< ciso
brief />
Tag Banner

All news with #devsecops tag

98 articles

SageMaker Studio adds MWAA import support

πŸš€ Amazon SageMaker Unified Studio can now connect to existing Amazon Managed Workflows for Apache Airflow (MWAA) environments, enabling teams to manage Airflow workflows from within their Studio projects. To add a connection, open the Workflows tool, choose "Add connection," and supply the Airflow configuration referencing your domain and project. Once connected, project members can sync, trigger, and monitor workflows; environments running Apache Airflow 3+ also gain the visual drag-and-drop authoring experience.
read more β†’

AWS CodeBuild adds Amazon Linux 2023 host option

πŸ”§ AWS CodeBuild now supports Amazon Linux 2023 for on-demand build hosts via a new host kernel selection setting. This managed CI service lets you choose between Amazon Linux 2 (kernel 4) and Amazon Linux 2023 (kernel 6) for new or non-production projects to validate builds while keeping production unchanged. Host kernel selection is broadly available across Regions except GovCloud (US) and China, which only offer Amazon Linux 2023.
read more β†’

AWS AppConfig Adds Built‑In Experimentation Tools

🧭 AWS announces general availability of experimentation tools in AWS AppConfig, enabling built-in A/B testing and multivariate experiments without separate infrastructure. The tools leverage 25+ years of Amazon experimentation practices and provide AI-driven guidance, exposure control, and locked treatment allocations to support robust, data-driven releases. Experiments can be configured via console, CLI, API, or AWS CDK and analyzed with CloudWatch or existing analytics tools before promoting winners through standard safe rollouts.
read more β†’

AWS Security Agent expands to new regions

πŸ›‘οΈ AWS Security Agent (now part of AWS Continuum) is available in Asia Pacific (Mumbai), Asia Pacific (Singapore), and South America (SΓ£o Paulo). Customers in these regions can access STRIDE-based threat modeling (preview), full-repo and PR-level code reviews (preview) across major source platforms, managed compliance packs, and custom security requirements. New IDE plugins and MCP integration enable triggering threat modeling, code reviews, and remediation from Kiro or Claude Code, while on-demand penetration testing and retesting provide validated findings and fixes; simulated validation remains only in US East (N. Virginia).
read more β†’

CloudFormation and CDK Express Mode for Faster Deployments

πŸš€ AWS announces CloudFormation and CDK express mode, cutting deployment time by up to 4x for developers and AI agents by marking stacks complete once resource configuration is applied, rather than waiting for extended stabilization. Express mode lets propagation and long-running stabilization continue asynchronously, preserves dependency ordering and failure handling within stacks, and disables rollback by default to speed iterative fix-and-retry workflows. It requires no template changes and can be enabled via CLI, SDKs, console, or cdk deploy --express. The feature is available in all Regions where CloudFormation is supported.
read more β†’

CloudFormation adds pre-deployment validation by default

πŸ” AWS CloudFormation now performs pre-deployment validation on Create Stack and Update Stack operations, surfacing common deployment errors in seconds before any resources are provisioned. The release extends validation previously limited to change set creation and introduces three new checks as warnings for service quota limits, AWS Config Recorder conflicts, and ECR repository deletion readiness. Validation results are viewable via the DescribeEvents API, the CloudFormation console Deployment validations tab, and in CDK outputs for automation and AI agents. Pre-deployment validation is enabled by default across supported regions (excluding China) and can be skipped per-operation with the DisableValidation parameter or CLI flag.
read more β†’

Google Cloud adopts agentic AI for secure SDLC

πŸ”’ Google Cloud describes how it embeds modular AI agents across the software development lifecycle to create autonomous security guardrails. The approach includes centralized code analysis via the Mantis framework, multi-agent fuzz testing with self-reflection, and an autonomous patching pipeline that validates fixes before human review. Continuous reflection and a programmable posture management system help convert lessons into reusable skills that improve remediation speed and reduce false positives.
read more β†’

AWS Continuum aims to streamline code security

πŸ”’ AWS has introduced Continuum, a service to continuously discover, investigate, and remediate vulnerabilities across first-party and third-party codebases. The platform uses AI to validate exploitability, generate remediation recommendations, and propose fixes that integrate with existing development workflows. New capabilities include automatic threat modeling in STRIDE format, while more established features derive from the Security Agent product. Continuum supports graduated trust from human-in-the-loop review to an "enforce mode" for autonomous remediation.
read more β†’

AWS DevOps Agent Adds Release Management Preview

πŸ› οΈ AWS DevOps Agent now includes a release management capability in preview that reviews code changes for release readiness and runs autonomous release testing to improve production deployments. The feature evaluates drift from internal standards, dependency impacts, and access controls, and maps cross-repository dependencies to surface breaking changes. It also generates and executes test plans for web and API applications in customer environments to catch regressions and integration issues. The preview is available in US East (N. Virginia) at no additional cost.
read more β†’

AWS DevOps Agent adds custom SRE agents

πŸ› οΈ AWS announces that DevOps Agent now supports custom SRE agents, bring-your-own sub-agents, and headless access via MCP and A2A protocols. These features let teams automate recurring SRE workflows, extend the agent by connecting external sub-agents, and invoke DevOps Agent from familiar tools such as Kiro and Claude. Additional updates include chat enhancements, incident-skip rules, enhanced knowledge with memories and Git-managed skills, human labeling, dashboards for task quality, and availability in five new Regions.
read more β†’

UK government patches 400+ vulnerabilities via AI

πŸ”Ž The UK government's GC3 ran weekly in-person hackathons using frontier AI models to scan public code repositories across nine departments, identifying 407 findings including authentication bypasses, data exposure and remote code execution. Teams built diverse pipelines combining models and traditional tools like Gitleaks, Trivy and Semgrep, and all exploitable critical and high-risk issues were remediated. The initiative highlighted the benefits of tightly scoped model components, the need for human triage, and cost-effective scanning, though export restrictions on some models may affect future work.
read more β†’

Migrating a CLI from Node to Go in a day

πŸ› οΈ This post walks through converting a Node.js TypeScript CLI into a compact Go single-binary tool using Antigravity to automate translation, test generation, and platform mappings. The author set goals for zero dependencies, fast startup, and a zero-trust security posture, then used an agent-driven workflow to audit alternatives, scaffold code, and apply Test-Driven Development. The migration emphasized safety, explicit error handling, thorough testing, and modular subagents to parallelize large feature sets.
read more β†’

Managed Service for Prometheus Adds Native Histograms

πŸ” Amazon Managed Service for Prometheus now supports ingestion, storage, and querying of Prometheus native histograms, enabling higher-resolution metric distributions with lower cardinality compared to classic histograms. DevOps and SRE teams can obtain more accurate percentile calculations without predefining bucket boundaries. Native histograms use exponential bucketing and store full distributions in a single time series, reducing series count and lowering costs by metering only populated buckets.
read more β†’

GitHub tightens npm defaults to reduce supply-chain risk

πŸ”’ GitHub will change npm behavior in the upcoming v12 release to block several automatic actions during npm install that have enabled supply-chain attacks. Preinstall, install, and postinstall scripts from dependencies, native builds via node-gyp, and prepare scripts from Git, local file, and linked dependencies will require explicit approval before running. Git and remote URL dependencies will also be disabled by default unless permitted, and developers are advised to test with npm 11.16.0 to surface breaking warnings before upgrading.
read more β†’

Most Firms Admit Deploying Vulnerable Production Code

πŸ” A new Checkmarx report found that 95% of CISOs have been pressured to deprioritize or delay reporting security issues, and 75% acknowledged their organizations knowingly deployed vulnerable code to production. Respondents cited compensating controls, deadlines, late detection, and difficulty of fixes as reasons. The survey of 2,350 security professionals also flagged limited remediation rates and rising risks from AI-generated code.
read more β†’

Widespread AI Coding Use Outpaces Governance

πŸ› οΈ Nearly all software teams now use AI coding assistants, yet fewer than a third have formal governance in place. A UserEvidence survey for Black Duck of 831 developers and DevOps pros in March 2026 found 97% adoption but only 30% with full oversight. Popular tools include GitHub Copilot (83%) and Claude Code (63%). Teams report faster releases and an average of eight hours saved per developer weekly, but many face downstream friction in reviews, testing and rework.
read more β†’

EMR Serverless adds Spark Connect interactive sessions

πŸš€ Amazon EMR Serverless now supports interactive sessions with Spark Connect, enabling development and execution of Apache Spark applications from managed notebooks like SageMaker Unified Studio and common IDEs such as Jupyter and Visual Studio Code. You can monitor and debug active and completed sessions in the EMR console and obtain granular cost and usage visibility for individual sessions. The Spark Connect client-server model keeps your development environment decoupled from the Spark driver, enabling ad hoc exploration, iterative debugging, and incremental PySpark development. Spark Connect support is available in EMR release 7.13 in all regions where EMR Serverless is offered, with the SageMaker experience in supported regions.
read more β†’

VS Code introduces two‑hour extension update delay

πŸ”’ Microsoft will delay automatic extension updates in Visual Studio Code by two hours to reduce exposure to potentially compromised releases. The feature, available in VS Code 1.123, allows immediate manual updates via the "Update" button and shows reasons and scheduled times for pending updates. Trusted publishers such as Microsoft, GitHub, and OpenAI are exempt and continue to update immediately. The change follows similar cooldown controls added across package managers to curb software supply chain threats.
read more β†’

Embed security within agentic AI coding tools

πŸ”’ Ox Security urges that appsec be integrated directly into AI coding tools as agentic development accelerates code changes beyond traditional pipelines. Speaking at Infosecurity Europe, field CTO Boaz Barzel argued that security must become a continuous, contextual property of creation rather than a bolt-on stage. He outlined four agentic attack surfacesβ€”input, tools, execution and outputβ€”and advocated autonomous security agents that pentest and validate every commit to reduce MTTR and achieve full coverage.
read more β†’

Embed AI Governance into Release Infrastructure

🚦The author argues that traditional post-hoc compliance reviews fail for AI because AI systems change continuously. Drawing on research into Chinese and EU approaches, the piece recommends embedding governance into CI/CD pipelines so model cards, data lineage and risk evaluations are generated and enforced as deployment gates. It also urges treating agent identity as first-class security control and positioning compliance as operational release infrastructure rather than a review layer.
read more β†’