The Tao of Software Engineering
Hi Mehdi! Can you tell us a bit about your background?
Yes sure! Although I'm not really sure how far I should go back... Well, let's try to summarize: after high school, I studied engineering and that first led me toward software architecture. During these first years, I had the opportunity to do my first internship in security: I was performing OWASP-based testing on the web application and found it quite funny, to be honest! I also explored project management governance, things like ISO 27001 certifications, etc. during an internship, but it wasn't technical enough for me.
After that, I flew to Ireland to do my master's at the University of Dublin: Digital Investigation & Forensic Computing.
I learned a lot about reverse engineering, cyber certifications, the law, and investigations in general, including how to question witnesses! My final exam consisted of presenting the results of my investigation to a fake court, and my professor—a former Scotland Yard agent—was playing the defense attorney. I can tell you that the debates were tough!
The studies were exciting, but I eventually ended up doing something else. The problem with this career path is that the opportunities are quite limited: basically, it's either the army or Interpol. And 80% of the investigations revolve around pedocriminality, which explains the turnover...
Anyway, after that I decided to start as a cybersecurity consultant, doing mostly pentesting for big clients.
Is that when you discovered the problem of secrets sprawl?
Well, I'd say yes and no. Of course, we were regularly advocating for sane management of credentials, but what we generally see on the ground is often "all or nothing": it is either super robust, with strong policies already in place, or it is almost open-bar and no serious thinking has gone into the problem.
I was working on application security, and for sure we knew it was a problem. We just weren't aware of the sheer size of it.
What made you switch to development after that?
I learned a lot in consulting but, technically, it wasn't very rewarding. Whenever I found something interesting I wanted to dig into, I was told there was no time for it—because we were always understaffed.
Besides, I was already doing a lot of programming. In particular, I've been working for years on a personal project to analyze gaming stats. We don't realize it, but games produce so much data that looking for patterns in this haystack is almost like looking for secrets in source code! All this to say that the switch was quite natural for me.
How did you first hear about GitGuardian? Can you tell us more about your position?
I was looking for a new Tech Lead position when I stumbled upon GitGuardian's offer which looked interesting given my background... but at the same time, I also found another offer related to sports, which I'm fond of! And honestly, I went first with that one... Before changing my mind soon after! But of course, I had to re-apply to a new position.
This time it was for working as Engineering Lead in the Rogue 1 squad (Engineering teams are organized in tribes and squads to divide up the functional perimeter and dispatch responsibilities efficiently, editor's note). We are in charge of maintaining the GitGuardian Public Monitoring product. In particular, I've been working on clients' custom webhooks, to make sure events are properly repatriated, and doing a lot of codebase rationalization.
How was the interview process?
I had my first interview with Eric (the CTO, editor's note) and it was a big YES: I directly recognized that he knew what he was doing, both strategically and from an engineering point of view. All the other interviews just served as a confirmation after that, but I was already impressed by the maturity level displayed.
I think I made the right decision in joining GitGuardian.
What makes you say that? What did you enjoy the most during your first month?
As I said, for such a young company, I was surprised to see such maturity on many critical points: internal documentation, which is already consequent and self-sufficient (a good thing!), development and HR processes, and code quality relative to the features. I was very happy to be able to find my path autonomously with the documentation! And the other very pleasant thing I would say is the emphasis on balance between quality and velocity, which is excellent.
What would you say about the atmosphere in your team?
I appreciate the goodwill of the dev team, and I hope this will continue as we grow! I really like to share my knowledge and take the time to help out. Plus we hold regular knowledge sessions once or twice a month about interesting topics: it can be a new tech we've been trying out, an external library, improvements, and technical decisions or an introduction to a security topic.
I already did one on Gitflows, and another based on a talk I gave at FOSDEM at the start of this year.
Tell me more about that, you are a conference speaker?
Yes! I started doing that out of the pure desire to share my knowledge on very specific topics, that I really tried in a professional context. I want to be able to answer when I'm asked how something will function in a production setting or at scale.
So far I have participated twice in the Django and twice in the PyCon France editions. The last one was for the Python track at FOSDEM, and it was about managing feature flags in Django.
What would you say to someone who is considering joining GitGuardian?
I'd say go! That being said, to be a good fit, I think a person needs to be curious because there is a lot of information to digest at first. The best way to take your marks is to navigate by yourself. Taking the initiative and asking questions are definitely going to help too—no worries, even seniors often forget things!
Aside from the classic engineering stuff, I would tell this person that we work in close collaboration with the product and marketing teams, and the clients of course—which is great because nothing beats seeing that the product is used!
Finally, I would also reassure her that knowing cybersecurity is not a requirement. There is enough information sharing to arouse curiosity and ramp up softly. But it is still the heart of the business, so a minimum interest is important.
Any hobbies?
I'm a sports addict and I have been for some time now! Kung fu, capoeira, judo, but also swimming and climbing... I've been doing that since I was five years old... and I have just validated my first level as a yoga teacher.
Martial arts are supposed to bring something to your life, beyond the pure physical effort. They are super beneficial for things like controlling emotions, mental health, and respect towards others. In my job, I think it is a great quality to be able to let the ego go and just accept criticism from "masters" for what it really is: the way to improve!
Thank you for your time!
Thanks!