Two years after the final NIST standards, post-quantum migration is no longer hypothetical. What has actually been migrated, what remains stuck, where the real operational problems lie, and how the timelines look from April 2026.
Four and a half years after Rust officially entered Linux 6.1, with real Apple GPU and NVMe drivers in production and several public conflicts between maintainers, it is time for a sober technical balance. What works, what still costs, and where the next phase is heading.
Con 1.34 liberado en agosto de 2025 y el ciclo de 1.35 en su última fase de congelación de funciones, qué llegará estable, qué quedará en beta, qué nos interesa a quienes mantenemos clústeres pequeños o medianos y qué podemos ignorar sin culpa hasta el siguiente ciclo.
gVisor interpone un kernel en espacio de usuario entre el contenedor y el anfitrión. Después de años en producción en Google y adopción creciente en plataformas serverless, merece una lectura honesta sobre cuándo compensa frente a microVMs y runtimes clásicos.
OSV-Scanner se ha convertido en una referencia silenciosa para escanear dependencias open source. Su valor no está en el escaneo en sí, que muchas herramientas ofrecen, sino en su conexión directa con OSV.dev como fuente de verdad. Un análisis de por qué esto importa más de lo que parece.
CVE-based attack surface management has moved from an abstract list to an engineering practice with real prioritization. We look at how it works once EPSS, KEV and exposure context enter the same equation.
Post-quantum cryptography stopped being an academic topic once Cloudflare, Google, and Apple put ML-KEM hybrids into production. By 2025 it already covers the majority of real web traffic. A look at where adoption stands, where friction still shows up, and what to review in your own infrastructure.
OpenSSH added hybrid post-quantum key exchange with ML-KEM in version 9.9 and made it the default algorithm in 10.0. The question is no longer whether to migrate SSH to post-quantum, but how to do it without breaking old clients: enable the hybrid mode, keep a classical fallback, and verify with ssh -v that the active algorithm is the right one.
WireGuard is simple over a single link, but hand-building a multi-node mesh quickly turns into a tangle of keys and routes. Patterns that work, when pure WireGuard earns its keep, and when it is worth leaning on Tailscale or Headscale instead.
Después de años acumulando SBOMs, el cuello de botella es filtrar qué CVEs afectan de verdad. VEX aparece como la pieza que convierte el ruido en señal, y en 2025 empieza a tener adopción real en pipelines de supply chain.
Semgrep has grown into one of the most pragmatic static analyzers in the ecosystem. A look at why it works where other SAST tools fail, and how to fit it into a pipeline without turning it into noise.
Two years after Zero Trust stopped being a marketing word, it is worth looking at how it connects with the SIEM teams run day to day. A look at useful signals, avoidable noise, and the decisions that actually change security posture.
CodeQL lleva años siendo el motor de análisis estático de GitHub, pero su alcance real no siempre está claro. Balance de qué detecta bien, qué se le escapa y cómo conviene integrarlo en el flujo de revisión.
Dependabot and Renovate chase the same goal with different philosophies. I compare both after years running them on my own and client projects, covering when one fits better and when the other suits a team's workflow more.
NIST published the final post-quantum cryptography standards in August 2024. Six months on, it is time to move from headline to plan: crypto inventory, crypto-agility, a realistic timeline, and the typical mistakes of teams jumping in now.
SLSA v1.0 splits software supply-chain security into three tracks (Build, Source, and Dependencies), of which only Build is stabilized, with three levels: L1, L2, and L3. If you build in GitHub Actions, reaching L2 with Sigstore-signed provenance takes a few hours and is the starting point I recommend to any team.
In August 2024, NIST published its first finalized post-quantum cryptography standards: FIPS 203 (ML-KEM) for key exchange, FIPS 204 (ML-DSA) for digital signatures, and FIPS 205 (SLH-DSA) as a hash-based alternative. They replace RSA and ECDSA before a quantum computer can break them, and hybrid implementations are already live in Chrome and Cloudflare.
CrowdSec installs on Debian or Ubuntu with an official script and the crowdsec package; you then enable the Traefik, WordPress and Gitea collections, configure acquisition to read the right logs, and add the Traefik bouncer as a middleware to block or captcha-challenge IPs flagged by the LAPI in real time.
Zero Trust is not a product but a security architecture. It discards the assumption that the internal network is trusted and verifies every access explicitly, with least privilege, assuming breach is already active. The five principles: verify explicitly, least privilege, assume compromise, validate the device, and continuous visibility.
Podman is the Docker alternative with no central daemon and no root privileges required. Each container runs as a direct child process of the launching user, with rootless support since version 1.0 in 2019. If a container escapes, it does not gain host root. When Podman makes sense and what real differences to expect.
Trivy and Grype are the two leading open-source tools for container image scanning in CI/CD pipelines. Both detect CVEs in OS packages and language dependencies with less than 5% coverage difference. Trivy stands out for IaC scanning; Grype natively integrates the SBOM workflow with Syft.
eBPF (Extended Berkeley Packet Filter) is a Linux kernel technology that runs verified programs directly inside the kernel, with no modules and no source-code changes. The kernel verifier rejects any unsafe program before it runs, letting teams monitor system calls, network traffic, and I/O at a much lower CPU cost than traditional external probes.
Microsoft PC Manager is a free, official Microsoft tool that brings temporary-file cleanup, Windows startup management, one-click access to Windows Defender, and a visual disk-usage map into a single panel. It runs on Windows 10 and Windows 11, but it does not replace a full antivirus or dedicated data-recovery tools.
3 min2614.4
We use first- and third-party cookies to analyze site traffic. You can accept them, reject them, or configure your choice.
Learn more about cookies
Cookie preferences
NecessaryEssential for the site to work. Always on.
AnalyticsHelp us understand how the site is used (Google Analytics).