News and Tech Update

Key Takeaways: Vishing is the new frontline threat: Attackers are shifting from emails to phone-based scams, using AI and social engineering to bypass traditional security controls. DevSecOps must expand its scope: Securing code is no longer enough; communication channels like voice, chat, and messaging must be integrated into threat models and security pipelines. Human and technical defenses must work together: Strong architecture (encryption, authentication, Zero Trust) combined with employee awareness and verification practices is key to stopping modern social engineering attacks. As cybercriminals shift from email to phone lines, security professionals need to expand their scope. As a result, voice phishing or “vishing”, which involves social engineering through telephones or VOIP, is becoming increasingly common alongside traditional email phishing. Recent statistics indicate an exponential rise in vishing cases, which cost people over $1.2 billion in 2023. In this day and ...

CI/CD pipelines speed up software delivery, but performance testing is often delayed, resulting in late feedback and costly fixes. Many teams run tests earlier but fail to enforce performance as a deployment gate. This article provides a practical framework for integrating LoadRunner Enterprise into CI/CD pipelines, enabling continuous, automated and enforceable performance validations with early regression detection. The Problem: Shift Left in Theory Vs. Reality Despite the theory, many teams: Run tests only in QA or staging Perform manual reviews without automated enforcement Fail to block deployments when performance thresholds are breached The Real Challenge: It’s not the tools — it’s integration and enforcement. Shift left is effective only when performance is a primary release criterion, not just an earlier activity. Why Early Performance Validation Matters Delayed testing leads to late bottleneck discovery, slow feedback and production incidents. Integrating performan...

Akrites, a new Linux Foundation initiative backed by many of the world’s largest tech and financial firms, is the industry’s latest attempt to get ahead of AI‑accelerated software supply chain risks by hardening critical open source projects before attackers can exploit them. On June 25, the Linux Foundation unveiled Akrites , a coordinated industry program designed to find, fix, and responsibly disclose vulnerabilities in open-source software exploited by AI-based attackers. It’s not the first such effort. But Akrites may be the most comprehensive. One such initiative is Chainguard’s Athena coalition , which seeks to repair open-source flaws before attackers can exploit them. Another is IBM and Red Hat’s Project Lightwell , which has similar goals. These two, however, seek to provide safe code and a platform for managing compliance, SBOMs, and governance across heterogeneous open‑source supply chains. Akrites’ mission, on the other hand, is to give the indus...

With AI, teams across organizations are now building internal applications faster than ever, often pulling in open source libraries and frameworks without much thought about long-term support, lifecycle management, or security ownership. An unintended consequence of this is that unsupported open source software (OSS) is quietly spreading across environments faster than security and engineering teams can keep track of it. Most organizations already struggled with open source visibility before AI-assisted development became mainstream. Now, many are also accumulating technical debt at a much faster rate, creating future maintenance, security, and migration obligations every time new dependencies are introduced. The question is no longer simply how fast organizations can build software with AI. It’s whether they can securely govern and sustainably support the software ecosystems they are creating. Unsupported OSS is Becoming a Major Blind Spot Many organizations already have unsu...

Qodo this week extended its platform for managing code quality and governance to enable an artificial intelligence (AI) agent to review code spanning multiple repositories. Additionally, version 2.8 of the Qodo platform adds a custom rules miner that discovers coding patterns from existing codebase behavior and pull request (PR) history that are then used to create structured, enforceable rules. Finally, Qodo has added an ability to discover AI skills that contain code review instructions, coding standards, and engineering best practices across multiple repositories. The platform surfaces those skills in a portal that enables DevOps teams to centrally manage and assess their impact on software engineering workflows. Qodo CEO Itamar Friedman said these capabilities extend an agentic AI platform for governing code that is based on graph technology that tracks the relationships that exist between code. Whenever a pull request (PR) modifies a shared dependency, the agent reads the rep...

HeroDevs this week revealed it has joined the Commonhaus Foundation as the founding member of the Open Source Sustainability Initiative (OSSI) after establishing partnerships with the open source Hibernate, Jackson, and Quarkus communities to provide commercial support for older versions of these frameworks. OSSI is a framework administered by the Commonhaus Foundation through which governance of open source software projects is provided. HeroDevs COO Rob Nalen said the provider of end-of-life support services for open source software sees a clear need to work more closely with maintainers of open source projects that don’t have the resources required to support enterprise IT organizations that for one reason or another are not able to upgrade to the latest version of an open source software framework in a timely manner. The alliance between HeroDevs and the Commonhaus Foundation, in effect, buys enterprise IT teams, especially if they operate in highly regulated industries, the ti...