<ciso brief />

All news with #devsecops tag

78 articles · page 4 of 4

Master Multitasking with the Jules Extension for Gemini CLI

🤖 The new Jules extension for Gemini CLI lets developers delegate routine engineering tasks—like bug fixes, dependency updates, and vulnerability patches—to an autonomous background agent. Jules runs asynchronously and can work on multiple GitHub issues in parallel, preparing fixes in isolated environments for review. It also composes with other extensions to automate security remediation, crash investigation, and unit test creation, returning ready-to-review branches so you can stay focused on higher-value work.

AWS Serverless MCP Server Adds ESM Tools for Lambda

🔧 The AWS Serverless Model Context Protocol (MCP) Server now includes specialized tools to configure and manage AWS Lambda event source mappings (ESM), combining AI assistance with ESM expertise. The new toolset—comprising the ESM guidance tool, the ESM optimization tool, and an ESM Kafka troubleshooting tool—translates high-level throughput, latency, and reliability requirements into concrete ESM configurations and generates optimized AWS SAM templates. It also validates VPC network topology for VPC-based event sources and diagnoses common ESM issues to streamline setup, tuning, and troubleshooting workflows.

Developers Leading AI Transformation Across Enterprise

💡 Developers are accelerating AI adoption across industries by using copilots and agentic workflows to compress the software lifecycle from idea to operation. Microsoft positions tools like GitHub, Visual Studio, and Azure AI Foundry to connect models and agents to enterprise systems, enabling continuous modernization, migration, and telemetry-driven product loops. The shift moves developers from manual toil to intent-driven design, with agents handling upgrades, tests, and routine maintenance while humans retain judgment and product vision.

Automating Pentest Delivery: Seven High-Impact Workflows

🔁 Penetration testing delivery must evolve from static, manual reports to automated, real-time workflows that shorten remediation cycles and improve visibility. This contributed piece highlights seven practical automation workflows — from auto-creating remediation tickets in Jira or ServiceNow to auto-closing informational findings — that reduce triage noise and accelerate fixes. Implementing targeted rules and alerts ensures findings reach the right teams immediately and supports continuous testing practices.

2025 DORA Report: AI-assisted Software Development

🤖 The 2025 DORA Report synthesizes survey responses from nearly 5,000 technology professionals and over 100 hours of qualitative data to examine how AI is reshaping software development. It finds AI amplifies existing team strengths and weaknesses: strong teams accelerate productivity and product performance, while weaker teams see magnified problems and increased instability. The report highlights near-universal AI adoption (90%), widespread productivity gains (>80%), a continuing trust gap in AI-generated code (~30% distrust), and recommends investment in platform engineering, user-centric workflows, and the DORA AI Capabilities Model to unlock AI’s value.

Cloudflare Sponsors Astro and TanStack for Open Web

🔧 Cloudflare announced financial sponsorships for two key open-source frontend projects, Astro and TanStack. The company is partnering with Webflow to support Astro and with Netlify to support TanStack, creating a coalition of contributors to bolster project sustainability. Cloudflare runs its developer documentation on Astro, citing its “zero JS by default” model and framework-agnostic approach as essential for fast, SEO-friendly docs. The announcement also highlights TanStack’s libraries and the release candidate for TanStack Start as strategic investments for building ambitious, type-safe web applications.

DORA AI Capabilities Model: Seven Levers of Success

🔍 The DORA research team introduces the inaugural DORA AI Capabilities Model, identifying seven technical and cultural capabilities that amplify the benefits of AI-assisted software development. Based on interviews, literature review, and a near-5,000‑respondent survey, the model highlights priorities such as clear AI policies, healthy and AI-accessible internal data, strong version control, small-batch work, user-centricity, and quality internal platforms. The guidance focuses on practices that move organizations beyond tool adoption to measurable performance improvements.

Marine Corps Cuts ATO Delays with DevOps and Agile

🚀 Operation StormBreaker transformed how Marine Corps Community Services (MCCS) develops and authorizes IT. By creating a Marine Corps–authorized landing zone in AWS and pairing it with the Department of the Navy’s RAISE platform, MCCS implemented CI/CD pipelines and automated security checks to push security left. The result: ATOs that once took 18 months can now be granted in a day, saving roughly $1M per system and improving digital services for Marines and families.

AWS Adds LocalStack Integration to VS Code Toolkit Extension

🧰 AWS has added a LocalStack integration for Visual Studio Code that enables developers to test and debug serverless applications locally from the IDE. The integration connects VS Code to a LocalStack-emulated environment without manual port configuration or code changes, exposing emulated services such as AWS Lambda, Amazon SQS, Amazon API Gateway, and DynamoDB. Available through the AWS Toolkit for VS Code (v3.74.0+), a guided walkthrough installs the LocalStack CLI, creates a LocalStack profile, and lets developers switch profiles and deploy to the LocalStack environment at no additional AWS cost.

Time-Saving Guide for Automating MSP and MSSP Workflows

🔧 This guide explains how managed service providers (MSPs) and managed security service providers (MSSPs) can use automation and AI to cut manual effort, improve consistency, and scale services. It highlights five high-impact use cases—risk assessments, policy generation, compliance tracking, remediation planning, and progress reporting—and shows how platforms like Cynomi's vCISO Platform can reduce workloads by up to 70%. Practical steps for piloting, training, and measuring ROI complete the roadmap.

Automation Is Transforming Pentest Delivery Workflows

🔁 Automation is reshaping how penetration test findings are delivered and acted upon. Traditional static reports—PDFs, emailed documents, and spreadsheets—create delays and manual handoffs that undermine remediation speed. Platforms like PlexTrac centralize scanner and manual findings and enable real-time routing, ticketing, and retesting to reduce MTTR and standardize workflows across teams. By automating triage, assignment, and triggered validation into existing tools (Jira, ServiceNow, Slack), teams get faster handoffs, consistent remediation lifecycles, and measurable operational gains. Start small, iterate workflows, and measure MTTR improvements to avoid common pitfalls like overengineering or stale automation.

Agent Factory Recap: AI, Future Development, Vibe Coding

🛠️ In Episode #6 of the Agent Factory podcast, Keith Ballinger discusses how AI agents and the Gemini CLI are reshaping software development and elevating developers into orchestration and context engineering roles. He demonstrates 'vibe coding' with live demos that produced a command-line markdown viewer in under 15 minutes and highlights open-source projects Terminus and Aether as practical examples. The episode also addresses infrastructure for AI workloads, multi-cloud and edge orchestration, and the growing need for human review in regulated industries.

OpenAI Enhances ChatGPT Codex with IDE and CLI Sync

🚀 OpenAI has released a major update to Codex, its agentic coding assistant, adding a native VS Code extension and expanded terminal and IDE support. Plus and Pro subscribers can now use Codex with every build across web, terminal, and IDE without separate API keys, as the service links to your ChatGPT account to preserve session state. The release also adds a Seamless Local ↔ Cloud Handoff to delegate paired local tasks to the cloud asynchronously, alongside CLI command upgrades and bug fixes; competitors like Claude are pursuing similar web-to-terminal integrations.

Anthropic Tests Web Version of Claude Code for Developers

🛠️ Anthropic is rolling out a research preview of a web-based Claude Code, bringing its terminal-focused coding assistant into the browser at Claude.ai/code. The web preview requires installing the GitHub Claude app on a repository and committing a "Claude Dispatch" GitHub workflow file before use, with optional email and web notifications for updates. Claude Code—already available in terminals and integrated editors under paid plans—can inspect codebases to help fix bugs, test features, simplify Git tasks, and automate workflows. It remains unclear whether the terminal and web versions can access or share the same repository content or usage data.

Securing Cloud-Native Workloads From Code to Runtime

🔒 Lacework FortiCNAPP unifies CSPM, CWP, CIEM, and CDR to secure cloud-native workloads from development through runtime. It integrates with CI/CD pipelines to scan IaC, container images, and libraries, and leverages FortiDevSec for static and dynamic testing so vulnerabilities are caught before deployment. At runtime, behavior-based workload protection, cloud audit log analysis, and Fortinet Composite Alerts produce high-fidelity detections, while FortiWeb and automation via FortiSOAR enable edge blocking and orchestrated remediation.

AWS Transform for .NET Adds Azure DevOps Repos Support

🔗 AWS Transform for .NET now supports Azure DevOps repositories alongside GitHub, GitLab, and Bitbucket. You can connect Azure DevOps repos directly to AWS Transform to discover, assess, and transform hundreds of repositories in parallel and run unit tests as part of the modernization workflow. Dependencies hosted in Azure Artifacts (NuGet) are resolved automatically during transformation, simplifying migration of .NET Framework applications to Linux-ready, cross-platform .NET while preserving Azure DevOps workflows.

Automation Is Reshaping Penetration Test Delivery Workflows

🔁 Pentesting remains a critical control for uncovering real-world vulnerabilities, but static PDF reports and spreadsheet handoffs create delays and inefficiencies. The piece advocates automating pentest delivery so findings are consolidated and routed in real time through rules-based workflows, enabling teams to act immediately and reduce churn. Platforms like PlexTrac are highlighted for centralizing manual and scanner outputs, automating ticketing into tools such as Jira and ServiceNow, and triggering retests to close the loop. The result is faster remediation, standardized processes, and measurable reductions in MTTR for both service providers and enterprises.

Implementing Defense-in-Depth for AWS CodeBuild Pipelines

🔒 This guide consolidates practical recommendations for securing AWS CodeBuild CI/CD pipelines, emphasizing webhook configuration, trust boundaries, and least-privilege access. It warns against automatic pull request builds from untrusted contributors and prescribes push-based, branch-based, and contributor-filtered webhook patterns, plus staged rollout using Infrastructure as Code. Additional safeguards include scoped GitHub tokens, per-build IAM roles, isolated build environments, CloudTrail logging, and manual approval gates for sensitive deployments.