専門家インタビュー:Oscar Quintasによるコードとしてのインフラストラクチャ
One of the best things about working in a tech startup is all the interesting, clever people you get to meet and collaborate with along the way. Growing a company from a cool idea into a serious market contender requires the assembly of your very own team of Avengers (or, Justice League, depending on your allegiance).
With that in mind, we'd like to shine the spotlight on one of our experts, Oscar Quintas. He's part of our Product Content team, working as a Senior Security Researcher. He's also our resident sorcerer on all things Infrastructure as Code (IaC). He is the force behind our 178 (and counting!) IaC platform challenges, and our go-to for all the burning questions we have regarding this fresh, piping hot topic.
We think he's pretty special, so we'd like you to get to know him a little better. Here he will share his insights on the piping hot topic of Infrastructure as Code security, his role, and what organizations can do to better prepare their cloud infrastructure and engineers:
Q:Tell us about your role at Secure Code Warrior. What does a typical day look like for you?
A: I am part of the Product Content team working as a Senior Security Researcher. A typical day involves reviewing challenges code in different languages (Python, Java, Golang, and many others!) to ensure that code quality standards are met, and security best practices are implemented. I also develop new IaC content.
Q: You have been the genius behind all of our Infrastructure as Code platform challenges. What is your process?
A: I would say it is a combination of research, and working hard to deliver content that provides high relevance and engagement to multiple skill levels. I usually start by looking at the most common problems users are facing when deploying infrastructure, and with that information, I develop useful challenges to show the security best practices for each case.
I always try to offer a good learning experience for our warriors, and ensure it is a job-relevant and useful exercise with an ongoing benefit.
Q: IaC security is a really popular topic at the moment. What are the main issues facing companies in terms of their cloud security practices?
A: Infrastructure as Code is all about managing your infrastructure resources using code. With just a few lines of that code, you can deploy hundreds of cloud resources (network, firewall rules, virtual machines, containers, etc.) that can contain security bugs if not properly configured. So, the same principles applied for secure application deployment can apply to IaC, and these risks -- and their fixes -- must be understood by every team involved in the SDLC.
This awareness and action begins with proper training in IaC security, and prioritizing the secure coding skills of your cloud engineers. They can be a powerful layer of defense, and this is especially important when they are building the infrastructure that hosts applications.
Q: There is a lot of industry interest around Kubernetes, and it seems to be used widely. However, our platform data reflects Terraform as an overwhelmingly popular language, with high engagement. Do you have any insights to share on why it is gaining such traction?
A: Terraform is the de facto language for IaC as it allows us to deploy infrastructure resources in multi-cloud environments (e.g. AWS, GCP, Azure) using a simple syntax. It allows you to define your infrastructure using code and it transparently interacts with cloud APIs to manage the deployment of the resources.
This language is incredibly versatile, and as it can be added to source control repositories, DevOps / DevSecOps principles can also be applied to the infrastructure deployment. However, this will also introduce new threats that must be addressed, so comprehensive training in secure coding with Terraform is a must.
Q:Youre an IaC security expert. What is the best part of your job?
A: IaC is still in its early days so there are a lot of new things being released frequently. It is a bit challenging to keep up to date with these new technologies, but it is rewarding at the same time. I really like to learn new things and test security best practices for new services.
Take your IaC security to the next level.
If you want your cloud developers to hone their security skills around Infrastructure as Code, challenge yourself with our IaC Top 8! Read each chapter for the full run-down of eight common IaC security bugs, including interactive challenges to test their new knowledge.
Let us know your score, and make Oscar proud!
私たちの専門家の一人、オスカー・キンタスにスポットライトを当てたいと思います。彼は当社のプロダクトコンテンツチームの一員で、シニアセキュリティリサーチャーとして働いています。また、コードとしてのインフラストラクチャ (IaC) のすべてに関する、当社の常駐ソーサラーでもあります。
マティアス・マドゥ博士は、セキュリティ専門家、研究者、CTO、セキュア・コード・ウォリアーの共同創設者です。Matias はゲント大学で静的分析ソリューションを中心にアプリケーションセキュリティの博士号を取得しました。その後、米国のFortifyに入社し、開発者が安全なコードを書くのを手伝わずに、コードの問題を検出するだけでは不十分であることに気づきました。これがきっかけで、開発者を支援し、セキュリティの負担を軽減し、顧客の期待を超える製品を開発するようになりました。Team Awesome の一員としてデスクにいないときは、RSA カンファレンス、BlackHat、DefCon などのカンファレンスでプレゼンテーションを行うステージでのプレゼンテーションを楽しんでいます。
Secure Code Warriorは、ソフトウェア開発ライフサイクル全体にわたってコードを保護し、サイバーセキュリティを最優先とする文化を築くお手伝いをします。アプリケーションセキュリティマネージャ、開発者、CISO、またはセキュリティ関係者のいずれであっても、安全でないコードに関連するリスクを軽減するお手伝いをします。
デモを予約
マティアス・マドゥ博士は、セキュリティ専門家、研究者、CTO、セキュア・コード・ウォリアーの共同創設者です。Matias はゲント大学で静的分析ソリューションを中心にアプリケーションセキュリティの博士号を取得しました。その後、米国のFortifyに入社し、開発者が安全なコードを書くのを手伝わずに、コードの問題を検出するだけでは不十分であることに気づきました。これがきっかけで、開発者を支援し、セキュリティの負担を軽減し、顧客の期待を超える製品を開発するようになりました。Team Awesome の一員としてデスクにいないときは、RSA カンファレンス、BlackHat、DefCon などのカンファレンスでプレゼンテーションを行うステージでのプレゼンテーションを楽しんでいます。
Matiasは、15年以上のソフトウェアセキュリティの実務経験を持つ研究者および開発者です。フォーティファイ・ソフトウェアや自身の会社であるセンセイ・セキュリティなどの企業向けにソリューションを開発してきました。マティアスはキャリアを通じて、複数のアプリケーションセキュリティ研究プロジェクトを主導し、それが商用製品につながり、10件以上の特許を取得しています。デスクから離れているときには、マティアスは上級アプリケーション・セキュリティ・トレーニング・コースの講師を務め、RSA Conference、Black Hat、DefCon、BSIMM、OWASP AppSec、BruConなどのグローバルカンファレンスで定期的に講演を行っています。
マティアスはゲント大学でコンピューター工学の博士号を取得し、そこでアプリケーションの内部動作を隠すためのプログラムの難読化によるアプリケーションセキュリティを学びました。
One of the best things about working in a tech startup is all the interesting, clever people you get to meet and collaborate with along the way. Growing a company from a cool idea into a serious market contender requires the assembly of your very own team of Avengers (or, Justice League, depending on your allegiance).
With that in mind, we'd like to shine the spotlight on one of our experts, Oscar Quintas. He's part of our Product Content team, working as a Senior Security Researcher. He's also our resident sorcerer on all things Infrastructure as Code (IaC). He is the force behind our 178 (and counting!) IaC platform challenges, and our go-to for all the burning questions we have regarding this fresh, piping hot topic.
We think he's pretty special, so we'd like you to get to know him a little better. Here he will share his insights on the piping hot topic of Infrastructure as Code security, his role, and what organizations can do to better prepare their cloud infrastructure and engineers:
Q:Tell us about your role at Secure Code Warrior. What does a typical day look like for you?
A: I am part of the Product Content team working as a Senior Security Researcher. A typical day involves reviewing challenges code in different languages (Python, Java, Golang, and many others!) to ensure that code quality standards are met, and security best practices are implemented. I also develop new IaC content.
Q: You have been the genius behind all of our Infrastructure as Code platform challenges. What is your process?
A: I would say it is a combination of research, and working hard to deliver content that provides high relevance and engagement to multiple skill levels. I usually start by looking at the most common problems users are facing when deploying infrastructure, and with that information, I develop useful challenges to show the security best practices for each case.
I always try to offer a good learning experience for our warriors, and ensure it is a job-relevant and useful exercise with an ongoing benefit.
Q: IaC security is a really popular topic at the moment. What are the main issues facing companies in terms of their cloud security practices?
A: Infrastructure as Code is all about managing your infrastructure resources using code. With just a few lines of that code, you can deploy hundreds of cloud resources (network, firewall rules, virtual machines, containers, etc.) that can contain security bugs if not properly configured. So, the same principles applied for secure application deployment can apply to IaC, and these risks -- and their fixes -- must be understood by every team involved in the SDLC.
This awareness and action begins with proper training in IaC security, and prioritizing the secure coding skills of your cloud engineers. They can be a powerful layer of defense, and this is especially important when they are building the infrastructure that hosts applications.
Q: There is a lot of industry interest around Kubernetes, and it seems to be used widely. However, our platform data reflects Terraform as an overwhelmingly popular language, with high engagement. Do you have any insights to share on why it is gaining such traction?
A: Terraform is the de facto language for IaC as it allows us to deploy infrastructure resources in multi-cloud environments (e.g. AWS, GCP, Azure) using a simple syntax. It allows you to define your infrastructure using code and it transparently interacts with cloud APIs to manage the deployment of the resources.
This language is incredibly versatile, and as it can be added to source control repositories, DevOps / DevSecOps principles can also be applied to the infrastructure deployment. However, this will also introduce new threats that must be addressed, so comprehensive training in secure coding with Terraform is a must.
Q:Youre an IaC security expert. What is the best part of your job?
A: IaC is still in its early days so there are a lot of new things being released frequently. It is a bit challenging to keep up to date with these new technologies, but it is rewarding at the same time. I really like to learn new things and test security best practices for new services.
Take your IaC security to the next level.
If you want your cloud developers to hone their security skills around Infrastructure as Code, challenge yourself with our IaC Top 8! Read each chapter for the full run-down of eight common IaC security bugs, including interactive challenges to test their new knowledge.
Let us know your score, and make Oscar proud!
One of the best things about working in a tech startup is all the interesting, clever people you get to meet and collaborate with along the way. Growing a company from a cool idea into a serious market contender requires the assembly of your very own team of Avengers (or, Justice League, depending on your allegiance).
With that in mind, we'd like to shine the spotlight on one of our experts, Oscar Quintas. He's part of our Product Content team, working as a Senior Security Researcher. He's also our resident sorcerer on all things Infrastructure as Code (IaC). He is the force behind our 178 (and counting!) IaC platform challenges, and our go-to for all the burning questions we have regarding this fresh, piping hot topic.
We think he's pretty special, so we'd like you to get to know him a little better. Here he will share his insights on the piping hot topic of Infrastructure as Code security, his role, and what organizations can do to better prepare their cloud infrastructure and engineers:
Q:Tell us about your role at Secure Code Warrior. What does a typical day look like for you?
A: I am part of the Product Content team working as a Senior Security Researcher. A typical day involves reviewing challenges code in different languages (Python, Java, Golang, and many others!) to ensure that code quality standards are met, and security best practices are implemented. I also develop new IaC content.
Q: You have been the genius behind all of our Infrastructure as Code platform challenges. What is your process?
A: I would say it is a combination of research, and working hard to deliver content that provides high relevance and engagement to multiple skill levels. I usually start by looking at the most common problems users are facing when deploying infrastructure, and with that information, I develop useful challenges to show the security best practices for each case.
I always try to offer a good learning experience for our warriors, and ensure it is a job-relevant and useful exercise with an ongoing benefit.
Q: IaC security is a really popular topic at the moment. What are the main issues facing companies in terms of their cloud security practices?
A: Infrastructure as Code is all about managing your infrastructure resources using code. With just a few lines of that code, you can deploy hundreds of cloud resources (network, firewall rules, virtual machines, containers, etc.) that can contain security bugs if not properly configured. So, the same principles applied for secure application deployment can apply to IaC, and these risks -- and their fixes -- must be understood by every team involved in the SDLC.
This awareness and action begins with proper training in IaC security, and prioritizing the secure coding skills of your cloud engineers. They can be a powerful layer of defense, and this is especially important when they are building the infrastructure that hosts applications.
Q: There is a lot of industry interest around Kubernetes, and it seems to be used widely. However, our platform data reflects Terraform as an overwhelmingly popular language, with high engagement. Do you have any insights to share on why it is gaining such traction?
A: Terraform is the de facto language for IaC as it allows us to deploy infrastructure resources in multi-cloud environments (e.g. AWS, GCP, Azure) using a simple syntax. It allows you to define your infrastructure using code and it transparently interacts with cloud APIs to manage the deployment of the resources.
This language is incredibly versatile, and as it can be added to source control repositories, DevOps / DevSecOps principles can also be applied to the infrastructure deployment. However, this will also introduce new threats that must be addressed, so comprehensive training in secure coding with Terraform is a must.
Q:Youre an IaC security expert. What is the best part of your job?
A: IaC is still in its early days so there are a lot of new things being released frequently. It is a bit challenging to keep up to date with these new technologies, but it is rewarding at the same time. I really like to learn new things and test security best practices for new services.
Take your IaC security to the next level.
If you want your cloud developers to hone their security skills around Infrastructure as Code, challenge yourself with our IaC Top 8! Read each chapter for the full run-down of eight common IaC security bugs, including interactive challenges to test their new knowledge.
Let us know your score, and make Oscar proud!
以下のリンクをクリックして、このリソースのPDFをダウンロードしてください。
Secure Code Warriorは、ソフトウェア開発ライフサイクル全体にわたってコードを保護し、サイバーセキュリティを最優先とする文化を築くお手伝いをします。アプリケーションセキュリティマネージャ、開発者、CISO、またはセキュリティ関係者のいずれであっても、安全でないコードに関連するリスクを軽減するお手伝いをします。
レポートを表示デモを予約
マティアス・マドゥ博士は、セキュリティ専門家、研究者、CTO、セキュア・コード・ウォリアーの共同創設者です。Matias はゲント大学で静的分析ソリューションを中心にアプリケーションセキュリティの博士号を取得しました。その後、米国のFortifyに入社し、開発者が安全なコードを書くのを手伝わずに、コードの問題を検出するだけでは不十分であることに気づきました。これがきっかけで、開発者を支援し、セキュリティの負担を軽減し、顧客の期待を超える製品を開発するようになりました。Team Awesome の一員としてデスクにいないときは、RSA カンファレンス、BlackHat、DefCon などのカンファレンスでプレゼンテーションを行うステージでのプレゼンテーションを楽しんでいます。
Matiasは、15年以上のソフトウェアセキュリティの実務経験を持つ研究者および開発者です。フォーティファイ・ソフトウェアや自身の会社であるセンセイ・セキュリティなどの企業向けにソリューションを開発してきました。マティアスはキャリアを通じて、複数のアプリケーションセキュリティ研究プロジェクトを主導し、それが商用製品につながり、10件以上の特許を取得しています。デスクから離れているときには、マティアスは上級アプリケーション・セキュリティ・トレーニング・コースの講師を務め、RSA Conference、Black Hat、DefCon、BSIMM、OWASP AppSec、BruConなどのグローバルカンファレンスで定期的に講演を行っています。
マティアスはゲント大学でコンピューター工学の博士号を取得し、そこでアプリケーションの内部動作を隠すためのプログラムの難読化によるアプリケーションセキュリティを学びました。
One of the best things about working in a tech startup is all the interesting, clever people you get to meet and collaborate with along the way. Growing a company from a cool idea into a serious market contender requires the assembly of your very own team of Avengers (or, Justice League, depending on your allegiance).
With that in mind, we'd like to shine the spotlight on one of our experts, Oscar Quintas. He's part of our Product Content team, working as a Senior Security Researcher. He's also our resident sorcerer on all things Infrastructure as Code (IaC). He is the force behind our 178 (and counting!) IaC platform challenges, and our go-to for all the burning questions we have regarding this fresh, piping hot topic.
We think he's pretty special, so we'd like you to get to know him a little better. Here he will share his insights on the piping hot topic of Infrastructure as Code security, his role, and what organizations can do to better prepare their cloud infrastructure and engineers:
Q:Tell us about your role at Secure Code Warrior. What does a typical day look like for you?
A: I am part of the Product Content team working as a Senior Security Researcher. A typical day involves reviewing challenges code in different languages (Python, Java, Golang, and many others!) to ensure that code quality standards are met, and security best practices are implemented. I also develop new IaC content.
Q: You have been the genius behind all of our Infrastructure as Code platform challenges. What is your process?
A: I would say it is a combination of research, and working hard to deliver content that provides high relevance and engagement to multiple skill levels. I usually start by looking at the most common problems users are facing when deploying infrastructure, and with that information, I develop useful challenges to show the security best practices for each case.
I always try to offer a good learning experience for our warriors, and ensure it is a job-relevant and useful exercise with an ongoing benefit.
Q: IaC security is a really popular topic at the moment. What are the main issues facing companies in terms of their cloud security practices?
A: Infrastructure as Code is all about managing your infrastructure resources using code. With just a few lines of that code, you can deploy hundreds of cloud resources (network, firewall rules, virtual machines, containers, etc.) that can contain security bugs if not properly configured. So, the same principles applied for secure application deployment can apply to IaC, and these risks -- and their fixes -- must be understood by every team involved in the SDLC.
This awareness and action begins with proper training in IaC security, and prioritizing the secure coding skills of your cloud engineers. They can be a powerful layer of defense, and this is especially important when they are building the infrastructure that hosts applications.
Q: There is a lot of industry interest around Kubernetes, and it seems to be used widely. However, our platform data reflects Terraform as an overwhelmingly popular language, with high engagement. Do you have any insights to share on why it is gaining such traction?
A: Terraform is the de facto language for IaC as it allows us to deploy infrastructure resources in multi-cloud environments (e.g. AWS, GCP, Azure) using a simple syntax. It allows you to define your infrastructure using code and it transparently interacts with cloud APIs to manage the deployment of the resources.
This language is incredibly versatile, and as it can be added to source control repositories, DevOps / DevSecOps principles can also be applied to the infrastructure deployment. However, this will also introduce new threats that must be addressed, so comprehensive training in secure coding with Terraform is a must.
Q:Youre an IaC security expert. What is the best part of your job?
A: IaC is still in its early days so there are a lot of new things being released frequently. It is a bit challenging to keep up to date with these new technologies, but it is rewarding at the same time. I really like to learn new things and test security best practices for new services.
Take your IaC security to the next level.
If you want your cloud developers to hone their security skills around Infrastructure as Code, challenge yourself with our IaC Top 8! Read each chapter for the full run-down of eight common IaC security bugs, including interactive challenges to test their new knowledge.
Let us know your score, and make Oscar proud!
目次
マティアス・マドゥ博士は、セキュリティ専門家、研究者、CTO、セキュア・コード・ウォリアーの共同創設者です。Matias はゲント大学で静的分析ソリューションを中心にアプリケーションセキュリティの博士号を取得しました。その後、米国のFortifyに入社し、開発者が安全なコードを書くのを手伝わずに、コードの問題を検出するだけでは不十分であることに気づきました。これがきっかけで、開発者を支援し、セキュリティの負担を軽減し、顧客の期待を超える製品を開発するようになりました。Team Awesome の一員としてデスクにいないときは、RSA カンファレンス、BlackHat、DefCon などのカンファレンスでプレゼンテーションを行うステージでのプレゼンテーションを楽しんでいます。
Secure Code Warriorは、ソフトウェア開発ライフサイクル全体にわたってコードを保護し、サイバーセキュリティを最優先とする文化を築くお手伝いをします。アプリケーションセキュリティマネージャ、開発者、CISO、またはセキュリティ関係者のいずれであっても、安全でないコードに関連するリスクを軽減するお手伝いをします。
デモを予約[ダウンロード]始めるためのリソース
%20(1).avif)
.avif)
Threat Modeling with AI: Turning Every Developer into a Threat Modeler
Walk away better equipped to help developers combine threat modeling ideas and techniques with the AI tools they're already using to strengthen security, improve collaboration, and build more resilient software from the start.
