About
Software Engineer focused on supporting large-scale software systems.
Dedicated to…
Dedicated to…
Activity
1K followers
-
Boran Şeref reposted thisBoran Şeref reposted this🚨 URGENT: I can't write much..... but... the largest supply chain compromise in npm, Inc. history just happened, packages with a total of 2 billion weekly downloads just got turned malicious..... Packages were compromised 1 hour ago. Please share urgently ansi-styles (371.41m downloads per week) debug (357.6m downloads per week) backslash (0.26m downloads per week) chalk-template (3.9m downloads per week) supports-hyperlinks (19.2m downloads per week) has-ansi (12.1m downloads per week) simple-swizzle (26.26m downloads per week) color-string (27.48m downloads per week) error-ex (47.17m downloads per week) color-name (191.71m downloads per week) is-arrayish (73.8m downloads per week) slice-ansi (59.8m downloads per week) color-convert (193.5m downloads per week) wrap-ansi (197.99m downloads per week) ansi-regex (243.64m downloads per week) supports-color (287.1m downloads per week) strip-ansi (261.17m downloads per week) chalk (299.99m downloads per week) I'll give a more detailed post later... 😬 #malware #npm #supplychain #infosec #appsec #applicationsecurity
-
Boran Şeref reposted thisBoran Şeref reposted thisThat's why "vibe coding" for non-technical people will not work. Imagine this: you're not a software engineer. You code "in plain English" just by interacting with an LLM. You don't review the generated output as you don't have the skills to do it. You push this stuff in a production app - maybe even a successful one. Then this happens... As a software engineer, this is definitely not a problem: I review the generated code line by line, see what makes sense and what doesn't, then fix it manually or reiterate with the agent. The agent is doing the boring part, but I'm the pilot. My bet is that software engineers will have more work, not less, in the upcoming years ;) P.s. screenshot just generated from my last interaction with Cursor.
-
Boran Şeref reposted this« The ones who rely most on ChatGPT are the first to be replaced by it. » My counterpoint: To even use ChatGPT properly in a non-trivial project, you need a lot of skills. Yeah. You might vibe code a web app in a few days. But if you are not skilled, then it will just be filled with technical debt. And your project will fall under its own weight soon enough. Writing code is only the bottleneck for small projects. As the project becomes sufficiently large, writing the code becomes the trivial part... and engineering decisions become ever more critical.Boran Şeref reposted thisIn praise of getting stuck: Listen and think - part IIIn praise of getting stuck: Listen and think - part II
-
Boran Şeref reposted thisBoran Şeref reposted thisIf shifting security left is the silver bullet, why does it still feel like we’re getting lit up in a corporate firing squad? Shift left was supposed to save us. Catch bugs early. Save money. Ship flawless code with angelic choirs singing through the CI/CD pipeline. That’s what the suits preached in 2015, when DevOps became gospel. The pitch: fix early, avoid disasters later. Sounds smart until you meet the folks doing the work. Spoiler: they’re drowning. Security teams parachuted into sprints like substitute teachers in a chem lab explosion. Expected to turn devs into security wizards with a few slides and a lunch session. The devs? Buried in sprints, choking on Jira, judged by how fast they ship broken features. So now what? We’ve got a flaming dumpster rolling downhill with corp logos on the side. Tickets vanish. Static analysis tools scream like smoke alarms in a dorm kitchen. Security champions get crowned, then ignored. Lunch-and-learns feel like time theft. Security’s the backseat driver yelling slow down while product’s flooring it toward a cliff. And here’s what no one puts on the dashboard: this isn’t shifting left. It’s shifting blame and hoping no one reads the postmortem. We act like a few hours of training turns coders into encryption sorcerers. That’s fantasy. Might as well hand out CPR manuals and ask them to do open-heart surgery during deploy. Security tickets? Buried under features, duct-taped to hotfixes, or left to rot in backlogs untouched since the Obama era. Speed wins. Security’s the blocker. The hero is the one who ships a barely-working feature five minutes before the investor demo. Security teams, for all their Slack-thread diplomacy, have zero power. They escalate, but once the app catches fire, it’s finger-pointing bingo. And the tools? Loud, brittle, misconfigured. False positives flood inboxes. Devs learn to hit dismiss faster than commit. Worst part? It looks great on paper. Clean dashboards. Tickets marked done. Everyone high-fiving their own PRs while vulnerable code ships like discount fireworks. So what works? Security engineers need to live in dev teams. Not as compliance cops, but builders. People who write code under pressure and can bake security in instead of stapling it on. Stop rewarding speed over safety. We’ll fix it later just means don’t get breached before IPO. Make the secure way the easy way. Use libraries, and workflows that make good choices easier. Treat developers like grown-ups. They want to build good things. But pride doesn’t survive under vague tickets, broken tools, and meetings that treat them like kids. Security needs real backing. Money, headcount, and a leader willing to say no when the feature’s garbage and the timeline’s suicidal. So here’s the real question: If shift-left was supposed to stop the shooting, why are we still bleeding out? A more detailed article is here https://lnkd.in/dnzRejdmThe Cult of Shift Left Security: Why It Sounds Great but Fails in Practice - SV EOTIThe Cult of Shift Left Security: Why It Sounds Great but Fails in Practice - SV EOTI
-
Boran Şeref reposted thisBoran Şeref reposted thisIf you're building AI agents that operate on live infrastructure, Google just published a must-read security blueprint. Here’s the TL;DR 👇 As someone on a team that’s building infra-level AI agents every day, the parts that stuck out the most from this article were: 👉 Agents aren’t dangerous because they’re smart. 👉 They’re dangerous because they’re unpredictable. The same inputs don’t always yield the same outputs. A single prompt injection can turn helpful automation into real-world damage. Their toolchains can touch real-world systems: * Provision infra * Deploy code * Delete data * Wire funds * Expose secrets These aren’t just harmless copilots writing code… they’re agents holding privileged API keys. In the white paper, Google breaks agent risks into two buckets: 1️⃣ Rogue actions The model gets steered into executing harmful plans. (“Delete the prod cluster.”) 2️⃣ Sensitive data disclosure The model gets tricked into leaking private information. (Accidentally expose customer PII in a reply.) Google’s proposed defense is a hybrid stack that maps almost perfectly to how we already secure microservices: ✅ Deterministic policy engine: block bad tool calls before they happen (API gateways, OPA, Cedar) ✅ Reasoning-based defenses: add LLM-native guards to detect subtle prompt attacks (adversarial evals, Sec-PaLM, guardrails) ✅ Continuous assurance: regression tests, red-teaming, variant testing, observability The real insight for builders is this: securing AI agents isn’t about inventing entirely new paradigms. It’s about applying the discipline we already know with even more rigor. Limit what they can do. Make every action observable. Treat every agent like an untrusted junior SRE with a badge. I highly recommend reading the entire Google article when you’ve got the time! I’ll put the link in the comments.
-
Boran Şeref reposted thisBoran Şeref reposted this"[Azure's AI SRE agent] seems to be geared toward pushing actions on the user, and it’s very easy to click that 'Approve' button..." Yikes 😬 SRE Weekly's curator, Lex Neva, wrote a post about the Azure SRE Agent over the weekend that highlighted a few pieces of the demo that I personally find a bit scary (🔗 in comments). In particular… “Right out of the gate, the AI has drawn an obviously incorrect conclusion from the data that it presented. Is it then basing the rest of its investigation on this erroneous conclusion?” Then: "It finds a suspicious rule that it claims prevents the app from reaching its Redis database and jumps right to removing the rule: 'I will remove this rule to restore connectivity and then verify the app’s health'." It’s a timely reminder that AI agents in production can go from “cool demo” to “delete your firewall rules” real fast. Unless we build them right, of course. Simply put: ✅ AI-powered incident response is the future. BUT ❌ It shouldn’t come from vendors’ pre-built agents. 👉 AI SRE agents need to come from the builders who know THEIR OWN infrastructure, risks, and priorities 👈 Because no vendor agent can understand the context that makes your system YOURS. They can guess. They can generalize. But they can’t know what matters in your stack unless you give them that knowledge. That’s why I believe the future of AI in SRE is open infrastructure knowledge graphs + custom agents. That means: 🔒 Tools you own. 🤝 Logic you trust. 🖊️ Decisions you can trace and audit. This is what we’re exploring with our OSS infra knowledge graph. I’d love to get some feedback from others working on similar challenges around building AI agents. Drop a comment to let me know how you’re tackling building your own agents that understand your infra. What’s working? What’s not? What tools are you using? 🤔
-
Boran Şeref reposted thisBoran Şeref reposted thisPrediction: In the near-future, we will see a new job type. The "AI Slop Salvager". It will be a software developer type role, and they will get panicked calls from customers' who were using their vibe-coded app that was developed by someone who wasn't a developer. The app would have gone to production, been in use for some time, before having some kind of critical problem. The original creator of the app would have left, or given up. The slop salvager will have to leaf through the lengthy and verbose code that Cursor or Junie had produced, to try to work out what it was actually doing, and to see if the issue can be resolved. It may be possible to fix it cleanly, or a bit hacky, or, worst case, necessitate a rewrite. I feel like we already went through this once with things like Access databases, with developers' migrating to more resilient solutions. But I think we'll have to do it again to help companies with all of their AI-generated apps that don't work quite as well as they should.
-
Boran Şeref reposted thisBoran Şeref reposted thisThe backend engineering goal is simple. • Clean code. • Scalable solutions. • Straightforward architecture But here’s the truth: Simplicity is earned. You can’t design clean systems until you’ve seen poor ones. You won’t appreciate good architecture until you’ve felt the pain of bad decisions. To build simple solutions, you have to understand the complexity first. That’s the path. Illustration by: Ash Lamb
Boran Şeref commented on a post
3w
What if they did both? like pushed to their private git servers, at the same time involved in public repositories.
If you think what you're doing is worth publishing, then publish. This wouldn't hold you back compared to a candidate whose work is fully private. Rather, it'd push you forward imo
Experience & Education
-
Red Hat
View Boran’s full experience
See their title, tenure and more.
or
Licenses & Certifications
Languages
-
Türkçe
Native or bilingual proficiency
-
English
Full professional proficiency
-
Czech
Elementary proficiency
Organizations
-
Turkiye Bilişim Dernegi
Member
- Present -
IEEE
Member
- -
DevOps Istanbul Meetups
Member
Recommendations received
1 person has recommended Boran
Join now to viewOther similar profiles
Explore top content on LinkedIn
Find curated posts and insights for relevant topics all in one place.
View top content