Devsecops

Like your favorite music streaming service’s 2025 Wrapped®, here’s my recap of Kubernetes security highlights from 2025, plus predictions for features likely graduating to stable in early 2026. As a DevSecOps Team Leader, I bridge development speed with security rigor daily. Kubernetes and cloud-native security are my passion, especially hardening workloads for production. With Kubernetes v1.35 releasing December 17, now’s the perfect time to review 2025’s security wins and plan for 2026. ...

In today’s fast-paced tech landscape, it’s common to find incredibly talented engineers mastering complex orchestrators like Kubernetes or crafting intricate Infrastructure as Code solutions. We’re living in an era of high-level abstractions, which is fantastic for productivity. However, this focus on the ’new and shiny’ can sometimes lead us to overlook the foundational bedrock upon which everything is built. It might seem a bit old-school to write a blog post about hardening SSH in 2025. Yet, these ‘basic’ skills are more critical than ever. In a world of ephemeral infrastructure and complex supply chains, securing the front door to our systems remains a non-negotiable first step. ...

In my last few years as a Team Leader DevSecOps, I’ve spent a significant amount of time helping customers, mostly in the financial sector, navigate the complexities of cloud-native security. I have seen companies invest heavily in state-of-the-art runtime protection, CNAPPs, and sophisticated CI/CD security gates. Yet, a familiar pattern emerges time and again: the moment security teams start looking at vulnerability reports, chaos ensues. The numbers are just too high to handle, creating a paralyzing sense of alert fatigue. ...

Even in the cloud-native era, where everything is an API call away, some technologies from the past refuse to fade away. Recently, I found myself helping my team of talented engineers configure HashiCorp Boundary for Microsoft Active Directory authentication. I was surprised to see that they were not familiar with the concepts of LDAP, a technology that was a cornerstone of my career for years. After spending countless hours configuring Domino, Sametime, WebSphere Portal, and Connections with LDAP, the process felt like riding a bike. ...

In the rapidly evolving landscape of AI and large language models (LLMs), the ability to connect these models to external tools and data sources is crucial for building powerful, automated applications. The Model Context Protocol (MCP) has emerged as a standard for this purpose, but its use also introduces new security challenges. This article explores how to work securely with third-party MCP servers, drawing insights from the recently released OWASP GenAI security cheatsheet. ...

OpenSSF, the Open Source Security Foundation, is an influential collaborative initiative under the Linux Foundation dedicated to improving open source software security. Bringing together industry leaders, security experts, and developers, OpenSSF drives broad community efforts to address vulnerabilities, foster best practices, and enhance transparency across software supply chains. Among its standout contributions is the advocacy and tooling development around Software Bill of Materials (SBOMs), which have rapidly become indispensable for managing security risks in modern software ecosystems. ...

This article is a follow-up to my previous post about the state of the External Secrets Operator project. Let’s start with the most important news: External Secrets Operator is set to resume releases on September 22!!! What changed More than 300 volunteers have signed up to contribute across organizations, far exceeding expectations and widening the pipeline of future Members, Reviewers, and Maintainers. Governance has been clarified with a formal Contribution Ladder and focused tracks (Core, Providers, CI, Testing), plus interim roles to spread the load and reduce burnout risk. ...

External Secrets Operator is a great FOSS project that, over the last few years, has gained traction in Kubernetes environments, becoming one of the standard security tools for managing and integrating Kubernetes secrets from external sources. ESO is an operator and can be installed in different ways, for example via HELM or the OpenShift Operator Catalog. Here’s their GitHub repo. A couple of weeks ago, the team raised a giant RED FLAG with the following announcement: ...

Security should be a primary driver in IT! Everyone understands the importance of running secure, reliable code at every level of our infrastructure. Since the container revolution began a decade ago with Kubernetes 1.0, traditional IT administrators have lost some control to developers, who can now use Dockerfiles to package and deploy software at unprecedented speed. But at what cost? As organizations adopted runtime security tools to monitor containers and processes, it quickly became clear that pulling base images from public repositories often introduced a flood of vulnerabilities. ...

Kubernetes 1.33 was released on April 23, 2025, and, as usual, introduces a host of fixes and new features. Be sure to check out the release notes; I assure you, you won’t be disappointed! As the Team Leader of a DevSecOps group, I tend to focus on security features. In this article, I want to highlight the new pod support for user namespaces. This feature isn’t entirely new—it was first introduced as an Alpha feature (UserNamespacesSupport) in Kubernetes 1.28. However, as of version 1.33, it is enabled by default, and there’s no longer any need to set a Kubernetes feature flag. ...