cfn-nag

TL;DR

In August 2023, I had the great privilege of attending SANS SEC 540 Cloud Security Automation with Ahmed Abu Gharbia.

Before the course, I had all the pieces of a cloud-oriented CI/CD pipeline in my mind. I just needed a guide to help me put them all together. This course and Ahmed helped me put them together so well that, for the first time ever, I participated in the SANS extra-credit CloudWars and won a coin!

This was a huge accomplishment for me. After three certifications and not even coming close to getting coins, I thought perhaps I was just one of those folks who does better after the fact. What I discovered was that because I started with greater context for the course, I became capable more quickly. It was a joy to finally feel confident plumbing and navigating cloud CI/CD pipelines, and I look forward to putting the knowledge to work!

As part of getting the coin during CloudWars, I wandered into a territory I never had before: the "instructor needs to check because this is really on your own stuff" problems.

Despite my nerves at facing the daunting task of learning a code base, learning the rule syntax, and learning how to troubleshoot the whole thing, I tried. And I succeeded.

The skills I have developed to write code to secure organizations set me up for success when facing an entirely new language. Through modeling after existing objects, Googling a lot of Ruby syntax, and iterating over and over, I crafted not only the rule to detect the misconfigured API gateway stage, but also a utility custom rule that allows traversal into Terraform subproperties to check values, extending the usefulness of the tool overall.

Unfortunately, this project is no longer maintained. Despite that, the contribution was a worthy effort in teaching myself lots of new things, and it stands as a testament to the skills I can earn through time, patience, and poking stuff to see what happens :)