< ciso brief />
All news with #devsecops tag

78 articles

Google Cloud launches AppLifecycle Manager Feature Flags

🔔 AppLifecycle Manager Feature Flags (ALM FF) enters public preview as a rule-based service to decouple feature releases from code deployments. By using toggles and the Common Expression Language (CEL), teams can perform gradual rollouts, instant kill-switches, and percentage-based traffic ramps. String-type flags enable dynamic configuration for applications, including LLM prompts, while OpenFeature compatibility avoids vendor lock-in.
Pattern-Based Policy as Code for Governing IaC on AWS

🔒 This AWS Security blog post outlines a pattern-based approach to policy as code, using Open Policy Agent (OPA) in CI/CD pipelines to validate Terraform plan JSON before deployment. It organizes checks around recurring control intents—required metadata, allowed configuration, exposure restriction, protection enforcement, and privilege constraint—to simplify review and maintenance. The article includes examples for S3 secure transport, VPC security group exposure, and IAM trust policy constraints, and describes artifact retention and phased rollout best practices.
Ship Code Fast with Gemini CLI CI/CD Extension

🚀 The Gemini CLI CI/CD extension lets developers deploy functional apps directly from a terminal, closing the gap between local prototyping and production pipelines. It performs a pre-deployment secret scan, analyzes project files, and can containerize using buildpacks before deploying to Cloud Run or Cloud Storage. For production workflows it can design CI/CD pipelines, provision resources, and generate Cloud Build YAML and triggers.
Quasar Linux RAT Targets Developers' Credentials, Pipelines

🔒 Trend Micro researchers disclosed a previously undocumented Linux implant dubbed Quasar Linux RAT (QLNX) that targets developers and DevOps credentials to establish a stealthy foothold. The fileless loader masquerades as kernel threads, erases logs, and persists via seven or more mechanisms such as systemd, crontab and .bashrc injection. Its credential harvester extracts secrets from high-value files including .npmrc, .pypirc, .git-credentials, .aws/credentials, .kube/config, .docker/config.json and .env, enabling registry poisoning, cloud access or CI/CD pivoting. QLNX also installs PAM inline-hook backdoors, a userland LD_PRELOAD rootkit and an eBPF kernel component to hide artifacts while supporting 58 remote commands and data exfiltration.
Quasar Linux: Stealthy implant targets developer systems

🐧 Trend Micro researchers revealed a previously undocumented Linux implant named Quasar Linux (QLNX) that targets software developers by compromising development and DevOps environments such as npm, PyPI, GitHub, AWS, Docker, and Kubernetes. QLNX dynamically compiles rootkit and PAM backdoor modules on the host, runs fileless in memory, and employs multiple persistence methods while wiping logs and spoofing process names to remain stealthy. The toolkit includes a 58-command RAT, credential harvesting (SSH keys, cloud configs, and /etc/shadow), kernel eBPF hiding, surveillance, lateral movement, and in-memory injection; Trend Micro provided IoCs but attribution and prevalence remain unclear.
SAM CLI Adds BuildKit Support for Lambda Container Builds

🛠️ The SAM CLI now supports BuildKit for building container images from Dockerfiles, enabling faster, more efficient Lambda container builds. You can use multi-stage builds to produce smaller final images, improved caching to reduce rebuild times, and parallelized build steps for faster overall builds. BuildKit also enables cross-architecture targets (x86_64 and arm64) and secure build-time use of Docker secrets. To use it, update to SAM CLI v1.159.0+ and run sam build with the --use-buildkit flag; the feature works with both Docker and Finch.
Managed Apache Airflow: Scaling Data and AI Workloads

🚀 Google announced that Cloud Composer is now Managed Service for Apache Airflow and that Apache Airflow 3.1 is Generally Available to support AI and MLOps workloads. The release introduces a decoupled architecture, native DAG versioning, managed backfills, event-driven scheduling, and Human-in-the-Loop alerts. Managed Airflow embeds a Data Engineering Agent for agentic troubleshooting, adds a declarative YAML-based Deployment Automation Framework with cross-product bundles, and launches an MCP Server in public preview to reduce developer context-switching.
Transforming Software Development with AI Tools at Scale

🤖 Artificial intelligence is rapidly reshaping software development across planning, design, coding, testing, deployment, and maintenance. Download the May 2026 Enterprise Spotlight to learn how organizations can harness AI-enabled development to boost productivity and software quality.
AI Reshapes DevSecOps to Embed Security in Code Practices

🔒 AI is transforming DevSecOps by moving security earlier into the development lifecycle and shifting teams from reactive validation to continuous, intelligent enforcement. Organizations are embedding security controls into AI coding assistants, using LLMs for contextual vulnerability scanning, and surfacing automated remediation directly in IDEs and pull requests. Experts caution this brings new risks—model access, prompt injection, data leakage and provenance—that demand enterprise governance, cross-functional alignment, and updated skill sets.
Orchestrating AI-Powered Code Review at Cloudflare

🤖 We built a CI-native orchestration system around OpenCode that launches up to seven specialised AI reviewers per merge request, each focused on domains like security, performance, code quality, documentation, release management, and internal compliance. A coordinator agent deduplicates and rates structured XML findings, applies a conservative approval-biased rubric, and posts a single unified review. Deployed across thousands of merge requests, it approves clean code, blocks critical issues, and reduces median review latency to 3m39s while keeping human oversight.
Flagship: Cloudflare's Native Feature Flag Service

🧭 Cloudflare introduces Flagship, a native feature-flag service built on the CNCF standard OpenFeature that evaluates flags at the edge using Workers, Durable Objects, and KV. The Worker binding performs in-isolate evaluations with typed accessors and full evaluation details, avoiding external HTTP calls and reducing latency. Flagship centralizes flag storage, change auditing, percentage rollouts, and nested targeting rules, and is now available in private beta to help teams safely ship autonomous or AI-assisted code.
Defending Enterprises as AI Finds Vulnerabilities Faster

🔒 Advances in AI are accelerating vulnerability discovery and compressing the window between disclosure and exploitation. Francis deSouza explains why organizations must rapidly harden code, lock down CI/CD and build systems, and automate remediation to avoid being overwhelmed by machine-speed attacks. The article advocates integrating defensive AI—agentic SecOps, continuous asset discovery, and Google Cloud Model Armor—while securing AI agents using frameworks like SAIF to prevent prompt injection and data leakage.
Using AI Agents to Detect Documentation Breakage in OSS

🤖 Drasi's team turned documentation testing into a monitoring problem by running AI-driven synthetic users that follow tutorials verbatim inside Dev Containers using the GitHub Copilot CLI. The agent is naïve, literal, and unforgiving: it executes commands exactly, verifies outputs, and captures screenshots, terminal logs, and a final markdown report. Weekly automated runs detect silent drift and environment regressions; failures automatically file issues with reproducible artifacts.
Protecting the Software Supply Chain: 2026 Guidance

🔒 Recent weeks have seen multiple high-profile supply chain compromises, including malicious modifications to Axios and repository hijacks by TeamPCP that impacted tools such as Trivy. These incidents highlight how widely used libraries can rapidly propagate risk and complicate inventory and remediation efforts. The report emphasizes securing identity and CI/CD pipelines, maintaining accurate software inventories, prioritizing rapid patching, and reinforcing fundamentals like segmentation, robust logging, and multi-factor authentication to limit impact and lateral movement.
Managing Open-Source Vulnerabilities Across the Pipeline

🔒 Modern vulnerability management must go beyond scanning version numbers to encompass download policies, AI guardrails, and build-pipeline controls. Organizations should adopt a trusted internal artifact registry, rigorous component screening, and dependency pinning to reduce supply-chain and malicious-package risks. Complement these controls with enriched vulnerability intelligence, SCA, and developer training. Systematic handling of EOL or abandoned components — via migration, LTS, or compensatory controls — completes the approach.
Six Critical Mistakes That Undermine Cyber Resilience

⚠️ Silos between endpoint, SOC, and backup teams increase incident impact and slow recovery. The article identifies six common failures—unclear roles, fragmented asset and risk views, mismatched policies, disconnected tools, absent cross-team drills, and siloed metrics—and offers concrete fixes. Build a unified RACI, consolidate inventories and logs, align retention and playbooks, integrate EDR/SOC/backup workflows, run joint simulations, and measure resilience with shared KPIs. N-able is presented as a vendor that unifies management, security operations, and data protection to enable automation, faster detection, and safer recovery.
AWS Transform Custom: Comprehensive Codebase Analysis GA

🔍 AWS announces general availability of AWS Transform custom's comprehensive codebase analysis transformation, delivering up-front deep static analysis that documents architecture, technical debt, code metrics, and migration plans to preserve institutional knowledge and reduce documentation overhead. The transformation supports any language — including Python, Java (Maven and Gradle), Node.js, and .NET — and scales to codebases exceeding one million lines. Behavior analysis is available in early access. To run it locally, install the AWS Transform CLI and execute: atx custom def exec -n AWS/comprehensive-codebase-analysis -p. The service is available in US East (N. Virginia) and Europe (Frankfurt).
AWS Transform Custom Introduces Seven Managed Transformations

🛠️ AWS announced seven new AWS-managed transformations for Transform custom, designed to accelerate code modernization across multiple languages and frameworks. General availability includes a comprehensive codebase analysis that produces hierarchical, cross-referenced documentation and a Node.js version upgrade with full dependency modernization. Early access transformations target Java performance tuning, Log4j to SLF4J migration, Angular to React conversion, and Angular and Vue version upgrades. All AWS-managed transformations are validated, customizable, and benefit from continual learning; the service is available in US East (N. Virginia) and Europe (Frankfurt).
NCSC Urges Safeguards for AI 'Vibe Coding' Adoption

🔐 The UK NCSC's chief executive Richard Horne told the RSA Conference (March 24) to 'seize the disruptive vibe coding opportunity' while urgently developing safeguards. He warned AI-assisted development can either reduce systemic vulnerability or propagate new flaws depending on model design and controls. NCSC CTO David C published Secure Vibe Coding Commandments advocating secure-by-default models, provable provenance, AI-powered audits, deterministic guardrails and sandboxed hosting.
StoatWaffle malware auto-executes via VS Code tasks

🔐 NTT Security warns of a newly disclosed malware strain called StoatWaffle that automatically executes when developers open and trust weaponized Visual Studio Code folders. The threat leverages a crafted .vscode/tasks.json with a runOn: folderOpen setting to trigger a Node.js-based loader, credential stealer and RAT without explicit user action. Operators attributed to WaterPlum are evolving the long-running Contagious Interview campaign to target developer workflows and toolchains.