AI 资讯
Manage Sensitive Data In Application Code | 🏗️ Build A Secure Configuration Service
Exam Guide: Developer - Associate 🏗️ Domain 2: Security 📘 Task 3: Manage Sensitive Data In Application Code Managing Sensitive Data In Application Code is about keeping secrets out of your code, classifying data properly, and building applications that handle sensitive data safely. You need to know when to use Secrets Manager vs Parameter Store, how to mask PII in API responses and logs, and how to isolate data in multi-tenant applications. The ability to choose the right secret management service, implement data sanitization, and enforce tenant-level data boundaries, is vital. 📘Concepts Data Classification Understand data sensitivity levels and how each should be handled: Classification Examples Handling Requirements PII (Personally Identifiable Information) Name, email, SSN, phone number, address Encrypt at rest and in transit, mask in logs and API responses, restrict access PHI (Protected Health Information) Medical records, insurance IDs, lab results HIPAA compliance, encryption required, audit trail mandatory Financial Credit card numbers, bank accounts, transaction data PCI DSS compliance, tokenization, never store full card numbers Public Marketing content, public API docs No special handling needed 💡 If a scenario mentions compliance or audit trail , think encryption with KMS (for CloudTrail logging) and Secrets Manager (for automatic rotation). If it mentions PII in logs , think data masking and sanitization. Secrets Manager vs SSM Parameter Store Both store configuration and secrets. Feature Secrets Manager SSM Parameter Store Automatic rotation Yes (built-in for RDS, Redshift, DocumentDB) No (you build it yourself with Lambda) Cost $0.40/secret/month + $0.05 per 10,000 API calls Free (Standard tier), $0.05/advanced parameter/month Cross-account access Yes (via resource policy) Yes (advanced parameters only) Max size 64 KB 4 KB (Standard) / 8 KB (Advanced) Versioning Automatic (AWSCURRENT, AWSPREVIOUS labels) Yes (version history) Encryption Always encrypt
开源项目
Transitioning as a hubber
How GitHub's culture and benefits helped me be the best version of myself. The post Transitioning as a hubber appeared first on The GitHub Blog .
AI 资讯
I Almost Didn't Learn Programming Because I Was Bad at Math
For a long time, I thought programming wasn't for people like me. Not because I wasn't interested in technology. Not because I didn't enjoy solving problems. But because I kept hearing the same thing over and over again: "You need to be good at math to become a programmer." The more I heard it, the more I believed it. Whenever I saw developers building websites, apps, or cool projects, I assumed they were all math experts. 🧮 I imagined them solving complex equations all day while I struggled with basic math concepts. So before I even wrote my first line of code, I had already convinced myself that programming probably wasn't for me. And honestly, I think many beginners feel the same way. 🤔 The Fear Was Bigger Than The Reality When I finally started learning programming, I expected math to be my biggest challenge. It wasn't. My biggest challenge was understanding why things weren't working . I spent hours trying to figure out: Why isn't this button working? 🖱️ Why is this variable undefined? 🤨 Why did this code work yesterday but not today? 😅 Why did fixing one bug create three new bugs? 🐛 Very quickly, I realized that programming wasn't testing my math skills nearly as much as it was testing my patience and problem-solving ability. Most of the time, the challenge wasn't: "Can you solve this equation?" It was: "Can you figure out what's causing this problem?" 🧠 Logic Matters More Than Most People Think One of the biggest lessons I learned is that math and logic are not exactly the same thing. Yes, math uses logic. But you don't need to be a math genius to think logically. Programming is often about breaking a big problem into smaller, manageable pieces. For example: If a user clicks a button, what should happen next? If data is missing, what should the application do? If an error occurs, how should it be handled? That's logic. You're constantly thinking: "If this happens, then what should happen next?" And honestly, that's a huge part of software development. Some of
AI 资讯
Can We Talk About the "AI/ML Engineer" Shortcut for a Second?
Lately, it feels like my feed is completely flooded with "Become an AI/ML Engineer in 2 Hours!" crash courses and quick certificates promising a golden fast-track into machine learning roles. But let’s be completely real for a second: there are no tutorial shortcuts here. The more I dive into actual system architecture and cloud infrastructure, the more obvious it becomes: machine learning isn't a standalone magic trick. It's built entirely on rock-solid Computer Science, efficient data structures, and heavy-duty software engineering. Software Engineering First, AI Second If you can’t build or scale a reliable backend, manage data pipelines, or understand low-level underlying system logic, you simply cannot scale an AI model in production. Prompt engineering is cool for prototyping, but production-level ML requires real, foundational engineering skills. You have to learn how to be a great software engineer first. Looking Past the Hype (A Solid Structural Roadmap) If you actually want to look past the superficial fluff and understand how real data workloads, model deployments, and ML infrastructure fit into a cloud environment, I found an incredibly solid, structured resource. Instead of hand-waving past the hard parts, Microsoft Learn has an official, step-by-step breakdown on Azure AI and Machine Learning Fundamentals. It actually goes into the core architectural principles and shows you what real cloud-scale infrastructure looks like. Whether you are trying to map out your summer learning roadmap or just want to understand the actual systems backing these models, I highly recommend checking it out. Here is the structured entry point if you want to skip the shortcuts and dive into the real infrastructure: 🔗 Official Azure Machine Learning Technical Hub What are your thoughts? Are you seeing the same "AI shortcut" hype on your feeds, or are people finally starting to focus back on core system fundamentals? Let's discuss in the comments!
创业投融资
Thank you DEV community: the Thinking Engineer Toolkit is live
Over the past weeks, I’ve been sharing a series of posts that gravitate around one question: How do...
AI 资讯
GuardDuo — The AI Guardian That Keeps Vibe-Coding in Check
AI coding tools are incredible. But I noticed something — they ship code fast, skip the rules, and nobody catches it until it's already in production. That's exactly what GuardDuo is built to fix. The Problem We're in the age of vibe-coding. You describe what you want, the AI builds it, it works — and you ship it. But "works" and "correct" are two very different things. Imagine asking an AI to build a login form. It works perfectly. But under the hood it has hardcoded API keys, no input validation, missing aria-labels , and it's using fetch directly instead of your project's apiClient wrapper. Your Issue said none of that was allowed. Nobody caught it. That's the vibe-coding trap — and it's happening on every team using AI-assisted development right now. What is GuardDuo GuardDuo is a GitLab Duo Agent skill that acts as your AI guardian. Instead of just reviewing code in isolation, it cross-references your code changes against the actual intent of the linked GitLab Issue — using the Orbit Knowledge Graph , which is essentially the brain that knows your project's rules, requirements, and success criteria. In plain terms: GuardDuo reads what the Issue asked for , reads what the code actually does , and tells you exactly where they don't match. It audits across three dimensions: 🔐 Security — hardcoded secrets, SQL injection, missing input validation ♿ Accessibility — missing alt text, aria-labels , poor color contrast 📐 Standards — deviations from your project's established patterns and conventions And when it finds a problem, it doesn't just flag it — it fixes it. How It Works Just open GitLab Duo Chat or GitLab Agent Platform(on your choice of IDE) -> choose the agent as GuardDuo and type: Audit issue #[issue no.] — GuardDuo pulls the Issue context from Orbit, analyzes the code, and returns a structured report Fix issue #[issue no.] — GuardDuo generates a corrected implementation that satisfies all requirements Or paste any code snippet directly and ask it to audit o
开源项目
I automated my job (and it made me a better leader)
Explore how my day as a senior leader looks now that I use 40 automations to help, and learn more about some of my favorites. The post I automated my job (and it made me a better leader) appeared first on The GitHub Blog .
开发者
What's Wrong with DEV.to Notifications?
I've been using DEV.to for a while, and one area that often feels inconsistent is the notification...
AI 资讯
What it takes to build docs worth reading
Treating docs as a product When documentation lives as an afterthought, it shows. Pages drift out of date, examples break quietly, and release notes scatter across a dozen places no one can find. The fix is not a weekend cleanup. It is a decision to treat docs the way you treat any product people depend on: someone owns it, it has standards, and it gets maintained on purpose. That is the decision I made when the docs came to the Developer Relations team at the end of 2025. Not "let's tidy this up," but "this is ours now, and we are accountable for whether a developer can actually build from it." The work, in the repository The honest record of what a team does to a codebase lives in its git history, so that is where the story starts. Comparing the six months before the handoff to the six months since: Before vs. Under DevRel: Commits: 476 → 1,900+ Merged pull requests: 145 → 447 Unique contributors: 21 → 64 A repository that averaged fewer than 500 commits over half a year is now past 1,900 in the same span. The contributor count tripled, because we treated the docs as something the whole community could improve, not a walled garden. This is what a team that decided to do the work looks like when you measure it. Our proudest metric is what was cut In six months, we added roughly 339,000 lines and removed roughly 281,000. That near balance is the point. A neglected docs site accumulates: dead pages, stale tutorials, examples that no longer compile, three slightly different explanations of the same concept. Adding more on top of that does not help anyone. So we cut nearly as much as we wrote. We rebuilt the Hello World walkthrough from 1,300 lines down to about 300 without losing a thing. We consolidated scattered release notes into a single clean reference. A docs site is judged by what a developer can find and trust, not by how much sits on the shelf. A library you can learn from At the start of the year, the examples library had effectively one usable entry. Today,
AI 资讯
I Got Tired of Paying $99/mo for Options Data — So I Built My Own API tags: python, api, finance, showdev
I build algorithmic trading bots as a side project. Nothing fancy — just small strategies that trade US equity options automatically. The problem I kept running into wasn't the strategy logic. It was the data. Every time I wanted to pull real-time options chains, Greeks, or IV, I had two options: Pay $99+/mo to a data provider Scrape something I probably shouldn't be scraping Neither felt right for a hobbyist project. So I built Market-Options — a simple REST API for US equity options data at $20/mo. What It Does It's a plain REST API. No SDK, no special client library — just HTTP requests and JSON responses. It covers four endpoints: chain — full options chain for a given underlying contract — data for a single contract contracts — batch lookup across multiple contracts contract-overview — Greeks, IV, expiration details Coverage is the top 100 US equity underlyings, which accounts for roughly 95% of actual US options volume. If you're building a bot that trades SPY, QQQ, AAPL, TSLA, or anything in that tier — it's covered. Why Only 100 Underlyings? Because that's what most people actually trade. When I looked at my own bots, and at what most retail algo traders focus on, the top 100 covers everything practical. Exotic underlyings with low volume are also harder to get real data on reliably — so rather than promise coverage I can't deliver, I focused on doing the core well. A Simple Example curl "https://api.market-option.com/chain?symbol=SPY&expiration=2025-01-17" \ -H "Authorization: Bearer YOUR_API_KEY" Response is clean JSON: { "symbol" : "SPY" , "expiration" : "2025-01-17" , "options" : [ { "strike" : 480 , "type" : "call" , "bid" : 3.45 , "ask" : 3.50 , "iv" : 0.182 , "delta" : 0.42 , "gamma" : 0.031 , "theta" : -0.18 , "vega" : 0.29 } ] } No parsing headaches, no weird date formats. Pricing Free tier : 1,000 credits/day — enough to test and build Pro : $20/mo, unlimited within fair use Trial : New accounts get 7 days of Pro, no credit card required Who It's F
开发者
Android verification is coming: Google confirms timeline and supported app stores
A new system service will roll out this month ahead of big changes starting in September.
开发者
Rejected by Google, Welcomed by Microsoft: A Journey Through Low-Level Grinding
There was a phase when Google was the only goal I could see. I pushed myself through endless DSA...
AI 资讯
Affiliate vs Sponsorship vs Ads: What Actually Earns More for Tech Creators in 2026?
Check this out: i run four monetization channels side by side. Sponsored posts, display ads, YouTube ad revenue, and affiliate links. After eighteen months of tracking every dollar in a spreadsheet I built myself, I can tell you with brutal honesty: affiliate income is the only one that scales without me having to constantly produce more content or chase the next brand deal. But the math only works if you pick the right program. Most affiliates I know are promoting garbage with terrible retention, and they have no idea they're burning their audience's trust for a $9 one-time payout. Let me walk you through how I evaluate affiliate programs, what I've learned from running real funnels, and why the AI API category has quietly become the most lucrative vertical for tech creators in 2026. My Monetization Stack After 18 Months of Testing Here's a snapshot of my monthly revenue from a tech newsletter with around 34,000 subscribers and a YouTube channel sitting at 88,000 subscribers: Sponsored posts: $2,100 per placement, but I can only land maybe 2-3 per month without annoying my list Display ads: $1,800 per month from Mediavine, but this number barely moves regardless of how hard I work YouTube ad revenue: $2,400 per month, capped by watch time and RPMs Affiliate income: $6,800 per month, and it grows every single month even when I publish nothing That last number is what got my attention. Affiliate income compounds. When I published a tutorial in February recommending a tool, that single piece of content still earned me $340 in May because users stayed subscribed. No other channel behaves like that. No other channel lets a piece of content from four months ago keep paying you. But here's the catch that took me a while to figure out: not all affiliate programs are built the same way. And the difference between a good program and a bad one can be 10x in lifetime earnings per referred user. # # How I Score an Affiliate Program (The Growth Hacker Scorecard) Before I promote
开发者
How a 10-Minute Bug Fix Completely Changed My Coding Mindset
When I first started learning how to code, I spent most of my time practicing and working on small...
AI 资讯
agentic workflows are being domesticated by actions
GitHub's Agentic Workflows preview has the kind of headline that makes people reach for the wrong conclusion. Natural language Markdown can turn into GitHub Actions workflows. That sounds like "the YAML is going away." I do not think that is the interesting story. The interesting story is that the agent is not escaping the workflow engine. It is being pulled into it. That matters because a lot of agent demos still pretend the future is a smart process floating above the boring machinery: the agent understands the request, edits the repo, runs some commands, and hands back a neat result. Nice demo. Very clean. Production engineering is not clean like that. Production engineering has permissions, logs, runner groups, approval rules, secrets, firewalls, budgets, weird old repositories, compliance questions, and someone who has to explain what happened when the helpful automation did something surprising. So the shape of Agentic Workflows is useful precisely because it is less magical than the demo version. GitHub is putting agents inside the same CI/CD world that already carries a lot of organizational trust. That is the right direction. markdown is not the control plane The cute part is that a developer can describe a workflow in Markdown and have GitHub turn that into standard Actions YAML. That is useful. YAML is not a personality test, and most teams have better things to do than memorize every Actions syntax edge case. But Markdown is only the input surface. The control plane is still Actions. That distinction matters. If the generated workflow is a normal Actions workflow, then all the existing machinery can still matter: repository permissions, runner selection, logs, environments, approvals, branch protection, organization policy, and whatever security controls the company already built around CI. This is where I get more optimistic about agentic tooling. The bad version of agents asks every organization to trust a new, parallel execution model because the mode
AI 资讯
Coding-Agent Misalignment: Turn Failure Taxonomies into QA Checks
Coding agents are no longer just autocomplete with a longer prompt. GitHub describes Copilot cloud agent as software that can research a repository, create an implementation plan, make code changes on a branch, run in an ephemeral GitHub Actions-powered environment, and let a developer review or create a pull request afterward. OpenAI's Codex GitHub integration similarly positions code review as a repository-aware review pass that follows AGENTS.md guidance and focuses comments on serious issues. That shift changes the buyer question. The useful question is not "does the agent usually write code?" It is "can the team detect when the agent drifts away from the developer's intent before the change reaches production?" A May 2026 arXiv paper, "How Coding Agents Fail Their Users" , gives teams a better vocabulary for that review. The authors studied 20,574 real IDE and CLI coding-agent sessions across 1,639 repositories and define misalignment as a breakdown that becomes visible through developer correction or pushback. The paper reports seven recurring symptom categories: wrong project diagnosis, misread developer intent, developer constraint violation, self-initiated overreach, faulty implementation, operational execution error, and inaccurate self-reporting. Effloow Lab also ran a bounded OpenAI API check using three synthetic, non-confidential coding-agent transcript snippets. The run did not measure real-world incidence, compare vendors, or reproduce the paper. It produced a small rubric that maps visible symptoms to review gates such as diff-scope checks, evidence-before-edit checks, acceptance-criteria coverage, and verification-output requirements. The public lab note is available at /lab-runs/coding-agent-misalignment-failure-taxonomy-poc-2026 . This guide turns that research and lab output into a practical QA checklist for teams buying, piloting, or packaging coding-agent workflows. Why This Matters for Agent Buyers Coding-agent procurement often starts with p
AI 资讯
DiffusionGemma: How Google's New Open LLM Hits 1,000 Tokens/sec and Changes Inference Economics
TL;DR: Google released DiffusionGemma, an open Apache 2.0 diffusion-based LLM that generates text up to 4x faster than autoregressive models, hitting 1,000+ tokens/sec on a single H100 and fitting in 18 GB VRAM. It trades some accuracy for speed. Here is what that means in practice. What DiffusionGemma Actually Is Google DeepMind released DiffusionGemma , the first production-grade open-weight model that applies discrete diffusion to text generation. The same family of techniques behind image generators like Stable Diffusion, now applied to language. Instead of predicting one token at a time left-to-right, DiffusionGemma fills a 256-token block with noise and iteratively refines the entire block across multiple denoising passes until confidence thresholds are met. It commits roughly 15-20 tokens per forward pass on average, not one. This is a fundamentally different compute pattern from everything shipping in production today. The Numbers Metric Value Tokens/sec (H100, FP8, low batch) 1,100+ Tokens/sec (RTX 5090) 700+ Total parameters 25.2B (marketed as 26B) Active parameters at inference 3.8B MoE expert config 8 active / 128 total VRAM required (quantized) 18 GB Canvas (block) size 256 tokens Tokens committed per forward pass ~15-20 Max denoising steps 48 Context window 256K tokens License Apache 2.0 For context: comparable autoregressive models on the same H100 generate roughly 200-250 tokens/sec. DiffusionGemma is up to 4x faster on throughput. The jump comes from shifting the decode bottleneck from memory bandwidth to compute. Why the Architecture Matters DiffusionGemma is a 26B Mixture of Experts (MoE) model built on the Gemma 4 backbone, but it replaces the autoregressive decoder with a diffusion head . How a single generation works: The model initializes a 256-token block with random placeholder tokens It runs up to 48 denoising steps, refining all tokens simultaneously with bidirectional attention (every token attends to every other token in the block) Token
AI 资讯
Podcast: Craig McLuckie on Culture as a Team's Operating System in the AI Era
In this podcast, Shane Hastie, Lead Editor for Culture & Methods spoke to Craig McLuckie, co-creator of Kubernetes and CEO of Stacklok, about the impact of AI coding tools on open source communities and engineering teams, designing deliberate organisational culture, and navigating evolving career paths for engineers in the age of AI. By Craig McLuckie
AI 资讯
Build Your Own AI Medical Assistant: Automating Health Report Analysis with AutoGPT & OpenAI
Ever stared at a physical examination report and felt like you were reading ancient hieroglyphics? "Elevated Serum Triglycerides"? "Hypoechoic nodule"? The immediate urge is to Google it, only to be convinced by WebMD that you have three days to live. In the world of AI Agents and Healthcare Automation , we can do better. Today, we are building an AI Physician Assistant using the AutoGPT protocol. This isn't just a chatbot; it’s an autonomous agent capable of parsing complex medical data, searching verified medical encyclopedias via SerpApi , and even cross-referencing hospital schedules to suggest the right department for a follow-up. By leveraging the OpenAI API and Pydantic for structured data validation, we are moving from "chatting" to "doing." If you're looking for more production-ready patterns or advanced AI implementation strategies in healthcare, definitely check out the deep-dive articles at * WellAlly Tech Blog * . The Architecture: How the Agent "Thinks" Unlike a standard LLM call, an autonomous agent operates in a loop: Perception -> Reasoning -> Action -> Observation . Here is how our AI Assistant handles a medical report: graph TD A[User Uploads Report/Text] --> B{Pydantic Parser} B -->|Structured Data| C[AutoGPT Agent Core] C --> D[Search Tool: SerpApi] D -->|Medical Context| C C --> E[Reasoning: Match Symptoms to Dept] E --> F[Tool: Hospital Schedule API] F -->|Availability| G[Final Recommendation & Appointment Plan] G --> H[User Notification] Prerequisites To follow this advanced tutorial, you’ll need: Python 3.10+ OpenAI API Key (GPT-4o recommended for reasoning) SerpApi Key (to search Google Scholar/Medical Databases) Pydantic for data modeling Step 1: Defining the Medical Schema (Pydantic) The biggest challenge in medical automation is data integrity . We cannot allow the AI to hallucinate vital signs. We use Pydantic to ensure the agent only proceeds if the data matches our schema. from pydantic import BaseModel , Field from typing import List
AI 资讯
I Had 6 Side Projects Open in One Browser Window. Here's What That Was Costing Me.
I Had 6 Side Projects Open in One Browser Window. Here's What That Was Costing Me. I counted once, on a normal Tuesday. 41 tabs, one window, six different side projects. A repo here, a localhost there, a Stripe dashboard, two Notion pages, a half-read Stack Overflow thread I was scared to close. I was using a tab manager to hold it all together. Save the session, restore it later, feel organized. It worked, in the sense that nothing got lost. But something was off, and it took me a while to name it. The tab manager was keeping my tabs. It was not keeping my projects. And the gap between those two things was quietly costing me. The number that bothered me I did a rough audit of one week. Every time I sat down to work on a project, I had to reconstruct where I was. Which task was next? When was that thing due? Where did I save that reference last month? The tabs were there, but the answers were not in the tabs. I timed it loosely. Five to ten minutes of "wait, where was I" at the start of every session, multiplied across six projects, multiplied across a week. Call it an hour, maybe more, spent just getting back to the surface before any real work started. An hour a week is not a catastrophe. But it was an hour spent doing something a tool should do for me, and the friction was enough that I started avoiding the projects with the most tabs. The cost was not really the time. It was that the heaviest projects felt the worst to open, so I opened them least. Why the tab manager could not fix this Here is the thing I had to admit. A tab manager is excellent at one job: saving and restoring tabs. It is not built to know anything about the project those tabs belong to. A tab is a URL. A project is a URL plus: A task that is due Friday A reference I saved three weeks ago and need again now A subscription renewing on the 14th A sense of what I actually shipped last time I worked on it When all of that lives outside the tab manager, in a to-do app, a notes file, my memory, rest