Security

The Unexpected Swag from KubeCon EU 2026 KubeCon EU 2026 Amsterdam was a great edition. I walked away with good conversations, new connections, and the usual conference bag full of stickers. But one thing stood out among the swag: six months of GitHub Copilot Pro+, courtesy of GitHub. I’m not going to pretend I wasn’t excited. Copilot Pro+ isn’t cheap, and having it handed to you as conference loot—just because you showed up in the right place, accepting the right invitation—felt like a proper thank-you to the community. GitHub clearly knows its audience. ...

In the last few days, we’ve witnessed a significant milestone for the global software ecosystem. A powerhouse coalition of tech leaders (including Anthropic, AWS, GitHub, Google, Google DeepMind, Microsoft, and OpenAI) has committed $12.5 million in grant funding to advance open-source security. This isn’t just another corporate donation; it’s a strategic investment in the very foundation of modern technology. Why This Matters Now Open-source software (OSS) is the bedrock of everything from cloud infrastructure to the apps on your phone. However, as the ecosystem grows, so do the threats. We are currently seeing an “unprecedented influx” of security vulnerabilities, many discovered by automated AI systems. ...

The recent Notepad++ supply chain compromise shows how even widely trusted, open-source tools become vectors for state-sponsored espionage when their distribution infrastructure falls into the wrong hands. This was a surgical, six-month operation that bypassed traditional code security controls by exploiting the update mechanism. What Happened and Where the SDLC Failed In 2025, Notepad++, a widely used open-source text editor, suffered a sophisticated supply chain attack. Chinese state-sponsored threat actors compromised the shared hosting provider in June, gaining control of the update distribution system. Even after losing direct server access in September following a kernel update, attackers maintained persistence through stolen credentials until December 2. The fixed version 8.8.9 with hardened update verification was released on December 9. ...

I’ve already touched the hardened images theme in the past talking how this theme is important in today’s world. Reducing the attack surface of our containers is not just a “nice to have” anymore; it is a fundamental requirement for a secure software supply chain. In an era where vulnerabilities can be exploited within hours of disclosure, starting with a secure base is half the battle. That is why the recent move by Docker is so significant. ...

In my last few years as a Team Leader DevSecOps, I’ve spent a significant amount of time helping customers, mostly in the financial sector, navigate the complexities of cloud-native security. I have seen companies invest heavily in state-of-the-art runtime protection, CNAPPs, and sophisticated CI/CD security gates. Yet, a familiar pattern emerges time and again: the moment security teams start looking at vulnerability reports, chaos ensues. The numbers are just too high to handle, creating a paralyzing sense of alert fatigue. ...

This article is a follow-up to my previous post about the state of the External Secrets Operator project. Let’s start with the most important news: External Secrets Operator is set to resume releases on September 22!!! What changed More than 300 volunteers have signed up to contribute across organizations, far exceeding expectations and widening the pipeline of future Members, Reviewers, and Maintainers. Governance has been clarified with a formal Contribution Ladder and focused tracks (Core, Providers, CI, Testing), plus interim roles to spread the load and reduce burnout risk. ...

External Secrets Operator is a great FOSS project that, over the last few years, has gained traction in Kubernetes environments, becoming one of the standard security tools for managing and integrating Kubernetes secrets from external sources. ESO is an operator and can be installed in different ways, for example via HELM or the OpenShift Operator Catalog. Here’s their GitHub repo. A couple of weeks ago, the team raised a giant RED FLAG with the following announcement: ...

Kubernetes 1.33 was released on April 23, 2025, and, as usual, introduces a host of fixes and new features. Be sure to check out the release notes; I assure you, you won’t be disappointed! As the Team Leader of a DevSecOps group, I tend to focus on security features. In this article, I want to highlight the new pod support for user namespaces. This feature isn’t entirely new—it was first introduced as an Alpha feature (UserNamespacesSupport) in Kubernetes 1.28. However, as of version 1.33, it is enabled by default, and there’s no longer any need to set a Kubernetes feature flag. ...

Today, I want to share with you a new initiative by OpenSSF called the Open Source Project Security Baseline. The TL;DR: This initiative consists of a series of checks that project maintainers must have in place in their software repositories to demonstrate a strong security posture. The baseline is divided into three well defined levels. I find this to be an interesting and practical initiative, easy to apply for improving and certifying a project’s security level. ...

It’s been a couple of years since I moved to Galway, and I’m still absolutely thrilled with my decision! Over the past few months, I’ve had the chance to meet some awesome people at a local security meetup called BurbSec. It was a fantastic experience—sharing ideas, meeting new faces, and of course, enjoying a few beers! ;-) Now, some of these folks are organizing a security conference called BSIDES Galway, happening on February 22nd, 2025! ...