https://falcao.org/tags/security/Recent content in Security on Danilo Falcão da SilvaHugoen-usMon, 25 May 2026 14:35:00 -0300https://falcao.org/posts/batman-belt-kubernetes-tools/Mon, 25 May 2026 14:35:00 -0300https://falcao.org/posts/batman-belt-kubernetes-tools/<p><code>kubectl</code> is the Swiss Army knife. Nobody disputes this. But Swiss Army knives are terrible at most of the individual jobs they claim to do, and <code>kubectl</code> is no different: it can tail logs, but only one pod at a time. It can switch contexts, but with zero guardrails. It can describe resources, but in a wall of YAML that buries the thing you actually care about.</p> <p>Day-2 operations — the part where the cluster is live, traffic is flowing, and someone pages you at 2 a.m. — need sharper instruments. What follows is the utility belt I&rsquo;d recommend to any Kubernetes operator building their toolkit in 2026. Not everything here is new. Some of these tools have been around since 2018. The point is that they&rsquo;re still maintained, still solve real problems, and still faster than the <code>kubectl</code> incantation you&rsquo;d otherwise be typing.</p>https://falcao.org/posts/ai-bug-discovery-revolution/Sat, 23 May 2026 10:00:00 -0300https://falcao.org/posts/ai-bug-discovery-revolution/<p>On May 18, 2026, Linus Torvalds called the Linux kernel security mailing list <strong>&ldquo;almost entirely unmanageable.&rdquo;</strong> The reason: a flood of AI-generated bug reports. The reaction was predictable — ban AI, blame researchers, declare the tools aren&rsquo;t ready.</p> <p>I <a href="https://falcao.org/posts/ai-bug-reports-open-source/">wrote about the maintenance crisis last week</a> and I think that framing misses the deeper story. The problem is not that AI is generating too many reports. <strong>The problem is that the code was more broken than we thought, and for twenty years nobody had the tools to look at it properly.</strong></p>https://falcao.org/posts/open-source-sast-dast-sca-2026/Fri, 22 May 2026 10:00:00 -0300https://falcao.org/posts/open-source-sast-dast-sca-2026/<p>I don&rsquo;t pay for Snyk. Not because it&rsquo;s bad — it&rsquo;s a genuinely good product — but because there is a free stack that catches the vast majority of the same issues directly in CI, and the remaining gap hasn&rsquo;t been worth roughly <strong>$600 per developer per year</strong> to close. On a team of fifteen engineers, that&rsquo;s the price of a small EC2 fleet you actually need.</p> <p>This post is about the open-source security tooling I actually wire into pipelines: <strong>Trivy</strong> for containers, dependencies and IaC, <strong>Semgrep</strong> for application code, <strong>Nuclei</strong> and <strong>OWASP ZAP</strong> for the live app, and a few honourable mentions. It&rsquo;s not an exhaustive catalogue. It&rsquo;s the stack I keep coming back to.</p>https://falcao.org/posts/ai-bug-reports-open-source/Wed, 20 May 2026 10:00:00 -0300https://falcao.org/posts/ai-bug-reports-open-source/<p>On May 18, 2026, Linus Torvalds said the Linux kernel security mailing list had become <strong>&ldquo;almost entirely unmanageable&rdquo;</strong> because of duplicate AI-generated bug reports. Two months earlier, longtime stable maintainer <strong>Willy Tarreau</strong> had already shared the numbers: a list that received two to three reports per week in 2024 was getting <strong>five to ten reports per day</strong> by March 2026. In January, <strong>Daniel Stenberg shut down the curl bug bounty</strong> after the valid-report rate on HackerOne dropped from above 15% to below 5%, with twenty submissions in 21 days — seven of them in one 16-hour window — and zero real vulnerabilities among them.</p>