Back to Basics: TLS and PKI from the Ground Up

This is the third article in my “Back to Basics” series. The goal is simple: take something modern engineers interact with daily through abstractions, and explain what is actually happening underneath. In the first article, I hardened an SSH daemon and explained why the defaults are insecure. In the second, I showed that containers are ordinary Linux processes wrapped in namespaces and cgroups. This article applies the same approach to TLS: strip away the abstractions, read the raw structures, and understand what the tooling is doing on your behalf. ...

June 29, 2026 · 16 min · 3263 words · Matteo Bisi

Athena Coalition: Coordinated Open Source Defense in the AI Vulnerability Era

The Problem We Have Today Open source security is no longer limited by finding vulnerabilities. It is limited by coordination. Modern software depends on thousands of open source components: libraries, container images, build tools, package managers, CI/CD actions, and infrastructure projects. When a serious vulnerability appears, many teams still struggle with basic questions. Question Why it is hard Where is the vulnerable component running? SBOMs and inventories are often incomplete. Who owns the remediation? Dependencies cross teams, vendors, and platforms. Can we patch fast enough? Testing, release windows, and legacy systems slow everything down. What if no clean patch exists yet? Teams need mitigations, not only advisories. AI makes this harder. Frontier models can inspect code, reason across dependencies, and find chained vulnerabilities faster than traditional disclosure processes were designed to handle. Discovery is accelerating. Exploitation windows are shrinking. ...

June 16, 2026 · 4 min · 711 words · Matteo Bisi

Cloud Native Days Italy 2026: A Wrap-Up from Bologna

Bologna, May 18-19: The Fifth Edition Bologna, May 18-19, 2026. The fifth edition of Cloud Native Days Italy is behind us, and I’m still riding the wave of energy it left behind. Writing this post as one of the organizers feels different from a regular conference recap. Seeing something you worked on for months actually land — with real people in real rooms — is hard to describe briefly. If you want to read how the journey to this edition started, I covered it in an earlier post. ...

May 22, 2026 · 4 min · 761 words · Matteo Bisi

Lazarus Group Hides Malware in Git Hooks to Target Developers

A few months back I saw a post circulating on LinkedIn about a developer who had been targeted by a fake recruiter. The person had been invited to a “technical assessment,” cloned a repository, and ran the code provided as part of the interview. What followed was a silent drain of every credential stored on their machine. I remember reading it and feeling a specific kind of disgust, not just at the technical sophistication of the attack, but at the deliberate choice to weaponize something as emotionally charged as a job search. ...

May 6, 2026 · 6 min · 1236 words · Matteo Bisi

Supply Chain Attacks Won't Stop: 8 Controls to Reduce Your Exposure

It Happened Again On April 22, 2026, the official Bitwarden CLI npm package (@bitwarden/cli) was compromised. For roughly 90 minutes, between 5:57 PM and 7:30 PM ET, anyone who ran npm install @bitwarden/cli received a malicious package. Around 334 developers did exactly that. The attackers did not break into Bitwarden’s npm account directly. Instead, they hijacked a GitHub Actions workflow in Bitwarden’s CI/CD pipeline and weaponised npm’s Trusted Publishing mechanism to push a poisoned release. Trusted Publishing is OIDC-based and requires no stored credentials: it was introduced as a hardening measure after credential-based attacks. It became the entry point. ...

April 26, 2026 · 12 min · 2439 words · Matteo Bisi

Kubernetes 1.36: The Release That Said Goodbye to Ingress NGINX

Introduction Tomorrow, April 22, 2026, Kubernetes 1.36 will be officially released. As a team leader working in security, part of my job is reading release notes to understand what is coming and, more importantly, to track the direction the developers are moving in. Some releases are routine progress; others signal a shift in priorities. This is one of those. Kubernetes 1.36 will be remembered as the release that formalized the end of Ingress NGINX. That alone would make it memorable; Ingress NGINX is too big and too deeply embedded in the ecosystem to ignore, and I will dedicate a section to it. But the focus of this post is security: alongside the NGINX retirement, 1.36 delivers meaningful hardening through the graduation of user namespace isolation to GA, faster SELinux volume labeling reaching GA, the stable release of external ServiceAccount token signing, and the permanent removal of features that have been known security liabilities for years. ...

April 21, 2026 · 9 min · 1756 words · Matteo Bisi

Linux 7.0: What Platform and Security Leaders Should Know

Every few kernel cycles, a release quietly shifts what is possible for the platforms running on top of it. Linux 7.0 is one of those releases. There is no single flashy new security module, no headline-grabbing feature, but there are several changes that collectively improve weak seams that cloud-native security teams have been working around for years. Before this release reached mainstream distributions, I spent a good hour working through the upstream changelog with GitHub Copilot, running multiple state-of-the-art models, cross-referencing commit messages, kernel documentation, and coverage from the broader community, and iterating until the picture was clear. ...

April 16, 2026 · 8 min · 1675 words · Matteo Bisi

Testing GSD: From a Docs-Only Repo to Working Go Code in One Session

Introduction I have been experimenting with Spec-Driven Development for a while now. If you are not familiar with the approach, I have a few articles tagged spec-kit that cover the theory and a real hands-on walkthrough where I built a Go TUI for Apple Container management. The short version: instead of vibe-coding with an LLM and hoping for the best, you invest upfront in a structured specification, then let the AI work against that spec. The results are measurably different. ...

April 13, 2026 · 19 min · 3968 words · Matteo Bisi

Hardening ACTUI: Dependabot and OpenSSF Scorecard for a Side Project

The Unexpected Swag from KubeCon EU 2026 KubeCon EU 2026 Amsterdam was a great edition. I walked away with good conversations, new connections, and the usual conference bag full of stickers. But one thing stood out among the swag: six months of GitHub Copilot Pro+, courtesy of GitHub. I’m not going to pretend I wasn’t excited. Copilot Pro+ isn’t cheap, and having it handed to you as conference loot—just because you showed up in the right place, accepting the right invitation—felt like a proper thank-you to the community. GitHub clearly knows its audience. ...

April 2, 2026 · 8 min · 1619 words · Matteo Bisi

The Trivy Supply Chain Attack: A Breakdown of Credential Theft and the CanisterWorm Escalation

Introduction Trivy, the widely adopted open-source security scanner from Aqua Security, is a cornerstone of modern CI/CD pipelines and container security. With over 33,000 stars on GitHub as of March 2026, its footprint spans across Docker images, Homebrew, and countless developer machines. This ubiquity, however, made the supply-chain compromise discovered between March 19–21, 2026, particularly devastating. The incident was not a single point of failure but a multi-stage attack involving malicious releases, manipulated GitHub Actions, and a self-propagating worm that leveraged decentralized infrastructure. ...

March 21, 2026 · 4 min · 736 words · Matteo Bisi