What’s it like to work at a fully distributed company with a worldwide team and culture guided by a Creed? Welcome to “Life @ Automattic,” an occasional series of Q&As with the people behind the products. Today we talked with security engineer Alexander Concha.
Who are you, and what do you do?
Hello, my name is Alexander. I am originally from Peru, but I have been living in France since 2008. When the weather is nice, I love to go out and explore the countryside. There are many hiking trails and natural parks around here that offer breathtaking views and a chance to connect with nature. Along the way, I also enjoy cooking and trying new recipes.
At Automattic, I work as an application security engineer. I’m always looking for ways to improve security, whether it’s by trying out new tools and software or by trying to identify new security issues in our different services. I am also part of the WordPress.org security team.
What exactly is an application security engineer?
Roughly speaking, an application security engineer is someone who specializes in keeping software applications as safe as possible from different security threats. Among other things, we work with development teams to build new applications or features with security in mind. We also help respond to security incidents, constantly look for security flaws or monitor suspicious activity, etc.
As a security engineer at Automattic, one can also contribute to the WordPress.org project. Indeed, this collaboration is essential because it allows the WordPress.org security team to test, at probably the biggest WordPress installation in the world, the security fixes planned to be released. Such tests help quickly detect any breaking changes or performance-related issues these fixes might cause.
Describe a typical day at work.
While Automattic provides the freedom to work anytime, I mainly adjust my schedule to “classic” work hours to spend time with my young kids.
I usually start by catching up with P2/Slack. If there are no urgent pending code audit requests or security incidents that need my help, I usually review my backlog of items. They range from code audit requests and feature RFCs (requests for comments) to checking out a bit of particularly “suspicious” looking code I noticed while working on something else, and so on.
As for the work I do each day, it varies quite a bit.
For example, one of the projects I was involved in was planning and running spear-phishing campaigns. We do this because no matter how strong a platform’s security is, the weakest link will always be humans. Most of the breaches we see in big companies result from phishing attacks.
Other projects are less unusual but just as important. Today, for instance, I’m helping our hosted service migrate to use a newer PHP version. It’s not a “fun” project, per se, but it’s important for a whole lot of reasons, like improving performance and security, and reducing the overhead needed to maintain older software and custom patches.
What are some challenges you’ve faced?
When I had to deploy a mitigation change that would potentially corrupt some user content. Despite all the testing and code reviews, one is always stressed to do such a change, because if something goes wrong, recovering from it would take quite a bit of work.
What’s unique about working in security at Automattic?
One gets to work with talented colleagues who are an inspiration to continue learning and becoming a better engineer oneself.
There’s also the opportunity to work closely with the WordPress.org security team, which means our work has an impact on many WordPress sites in the world!
What keeps you going? What gets you charged up to come to work in the morning?
One of the things that I like the most in my role is that the day-to-day work is not always the same every day. That, and my passion to continue learning and improving on all things security. Attempting to find ways to “break” a given feature or mitigation change.
What advice would you give to someone who wants to get into security engineering?
Assuming one already has some experience with a programming language, I’d suggest starting with the basics by reading security related articles or following courses available at Coursera, edX, Audacity, etc. A fun and practical way to learn is by participating in Capture the Flag (CtF) events or by solving existing CtF challenges.
Thanks for spending time with us, Alexander!
Founded in 2005 by Matt Mullenweg, the co-creator of WordPress software, Automattic has been recognized as one of the world’s most innovative companies. We’re the people behind WordPress.com, WooCommerce, Jetpack, WordPress VIP, Simplenote, Longreads, WPScan, Akismet, Gravatar, Crowdsignal, Cloudup, Tumblr, Day One, Pocket Casts, and more. As of today, there are 1,986 Automatticians in 97 countries speaking 123 different languages. Maybe you can be one of us.