Ship It Weekly - DevOps, SRE, Platform and Cloud Engineering News

This is a guest conversation episode of Ship It Weekly, separate from the weekly news recaps.In this Ship It: Conversations episode, I talk with Joel DeStefano from Guardsquare about mobile app security, why it is different from backend and cloud security, and why scanning alone is not enough once an app is shipped into the real world.We talk about the shift in trust model that happens with mobile apps. In backend and cloud systems, teams usually have more control over the runtime, infrastructure, policies, and monitoring. With mobile, the app becomes a public artifact running on someone else’s device, in an environment you do not fully control.The bigger theme here is that mobile security is not just “scan it before release.” Scanning matters, but teams also need to think about app hardening, obfuscation, runtime protection, monitoring, and whether the app connecting back to their APIs is genuine and uncompromised.Highlights• Why mobile changes the trust model compared to backend and cloud systems• What DevOps, SRE, and platform teams should understand about mobile app risk• Why scanning is useful, but not enough by itself• The danger of assuming app store approval means an app is secure• Why “we do not store sensitive data in the app” can be a misleading security argument• How attackers can reverse engineer apps, inspect workflows, and learn how the app talks to backend APIs• What code hardening and obfuscation actually help protect against• Why runtime checks matter for rooted devices, compromised environments, debuggers, hooking frameworks, overlays, and accessibility abuse• The difference between Android and iOS security assumptions• Why the OS is not responsible for protecting your app’s business logic• How mobile security should fit into CI/CD without destroying release velocity• What should block a release versus what should become tracked risk• Why testing, hardening, runtime protection, and monitoring should work together as one strategy• How AI may speed up attackers without fundamentally changing the need for strong security fundamentals• Joel’s advice for improving mobile security posture: start with the app’s critical workflows, backend interactions, and real business riskJoel / Guardsquare links• Guardsquare: https://hubs.ly/Q04fJgkJ0• Guardsquare Blog: https://www.guardsquare.com/blogOWASP mobile security links• OWASP Mobile Application Security: https://owasp.org/www-project-mobile-app-security/• OWASP MASVS: https://mas.owasp.org/MASVS/Our linksMore episodes + show notes + links: https://shipitweekly.fmOn Call Brief: https://oncallbrief.com

This is a guest conversation episode of Ship It Weekly, separate from the weekly news recaps.In this Ship It: Conversations episode, I talk with Francois Richard, Engineering Director at Meta, about reliability at scale, how AI is changing production risk, what teams actually learn from incidents, and why recovery practice matters just as much as prevention.We talk about the proactive and reactive sides of reliability, why SLOs should represent a promise to users instead of just another dashboard number, how incident reviews should drive real system improvements, and how teams can practice recovery before production forces the lesson on them.The bigger theme here is that reliability is not just about avoiding failure. It is about knowing what happens when prevention fails. That means practicing regional failure, understanding overload behavior, improving incident response, using AI carefully during investigation, and making reliability targets match the actual lifecycle and importance of the system.Highlights• Why reliability work starts with both prevention and recovery• The difference between reactive incident response and proactive reliability engineering• How Meta thinks about disaster recovery testing and regional failure practice• Why an SLO should be treated like a promise to users, not just a dashboard metric• How SLO trends help teams decide when to invest more in reliability or take more product risk• What engineers actually learn during the “pressure cooker” of an incident• Why incident reviews should produce follow-up work, not just a nicer explanation of what broke• The difference between finding the cause of an incident and improving the system• Where AI agents can help with incident investigation, telemetry, metrics, and query building• Why AI-generated code can increase change volume while reducing human context• How faster code generation changes the kinds of reliability problems teams should expect• Why recovery practice matters, especially for region loss, traffic spikes, overload, and restart behavior• What smaller DevOps and SRE teams can learn from Meta-scale reliability patterns• Why not every system needs six nines, especially early in a product lifecycle• How to think about reliability investment based on user promise, product maturity, and operational risk• Why At Scale Systems & Reliability is focused on the infrastructure behind AI and the use of AI to operate large-scale systemsFrancois’ links• LinkedIn: https://www.linkedin.com/in/francoisrichard/At Scale links• Systems & Reliability 2026: https://bit.ly/4xd2FdG• At Scale Conferences: https://atscaleconference.com/Our linksMore episodes + show notes + links: https://shipitweekly.fmOn Call Brief: https://oncallbrief.com

This is a guest conversation episode of Ship It Weekly, separate from the weekly news recaps.In this Ship It: Conversations episode, I talk with Ang Chen from the University of Michigan about Project Vera, a cloud emulator built to help teams test infrastructure changes more safely before they touch real cloud.We talk about why testing against real cloud APIs is slow, expensive, and risky, how Vera works under tools like Terraform and CloudFormation, what “high fidelity” actually means, and where a tool like this could fit in local dev and CI/CD.The bigger theme is one I think matters a lot: if AI is going to play a real role in cloud operations, it probably needs a sandbox first, not direct access to production.NoteThis interview was recorded on February 13, 2026. Since then, Vera’s public project materials have expanded the framing a bit further around multi-cloud support and safe environments for agent learning, so keep that in mind while listening.Highlights• Why real cloud testing still creates cost, delay, and risk • How Vera emulates cloud behavior at the API layer • Where this could help with Terraform, CloudFormation, and CI/CD workflows • Why “useful enough to catch real mistakes” may matter more than perfect emulation • The limits, tradeoffs, and fidelity questions that still need to be solved • Why safe training grounds may matter before AI agents touch real infrastructureAng’s links• LinkedIn: https://www.linkedin.com/in/ang-chen-8b877a17/ • University of Michigan profile: https://eecs.engin.umich.edu/people/chen-ang/ • Publications: https://web.eecs.umich.edu/~chenang/pubs.htmlProject Vera• Project site: https://project-vera.github.io/ • GitHub: https://github.com/project-vera/vera • The quest for AI Agents as DevOps: https://project-vera.github.io/blogs/cloudagent/cloudagent/ • No More Manual Mocks: https://project-vera.github.io/blogs/cloudemu/cloudemu/Stuff mentioned• A Case for Learned Cloud Emulators: https://dl.acm.org/doi/10.1145/3718958.3754799 • Cloud Infrastructure Management in the Age of AI Agents: https://dl.acm.org/doi/abs/10.1145/3759441.3759443 • LocalStack: https://www.localstack.cloud/Our linksMore episodes + show notes + links: https://shipitweekly.fmOn Call Brief: https://oncallbrief.com

This week on Ship It Weekly, Brian covers five “AI meets reality” stories that every DevOps, SRE, security, and platform team can learn from.Block’s AI layoff story is getting messier as follow-up reporting pushes back on the original framing, Meta bought Moltbook and brought more attention to the trust and security problems already showing up around AI-agent platforms, and Atlassian cut about 10% of its workforce while saying AI is changing the skills and roles it needs. Plus: GitHub gives one of the more honest outage breakdowns we’ve seen lately, Anthropic and Mozilla show a more grounded AI use case with Claude finding real Firefox bugs, and there’s a quick lightning round on Bedrock AgentCore policy, Dependabot for pre-commit hooks, and Cloudflare’s latest threat report.LinksBlock layoffs follow-uphttps://www.theguardian.com/technology/2026/mar/08/block-ai-layoffs-jack-dorseyMeta acquires Moltbookhttps://www.theguardian.com/technology/2026/mar/10/meta-acquires-moltbook-ai-agent-social-networkWiz on Moltbook exposurehttps://www.wiz.io/blog/exposed-moltbook-database-reveals-millions-of-api-keysAtlassian team updatehttps://www.atlassian.com/blog/announcements/atlassian-team-update-march-2026GitHub availability issues write-uphttps://github.blog/news-insights/company-news/addressing-githubs-recent-availability-issues-2/Anthropic + Mozilla Firefox securityhttps://www.anthropic.com/news/mozilla-firefox-securityAnthropic labor market reporthttps://www.anthropic.com/research/labor-market-impactsAWS Bedrock AgentCore Policy GAhttps://aws.amazon.com/about-aws/whats-new/2026/03/policy-amazon-bedrock-agentcore-generally-available/GitHub Dependabot support for pre-commit hookshttps://github.blog/changelog/2026-03-10-dependabot-now-supports-pre-commit-hooks/Cloudflare 2026 Threat Reporthttps://blog.cloudflare.com/2026-threat-report/More episodes and show notes athttps://shipitweekly.fmOn Call Briefs at:https://oncallbrief.com

This week on Ship It Weekly, Brian looks at how the boundary of ops keeps expanding.We cover AWS flagging issues in Bahrain/UAE amid Iran strikes, ArgoCD vs Flux and why ArgoCD can get stuck in failed sync states, GitHub Actions being exploited at scale (plus Trivy’s incident), RoguePilot prompt injection meeting real credentials in Codespaces, Block’s “AI remake” layoffs, and Anthropic’s Claude Code Security for defenders.Lightning round: DeepSeek model access geopolitics, Vercel’s agentic security boundaries, a KEV CVE to patch, an MCP-atlassian SSRF-to-RCE chain, and Claude Cowork scheduled tasks.LinksAWS Bahrain/UAE (Reuters) https://www.reuters.com/world/middle-east/amazon-cloud-unit-flags-issues-bahrain-uae-data-centers-amid-iran-strikes-2026-03-02/ArgoCD to Flux https://hai.wxs.ro/migrations/argocd-to-flux/GitHub Actions exploitation https://www.stepsecurity.io/blog/hackerbot-claw-github-actions-exploitationTrivy incident https://github.com/aquasecurity/trivy/discussions/10265RoguePilot https://thehackernews.com/2026/02/roguepilot-flaw-in-github-codespaces.htmlBlock layoffs (WSJ) https://www.wsj.com/business/jack-dorseys-block-to-lay-off-4-000-employees-in-ai-remake-28f0d869Claude Code Security https://www.anthropic.com/news/claude-code-securityDeepSeek (Reuters) https://www.reuters.com/world/china/deepseek-withholds-latest-ai-model-us-chipmakers-including-nvidia-sources-say-2026-02-25/Agentic boundaries https://vercel.com/blog/security-boundaries-in-agentic-architecturesCISA KEV https://www.cisa.gov/news-events/alerts/2026/03/03/cisa-adds-two-known-exploited-vulnerabilities-catalogmcp-atlassian CVE https://arcticwolf.com/resources/blog-uk/cve-2026-27825-critical-unauthenticated-rce-and-ssrf-in-mcp-atlassian/Claude Cowork tasks https://support.claude.com/en/articles/13854387-schedule-recurring-tasks-in-coworkMore: https://shipitweekly.fm