From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

IT Brew

Software Development

Brianna Monsanto

itbrew.com

Life is full of trade-offs. A late-night Uber may get you home faster, but for a higher price than walking. A pair of cute heels may win you compliments, but can hurt your feet…and AI coding may speed up development, but can open your software to large security risks.

 from agentic application security platform Apiiro suggests AI coding assistants might speed up developers’ workflow at a hefty security-related cost.

Apiiro researchers examined code from thousands of code repositories produced by developers from Fortune 50 companies. They concluded that AI-assisted developers produced 3-4 times more commits than regular coders, but had fewer push requests, a crucial part of the coding process that enables other team members to review code.

“If the pull request is very large [and] it contains a lot of code, it’s really hard to do a proper review because it overloads the security review that you need to do,” Apiiro Product Manager Itay Nussbaum told IT Brew.

Apiiro researchers also claim that while AI-written code had significantly fewer syntax errors and logic bugs, it often opened the door to much larger issues. 

 paths increased 322% in AI-assisted coding compared to standard-written code. Meanwhile, architectural design flaws jumped 153%.

“In other words, AI is fixing the typos but creating the timebombs,” the report wrote. “That makes reviews and automated scans less effective, and raises the stakes for context-aware analysis at design and code time.”

As of June, Apiiro said AI code produced 10,000 new security findings per month, a ten-fold uptick since December 2024.

Apiiro’s research echoes several concerns around AI-assisted coding as it continues to make waves across the industry. IT Brew has previously reported on the 

Quentin Rhoads-Herrera, VP of security services at Stratascale, told IT Brew that he leverages AI-assisted coding in his personal life and has seen firsthand the risks that come with it.

“I’ve seen pretty much everything I’ve coded as a hobby has vulnerabilities in it because it’s just giving me working code to my exact request, not looking at what the best practices are,” Rhoads-Herrera said.

Nussbaum said AI-assisted developers should make sure they have protective mechanisms in place, such as automating the security review process, to protect themselves from vulnerabilities.

Rhoads-Herrera also advised AI-assisted teams to continue to keep the human in the loop: “The human review of all the code is still very critical.”

Opened ai hand with falling red binary code and scattered red arrows.

AI is fixing coding typos, but creating ‘timebombs’: report

As of June, AI code produced 10,000 new security findings per month, according to research from Apiiro. 

Caroline Nihill

Pat Casey, the chief technology officer and EVP of development operations at ServiceNow, wasn’t always a technologist.

He first went to college to be an engineer, but switched his major to biology after becoming disillusioned with engineering and realizing, “I could spend my whole career in the US, and you built like one bridge. It just wasn’t a lot of infrastructure, in my perception, being built.”

Casey later pursued a PhD program for neurophysiology while working at Aldus PageMaker, a desktop publishing company. Aldus, which was later bought by Adobe, put Casey to work in IT. He would install mail onto a computer, reset someone’s password, or help another to figure out why their C drive wasn’t working.

“I remember I woke up one morning, sometime [in] my second year as a graduate student, and I was just in this horrible mood,” Casey said. “Then I realized I had my days wrong, it’s actually one of the days I was going into the office…My mood lifted. I’m suddenly looking forward to the day.”

Shortly after this epiphany, Casey dropped out of the neurophysiology program and took a full-time position at Aldus.

Casey found himself working for Adobe in Seattle. He said that others had told him the dreariness of the Pacific Northwest was going to get to him, but he figured that was just to keep Californians from moving there.

By the second winter, the weather was starting to get to him.

“The weather was so depressing for me, I don’t know a better way to put it,” Casey said. “It got so bad that I would actually get in my car and I would drive out to the top of the Snoqualmie Pass just to get in the sun, like stop at the side of the road.”

A friend of Casey’s got in touch with him because their software company Peregrine Systems in San Diego was hiring in its engineering department. Casey said the weather in San Diego was appealing, and that “I’d love to be in engineering instead of IT.”

Fred Luddy, who was serving as Peregrine’s chief technology officer, interviewed Casey for the position. Luddy would later begin ServiceNow, where Casey now works.

Luddy was inspired to begin ServiceNow after working for Modernfold Doors, where he worked on the order entry system. Luddy worked to automate the process for putting orders in their system and presented it to an employee whose job it was to manually type in delivery addresses.

“For [Luddy], that was a trivial piece of work, for her, that had meaningfully changed her life for the better,” Casey said.

After working at Peregrine for a few years, Casey decided to start his own company writing maintenance management software.

Casey sold the company he started to the Peregrine customer base because he knew them and because it was a reseller group. The company would sell his product, and both he and Peregrine would profit.

“Hopefully, everybody won, including the customers,” Casey said.

He said that for the first six months of working on his own, it was “glorious.” As a “super strong introvert,” he was productive, but also felt himself going into a “small hole of introversion.”

“I realized that, independent of the economics of it, I needed to be in a working environment to have people around me, which was really important—at least it was for me,” Casey said.

“I think I have a really strong need to have other people in my life…For me, being at work, it’s one of the ways I get to meet people.”

Casey joined ServiceNow in 2004, motivated by what Luddy was doing at the company and that Casey would get to work with people again, “as opposed to working with myself from the couch.”

Casey also said he didn’t join the company “because my goal in life is to be part of a really successful, multi-billion dollar software company.” He said that it was important for him to work in an environment with a positive culture, and that “the work we were doing helped a human being.”

Michele Richards, the SVP of impact engineering at ServiceNow and the 

(a group of technical or technical-adjacent employees who aim to help customer experience) project management officer, said that after being at the company for 10 years, Casey has taken on larger, public roles over time.

“Now he’s on stage…and he’s really accepted, as his role has grown, that people do want to see him,” Richards said. “If he’s in the UTG Connect and you’re in a social event, he will really work the room.”

“He has really grown from being a real introvert, hands on keyboard [and] head down, to being this impressive leader.”

How a "super strong introvert" rose to lead a major tech company

 ServiceNow’s co-founder, chief technology officer, and EVP of dev ops talks changing careers, changing careers and more

How a ‘super strong introvert’ rose to lead a major tech company

The White House released long-awaited AI guidance in July, and it’s a mixed bag. While the Trump administration’s “anti-woke” executive order takes aim at perceived diversity, equity, and inclusion (DEI) initiatives in the development of large language models, IT pros who spoke with IT Brew were pleasantly surprised to find a focus on open source in its separate AI action plan.

According to the EO signed by President Trump, DEI in regard to AI is considered the “suppression or distortion” of factual information about race or sex. It continues: “DEI displaces the commitment to truth in favor of preferred outcomes and, as recent history illustrates, poses an existential threat to reliable AI.” The Associated Press 

 the order as an attempt at censorship, and noted that it “still faces a study period before it gets into official procurement rules.”

Asad Ramzanali, the current director of AI and tech policy at the Vanderbilt Policy Accelerator and former official at the White House Office of Science and Technology Policy under President Biden, told IT Brew that he imagines the implementation of the “anti-woke” order may look like a government-established test for systems.

“I worry that in the hope of creating neutrality, you just mandated an ideological purity test,” Ramzanali said. “I’m allowed to have a political view, you’re allowed to have a political view, your company can have a political view. That’s really tricky to push companies ostensibly through procurement to meet some kind of neutrality.”

While experts maintain that the anti-woke EO that follows the action plan’s release is concerning, they also agree that the administration’s positioning toward open-source models is a benefit to the private sector.

Seemingly more substantive guidance on AI is outlined in the administration’s action plan, titled “Winning the Race,” which points to the government’s ability to “accelerate the maturation of a healthy financial market for compute” through collaborating with industry and using other vehicles in the federal space, like the National AI Research Resource Pilot and the National Institute of Standards and Technology, for open-source models.

The administration recommends ensuring access to “large-scale computing power for startups and academics by improving the financial market for compute. Currently, a company seeking to use large-scale compute often must sign long-term contracts with hyperscalers—far beyond the budgetary reach of most academics and many startups.”

The action plan further states that the US has “solved this problem before” through spot markets (when assets are purchased or sold immediately without a long-term commitment) and forward markets (where contracts are made to purchase or sell assets at a determined price in the future). This is in concert with the industry and government approach the administration believes can hasten the maturation of a healthy market for compute.

the action plan focuses on infrastructure and diplomacy—pointing directly toward encouraging both open-source and open-weight models.

 webpage points to releasing open-source software as a benefit from the standpoint of having more perspectives. It states that open-source work has “benevolent results” but it is not “an act of charity.” It goes on to say that having an open-source approach can yield higher returns than the initial investment.

, however, pointed to open-source software as having limited support and functionality, compatibility issues, and more. It looks to open-source security risks, as well, if the software is maintained incorrectly—specifically, vulnerabilities can allow attackers to access sensitive information or take control of a system.

Policy and industry experts, like Travis Hall, the director for state engagement at the nonprofit and nonpartisan Center for Democracy and Technology and Dhruv Patel, CEO of Syncurrent—a company that provides digital services to match local governments to grants—point to the action plan’s stance on open source as a positive for the market.

Hall highlighted the open-source and open-weight systems of the action plan as a potential positive.

“I think that this is a big deal, particularly for industry and IT professionals, because there have been debates…on whether or not open systems should be allowed, whether they can be exported, whether there should be expert controls on model weights or open-source systems,” Hall said. “It means that the tendency towards large model, proprietary systems being the only thing that is available is not going to be the case.”

Hall believes this aspect of the plan is a “pro-competitive move that will help IT professionals in particular” through having a broader set of choices than what is currently available—like those provided by Linux, WordPress, and Android. He also said that IT pros can benefit from having the ability to use open-source systems and “innovate on their own.”

“Everybody knows that open-source software is available, it is a thing,” Hall said. “It hasn’t made commercial proprietary software go away, but it does help to diversify the ecosystem and also help support a more competitive ecosystem.”

Patel told IT Brew that those who adopt open-source models will be impacted, but said he doesn’t know if it’s “for the better or for the worse.”

“Right now, I lean more good than bad, particularly because of the emphasis on supporting open source and supporting open models, as opposed to not,” Patel said.

He continued: “For tech businesses, for tech startups, it’s incredibly important that we have robust open-source models. But even more so for nutritional IT tech-enabled businesses, businesses that don’t directly have a fingerprint in tech but they’re tech-enabled.”

Trump administration’s AI plan takes aim at ‘anti-woke’ large language models

The action plan, released at the end of July, also contains language in support of ensuring access to open models for startups and academics.

Billy Hurley

Software engineer Joshua McKenty had worked on enough open-source projects by 2010 to know that the Global Earthquake Model (GEM) was not on a path to being open source.

With stints at NASA, Netscape, and a consultancy leveraging open-source tech, McKenty had experience designing publicly collaborative code, using a shared, continuous-release philosophy known as 

He and the earthquake scientists knew their teams could use a little Agility.

Helen Crowley, former researcher and GEM’s secretary general, said scientists at the time only 

“For us, it meant maybe you would make your software available somewhere at the end, once it was ready for other people to look at. But I think what Josh really explained to us is that it had to be 

McKenty shared how he helped to turn GEM—and develop its software engine OpenQuake— into an open-source, community-driven initiative, literally bringing together two teams that hadn’t always shared the same spaces: developers and scientists. The process involved a lot of Agile, which in theory meant iterative development and in practice meant offsites in the mountains and paired programming at desks.

“I focused a lot more on cultural transformation, rather than just, ‘Let’s produce software and feel proud of ourselves,’” he told us.

In 2010, McKenty was asked to review the then-in-progress Global Earthquake Model, which at the time was on year two of a five-year grant.

The GEM team wanted to create an open-source model to estimate earthquake-related impact and calculate human or economic losses for a collection of assets—the kind of tool that could help everyone from city planners to insurance providers.

“You need to have a first release now, not at the end of five years, so that you build a community around the software,” he remembers. That meant changing development practices.

McKenty took a six-month contract as interim secretary for IT—moving to Italy and occasionally commuting to the GEM office in Switzerland.

The definition of software, McKenty says, is it will be wrong—often because of a communication problem between the person with the problem and the engineer building the solution.

And that lack of cooperation exists at a wide range of organizations, not just the ones making earthquake models.

A global survey of 3,500 developers, published in July by Atlassian, found 55% of knowledge workers had difficulty tracking down information despite knowing a lot of people at their job,” and 56% said their companies “plan and track in different ways, which makes it hard to collaborate.”

Principles in the Agile manifesto, created in 2001, include tenets like delivering working software frequently, collaborating with business and developers, and reflecting regularly.

McKenty saw an occasional lack of agility (there’s that word again) in the methods of scientists, who often need their software to work just once in a lab, McKenty said. An 

, however, had to work constantly for a world of contributors.

In those six months, McKenty shook up the team, focusing on collaboration. It was not uncommon for a scientist and programmer to pair up on a task like simulating the shaking of the Earth. With this setup, no one had to wait for an email about which of a library’s many algorithms best resembled earthquake movement.

“You understand the science and I understand the software, and let’s make that work minute by minute, instead of month by month, or requirement by requirement,” he told us.

With McKenty at the helm, GEM’s team of coders and scientists produced a new feature or version every two weeks—what Agility proponents often call “sprints.”

Crowley remembers an offsite code sprint in Switzerland—“a weekend featuring lots of couches and pizza and just a good atmosphere.”

During McKenty’s tenure, the team had 20 or 30 releases, McKenty said, that culminated in OpenQuake 1.0’s release in 2013.

The GEM Foundation’s OpenQuake has been used in recent years to determine risk profiles for public schools in Peru, roads in Solomon Islands, and buildings in San Francisco. In December 2018, GEM “

 with a total of 30 national and regional seismic hazard models.”

“I am more proud of OpenQuake than anything else I’ve ever worked on, because I spent six months and I got the community in this sort of shape, and I let it go,” he said.

McKenty is currently CEO at fraud prevention company Polyguard.

Agile, as a practice, is hanging in there, even as the idea of paired programming these days might involve a vibe coder and their LLM.

 from this year polled global pros with knowledge of their company’s Agile practices and found that 61% of respondents have been using Agile practices for over five years, and 24% have deployed them within the last three years.

The ability to work in agile, cross-functional teams is increasingly important to IT pros, according to McKenty, who sees the source of good, working software as a collaboration between human teams talking to each other, sharing spaces, and trying to close up a gap that’s always open.

“I think that’s the definition of every software project; usually the product owners or the customer have an understanding of what they want, but not how to make it happen, and the software team has an understanding of how to make it happen, but not actually what they want. And so building good software is about being able to communicate across that divide.”

How to build an earthquake model: Bring scientists and software engineers together (literally)

 Joshua McKenty shares his Agile approach with Global Earthquake Model (GEM).

The link between music and math has been long known; musical notes are the representation of vibrations and frequencies, which math quantifies. The art of music—the way it makes us feel—is how our brains recognize and translate patterns and then translates them into feeling and emotion.

Adam Ribaudo, an artist and IT professional, said that he’s always felt an intuitive link between math and music, specifically when it comes to intuition and harmonies.

“There needs to be some sort of intuition and some mental map of how notes relate to each other,” Ribaudo said. “That mental map can then be transferred more easily to mathematical or some technical concepts where you’re searching in your brain for those harmonic registries.”

Technology, says composer, musician, and technologist Chester Jankowski, is about turning abstractions into patterns. So it’s not all too surprising, then, that musicians frequently make great technologists, coders, and IT professionals, according to 

. Each organization points to how musical artists think and problem solve logically and mathematically.

Jankowski and Ribaudo, along with other musicians who work in IT, say that the overlaps between logic and creativity assist them in both composing code and music. In order to improvise in music, for example, you have to know the foundation of music—how notes and keys work, etc. The same holds true in IT: In order to fix a system, you have to know the infrastructure.

When Wolfgang Wedemeyer, a ServiceNow senior staff software engineer and musician, is in the midst of working or composing, he doesn’t always see the connection between his expertise in music and software until later. Once he’s reflected on an experience, he can begin to connect the two.

“I get into a very similar flow state when I’m working creatively on music and when I’m also working on solving some of the harder software problems,” Wedemeyer said. “When it comes to theory and rules and patterns and all that sort of stuff, I find there’s similarities between doing parallel programming and working on harmonies, where you have to keep multiple things that are happening simultaneously in your head and make them work together in a logical way.”

Jankowski pointed back to the intuition for problem-solving, and said that musicians are often skilled at seeing the “bigger picture.”

“If something’s broken…you could either just go through a checklist and check everything in order, or sometimes you just have this flash of insight,” Jankowski said. “You’re able to go there and retrace your steps.”

Director of software engineering management at ServiceNow,Yaron Guez, told IT Brew that the translation of skills is more subtle. He believes that programming languages and music theory are the same in that both require certain rules to be followed.

“I haven’t had a moment where, because I know this circle of fifths or the way music modes work…that’s going to help me specifically on this programming challenge,” Guez said. “It’s just the same type of problem-solving, or rather, the same type of understanding another language.”

Guez said that in encountering different technologists who are also musicians, he finds that those individuals are often the ones where “this isn’t just math to them.”

“Not to say that math doesn’t have creative elements to it—of course, when it comes to proofs and whatnot—but still, they’re not just following a set of instructions and relying on their knowledge and expertise to do it,” Guez said. “They’re using creative problem-solving to figure it out.”

A close-up of a person's hands playing electric guitar chords with AI data patterns overlaid.

What music and coding have in common: Math

“It’s just the same type of problem-solving, or rather, the same type of understanding another language.”

The AI tools industry execs say that can make you more productive may actually be holding you up.

 by AI research nonprofit METR, which found that experienced developers who used AI tools in their workflow took 19% more time to complete assigned tasks.

 The researchers conducted a randomized controlled trial among 16 seasoned developers. Between February and June, the developers completed 246 tasks on popular open-source repositories that they were regular contributors to, such as the Mirror of the Glasgow Haskell Compiler and Hugging Face Transformers library. Participants were able to use any AI tool of choice and were compensated for their time.

Researchers recorded the screens of participants as they completed their assigned tasks. They then used the screen captures, as well as “rich statistics from source-code management systems” and interviews and surveys with participants to better understand the results. Some of the factors researchers attributed to the longer work time included participants overusing AI tools, believing they would improve productivity; existing familiarity with repositories, rendering AI tools less useful; and unsatisfactory outputs, leading participants to spend extra time trying different prompts or tinkering with AI-generated code.

Prior to starting the study, the developers predicted that AI would speed up their completion time by 24%. Their confidence in how much the tools would reduce their workflow fell slightly (20%) after participating in the study.

 The researchers of the study state that the factors they alleged contributed to the discovered slowdown are study-specific, and it should not be assumed that AI tools do not have practical real-world applications.

“These results do not imply that current AI systems are not useful in many realistic, economically relevant settings,” the study’s authors wrote. “Furthermore, these results do not imply that future models will not speed up developers in this exact setting.”

” continues to gain popularity in the industry and developers embrace generative AI and LLMs in their workflows. A 

 found that more than three-fourths (76%) of developers used or planned to use AI tools in the development process last year.

Michael Armstrong, CTO at Authenticx, told IT Brew that the nonprofit’s discovery on AI tools tacking on time for some developers was unsurprising. He said he has personally seen occasional productivity losses when AI tools are introduced due to a variety of reasons, including learning curves, substandard quality, and distractions created by these tools.

“What I’ve observed is you can have a really, really good coder, but if they don’t really understand what they’re trying to solve for…the results are not ideal,” Armstrong said.

Meanwhile, David Murray, CEO of talent platform Confirm, said the study validated what he and his team had experienced in their own workflow slowdowns, citing 

 and developers tinkering with AI-generated code. He said it has influenced how he advises his team to work with AI tools.

“The guidance that we’ve kind of given each other is basically [to] be mindful and give very specific instructions and focus on specific use cases.”

a clock split into three different pieces, like a pie chart

AI coding tools might actually be slowing you down

METR found that seasoned developers took 19% longer to complete tasks when using AI tools.

Anthropic and Meta both won landmark cases concerning copyright infringement in two Northern California district courts in late June, signalling the beginning of the fight on fair use between AI companies and creators.

The law firm McDermott Will & Emery wrote 

 that both companies showed the use of copyrighted materials in LLM training is highly transformative. The decision in the case against Meta also signified a new battleground surrounding market-harm evidence, as the authors were not able to show data that tied the company’s AI, Llama, to a loss in book sales or licensing value.

The post said appeals for the cases are “virtually certain,” and concluded that while companies wait on clearer appellate laws, they should “assume that training on text obtained from dubious sources remains a high-risk activity and that a lack of market-harm evidence may be only a temporary shield.”

Anthropic’s case included the use of pirated material to create its central library, which will be subject to another trial, according to the judge’s decision.

Three authors (Andrea Bartz, Charles Graeber, and Kirk Wallace Johnson) had their work copied by Anthropic through both pirated and purchased sources, according to the filing.

The company used the unauthorized copies to train LLMs and kept library copies in place as a permanent and general-purpose resource, “even after deciding it would not use certain copies to train LLMs or would never use them again to do so.”

Judge William Alsup, who oversaw the case against Anthropic, said that the evidence provided did not prove any non-transformative use of the work through its model, Claude.

“Yes, Claude could help less capable writers create works as well-written as [the plaintiffs’] and competing in the same categories,” Alsup wrote. “But Claude created no exact copy, nor any substantial knock-off. Nothing traceable to [the plaintiffs’] works.”

Alsup said that the use of the books to train Claude was “exceedingly transformative” and was fair use under the Copyright Act.

Judge Vince Chhabria, who oversaw the Meta case, also pointed out that the tech giant’s use of 13 authors’ works was transformative. He 

 that while a company is more likely to be protected by fair use doctrine, there isn’t a rule saying that this “inoculates you from a claim of copyright infringement.”

Chhabria continued that under the fair-use doctrine, the market harm for copyrighted work is “more important than the purpose for which the copies are made.” He continued in the conclusion that Meta’s use of the authors’ works presented no meaningful evidence on market dilution “at all.”

The plaintiffs in this case contended that Llama is capable of reproducing snippets of text from their books and that Meta’s use of their works for training without permission diminished their ability to license work for training LLMs.

“Both of these arguments are clear losers,” Chhabria wrote. “Llama is not capable of generating enough text from the plaintiffs’ books to matter, and the plaintiffs are not entitled to the market for licensing their works as AI training data.”

Anthropic and Meta both win landmark fair-use cases surrounding LLM training

Authors took the companies to court concerning the use of copyrighted materials in LLM training—judges agreed that the tech’s final product was “transformative.” 