Cybersecurity

In the rapidly evolving landscape of AI and large language models (LLMs), the ability to connect these models to external tools and data sources is crucial for building powerful, automated applications. The Model Context Protocol (MCP) has emerged as a standard for this purpose, but its use also introduces new security challenges. This article explores how to work securely with third-party MCP servers, drawing insights from the recently released OWASP GenAI security cheatsheet. ...

On November 5th, 2025, a set of high-severity vulnerabilities in runc were publicly disclosed, allowing for full container breakouts. Runc is the cornerstone of containerization on Linux, serving as the default low-level container runtime for industry-standard tools like Docker, Podman, and Kubernetes. Its ubiquity means that a vulnerability in runc has far-reaching implications for the entire cloud-native ecosystem. This post summarizes the vulnerabilities, the affected versions, and the recommended actions to mitigate them. ...

As Halloween approaches and the days grow shorter, it’s the perfect time for a spooky story… or, in my case, a recap of what’s been brewing in my professional life! With the end of the year lurking around the corner, it’s time to take stock of the exciting changes, challenging projects, and community efforts that have made 2025 a year to remember. So, grab your pumpkin-spiced latte, and let’s dive into the cauldron of the last few months. ...

Today, my manager forwarded me this article about several zero-day CVEs discovered in CyberArk and HashiCorp products. After some time spent researching online, I confirmed that both brands have fixed these CVEs by releasing updated versions!! I’m not surprised that these two big corporations acted quickly and fixed the vulnerabilities; both are well-known and reliable! This event gave me an excuse to write this article and respond to one of the most common questions I get from my customers whenever I share news about a new release of a secrets manager: ...

With the Digital Operational Resilience Act (DORA) now in effect across the European Union as of January 17, 2025, financial institutions face unprecedented cybersecurity and operational resilience requirements. Successfully achieving DORA compliance demands a comprehensive security strategy that also includes the following three fundamental components: Robust secrets management Hardened container images with minimal vulnerabilities Unified cloud-native application protection platforms (CNAPPs) These technologies work synergistically to meet DORA’s stringent ICT risk management, asset identification, and third-party oversight mandates. ...

Today, I want to share with you a new initiative by OpenSSF called the Open Source Project Security Baseline. The TL;DR: This initiative consists of a series of checks that project maintainers must have in place in their software repositories to demonstrate a strong security posture. The baseline is divided into three well defined levels. I find this to be an interesting and practical initiative, easy to apply for improving and certifying a project’s security level. ...

As a consultant, it’s always a pleasure to explore new tools, and since the end of 2024, we have been experimenting with CyberArk’s SaaS offering. The first component we started working with is Conjur Cloud, the SaaS version of Conjur Enterprise, which we are already very familiar with. Conjur Cloud features an impressive UI that allows users to configure and manage most settings seamlessly. Like Conjur Enterprise, it also has its own dedicated CLI, available for download on the CyberArk Marketplace. After installing the Conjur Cloud CLI on macOS 15.2, I encountered the following error when attempting to execute it: ...

It’s been a couple of years since I moved to Galway, and I’m still absolutely thrilled with my decision! Over the past few months, I’ve had the chance to meet some awesome people at a local security meetup called BurbSec. It was a fantastic experience—sharing ideas, meeting new faces, and of course, enjoying a few beers! ;-) Now, some of these folks are organizing a security conference called BSIDES Galway, happening on February 22nd, 2025! ...

As you may know, one of the key components of the CyberArk Conjur architecture is the Synchronizer, which is required to receive secrets from the Vault. Last week, I took charge of an abandoned Synchronizer version 11.7 that had not been working for some time and also needed to be upgraded to the latest 12.7 release. After completing the upgrade (check this link for the steps), the Windows service failed to start, and the log contained the following error: ...

During the past few weeks, I have described what a secrets manager is and provided an overview of the architecture and system requirements of CyberArk Conjur. A secrets manager can’t do its job if it can’t communicate with those who need to request secrets, and that’s where Conjur’s magic comes in! The “authenticators” are responsible for the authentication process in Conjur and are specialized to do this in the most secure way, depending on the service. Here is the list of authenticators currently supported: ...