Skip to main content

Posts

IBM and Red Hat Launch Lightwell Catalog to Automate Remediation

IBM and Red Hat this week revealed that Lightwell Network , a catalog of more than 6,500 application-layer dependencies that drives an automated vulnerability remediation service, is now generally available. At the same time, the Lightwell Clearinghouse Premier service, through which application development teams can both access validated patches and coordinate remediation efforts, is now available to a limited number of organizations. Ben Breard, a senior principal product manager at Red Hat, said collectively these two offerings will make it simpler for organizations to address 30 years of technical debt that is now being exposed by artificial intelligence (AI) models that make it possible to discover vulnerabilities and create exploits in a matter of hours. At the core of the Lightwell service is a remediation engine that software engineers are using to help identify, validate, and remediate vulnerabilities across critical dependencies embedded deep within modern software archit...
Recent posts

Why Your Best People Can’t Save a Broken Delivery System

When delivery falls apart, the reflex is to blame the team. Missed dates, quality slips, a burned-out squad — leadership tends to reach for a personnel fix and quietly move on. The uncomfortable pattern in most enterprise organizations is that the system itself is the failure mode. Decision latency, priority misalignment, and layers of governance that were designed for a slower era grind against the very people leaders keep asking to grind harder. Talented engineers cannot outrun a delivery pipeline that is structurally set up to stall. Marnus Marx, founder and Delivery Confidence Coach at Elanvia Consulting, joined Alan Shimel to unpack what that structural failure actually looks like from the inside. Marx came up through Unix and Linux systems before moving into DevOps and delivery coaching, which shapes how he diagnoses these breakdowns — as engineering problems in the socio-technical system, not character flaws in the humans stuck inside it. His frame of “delivery confidenc...

Why AI-Driven Devops is Exposing the Limits of Traditional Toolchains and What Comes Next for Engineering Teams in 2026

Modern software delivery has crossed a threshold where speed is no longer the differentiator, but a stress test for the entire engineering system. AI-assisted development has created a new baseline expectation where features, fixes and even architectural changes can be generated in minutes rather than days. This acceleration feels like progress, yet it exposes a structural weakness that has been building for years inside DevOps practices. Traditional DevOps was designed around human-paced iteration cycles. Code was written, reviewed, tested and deployed in relatively predictable sequences. AI changes this rhythm entirely by compressing multiple stages of development into a single generative step. A developer can now produce what looks like a complete service, including tests and infrastructure definitions, in one session. The pipeline is no longer dealing with incremental change, but with sudden bursts of high-volume transformation. This creates an operational paradox. Systems are f...

GitHub Copilot Bills Hit $800: Visual Studio’s June Update Adds Real-Time Usage Alerts and MCP Trust Checks

Microsoft’s June Stable Channel update for Visual Studio landed on two things developers have been asking for all year: A clearer view of what their Copilot habit actually costs, and a way to know whether an MCP server has quietly changed under the hood. Both features answer real pain points that surfaced in the past few months, not hypothetical ones. The Billing Shock That Started It All On June 1, GitHub moved every Copilot plan from premium request units to usage-based billing, calculated by token consumption rather than request count. Base plan prices didn’t change, but the way usage is metered did, and the shift meant users would be charged based on how many tokens they burn as they work, rather than a low flat rate per request. The reaction was loud. Some developers reported their monthly bills climbing from around $29 to nearly $750, and other reports of heavy agentic users have their costs surging from $39 to over $800 a month. Whether that’s a fair reflecti...

‘GitLost’ Flaw Lets Attackers Trick GitHub AI Agent Into Leaking Private Repos

A security flaw in GitHub’s months-old GitHub Agentic Workflows allows attackers to use an indirect prompt injection to trick the AI agent into grabbing information from a private repository and quietly posting it in a public repository belonging to the same organization. The vulnerability, dubbed “GitLost” by Noma Security researchers, is only the latest example for developers and security teams of the risks that come with AI agents and how vulnerable they are to deceptive tactics by threat actors that often – as in this case – don’t need coding skills, access, or stolen credentials to run such campaigns. This is different from a classic prompt injection, according to Sasi Levi, security research lead with Noma. Those earlier prompt injection examples were primarily about manipulating what an agent said, similar to jailbreaking a chatbot’s output. In contrast, GitLost is about manipulating what an agent does with its permissions. “The agent here isn’t just a chat window; it...

How AI is revamping DevSecOps processes

Artificial Intelligence is pushing DevSecOps into a new phase where security is no longer just about detecting vulnerabilities, but increasingly about resolving them automatically within the flow of software delivery. As many organizations are discovering, DevSecOps historically gave teams visibility into risk. AI is now turning that visibility into automated remediation. This evolution has taken place across four phases. From Discovery to Action One of the most significant shifts is that security tooling no longer stops at identifying problems. AI systems can detect an issue, recommend a fix, open a ticket, update code, or prepare a pull request for human approval. Traditional DevSecOps created strong visibility into vulnerabilities, but often lacked mechanisms to ensure remediation happened quickly and consistently. AI is helping close that gap between insight and action. In many environments, when a vulnerable library or dependency is detected, AI systems can automatically test s...

How Independent Service Deployments Expose the Limits of Conventional Regression Testing Tools

The architectural shift to independently deployable services was supposed to make software delivery faster and less risky. In many aspects, it has. Teams can ship a change to one service without coordinating a release across the entire system. A bug fix in the payment service does not require a synchronized deployment with the notification service, the user service, and the order management service. Ownership is cleaner. Blast radius is smaller. Deployment frequency goes up. What this architectural shift did not change is what happens between services. Services still call each other. They still depend on each other’s response shapes, error codes, and behavioral contracts. They still make assumptions, encoded in test suites and integration layers, about how their dependencies will behave. What changed is the rate at which those assumptions can become outdated – and the rate at which the regression testing tools designed for a different architectural model can fail to catch w...