The Challenge of Securing AI Agents: A DevSecOps Perspective

As a DevSecOps Team Leader, my job is to secure customers using modern technologies. Sounds straightforward, right? The reality is far more complex. Every day, I face the challenge of enabling innovation while maintaining security. The rapid adoption of AI has introduced a new dimension to this challenge: agentic AI assistants that do not just chat, they act. This challenge connects directly to something I wrote about recently. In my article on spec-driven development with GitHub Spec-Kit, I discussed how structure and governance matter when using AI for coding. The same principle applies here: when AI agents can execute code, access secrets, and operate with user privileges, we need structure and governance more than ever. ...

February 17, 2026 · 5 min · 1059 words · Matteo Bisi

Cloud Native Days Italy 2026: The Journey Continues

A few months ago, I shared the news about joining the Cloud Native Days Italy organizing team, and I wanted to give you an update on how things are progressing as we approach the big event in May 2026.

The Organizing Journey: Hard Work, Big Rewards

Working on Cloud Native Days Italy after my regular job is no small task. Between planning sessions, coordinating with team members, and handling the countless details that go into organizing a major tech conference, the hours add up quickly. But I have to say: it’s incredibly rewarding. ...

January 29, 2026 · 3 min · 583 words · Matteo Bisi

2025 CWE Top 25: MITRE's Critical Software Weakness Rankings and Trends

MITRE released the 2025 CWE Top 25 on December 11, 2025, identifying the most dangerous software weaknesses based on 39,080 CVE Records published between June 2024 and June 2025. The list ranks weaknesses by their frequency as root causes in CVE data and their CVSS severity scores, highlighting persistent threats like XSS and SQL Injection alongside emerging issues such as authorization flaws and memory bugs—key priorities for DevSecOps teams securing modern cloud‑native applications. Explore how the 2025 rankings differ from 2024, the top ten shifts, and what CWE root causes reveal beyond CVE trends. ...

December 17, 2025 · 6 min · 1104 words · Matteo Bisi

Kubernetes Security: 2025 Stable Features & 2026 preview

Like your favorite music streaming service’s 2025 Wrapped®, here’s my recap of Kubernetes security highlights from 2025, plus predictions for features likely graduating to stable in early 2026. As a DevSecOps Team Leader, I bridge development speed with security rigor daily. Kubernetes and cloud-native security are my passion, especially hardening workloads for production. With Kubernetes v1.35 releasing December 17, now’s the perfect time to review 2025’s security wins and plan for 2026. ...

December 8, 2025 · 4 min · 707 words · Matteo Bisi

Runc Container Breakout Vulnerabilities

On November 5th, 2025, a set of high-severity vulnerabilities in runc were publicly disclosed, allowing for full container breakouts. Runc is the cornerstone of containerization on Linux, serving as the default low-level container runtime for industry-standard tools like Docker, Podman, and Kubernetes. Its ubiquity means that a vulnerability in runc has far-reaching implications for the entire cloud-native ecosystem. This post summarizes the vulnerabilities, the affected versions, and the recommended actions to mitigate them. ...

November 7, 2025 · 4 min · 725 words · Matteo Bisi

A Halloween Tech Recap: Gearing Up for the Final Sprint of 2025

As Halloween approaches and the days grow shorter, it’s the perfect time for a spooky story… or, in my case, a recap of what’s been brewing in my professional life! With the end of the year lurking around the corner, it’s time to take stock of the exciting changes, challenging projects, and community efforts that have made 2025 a year to remember. So, grab your pumpkin-spiced latte, and let’s dive into the cauldron of the last few months. ...

October 28, 2025 · 4 min · 679 words · Matteo Bisi

Understanding the Power of SBOMs: Insights from OpenSSF's White Paper

OpenSSF, the Open Source Security Foundation, is an influential collaborative initiative under the Linux Foundation dedicated to improving open source software security. Bringing together industry leaders, security experts, and developers, OpenSSF drives broad community efforts to address vulnerabilities, foster best practices, and enhance transparency across software supply chains. Among its standout contributions is the advocacy and tooling development around Software Bill of Materials (SBOMs), which have rapidly become indispensable for managing security risks in modern software ecosystems. ...

October 3, 2025 · 5 min · 928 words · Matteo Bisi

My New Role with Cloud Native Days Italy

Quick but exciting personal update: I am now part of the organizing team for the Cloud Native Days event in Italy! Everyone who knows me understands how much I love the community side of my work and how passionate I am about joining events and organizing amazing experiences. Having worked on event organization before with my friends at Let’s Connect, I know it’s both challenging and incredibly rewarding. ...

September 25, 2025 · 1 min · 137 words · Matteo Bisi

The Critical Trio: Secrets Manager, Zero-CVE Images, and CNAPP are Needed (Not Only) for DORA Compliance!

With the Digital Operational Resilience Act (DORA) now in effect across the European Union as of January 17, 2025, financial institutions face unprecedented cybersecurity and operational resilience requirements. Successfully achieving DORA compliance demands a comprehensive security strategy that also includes the following three fundamental components: robust secrets management; hardened container images with minimal vulnerabilities; and unified cloud-native application protection platforms (CNAPPs). These technologies work synergistically to meet DORA’s stringent ICT risk management, asset identification, and third-party oversight mandates. ...

August 7, 2025 · 7 min · 1335 words · Matteo Bisi

KubeCon EU 2025 London

The countdown to KubeCon EU (London) has begun, and I couldn’t be more thrilled to announce that, for the third year in a row, I’ll have the incredible privilege of attending! This year is extra special because, for the second time, I’ll be managing a booth alongside my amazing colleagues. Why? Because ReeVo, the company that SIGHUP has now joined, will proudly be a sponsor of this major event! ...

February 21, 2025 · 2 min · 230 words · Matteo Bisi