I create modern web applications and custom digital tools to help businesses grow through technological innovation. My passion is combining computer science and economics to generate real value.
My passion for computer science was born at the Technical Commercial Institute of Maglie, where I discovered the power of programming and the fascination of creating digital solutions. From the start, I understood that computer science was not just code, but an extraordinary tool for turning ideas into reality.
During my studies in Business Information Systems, I began to interweave computer science and economics, understanding how technology can be the engine of growth for any business. This vision accompanied me to the University of Bari, where I obtained my degree in Computer Science, deepening my technical skills and passion for software development.
Today I put this experience at the service of businesses, professionals and startups, creating tailor-made digital solutions that automate processes, optimize resources and open new business opportunities. Because true innovation begins when technology meets the real needs of people.
My Skills
Data Analysis & Predictive Models
I transform data into strategic insights with in-depth analysis and predictive models for informed decisions
Process Automation
I create custom tools that automate repetitive operations and free up time for value-added activities
Custom Systems
I develop tailor-made software systems, from platform integrations to customized dashboards
Credo fermamente che l'informatica sia lo strumento più potente per trasformare le idee in realtà e migliorare la vita delle persone.
Democratizzare la Tecnologia
La mia missione è rendere l'informatica accessibile a tutti: dalle piccole imprese locali alle startup innovative, fino ai professionisti che vogliono digitalizzare la propria attività. Ogni realtà merita di sfruttare le potenzialità del digitale.
Unire Informatica ed Economia
Non è solo questione di scrivere codice: è capire come la tecnologia possa generare valore reale. Intrecciando competenze informatiche e visione economica, aiuto le attività a crescere, ottimizzare processi e raggiungere nuovi traguardi di efficienza e redditività.
Creare Soluzioni su Misura
Ogni attività è unica, e così devono esserlo le soluzioni. Sviluppo strumenti personalizzati che rispondono alle esigenze specifiche di ciascun cliente, automatizzando processi ripetitivi e liberando tempo per ciò che conta davvero: far crescere il business.
Trasforma la Tua Attività con la Tecnologia
Che tu gestisca un negozio, uno studio professionale o un'azienda, posso aiutarti a sfruttare le potenzialità dell'informatica per lavorare meglio, più velocemente e in modo più intelligente.
Bari, Puglia, Italy · Hybrid
Analysis and development of computer systems through the use of Java and Quarkus in Health and Public Sector. Continuous training on modern technologies for creating customized and efficient software solutions and on agents.
💼
06/2022 - 12/2024
Software analyst and Back End Developer Associate Consultant
Links Management and Technology SpA
Experience analyzing as-is software systems and ETL flows using PowerCenter. Completed Spring Boot training for developing modern and scalable backend applications. Backend developer specialized in Spring Boot, with experience in database design, analysis, development and testing of assigned tasks.
💼
02/2021 - 10/2021
Software programmer
Adesso.it (prima era WebScience srl)
Experience in AS-IS and TO-BE analysis, SEO evolutions and website evolutions to improve user performance and engagement.
🎓
2018 - 2025
Degree in Computer Science
University of Bari Aldo Moro
Bachelor's degree in Computer Science, focusing on software engineering, algorithms, and modern development practices.
📚
2013 - 2018
Diploma - Corporate Information Systems
Technical Commercial Institute of Maglie
Technical diploma specializing in Business Information Systems, combining IT knowledge with business management.
Contattami
Hai un progetto in mente? Parliamone! Compila il form qui sotto e ti risponderò al più presto.
* Campi obbligatori. I tuoi dati saranno utilizzati solo per rispondere alla tua richiesta.
Container Security: Why It's Fundamental
Containers have revolutionized how we distribute software, but they have also
introduced new attack surfaces. A Docker image contains not only the application code, but also
the base operating system, system libraries, and runtime dependencies. Each component can contain
vulnerabilities that are inherited by the application.
Container security covers the entire lifecycle: from image building (build-time), to distribution
in the registry (distribution), to production execution (runtime). In this article, we will
explore tools and practices to protect every phase.
What You'll Learn
How container image scanning works with Trivy and Grype
Building secure images with multi-stage builds and distroless
Image signing and verification with Cosign
Runtime protection with Falco and network policies
Security context and Pod Security Standards in Kubernetes
Best practices for secure Dockerfiles
Trivy: Complete Vulnerability Scanner
Trivy by Aqua Security is the most popular container scanner, capable of analyzing
Docker images, filesystems, Git repositories, and IaC configurations. It's fast, accurate, and
easy to integrate into CI/CD pipelines.
Docker Image Scanning
# Install Trivy
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh
# Scan a Docker image
trivy image node:18-alpine
# Scan with severity filter
trivy image --severity CRITICAL,HIGH node:18-alpine
# Output in SARIF format for GitHub
trivy image --format sarif --output trivy-results.sarif myapp:latest
# Scan local filesystem
trivy fs --security-checks vuln,config .
# Scan with exit code for CI (fails if CRITICAL found)
trivy image --exit-code 1 --severity CRITICAL myapp:latest
Grype by Anchore is a lightweight alternative to Trivy, focused exclusively on
container image vulnerability scanning. It's particularly fast and integrates well with
Syft (from the same team) for SBOM generation.
# Install Grype
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh
# Scan an image
grype myapp:latest
# Scan with filter and JSON output
grype myapp:latest --only-fixed --output json > grype-results.json
# Scan with fail-on severity
grype myapp:latest --fail-on critical
# Generate SBOM with Syft and analyze with Grype
syft myapp:latest -o cyclonedx-json > sbom.json
grype sbom:sbom.json
Building Secure Docker Images
Container security starts with the Dockerfile. A well-built image drastically
reduces the attack surface and number of vulnerabilities.
Multi-Stage Build
The multi-stage build pattern separates the compilation environment from the final image,
eliminating build tools, sources, and development dependencies from the production image:
# Stage 1: Build
FROM node:20-alpine AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci --only=production
COPY . .
RUN npm run build
# Stage 2: Production (minimal image)
FROM gcr.io/distroless/nodejs20-debian12
WORKDIR /app
COPY --from=builder /app/dist ./dist
COPY --from=builder /app/node_modules ./node_modules
EXPOSE 3000
USER nonroot
CMD ["dist/server.js"]
Distroless Images
Google's distroless images contain only the application and its runtime
dependencies, without shell, package manager, or other system tools. This reduces the
attack surface to the absolute minimum.
Size and Vulnerability Comparison
Base Image
Size
Typical CVEs
node:20
~1.1 GB
200-400
node:20-slim
~250 MB
50-100
node:20-alpine
~180 MB
10-30
distroless/nodejs20
~130 MB
0-5
Dockerfile Security Best Practices
A secure Dockerfile follows specific rules that reduce the attack surface:
# 1. Use specific versions, never :latest
FROM node:20.11.0-alpine3.19
# 2. Create a non-root user
RUN addgroup -S appgroup && adduser -S appuser -G appgroup
# 3. Set WORKDIR
WORKDIR /app
# 4. Copy dependency files first (cache layer)
COPY package*.json ./
RUN npm ci --only=production && npm cache clean --force
# 5. Copy application code
COPY --chown=appuser:appgroup . .
# 6. Don't expose privileged ports
EXPOSE 8080
# 7. Use non-root user
USER appuser
# 8. Use HEALTHCHECK
HEALTHCHECK --interval=30s --timeout=3s \
CMD wget --no-verbose --tries=1 --spider http://localhost:8080/health || exit 1
# 9. Use exec form for CMD
CMD ["node", "dist/server.js"]
Image Signing with Cosign
Cosign (part of the Sigstore project) allows digitally signing container images,
ensuring the image hasn't been modified after the build. This is fundamental for supply chain security.
# Install Cosign
brew install cosign # macOS
# or
go install github.com/sigstore/cosign/v2/cmd/cosign@latest
# Generate a key pair
cosign generate-key-pair
# Sign an image
cosign sign --key cosign.key myregistry.com/myapp:v1.0.0
# Verify the signature
cosign verify --key cosign.pub myregistry.com/myapp:v1.0.0
# Sign with keyless (Sigstore/Fulcio)
cosign sign myregistry.com/myapp:v1.0.0
Runtime Protection with Falco
Falco by Sysdig is the reference open source tool for container runtime security.
It monitors kernel syscalls in real-time and generates alerts when it detects anomalous or
suspicious behavior.
What Falco Detects
Shell spawn inside a container
Access to sensitive files (/etc/shadow, /etc/passwd)
Unexpected network connections
System file modifications
Privilege escalation
Cryptomining activity
Kubernetes Pod Security
In Kubernetes environments, container security extends to Pod configuration. Pod Security
Standards define three security levels:
Network Policies in Kubernetes limit network traffic between Pods, implementing
the principle of least privilege at the network level:
# Deny all ingress by default
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-ingress
namespace: production
spec:
podSelector: {}
policyTypes:
- Ingress
---
# Allow only specific traffic
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-frontend-to-api
namespace: production
spec:
podSelector:
matchLabels:
app: api
policyTypes:
- Ingress
ingress:
- from:
- podSelector:
matchLabels:
app: frontend
ports:
- protocol: TCP
port: 8080
Container Security Best Practices
Scan on every build: integrate Trivy/Grype in the CI pipeline for every image
Minimal images: use Alpine or distroless as base, avoid full images
Non-root: always run containers as non-root user
Read-only filesystem: mount root filesystem as read-only
No latest tag: always use specific tags with SHA256 digest
Private registry: use a private registry with integrated scanning
Image signing: sign every image with Cosign before deploying
Runtime monitoring: implement Falco for production monitoring
Conclusions
Container security is a critical aspect of DevSecOps that requires attention at every stage
of the lifecycle. From building minimal and secure images, to automated scanning, to runtime
monitoring, each layer adds protection against threats.
In the next article, we'll explore Supply Chain Security, analyzing SBOM
(Software Bill of Materials), Sigstore for artifact signing, and the SLSA framework for
ensuring software supply chain integrity.
