Ship It Weekly - DevOps, SRE, Platform and Cloud Engineering News

Teller's Tech - DevOps, SRE and Cloud Podcast

Ship It Weekly is a short, practical recap of what actually matters in DevOps, SRE, cloud infrastructure, and platform engineering.

Each episode, your host Brian Teller walks through the latest outages, releases, tools, and incident writeups, then translates them into “here’s what this means for your systems” instead of just reading headlines. Expect a couple of main stories with context, a quick hit of tools or releases worth bookmarking, and the occasional segment on on-call, burnout, or team culture.

This isn’t a certification prep show or a lab walkthrough. It’s aimed at people who are already working in the space and want to stay sharp without scrolling status pages, cloud updates, and blogs all week. You’ll hear about things like cloud provider incidents, Kubernetes and platform trends, Terraform and infrastructure changes, and real postmortems that are actually worth your time.

Most episodes are 15–30 minutes, so you can catch up on the way to work or between meetings. Every now and then there will be a “special” focused on a big outage or a specific theme, but the default format is simple: what happened, why it matters, and what you might want to do about it in your own environment.

If you’re the person people DM when something is broken in prod, or you’re building the cloud and platform everyone else ships on top of, Ship It Weekly is meant to be in your rotation.

Recent Episodes

Amazon Q CVEs, Hijacked npm and Go Packages, AWS WAF HTTP/2 Issues, Lambda MicroVMs, and Why Execution Is the Boundary Now
JUL 3, 2026
<p>This week on <strong>Ship It Weekly</strong>: Amazon Q Developer and the AWS language servers had a pair of trust-boundary CVEs, JFrog found hijacked npm and Go packages using hidden VS Code tasks to run malware when a workspace opens, AWS WAF had HTTP/2 request-body inspection issues, and AWS introduced Lambda MicroVMs for running user-generated and AI-generated code in isolated sandboxes.</p><p>The bigger theme: execution is the boundary now. The repo, the IDE, the AI assistant, the WAF, and the sandbox all sit at the point where something gets to run, inspect, block, or decide. Before execution, trust is a policy. After execution, trust is a blast radius.</p><p>In the lightning round, Brian covers GitHub’s record advisory volume, Git 2.55, Valkey 9.1 on Amazon ElastiCache, and a quick Fable 5 callback now that Anthropic’s Fable 5 is back online.</p><p><strong>Links</strong></p><p>AWS security bulletin: Amazon Q / AWS language server CVEs <a target="_blank" rel="noopener noreferrer nofollow" href="https://aws.amazon.com/security/security-bulletins/2026-047-aws/">https://aws.amazon.com/security/security-bulletins/2026-047-aws/</a></p><p>JFrog: Hijacked npm packages using VS Code tasks <a target="_blank" rel="noopener noreferrer nofollow" href="https://research.jfrog.com/post/hijacked-npm-vscode-tasks-blockchain/">https://research.jfrog.com/post/hijacked-npm-vscode-tasks-blockchain/</a></p><p>AWS security bulletin: AWS WAF HTTP/2 inspection issues <a target="_blank" rel="noopener noreferrer nofollow" href="https://aws.amazon.com/security/security-bulletins/2026-048-aws/">https://aws.amazon.com/security/security-bulletins/2026-048-aws/</a></p><p>AWS Lambda MicroVMs <a target="_blank" rel="noopener noreferrer nofollow" 
href="https://aws.amazon.com/blogs/aws/run-isolated-sandboxes-with-full-lifecycle-control-aws-lambda-introduces-microvms/">https://aws.amazon.com/blogs/aws/run-isolated-sandboxes-with-full-lifecycle-control-aws-lambda-introduces-microvms/</a></p><p>GitHub Advisory Database record volume <a target="_blank" rel="noopener noreferrer nofollow" href="https://github.blog/security/supply-chain-security/inside-the-advisory-database-and-what-happens-when-vulnerability-volume-breaks-records/">https://github.blog/security/supply-chain-security/inside-the-advisory-database-and-what-happens-when-vulnerability-volume-breaks-records/</a></p><p>Git 2.55 highlights <a target="_blank" rel="noopener noreferrer nofollow" href="https://github.blog/open-source/git/highlights-from-git-2-55/">https://github.blog/open-source/git/highlights-from-git-2-55/</a></p><p>Amazon ElastiCache Valkey 9.1 <a target="_blank" rel="noopener noreferrer nofollow" href="https://aws.amazon.com/blogs/database/announcing-valkey-9-1-for-amazon-elasticache/">https://aws.amazon.com/blogs/database/announcing-valkey-9-1-for-amazon-elasticache/</a></p><p>Claude Fable 5 and Mythos 5 model docs <a target="_blank" rel="noopener noreferrer nofollow" href="https://platform.claude.com/docs/en/about-claude/models/introducing-claude-fable-5-and-claude-mythos-5">https://platform.claude.com/docs/en/about-claude/models/introducing-claude-fable-5-and-claude-mythos-5</a></p><p>This week’s On Call Brief <a target="_blank" rel="noopener noreferrer nofollow" href="https://www.tellerstech.com/on-call-brief-news/2026-W27/">https://www.tellerstech.com/on-call-brief-news/2026-W27/</a></p><p>More episodes and full show notes <a target="_blank" rel="noopener noreferrer nofollow" href="https://shipitweekly.fm/">https://shipitweekly.fm/</a></p>
18 MIN
Ship It Conversations: Kat Traxler of Vectra AI on AI Security, the Zero-Day Clock, IAM, and Cloud Risk
JUN 28, 2026
<p>This is a guest conversation episode of <strong>Ship It Weekly</strong>, separate from the weekly news recaps.</p><p>In this Ship It: Conversations episode, I talk with Kat Traxler of Vectra AI about AI security, the zero-day clock, IAM, cloud risk, AI-assisted bug hunting, and why the scariest future security problems may still start with the boring fundamentals teams already struggle with today.</p><p>Kat is a Principal Security Researcher at Vectra AI focused on abuse techniques and vulnerabilities in the public cloud, especially around the intersection of cloud security, AppSec, IAM, managed identities, and insecure-by-design flaws.</p><p>We talk about the current AI security mood, from the excitement around faster research and bug hunting to the fear that AI could shrink the window between vulnerability disclosure and exploitation. Kat explains the “San Francisco Consensus,” why the zero-day clock is getting so much attention, and why she thinks the facts may be real while some of the conclusions are overextended.</p><p>The bigger theme here is that AI is absolutely changing security work, but it does not erase the fundamentals. Attackers still take the lowest-friction path that works. 
For most teams, that still means credentials, IAM, misconfigurations, known vulnerabilities, and systems that were never threat-modeled as deeply as people assume.</p><p><strong>Highlights</strong></p><p>• Why AI security feels exciting and unsettling at the same time</p><p>• What the “San Francisco Consensus” means and why people are talking about the zero-day clock</p><p>• How AI may shrink the time between vulnerability disclosure and exploitation</p><p>• Why Kat is skeptical of the full “zero-day apocalypse” narrative</p><p>• Why credentials, IAM, misconfigurations, and known vulnerabilities still matter most for many teams</p><p>• How AI helps narrow the search space in bug hunting and security research</p><p>• Where AI is useful for code-level bugs, and where it still struggles with context and threat modeling</p><p>• Why human expertise still matters when using AI for writing, research, and cloud security analysis</p><p>• Why IAM remains hard because it sits at the intersection of people, access, and technology</p><p>• What insecure-by-design flaws are, and why AI may not solve those anytime soon</p><p><strong>Kat / Vectra AI links</strong></p><p>• Kat Traxler at Vectra AI: <a target="_blank" rel="noopener noreferrer nofollow" href="https://www.vectra.ai/about/author/kat-traxler">https://www.vectra.ai/about/author/kat-traxler</a></p><p>• Kat’s site: <a target="_blank" rel="noopener noreferrer nofollow" href="https://kattraxler.cloud/">https://kattraxler.cloud/</a></p><p>• The San Francisco Consensus: <a target="_blank" rel="noopener noreferrer nofollow" href="https://kattraxler.cloud/the-san-francisco-consensus/">https://kattraxler.cloud/the-san-francisco-consensus/</a></p><p>• Kat on X: <a target="_blank" rel="noopener noreferrer nofollow" href="https://x.com/NightmareJS">https://x.com/NightmareJS</a></p><p>• Vectra AI: <a target="_blank" rel="noopener noreferrer nofollow" href="https://www.vectra.ai/">https://www.vectra.ai/</a></p><p><strong>Our 
links</strong></p><p>More episodes + show notes + links: <a target="_blank" rel="noopener noreferrer nofollow" href="https://shipitweekly.fm">https://shipitweekly.fm</a></p><p>On Call Brief: <a target="_blank" rel="noopener noreferrer nofollow" href="https://oncallbrief.com">https://oncallbrief.com</a></p>
42 MIN
containerd CRI Vulnerabilities, Datadog PostgreSQL HA on Kubernetes, AWS DevOps Agent with Datadog MCP Server, EKS Control Plane Egress, and Why Users Feel the Wait
JUN 26, 2026
<p>This week on <strong>Ship It Weekly</strong>: containerd disclosed a batch of CRI plugin vulnerabilities, Datadog tested PostgreSQL high availability on Kubernetes and found that failover is not useful if it cannot happen safely, AWS DevOps Agent and Datadog MCP Server moved AI incident response closer to real production workflows, and Amazon EKS added customer-routed control-plane egress.</p><p>The bigger theme: the control plane keeps getting wider. Runtimes, databases, incident agents, API-server egress, credentials, the cloud console, and object metadata are all becoming part of the production blast radius. And when something breaks, users do not experience your architecture diagram. They experience waiting.</p><p>In the lightning round, Brian covers GitHub self-service credential revocation for incident response, AWS Management Console Private Access without internet connectivity, Vercel Connect and short-lived agent credentials, and Amazon S3 annotations.</p><p><strong>Links</strong></p><p>containerd CRI plugin vulnerabilities / AWS security bulletin <a target="_blank" rel="noopener noreferrer nofollow" href="https://aws.amazon.com/security/security-bulletins/2026-046-aws/">https://aws.amazon.com/security/security-bulletins/2026-046-aws/</a></p><p>Datadog: PostgreSQL high availability on Kubernetes <a target="_blank" rel="noopener noreferrer nofollow" href="https://www.datadoghq.com/blog/engineering/postgresql-ha-kubernetes/">https://www.datadoghq.com/blog/engineering/postgresql-ha-kubernetes/</a></p><p>AWS DevOps Agent and Datadog MCP Server <a target="_blank" rel="noopener noreferrer nofollow" href="https://aws.amazon.com/blogs/devops/production-ready-autonomous-incident-resolution-with-aws-devops-agent-now-ga-and-datadog-mcp-server/">https://aws.amazon.com/blogs/devops/production-ready-autonomous-incident-resolution-with-aws-devops-agent-now-ga-and-datadog-mcp-server/</a></p><p>Amazon EKS customer-routed control-plane egress <a target="_blank" 
rel="noopener noreferrer nofollow" href="https://aws.amazon.com/blogs/containers/amazon-eks-now-supports-control-plane-egress-through-your-vpc/">https://aws.amazon.com/blogs/containers/amazon-eks-now-supports-control-plane-egress-through-your-vpc/</a></p><p>GitHub self-service credential revocation for incident response <a target="_blank" rel="noopener noreferrer nofollow" href="https://github.blog/changelog/2026-06-24-self-service-credential-revocation-for-incident-response/">https://github.blog/changelog/2026-06-24-self-service-credential-revocation-for-incident-response/</a></p><p>AWS Management Console Private Access <a target="_blank" rel="noopener noreferrer nofollow" href="https://aws.amazon.com/about-aws/whats-new/2026/06/aws-management-console-private/">https://aws.amazon.com/about-aws/whats-new/2026/06/aws-management-console-private/</a></p><p>Vercel Connect <a target="_blank" rel="noopener noreferrer nofollow" href="https://vercel.com/blog/introducing-vercel-connect">https://vercel.com/blog/introducing-vercel-connect</a></p><p>Amazon S3 annotations <a target="_blank" rel="noopener noreferrer nofollow" href="https://aws.amazon.com/blogs/aws/amazon-s3-annotations-attach-rich-queryable-context-directly-to-your-objects/">https://aws.amazon.com/blogs/aws/amazon-s3-annotations-attach-rich-queryable-context-directly-to-your-objects/</a></p><p>Marc Brooker: Waiting, latency, MTTR, and the inspection paradox <a target="_blank" rel="noopener noreferrer nofollow" href="https://brooker.co.za/blog/2026/06/19/waiting.html">https://brooker.co.za/blog/2026/06/19/waiting.html</a></p><p>This week’s On Call Brief <a target="_blank" rel="noopener noreferrer nofollow" href="https://www.tellerstech.com/on-call-brief-news/2026-W26/">https://www.tellerstech.com/on-call-brief-news/2026-W26/</a></p><p>More episodes and full show notes <a target="_blank" rel="noopener noreferrer nofollow" href="https://www.shipitweekly.fm">https://www.shipitweekly.fm</a></p>
19 MIN
Ship It Conversations: Guardsquare’s Joel DeStefano on Mobile App Security, Runtime Protection, App Hardening, and Why Scanning Isn’t Enough
JUN 21, 2026
<p>This is a guest conversation episode of <strong>Ship It Weekly</strong>, separate from the weekly news recaps.</p><p>In this Ship It: Conversations episode, I talk with Joel DeStefano from Guardsquare about mobile app security, why it is different from backend and cloud security, and why scanning alone is not enough once an app is shipped into the real world.</p><p>We talk about the shift in trust model that happens with mobile apps. In backend and cloud systems, teams usually have more control over the runtime, infrastructure, policies, and monitoring. With mobile, the app becomes a public artifact running on someone else’s device, in an environment you do not fully control.</p><p>The bigger theme here is that mobile security is not just “scan it before release.” Scanning matters, but teams also need to think about app hardening, obfuscation, runtime protection, monitoring, and whether the app connecting back to their APIs is genuine and uncompromised.</p><p><strong>Highlights</strong></p><p>• Why mobile changes the trust model compared to backend and cloud systems</p><p>• What DevOps, SRE, and platform teams should understand about mobile app risk</p><p>• Why scanning is useful, but not enough by itself</p><p>• The danger of assuming app store approval means an app is secure</p><p>• Why “we do not store sensitive data in the app” can be a misleading security argument</p><p>• How attackers can reverse engineer apps, inspect workflows, and learn how the app talks to backend APIs</p><p>• What code hardening and obfuscation actually help protect against</p><p>• Why runtime checks matter for rooted devices, compromised environments, debuggers, hooking frameworks, overlays, and accessibility abuse</p><p>• The difference between Android and iOS security assumptions</p><p>• Why the OS is not responsible for protecting your app’s business logic</p><p>• How mobile security should fit into CI/CD without destroying release velocity</p><p>• What should block a release 
versus what should become tracked risk</p><p>• Why testing, hardening, runtime protection, and monitoring should work together as one strategy</p><p>• How AI may speed up attackers without fundamentally changing the need for strong security fundamentals</p><p>• Joel’s advice for improving mobile security posture: start with the app’s critical workflows, backend interactions, and real business risk</p><p><strong>Joel / Guardsquare links</strong></p><p>• Guardsquare: <a target="_blank" rel="noopener noreferrer nofollow" href="https://hubs.ly/Q04fJgkJ0">https://hubs.ly/Q04fJgkJ0</a></p><p>• Guardsquare Blog: <a target="_blank" rel="noopener noreferrer nofollow" href="https://www.guardsquare.com/blog">https://www.guardsquare.com/blog</a></p><p><strong>OWASP mobile security links</strong></p><p>• OWASP Mobile Application Security: <a target="_blank" rel="noopener noreferrer nofollow" href="https://owasp.org/www-project-mobile-app-security/">https://owasp.org/www-project-mobile-app-security/</a></p><p>• OWASP MASVS: <a target="_blank" rel="noopener noreferrer nofollow" href="https://mas.owasp.org/MASVS/">https://mas.owasp.org/MASVS/</a></p><p><strong>Our links</strong></p><p>More episodes + show notes + links: <a target="_blank" rel="noopener noreferrer nofollow" href="https://shipitweekly.fm">https://shipitweekly.fm</a></p><p>On Call Brief: <a target="_blank" rel="noopener noreferrer nofollow" href="https://oncallbrief.com">https://oncallbrief.com</a></p>
35 MIN
PeopleSoft Zero-Day Exploited, npm v12 Install Script Changes, GitHub Agentic Tokens, Anthropic Model Risk, and Default Trust Breaking
JUN 19, 2026
<p>This episode of <strong>Ship It Weekly</strong> is about default trust getting punished. Brian covers Oracle’s emergency PeopleSoft advisory for CVE-2026-35273, npm v12 changing install-script defaults, GitHub Agentic Workflows moving away from long-lived personal access tokens, and Anthropic disabling Fable 5 and Mythos 5 after a U.S. export-control directive. The common thread: legacy ERP systems, package installs, CI/CD agents, and AI models all become production risks when teams trust the default without checking what that trust can actually do.</p><p>In the lightning round, Brian covers Tekton CloudEvents moving to a dedicated events controller, NVIDIA Triton Inference Server 26.04 changing inference defaults, AWS Nitro Isolation Engine bringing formal verification to Graviton5-based isolation, and Homebrew 6.0 adding explicit trust for third-party taps.</p><p>The bigger theme: production does not care why you trusted the default. 
It only cares what that default was allowed to do.</p><p><strong>Links</strong></p><p>Oracle PeopleSoft CVE-2026-35273 advisory <a target="_blank" rel="noopener noreferrer nofollow" href="https://www.oracle.com/security-alerts/alert-cve-2026-35273.html">https://www.oracle.com/security-alerts/alert-cve-2026-35273.html</a></p><p>npm v12 breaking changes <a target="_blank" rel="noopener noreferrer nofollow" href="https://github.blog/changelog/2026-06-09-upcoming-breaking-changes-for-npm-v12/">https://github.blog/changelog/2026-06-09-upcoming-breaking-changes-for-npm-v12/</a></p><p>GitHub Agentic Workflows no longer need PATs <a target="_blank" rel="noopener noreferrer nofollow" href="https://github.blog/changelog/2026-06-11-agentic-workflows-no-longer-need-a-personal-access-token/">https://github.blog/changelog/2026-06-11-agentic-workflows-no-longer-need-a-personal-access-token/</a></p><p>Anthropic Fable 5 / Mythos 5 access statement <a target="_blank" rel="noopener noreferrer nofollow" href="https://www.anthropic.com/news/fable-mythos-access">https://www.anthropic.com/news/fable-mythos-access</a></p><p>Tekton Pipelines releases <a target="_blank" rel="noopener noreferrer nofollow" href="https://github.com/tektoncd/pipeline/releases">https://github.com/tektoncd/pipeline/releases</a></p><p>NVIDIA Triton Inference Server 26.04 release notes <a target="_blank" rel="noopener noreferrer nofollow" href="https://docs.nvidia.com/deeplearning/triton-inference-server/release-notes/rel-26-04.html">https://docs.nvidia.com/deeplearning/triton-inference-server/release-notes/rel-26-04.html</a></p><p>AWS Nitro Isolation Engine <a target="_blank" rel="noopener noreferrer nofollow" href="https://aws.amazon.com/blogs/compute/aws-nitro-isolation-engine-formally-verifying-the-hypervisor-in-the-aws-nitro-system/">https://aws.amazon.com/blogs/compute/aws-nitro-isolation-engine-formally-verifying-the-hypervisor-in-the-aws-nitro-system/</a></p><p>Homebrew 6.0.0 <a target="_blank" 
rel="noopener noreferrer nofollow" href="https://brew.sh/2026/06/11/homebrew-6.0.0/">https://brew.sh/2026/06/11/homebrew-6.0.0/</a></p><p>This week’s On Call Brief <a target="_blank" rel="noopener noreferrer nofollow" href="https://www.tellerstech.com/on-call-brief-news/2026-W25/">https://www.tellerstech.com/on-call-brief-news/2026-W25/</a></p><p>More episodes and show notes <a target="_blank" rel="noopener noreferrer nofollow" href="https://shipitweekly.fm/">https://shipitweekly.fm/</a></p>
22 MIN