Brought to You By:

•⁠ Statsig ⁠ — ⁠ The unified platform for flags, analytics, experiments, and more.

•⁠ Linear ⁠ — ⁠ The system for modern product development.

—

How have servers and the cloud evolved in the last 30 years, and what might be next? Bryan Cantrill was a distinguished engineer at Sun Microsystems during both the Dotcom Boom and the Dotcom Bust. Today, he is the co-founder and CTO of Oxide Computer, where he works on modern server infrastructure.

In this episode of The Pragmatic Engineer, Bryan joins me to break down how modern computing infrastructure evolved. We discuss why the Dotcom Bust produced deeper innovation than the Boom, how constraints shape better systems, and what the rise of the cloud changed and did not change about building reliable infrastructure.

Our conversation covers early web infrastructure at Sun, the emergence of AWS, Kubernetes and cloud neutrality, and the tradeoffs between renting cloud space and building your own. We also touch on the complexity of server-side software updates, experimenting with AI, the limits of large language models, and how engineering organizations scale without losing their values.

If you want a systems-level perspective on computing that connects past cycles to today’s engineering decisions, this episode offers a rare long-range view.

—

Timestamps

(00:00) Intro

(01:26) Computer science in the 1990s

(03:01) Sun and Cisco’s web dominance

(05:41) The Dotcom Boom

(10:26) From Boom to Bust

(15:32) The innovations of the Bust

(17:50) The open source shift

(22:00) Oracle moves into Sun’s orbit

(24:54) AWS dominance (2010–2014)

(28:15) How Kubernetes and cloud neutrality

(30:58) Custom infrastructure

(36:10) Renting the cloud vs. buying hardware

(45:28) Designing a computer from first principles

(50:02) Why everyone is paid the same salary at Oxide

(54:14) Oxide’s software stack

(58:33) The evolution of software updates

(1:02:55) How Oxide uses AI

(1:06:05) The limitations of LLMs

(1:11:44) AI use and experimentation at Oxide

(1:17:45) Oxide’s diverse teams

(1:22:44) Remote work at Oxide

(1:24:11) Scaling company values

(1:27:36) AI’s impact on the future of engineering

(1:31:04) Bryan’s advice for junior engineers

(1:34:01) Book recommendations

—

The Pragmatic Engineer deepdives relevant for this episode:

• Startups on hard mode: Oxide. Part 1: Hardware

• Startups on hard mode: Oxide, Part 2: Software & Culture

• Three cloud providers, three outages: three different responses

• Inside Uber’s move to the Cloud

• Inside Agoda’s private Cloud

—

Production and marketing by ⁠⁠⁠⁠⁠⁠⁠⁠https://penname.co/⁠⁠⁠⁠⁠⁠⁠⁠. For inquiries about sponsoring the podcast, email podcast@pragmaticengineer.com.

Brought to You By:

•⁠ Statsig ⁠ — ⁠ The unified platform for flags, analytics, experiments, and more.

•⁠ Linear ⁠ — ⁠ The system for modern product development.

—

Michelle Lim joined Warp as engineer number one and is now building her own startup, Flint. She brings a strong product-first mindset shaped by her time at Facebook, Slack, Robinhood, and Warp. Michelle shares why she chose Warp over safer offers, how she evaluates early-stage opportunities, and what she believes distinguishes great founding engineers.

Together, we cover how product-first engineers create value, why negotiating equity at early-stage startups requires a different approach, and why asking founders for references is a smart move. Michelle also shares lessons from building consumer and infrastructure products, how she thinks about tech stack choices, and how engineers can increase their impact by taking on work outside their job descriptions.

If you want to understand what founders look for in early engineers or how to grow into a founding-engineer role, this episode is full of practical advice backed by real examples

—

Timestamps

(00:00) Intro

(01:32) How Michelle got into software engineering

(03:30) Michelle’s internships

(06:19) Learnings from Slack

(08:48) Product learnings at Robinhood

(12:47) Joining Warp as engineer #1

(22:01) Negotiating equity

(26:04) Asking founders for references

(27:36) The top reference questions to ask

(32:53) The evolution of Warp’s tech stack

(35:38) Product-first engineering vs. code-first

(38:27) Hiring product-first engineers

(41:49) Different types of founding engineers

(44:42) How Flint uses AI tools

(45:31) Avoiding getting burned in founder exits

(49:26) Hiring top talent

(50:15) An overview of Flint

(56:08) Advice for aspiring founding engineers

(1:01:05) Rapid fire round

—

The Pragmatic Engineer deepdives relevant for this episode:

• Thriving as a founding engineer: lessons from the trenches

• From software engineer to AI engineer

• AI Engineering in the real world

• The AI Engineering stack

—

Production and marketing by ⁠⁠⁠⁠⁠⁠⁠⁠https://penname.co/⁠⁠⁠⁠⁠⁠⁠⁠. For inquiries about sponsoring the podcast, email podcast@pragmaticengineer.com.

Brought to You By:

•⁠ Statsig ⁠ — ⁠ The unified platform for flags, analytics, experiments, and more. Statsig are helping make the first-ever Pragmatic Summit a reality. Join me and 400 other top engineers and leaders on 11 February, in San Francisco for a special one-day event. Reserve your spot here.

•⁠ Linear ⁠ — ⁠ The system for modern product development. Engineering teams today move much faster, thanks to AI. Because of this, coordination increasingly becomes a problem. This is where Linear helps fast-moving teams stay focused. Check out Linear.

—

As software engineers, what should we know about writing secure code?

Johannes Dahse is the VP of Code Security at Sonar and a security expert with 20 years of industry experience. In today’s episode of The Pragmatic Engineer, he joins me to talk about what security teams actually do, what developers should own, and where real-world risk enters modern codebases.

We cover dependency risk, software composition analysis, CVEs, dynamic testing, and how everyday development practices affect security outcomes. Johannes also explains where AI meaningfully helps, where it introduces new failure modes, and why understanding the code you write and ship remains the most reliable defense.

If you build and ship software, this episode is a practical guide to thinking about code security under real-world engineering constraints.

—

Timestamps

(00:00) Intro

(02:31) What is penetration testing?

(06:23) Who owns code security: devs or security teams?

(14:42) What is code security?

(17:10) Code security basics for devs

(21:35) Advanced security challenges

(24:36) SCA testing

(25:26) The CVE Program

(29:39) The State of Code Security report

(32:02) Code quality vs security

(35:20) Dev machines as a security vulnerability

(37:29) Common security tools

(42:50) Dynamic security tools

(45:01) AI security reviews: what are the limits?

(47:51) AI-generated code risks

(49:21) More code: more vulnerabilities

(51:44) AI’s impact on code security

(58:32) Common misconceptions of the security industry

(1:03:05) When is security “good enough?”

(1:05:40) Johannes’s favorite programming language

—

The Pragmatic Engineer deepdives relevant for this episode:

• What is Security Engineering?

•⁠ Mishandled security vulnerability in Next.js

•⁠ Okta Schooled on Its Security Practices

—

Production and marketing by ⁠⁠⁠⁠⁠⁠⁠⁠https://penname.co/⁠⁠⁠⁠⁠⁠⁠⁠. For inquiries about sponsoring the podcast, email podcast@pragmaticengineer.com.