AI

The Problem We Have Today Open source security is no longer limited by finding vulnerabilities. It is limited by coordination. Modern software depends on thousands of open source components: libraries, container images, build tools, package managers, CI/CD actions, and infrastructure projects. When a serious vulnerability appears, many teams still struggle with basic questions. Question Why it is hard Where is the vulnerable component running? SBOMs and inventories are often incomplete. Who owns the remediation? Dependencies cross teams, vendors, and platforms. Can we patch fast enough? Testing, release windows, and legacy systems slow everything down. What if no clean patch exists yet? Teams need mitigations, not only advisories. AI makes this harder. Frontier models can inspect code, reason across dependencies, and find chained vulnerabilities faster than traditional disclosure processes were designed to handle. Discovery is accelerating. Exploitation windows are shrinking. ...

Every technical support team I have worked with shares the same friction point: an analyst keeps four tabs open simultaneously (the EDR console, a ticketing system, an asset CMDB, and a query window) and spends a sizeable chunk of their shift copy-pasting IDs between them. The intelligence exists. The problem is getting it out fast enough. The Model Context Protocol (MCP) is the most credible attempt I have seen yet to reduce that cost. It is a small, open specification for letting LLM-driven assistants invoke external tools in a typed, structured way: a server exposes a catalogue of tools with JSON Schema input contracts, and any MCP-aware client (Claude Desktop, Claude Code, Zed, or your own automation) can call them without writing any glue code. One server definition, every compatible client for free. ...

Introduction I have been experimenting with Spec-Driven Development for a while now. If you are not familiar with the approach, I have a few articles tagged spec-kit that cover the theory and a real hands-on walkthrough where I built a Go TUI for Apple Container management. The short version: instead of vibe-coding with an LLM and hoping for the best, you invest upfront in a structured specification, then let the AI work against that spec. The results are measurably different. ...

As usual after KubeCon, I went offline for a few days to recharge. After an intense week like that, it’s not optional; it’s survival. Four in a Row KubeCon EU 2026 Amsterdam delivered, as it always does. This was my fourth consecutive KubeCon (something that still feels surreal when I think about it). None of this would have been possible without the support of SIGHUP and ReeVo, who have consistently believed in the value of being present and active in this community. Genuine gratitude goes to both of them. ...

In the last few days, we’ve witnessed a significant milestone for the global software ecosystem. A powerhouse coalition of tech leaders (including Anthropic, AWS, GitHub, Google, Google DeepMind, Microsoft, and OpenAI) has committed $12.5 million in grant funding to advance open-source security. This isn’t just another corporate donation; it’s a strategic investment in the very foundation of modern technology. Why This Matters Now Open-source software (OSS) is the bedrock of everything from cloud infrastructure to the apps on your phone. However, as the ecosystem grows, so do the threats. We are currently seeing an “unprecedented influx” of security vulnerabilities, many discovered by automated AI systems. ...

Next week, I’ll be in Amsterdam for KubeCon EU 2026 (you can read my preview here), and my journey starts this Monday with the GitHub Social Club: Amsterdam. I was lucky enough to snag an invitation via LinkedIn and jumped at the chance to join. As someone who has used GitHub for years (both for personal projects and corporate needs) I’ve always appreciated the platform’s reliability. However, after a month of putting GitHub Copilot Pro through its paces, I’m genuinely surprised it isn’t even more ubiquitous. If you aren’t a “super heavy” coder but want access to the best tools, this is arguably the highest value-for-money platform in the AI space right now. ...

Quick Follow-Up After publishing the initial ACTUI article, I kept developing the tool. I started using it regularly and shared it with my team. Some feedback came in, and I naturally improved things during my free time. This is a quick update on what changed. What Changed Submenu Structure The original flat menu worked for a demo but felt cluttered with more features. I restructured the interface into three main sections: ...

Introduction to the AI Frontier The AI race has largely boiled down to a high-stakes contest between the US and China. On one side, established US companies like Anthropic, OpenAI, Google, and X have continuously pushed the boundaries of frontier AI models. Anthropic, the research lab behind Claude, is best known for its focus on AI safety and its unique ‘constitutional’ approach to alignment. Meanwhile, several Chinese tech firms have been fast-tracking models to compete with the best systems coming out of the US. This competition reached a turning point when Anthropic revealed it had been targeted by industrial-scale ‘distillation attacks’ from three major Chinese AI labs. ...

As a DevSecOps Team Leader, my job is to secure customers using modern technologies. Sounds straightforward, right? The reality is far more complex. Every day, I face the challenge of enabling innovation while maintaining security. The rapid adoption of AI has introduced a new dimension to this challenge: agentic AI assistants that do not just chat, they act. This challenge connects directly to something I wrote about recently. In my article on spec-driven development with GitHub Spec-Kit, I discussed how structure and governance matter when using AI for coding. The same principle applies here: when AI agents can execute code, access secrets, and operate with user privileges, we need structure and governance more than ever. ...

Introduction: Theory Meets Practice In my previous article about GitHub Spec-Kit, I explored the theoretical foundations of spec-driven development: why structured AI workflows matter for compliance, auditability, and team collaboration. I discussed the high-level concepts of audit trails, liability, and how spec-kit transforms “vibe coding” into a rigorous, documented process. Today, I’m sharing something different: a raw, unfiltered hands-on experience building a real tool from scratch using spec-kit. This is a chronological journey documenting what actually happened when I let spec-kit drive the development process from constitution to working code. ...