Posts

Perplexity Bumblebee Shakes Loose Hidden Threats on Dev Desktops

The fight to maintain security has moved to the engineer’s messy desktop. Last week, AI search provider Perplexity open-sourced an internal tool, Bumblebee, for checking developer machines, either Linux or macOS, for vulnerable software. Continuous integration pipelines have baked security checks into them, with Software Bills of Materials (SBOMs) ensuring that the correct version of a package makes it to runtime. So malicious attackers are gravitating to the underbelly of enterprise security, the developer’s laptop. Most developer machines are no doubt teeming with unpatched and outdated software, byproducts of various experiments and projects. There’s probably an outdated version of Node.js on most machines, or perhaps a never-used Warp terminal. Or maybe they downloaded a malware-infested package at some point, and it is just sitting on the hard drive waiting to be activated. And certainly, many Perplexity engineers have plentiful recipes for agents lying around, which cou...
Recent posts

Ten Great DevOps Job Opportunities

DevOps.com is now providing a weekly DevOps jobs report through which opportunities for DevOps professionals will be highlighted as part of an effort to better serve our audience. Our goal in these challenging economic times is to make it just that much easier for DevOps professionals to advance their careers. Of course, the pool of available DevOps talent is still relatively constrained, so when one DevOps professional takes on a new role, it tends to create opportunities for others. The ten job postings shared this week are selected based on the company looking to hire, the vertical industry segment and naturally, the pay scale being offered. We’re also committed to providing additional insights into the state of the DevOps job market. In the meantime, for your consideration. Dice Okta, Inc. San Francisco, CA Staff Site Reliability Engineer, TCore (FedRamp) $194,000 to $267,000 Lockheed Martin Corporation Annapolis, MD Senior DevOps Engineer – Clearance Require...

Co-Developing an AI Native Observability Platform  

As AI capabilities continue to evolve, AI is becoming central to managing the growing complexity of distributed, hybrid enterprise environments, enabling more effective analysis, correlation, and automation across interconnected systems. Traditional infrastructure and specifically network monitoring approaches, often built around siloed tools and static thresholds, struggle to keep pace with the scale, velocity, and interdependencies of modern systems. Further blurring the boundaries between network, application, and infrastructure domains makes it harder to isolate root causes and maintain operational resilience. In this context, AIOps platforms have emerged as one response to the growing need for integrated observability, automation, and data-driven decision-making. At AI Field Day, Selector AI presented an AIOps platform, which can be considered a foundation for co-creating more adaptive and data-driven network operations. Rather than positioning it purely as a product choice,...

Attackers Can Exploit a Claude Code RCE Flaw to Take Command of System

A dangerous vulnerability found in Anthropic’s popular Claude Code developer model could have allowed bad actors to grab control of a victim’s system by luring them into clicking on a crafted malicious deeplink. Once in, the attacker could exploit the remote code execution (RCE) security flaw to execute arbitrary commands – such as shell commands – into the target’s Claude Code model. The vulnerability in version 2.1.118 of the model has since been fixed, but it’s another example of the security issues in these developer-focused tools that arise as adoption accelerates. A survey of more than 1,000 developers around the world by CodeSignal, which offers an AI-native skills platform to assess and develop technical talent, found that 81% of respondents said they’re using AI for development, with companies increasingly mandating the use of coding assistants. The RCE vulnerability in Claude Code was uncovered by security researcher Joernchen of 0day.click as he manually worked through...

AI Agents in CI/CD Pipelines: Speed vs Control in Modern DevOps

The moment you push your code, deployment fires off on its own. The pipeline kicks in, the tests sail through, and within a few minutes your app is live in production. There is no manual sign-off and no one scanning through the final changes. Everything is running on the decisions of an AI agent plugged straight into the pipeline. At first it feels great. Stuff moves faster. That long stretch from development to live is just a sprint now. Teams get hooked because it slashes delays and smooths over all the bottlenecks everyone used to grumble about. And for a while it just works. Then things start to drift. Maybe there is a small config tweak made by the agent that changes how a service handles heavy loads. The tests pass, but in production it acts odd. Nothing explodes. No alarms go off. But users start to feel tiny delays here and there. The system is up yet something is definitely off. By the time somebody really figures out what happened, that change is baked into every environm...

Designing an AI-Powered DevSecOps Guardrail Pipeline Using GitHub Actions 

Modern engineering teams ship software faster than ever, but this velocity often comes at the cost of security. Vulnerabilities frequently slip into production because security checks occur too late in the development life cycle, typically after code has already been merged or deployed. DevSecOps aims to solve this by embedding security directly into development workflows. In this article, I will elaborate on how I designed an AI-powered DevSecOps guardrail pipeline using GitHub Actions. The pipeline automatically analyzes code for security violations before The full implementation is available on GitHub. The Problem: Security Checks Happen Too Late. In many organizations, security reviews occur after code reaches staging or production. This reactive model creates several challenges: vulnerabilities reach production environments; security teams become bottlenecks; developers receive feedback too late; incident response becomes reactive instead of preventati...

Modernizing DevOps Security With Intelligent KYC Enforcement Layers 

DevOps teams don’t have a firewall problem; they have an identity problem. When you consider the recent security incidents in cloud-native environments, the vast majority do not begin with a network breach. They begin with weakened credentials, overprivileged service accounts or tokens that are long past their expiry dates. With infrastructure being made ephemeral and pipelines being completely automated, identity becomes the actual control plane. This is where smart KYC enforcement layers fit in — not a compliance box, but an engineering control that is directly part of DevOps processes. This is not about banking-style KYC. It is about applying constant identity validation principles to the humans and machines working within your delivery ecosystem. The Hidden Risk Inside Modern DevOps Pipelines. Most teams have already introduced: CI/CD automation; infrastructure as code; container orchestration; secrets management tools ...