DevSecOps

Every technical support team I have worked with shares the same friction point: an analyst keeps four tabs open simultaneously (the EDR console, a ticketing system, an asset CMDB, and a query window) and spends a sizeable chunk of their shift copy-pasting IDs between them. The intelligence exists. The problem is getting it out fast enough. The Model Context Protocol (MCP) is the most credible attempt I have seen yet to reduce that cost. It is a small, open specification for letting LLM-driven assistants invoke external tools in a typed, structured way: a server exposes a catalogue of tools with JSON Schema input contracts, and any MCP-aware client (Claude Desktop, Claude Code, Zed, or your own automation) can call them without writing any glue code. One server definition, every compatible client for free. ...

A few months back I saw a post circulating on LinkedIn about a developer who had been targeted by a fake recruiter. The person had been invited to a “technical assessment,” cloned a repository, and ran the code provided as part of the interview. What followed was a silent drain of every credential stored on their machine. I remember reading it and feeling a specific kind of disgust, not just at the technical sophistication of the attack, but at the deliberate choice to weaponize something as emotionally charged as a job search. ...

It Happened Again On April 22, 2026, the official Bitwarden CLI npm package (@bitwarden/cli) was compromised. For roughly 90 minutes, between 5:57 PM and 7:30 PM ET, anyone who ran npm install @bitwarden/cli received a malicious package. Around 334 developers did exactly that. The attackers did not break into Bitwarden’s npm account directly. Instead, they hijacked a GitHub Actions workflow in Bitwarden’s CI/CD pipeline and weaponised npm’s Trusted Publishing mechanism to push a poisoned release. Trusted Publishing is OIDC-based and requires no stored credentials: it was introduced as a hardening measure after credential-based attacks. It became the entry point. ...

Every few kernel cycles, a release quietly shifts what is possible for the platforms running on top of it. Linux 7.0 is one of those releases. There is no single flashy new security module, no headline-grabbing feature, but there are several changes that collectively improve weak seams that cloud-native security teams have been working around for years. Before this release reached mainstream distributions, I spent a good hour working through the upstream changelog with GitHub Copilot, running multiple state-of-the-art models, cross-referencing commit messages, kernel documentation, and coverage from the broader community, and iterating until the picture was clear. ...

Introduction I have been experimenting with Spec-Driven Development for a while now. If you are not familiar with the approach, I have a few articles tagged spec-kit that cover the theory and a real hands-on walkthrough where I built a Go TUI for Apple Container management. The short version: instead of vibe-coding with an LLM and hoping for the best, you invest upfront in a structured specification, then let the AI work against that spec. The results are measurably different. ...

A few days ago, Docker published an article on LinkedIn about a new tool called Docker Sandboxes (sbx). The pitch is simple: run AI coding agents in fully autonomous mode, without worrying about them touching your host machine. I read it and decided to install it on my MacBook Pro M4 (32 GB RAM) and test it for real. Not to read the documentation and summarize it, but to actually break things, observe what happens, and verify the security claims hands-on. ...

The Unexpected Swag from KubeCon EU 2026 KubeCon EU 2026 Amsterdam was a great edition. I walked away with good conversations, new connections, and the usual conference bag full of stickers. But one thing stood out among the swag: six months of GitHub Copilot Pro+, courtesy of GitHub. I’m not going to pretend I wasn’t excited. Copilot Pro+ isn’t cheap, and having it handed to you as conference loot—just because you showed up in the right place, accepting the right invitation—felt like a proper thank-you to the community. GitHub clearly knows its audience. ...

The countdown is on. As of March 2026, we are less than five months away from the full applicability of the EU AI Act (August 2, 2026). For those of us running AI workloads on Kubernetes, whether it’s self-hosted inference engines like vLLM or RAG-based agentic systems, compliance is no longer a legal “later” problem. It’s an engineering “now” problem. Before we dive into the technical implementation, let’s look at the critical roadmap and the cost of getting it wrong: ...

Intro We have all been there: a Slack notification triggers an alert for a “Critical” CVE, and the scramble to patch begins. But as our clusters grow, so does the noise. The most jarring security stories are often the ones happening silently inside our own production environments. Datadog recently released its State of DevSecOps 2026 report, and the numbers provide a sobering reality check for anyone managing cloud-native infrastructure. The report reveals that 87% of organizations are currently running at least one known exploitable vulnerability in their deployed services. Even more concerning is that many of these services rely on libraries that have been abandoned by their maintainers. This is not just a theoretical problem; it is based on telemetry from thousands of real-world cloud environments, making the findings impossible to dismiss. ...

As a DevSecOps Team Leader, my job is to secure customers using modern technologies. Sounds straightforward, right? The reality is far more complex. Every day, I face the challenge of enabling innovation while maintaining security. The rapid adoption of AI has introduced a new dimension to this challenge: agentic AI assistants that do not just chat, they act. This challenge connects directly to something I wrote about recently. In my article on spec-driven development with GitHub Spec-Kit, I discussed how structure and governance matter when using AI for coding. The same principle applies here: when AI agents can execute code, access secrets, and operate with user privileges, we need structure and governance more than ever. ...