Posts

The Open Source Trap: Why Trust Isn’t a Security Strategy

The XZ Utils backdoor was a wake-up call, but the underlying problem it exposed has not gone away. Sophisticated adversaries are playing the long game, spending months or years earning trust within open source projects before introducing malicious code into libraries that sit at the foundation of modern software infrastructure. Mike Vizard and Josh Bressers, VP of security at Anchore, dig into why the software supply chain remains dangerously vulnerable and what the industry is getting wrong in its response. Bressers points out that the vast majority of open source projects are maintained by a single person or a very small group of volunteers. These maintainers are often overworked and under-resourced, managing critical dependencies that thousands of organizations rely on in production. When an attacker targets one of these projects, the maintainer is the entire security perimeter. No amount of scanning or compliance tooling downstream can fully compensate for a compromise that h...
Recent posts

Lightrun: IT is in the Dark Over Coding Assistant Runtime Visibility

Software runs, but sometimes it doesn’t… and that’s often down to a lack of runtime visibility in relation to platform engineering teams being able to trust coding assistants and AI-powered site reliability engineering (SRE) services. It’s an assertion made by software reliability company Lightrun, in its State of AI-Powered Engineering Report 2026, based on an independent poll of 200 SREs and DevOps leaders at enterprises in the U.S., UK and EU. “To keep pace with AI-driven velocity, we can no longer rely on reactive observability. We must shift runtime visibility left, giving AI tools and agents the live execution data they need to validate code before it ever fails in production,” said Lightrun CEO, Ilan Peleg.

Runtime Visibility Fragility

Peleg and team say that until AI-powered engineering tools have live visibility of how code behaves at runtime, they cannot be trusted to autonomously ensure reliable systems. But why is runtime visibility so flaky? One of the m...

Why Techstrong is Heading to Prague for SUSECON: Sovereignty, Open Infrastructure and the Future of AI

Every tech conference likes to say it is about the future. Most of them are really about product launches, roadmaps and a little carefully managed optimism. SUSECON feels different this year. Part of that is timing. Part of it is geography. And part of it is that SUSE happens to sit right in the middle of several conversations that are becoming more urgent by the day. The event runs April 20 through 23 in Prague, with more than 100 breakout sessions covering Linux, cloud native infrastructure, edge computing, AI, observability and digital sovereignty, along with keynotes, hands-on labs, certification exams and community gatherings. That is the official agenda. The real story sits just beneath it. The deeper conversation is about control. For a long time, sovereignty sounded like the kind of topic that lived mostly in policy papers or conference panels in Brussels. It did not always feel con...

Waydev Adds Ability to Track How Much AI Code Winds Up in Production

Waydev today revealed it has revamped its engineering intelligence platform to provide insights into how the adoption of artificial intelligence (AI) coding tools is impacting DevOps workflows. Company CEO Alex Circei said the overall goal is to make it easier for the leaders of software engineering teams to determine the return on investment (ROI) their AI coding tools are actually providing. While there is little doubt that AI tools are capable of generating code faster than humans, the percentage of that code making it into production environments is often unknown. DevOps engineers need to understand where AI code is being accepted, rejected or rewritten, and whether AI-assisted pull requests pass CI at the same rate as those authored by a human. The Waydev platform, now at every checkpoint in a DevOps workflow, captures which AI agent wrote the code across all commits, repositories, teams, and tools, along with insights into usage costs. A Waydev AI agent then provides a natur...

GitHub Introduces Stacked PRs to Ease Review Bottlenecks

GitHub’s new Stacked Pull Requests feature restructures how developers submit and review changes by allowing large code updates to be broken into smaller, interdependent units. With Stacked PRs, each unit can be reviewed and merged individually while still contributing to the overall feature set. The approach helps developers shift away from monolithic pull requests, which have become increasingly difficult to manage as development continues to move faster. The release of Stacked PRs is a response to the rise of AI-assisted coding tools, which have greatly increased the volume and scale of code submissions, placing new pressure on review workflows. While large pull requests spanning dozens of files used to be merely inconvenient, they are sometimes now a systemic issue. There is a widening gap between code generation and code review, with reviewers dealing with reduced visibility and slower turnaround times. With the layered workflow of Stacked PRs, developers can sequence related...

FinOps Isn’t Slowing You Down — It’s Fixing Your Pipeline

If you work in DevOps, you’ve probably had this experience:

You ship something. It works. Performance looks good. Deployment is clean.

A few weeks later, someone from finance shows up asking why costs spiked 30%.

Now you’re digging through logs, trying to reconstruct decisions you made weeks ago, in a completely different context.

That’s not a FinOps problem. That’s a workflow problem.

The Real Issue: Cost Lives Outside the Pipeline

Most DevOps teams have spent years tightening feedback loops:

Code quality → caught in PRs
Security → caught in CI
Performance → caught in testing

Cost is the outlier. It typically shows up:

After deployment
In a separate dashboard
Owned by a different team

Which means it’s not actionable when it matters. You can’t fix what you can’t see *in context*.

Why DevOps Teams End Up Owning Cloud Cost Anyway ...

SmartBear Extends Scope of API Lifecycle Management Ambitions

SmartBear today added capabilities to its platform for designing and managing application programming interfaces (APIs) that make it easier to both keep track of them and detect drift. A revamped Swagger Catalog, in addition to providing a unified view of APIs, also makes it possible to govern them. At the same time, SmartBear is adding Swagger Contract Testing with drift detection that verifies the API is behaving as specified in a contract. Additionally, SmartBear later this quarter plans to revamp its API editor along with artificial intelligence (AI) tools for generating APIs, a context-aware ability to create documentation, Spectral-based governance enforcement, a Model Context Protocol (MCP) Server and expanded multi-protocol support, including OpenAPI 3.1, AsyncAPI 3.0, and GraphQL. Laura Kennedy, director of product management for SmartBear, said both additions extend the API lifecycle management capabilities of the company’s platform. For example, Swagger Catalog combi...