March DevOps News

In this episode of the DevOps Sauna, Darren and Pinja discuss the latest stories in the DevOps space in March 2025, including xAI's acquisition of X and the coming end of Opsgenie.
[Darren] (0:03 - 0:22)
Yeah, not only the biggest acquisition they've ever made, but I believe the seventh largest acquisition of all time.
Welcome to the DevOps Sauna, the podcast where we deep dive into the world of DevOps, platform engineering, security, and more as we explore the future of development.
[Pinja] (0:22 - 0:32)
Join us as we dive into the heart of DevOps, one story at a time. Whether you're a seasoned practitioner or only starting your DevOps journey, we're happy to welcome you into the DevOps Sauna.
[Darren] (0:38 - 0:42)
Welcome back to the DevOps Sauna. I am once again here with Pinja.
[Pinja] (0:42 - 0:43)
Hey, how's it going, Darren?
[Darren] (0:44 - 0:50)
It's going as well as it could be for recording on a Monday, almost morning, but I guess afternoon. I don't do well with time.
[Pinja] (0:51 - 0:56)
I think it's fair to say it is Monday, it is afternoon, but it's also the last day of March 2025.
[Darren] (0:57 - 1:00)
That's true. And that means one thing, we should record some news.
[Pinja] (1:00 - 1:12)
We definitely should. And let's start with a big one. And we need to talk about Elon Musk here.
We need to talk about X, because Elon Musk has sold X to himself.
[Darren] (1:13 - 1:43)
Yeah, basically. He just decided to sell the platform formerly known as Twitter to himself. And it's actually his AI company, which I guess is pronounced xAI, but is written xai.
So I think we should pronounce it xai just because it would annoy him. So he sold X to xai, presumably so that the AI company that produces Grok can have unrestricted access to Twitter's data for training purposes.
[Pinja] (1:43 - 2:13)
Yeah, I know that he and his company X have been trying to make X this overarching everything app. So I guess this is part of this venture as well, even though so far it hasn't been a successful effort to make it a so-called everything app. But this is a very interesting development as, as you said, it will be using data from X as training data.
So I think we're seeing some problems with it, especially when it comes to the EU regulations.
[Darren] (2:13 - 3:22)
Yep. GDPR, for example, where people have to very specifically opt into data gathering and know the purposes and duration of data storage. So the EU is obviously investigating this purchase for any potential GDPR issues, which it doesn't seem unreasonable that they would find.
I think people worry when people talk about gathering training data for AI, they worry a lot about things like books, and they don't fully realize the volume of social media. There was actually something our own Henri Terho said at The Future of Software conference last week, where he was saying how Reddit is the perfect data source for AI because it's curated. It has everything broken down into convenient sections with upvotes and downvotes to show what is good, and what is useful, and what is appreciated.
It's perfectly tagged data. So I feel like Elon Musk is attempting to do something like that with Twitter without realizing the, let's say, the tone of X, formerly Twitter, and how that might influence and bias the AI models.
[Pinja] (3:22 - 3:33)
Yeah, and I think this is also bringing xAI's or xai's Grok within the X social app as well. So this integration will now also be brought to the public.
[Darren] (3:34 - 4:01)
But we'll see how that goes. In closer-to-home news, Semaphore went open source. So Semaphore, the DevOps platform, has transitioned to an Apache 2.0 license, which is actually kind of interesting. I don't think there were many DevOps platforms that would allow such a license or open source in such a way. I think it's like the Jenkins CI/CD. But a lot of them are kind of wrapped up.
[Pinja] (4:02 - 4:21)
And this is not the most familiar tool for myself. So, Darren, would you please enlighten me and perhaps some of the listeners as well? Is this a very widely used tool?
You now compared it to Jenkins as well, which is perhaps not the tool that those of us who are not the most technical people are the most familiar with.
[Darren] (4:21 - 5:39)
We're in a kind of interesting era for DevOps in that we're migrating to platform engineering. And platform engineering is all about abstraction. There was this concept of the single pane of glass, which I think is what a lot of companies are aiming for, where they'll have GitHub, and they'll have GitLab because GitLab can have your pipelines built in, it can have your image repository built in, your security tooling built in.
So you have to go to one place. One of the big tripping points of Jenkins, for example, is that it does one thing, and it does one thing really well. But it means every time you want to deal with a pipeline, you have to go out of your code repository to a pipeline tool with probably not the best user interface.
So I've never used Semaphore. From a brief look, it looks like its user interface is actually reasonably good. But the idea of creating a second place where developers or DevOps practitioners will need to go and look for one specific thing is kind of a dated one.
So, if you have a platform engineering team, they might be building with Semaphore behind the scenes, and that's a great use of it. But if you don't have platform engineering teams, you're unlikely to see these in the wild anymore. You'll see Jenkins because they've been around since 2012, and people just can't migrate away from them.
[Pinja] (5:39 - 6:10)
And if we think of this move to open source, and this is, if we compare to Jenkins again, a tool that might be widely used in the background without, for example, business people or the ones using the single pane of glass, for example, seeing it. But this is encouraging the community contributions and perhaps the ones who are the devoted users for this tool. And also, again, in comparison to Jenkins, I think this is a really interesting step for these people.
[Darren] (6:11 - 6:33)
Yep. I actually think it's a great thing. We've seen, over the past couple of years, a couple of big open source tools, particularly by HashiCorp, just going closed source or with a more restrictive license.
So seeing a tool go the other way to start opening things up and encouraging this community engagement and transparency is very cool to see.
[Pinja] (6:33 - 6:44)
Indeed. Let's talk about Sonar and especially SonarQube. Sonar extended their code security coverage by adding SonarQube Advanced Security.
[Darren] (6:44 - 7:10)
Yep. Upcoming availability for advanced security. Basically, it's just a step up from what we expected from SonarQube's code security coverage before.
So we're starting to see a lot of better software composition analysis and static application testing. So I think it's a welcome change for everyone out there using SonarQube. I'm actually looking forward to seeing how well this competes with some other industry tools.
[Pinja] (7:11 - 7:45)
And if we think of it, it is just adding to what SonarQube does very well already. So their analysis tools and secrets detection, for example, is a really nice addition, as you say, as well. There is this one confusion, perhaps, that I have at the moment because we're now talking about advanced security features.
And if we think of the name, the company called Sonar, who has a tool called SonarQube, but then we also have a company called Sonatype offering similar types of services and even adding to the mix. So this is now called advanced security, which is also a feature in GitHub.
[Darren] (7:46 - 8:41)
Yep. And there's this type of cyber attack called namespace confusion, which is basically where you trick people into importing malicious libraries into their code by calling it a common typo or something like that, where you have a name that's off by one character, and then someone accidentally types that and they end up with malicious code in their system. And this is a known type of attack, but no one seems to be considering it from a business point of view, where you have Sonar now putting out SonarQube advanced security, not to be confused with GitHub Advanced Security, when they do very much the same thing.
And now SonarQube advanced security is moving in a direction consistent with Sonatype. So Sonar, Sonatype, Advanced Security, exactly as you say, there's all this around these three tools specifically, this namespace confusion that I don't think is going to make any of these tools particularly easy for people to navigate.
[Pinja] (8:41 - 9:08)
Indeed. Let's move to the Atlassian sphere. It was 2018 when Atlassian acquired Opsgenie, and now they have announced that they're actually going to end Opsgenie support by two years from now, so April 2027.
So this is a move for them, they are integrating all the Opsgenie's capabilities into their own other platforms, for example, JSM (Jira Service Management), which they launched five years ago in 2020.
[Darren] (9:08 - 9:40)
Yep, it's a bit of a typical tale these days, I think, where someone acquires something, integrates the parts of it they think are useful, and then slashes it. So I don't think it's an unexpected move by Atlassian, especially given, if we think about it, Opsgenie, a lot of it was built into their server offerings, which are now, of course, no longer offered. So, having this built into their cloud offerings as default is probably the direction they're heading.
So I don't think this news should have really surprised anyone.
[Pinja] (9:40 - 10:11)
No, perhaps not. It's more about, for the organizations that are using Opsgenie at the moment, just to be aware of this. And I think the end of sale happens already in a couple of months' time, now in 2025, but just for the Opsgenie users and organizations to be aware of their options.
So for example, move to Jira Service Management, that's one option, or I guess also Compass is something. If you want the alerts and the on-call management, that would be one option as well.
[Darren] (10:11 - 10:28)
Yep, that's definitely a way for you to go. So it's not like this tooling will disappear. If you're reliant on Opsgenie, there are definitely options for you, both with Atlassian and elsewhere.
Shall we talk about Google? Google has just made a particularly large purchase.
[Pinja] (10:28 - 10:47)
Yeah, and it is basically the parent company of Google. So Alphabet, as many already know, purchased cybersecurity firm Wiz, and the acquisition is priced at $32 billion in cash. And I think this is the biggest ever acquisition Google has ever made.
[Darren] (10:48 - 11:31)
Yeah, not only the biggest acquisition they've ever made, but I believe the seventh largest acquisition of all time. So we can understand all this. And for those who don't know, Wiz is a cloud security platform.
Wiz is basically something that connects to your cloud infrastructure and tells you all the security issues you're having and moves forward to mitigate them. We can't go too deep into it in a news episode because it's quite complex, but they have typically been a market leader in performance for basically forever. So I say forever, they haven't been around all that long compared to Google.
But yeah, this is a huge success for Wiz and just an interesting development for Google.
[Pinja] (11:32 - 12:03)
It is. And I guess one of their strategic initiatives right now is to invest in cloud security based on this because this is, as I said, the seventh largest acquisition of all time. Because Wiz is, as you say, it's a market leader.
They serve, was it 40% of Fortune 100 companies? And they were projected to have $1 billion in revenue only this year. So, the $32 billion as an acquisition price was not unjustified, I think, in this case.
[Darren] (12:04 - 12:20)
Yeah. It's particularly impressive for a company that's been around since 2020. So they're a five-year-old company who've now kind of overshadowed and eclipsed a lot of these more established players in cloud security models.
[Pinja] (12:21 - 12:43)
Yeah, that's true. So it will be very interesting to see. Previously in this episode, we already talked about the Opsgenie and how Atlassian acquired them.
And now they're basically sunsetting that part of the app and part of their offering. So I don't really know; time will tell what Google will do with Wiz and what kind of strategy they actually have in their back pocket for cloud security.
[Darren] (12:44 - 13:14)
I'm guessing it will be a similar model to YouTube where it will continue to operate somewhat independently because I don't think they can afford to become kind of locked into a specific cloud platform. They're not going to just focus on GCP because GCP is fast growing, I think, but AWS and Azure are, from what I remember, a corner of the market. So I think we're just going to see Wiz, maybe with "by Google" appended to the end of its name, and continue to operate more or less as it has.
[Pinja] (13:14 - 13:36)
Yeah, exactly. We already mentioned GitHub previously, but let's talk about GitHub in more detail. We have a couple of news stories around that.
An analysis was made, it's a very recent one, by GitGuardian, and they uncovered that a significant increase has happened in hard-coded secrets within the public GitHub repositories lately.
[Darren] (13:36 - 14:36)
Yep, it was actually a comic, almost 5% containing a secret. So one in twenty GitHub repositories, public ones, contain secret information, and that was a 25% increase over a previous study. We've always had the saying in cybersecurity that the main problem is people, and this is the issue that's happening here.
People are putting secrets into code. People don't understand how to put them into a separate file and use gitignore to make sure they don't go into the public repository. Or even if you're coding something at a very ideal level, if you're not even in infrastructure where you can have your things stored safely in a vault, you can at least take steps to make sure the passwords aren't uploaded, but these aren't being done.
I wonder if the AI coding era that's upon us is influencing these things.
[Pinja] (14:37 - 15:35)
That's a really good point. Was it last year or the year before that, one of our former colleagues said that they would never give anybody AI coding tools as their first thing, and it's just, I come back to the secret management practices of companies here. So AI coding tools do not replace any of these good practices because even this study and this analysis showed that this vulnerability has been ongoing for a really long time, because they did a similar kind of study in 2022, and 70% of those secrets that they discovered three years ago still remain active.
So it is not just that this was a one-time thing, and also if we think of it, it's not just the world's public repositories. What if I have my private one, but even 35% of those private repositories analyzed contain at least one plain text secret? So it is something that we need to take seriously in organizations, especially now with the rise of AI coding tools.
[Darren] (15:36 - 16:16)
It is, and to jump back to something we said before, it's literally never been easier to prevent this. You can have a pipeline with gitleaks or GitHub Advanced Security or anything; literally any security setup can, with one command, parse your code for secrets and say "Hey, this is a high entropy string, you probably don't want to upload this!" and put a stop on things right there. But the fact that this one command is not being used locally, it's not being used in pipelines, if pipelines even exist, is kind of shocking.
So, I honestly think we're going to see more of this.
[Pinja] (16:16 - 16:40)
It is. Unfortunately, before we get a hold of it, because it comes down to people, and as you said, in cybersecurity, the biggest risk is the person, is the people. So here is the same thing.
If we do not have our processes in place, and we don't make good procedures to handle this, because as you said just before this, it should be easier than ever to prevent this from happening.
[Darren] (16:40 - 16:46)
It should be, but just because something's easy doesn't mean it's taken seriously.
[Pinja] (16:46 - 17:02)
No, and speaking of vulnerabilities and data leaks, we continue with GitHub, and there is an article saying that a GitHub Action was compromised, and that this caused data leaks for 23,000 repositories.
[Darren] (17:03 - 17:41)
Yep, it's actually been a bad month for GitHub on this front. Essentially, what happened is there were some actors who modified this GitHub Action, it was, like, what, tj-actions/changed-files. It's used to track changes, and they injected this Node.js function, which included an encoded string that downloaded a malicious Python script. So, basically, it's kind of a standard injection attack. We're not sure how long that's actually been running, but yeah, 23,000 repositories is a, well, considerable amount.
[Pinja] (17:41 - 18:35)
It is, and as you said, we don't know how long this has been going on. It was discovered and identified by StepSecurity, which is a security firm, on March 14, so a couple weeks ago, but nobody knows the extent of it for more than that. But now that was the date of identification, and GitHub has released some guidance for the users whose repositories have been exposed.
So of course, number one, review what has been exposed, and if there have been any potentially compromised credentials, rotate them. Those are, I guess, a couple of first crucial steps, and you can take some enhanced security measures to protect yourself and your repositories from any further supply chain attacks like this. And I guess, what could be those steps?
Because I don't think GitHub itself provided any guidance on that, but what could be the first steps on the added security measures, Darren?
[Darren] (18:35 - 19:38)
I think the big thing was the disclosure of secrets, but as we literally just discussed, public repositories have secrets exposed anyway. I feel like this attack was caught in a reasonable time as to not have the effect they wanted. But ideally, you want to identify repositories, so you want to locate repositories using versions of tj-actions between the affected dates, so between 12 March and 15 March, and then just identify exposed secrets.
Honestly, if you have any secrets in public repositories, you should rotate them and remove them from public repositories anyway. And then, yeah, update to the latest version. There were some instructions by GitHub to update to the latest version of the changed-files action, so updating should really cover your bases.
Updating and rotating secrets, there's nothing out of the ordinary for this particular hack, just the kind of thing we expect to see.
[Pinja] (19:39 - 19:54)
Last but not least, let's go back to open source and perhaps a little bit more positive news. So, Open Infrastructure Foundation Board announced that they intend to join the Linux Foundation to amplify the global impact of open source.
[Darren] (19:55 - 20:44)
Yep. So, as regular listeners will know, we like open source on this podcast. We like open source at Eficode.
I mean, one of our partners being GitLab; we like the fact that they're mostly built on open source systems behind one pane of glass. We do similar things with our Eficode ROOT platform. So, the idea that large entities are coming together to make open source more usable, more visible, and have an actual impact on society is kind of cool.
So, yeah, very happy with this news. Not sure what it's going to mean in the short term because this is one of those, hey, we're joining together, this is great. I hope we see some big information, or big news, out of them upcoming.
But as of right now, I think all we have is intent, like a signaled intent.
[Pinja] (20:45 - 21:16)
And both organizations have many strengths. And if we think of fostering innovation across their projects, like more Linux, duh, in this case, but also Kubernetes. I think Open Infra also said that they would like to drive advancements in their data center technologies, especially using AI, but nothing more was in this article that we saw.
So, it is a great idea. We very much look forward to seeing more in this collaboration in the future.
[Darren] (21:17 - 21:40)
Yep. We'll be keeping our eye on this. Hopefully, it leads to some good stuff.
I'd like to see open source become a lot more known, established, and trusted. And I think that's the intention of everyone across the open source world. They want to see these commercial efforts, maybe not stopped, but open source to be seen as a viable contender.
[Pinja] (21:40 - 22:09)
Yeah. I very much like seeing these big collaborations being announced. This is a step towards that direction and building that, as I say, building trust in the open source community and some credibility as well, based on this kind of cooperation.
And Open Infra, they're a big nonprofit organization. And if we think about the open source community, so the Linux Foundation, it doesn't get much bigger than that, to be honest here.
[Darren] (22:10 - 22:21)
Yeah. So, we'll be keeping an eye on that. And if anything else happens with that, I'm sure we'll be including it in an upcoming news episode.
That's everything we have for today. Thank you for joining me, Pinja.
[Pinja] (22:21 - 22:22)
Thank you, Darren.
[Darren] (22:22 - 22:25)
And we'll hopefully catch you next time. Thanks all. Bye.
[Pinja] (22:26 - 22:32)
Thank you. We'll now tell you a little bit about who we are.
[Darren] (22:33 - 22:35)
I'm Darren Richardson, Security Consultant at Eficode.
[Pinja] (22:36 - 22:40)
I'm Pinja Kujala. I specialize in Agile and portfolio management topics at Eficode.
[Darren] (22:41 - 22:43)
Thanks for tuning in. We'll catch you next time.
[Pinja] (22:43 - 22:51)
And remember, if you like what you hear, please like, rate, and subscribe on your favorite podcast platform. It means the world to us.