Secure your code, from the start.

Expert Interview: Infrastructure as Code with Oscar Quintas

10th September 2020

One of the best things about working in a tech startup is all the interesting, clever people you get to meet and collaborate with along the way. Growing a company from a cool idea into a serious market contender requires the assembly of your very own team of Avengers (or, Justice League, depending on your allegiance).

With that in mind, we’d like to shine the spotlight on one of our experts, Oscar Quintas. He’s part of our Product Content team, working as a Senior Security Researcher. He’s also our resident sorcerer on all things Infrastructure as Code (IaC). He is the force behind our 178 (and counting!) IaC platform challenges, and our go-to for all the burning questions we have regarding this fresh, piping hot topic.

Oscar Quintas

We think he’s pretty special, so we’d like you to get to know him a little better. Here he will share his insights on the piping hot topic of Infrastructure as Code security, his role, and what organizations can do to better prepare their cloud infrastructure and engineers:

Q:Tell us about your role at Secure Code Warrior. What does a typical day look like for you?

A: I am part of the Product Content team working as a Senior Security Researcher. A typical day involves reviewing challenges code in different languages (Python, Java, Golang, and many others!) to ensure that code quality standards are met, and security best practices are implemented. I also develop new IaC content.

Q: You have been the genius behind all of our Infrastructure as Code platform challenges. What is your process?

A: I would say it is a combination of research, and working hard to deliver content that provides high relevance and engagement to multiple skill levels. I usually start by looking at the most common problems users are facing when deploying infrastructure, and with that information, I develop useful challenges to show the security best practices for each case.

I always try to offer a good learning experience for our warriors, and ensure it is a job-relevant and useful exercise with an ongoing benefit.

Q: IaC security is a really popular topic at the moment. What are the main issues facing companies in terms of their cloud security practices?
A: Infrastructure as Code is all about managing your infrastructure resources using code. With just a few lines of that code, you can deploy hundreds of cloud resources (network, firewall rules, virtual machines, containers, etc.) that can contain security bugs if not properly configured. So, the same principles applied for secure application deployment can apply to IaC, and these risks -- and their fixes -- must be understood by every team involved in the SDLC.

This awareness and action begins with proper training in IaC security, and prioritizing the secure coding skills of your cloud engineers. They can be a powerful layer of defense, and this is especially important when they are building the infrastructure that hosts applications.

Q: There is a lot of industry interest around Kubernetes, and it seems to be used widely. However, our platform data reflects Terraform as an overwhelmingly popular language, with high engagement. Do you have any insights to share on why it is gaining such traction?
A: Terraform is the de facto language for IaC as it allows us to deploy infrastructure resources in multi-cloud environments (e.g. AWS, GCP, Azure) using a simple syntax. It allows you to define your infrastructure using code and it transparently interacts with cloud APIs to manage the deployment of the resources.

This language is incredibly versatile, and as it can be added to source control repositories, DevOps / DevSecOps principles can also be applied to the infrastructure deployment. However, this will also introduce new threats that must be addressed, so comprehensive training in secure coding with Terraform is a must.

Q:You're an IaC security expert. What is the best part of your job?
A: IaC is still in its early days so there are a lot of new things being released frequently. It is a bit challenging to keep up to date with these new technologies, but it is rewarding at the same time. I really like to learn new things and test security best practices for new services.

Take your IaC security to the next level.

If you want your cloud developers to hone their security skills around Infrastructure as Code, challenge yourself with our IaC Top 8! Read each chapter for the full run-down of eight common IaC security bugs, including interactive challenges to test their new knowledge.

Let us know your score, and make Oscar proud!

Matias is the co-founder and CTO of Secure Code Warrior. He has over a decade of hands-on software security experience, holding a Ph.D. in computer engineering from Ghent University.

View Comments