Hi! I'm

Federico Calò

Software Developer | Technical Writer

I create modern web applications and custom digital tools to help businesses grow through technological innovation. My passion is combining computer science and economics to generate real value.

Contact Me

About Me

My passion for computer science was born at the Technical Commercial Institute of Maglie, where I discovered the power of programming and the fascination of creating digital solutions. From the start, I understood that computer science was not just code, but an extraordinary tool for turning ideas into reality.

During my studies in Business Information Systems, I began to interweave computer science and economics, understanding how technology can be the engine of growth for any business. This vision accompanied me to the University of Bari, where I obtained my degree in Computer Science, deepening my technical skills and passion for software development.

Today I put this experience at the service of businesses, professionals and startups, creating tailor-made digital solutions that automate processes, optimize resources and open new business opportunities. Because true innovation begins when technology meets the real needs of people.

My Skills

Data Analysis & Predictive Models

I transform data into strategic insights with in-depth analysis and predictive models for informed decisions

Process Automation

I create custom tools that automate repetitive operations and free up time for value-added activities

Custom Systems

I develop tailor-made software systems, from platform integrations to customized dashboards

const federico = {
  nome: "Federico Calò",
  ruolo: "Sviluppatore Software",
  città: "Bari, Italia",
  missione: "Aiutare attraverso l'informatica",
  passioni: [
    "Codice Pulito",
    "Innovazione",
    "Crescita Continua"
  ]
};

La Mia Missione

Credo fermamente che l'informatica sia lo strumento più potente per trasformare le idee in realtà e migliorare la vita delle persone.

Democratizzare la Tecnologia

La mia missione è rendere l'informatica accessibile a tutti: dalle piccole imprese locali alle startup innovative, fino ai professionisti che vogliono digitalizzare la propria attività. Ogni realtà merita di sfruttare le potenzialità del digitale.

Unire Informatica ed Economia

Non è solo questione di scrivere codice: è capire come la tecnologia possa generare valore reale. Intrecciando competenze informatiche e visione economica, aiuto le attività a crescere, ottimizzare processi e raggiungere nuovi traguardi di efficienza e redditività.

Creare Soluzioni su Misura

Ogni attività è unica, e così devono esserlo le soluzioni. Sviluppo strumenti personalizzati che rispondono alle esigenze specifiche di ciascun cliente, automatizzando processi ripetitivi e liberando tempo per ciò che conta davvero: far crescere il business.

Trasforma la Tua Attività con la Tecnologia

Che tu gestisca un negozio, uno studio professionale o un'azienda, posso aiutarti a sfruttare le potenzialità dell'informatica per lavorare meglio, più velocemente e in modo più intelligente.

Parliamone Insieme →

Join the Community

Join the developer community where we discuss software, AI, architecture and DevOps. Share ideas, ask questions and grow with us.

Channel

FC Dev Blog

Get notifications on new articles, complete series, weekly tips and featured tools. Bilingual IT/EN content directly in your Telegram.

New articles as they are published
Weekly tips and code snippets
Polls on future topics

Subscribe to Channel

Group

FC Dev Community

A bilingual IT/EN community for developers. Discussions, Q&A, mutual help and networking with other professionals.

Discussions on articles and technologies
Coding help and code review
Job opportunities and collaboration

Join the Group

Discussion Topics

View

Master SQL

RoadMap.sh

November 2024

View

Oracle Certified Foundations Associate

Oracle

October 2024

View

People Leadership Credential

Connect

September 2024

💻 Languages & Technologies

Java

Python

JavaScript

Angular

React

TypeScript

SQL

PHP

CSS/SCSS

Node.js

Docker

Git

💼

12/2024 - Present

Custom Software Engineering Analyst

Accenture

Bari, Puglia, Italy · Hybrid Analysis and development of computer systems through the use of Java and Quarkus in Health and Public Sector. Continuous training on modern technologies for creating customized and efficient software solutions and on agents.

💼

06/2022 - 12/2024

Software analyst and Back End Developer Associate Consultant

Links Management and Technology SpA

Experience analyzing as-is software systems and ETL flows using PowerCenter. Completed Spring Boot training for developing modern and scalable backend applications. Backend developer specialized in Spring Boot, with experience in database design, analysis, development and testing of assigned tasks.

💼

02/2021 - 10/2021

Software programmer

Adesso.it (prima era WebScience srl)

Experience in AS-IS and TO-BE analysis, SEO evolutions and website evolutions to improve user performance and engagement.

🎓

2018 - 2025

Degree in Computer Science

University of Bari Aldo Moro

Bachelor's degree in Computer Science, focusing on software engineering, algorithms, and modern development practices.

📚

2013 - 2018

Diploma - Corporate Information Systems

Technical Commercial Institute of Maglie

Technical diploma specializing in Business Information Systems, combining IT knowledge with business management.

Contattami

Hai un progetto in mente? Parliamone! Compila il form qui sotto e ti risponderò al più presto.

* Campi obbligatori. I tuoi dati saranno utilizzati solo per rispondere alla tua richiesta.

Secret Management: The Problem of Secrets in Software

Secrets (credentials, API keys, certificates, access tokens) are the most sensitive elements of a software infrastructure. A single exposed secret can compromise entire systems, databases, and cloud accounts. According to GitGuardian research, in 2024 over 12 million secrets were found exposed in public repositories on GitHub.

Secret management is not just about "not committing passwords to code." It's a complete system covering the generation, secure storage, distribution, rotation, and revocation of secrets throughout their entire lifecycle.

What You'll Learn

Architecture of a secret management system
HashiCorp Vault: setup, configuration, and integration
AWS Secrets Manager and cloud alternatives
Automatic credential rotation strategies
Secret detection in repositories with GitLeaks and TruffleHog
Common anti-patterns and how to avoid them

Anti-Patterns: How NOT to Manage Secrets

Before exploring solutions, let's look at the most common mistakes that lead to credential exposure:

Hardcoded in code: passwords and API keys written directly in source code
.env files in repository: configuration files with secrets accidentally committed
Unprotected environment variables: secrets passed as env vars without encryption
Secrets shared via chat: credentials sent on Slack, Teams, or email
Never-rotated secrets: static credentials that are never changed
Over-broad permissions: API keys with access to all services instead of the minimum required

The Cost of an Exposed Secret

An exposed secret in a public repository is discovered by automated bots on average within 24 seconds. In less than a minute, malicious actors can begin exploiting the credential. The average remediation time in organizations without automated processes is 327 days.

HashiCorp Vault: The Reference Standard

HashiCorp Vault is the most widely adopted enterprise secret management solution. It offers secure storage, controlled access, audit logging, and support for dynamic secret rotation. Vault can generate credentials on-demand with limited TTL, eliminating the problem of static secrets.

Vault Setup with Docker


# docker-compose.vault.yml
version: "3.8"
services:
  vault:
    image: hashicorp/vault:1.15
    container_name: vault
    ports:
      - "8200:8200"
    environment:
      VAULT_DEV_ROOT_TOKEN_ID: "dev-root-token"
      VAULT_DEV_LISTEN_ADDRESS: "0.0.0.0:8200"
    cap_add:
      - IPC_LOCK
    volumes:
      - vault-data:/vault/data

volumes:
  vault-data:

Basic Operations with Vault CLI


# Configure the client
export VAULT_ADDR="http://127.0.0.1:8200"
export VAULT_TOKEN="dev-root-token"

# Enable KV v2 secrets engine
vault secrets enable -version=2 kv

# Write a secret
vault kv put kv/myapp/database \
  username="dbadmin" \
  password="super-secret-password" \
  host="db.internal.company.com"

# Read a secret
vault kv get kv/myapp/database

# Read a specific field
vault kv get -field=password kv/myapp/database

# Create an access policy
vault policy write myapp-read - <<EOF
path "kv/data/myapp/*" {
  capabilities = ["read", "list"]
}
EOF

# Create a token with limited policy
vault token create -policy=myapp-read -ttl=1h

Dynamic Secrets: On-Demand Credentials

One of Vault's most powerful features is dynamic secrets: credentials generated at request time with a limited TTL. When the TTL expires, Vault automatically revokes the credentials. This eliminates the static secrets problem.


# Enable the database secrets engine
vault secrets enable database

# Configure PostgreSQL connection
vault write database/config/mydb \
  plugin_name=postgresql-database-plugin \
  allowed_roles="readonly" \
  connection_url="postgresql://{{username}}:{{password}}@db:5432/mydb?sslmode=disable" \
  username="vault_admin" \
  password="vault_admin_password"

# Create a role with dynamic credentials
vault write database/roles/readonly \
  db_name=mydb \
  creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
  default_ttl="1h" \
  max_ttl="24h"

# Get dynamic credentials
vault read database/creds/readonly

AWS Secrets Manager

For organizations operating on AWS, AWS Secrets Manager offers a managed service for secret management with built-in automatic rotation, native support for RDS, Redshift, and DocumentDB, and seamless integration with AWS services.

Secret Management Solutions Comparison

HashiCorp Vault: multi-cloud, self-hosted or managed (HCP), maximum flexibility
AWS Secrets Manager: AWS native, automatic RDS rotation, easy to use
Azure Key Vault: Azure native, AD integration, HSM support
GCP Secret Manager: GCP native, IAM integration, versioning
Kubernetes Secrets: base64 encoded (not encrypted!), use with external-secrets-operator

Secret Detection in Repositories

Prevention is the first line of defense. Secret detection tools analyze code looking for exposed credentials before they reach the remote repository.

GitLeaks: Pre-Commit Hook


# .pre-commit-config.yaml
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.18.0
    hooks:
      - id: gitleaks

# .gitleaks.toml - custom configuration
[extend]
useDefault = true

[[rules]]
id = "custom-api-key"
description = "Custom API Key pattern"
regex = '''MYAPP_API_KEY\s*=\s*['"]([A-Za-z0-9_-]+)['"]'''
secretGroup = 1
entropy = 3.5

[allowlist]
paths = [
  '''test/.*''',
  '''.*_test\.go''',
  '''.*\.md'''
]

CI/CD Integration


# .github/workflows/secret-detection.yml
name: Secret Detection
on:
  push:
    branches: [main, develop]
  pull_request:

jobs:
  gitleaks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: GitLeaks scan
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: #123;{ secrets.GITHUB_TOKEN }}

Rotation Strategies

Secret rotation is the process of periodically replacing credentials. Rotation reduces the exposure window in case of compromise and limits the damage of leaked secrets that haven't been discovered yet.

Automatic rotation: services like AWS Secrets Manager can automatically rotate credentials at configurable intervals
Dynamic secrets: Vault generates credentials with limited TTL, eliminating the need for rotation
Planned manual rotation: for secrets that can't be automatically rotated, plan quarterly rotation
Emergency rotation: procedure to revoke and rotate all secrets in case of breach

Secret Management Best Practices

Never in code: zero secrets in source code, configuration files, or container images
Centralize: one single secret management system for the entire organization
Least privilege: each application accesses only the secrets it needs
Audit logging: log every secret access for compliance and forensics
Automatic rotation: implement rotation for all secrets with maximum 90-day TTL
Pre-commit hooks: GitLeaks or TruffleHog as pre-commit to block secrets before push
Encryption at rest: secrets must be encrypted when not in use

Conclusions

Secret management is one of the most critical pillars of DevSecOps. An exposed secret can nullify all other security investments. The combination of secure storage (Vault), preventive detection (GitLeaks), and automatic rotation creates a robust defense system against credential compromise.

In the next article, we'll explore Policy as Code, analyzing how to define and automatically enforce security policies with OPA/Rego, Kyverno, and Sentinel.