Expert Interview: Infrastructure as Code with Oscar Quintas
One of the best things about working in a tech startup is all the interesting, clever people you get to meet and collaborate with along the way. Growing a company from a cool idea into a serious market contender requires the assembly of your very own team of Avengers (or, Justice League, depending on your allegiance).
With that in mind, we'd like to shine the spotlight on one of our experts, Oscar Quintas. He's part of our Product Content team, working as a Senior Security Researcher. He's also our resident sorcerer on all things Infrastructure as Code (IaC). He is the force behind our 178 (and counting!) IaC platform challenges, and our go-to for all the burning questions we have regarding this fresh, piping hot topic.
We think he's pretty special, so we'd like you to get to know him a little better. Here he will share his insights on the piping hot topic of Infrastructure as Code security, his role, and what organizations can do to better prepare their cloud infrastructure and engineers:
Q:Tell us about your role at Secure Code Warrior. What does a typical day look like for you?
A: I am part of the Product Content team working as a Senior Security Researcher. A typical day involves reviewing challenges code in different languages (Python, Java, Golang, and many others!) to ensure that code quality standards are met, and security best practices are implemented. I also develop new IaC content.
Q: You have been the genius behind all of our Infrastructure as Code platform challenges. What is your process?
A: I would say it is a combination of research, and working hard to deliver content that provides high relevance and engagement to multiple skill levels. I usually start by looking at the most common problems users are facing when deploying infrastructure, and with that information, I develop useful challenges to show the security best practices for each case.
I always try to offer a good learning experience for our warriors, and ensure it is a job-relevant and useful exercise with an ongoing benefit.
Q: IaC security is a really popular topic at the moment. What are the main issues facing companies in terms of their cloud security practices?
A: Infrastructure as Code is all about managing your infrastructure resources using code. With just a few lines of that code, you can deploy hundreds of cloud resources (network, firewall rules, virtual machines, containers, etc.) that can contain security bugs if not properly configured. So, the same principles applied for secure application deployment can apply to IaC, and these risks -- and their fixes -- must be understood by every team involved in the SDLC.
This awareness and action begins with proper training in IaC security, and prioritizing the secure coding skills of your cloud engineers. They can be a powerful layer of defense, and this is especially important when they are building the infrastructure that hosts applications.
Q: There is a lot of industry interest around Kubernetes, and it seems to be used widely. However, our platform data reflects Terraform as an overwhelmingly popular language, with high engagement. Do you have any insights to share on why it is gaining such traction?
A: Terraform is the de facto language for IaC as it allows us to deploy infrastructure resources in multi-cloud environments (e.g. AWS, GCP, Azure) using a simple syntax. It allows you to define your infrastructure using code and it transparently interacts with cloud APIs to manage the deployment of the resources.
This language is incredibly versatile, and as it can be added to source control repositories, DevOps / DevSecOps principles can also be applied to the infrastructure deployment. However, this will also introduce new threats that must be addressed, so comprehensive training in secure coding with Terraform is a must.
Q:Youre an IaC security expert. What is the best part of your job?
A: IaC is still in its early days so there are a lot of new things being released frequently. It is a bit challenging to keep up to date with these new technologies, but it is rewarding at the same time. I really like to learn new things and test security best practices for new services.
Take your IaC security to the next level.
If you want your cloud developers to hone their security skills around Infrastructure as Code, challenge yourself with our IaC Top 8! Read each chapter for the full run-down of eight common IaC security bugs, including interactive challenges to test their new knowledge.
Let us know your score, and make Oscar proud!
We'd like to shine the spotlight on one of our experts, Oscar Quintas. He's part of our Product Content team, working as a Senior Security Researcher. He's also our resident sorcerer on all things Infrastructure as Code (IaC).
Matias Madou, Ph.D. is a security expert, researcher, and CTO and co-founder of Secure Code Warrior. Matias obtained his Ph.D. in Application Security from Ghent University, focusing on static analysis solutions. He later joined Fortify in the US, where he realized that it was insufficient to solely detect code problems without aiding developers in writing secure code. This inspired him to develop products that assist developers, alleviate the burden of security, and exceed customers' expectations. When he is not at his desk as part of Team Awesome, he enjoys being on stage presenting at conferences including RSA Conference, BlackHat and DefCon.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demoMatias Madou, Ph.D. is a security expert, researcher, and CTO and co-founder of Secure Code Warrior. Matias obtained his Ph.D. in Application Security from Ghent University, focusing on static analysis solutions. He later joined Fortify in the US, where he realized that it was insufficient to solely detect code problems without aiding developers in writing secure code. This inspired him to develop products that assist developers, alleviate the burden of security, and exceed customers' expectations. When he is not at his desk as part of Team Awesome, he enjoys being on stage presenting at conferences including RSA Conference, BlackHat and DefCon.
Matias is a researcher and developer with more than 15 years of hands-on software security experience. He has developed solutions for companies such as Fortify Software and his own company Sensei Security. Over his career, Matias has led multiple application security research projects which have led to commercial products and boasts over 10 patents under his belt. When he is away from his desk, Matias has served as an instructor for advanced application security training courses and regularly speaks at global conferences including RSA Conference, Black Hat, DefCon, BSIMM, OWASP AppSec and BruCon.
Matias holds a Ph.D. in Computer Engineering from Ghent University, where he studied application security through program obfuscation to hide the inner workings of an application.
One of the best things about working in a tech startup is all the interesting, clever people you get to meet and collaborate with along the way. Growing a company from a cool idea into a serious market contender requires the assembly of your very own team of Avengers (or, Justice League, depending on your allegiance).
With that in mind, we'd like to shine the spotlight on one of our experts, Oscar Quintas. He's part of our Product Content team, working as a Senior Security Researcher. He's also our resident sorcerer on all things Infrastructure as Code (IaC). He is the force behind our 178 (and counting!) IaC platform challenges, and our go-to for all the burning questions we have regarding this fresh, piping hot topic.
We think he's pretty special, so we'd like you to get to know him a little better. Here he will share his insights on the piping hot topic of Infrastructure as Code security, his role, and what organizations can do to better prepare their cloud infrastructure and engineers:
Q:Tell us about your role at Secure Code Warrior. What does a typical day look like for you?
A: I am part of the Product Content team working as a Senior Security Researcher. A typical day involves reviewing challenges code in different languages (Python, Java, Golang, and many others!) to ensure that code quality standards are met, and security best practices are implemented. I also develop new IaC content.
Q: You have been the genius behind all of our Infrastructure as Code platform challenges. What is your process?
A: I would say it is a combination of research, and working hard to deliver content that provides high relevance and engagement to multiple skill levels. I usually start by looking at the most common problems users are facing when deploying infrastructure, and with that information, I develop useful challenges to show the security best practices for each case.
I always try to offer a good learning experience for our warriors, and ensure it is a job-relevant and useful exercise with an ongoing benefit.
Q: IaC security is a really popular topic at the moment. What are the main issues facing companies in terms of their cloud security practices?
A: Infrastructure as Code is all about managing your infrastructure resources using code. With just a few lines of that code, you can deploy hundreds of cloud resources (network, firewall rules, virtual machines, containers, etc.) that can contain security bugs if not properly configured. So, the same principles applied for secure application deployment can apply to IaC, and these risks -- and their fixes -- must be understood by every team involved in the SDLC.
This awareness and action begins with proper training in IaC security, and prioritizing the secure coding skills of your cloud engineers. They can be a powerful layer of defense, and this is especially important when they are building the infrastructure that hosts applications.
Q: There is a lot of industry interest around Kubernetes, and it seems to be used widely. However, our platform data reflects Terraform as an overwhelmingly popular language, with high engagement. Do you have any insights to share on why it is gaining such traction?
A: Terraform is the de facto language for IaC as it allows us to deploy infrastructure resources in multi-cloud environments (e.g. AWS, GCP, Azure) using a simple syntax. It allows you to define your infrastructure using code and it transparently interacts with cloud APIs to manage the deployment of the resources.
This language is incredibly versatile, and as it can be added to source control repositories, DevOps / DevSecOps principles can also be applied to the infrastructure deployment. However, this will also introduce new threats that must be addressed, so comprehensive training in secure coding with Terraform is a must.
Q:Youre an IaC security expert. What is the best part of your job?
A: IaC is still in its early days so there are a lot of new things being released frequently. It is a bit challenging to keep up to date with these new technologies, but it is rewarding at the same time. I really like to learn new things and test security best practices for new services.
Take your IaC security to the next level.
If you want your cloud developers to hone their security skills around Infrastructure as Code, challenge yourself with our IaC Top 8! Read each chapter for the full run-down of eight common IaC security bugs, including interactive challenges to test their new knowledge.
Let us know your score, and make Oscar proud!
One of the best things about working in a tech startup is all the interesting, clever people you get to meet and collaborate with along the way. Growing a company from a cool idea into a serious market contender requires the assembly of your very own team of Avengers (or, Justice League, depending on your allegiance).
With that in mind, we'd like to shine the spotlight on one of our experts, Oscar Quintas. He's part of our Product Content team, working as a Senior Security Researcher. He's also our resident sorcerer on all things Infrastructure as Code (IaC). He is the force behind our 178 (and counting!) IaC platform challenges, and our go-to for all the burning questions we have regarding this fresh, piping hot topic.
We think he's pretty special, so we'd like you to get to know him a little better. Here he will share his insights on the piping hot topic of Infrastructure as Code security, his role, and what organizations can do to better prepare their cloud infrastructure and engineers:
Q:Tell us about your role at Secure Code Warrior. What does a typical day look like for you?
A: I am part of the Product Content team working as a Senior Security Researcher. A typical day involves reviewing challenges code in different languages (Python, Java, Golang, and many others!) to ensure that code quality standards are met, and security best practices are implemented. I also develop new IaC content.
Q: You have been the genius behind all of our Infrastructure as Code platform challenges. What is your process?
A: I would say it is a combination of research, and working hard to deliver content that provides high relevance and engagement to multiple skill levels. I usually start by looking at the most common problems users are facing when deploying infrastructure, and with that information, I develop useful challenges to show the security best practices for each case.
I always try to offer a good learning experience for our warriors, and ensure it is a job-relevant and useful exercise with an ongoing benefit.
Q: IaC security is a really popular topic at the moment. What are the main issues facing companies in terms of their cloud security practices?
A: Infrastructure as Code is all about managing your infrastructure resources using code. With just a few lines of that code, you can deploy hundreds of cloud resources (network, firewall rules, virtual machines, containers, etc.) that can contain security bugs if not properly configured. So, the same principles applied for secure application deployment can apply to IaC, and these risks -- and their fixes -- must be understood by every team involved in the SDLC.
This awareness and action begins with proper training in IaC security, and prioritizing the secure coding skills of your cloud engineers. They can be a powerful layer of defense, and this is especially important when they are building the infrastructure that hosts applications.
Q: There is a lot of industry interest around Kubernetes, and it seems to be used widely. However, our platform data reflects Terraform as an overwhelmingly popular language, with high engagement. Do you have any insights to share on why it is gaining such traction?
A: Terraform is the de facto language for IaC as it allows us to deploy infrastructure resources in multi-cloud environments (e.g. AWS, GCP, Azure) using a simple syntax. It allows you to define your infrastructure using code and it transparently interacts with cloud APIs to manage the deployment of the resources.
This language is incredibly versatile, and as it can be added to source control repositories, DevOps / DevSecOps principles can also be applied to the infrastructure deployment. However, this will also introduce new threats that must be addressed, so comprehensive training in secure coding with Terraform is a must.
Q:Youre an IaC security expert. What is the best part of your job?
A: IaC is still in its early days so there are a lot of new things being released frequently. It is a bit challenging to keep up to date with these new technologies, but it is rewarding at the same time. I really like to learn new things and test security best practices for new services.
Take your IaC security to the next level.
If you want your cloud developers to hone their security skills around Infrastructure as Code, challenge yourself with our IaC Top 8! Read each chapter for the full run-down of eight common IaC security bugs, including interactive challenges to test their new knowledge.
Let us know your score, and make Oscar proud!
Click on the link below and download the PDF of this resource.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
View reportBook a demoMatias Madou, Ph.D. is a security expert, researcher, and CTO and co-founder of Secure Code Warrior. Matias obtained his Ph.D. in Application Security from Ghent University, focusing on static analysis solutions. He later joined Fortify in the US, where he realized that it was insufficient to solely detect code problems without aiding developers in writing secure code. This inspired him to develop products that assist developers, alleviate the burden of security, and exceed customers' expectations. When he is not at his desk as part of Team Awesome, he enjoys being on stage presenting at conferences including RSA Conference, BlackHat and DefCon.
Matias is a researcher and developer with more than 15 years of hands-on software security experience. He has developed solutions for companies such as Fortify Software and his own company Sensei Security. Over his career, Matias has led multiple application security research projects which have led to commercial products and boasts over 10 patents under his belt. When he is away from his desk, Matias has served as an instructor for advanced application security training courses and regularly speaks at global conferences including RSA Conference, Black Hat, DefCon, BSIMM, OWASP AppSec and BruCon.
Matias holds a Ph.D. in Computer Engineering from Ghent University, where he studied application security through program obfuscation to hide the inner workings of an application.
One of the best things about working in a tech startup is all the interesting, clever people you get to meet and collaborate with along the way. Growing a company from a cool idea into a serious market contender requires the assembly of your very own team of Avengers (or, Justice League, depending on your allegiance).
With that in mind, we'd like to shine the spotlight on one of our experts, Oscar Quintas. He's part of our Product Content team, working as a Senior Security Researcher. He's also our resident sorcerer on all things Infrastructure as Code (IaC). He is the force behind our 178 (and counting!) IaC platform challenges, and our go-to for all the burning questions we have regarding this fresh, piping hot topic.
We think he's pretty special, so we'd like you to get to know him a little better. Here he will share his insights on the piping hot topic of Infrastructure as Code security, his role, and what organizations can do to better prepare their cloud infrastructure and engineers:
Q:Tell us about your role at Secure Code Warrior. What does a typical day look like for you?
A: I am part of the Product Content team working as a Senior Security Researcher. A typical day involves reviewing challenges code in different languages (Python, Java, Golang, and many others!) to ensure that code quality standards are met, and security best practices are implemented. I also develop new IaC content.
Q: You have been the genius behind all of our Infrastructure as Code platform challenges. What is your process?
A: I would say it is a combination of research, and working hard to deliver content that provides high relevance and engagement to multiple skill levels. I usually start by looking at the most common problems users are facing when deploying infrastructure, and with that information, I develop useful challenges to show the security best practices for each case.
I always try to offer a good learning experience for our warriors, and ensure it is a job-relevant and useful exercise with an ongoing benefit.
Q: IaC security is a really popular topic at the moment. What are the main issues facing companies in terms of their cloud security practices?
A: Infrastructure as Code is all about managing your infrastructure resources using code. With just a few lines of that code, you can deploy hundreds of cloud resources (network, firewall rules, virtual machines, containers, etc.) that can contain security bugs if not properly configured. So, the same principles applied for secure application deployment can apply to IaC, and these risks -- and their fixes -- must be understood by every team involved in the SDLC.
This awareness and action begins with proper training in IaC security, and prioritizing the secure coding skills of your cloud engineers. They can be a powerful layer of defense, and this is especially important when they are building the infrastructure that hosts applications.
Q: There is a lot of industry interest around Kubernetes, and it seems to be used widely. However, our platform data reflects Terraform as an overwhelmingly popular language, with high engagement. Do you have any insights to share on why it is gaining such traction?
A: Terraform is the de facto language for IaC as it allows us to deploy infrastructure resources in multi-cloud environments (e.g. AWS, GCP, Azure) using a simple syntax. It allows you to define your infrastructure using code and it transparently interacts with cloud APIs to manage the deployment of the resources.
This language is incredibly versatile, and as it can be added to source control repositories, DevOps / DevSecOps principles can also be applied to the infrastructure deployment. However, this will also introduce new threats that must be addressed, so comprehensive training in secure coding with Terraform is a must.
Q:Youre an IaC security expert. What is the best part of your job?
A: IaC is still in its early days so there are a lot of new things being released frequently. It is a bit challenging to keep up to date with these new technologies, but it is rewarding at the same time. I really like to learn new things and test security best practices for new services.
Take your IaC security to the next level.
If you want your cloud developers to hone their security skills around Infrastructure as Code, challenge yourself with our IaC Top 8! Read each chapter for the full run-down of eight common IaC security bugs, including interactive challenges to test their new knowledge.
Let us know your score, and make Oscar proud!
Table of contents
Matias Madou, Ph.D. is a security expert, researcher, and CTO and co-founder of Secure Code Warrior. Matias obtained his Ph.D. in Application Security from Ghent University, focusing on static analysis solutions. He later joined Fortify in the US, where he realized that it was insufficient to solely detect code problems without aiding developers in writing secure code. This inspired him to develop products that assist developers, alleviate the burden of security, and exceed customers' expectations. When he is not at his desk as part of Team Awesome, he enjoys being on stage presenting at conferences including RSA Conference, BlackHat and DefCon.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demoDownloadResources to get you started
Benchmarking Security Skills: Streamlining Secure-by-Design in the Enterprise
The Secure-by-Design movement is the future of secure software development. Learn about the key elements companies need to keep in mind when they think about a Secure-by-Design initiative.
DigitalOcean Decreases Security Debt with Secure Code Warrior
DigitalOcean's use of Secure Code Warrior training has significantly reduced security debt, allowing teams to focus more on innovation and productivity. The improved security has strengthened their product quality and competitive edge. Looking ahead, the SCW Trust Score will help them further enhance security practices and continue driving innovation.
Resources to get you started
Trust Score Reveals the Value of Secure-by-Design Upskilling Initiatives
Our research has shown that secure code training works. Trust Score, using an algorithm drawing on more than 20 million learning data points from work by more than 250,000 learners at over 600 organizations, reveals its effectiveness in driving down vulnerabilities and how to make the initiative even more effective.
Reactive Versus Preventive Security: Prevention Is a Better Cure
The idea of bringing preventive security to legacy code and systems at the same time as newer applications can seem daunting, but a Secure-by-Design approach, enforced by upskilling developers, can apply security best practices to those systems. It’s the best chance many organizations have of improving their security postures.
The Benefits of Benchmarking Security Skills for Developers
The growing focus on secure code and Secure-by-Design principles requires developers to be trained in cybersecurity from the start of the SDLC, with tools like Secure Code Warrior’s Trust Score helping measure and improve their progress.
Driving Meaningful Success for Enterprise Secure-by-Design Initiatives
Our latest research paper, Benchmarking Security Skills: Streamlining Secure-by-Design in the Enterprise is the result of deep analysis of real Secure-by-Design initiatives at the enterprise level, and deriving best practice approaches based on data-driven findings.