Thibaut Tauveron

Le génie logiciel peut-il encore rester une exception ?

Sat, 31 Jan 2026 00:00:00 +0000

Modèle québécois en ingénierie 🔗

Au Québec, l’ingénierie est encadrée par un principe simple mais exigeant : certaines décisions techniques engagent la sécurité du public et, à ce titre, ne peuvent pas être prises par n’importe qui, ni n’importe comment.

L’Ordre des ingénieurs du Québec structure cette responsabilité autour de plusieurs mécanismes bien connus : un titre protégé, des actes réservés, une obligation de compétence, et surtout une responsabilité personnelle envers la société.

GCP IAM Watcher: Monitor Google Cloud IAM Changes

Thu, 28 Aug 2025 00:00:00 +0000

Identity and Access Management (IAM) sits at the core of every cloud security program. The roles and permissions granted to users, service accounts, and groups directly define what they can access - and therefore how much damage can be done if credentials are misused.

That’s why monitoring IAM changes is a critical part of a defense-in-depth strategy. A single misconfigured role binding can expose sensitive data, weaken compliance posture, or enable lateral movement in the event of compromise.

Practical Guide to GCP Metadata Server with a Real Use Case

Wed, 23 Jul 2025 00:00:00 +0000

The 3am problem 🔗

It was Friday evening, and I was on-call.

One of our central software components had a nasty bug. At random times, especially in the middle of the night, it would just stop consuming Pub/Sub messages. There was no fix ready, and the only way to keep things running was to manually restart the Kubernetes deployment.

Restarting it wasn’t difficult. But being paged at 3AM repeatedly? Not fun.

Weekend peace, No pages please 🔗

I had two goals:

Mastering GCP IAM: Secure Your Google Cloud Environment

Mon, 07 Jul 2025 00:00:00 +0000

Introduction 🔗

Identity and Access Management (IAM) in Google Cloud Platform (GCP) is the backbone of secure cloud operations. It determines who can do what, where — across your entire GCP organization. Whether you’re deploying a serverless app, managing infrastructure via Terraform, or granting temporary developer access, IAM decisions can either safeguard or expose your environment.

This blog post is a hands-on guide to mastering IAM in GCP — not just from a theoretical angle, but through the lens of real-world security practices, tooling tips, and hard-earned lessons from working with complex GCP organizations.

Golden Signals on Google Cloud with Managed Prometheus

Tue, 01 Jul 2025 00:00:00 +0000

Introduction: The Power of Golden Signals at the Edge 🔗

It’s late Friday afternoon—the kind of time you really don’t want something to go wrong—when the reports start coming in: the mobile app is painfully slow, eventually showing a generic “something went wrong” message.

I pull up the dashboards, and the problem is instantly visible at the edge: the API Gateway is returning a surge of 500 errors, with noticeable spikes in latency. It’s clear the issue is affecting all users.

6 Practical Ways to Reduce Your GCP Costs

Mon, 23 Jun 2025 00:00:00 +0000

Running workloads in Google Cloud Platform (GCP) gives you powerful infrastructure, but costs can add up quickly if you’re not careful. Here are six actionable strategies I personally use to keep my GCP bill under control.

Leverage Committed Use Discounts Wisely 🔗

GCP offers two types of Committed Use Discounts (CUDs): spend-based and resource-based.

Spend-based CUDs are simpler to manage—you commit to spending a fixed amount on specific services (like Compute Engine or Cloud SQL), and GCP gives you a discount across eligible usage.

Zero-Trust Access on GCP with Azure AD and IAP

Fri, 13 Jun 2025 00:00:00 +0000

Introduction 🔗

Building secure public access to internal apps — without a VPN — is a common challenge in modern cloud environments. During one of my recent projects, I needed a secure and scalable way to expose internal web tools (like ArgoCD and Grafana) across multiple environments (DEV, QA, PROD). The solution had to support:

SSO via Azure Active Directory
Fine-grained, host-level access control
A VPN-free experience
Low operational cost

To solve this, I designed and deployed a cloud-native architecture using Google Cloud Identity-Aware Proxy (IAP), Workforce Identity Federation, and nginx ingress in GKE. Here’s how it works and how you can build a similar setup.

How I Passed the CISSP Exam: Study Guide & Strategy

Sat, 10 May 2025 00:00:00 +0000

My Background 🔗

Before diving into how I prepared for and passed the CISSP exam, I want to give a bit of context about my professional background and why I decided to pursue this certification in the first place.

I’m a software engineer with a strong focus on cloud, security, and DevOps. Over the years, I’ve built and secured cloud platforms across industries like banking, fintech, medtech, and consulting, always aiming to align business needs with technical solutions.

The Hive - TryHackMe Challenge

Tue, 09 Aug 2022 00:00:00 +0000

If you haven’t checked out TryHackMe yet, it’s a fantastic platform for learning cybersecurity through hands-on challenges. The site offers a wide variety of “rooms” — self-contained virtual environments that simulate real-world systems with intentional vulnerabilities. Each room is designed to help you build practical skills by hunting down hidden flags through enumeration, exploitation, and lateral thinking.

What’s especially cool is that the community can contribute their own rooms, which makes for a fun and ever-evolving ecosystem of challenges — and a great way to learn from others.

Reverse Engineering Siebel Test Automation Jenkins Plugin

Sat, 07 Aug 2021 00:00:00 +0000

A while back, I had the opportunity to work with a Swedish insurance company on enhancing their DevOps capabilities. Like many large enterprises, they were using Oracle Siebel as their CRM system—and one of the big challenges was introducing automated smoke testing into their existing workflow.

Siebel isn’t exactly known for being automation-friendly out of the box, but Oracle does offer tools to support test automation. During that project, I dug into those tools and even reverse-engineered a Jenkins plugin to better understand how it all worked—and to ultimately remove Jenkins from the equation entirely.

Palsforlife – TryHackMe Challenge

Tue, 01 Jun 2021 00:00:00 +0000

TryHackMe is an awesome platform for learning cybersecurity through hands-on labs. Their gamified approach makes diving into new tools and techniques genuinely fun. As I was progressing through various challenges, I noticed there was only one room that touched on Kubernetes.

Given how much Kubernetes has exploded in popularity in recent years, it’s becoming an increasingly attractive target — which means it’s just as important to understand how clusters can be exploited as it is to secure them. That’s what inspired me to design and propose a room focused on Kubernetes, blended with a bit of World of Warcraft flair — and thus, Palsforlife was born.

Capitalizing on Your Linux Command History

Tue, 09 Mar 2021 00:00:00 +0000

When working with Linux, I often forget commands I don’t use regularly — and I definitely don’t enjoy retyping long ones. Luckily, bash keeps a history of previously executed commands, which we can leverage to save time and boost productivity.

Making the Most of Bash History 🔗

The simplest way to access past commands is by pressing the up and down arrow keys. A more powerful method is using Ctrl-R, which lets you start typing a command and autocompletes it based on history.

Deploy Traefik on GKE with Google L7 Load Balancer

Mon, 15 Feb 2021 00:00:00 +0000

When deploying services in Google Kubernetes Engine (GKE), one of the first things we typically do is expose them externally. The simplest approach is to set the type: LoadBalancer on a Kubernetes Service, which provisions a regional External TCP/UDP Network Load Balancer (L4) for you automatically. This works well for basic needs—especially if you’re exposing raw TCP services like SSH or Jenkins agents.

However, there are two downsides:

It’s regional, which can introduce latency for users located far from your cluster.

A TCP proxy between networks in GCP

Mon, 08 Feb 2021 00:00:00 +0000

Connecting isolated networks in Google Cloud without peering can be tricky, especially when overlapping IPs and security boundaries are involved.

In this post, I’ll walk through a practical solution I implemented to bridge two GCP networks using a lightweight TCP proxy. Rather than relying on complex subnet gymnastics or network peering, I used a dual-NIC VM and HAProxy to cleanly route traffic across projects. It’s a scalable pattern that keeps networks decoupled while still allowing secure communication between them.