TLDR DevOps 2026-04-13
Datadog Code Security MCP 🥷, Prompt Caching 📦, Database Branching 🌴
Secure Coding Best Practices Cheat Sheet (Sponsor)
Secure coding starts long before production.
Modern applications move fast, which means security needs to be built in from the start, not added later. From API design to input handling and access control, early decisions have a big impact on reducing risk.
The Secure Coding Best Practices Cheat Sheet outlines practical ways to reduce risk early. It covers key areas like secure design foundations, strong authentication and authorization, input validation, and preventing common vulnerabilities such as XSS, SQL injection, and broken access control.
Start building more secure applications from day one.
Kubernetes 1.36: Deep dive into new alpha features (13 minute read)
Kubernetes 1.36, set to launch April 22, introduces 20 new alpha features targeting AI/ML workloads, large-scale cluster management, and resource efficiency, including workload-aware preemption that treats groups of related pods as single units during scheduling, sharded API streams to reduce network overhead in massive clusters, and deeper Dynamic Resource Allocation integration that simplifies GPU and specialized hardware management. The release also brings node-level gRPC APIs to reduce API server load, native gang scheduling support in the Job controller, Prometheus Native Histograms integration, and the ability for the Horizontal Pod Autoscaler to scale applications down to zero replicas based on external metrics like queue length.
Introducing the Datadog Code Security MCP (4 minute read)
Datadog Code Security MCP mitigates risks from AI-generated code by scanning in real time to detect vulnerabilities, secrets, and insecure dependencies before review, while consolidating multiple security checks into a single local workflow with consistent controls and minimal setup overhead.
Improving storage efficiency in Magic Pocket, our immutable blob store (10 minute read)
Dropbox improved storage efficiency in its immutable blob store by introducing a three-layered compaction strategy that targets different levels of fragmentation, from slightly under-filled to extremely sparse volumes. This adaptive approach, combined with dynamic tuning and safeguards, reduced storage overhead significantly and allowed the system to reclaim space faster without overwhelming infrastructure at exabyte scale.
The peril of laziness lost (4 minute read)
Good software design depends on “laziness” as a virtue—driving engineers to create simple, powerful abstractions that minimize future work—while LLMs lack this constraint and tend to generate excessive, unrefined code when unchecked. As a result, LLMs should be used as tools to support human judgment and abstraction, not replace it, or they risk increasing system complexity rather than improving it.
The Death of Ingress-NGINX: A Post-Mortem Nobody Wanted to Write (8 minute read)
The community-maintained Kubernetes ingress-nginx controller, used by roughly half of all cloud-native environments, officially died in March after years of being maintained by just one or two volunteers in their spare time—a situation that became untenable after the IngressNightmare vulnerability (CVE-2025-1974, CVSS 9.8) exposed how attackers could achieve remote code execution and read all cluster secrets. The Kubernetes community is now migrating to Gateway API implementations like Envoy Gateway, NGINX Gateway Fabric, or Traefik, while the separate F5/NGINX Inc.-maintained controller remains actively supported and unaffected.
Selective Test Execution at Stripe: Fast CI for a 50M-line Ruby monorepo (8 minute read)
Stripe keeps CI fast in a massive Ruby monorepo by running only a small subset of tests using Selective Test Execution, which dynamically tracks file access during test runs and re-executes only tests affected by code changes. This approach avoids unreliable static analysis, achieves large compute savings, and maintains safety through guardrails like always running critical or previously failing tests.
Writing Design Docs (4 minute read)
A design document's real purpose is to create shared understanding and alignment, not to serve as a final deliverable, with the act of writing surfacing gaps, clarifying decisions, and enabling better collaboration. Effective design docs clearly define the problem, values, options, and tradeoffs, and are developed iteratively with feedback to avoid premature solutions and ensure sound reasoning.
Advanced Prompt Caching at Scale (6 minute read)
Prompt caching improves latency and cost by reusing KV states, but scaling across replicas reduces cache hit rates unless mitigated with session affinity, tiered routing, and prefix-aware load balancing. Optimal performance depends on structured prompts, monitoring, and balancing local versus shared cache tradeoffs.