Lorena

Meet Lorena. She’s a Senior Security Architect.

From Caesar’s cipher to modern certificates, meet the cryptographer

I am a Senior Security Architect in Global Security Operations. In my team, Application Security, we work with proactive identification, assessment, and mitigation of security risks in our in-house developed software. Basically, we’re a central service dedicated to protecting Novo Nordisk’s digital assets.

We play an important role in assisting development teams in identifying security vulnerabilities in the software they are building by utilising software security tools. We help them prioritise these vulnerabilities and explore effective ways to address or mitigate them.

Sharing what we know and helping to coach developers is a big part of what we do. If we can support them with a better understanding of code vulnerabilities, it makes it easier for them to incorporate security practices into their daily workflows — and this means fewer vulnerabilities in the software they write.

What's that notepad for?

📝 I have an obsession with order and create lists for everything: shopping lists, to-do lists, books I want to read, films I'd like to watch, places I want to visit, favourite recipes, memorable quotes from books and, of course, a wish list of toys that my children mention throughout the year.

Joining

To be fair, you were right

When I first moved to Denmark 12 years ago, I was in academia doing a postdoc and joined the Spanish Association of Researchers in Denmark. Through that forum, I connected with many other Spanish researchers, most of whom had a biotechnology background and were working at Novo Nordisk. At that time, I only associated Novo Nordisk with biotechnology and drug development, and I never would have imagined the strong role that IT and digitisation in general had in the company’s entire value chain. To be fair, it probably hadn’t fully developed in that direction back then either.

I’ve always been drawn to jobs that in some way or another create value for society. Roughly speaking, for many years, my contribution entailed expanding society’s knowledge through research and getting the next generation of professionals ready through education. As any other pharmaceutical company, Novo Nordisk enhances people's lives with the drugs it produces. But what specifically motivated me to work for Novo Nordisk was my mother's sudden diagnosis of type 1 diabetes four years ago, as it was precisely their products that helped her lead a normal life and continue enjoying time with her grandchildren.

Bookworm

📚 I always have at least three books on my current reading list: a novel to immerse myself in a captivating story, a health-related book for wellness and personal development, and a technical book that helps me enhance my skills and stay updated.

Work

Supercomputer security

One exciting project I'm currently involved in—though it's still in progress—involves collaborating with data scientists from the Research and Early Development area, who are developing AI training models to run on the supercomputer Gefion. This initiative utilises container images to execute Python code within a Kubernetes cluster.

My team is aiding in reviewing the build process of these images, to identify potential security concerns and determine appropriate measures to address them in a proactive way. This may include scanning the Python code with a SAST tool, analysing dependencies using an SCA tool, scanning the container images at different stages of the process, or attaching an SBOM artifact to every image, among other things. As always, we have to be aware of and address various constraints, both related to operating within a supercomputer environment – but also concerning the scientists’ perspective, who may perceive these additional security tests as extra tasks that only hinder their workflow or complicate their processes.

While still underway, this project is allowing me and my team to apply our expertise in application security while ensuring that innovative solutions remain secure.

Tech

For every threat, there is a tool

I work with a diverse array of technologies and tools, both as an end user, but also operating them and setting them up for others to use. For source code management, I primarily use Azure DevOps and GitHub, as these platforms are central to most software development projects in Novo Nordisk. To truly understand the needs and challenges of developers, I strive to put myself in their shoes and use the tools they rely on as much as possible.

While I don’t actively develop software in the traditional sense, I do write Python and PowerShell scripts to interact with our tools’ APIs and handle general task automation within our Application Security (AppSec) service. Additionally, we maintain demo build pipelines that illustrate how AppSec tools can be integrated into the build process or used for standalone regular scans.

The AppSec tools I work with include a Static Application Security Testing (SAST) tool, which analyses source code for security vulnerabilities before the application is run; a Software Composition Analysis (SCA) tool, which identifies open-source components in the codebase and their associated security and license risks; and a Dynamic Application Security Testing (DAST) tool that assesses running applications for security weaknesses. Alongside these, I operate a Cloud Workload Protection platform that secures cloud workloads, ensuring they remain protected against threats. I am constantly exploring other tools, especially as the threat landscape in the area evolves and new attack vectors are identified.

"To truly understand the needs and challenges of developers, I strive to put myself in their shoes and use the tools they rely on as much as possible."
Lorena Ronquillo, Senior Security Architect at Novo Nordisk
Tech stack
javascript
kubernetes
devops
python
java
github

It’s pronounced /ləˈreɪn/, say it luh-rayn.

🥧 Although I'm Spanish, my mother is French and I grew up enjoying traditional French cuisine. While at school, I often wondered why my friends didn’t know what a "Quiche Lorraine" was.

Community

Secure connections

I am part of the software development community in Novo Nordisk, including various Teams channels and groups in Viva Engage. They are valuable platforms for understanding developers' concerns and challenges, while also promoting our internal service offerings. For example, developers often share their tech stacks and tools in their posts, prompting me to verify whether our tools support them or if there are any out-of-the-box integrations available for their existing solutions. If not, my team explores how we can enable that functionality. Additionally, I use these channels to announce any upcoming training sessions of our AppSec tools.

Outside of Novo Nordisk, I am also a member of the OWASP community, which is a global organisation focused on improving the security of software. Being part of this community provides me with access to valuable resources, such as security guidelines, tools and best practices. It also allows me to connect with a network of professionals who share insights and experiences related to application security, further enhancing my knowledge and skills in the area.

Learning milestones

- I learned to code at university, starting with Pascal and progressing through C, C++, Java, JavaScript, and Lisp. I even created my own programming language during a Compilers course!
- In my first role as a software developer, I primarily worked with Java and had my first exposure to version control tools, specifically Subversion. Back then, git was just a gleam in a developer’s eye!
- During my second job as a software developer, I began to grasp the importance of security—what security truly means and the various ways software can be compromised.
- During my research time, I honed my ability to communicate complex concepts and developed strong analytical and problem-solving skills. I focused on cryptography, and I primarily used Python to write simulations of security protocols.
- While teaching, I deepened my understanding of industry best practices in application security and became familiar with many existing tools. One of the courses I taught was specifically focused on Software Security.

My Career

Autonomous

Completed a degree in Computer Science Engineering at the Autonomous University of Barcelona, while gaining practical experience at Thales IS as a part-time software developer.

Verifying

Joined a software company, focusing on writing code for digitally signing and verifying signatures in compliance with industry standards.

Steganography

Earned a PhD in Computer Science, specialising in steganography, which opened the door to job opportunities abroad, particularly in Denmark.

Vote for change

Relocated to Denmark to pursue a postdoc at the IT University of Copenhagen, conducting research on cryptography applied to electronic elections with the aim of ensuring secure elections.

Victorian

Participated in the official security evaluation of the e-voting system used by the Victorian electoral commission in Australia, helping the government ensure the system's reliability for their upcoming elections.

Educator

Shifted focus to an education at KEA (Københavns Erhvervsakademi), contributing to the design and development of one of Denmark's first cybersecurity programmes.

Life changing

Joined Novo Nordisk, where I leverage security expertise and educational skills to support secure software development.
