Matteo Bisi

@msbiro.net

Italian DevSecOps Team Leader @cloudnativedaysitaly.org 2026 🇮🇹Organizer Based in Galway, Ireland My blog: www.msbiro.net

Joined 27.01.2025

Latest posts by Matteo Bisi @msbiro.net

The Exploitability Gap: Insights from Datadog’s State of DevSecOps 2026 Exploring the critical findings of the Datadog State of DevSecOps 2026 report, focusing on exploitable vulnerabilities, unmaintained libraries, and CI/CD security risks.

🚨 New Post: Datadog's State of DevSecOps 2026 report is a wake-up call.
87% of orgs have exploitable vulns in prod, but only 18% of "Critical" CVEs stay critical under runtime context. Time to shift to Exposure Management.

www.msbiro.net/posts/datado...
#DevSecOps #Datadog

06.03.2026 10:31

🎉 MAIN SPONSOR ANNOUNCEMENT: REEVO

ReeVo's integrated approach to cloud and security reflects the same principles we champion in the cloud native ecosystem: resilience, scalability, and control.

🎟️ cloudnativedaysitaly.org

05.03.2026 11:50

🚀 Amsterdam bound for #KubeCon EU 2026! 🇳🇱

Join me & ReeVo at Booth 893. My focus: Security 🔒 & the surge of AI/ML 🤖.

🎂 Fun fact: March 25 is my birthday! Stop by for a birthday coffee! ☕️

Full preview & agenda:
www.msbiro.net/posts/kubeco...

#CloudNative #Kubernetes #KubeCon

05.03.2026 14:41
ACTUI Follow-Up: Submenus and Image Management Follow-up on Apple Container Terminal UI: new submenus, dedicated image management, and iterative improvements driven by real usage.

Dogfooding is fun! 🚀

Using ACTUI daily turned a PoC into a daily driver with submenus and image management.
Trace the tool's evolution in the specs folder via Spec-Driven Development (SDD).

www.msbiro.net/posts/actui-...

#DevOps #Golang #TUI #SDD

27.02.2026 16:03

โฐ 7 DAYS LEFT: CFP Closes March 6th

Don't overthink it.
Submit your idea before it's too late.
The Bologna stage is waiting ๐ŸŽค

๐Ÿ“… Deadline: March 6th, 2026 11:59 PM CET
๐Ÿ“ Submit here: sessionize.com/cloud-native...

#CloudNativeDaysItaly2026 #CFP

26.02.2026 08:15
The Silent Heist: How Distillation Attacks Are Reshaping the Global AI Landscape An analysis of the recent distillation attacks against Anthropic's Claude models by three major Chinese AI companies, explaining what distillation is and its implications for the global AI landscape.

The AI race crosses a line. Anthropic caught 3 Chinese labs using "distillation attacks" to clone Claude’s
capabilities via millions of illicit queries. Read my breakdown of how the AI heist works:
www.msbiro.net/posts/distil...

23.02.2026 23:52
Back to Basics: Why Containers Are Just Fancy Linux Processes Containers are Linux processes with namespaces and cgroups, nothing more. This article breaks down what Kubernetes securityContext, resource limits, and container escapes actually do at the kernel lev...

Containers aren't magic. They're Linux processes with namespaces & cgroups. Article #2 of my "Back to Basics" series — what Kubernetes securityContext actually does at kernel level, container escapes & debugging with nsenter.

🔗 www.msbiro.net/posts/back-to-basics-containers-linux-processes/

20.02.2026 09:59
The Challenge of Securing AI Agents: A DevSecOps Perspective A DevSecOps team leader's reflection on the challenge of securing customers who use AI agents that act like users, and how this connects to spec-driven development and MCP security.

AI agents executing code with user privileges aren't chatbots, they're privileged accounts. Most orgs aren't ready.
My DevSecOps take on securing agentic AI and why visibility precedes governance:
www.msbiro.net/posts/securi...

#DevSecOps #AI

18.02.2026 00:16

The only status check that matters right now 🟢

Early Bird pricing (37% off!) is active until 1pm CET, 16th March.

🎟️ cloudnativedaysitaly.org

17.02.2026 16:17
Cloud Native Days Italy 2026 Cloud Native Days (CND) Italy is a local, community-organized event that gathers adopters and technologists from open source and cloud native communities.

@cloudnativedaysitaly.org May 18-19 in Bologna – the top community event for cloud native pros. Gold sponsor sold out fast! Platinum & Silver spots still open. 100% volunteer, no-profit.
DM me or sponsor@cloudnativedaysitaly.org for details/prospectus. Let's make it epic!
cloudnativedaysitaly.org

16.02.2026 18:13
GitHub - matteobisi/apple-container-tui: This repository contains a TUI (Terminal User Interface) for managing Apple Containers. The project began as a proof of concept to demonstrate spec-kit usage p... This repository contains a TUI (Terminal User Interface) for managing Apple Containers. The project began as a proof of concept to demonstrate spec-kit usage patterns in real-world scenarios. It sh...

Empty repo → working TUI in 2.5 hours with GitHub Spec-Kit.
Constitution → specs → 100 automated tasks → Go binary.

One manual fix. Everything else? AI-orchestrated.

👉 github.com/matteobisi/a...
📖 www.msbiro.net/posts/spec-k...

13.02.2026 11:57

🚨 2# GUEST SPEAKER ANNOUNCEMENT 🚨
We've modernized everything in the cloud native stack... except the OS.

🗣️ @mauromorales.bsky.social - Staff Engineer at Spectro Cloud | Kairos Maintainer.
🎤 "What Should a Cloud-Native OS Look Like? Rethinking the Foundation of Modern Platforms"

#CNDItaly

12.02.2026 08:15

… but Early Bird tickets are still available until March 16th (37% discount!) 👀

Grab your discounted #CloudNativeDaysItaly2026 ticket here: cloudnativedaysitaly.org

10.02.2026 08:00
AGENTS.md AGENTS.md is a simple, open format for guiding coding agents. Think of it as a README for agents.

Engineering teams rebuild AI workflows every model drop. Fix it with portable CLI: AGENTS.md for context, mise.toml for envs, CISO-ready security.

Guide: www.msbiro.net/posts/ai-cli...

#DevOps #AI #Cybersecurity

06.02.2026 10:46

🚨 SPEAKER ANNOUNCEMENT 🚨

@williamrizzo.bsky.social - CNCF Ambassador | @mirantis.bsky.social Global Field CTO

🎤 "Agentic AI in Platforms: Verticalizing Intelligence for Regulated Domains"

The AI agents are coming. Is your platform ready?

#CNDItaly #CloudNativeDaysItaly2026

04.02.2026 13:51
When Your Update System Becomes the Attack Vector: The Notepad++ Supply Chain Compromise Deep dive into the Notepad++ supply chain attack: how state-sponsored hackers compromised the hosting provider, hijacked updates, and what we can learn about SDLC security.

6-month supply chain attack on Notepad++: hackers compromised the hosting provider, not the code.

Don't forget to include your update system in threat modeling!

Full analysis: www.msbiro.net/posts/notepa...

#CyberSecurity #SupplyChain #SSDLC

04.02.2026 00:06

🚨 TICKETS ARE LIVE for Cloud Native Days Italy 2026!

💰 Limited-time (and quantity!) discounts:
→ Very Early Bird: 47% off (ends Feb 9)
→ Early Bird: 37% off (ends March 16)

#CNDItaly #CloudNativeDaysItaly2026

02.02.2026 08:00
ClawdBot → MoltBot → OpenClaw: A Case Study in Confusion Attacks and Security Risks A comprehensive security analysis of the OpenClaw AI assistant project. Examining three name changes in 10 days as a confusion attack pattern, exposed cloud instances due to misconfiguration, the fake...

I dug into ClawdBot→MoltBot→OpenClaw (hot AI tool). AI fan + security pro here: confusion attacks, exposed clouds, fake VSCode plugin, API key traps. Why I won't touch it w/ real accounts. Full analysis: www.msbiro.net/posts/opencl...
#DevSecOps #AI #CyberSecurity

31.01.2026 02:32
CloudNativeDaysItaly 🚀 The Italian Cloud Native community will come together for two unforgettable days of sharing, learning and connection. Be part of it!

🇮🇹☁️ Cloud Native Days Italy 2026 update! CFP is hot 🔥 Seeking sponsors 🤝 Tickets coming soon 🎟️📍 Bologna, May 18-19 Join our Telegram for early access & discounts: t.me/cloudnatived... details: www.msbiro.net/posts/cloud-... #CloudNative #CNCF

29.01.2026 12:17
GitHub Spec-Kit: Why Structured AI Development Beats Vibe Coding A DevSecOps team leader's perspective on GitHub Spec-Kit, spec-driven development, and why structured AI workflows matter for compliance, auditability, and team collaboration.

Tired of AI "vibe coding"? GitHub Spec-Kit: specs first → plans/tasks/code that align. DevSecOps wins: audit trails, team continuity. Spec-Kit (greenfield), OpenSpec (brownfield). Full guide: www.msbiro.net/posts/github... #DevSecOps #AIDev

21.01.2026 12:02

Stop treating engineers like ticket movers. 🛑 True motivation comes from context, not just code. It’s time to shift from Delegation to Ownership. My latest take on engineering leadership 👇
www.msbiro.net/posts/from-d... #leadership #devops #management

09.01.2026 10:45
Evaluating Oss Security Fresh Editor s2c2f Holiday hacking from the couch: evaluating Fresh editor's security using OpenSSF Scorecard, Semgrep, and cargo audit. A practical guide to applying the S2C2F framework for secure OSS adoption without ...

Found a brilliant terminal editor. Unknown maintainer. No security audit.

So I ran OpenSSF Scorecard + Semgrep + cargo audit to vet it properly.

Here's how to evaluate ANY OSS tool in an afternoon (without killing dev productivity):

www.msbiro.net/posts/evalua...

27.12.2025 18:01
Docker Hardened Images Are Now Free and Open Source Docker has made a significant move by releasing their Hardened Images catalog as free and open source. This post explores what this means for developers, the inclusion of Helm charts and MCP servers, ...

🔒 Docker Hardened Images: FREE & open source.

✅ Near-zero CVEs
✅ SBOMs + SLSA
✅ Hardened Helm charts
✅ MCP servers

Security for all.

www.msbiro.net/posts/docker...

#DevSecOps #Docker #CloudNative

18.12.2025 11:33
CloudNativeDaysItaly 🚀 The Italian Cloud Native community will come together for two unforgettable days of sharing, learning and connection. Be part of it!

Join Telegram channel → get info early → save money → buy more coffee ☕.

@cloudnativedaysitaly.org (18-19 May 2026, Bologna) → t.me/cloudnatived...

18.12.2025 08:16

MITRE's 2025 CWE Top 25: XSS #1, SQLi #2 from 39k CVEs. Missing auth rises; memory bugs persist.

Prioritize input validation & CI/CD scans for cloud-native.

Full post: www.msbiro.net/posts/top25m...

#CWE #MITRE #DevSecOps #Cybersecurity

17.12.2025 08:34

Kubernetes Security 2025: Stable wins + 2026 preview!

✅ Bound SA tokens, Sidecar Containers, RRO mounts, RBAC selectors, namespace deletion fix

🔮 2026: User Namespaces beta/default, Pod mTLS certs, image pull auth

www.msbiro.net/posts/kubern...

#Kubernetes #DevSecOps #CloudNative

08.12.2025 14:08

Proof that developers do leave their keyboards and talk to other humans.
✋ 2025 attendees: raise your hand if you spot yourself in the reel 👇

#CloudNativeDaysItaly2026

04.12.2025 14:37
Back to Basics: My Opinionated 2025 sshd_config Hardening Back-to-basics sshd_config hardening for 2025: opinionated settings to disable root login, enforce key auth, modern ciphers, and timeouts. Secure your Linux servers from the ground up—no Kubernetes re...

I've published a comprehensive guide on hardening sshd_config for modern Linux systems, covering root login, key authentication, modern ciphers, and enterprise configurations.

www.msbiro.net/posts/back-t...

Read the full guide.

#DevSecOps #Cybersecurity #Linux #SSH #InfoSec

03.12.2025 19:45

Tired of 150+ CVEs from one Ubuntu image? Reactive scanning fails. DORA, NIS2 & EO 14028 push proactive supply chain security. My article covers registry risks, DIY vs hardened, top providers, and a 90-day Kyverno + monitoring plan. Read: msbiro.net/posts/hardened #DevSecOps

01.12.2025 08:05
runc container breakout vulnerabilities: A technical overview A set of high-severity vulnerabilities in runc were publicly disclosed in November 2025, allowing for full container breakouts. Runc is the cornerstone of containerization on Linux…

Thrilled! My CNCF blog on runc breakout vulns (CVE-2025-31133 etc.) is live. Honored to advocate for cloud native security.

www.cncf.io/blog/2025/11...

#CloudNative #Kubernetes

28.11.2025 15:31