Hi! I'm

Federico Calò

Software Developer | Technical Writer

I create modern web applications and custom digital tools to help businesses grow through technological innovation. My passion is combining computer science and economics to generate real value.

Contact Me

About Me

My passion for computer science was born at the Technical Commercial Institute of Maglie, where I discovered the power of programming and the fascination of creating digital solutions. From the start, I understood that computer science was not just code, but an extraordinary tool for turning ideas into reality.

During my studies in Business Information Systems, I began to interweave computer science and economics, understanding how technology can be the engine of growth for any business. This vision accompanied me to the University of Bari, where I obtained my degree in Computer Science, deepening my technical skills and passion for software development.

Today I put this experience at the service of businesses, professionals and startups, creating tailor-made digital solutions that automate processes, optimize resources and open new business opportunities. Because true innovation begins when technology meets the real needs of people.

My Skills

Data Analysis & Predictive Models

I transform data into strategic insights with in-depth analysis and predictive models for informed decisions

Process Automation

I create custom tools that automate repetitive operations and free up time for value-added activities

Custom Systems

I develop tailor-made software systems, from platform integrations to customized dashboards

const federico = {
  nome: "Federico Calò",
  ruolo: "Sviluppatore Software",
  città: "Bari, Italia",
  missione: "Aiutare attraverso l'informatica",
  passioni: [
    "Codice Pulito",
    "Innovazione",
    "Crescita Continua"
  ]
};

La Mia Missione

Credo fermamente che l'informatica sia lo strumento più potente per trasformare le idee in realtà e migliorare la vita delle persone.

Democratizzare la Tecnologia

La mia missione è rendere l'informatica accessibile a tutti: dalle piccole imprese locali alle startup innovative, fino ai professionisti che vogliono digitalizzare la propria attività. Ogni realtà merita di sfruttare le potenzialità del digitale.

Unire Informatica ed Economia

Non è solo questione di scrivere codice: è capire come la tecnologia possa generare valore reale. Intrecciando competenze informatiche e visione economica, aiuto le attività a crescere, ottimizzare processi e raggiungere nuovi traguardi di efficienza e redditività.

Creare Soluzioni su Misura

Ogni attività è unica, e così devono esserlo le soluzioni. Sviluppo strumenti personalizzati che rispondono alle esigenze specifiche di ciascun cliente, automatizzando processi ripetitivi e liberando tempo per ciò che conta davvero: far crescere il business.

Trasforma la Tua Attività con la Tecnologia

Che tu gestisca un negozio, uno studio professionale o un'azienda, posso aiutarti a sfruttare le potenzialità dell'informatica per lavorare meglio, più velocemente e in modo più intelligente.

Parliamone Insieme →

Join the Community

Join the developer community where we discuss software, AI, architecture and DevOps. Share ideas, ask questions and grow with us.

Channel

FC Dev Blog

Get notifications on new articles, complete series, weekly tips and featured tools. Bilingual IT/EN content directly in your Telegram.

New articles as they are published
Weekly tips and code snippets
Polls on future topics

Subscribe to Channel

Group

FC Dev Community

A bilingual IT/EN community for developers. Discussions, Q&A, mutual help and networking with other professionals.

Discussions on articles and technologies
Coding help and code review
Job opportunities and collaboration

Join the Group

Discussion Topics

View

Master SQL

RoadMap.sh

November 2024

View

Oracle Certified Foundations Associate

Oracle

October 2024

View

People Leadership Credential

Connect

September 2024

💻 Languages & Technologies

Java

Python

JavaScript

Angular

React

TypeScript

SQL

PHP

CSS/SCSS

Node.js

Docker

Git

💼

12/2024 - Present

Custom Software Engineering Analyst

Accenture

Bari, Puglia, Italy · Hybrid Analysis and development of computer systems through the use of Java and Quarkus in Health and Public Sector. Continuous training on modern technologies for creating customized and efficient software solutions and on agents.

💼

06/2022 - 12/2024

Software analyst and Back End Developer Associate Consultant

Links Management and Technology SpA

Experience analyzing as-is software systems and ETL flows using PowerCenter. Completed Spring Boot training for developing modern and scalable backend applications. Backend developer specialized in Spring Boot, with experience in database design, analysis, development and testing of assigned tasks.

💼

02/2021 - 10/2021

Software programmer

Adesso.it (prima era WebScience srl)

Experience in AS-IS and TO-BE analysis, SEO evolutions and website evolutions to improve user performance and engagement.

🎓

2018 - 2025

Degree in Computer Science

University of Bari Aldo Moro

Bachelor's degree in Computer Science, focusing on software engineering, algorithms, and modern development practices.

📚

2013 - 2018

Diploma - Corporate Information Systems

Technical Commercial Institute of Maglie

Technical diploma specializing in Business Information Systems, combining IT knowledge with business management.

Contattami

Hai un progetto in mente? Parliamone! Compila il form qui sotto e ti risponderò al più presto.

* Campi obbligatori. I tuoi dati saranno utilizzati solo per rispondere alla tua richiesta.

Supply Chain Security: Protecting the Software Chain

Supply chain security in software refers to protecting the entire process of creating, distributing, and consuming software. Supply chain attacks are growing exponentially: compromising a single component in the chain allows attacking thousands of downstream organizations.

The SolarWinds attack of 2020 and the XZ Utils incident of 2024 demonstrated how vulnerable the supply chain is. In this article, we will explore the standards and tools for protecting the software chain: SBOM for component inventory, Sigstore for artifact signing, and the SLSA framework for provenance verification.

What You'll Learn

What an SBOM is and why it's fundamental
SBOM standards: CycloneDX and SPDX
Sigstore: artifact signing and verification
SLSA framework for supply chain integrity
Automatic SBOM generation in the CI/CD pipeline
Artifact provenance verification

SBOM: Software Bill of Materials

An SBOM (Software Bill of Materials) is a complete inventory of all components that make up a software product: libraries, frameworks, tools, and their exact versions. Like an ingredient list for food, the SBOM lets you know exactly what's inside the software.

SBOM has become a legal requirement in many contexts: US Executive Order 14028 requires it for federal government suppliers, and European regulations (NIS2, Cyber Resilience Act) are making it mandatory for digital products sold in the EU.

SBOM Standards: CycloneDX vs SPDX

      SBOM Standards Comparison
      
          Feature
          CycloneDX
          SPDX
        
          Maintained by
          OWASP
          Linux Foundation
        
          Focus
          Security and risk management
          License compliance
        
          Formats
          JSON, XML, Protobuf
          JSON, RDF, Tag-Value
        
          VEX support
          Native
          Through extensions
        
          Adoption
          Security community, DevSecOps
          Enterprise, government

Generate SBOM with Syft


# Install Syft
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh

# Generate SBOM from a Docker image (CycloneDX)
syft myapp:latest -o cyclonedx-json > sbom-cyclonedx.json

# Generate SBOM in SPDX format
syft myapp:latest -o spdx-json > sbom-spdx.json

# Generate SBOM from local filesystem
syft dir:. -o cyclonedx-json > sbom-project.json

# Generate SBOM from a lock file
syft file:package-lock.json -o cyclonedx-json > sbom-deps.json

SBOM in the CI/CD Pipeline


# .github/workflows/sbom.yml
name: SBOM Generation
on:
  push:
    branches: [main]
    tags: ["v*"]

jobs:
  sbom:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build Docker image
        run: docker build -t myapp:#123;{ github.sha }} .

      - name: Generate SBOM
        uses: anchore/sbom-action@v0
        with:
          image: myapp:#123;{ github.sha }}
          format: cyclonedx-json
          output-file: sbom.json

      - name: Upload SBOM as artifact
        uses: actions/upload-artifact@v4
        with:
          name: sbom
          path: sbom.json

      - name: Attach SBOM to release
        if: startsWith(github.ref, 'refs/tags/')
        uses: softprops/action-gh-release@v1
        with:
          files: sbom.json

Sigstore: Artifact Signing

Sigstore is a Linux Foundation project that provides tools for cryptographic signing and verification of software artifacts. The goal is to make software signing as easy as code commit, eliminating key management complexity.

Sigstore consists of three main components:

Cosign: signing and verification of container images and OCI artifacts
Fulcio: Certificate Authority that issues ephemeral certificates based on OIDC identity
Rekor: immutable transparency log that records all signatures


# .github/workflows/sign-and-verify.yml
name: Sign and Publish
on:
  push:
    tags: ["v*"]

jobs:
  build-sign-publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
      id-token: write  # Required for Sigstore keyless
    steps:
      - uses: actions/checkout@v4

      - name: Install Cosign
        uses: sigstore/cosign-installer@v3

      - name: Login to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: #123;{ github.actor }}
          password: #123;{ secrets.GITHUB_TOKEN }}

      - name: Build and Push
        id: build
        uses: docker/build-push-action@v5
        with:
          push: true
          tags: ghcr.io/myorg/myapp:#123;{ github.ref_name }}

      - name: Sign image (keyless)
        run: cosign sign --yes ghcr.io/myorg/myapp@#123;{ steps.build.outputs.digest }}

      - name: Attach SBOM
        run: |
          syft ghcr.io/myorg/myapp@#123;{ steps.build.outputs.digest }} -o cyclonedx-json > sbom.json
          cosign attach sbom --sbom sbom.json ghcr.io/myorg/myapp@#123;{ steps.build.outputs.digest }}

SLSA Framework

SLSA (Supply-chain Levels for Software Artifacts), pronounced "salsa", is a security framework that defines increasing levels of assurance about the provenance and integrity of software artifacts. Developed by Google, SLSA defines 4 levels:

      SLSA Levels
      
          Level
          Requirements
          Protection
        
          SLSA 1
          Documented build, provenance generated
          Basic transparency
        
          SLSA 2
          Automated build, signed provenance
          Protection from post-build tampering
        
          SLSA 3
          Isolated build, verifiable provenance
          Protection from build system compromise
        
          SLSA 4
          Hermetic build, two-person review
          Maximum integrity assurance

VEX: Vulnerability Exploitability eXchange

VEX is a format that allows software producers to communicate whether a known vulnerability in a component is actually exploitable in their product. This reduces noise for consumers who would otherwise need to triage every CVE manually.

VEX States

Not Affected: the vulnerability is not exploitable in the product
Affected: the vulnerability is exploitable and requires action
Fixed: the vulnerability has been fixed in the current version
Under Investigation: analysis is ongoing

Supply Chain Security Best Practices

Generate SBOM for every release: automate generation and attachment of SBOM to every release
Sign all artifacts: use Cosign/Sigstore to sign container images, binaries, and SBOMs
Verify signatures at deploy: configure admission controllers that reject unsigned images
Monitor dependencies: use the SBOM to receive immediate alerts when a new CVE is discovered
Reach SLSA 3+: implement isolated builds with verifiable provenance
Publish VEX: communicate vulnerability status to software consumers

Conclusions

Supply chain security has become an imperative for every software-developing organization. SBOM, Sigstore, and SLSA provide the tools and frameworks to build a transparent, verifiable, and attack-resistant software chain.

In the next article, we'll explore Secret Management, analyzing how to manage credentials, API keys, and certificates securely with HashiCorp Vault and automatic rotation strategies.

Feature	CycloneDX	SPDX
Maintained by	OWASP	Linux Foundation
Focus	Security and risk management	License compliance
Formats	JSON, XML, Protobuf	JSON, RDF, Tag-Value
VEX support	Native	Through extensions
Adoption	Security community, DevSecOps	Enterprise, government

Level	Requirements	Protection
SLSA 1	Documented build, provenance generated	Basic transparency
SLSA 2	Automated build, signed provenance	Protection from post-build tampering
SLSA 3	Isolated build, verifiable provenance	Protection from build system compromise
SLSA 4	Hermetic build, two-person review	Maximum integrity assurance