.

The following example shows an application of this when having a conversation with lecture transcripts from a machine learning course. The ChatBot uses these transcripts to answer a question, then uses the transcripts plus the conversation history to answer a follow-up question. Note that in the second question, TAs are not mentioned, but the ChatBot uses the context of the previous question to understand that those are the people whose majors are being referred to.

LangChain provides a variety of options for conversation memory. One example is “conversation buffer memory,” which simply keeps a list of chat messages in history and passes those along with the question to the chatbot each time. Using this, a new chain (i.e. ConversationalRetrievalChain) can be created from building upon the initial RetrievalQAChain with the addition of the memory component.

Data Security Considerations

RAG is a powerful technique, but it is important to ensure that applications that utilize RAG are used safely, without compromising data integrity. The following are key best practices to consider when implementing a RAG system to chat with data.

• Encryption of data in transit and at rest: Utilizing industry-standard data encryption protocols is a good way to ensure sensitive information is protected both in transmission and while being stored.
• Access controls and authentication: Implementing different levels and scope of access to the RAG system is a good way to ensure that only authorized users can interact with the system and access sensitive data.
• Data anonymization: Employing anonymization is an effective way to protect sensitive information within the data. Anonymization includes actions like removing personally identifiable information (PII) from the data and using anonymized identifiers to prevent the identification of individuals. Masking data in this way will also help protect this sensitive information from being stored by an LLM from a third party API, like OpenAI.

Takeaways & Next Steps for the Future

Turning proprietary, unstructured data into a conversational agent that empowers users to accelerate workflows and increase the accessibility of quick, actionable data insights.

Some considerations for future improvements include:

• Fine-tuning: Continuously fine-tuning the parameters of the RAG model can help improve response quality and relevance. Fine-tuning can be helpful at the data prep strategy, with prompt design, or with other LLM parameters.
• User interface: Integrating this process with a user interface can make having data interactions more convenient, leading to more accessibility for RAG systems to enable more people to chat with their datasets.
• Experiment with more retrieval techniques: Experimenting with additional retrieval techniques such as re-ranking could help the model construct more helpful responses that make the most effective use of the provided data.

If you’re intrigued by the concept of ‘chatting with your data’, our team can help you turn this concept into reality. Learn about our AI and data insights expertise, check out our recent webinars, and be sure to follow us on Medium for upcoming content.

Additional Resources:

• LangChain
• Document splitters
• Retrievers
• Chatbots
• Deeplearning.ai course

Madison Koehler, Data Scientist at Object Computing, obtained her MS in Artificial Intelligence in 2022 and has spent the last two years kicking off her career as a data scientist. She utilizes a strong background in mathematics, statistics, and computer science to create data-driven insights in the machine learning and deep learning space, and has utilized cloud service providers such as Amazon Web Services (AWS) to build and optimize large-scale pipelines spanning the entire machine learning lifecycle.

How to Chat with Your Data was originally published in Object Computing on Medium, where people are continuing the conversation by highlighting and responding to this story.

As an integral part of modern critical infrastructure and pivotal to the transportation of goods in many developed countries, rail carriers assume responsibility for thousands of miles of track that must be monitored and maintained. Performing these duties adequately is paramount to regulatory compliance and safety. However, the processes to conduct these operations are generally slow, manual, and resource-intensive. These inefficiencies can lead to backlogs and compromise safety.

The solution lies in building the right tech stack. By harnessing the power of cloud computing and machine learning (ML), we can extract rich insights from LiDAR (Light Detection and Ranging) data. Let’s dig deeper into the problems and how our solutions can provide railroads with vital and timely information for maintenance and intervention.

Challenges in Vegetation Management

One critical area requiring improvement is vegetation management at railway crossings. For safety reasons, the railway responsible for a crossing must ensure the area around it is free of vegetation that could obstruct visibility. When this vegetation management is done poorly, vehicle passenger and train operator sightlines can become obscured, leading to collisions and other accidents.

The manual and time-consuming process to complete this critical responsibility requires dispatching crews or contractors to take measurements and make assessments. Plus, the costs associated with conducting and validating manual assessments can be prohibitive, making it impossible to do with enough frequency to adequately manage vegetation encroachment. A means to expedite this process could serve to greatly enhance rail crossing safety, ensuring that visibility-obscured crossings are identified and remedied in a more timely manner.

LiDAR Technology and Its Potential

Fortunately, advancements in technology offer promising solutions. LiDAR is a popular tool for gathering data on trackside objects, including vegetation. However, the sheer volume of LiDAR data can be overwhelming, often remaining unused because there’s no easy way to interpret and analyze it.

Unlocking the Value of LiDAR Data

While LiDAR data holds undeniable value for railroads, it’s a tough nut to crack. It contains a massive amount of detail about trackside objects, making analysis challenging. However, if we can properly analyze this data, it can significantly speed up many tasks for rail carriers. This translates to both improved track safety and reduced resource needs for maintenance.

A Practical Example: Streamlining Vegetation Management

A specific application of this tech stack is a tool we designed to manage railroad-crossing vegetation. This tool leverages:

• LiDAR data collected from vehicles already using the railway.
• Cloud computing for secure data transfer and storage facilities, along with the processing power and scalability required to perform complex calculations and assessments systematically. The computational power and integrability of cloud services also enable the rendering and display of meaningful visualizations and reports based on the data analysis.
• Machine learning algorithms for automated insight generation, eliminating the need for manual inspection. This enables rapid assessment of large datasets, pinpointing critical issues and recommending targeted actions.
• Asterisms, a vendor-neutral platform for interactive data visualization.

The tool analyzes LiDAR data in conjunction with open-source geospatial data to:

• Detect and classify vegetation within designated compliance zones.
• Identify potential compliance violations related to vegetation growth.
• Quantify the extent and type of vegetation occluding the view.

LiDAR in Production: Road-Rail Intersection Sightline Compliance

By combining the gathered LiDAR and open-source geospatial data with powerful ML techniques, the tool detects and classifies vegetation within specified compliance zones around railway crossings. The analysis culminates in identifying compliance violations and details the magnitude and variety of the vegetation occlusion. These insights, both qualitative and quantitative, provide a meaningful evaluation of the crossing’s sightline compliance and can be used directly to identify crossings needing vegetation management.

This tool goes beyond simply identifying vegetation by providing:

• Detailed breakdowns: The tool calculates an “occlusion proportion” for each zone, revealing the overall blockage percentage and breakdown by vegetation height.
• Interactive 3D visualizations: Users can virtually explore 3D maps of crossings, complete with surrounding vegetation and objects.
• Prioritization for resource allocation: Capable of analyzing thousands of crossings in a matter of minutes, the tool allows users to quickly identify and prioritize the most critical compliance violations and determine the necessary remediation resources.
• Remote inspection: Through the supplied 3D visualizations, users can remotely search and inspect crossings of interest to verify reported statuses.

All of this occurs in the browser, providing an automated and centralized toolkit instead of a formerly manual and fragmented practice.

The Utility of Using Your LiDAR Data

The successful utilization of LiDAR data means reduced manual work for rail carriers while pursuing maintenance standards and compliance. Not only is the manual workload (and associated resource cost) of data collection mitigated, but the effort required to complete assessments about this data is reduced. Nesting LiDAR data within the detailed tech stack allows targeted insights to be generated automatically and much more expeditiously.

Accordingly, the time to insights is greatly improved; the delta between data collection and the realization of actions to be taken becomes much smaller. This throughput enhancement then allows operators to dispatch remediation resources in a more timely manner. The generalized reduction in procedural effort and time lets assessments be conducted more frequently, keeping a more-present eye on the status of railway conditions.

The real power of this technology lies in its speed. As multiple assessments can be completed quickly, action item prioritization is also enabled. Considering a large number of identified tasks to be completed, the most pressing or impactful can be selected to receive correction efforts first. This not only helps railways comply with regulations, but more importantly, it keeps everyone safe.

Looking Ahead

This technology represents a significant step forward. We are already developing ways to use the same basic architecture with LiDAR data for many other applications, both on and off the rails. Early tests show it can be used to assess ballast quality, monitor the health of the tracks and ties, identify objects encroaching on the tracks, and even evaluate tunnel quality.

The integration of LiDAR, cloud computing, and machine learning holds immense potential for a wide range of applications, not just in railways but across various industries.

To see a demo of this tool and learn more about our LiDAR expertise, visit our website.

Samuel Vanfossan, PhD, is a Data Scientist at Object Computing, responsible for the design and implementation of machine learning and operations research solutions. His interests include the application of artificial intelligence to geospatial data and the intersection of machine learning and optimization.

Allan Trapp, PhD, is the Managing Director of Data Science at Object Computing. He leads a team of data scientists and engineers who craft ML business solutions across diverse industries including agriculture, transportation, finance, and life sciences. Data-driven actions are his passion and motivate his research on agricultural management zones and the carbon-offset marketplace.

LiDAR + ML + Geospatial Data: A Powerful Engine for Smarter Railway Management was originally published in Object Computing on Medium, where people are continuing the conversation by highlighting and responding to this story.

The Escalating Risks: Why Secure Software Development is Critical Now

The financial impact of cybercrime is undeniable. A 2021 report by Cybersecurity Ventures estimates global losses reached $6 trillion. Additionally, Gartner predicts a significant rise in software supply chain attacks, potentially leading to increased data breaches and operational disruptions for businesses. Furthermore, the Identity Theft Resource Center reported a concerning 78% year-over-year increase in data breaches, highlighting the crucial need for robust cybersecurity measures to safeguard sensitive information and mitigate financial risks.

These statistics highlight the crucial need for robust security embedded throughout the software development lifecycle. Traditionally, as I’ve experienced throughout my career — and which persists in many organizations — security reviews were a reactive measure. Once the development team had a good bit of the system developed, they would pull in the security team to do a review. Security would give feedback and the engineers would have to do rework.

On rare occasions, security would be pulled in early to look at the design and make suggestions, but often when security was brought back to review near the end, much of the original design had changed during iterative development. This approach often increased timelines and costs due to rework and created a culture of divisiveness between security and product development.

At Object Computing, we knew there had to be a better way. We set out to proactively address growing security demands while fostering collaboration within our company and ensuring the success of our client’s projects.

Introducing Secure by Design: A Collaborative Approach

We embraced the concept of Security by Design (SbD), which advocates that software be designed, developed, and delivered securely by default. Initially, there were concerns that integrating security from the very beginning of the development process would increase time and cost for clients, but we started small and internally, focusing on:

• Threat Modeling: By analyzing the design and creating a threat model, we had focus areas from a security perspective as the application was built. This proactive approach helped us identify potential security vulnerabilities early on. It involves identifying assets, understanding attackers, creating attack scenarios, evaluating risks, and implementing countermeasures.
• Open-Source Security Scanning: We initially looked at commercial tools — and there are great ones in the market — but the costs for these tools can be prohibitive. For clients with a tighter budget, we found a robust, trustworthy open-source community with tools that do the same types of scans at only the cost of implementation.

We then began incorporating:

• Strategic Touchpoints: Security is now embedded in the project team, participating in project planning, kick-off, standup meetings as needed, and end–of-sprints. This close communication prevents the need for rework and fosters collaboration while limiting the number of touchpoints to only what is needed to reduce overhead.
• Automatic Scans: By using open-source scanning tools, we have continuous dependency and vulnerability checking throughout the software development lifecycle with each code check-in. This ensures that no new issues are introduced in the code during the project.
• Risk Assessments: Both the security and development teams continually review our threat models to identify the highest areas of risk and give them extra scrutiny right from the start.

The Results: Efficiency Gains and Improved Security

The old siloed approach would pull together the project team who would walk the architecture with the security team, which could be a one- or two-day event involving multiple people. The security team members would then analyze the application in full, including scans and manual walkthroughs, and generate their reports. Then the application teams were charged with implementing the findings towards the end of a project. This rework could easily take 2 to 3 weeks of time, along with frustration.

Over the past three years of developing our SbD practice, we have adjusted our processes to meet the cost expectations of our clients and still ensure we deliver a product that is secure by design. We’ve seen significant improvements in:

• Time and Cost Reduction: By strategically incorporating security team members throughout the process, eliminating the need for lengthy reviews and rework, we have reduced our security costs in both people and time. And, automating scans and integrating security throughout the process minimizes rework and saves our clients time and money. This slashes security review times from weeks to 2–3 hours per week. There is no rework creating delays to the project — just a smooth, efficient process that keeps timelines on track and budgets in check.
• Early Risk Detection: Threat modeling and continuous scanning help identify and address security issues early, preventing costly late-stage fixes. We participate at the end of sprint planning, update our threat model, and add abuser stories to align with relevant features. These abuser stories are created in partnership with developers who enjoy thinking about potential ways to hack the systems.
• Stronger Collaboration: Strategic touchpoints between developers and security professionals throughout the development process foster a more positive and productive work environment. We collaborate instead of dictate and work as partners instead of adversaries.

Embracing the Future of Secure Development

In April 2023 and an update in October, the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI) and 13 additional internal partners published recommendations on how software manufacturers should ensure the security of their products. Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software is raising the visibility and shifting the responsibility to software manufacturers. The United States National Security Strategy 2023 pillar 3.3 discusses holding software manufacturers accountable for insecure software development practices.

These types of initiatives will only grow in strength and power in the years to come. Companies that adopt SbD practices now will be well-positioned for success in the evolving security landscape, gaining a competitive advantage and building trust with their customers.

Janelle Morris, Senior Director of Information Security at Object Computing, is accomplished at creating quality technology platforms, integrating acquisitions, managing vendors, growing key talent, and exceeding customer expectations. She leads with expertise in solving customer problems, driving change, and delivering exceptional results.

From Rework to Results: How We Achieved Cost-Efficiency through Embedded Security was originally published in Object Computing on Medium, where people are continuing the conversation by highlighting and responding to this story.