Many outages never announce themselves as outages. They show up as rising latency or an error rate that creeps from 2% to 4% over an afternoon while everyone’s busy with something else. The site is up. Nothing has paged. Something is still wrong, and by the time it’s obvious, it’s been wrong for an hour. Catching the server that falls over is the easy case. The hard one is deciding which of these slow, quiet changes should pull someone out of bed. Most teams get that wrong, and they get it wrong by monitoring too specifically. Start From a Baseline A CPU spike on one box out of a hundred running the same workload isn’t worth a phone call. The same spike on your only server might be. It depends entirely on the case, and that’s the part people skip. The number on its own barely tells you anything. Take a 2% error rate. If it’s been flat at 2% all year, that’s your baseline. It’s what normal looks like for you, and it doesn’t need ...
A newly discovered supply chain security flaw is once again putting a spotlight on inherent weaknesses in CI/CD pipelines and the growing interest among cyberthreat actors to exploit them. Security researchers with Novee, an AI penetration testing platform provider, wrote about Cordyceps, an exploitable pattern in the open source supply chain that can allow attackers to hijack workflows and gain full control of code repositories, including those at dozens of the world’s largest companies, including Microsoft, Google, Python, Apache, and Cloudflare. In addition, the vulnerability can be exploited by any unauthenticated user, according to Elad Meged, founding engineer and security researcher at Novee. “No org membership or special privileges; a free account is enough to forge approvals, push code, or steal credentials,” Meged wrote in a report . The Novee team scanned 30,000 “high-impact” repositories, 654 were flagged in a single scan and more than 300 were confirmed to be ful...