Hacking for better security, discover Ashraf's portrait!

Can you tell us about your job?

A: As a DevSecOps Engineer, my job is to secure the entire software lifecycle, from planning to production. The main thing is to make sure that the security aspect is taken into account at every stage by the various teams. I then make sure that there are no vulnerabilities in the code, and that the infrastructure on which the app is deployed is perfectly configured and secure. That's why I also carry out penetration tests to ensure their solidity and permeability (black and white pentests).

Do you remember your first intrusion?

A: Yes, I think it was in 2014. A teenager thing: I was having doubts about my girlfriend at the time and wanted to check her Facebook page to see if she was hiding things from me.
I took advantage of a flaw in Hotmail at the time to retrieve her password. What I found there obviously didn't please me... That's when I realized that it could do harm. It was also the starting point for my passion for ethical hacking, which aims to use these skills for virtuous ends.

Why did you continue after that episode?

A: At the time, it was quite satisfying to have so much access. There's a feeling of power. I like Spider-Man's phrase "With great power comes great responsibility". All of a sudden, you've got a lot of responsibility in your hands.

Why did you choose to make this your career (DevSecOps Engineer / Ethical Hacker)?

A: It's a challenging job, I'm my own adversary.
I set up a security system which I then have to try to penetrate.
As I said before, it's a lot of responsibility, but it's a challenge that I particularly enjoy.

In fact, it was somewhat by chance that I started to make a career out of it.
When I was a student, fascinated by pentesting and the world of hacking, I took control of my school's information system via a network flaw. They then offered me a paid job to secure it.
That was my first "official" experience. I then signed up for HackerOne. It's a platform that offers the opportunity to participate in well-defined pentests for the benefit of companies that give access to their technical environments as part of Bug Bounty programs.

So you learned on the job?

A: I started out at a fairly generalist school for Information and Communication Technology. Security wasn't a specialty at all, but I tried to transpose what I learned there by applying it to cybersecurity. I also regularly consulted hacking books ("The Hacker Playbook 1 and 2", "Penetration Testing: A Hands-On Introduction to Hacking", "Black Hat Python"...). I've also always tried to get in touch with people who share the same passion, and take part in security events such as CTFs (Capture The Flag).

I then went on to engineering school. There isn't really a school for becoming a DevSecOps or Pentester, but the things I learned and the ones that are most useful to me today are the ones I learned on my own.

On the other hand, I also took a number of certifications. I started with Network, System (Linux, Microsoft...), then Application (Web, Database...) certifications. Since joining Algoan, I've also taken some Cloud certifications.

Why did you choose Algoan?

A: For several reasons. I was reluctant to join a big company. I knew that the hierarchy, which was too vertical, wouldn't give me the opportunity to participate in decision-making. Nor did I want to be confined to a single technology.
At Algoan, I first got on very well with Fabrice, our CTO, whose vision I shared. I immediately felt that I was going to have the opportunity to play a concrete part in the growth of a project, with the freedom to develop myself. It was this very start-up spirit that appealed to me.

BONUS QUESTIONS

Which intrusion are you most proud of?

A: Not the one I'm most proud of, but certainly the one that impressed me the most. I took control of a telephone operator via a network flaw. At the time, I was frightened by the scale of the intrusion and what was possible. I usually report any vulnerabilities I find to the security teams. They're usually quite open and offer rewards.

If you had to rate the Mr. Robot series out of 10?

A: I'd give 7 for the script, and 4 for the technique used. They use script-kiddie tools!

Find Achraf on LinkedIn
