{"id":676,"date":"2023-04-03T15:32:02","date_gmt":"2023-04-03T22:32:02","guid":{"rendered":"https:\/\/blog.mozilla.org\/careers\/?p=676"},"modified":"2023-04-03T15:37:34","modified_gmt":"2023-04-03T22:37:34","slug":"security-assurance-engineer-stephanie-ouillon","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/careers\/security-assurance-engineer-stephanie-ouillon\/","title":{"rendered":"Security Assurance Engineer Ste\u0301phanie Ouillon on protecting users, assessing risk, and learning at Mozilla"},"content":{"rendered":"<p><i>When Ste\u0301phanie Ouillon joined Mozilla after university, she was excited to find a job that married her passions for open-source software and privacy and security. And after more than nine years, she\u2019s still excited \u2014 thanks to the different roles and teams that keep her job interesting, the experienced engineers who have mentored her, and the new teammates she helps with learning. Below, Ste\u0301phanie explains the work she and her colleagues on the Security Assurance team are doing to keep Mozilla users safe, and shares what she\u2019s looking forward to as her team grows.<\/i><\/p>\n<p><b>What brought you to Mozilla, and why have you stayed?<\/b><b><i>\u00a0<\/i><\/b><\/p>\n<p>When I started engineering school for computer science, I was lucky enough to get involved with a student group called MiNET, which ran a campus ISP and was also a sort of club for people interested in the same things I was \u2014 and one of the former members worked at Mozilla. So I knew the company was one of my options here in Paris, and seeing that he was here helped me feel like, \u201cOK, that\u2019s possible for me, too.\u201d And I was very into open source software; it was important to me to work somewhere where users could look at the code to see what\u2019s going on, and have some agency over and knowledge about the software they were running. I\u2019d also gotten involved very early on in security and privacy \u2014 I always wanted to understand not just how to code, but how things could go wrong. So with that background, <a href=\"https:\/\/www.mozilla.org\/mission\/\">Mozilla\u2019s mission<\/a> and values really set it apart for me. It wasn\u2019t just another tech company; there was a real purpose behind working here.<\/p>\n<p>I\u2019ve been here nine years, and I think I\u2019ve stayed for those same reasons, but also because I get to work in a place with many engineers who are excellent at what they do. And they\u2019re not just excellent; they also truly care about security and privacy. That\u2019s true of our <a href=\"https:\/\/www.mozilla.org\/about\/leadership\/\">leadership<\/a>, too. Usually, I do not have to struggle to convince people that security is important, and that\u2019s huge. It makes life so much easier for a security engineer.<\/p>\n<p><b>Tell us about your role. What are you working on day to day?<\/b><\/p>\n<p>All of my work has been under the umbrella of security assurance, but right now I\u2019m focused mostly on risk assessment \u2014 which means I ask a lot of questions. Whenever we change something technical, like a new service or feature, I get my nose into it and talk with the people who are building it, to try to understand how the systems work, what our goals are, and what risks there might be from a security perspective. As a developer, you\u2019re thinking mostly about how to make your product work, and you might not be in the mindset to find holes in the design or identify the ways things could go wrong. So it can be helpful to have someone who\u2019s dedicated just to that.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-678 size-full\" src=\"http:\/\/blog.mozilla.org\/careers\/files\/2023\/04\/stephanie-ouillon-group-scaled.jpg\" alt=\"\" width=\"2560\" height=\"1920\" srcset=\"https:\/\/blog.mozilla.org\/careers\/files\/2023\/04\/stephanie-ouillon-group-scaled.jpg 2560w, https:\/\/blog.mozilla.org\/careers\/files\/2023\/04\/stephanie-ouillon-group-300x225.jpg 300w, https:\/\/blog.mozilla.org\/careers\/files\/2023\/04\/stephanie-ouillon-group-600x450.jpg 600w, https:\/\/blog.mozilla.org\/careers\/files\/2023\/04\/stephanie-ouillon-group-768x576.jpg 768w, https:\/\/blog.mozilla.org\/careers\/files\/2023\/04\/stephanie-ouillon-group-1536x1152.jpg 1536w, https:\/\/blog.mozilla.org\/careers\/files\/2023\/04\/stephanie-ouillon-group-2048x1536.jpg 2048w, https:\/\/blog.mozilla.org\/careers\/files\/2023\/04\/stephanie-ouillon-group-1000x750.jpg 1000w\" sizes=\"(max-width: 2560px) 100vw, 2560px\" \/>If we\u2019re building a new app, for example, users might put personal data in it \u2014 so our risk assessment would include thinking about how we want to store that information so it\u2019s safe and secure. What are all the possible attack scenarios, and how would we need to respond if that happened? Do we have the resources to do so? There\u2019s no such thing as zero risk, but if there\u2019s something that needs to be done to enhance our security, we want to do that before we ever bring the app to users.<\/p>\n<p>We do risk assessment across every level of the product organization, and during the past two years I have been working mostly with the Infrastructure teams, thinking about the architecture and design at a high level. Now I\u2019m shifting back to what we call application security, focusing more on the products themselves \u2014 looking at UX and APIs and everything else at the code level \u2014 to make sure they\u2019re as secure as possible.<\/p>\n<p><b>How have you grown in your time at Mozilla \u2014 and who and what helped you learn?<\/b><\/p>\n<p>I was on the same team my first several years here \u2014 though I had a few different roles in that time \u2014 and my manager taught me a lot. They were a technical mentor to me, but they also helped me learn to do security with empathy. If someone\u2019s been working for months on a product and you find a major flaw in the design that needs to be fixed before they can ship, you don\u2019t have to come at that situation like the security police, telling them all about what they\u2019ve done wrong. You can start by really trying to understand what they want to achieve, and considering all the different, sometimes contradictory, aspects of building that product. Then, figure out how you can help. That\u2019s how we ship great products, and it\u2019s also what enables us on the security team to continue doing our job, because we need people to tell us what we don\u2019t already know. We have to build the kinds of relationships where our teammates feel completely comfortable reaching out to us when they have a question, even a small one.<\/p>\n<p>Another thing I\u2019ve learned here is to ask questions. Early on, that was hard for me; I tried to figure everything out myself. But someone told me, \u201cSpend an hour on something, and if you don\u2019t get it, just ask.\u201d That\u2019s normal, and it doesn\u2019t mean you\u2019re not smart enough. It just means it\u2019s a really tricky piece of code that maybe one or two people on Earth understand \u2014 and luckily for me, I can reach out to those people, so I should. Back when I was working on Gecko and Firefox, there were many senior developers at Mozilla who had\u00a0 been here for so long that even when it came to security, they often knew more than me. I was still asking them questions and trying to find the things they may not have considered, but they were also helping me learn my job. And I\u2019ve found the people who are the best in their fields are also often the most humble; they\u2019re happy to help junior team members.<\/p>\n<p>The other thing that\u2019s helped me learn is changing roles and teams. Starting my career here, working with new people and learning new skills was so important to figuring out what I really liked to do. And as security engineers, it\u2019s always good to explore new areas \u2014 we want to see the bigger picture. Plus, I just like doing different things. I don\u2019t want to be bored at work, and that\u2019s never a problem for me at Mozilla.<\/p>\n<p><b>What are you most excited about in the months and years to come?<\/b><\/p>\n<p>Lately I\u2019ve been really enjoying working with the product teams again. Focusing on infrastructure for the past few years has been a great opportunity to learn that area, but I love this atmosphere where we\u2019re innovating and building new things, thinking about the experience for our users. It reminds me of when I started at Mozilla and was working on Firefox OS, the mobile operating system \u2014 that was a product I used myself and really believed in, so it was easy to see, \u201cOh, yeah, this feature is going to be great.\u201d We\u2019ve been developing a lot of new products \u2014 some of which are already out, like <a href=\"https:\/\/support.mozilla.org\/en-US\/kb\/mask-your-phone-number-relay-phone-masking\">Relay Phone Masking<\/a>, which allows you to protect your number from spam lists when you\u2019re buying something online or creating an account. Working on that, I was thinking, \u201cYes! I want this for myself.\u201d<\/p>\n<p>I\u2019m also looking forward to getting new hires on the security assurance team, and being able to help them learn. We do have formal mentorship programs, but it also just happens naturally, like when you\u2019re working on a project with someone who recently joined. I\u2019ve been here so long, and it\u2019s quite nice to share what I\u2019ve learned, whether it\u2019s technical knowledge or just how things work within the company. If you need some information or you have a concern you want to raise, for example, who should you reach out to and how? At a certain point, I don\u2019t even think of it as mentoring; it\u2019s just sharing and supporting each other. I love getting to collaborate with new people.<\/p>\n<table style=\"background-color: #00ffff;\" cellpadding=\"15\">\n<tbody>\n<tr>\n<td>\n<h3 style=\"text-align: center;\">Interested in joining our team? <a href=\"https:\/\/www.mozilla.org\/careers\/listings\/\">Check out our open roles.<\/a><\/h3>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>When Ste\u0301phanie Ouillon joined Mozilla after university, she was excited to find a job that married her passions for open-source software and privacy and security. And after more than nine &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/careers\/security-assurance-engineer-stephanie-ouillon\/\">Read more<\/a><\/p>\n","protected":false},"author":144,"featured_media":682,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[451108],"tags":[],"coauthors":[306191],"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/careers\/wp-json\/wp\/v2\/posts\/676"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/careers\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/careers\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/careers\/wp-json\/wp\/v2\/users\/144"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/careers\/wp-json\/wp\/v2\/comments?post=676"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/careers\/wp-json\/wp\/v2\/posts\/676\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/careers\/wp-json\/wp\/v2\/media\/682"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/careers\/wp-json\/wp\/v2\/media?parent=676"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/careers\/wp-json\/wp\/v2\/categories?post=676"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/careers\/wp-json\/wp\/v2\/tags?post=676"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/careers\/wp-json\/wp\/v2\/coauthors?post=676"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}