Back to Basics: TLS and PKI from the Ground Up
This is the third article in my “Back to Basics” series. The goal is simple: take something modern engineers interact with daily through abstractions, and explain what is actually happening underneath. In the first article, I hardened an SSH daemon and explained why the defaults are insecure. In the second, I showed that containers are ordinary Linux processes wrapped in namespaces and cgroups. This article applies the same approach to TLS: strip away the abstractions, read the raw structures, and understand what the tooling is doing on your behalf. ...
In 2026 I Am Still Asked Why You Need a Hardened Container Image Catalog
It’s 2026 and I still receive questions from customers and colleagues about why they should adopt a hardened container image catalog, why it matters, and how to justify the investment internally. I hear it from security engineers, from architects, from technical leads at companies that are otherwise doing serious work on their security posture. The honest answer is short: European regulations like DORA and NIS2 require it, and from a purely technological standpoint it is the logical evolution of how we have always managed infrastructure. Both arguments stand independently. Together they leave no room for debate. ...
Engineering Managers Are Your Real Culture: Why CTOs Must Invest in Middle Management
It is a sunny Sunday, even here in Ireland. While my wife is going through articles to find her next career path, I find myself wanting to write down some reflections about a few reports I have been reading lately, and how clearly they mirror what I experience in my daily working routine. McKinsey’s State of Organizations 2026, published in May, makes something very explicit that most senior leaders already sense but rarely act on: middle managers are the primary carriers of organizational culture. They are the ones who translate strategy into daily behavior. They decide, in practice, what gets celebrated, what gets tolerated, and what gets ignored. No amount of executive messaging overrides what an engineer experiences in their one-to-ones, in sprint reviews, or in the way their manager handles failure. ...
Athena Coalition: Coordinated Open Source Defense in the AI Vulnerability Era
The Problem We Have Today

Open source security is no longer limited by finding vulnerabilities. It is limited by coordination. Modern software depends on thousands of open source components: libraries, container images, build tools, package managers, CI/CD actions, and infrastructure projects. When a serious vulnerability appears, many teams still struggle with basic questions.

Question | Why it is hard
Where is the vulnerable component running? | SBOMs and inventories are often incomplete.
Who owns the remediation? | Dependencies cross teams, vendors, and platforms.
Can we patch fast enough? | Testing, release windows, and legacy systems slow everything down.
What if no clean patch exists yet? | Teams need mitigations, not only advisories.

AI makes this harder. Frontier models can inspect code, reason across dependencies, and find chained vulnerabilities faster than traditional disclosure processes were designed to handle. Discovery is accelerating. Exploitation windows are shrinking. ...
Apple container 1.0 and container machine: hands-on security test
A few days ago during WWDC26, Apple released container 1.0. The release notes are short, but the important part is clear: Apple wants people to try the new container machine functionality. As a team leader, when new products or tools enter the areas I work on, I like to spend some free time testing them directly. It helps me understand where they can be useful, where the limits are, and what security implications they may have for my engineering team or for customers. ...
Zero Trust for AI Agents: Why Anthropic's New eBook Should Be on Your Reading List
Attackers Now Run at Machine Speed

If you have been following this blog, you know that 2026 has not been a quiet year for the security community. The Trivy supply chain attack in March was the wake-up call: a trusted security scanner turned into a credential harvesting machine, followed by the CanisterWorm escalation that propagated itself through the npm ecosystem at a speed no human operator could match. In the weeks after, we saw several other serious and successful exploitations following the same pattern: automation turned against the defenders, with exploits appearing within hours of a patch instead of months. ...
Cloud Native Days Italy 2026: A Wrap-Up from Bologna
Bologna, May 18-19: The Fifth Edition

Bologna, May 18-19, 2026. The fifth edition of Cloud Native Days Italy is behind us, and I’m still riding the wave of energy it left behind. Writing this post as one of the organizers feels different from a regular conference recap. Seeing something you worked on for months actually land — with real people in real rooms — is hard to describe briefly. If you want to read how the journey to this edition started, I covered it in an earlier post. ...
SentinelOne Purple MCP: A Hands-On Guide to Singularity AI Integration
Every technical support team I have worked with shares the same friction point: an analyst keeps four tabs open simultaneously (the EDR console, a ticketing system, an asset CMDB, and a query window) and spends a sizeable chunk of their shift copy-pasting IDs between them. The intelligence exists. The problem is getting it out fast enough. The Model Context Protocol (MCP) is the most credible attempt I have seen yet to reduce that cost. It is a small, open specification for letting LLM-driven assistants invoke external tools in a typed, structured way: a server exposes a catalogue of tools with JSON Schema input contracts, and any MCP-aware client (Claude Desktop, Claude Code, Zed, or your own automation) can call them without writing any glue code. One server definition, every compatible client for free. ...
Lazarus Group Hides Malware in Git Hooks to Target Developers
A few months back I saw a post circulating on LinkedIn about a developer who had been targeted by a fake recruiter. The person had been invited to a “technical assessment,” cloned a repository, and ran the code provided as part of the interview. What followed was a silent drain of every credential stored on their machine. I remember reading it and feeling a specific kind of disgust, not just at the technical sophistication of the attack, but at the deliberate choice to weaponize something as emotionally charged as a job search. ...
CVE-2026-31431 Copy Fail: A Nine-Year-Old Kernel Bug, a 732-Byte Script, and a Root Shell
On April 29, 2026, CVE-2026-31431 was publicly disclosed. Nicknamed “Copy Fail”, it is a local privilege escalation in the Linux kernel with a CVSS score of 7.8, present in every major distribution running kernel 4.13 or later: Ubuntu, RHEL, Amazon Linux, SUSE, Rocky Linux. What makes it stand out from most CVEs in this class is how little an attacker needs: a 732-byte Python script, standard library only, no compilation, no race conditions, no kernel offsets. First try, every time. ...