
Security Assurance Engineer Stéphanie Ouillon on protecting users, assessing risk, and learning at Mozilla

When Stéphanie Ouillon joined Mozilla after university, she was excited to find a job that married her passions for open-source software and privacy and security. And after more than nine years, she’s still excited — thanks to the different roles and teams that keep her job interesting, the experienced engineers who have mentored her, and the new teammates she helps with learning. Below, Stéphanie explains the work she and her colleagues on the Security Assurance team are doing to keep Mozilla users safe, and shares what she’s looking forward to as her team grows.

What brought you to Mozilla, and why have you stayed? 

When I started engineering school for computer science, I was lucky enough to get involved with a student group called MiNET, which ran a campus ISP and was also a sort of club for people interested in the same things I was — and one of the former members worked at Mozilla. So I knew the company was one of my options here in Paris, and seeing that he was here helped me feel like, “OK, that’s possible for me, too.” And I was very into open source software; it was important to me to work somewhere where users could look at the code to see what’s going on, and have some agency over and knowledge about the software they were running. I’d also gotten involved very early on in security and privacy — I always wanted to understand not just how to code, but how things could go wrong. So with that background, Mozilla’s mission and values really set it apart for me. It wasn’t just another tech company; there was a real purpose behind working here.

I’ve been here nine years, and I think I’ve stayed for those same reasons, but also because I get to work in a place with many engineers who are excellent at what they do. And they’re not just excellent; they also truly care about security and privacy. That’s true of our leadership, too. Usually, I do not have to struggle to convince people that security is important, and that’s huge. It makes life so much easier for a security engineer.

Tell us about your role. What are you working on day to day?

All of my work has been under the umbrella of security assurance, but right now I’m focused mostly on risk assessment — which means I ask a lot of questions. Whenever we change something technical, like a new service or feature, I get my nose into it and talk with the people who are building it, to try to understand how the systems work, what our goals are, and what risks there might be from a security perspective. As a developer, you’re thinking mostly about how to make your product work, and you might not be in the mindset to find holes in the design or identify the ways things could go wrong. So it can be helpful to have someone who’s dedicated just to that.

If we’re building a new app, for example, users might put personal data in it — so our risk assessment would include thinking about how we want to store that information so it’s safe and secure. What are all the possible attack scenarios, and how would we need to respond if that happened? Do we have the resources to do so? There’s no such thing as zero risk, but if there’s something that needs to be done to enhance our security, we want to do that before we ever bring the app to users.

We do risk assessment across every level of the product organization, and during the past two years I have been working mostly with the Infrastructure teams, thinking about the architecture and design at a high level. Now I’m shifting back to what we call application security, focusing more on the products themselves — looking at UX and APIs and everything else at the code level — to make sure they’re as secure as possible.

How have you grown in your time at Mozilla — and who and what helped you learn?

I was on the same team my first several years here — though I had a few different roles in that time — and my manager taught me a lot. They were a technical mentor to me, but they also helped me learn to do security with empathy. If someone’s been working for months on a product and you find a major flaw in the design that needs to be fixed before they can ship, you don’t have to come at that situation like the security police, telling them all about what they’ve done wrong. You can start by really trying to understand what they want to achieve, and considering all the different, sometimes contradictory, aspects of building that product. Then, figure out how you can help. That’s how we ship great products, and it’s also what enables us on the security team to continue doing our job, because we need people to tell us what we don’t already know. We have to build the kinds of relationships where our teammates feel completely comfortable reaching out to us when they have a question, even a small one.

Another thing I’ve learned here is to ask questions. Early on, that was hard for me; I tried to figure everything out myself. But someone told me, “Spend an hour on something, and if you don’t get it, just ask.” That’s normal, and it doesn’t mean you’re not smart enough. It just means it’s a really tricky piece of code that maybe one or two people on Earth understand — and luckily for me, I can reach out to those people, so I should. Back when I was working on Gecko and Firefox, there were many senior developers at Mozilla who had been here for so long that even when it came to security, they often knew more than me. I was still asking them questions and trying to find the things they may not have considered, but they were also helping me learn my job. And I’ve found the people who are the best in their fields are also often the most humble; they’re happy to help junior team members.

The other thing that’s helped me learn is changing roles and teams. Starting my career here, working with new people and learning new skills was so important to figuring out what I really liked to do. And as security engineers, it’s always good to explore new areas — we want to see the bigger picture. Plus, I just like doing different things. I don’t want to be bored at work, and that’s never a problem for me at Mozilla.

What are you most excited about in the months and years to come?

Lately I’ve been really enjoying working with the product teams again. Focusing on infrastructure for the past few years has been a great opportunity to learn that area, but I love this atmosphere where we’re innovating and building new things, thinking about the experience for our users. It reminds me of when I started at Mozilla and was working on Firefox OS, the mobile operating system — that was a product I used myself and really believed in, so it was easy to see, “Oh, yeah, this feature is going to be great.” We’ve been developing a lot of new products — some of which are already out, like Relay Phone Masking, which allows you to protect your number from spam lists when you’re buying something online or creating an account. Working on that, I was thinking, “Yes! I want this for myself.”

I’m also looking forward to getting new hires on the security assurance team, and being able to help them learn. We do have formal mentorship programs, but it also just happens naturally, like when you’re working on a project with someone who recently joined. I’ve been here so long, and it’s quite nice to share what I’ve learned, whether it’s technical knowledge or just how things work within the company. If you need some information or you have a concern you want to raise, for example, who should you reach out to and how? At a certain point, I don’t even think of it as mentoring; it’s just sharing and supporting each other. I love getting to collaborate with new people.
