News and Tech Update

A small internal tool was built over a weekend. An engineer used an AI coding assistant to generate most of the backend. A simple interface was added, a few API calls were wired together and within hours the app was live. The app worked. The app felt fast. The app looked like progress. No one thought much about how the tool was deployed. There was no pipeline, no review process and no structured testing. The code was generated, copied, slightly adjusted and pushed into an environment that was already running. For a while everything seemed fine. Then something subtle happened. An API key was exposed in a configuration file. A dependency pulled in by the generated code had a known vulnerability. A route that should have been protected was left open. None of these issues were visible from the outside. The system still worked. Users kept using the tool. This is the part that makes AI-generated apps risky. They do not fail loudly. They fail quietly and often too late. The Illusi...

Security has long been the last item on the checklist. Code gets written, reviewed, merged—and then, somewhere down the line, a security team takes a look. That model worked when development moved at a human pace. It doesn’t work as well when AI writes and refactors code faster than any team can keep up with. Vercel is taking a direct shot at that problem with the open-source release of deepsec, an agent-powered security harness that runs on your own infrastructure and surfaces hard-to-find vulnerabilities in large codebases. How It Works Deepsec uses Claude and Codex to conduct a tailored investigation of a codebase, starting with static analysis to identify security-sensitive files. From there, coding agents investigate each candidate, tracing data flows, checking for mitigations, and producing actionable findings with severity ratings. The process runs in five stages: scan, investigate, revalidate, enrich, and export. The scan stage runs roughly 110 regex matchers across t...

A survey of 954 IT decision-makers suggests more resources are now being allocated to reducing friction across the software development lifecycle (SDLC). Conducted by CDW, the survey finds more than two-thirds of respondents (68%) report their organization has adopted an internal developer platform (IDP). The primary goal is to improve operational efficiency (57%), provide better user experiences (48%), and improve observability and security (47%), the survey finds. However, a significant percentage of respondents also noted that their development teams are still encountering friction, with systems integration (25%) and security and compliance restrictions (23%) identified as the two primary sources. Additionally, the survey identifies testing and quality assurance (22%) and integration, deployment and implementation (18%) as the two biggest bottlenecks in their organization’s software engineering workflows. IT leaders, as a result, are investing more in automation in areas s...

In today’s fast-paced software development landscape, Continuous Integration and Continuous Deployment (CI/CD) pipelines are essential for delivering applications efficiently. However, the speed and automation they offer can inadvertently introduce security vulnerabilities if not properly managed. Integrating security into CI/CD pipelines, often referred to as DevSecOps, is no longer optional; it’s a necessity.​ The Importance of Security in CI/CD Traditional security practices often occur late in the development cycle, leading to delays and increased costs when vulnerabilities are discovered. By embedding security checks into the CI/CD pipeline, teams can identify and address issues early, reducing risk and maintaining development velocity.​ Key Strategies for Integrating Security Automated Security Testing Incorporate tools that automatically scan code for vulnerabilities during the build process. Static Application Security Testing (SAST) and Dynamic Application ...

The default reaction to vibe coding has been alarm — a default assumption that letting AI write large chunks of an application is going to flood production with vulnerabilities and undocumented behavior. That fear is doing as much damage as the bad code people are afraid of. Teams that freeze, ban the tools or push the work into the shadows end up with less visibility into how AI is actually showing up in their codebase, not more. Tyler Merritt, CTO at UneeQ, joins Mike Vizard to push back on the panic and reframe the problem. Merritt’s argument is that AI-assisted development is a construction site, not a finished building — and construction sites are inherently messy. The job for engineering leaders isn’t to keep the site spotless, it’s to make sure the right safety systems, inspections and review steps are wrapped around the work that’s happening anyway. They get into the practical mechanics of doing that. Instead of trusting any single model, Merritt makes the case for using mu...

A global survey of 636 software development professionals published today finds nearly two-thirds (64%) believe they are achieving at least a 25% increase in developer velocity and productivity using artificial intelligence (AI). Conducted by Jellyfish, a provider of a software engineering intelligence platform, just under a quarter (24%) report there has been a 50% to 100% increase in developer velocity and productivity, while another 6% have seen an increase of 100% or more. The top use cases for AI are code writing (53%), code review (49%) and code explanation (43%), with Claude Code (39%), Gemini Code Assist (35%) and GitHub Copilot (31%) being the top three tools adopted. However, only slightly more than half (53%) said AI is improving the quality of the code being developed. Other challenges include increasing cost of AI tools (42%), reluctance in adoption from senior engineers (36%) and a proliferation of tools making it difficult to select the best one (31%). Despite these ...