Defeat AI-Powered Threats with VMware Tanzu Spring
Here’s the panel I hosted on how the Spring project is adapting to AI-powered threats. We covered the volume spike in Spring security reports, the kinds of vulnerabilities the models are good at finding, chained “narrative” attacks, the three-bucket fix/fork/ditch triage for open source deps, the clean-room rebuild of Spring’s ~1,800 dependencies, and how the Spring release train got compressed. My co-worker pals have a lot to say: Cora Iberkleid, Ryan Morgan, and Michael Minella.
As ever, when you remove one bottleneck with AI, you move on to dealing with the next one. As Michael Minella put it: when customers ask if Spring will ship more often given the CVE volume, his question back is – if I did, could you consume it any faster? The answer is almost always no.
Check out the recording, it’s good stuff!
And, if you have anything to do with Java and Spring apps, you might be interested in the actual thing we talk about, VMware Tanzu Spring, which packages up all this stuff plus a whole lot more. And I’d be remiss if I didn’t suggest that you try Tanzu.ai for even more.
ICYMI
Original content published since last time.
- Conference talks in an AI driven world are likely to get boring, or need to dramatically change
- Keep domestic wages low + sell to rich countries = profit!
Related to your interests
- OpenAI and Broadcom Unveil LLM-Optimized Intelligence Processor
- Gartner: AI coding agents will cost more than real developers – “Research by Gartner Peer Insights has found that 23% of tech leaders are spending $200 to $500 per developer per month on tokens for artificial intelligence (AI) coding agents, such as Claude Code, Cursor and OpenAI Codex.” And: “The IT analyst firm has forecast that by 2028, AI coding costs will overtake the average developer’s salary due to rising large language model (LLM) token consumption and the shift to consumption-based licensing models.”
- Using Claude Code: The unreasonable effectiveness of HTML – I like the idea of having your AI thingies create one-off HTML pages as output. For example, monitoring and management agents. Most services now have an MCP server that will give API access to observability, logs, etc. What if instead of emitting JSON, they (also) emitted an HTML page?
Wastebook
- “[I]f you’ve been nodding along as you read any of it and you’re still planning on using your computer to talk to datacenter-resident ghosts to ‘achieve’ stuff that you can only experience _through_ it, well, then, you’re too close to the problem to notice.” Here
- “Pinterest clean girl fitness and fruit bowl gua sha yoga mat pilates in the forest” content. Here
AI Summaries
I wanted to read these, but I didn’t make the time, so I asked the robot to summarize them.
- 🤖 Europe’s Cloud Sovereignty Push Risks Driving Fragmentation, Not Security
- 🤖 What is an “AI Governance Platform?”
Logoff
As you may have read, it is hot in Europe.
Most people have no Air Conditioning here, which will surely change over the next decade.
In the meantime, here is Claude’s suggestion for keeping cool with fans:

There are two jobs here, run at opposite hours. At night, when it’s cooler outside than in, the goal is to flush the room – push hot air out, pull cool air in. By day, when it’s hotter outside, the goal flips: keep the cooled air in and repel the heat.
So at night, open the right window wide with the fan exhausting out of it, and crack the left (cool-side) window to about a third – the incoming air speeds up through the narrow gap into a real draft across the room. Pull the fan back a foot or two from the window and angle it to draw across the room’s width rather than threading a straight cool-air pipe between the two windows. If the room stops feeling fresh, open the left window a little until the cool side is clearly winning.
By day, do the opposite and less: button the room up, left window barely cracked, blinds down, fan pointed only at bodies.
Seems to work…fine, but not great.
Want to subscribe to this newsletter and get it in your email? Do that here. You’ll just get this type of link and post round-up, not everything posted on the weblog.