Lautaro Orellano
DevSecOps Engineer
Application security operations, CI/CD pipeline hardening, and cloud security posture management. I work with GitHub Advanced Security, Terraform, and cloud-native tooling across Azure and GCP environments. Pragmatic approach: embed security controls where they provide real risk reduction, not checkbox compliance.
Technical Areas
Application Security & GHAS Operations
I operate GitHub Advanced Security across multi-repository organizations, from initial enablement to ongoing operations. This includes configuring CodeQL analysis with default and extended query suites, setting up code-scanning workflows that run on pull requests and pushes to protected branches, and triaging alerts based on severity, data-flow reachability, and actual exploitability in the application context.
Secret scanning with push protection is non-negotiable in my setups — I configure custom patterns for organization-specific secrets (internal API keys, connection strings, service tokens) and ensure push protection blocks commits containing high-confidence credential matches before they reach the remote.
For dependency management, I run Dependabot with security updates enabled, grouped PRs to reduce noise, and auto-merge policies for patch-level updates that pass CI.
At the organizational level, I configure security policies, enforce required code-scanning checks on default branches, and use the Security Overview API to build dashboards that track open alert counts, remediation velocity, and mean time to fix across repositories.
Secure CI/CD & Supply Chain
Pipeline security starts at the workflow definition. I enforce a permissions: block at the job level following least privilege — most workflows only need contents: read, and any elevated permission (writing packages, creating deployments, pushing to registries) is explicitly scoped. Third-party actions are pinned by full commit SHA, not by tag, to prevent tag-mutation attacks in the supply chain.
For cloud deployments, I configure OIDC federation between GitHub Actions and cloud providers (Azure, GCP) to eliminate stored credentials entirely — no service account keys, no client secrets in repository secrets. The workflow authenticates with a short-lived token issued by the cloud provider's identity federation, scoped to the specific workload identity.
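The two preceding paragraphs describe a concrete workflow shape; the following is an added example (written for this page, not a workflow from the author's repositories) of a deploy pipeline that applies those controls. Every uses: reference is pinned to a placeholder SHA, the workload identity pool, service account, script paths and Azure variable names are assumptions, and the GCP and Azure deploy jobs are kept side by side only to show both providers.

```yaml
# Added example, not from the original page. Replace each <full-40-hex-sha>
# with the commit SHA of the action release you audited; the tag it maps to
# stays in a comment so reviewers (and Dependabot) can still read it.
name: deploy

on:
  push:
    branches: [main]

# Workflow-level default: no permissions at all. Each job opts in below.
permissions: {}

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read                   # checkout is all this job does with the repo
    steps:
      - uses: actions/checkout@<full-40-hex-sha>   # tag: v4
      - run: ./scripts/build.sh        # hypothetical build script

  deploy-gcp:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write                  # lets the job request a GitHub OIDC token; no other write scope
    steps:
      - uses: actions/checkout@<full-40-hex-sha>   # tag: v4
      # Exchanges the job's OIDC token for short-lived GCP credentials through
      # Workload Identity Federation. No service-account key exists anywhere.
      - uses: google-github-actions/auth@<full-40-hex-sha>   # tag: v2
        with:
          # Placeholder resource names; take them from the pool you created.
          workload_identity_provider: projects/<PROJECT_NUMBER>/locations/global/workloadIdentityPools/<POOL>/providers/<PROVIDER>
          service_account: deploy@<PROJECT_ID>.iam.gserviceaccount.com
      - run: ./scripts/deploy-gcp.sh   # hypothetical; picks up the ambient credentials

  deploy-azure:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@<full-40-hex-sha>   # tag: v4
      # Same pattern against Entra ID: the app registration carries a federated
      # credential whose subject names this repository and branch, and no client secret.
      - uses: azure/login@<full-40-hex-sha>         # tag: v2
        with:
          client-id: ${{ vars.AZURE_CLIENT_ID }}           # non-secret identifiers kept as repository variables
          tenant-id: ${{ vars.AZURE_TENANT_ID }}
          subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
      - run: ./scripts/deploy-azure.sh # hypothetical
```

The workflow file alone does not scope the identity; that part lives on the cloud side. The workload identity pool provider's attribute condition (GCP) or the federated credential's subject (Azure) should name the repository and branch that may impersonate the deploy identity, so a token minted by any other workflow is rejected even if its YAML looks identical.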
I structure CI/CD around centralized reusable workflows. Security gates — linting, SAST, dependency review, IaC validation — run from a shared .github organization repository, ensuring every repo gets the same security checks without duplicating configuration. Branch protection rules enforce required status checks, dismiss stale approvals, and require CODEOWNERS review for infrastructure-sensitive paths.
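As an added illustration of the reusable-workflow layout described above (example written for this page, not the author's organization's workflow), here are the two files involved: the security-gates workflow in the organization's .github repository and the thin caller each application repository carries. The organization name, all SHAs, the infra/ directory and the lint script are placeholders.

```yaml
# Added example, not from the original page.
# --- file: <org>/.github/.github/workflows/security-gates.yml ---
name: security-gates

on:
  workflow_call:
    inputs:
      codeql-languages:
        description: Comma-separated CodeQL languages for the calling repo
        required: true
        type: string

permissions: {}

jobs:
  lint:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@<full-40-hex-sha>            # tag: v4
      - run: ./scripts/lint.sh                              # hypothetical linter entry point

  codeql:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      actions: read                                         # needed on private repos for the results upload
      security-events: write                                # the only write scope: uploading SARIF results
    steps:
      - uses: actions/checkout@<full-40-hex-sha>            # tag: v4
      - uses: github/codeql-action/init@<full-40-hex-sha>   # tag: v3
        with:
          languages: ${{ inputs.codeql-languages }}
          queries: security-extended                        # extended suite on top of the default queries
      - uses: github/codeql-action/autobuild@<full-40-hex-sha>
      - uses: github/codeql-action/analyze@<full-40-hex-sha>

  dependency-review:
    if: github.event_name == 'pull_request'                 # diffs the PR's manifests against the base branch
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@<full-40-hex-sha>
      - uses: actions/dependency-review-action@<full-40-hex-sha>   # tag: v4
        with:
          fail-on-severity: high                            # fail the check on newly introduced high/critical advisories

  iac-validate:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@<full-40-hex-sha>
      - uses: hashicorp/setup-terraform@<full-40-hex-sha>   # tag: v3
      - run: terraform fmt -check -recursive
      - run: terraform -chdir=infra init -backend=false && terraform -chdir=infra validate

# --- file: .github/workflows/security.yml in each application repository ---
name: security

on:
  pull_request:
  push:
    branches: [main]

permissions: {}

jobs:
  gates:
    uses: <org>/.github/.github/workflows/security-gates.yml@<full-40-hex-sha>
    with:
      codeql-languages: javascript
    # A called workflow can only narrow the caller's token, never widen it,
    # so the caller has to grant the union of what the gate jobs request.
    permissions:
      contents: read
      actions: read
      security-events: write
```

Because the caller pins the reusable workflow by SHA, updating a gate is a reviewed change in the .github repository followed by a bump in each caller, which is where Dependabot's grouped PRs earn their keep. The gate jobs surface as status checks prefixed with the calling job's name, and those are the names that branch protection's required status checks refer to.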
Cloud Security & Infrastructure
My primary cloud experience is on Google Cloud Platform, where I've built and secured infrastructure using Terraform. I design VPC networks with proper subnet segmentation, configure firewall rules with deny-by-default policies, and set up Cloud Load Balancing with Cloud Armor WAF rules for DDoS mitigation and OWASP-based request filtering.
IAM is designed around service accounts with minimal role bindings — I avoid primitive roles (Owner, Editor) and assign predefined roles at the narrowest scope possible (project, folder, or resource level). Terraform state is stored in Cloud Storage with versioning enabled, encryption at rest, and object-level access controls.
On Azure, I'm building deeper expertise — currently pursuing AZ-900 while working hands-on with Azure DevOps pipelines and migration workflows. I hold the Azure DevOps-to-GitHub migrations delivery credential, which covers repository migration, pipeline translation from YAML/Classic to GitHub Actions, and security configuration mapping between platforms.
Infrastructure is managed as code with Terraform. I organize modules by concern — networking, compute, IAM, storage — with clear input/output contracts between modules. Every terraform plan runs in CI before apply, and destructive changes require explicit manual approval through the pipeline.
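The plan-before-apply gate with manual approval for destructive changes, as an added example workflow written for this page rather than taken from the author's pipelines. It assumes the Terraform code lives under infra/, that two GitHub environments exist (infra with no reviewers, infra-destructive with required reviewers configured in repository settings), and that cloud access uses the OIDC federation described earlier; the SHAs are placeholders.

```yaml
# Added example, not from the original page.
name: terraform

on:
  pull_request:
    paths: ['infra/**']
  push:
    branches: [main]
    paths: ['infra/**']

permissions: {}

defaults:
  run:
    working-directory: infra           # hypothetical location of the root module

jobs:
  plan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write                  # OIDC exchange for the cloud credentials the plan needs
    outputs:
      destructive: ${{ steps.inspect.outputs.destructive }}
    steps:
      - uses: actions/checkout@<full-40-hex-sha>            # tag: v4
      - uses: hashicorp/setup-terraform@<full-40-hex-sha>   # tag: v3
        with:
          terraform_version: <pinned-version>               # placeholder; pin an exact release
          terraform_wrapper: false                          # plain binary so stdout can be piped to jq
      - run: terraform init -input=false
      - run: terraform validate
      - run: terraform plan -input=false -lock-timeout=5m -out=tfplan
      # Count resources the saved plan would delete. A replace shows up here
      # too, because its action list contains "delete" alongside "create".
      - id: inspect
        run: |
          deletes=$(terraform show -json tfplan \
            | jq '[.resource_changes[]? | select(.change.actions | index("delete"))] | length')
          echo "planned deletions: $deletes"
          if [ "$deletes" -gt 0 ]; then
            echo "destructive=true" >> "$GITHUB_OUTPUT"
          else
            echo "destructive=false" >> "$GITHUB_OUTPUT"
          fi
      - uses: actions/upload-artifact@<full-40-hex-sha>     # tag: v4
        with:
          name: tfplan
          path: infra/tfplan                                # uses: steps ignore the run working-directory

  apply:
    if: github.ref == 'refs/heads/main'                     # PRs only get the plan
    needs: plan
    runs-on: ubuntu-latest
    # The environment is chosen from the plan outcome: infra-destructive has
    # required reviewers, infra does not, so only plans that delete something
    # pause for a human while routine changes flow through unattended.
    environment: ${{ needs.plan.outputs.destructive == 'true' && 'infra-destructive' || 'infra' }}
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@<full-40-hex-sha>
      - uses: hashicorp/setup-terraform@<full-40-hex-sha>
        with:
          terraform_version: <pinned-version>               # must match the version that wrote the plan
          terraform_wrapper: false
      - uses: actions/download-artifact@<full-40-hex-sha>   # tag: v4
        with:
          name: tfplan
          path: infra
      - run: terraform init -input=false                    # providers are needed to apply a saved plan
      - run: terraform apply -input=false tfplan            # applies exactly what was reviewed, nothing re-planned
```

Applying the saved plan file rather than re-running plan is what makes the approval meaningful: the reviewer approves a specific set of changes, and Terraform refuses the apply if the remote state moved on since that plan was written, which is the state-locking behaviour the backend provides.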
Technical Leadership & Community
I lead technical community initiatives focused on DevSecOps practices and knowledge transfer. This includes mentoring developers on secure coding patterns, conducting workshops on GitHub Advanced Security adoption, and creating documentation and runbooks for security operations procedures.
My approach to security culture is practical: instead of mandating compliance top-down, I embed security tools directly into the developer workflow where they provide immediate, actionable feedback. A developer should see a code scanning alert in the same PR where they introduced the vulnerability — not in a quarterly audit report three months later.
Engineering Approach
- Security is a development concern, not an afterthought. If a vulnerability is caught in production, the feedback loop has failed. Every scanning tool I configure is designed to surface issues during the pull request review, not after deployment. The goal is to make the secure path the path of least resistance for developers.
- Automate the repeatable, reason about the complex. I automate scanning, policy enforcement, and secret detection so that human effort is spent on architecture review, threat modeling, and incident analysis — the things that require context and judgment, not pattern matching.
- Least privilege is not optional. From IAM roles to pipeline permissions to network firewall rules, every entity gets exactly the access it needs. Default-deny everywhere. This applies to service accounts, GitHub tokens, cloud roles, and container runtime configurations.
- If you can't observe it, you can't secure it. Monitoring and audit trails are built into every layer — application logs, CI/CD execution traces, cloud audit logs, and security alert dashboards. Visibility is a prerequisite for security, not a nice-to-have.
Toolchain
- Security & Scanning: GitHub Advanced Security (CodeQL, Secret Scanning, Dependabot, Push Protection), OWASP ZAP for dynamic analysis, manual code review for business logic vulnerabilities. OWASP Top 10 as baseline assessment framework.
- CI/CD & Automation: GitHub Actions (reusable workflows, composite actions, OIDC federation, matrix strategies), Docker (multi-stage builds, distroless base images), Kubernetes with Helm charts for orchestration.
- Cloud Platforms: Google Cloud Platform (Compute Engine, VPC, Cloud IAM, Cloud Armor, Load Balancing, Cloud Storage, Security Command Center), Microsoft Azure (DevOps, Defender for Cloud — building expertise). Multi-cloud identity federation.
- Infrastructure-as-Code: Terraform (modular structure, remote state with locking, plan review in CI, provider version pinning), infrastructure security validation with static analysis, policy-as-code enforcement.
- Monitoring & Observability: Grafana dashboards, Prometheus metrics collection, GitHub Security Overview API, cloud audit log analysis, alert routing and escalation workflows.
- Systems & Languages: Linux (server administration, shell scripting, systemd, process management), Git (advanced workflows, branch protection strategies, monorepo patterns), Python, Bash, JavaScript, YAML.
Professional Certifications
GHAS
Security Delivery
Copilot Delivery
Migrations
ADO Migrations
Security Sales
Copilot Sales
Sales Pro
Platform Sales
Revenue Motions
Technical Sales
AZ-900
Foundations
Terraform
Cloud Security
Network Dev
Load Balancing
ML Data Prep
App Dev Env
Linux Intro (LFS101)
Contact
For DevSecOps consulting, security pipeline implementation, GHAS enablement, or technical collaboration. Open to full-time roles, contract work, and community partnerships.