Categories

Architecture

Kubernetes 1.35: what you can already see coming

Con 1.34 liberado en agosto de 2025 y el ciclo de 1.35 en su última fase de congelación de funciones, qué llegará estable, qué quedará en beta, qué nos interesa a quienes mantenemos clústeres pequeños o medianos y qué podemos ignorar sin culpa hasta el siguiente ciclo.

Architecture

gVisor: sandboxing for multi-tenant containers

gVisor interpone un kernel en espacio de usuario entre el contenedor y el anfitrión. Después de años en producción en Google y adopción creciente en plataformas serverless, merece una lectura honesta sobre cuándo compensa frente a microVMs y runtimes clásicos.

Technology

OSV-Scanner: vulnerabilities with a source of truth

OSV-Scanner se ha convertido en una referencia silenciosa para escanear dependencias open source. Su valor no está en el escaneo en sí, que muchas herramientas ofrecen, sino en su conexión directa con OSV.dev como fuente de verdad. Un análisis de por qué esto importa más de lo que parece.

Technology

Post-quantum cryptography in TLS: real-world adoption

Post-quantum cryptography stopped being an academic topic once Cloudflare, Google, and Apple put ML-KEM hybrids into production. By 2025 it already covers the majority of real web traffic. A look at where adoption stands, where friction still shows up, and what to review in your own infrastructure.

Methodologies

Migrating SSH to post-quantum cryptography: a practical guide

OpenSSH added hybrid post-quantum key exchange with ML-KEM in version 9.9 and made it the default algorithm in 10.0. The question is no longer whether to migrate SSH to post-quantum, but how to do it without breaking old clients: enable the hybrid mode, keep a classical fallback, and verify with ssh -v that the active algorithm is the right one.

Technology

Mesh networks with WireGuard without losing your mind

WireGuard is simple over a single link, but hand-building a multi-node mesh quickly turns into a tangle of keys and routes. Patterns that work, when pure WireGuard earns its keep, and when it is worth leaning on Tailscale or Headscale instead.

Methodologies

VEX: filtering vulnerability noise with context

Después de años acumulando SBOMs, el cuello de botella es filtrar qué CVEs afectan de verdad. VEX aparece como la pieza que convierte el ruido en señal, y en 2025 empieza a tener adopción real en pipelines de supply chain.

Methodologies

Semgrep: modern SAST in your pipeline

Semgrep has grown into one of the most pragmatic static analyzers in the ecosystem. A look at why it works where other SAST tools fail, and how to fit it into a pipeline without turning it into noise.

Technology

Final NIST PQC standards: what to do with them now

NIST published the final post-quantum cryptography standards in August 2024. Six months on, it is time to move from headline to plan: crypto inventory, crypto-agility, a realistic timeline, and the typical mistakes of teams jumping in now.

Methodologies

SLSA v1.0: a mature framework for the software supply chain

SLSA v1.0 splits software supply-chain security into three tracks (Build, Source, and Dependencies), of which only Build is stabilized, with three levels: L1, L2, and L3. If you build in GitHub Actions, reaching L2 with Sigstore-signed provenance takes a few hours and is the starting point I recommend to any team.

Technology

NIST PQC: The Post-Quantum Cryptography Standards

In August 2024, NIST published its first finalized post-quantum cryptography standards: FIPS 203 (ML-KEM) for key exchange, FIPS 204 (ML-DSA) for digital signatures, and FIPS 205 (SLH-DSA) as a hash-based alternative. They replace RSA and ECDSA before a quantum computer can break them, and hybrid implementations are already live in Chrome and Cloudflare.

How to Install

How to Install CrowdSec as a Community WAF

CrowdSec installs on Debian or Ubuntu with an official script and the crowdsec package; you then enable the Traefik, WordPress and Gitea collections, configure acquisition to read the right logs, and add the Traefik bouncer as a middleware to block or captcha-challenge IPs flagged by the LAPI in real time.

Technology

Zero Trust: Principles to Stop Trusting the Network

Zero Trust is not a product but a security architecture. It discards the assumption that the internal network is trusted and verifies every access explicitly, with least privilege, assuming breach is already active. The five principles: verify explicitly, least privilege, assume compromise, validate the device, and continuous visibility.

Tools

Podman: Containers Without a Daemon or Root

Podman is the Docker alternative with no central daemon and no root privileges required. Each container runs as a direct child process of the launching user, with rootless support since version 1.0 in 2019. If a container escapes, it does not gain host root. When Podman makes sense and what real differences to expect.

Technology

Trivy and Grype: Container Image Scanning in CI

Trivy and Grype are the two leading open-source tools for container image scanning in CI/CD pipelines. Both detect CVEs in OS packages and language dependencies with less than 5% coverage difference. Trivy stands out for IaC scanning; Grype natively integrates the SBOM workflow with Syft.

Technology

eBPF: High-Performance Monitoring in Linux

eBPF (Extended Berkeley Packet Filter) is a Linux kernel technology that runs verified programs directly inside the kernel, with no modules and no source-code changes. The kernel verifier rejects any unsafe program before it runs, letting teams monitor system calls, network traffic, and I/O at a much lower CPU cost than traditional external probes.

Tools

Efficient PC Management with Microsoft PC Manager

Microsoft PC Manager is a free, official Microsoft tool that brings temporary-file cleanup, Windows startup management, one-click access to Windows Defender, and a visual disk-usage map into a single panel. It runs on Windows 10 and Windows 11, but it does not replace a full antivirus or dedicated data-recovery tools.