Cloud Native & Open Source: A Team Lead’s Working Journal 💻

I’ve already touched the hardened images theme in the past talking how this theme is important in today’s world. Reducing the attack surface of our containers is not just a “nice to have” anymore; it is a fundamental requirement for a secure software supply chain. In an era where vulnerabilities can be exploited within hours of disclosure, starting with a secure base is half the battle. That is why the recent move by Docker is so significant. ...

MITRE released the 2025 CWE Top 25 on December 11, 2025, identifying the most dangerous software weaknesses based on 39,080 CVE Records published between June 2024 and June 2025. The list ranks weaknesses by their frequency as root causes in CVE data and their CVSS severity scores, highlighting persistent threats like XSS and SQL Injection alongside emerging issues such as authorization flaws and memory bugs—key priorities for DevSecOps teams securing modern cloud‑native applications. Explore how the 2025 rankings differ from 2024, the top ten shifts, and what CWE root causes reveal beyond CVE trends. ...

Like your favorite music streaming service’s 2025 Wrapped®, here’s my recap of Kubernetes security highlights from 2025, plus predictions for features likely graduating to stable in early 2026. As a DevSecOps Team Leader, I bridge development speed with security rigor daily. Kubernetes and cloud-native security are my passion, especially hardening workloads for production. With Kubernetes v1.35 releasing December 17, now’s the perfect time to review 2025’s security wins and plan for 2026. ...

In today’s fast-paced tech landscape, it’s common to find incredibly talented engineers mastering complex orchestrators like Kubernetes or crafting intricate Infrastructure as Code solutions. We’re living in an era of high-level abstractions, which is fantastic for productivity. However, this focus on the ’new and shiny’ can sometimes lead us to overlook the foundational bedrock upon which everything is built. It might seem a bit old-school to write a blog post about hardening SSH in 2025. Yet, these ‘basic’ skills are more critical than ever. In a world of ephemeral infrastructure and complex supply chains, securing the front door to our systems remains a non-negotiable first step. ...

In my last few years as a Team Leader DevSecOps, I’ve spent a significant amount of time helping customers, mostly in the financial sector, navigate the complexities of cloud-native security. I have seen companies invest heavily in state-of-the-art runtime protection, CNAPPs, and sophisticated CI/CD security gates. Yet, a familiar pattern emerges time and again: the moment security teams start looking at vulnerability reports, chaos ensues. The numbers are just too high to handle, creating a paralyzing sense of alert fatigue. ...

Even in the cloud-native era, where everything is an API call away, some technologies from the past refuse to fade away. Recently, I found myself helping my team of talented engineers configure HashiCorp Boundary for Microsoft Active Directory authentication. I was surprised to see that they were not familiar with the concepts of LDAP, a technology that was a cornerstone of my career for years. After spending countless hours configuring Domino, Sametime, WebSphere Portal, and Connections with LDAP, the process felt like riding a bike. ...

In the rapidly evolving landscape of AI and large language models (LLMs), the ability to connect these models to external tools and data sources is crucial for building powerful, automated applications. The Model Context Protocol (MCP) has emerged as a standard for this purpose, but its use also introduces new security challenges. This article explores how to work securely with third-party MCP servers, drawing insights from the recently released OWASP GenAI security cheatsheet. ...

AI is part of our daily life, and I’m not afraid to say that I’m using it regularly for personal tasks. Naturally, I keep and respect the confidentiality of data, and I use my knowledge to understand what AI is telling me back; AI without being driven the correct way can produce absolute garbage. Now I’m transitioning from chatbot to AI CLI usage. I’m a victim of Network Chuck’s enthusiasm, so I wanted to build my first AI agent for publishing content on my personal blog. See below how I did it in minutes. ...

On November 5th, 2025, a set of high-severity vulnerabilities in runc were publicly disclosed, allowing for full container breakouts. Runc is the cornerstone of containerization on Linux, serving as the default low-level container runtime for industry-standard tools like Docker, Podman, and Kubernetes. Its ubiquity means that a vulnerability in runc has far-reaching implications for the entire cloud-native ecosystem. This post summarizes the vulnerabilities, the affected versions, and the recommended actions to mitigate them. ...

Introduction As everyone, we are evolving and we are including AI into several workflows, so it’s essential having a way to pass data to the AI from various types of files. This is where Microsoft’s MarkItDown comes in as a powerful tool. It’s a lightweight Python utility that converts numerous file formats into Markdown, a format easily consumable by AI models. Whether you want to use it with an AI assistant like Claude through its MCP server, as a CLI tool, with Python code, or run it in a container, MarkItDown offers a lot of flexibility. ...