A hacker making things more secure, meet Achraf!
Achraf has joined Algoan in 2019 as DevSecOps Engineer.
Can you tell us a little about your job?
A : As a DevSecOps Engineer, it is my job to safeguard the security of software throughout its entire life cycle, from the initial planning stages through to production. It is key to ensure that security is properly incorporated into each stage of development by all the teams involved. Then I make sure the code doesn’t have any vulnerabilities and check that the app infrastructure is perfectly configured and secured. That’s why I carry out penetration tests too, to assess their robustness and vulnerability to penetration (black-box and white-box pentests).
Do you remember your first hack?
A : Yes, it was in 2014, I think. It was a teenage thing, I had a few suspicions about my girlfriend at the time, and I wanted to check her Facebook to see if she was hiding anything from me.
I admit I took advantage of a fault in her Hotmail to recover her password. Unfortunately, what I discovered wasn’t good! I suddenly realised the damage it could do. And it sparked my passion for ethical hacking, which puts these types of skills to use for good.
Why did you continue afterwards?
A : At the time, it was really satisfying to have gained this type of access. It makes you feel powerful. I like the quote from Spiderman, “With great power comes great responsibility.” That sums it up; just like that you have a lot of responsibility right there at your fingertips.
Why did you choose it as a career (DevSecOps Engineer / Ethical hacker)?
A : It’s a challenging role where I’m my own adversary. I implement a security system that I then have to try to hack into.
As I’ve said, it comes with a lot of responsibility, but I love the challenge.
I fell into this career by chance. When I was a student, I was really into pentesting and the world of hacking and I managed to gain control of my school’s IT system via a network fault. They offered me a paid role to fix it. That was my first ‘official’ experience. Then I signed up with HackerOne, a platform that gives you the chance to participate in well-defined pentests for businesses that give access to their technical environments in the context of Bug Bounty programs.
So you trained on the job?
A : I began with a general Information Technology & Communication school. Security was not a specialism, but I tried to transfer what I learned and apply it to cybersecurity. I would also often read hacking books like The Hacker Playbook 1 & 2, Penetration Testing: A Hands-On Introduction to Hacking, Black Hat Python, etc. I always make an effort to get to know others who share the same passions as me and take part in security-themed events like CTFs (Capture The Flag).
After that, I went to engineering school. There isn’t really a school where you go to learn to become a DevSecOps or Pentester. What I’ve learned and what is most useful to me today are the things I’ve integrated in a self-taught way.
On the other hand, I haven’t done too badly as regards certification. I began with Networking and System (Linux, Microsoft, etc.) certifications, then Applications (Web, databases, etc.). Since I’ve been at Algoan, I’ve also achieved Cloud certifications.
Why did you choose Algoan?
A : A few reasons. I wasn’t keen on joining a huge company. I knew a vertical management structure wouldn’t give me decision-making opportunities. I didn’t want to be restricted to a single technology type.
At Algoan, I got on well with Fabrice, our CTO, whose vision I shared. I immediately felt that I was going to have the chance to take part in the growth of a project with the freedoms that would allow me to develop. I loved the startup spirit.
What is the pentest you’re most proud of?
A : Not the one I’m most proud of, but definitely the one that made the biggest impression on me. I took control of a telephone operation via a network fault. At the time, I was alarmed at the scale of the penetration and what it was possible to do. I’m used to reporting any vulnerabilities I find to security teams. In general, they are open to this and offer a reward.
What would you give the Mr. Robot series out of 10?
A : I’d give it 7/10 for its stories and 4/10 for the tech they use! They use Script Kiddies!