With 36 years of experience, Behshad Rejai, VP of engineering in the Software Integrity Group, shares her views of the future of software development.
Unpretentious and soft-spoken, Behshad Rejai belies ambition, but in her 36 years in the software development space, she has had a remarkable progression across a number of industries. After coming to the United States from Iran when she was 18, she worked to get her undergraduate and graduate degrees in computer science from the University of Nebraska–Lincoln.
Since grad school, she has worked in software development continuously since 1983, first with GM Research Labs, then for Rockwell International and Boeing in aerospace, including on the space shuttle program, where she helped develop an expert system—something akin to AI in the 1980s—for routing cables in the shuttle’s payload bay. Rejai followed that up with a few more projects for the Department of Defense on software interface specifications of a ground-based interceptor.
But as the Cold War ended, the aerospace industry entered a downturn. Rejai started looking for new opportunities and found one with Synopsys. She spent her first 15 years at Synopsys working for the electronic design automation (EDA) side of the business on software that helps design semiconductors. She’s spent the last five years on the software security side of the house.
“The beauty of software engineering is that you can pretty much pick any domain,” Rejai says. “Your software engineering skills can apply to any domain. Over the course of my career, I’ve moved from automobiles to aerospace to EDA to software security.”
For example, after joining Synopsys, she started as a first-level manager, then progressed up the corporate ladder to become the VP of engineering in the Software Integrity Group. Now that Rejai is retiring from an active role in software development for Synopsys, she’s taken some time to reflect on her career and all the changes she has seen in how software is developed.
Considering the last five to 10 years of software development and how much things have changed, what are some of the most important developments that you’ve seen?
When I started 20 years ago at Synopsys, we followed a waterfall software development process strictly. Nowadays, software development is much more collaborative and agile. The boundaries of different stages of the life cycle are no longer well defined. You design, implement, and test the application incrementally and validate it with the customer along the way.
The other significant change is the use of open source packages. Applications are mostly assembled rather than being developed. And rightly so. Why reinvent the wheel if it already exists? You can just use an open source package—if the licensing is compatible with your company’s practices. Up to 90% of applications use open source, according to the Synopsys OSSRA report.
Over the past five to 10 years, due to the move to the agile process and use of open source packages, the velocity of software development and time to market has improved significantly.
Could you tie agile, CI/CD, and DevOps together? Because there seems to be some confusion out there about how those three relate to one another.
Sure. Agile is really about the software development process. As I mentioned, agile is about the boundaries of different phases of the software development life cycle becoming less well defined and removed. And software applications being developed collaboratively and incrementally without knowing everything up front. Agile is about the process.
CI/CD is more about practices, where you’re continuously integrating and continuously delivering or deploying. CI/CD is also about more automation and quicker feedback to the developers about their build, test, and integration issues. Continuous delivery or deployment may not be appropriate for every application, but the key with a mature CI/CD practice is to have your software ready for production.
DevOps, on the other hand, is more about roles. Just like agility removes boundaries from the phases of the development process, DevOps removes boundaries between developers and release engineers. Release engineers used to be the only ones responsible for releasing software to production, and developers were the ones responsible for development. With DevOps, the roles are less defined. For example, developers not only develop the application but also push their code into production and play the role of release engineers. John Steven, who was a leading figure at Synopsys, actually has a really good differentiation of agility, CI/CD, and DevOps.
In the last five to 10 years, what are some of the underreported but significant software development life cycle (SDLC) developments?
I’d say it is the focus and emphasis on the user experience throughout the SDLC. With iPhones and smart devices, there is much more focus on user experience. You’re not expected to read a manual. Everything should be intuitive. I call it delightful user experience and “extreme ease of use.” With the introduction of smart devices, a little over a decade ago, there is a fundamental new way of thinking about the user.
Our own attitude toward the use of software and our tolerance for complicated applications has dramatically shrunk. I always remind my development team that if an application is difficult to develop, it doesn’t mean it should be difficult to use. At Synopsys, we have a dedicated user experience team in the organization, and the developers also pay extra attention to how easy it is to get value from the software application they are developing. Extreme ease of use is as important with software security tools because of developer productivity. If it takes a long time to figure out how to use a software security tool, that’s a hindrance to their productivity.
What do you think is going to happen in the next five to 10 years in software development?
There has been a lot of hesitation about moving development to the cloud, especially having your source code in the cloud. That has improved, but over the next five to 10 years, it will improve even more, and the cloud will be the natural place to develop and host applications. The cloud will be considered the safer place to store your source code and data compared to attempting to host it yourself in data centers. Cloud providers are constantly investing in cloud security and driving innovation. Security is their core competency and their No. 1 worry. For example, the application of automated reasoning technology by Amazon to help with the security of the cloud is a great example of an innovative approach to cloud security. Basically, you prove that your code is secure. It’s provable security.
Modern applications have been split up into all these different areas, such as microservices, frameworks, open source, and proprietary code. What do you think of these and their immediate and longer-term future?
Using microservices and componentization of software rather than having a monolithic application is the wave of the future. The idea is to be able to do development in parallel, to remove the dependencies of these modules on each other, and just as long as the APIs and the communications between these microservices are defined, you can have teams work independently on their components.
For example, our Polaris platform is a combination of several microservices, and the teams are completely independent, working on their own microservice. The nice thing about microservices is that you can reuse them in different applications. For example, a single sign-on microservice, even though it’s been developed for our Polaris platform, you can take that and use it in each of the Synopsys application security products.
Are there any other points about the future of software development you want to mention?
Well, the proliferation of IoT is going to increase the demand for the software security industry. There will be tens of billions of connected devices in a few years. Everything around us will be connected, which means a higher risk of security getting compromised. As our lives become intertwined with our digital devices, we’re exposed to more security risks. For example, a Portland, Oregon, couple claimed that their Amazon Echo smart speaker recorded a conversation and transmitted it to someone in their contact list. It sounds bizarre, doesn’t it?
Ten years ago, most of us had to only worry about protecting our computers. Five years ago, we had to worry about protecting our smartphones. Now we have to worry about protecting our cars, our home appliances, and our wearables. So we are going to see more attention to having security testing tools integrated into the software development life cycle. Security requirements are going to be treated just like functional and business requirements. What we will see is that application security testing tools will continue to improve so that their use won’t hinder the developers’ productivity and development velocity.
So, wrapping up, what do you know now that you wish you knew when you got into software development?
Nothing extraordinary! The one thing that I wish I knew early on is to always have an elevator pitch about myself and my skills ready—a 30-to-60-second pitch about who you are, what you do, and what you want to do. A pitch compelling enough to spark the listener’s interest in you and what value you add. In general, women underestimate their abilities and performance and are not as confident as men. Having an elevator speech is a great way to gain confidence in introducing yourself at job fairs, networking events, job interviews, or other types of gatherings when you’re asked about yourself.