From Ecole 42 to fullstack developer: an interview to discover

Hi Matthieu, it's great to meet you and talk about your career! To start with, could you describe your current role as a fullstack developer, with a particular interest in cybersecurity?

Hello, and thank you for seeing me. To be concise yet comprehensive, I'm responsible for the design, development and maintenance of web and mobile applications. My job involves coding both server-side (PHP, Python) and client-side (HTML, CSS, TWIG, Tailwind, JavaScript). Perhaps you've heard these words before? If not, they may seem somewhat obscure to you: they are programming languages used to develop software, web applications and other computer systems.

As you said, I have a keen interest in cybersecurity, which means that I integrate security practices right from the start of the development cycle. My main responsibilities include
- Analysing the functional and technical requirements of projects
- Designing and implementing software architectures
- Carrying out security and performance tests
- Continuous monitoring and vulnerability management

By using these resources correctly, we can ensure the security of the applications developed. What's more, I use a framework (think of it as a prefabricated toolbox for software developers. It contains ready-to-use tools and rules to follow that help build applications in an efficient and organised way, without having to create everything from scratch every time). This makes the development process faster, more structured and more secure).

It's all very technical! But even though I'm new to the subject, I've got a good understanding of what you do. Can you tell me how you manage to balance the functional requirements of an application with its security imperatives?

This is an important point. To do this:
- I start with an in-depth needs analysis to understand the functional requirements of the application.
- I then use frameworks and libraries (a set of reusable functions and classes that simplify and speed up software development) that are recognised for their security.
- I carry out regular code reviews and penetration tests to identify and correct vulnerabilities.
- I set up access controls and permissions management.
- Finally, I ensure that the entire team and customers are aware of the issues through ongoing training in good security practices.

"The main threats often come from people. Even if the IT system is designed correctly, with no known flaws, there is no such thing as 0 risk".

Can you describe a project where you had to take security considerations into account right from the design stage? What technologies and practices did you use to ensure the security of the application?

One of the notable projects where I had to take security into account right from the design stage was the development of the ENGECO platform. Here are the steps and technologies I used:
- Risk analysis: identification of potential threats from the outset.
- Secure architecture: separation of roles and minimisation of attack surfaces.
- Use of HTTPS (secure version of the HTTP protocol used to secure data exchanges on the Internet) for all communications.
- Input validation and sanitation: to prevent SQL and XSS injections.
- Encryption of sensitive data: use of cryptographic libraries to encrypt data in transit and at rest.

At ENGECO, security has been a priority, in particular to prevent SQL injections. But I'm well aware that all these terms may seem a bit remote to you!
Indeed... Which is why I'd like to talk about Ecole 42! What a nice reference! Can you tell me what your training there consisted of and how that experience prepared you for a career in fullstack development and cybersecurity?

"École 42 offers intensive, practical training that taught me a lot. It taught me how to learn."

Here are some key aspects:

• Project-based learning: each project required a complete solution to the given problem, often with integrated security requirements.
• Collaboration and peer-learning: working with other students on complex projects strengthened my ability to collaborate and share good safety practices, among other things.
• Access to varied resources: I was able to explore various technologies and frameworks used in industry.
• Culture of autonomy: it prepared me to be proactive and to continue to learn independently, including in the field of cybersecurity.
• Practical experience: Hackathons (events where people collaborated intensively on projects over a few days to create innovative prototypes) and programming exercises that included security challenges.

"The branch specialisation I chose included projects such as redesigning Instagram, Tinder and Netflix".

School 42(copyright)

Impressive! And what do you think has been most beneficial to your professional development?

I would say:

• Autonomous learning: my ability to solve problems independently, (a key cybersecurity skill) has increased.
• Collaboration and networking: working with peers and accessing a vast network of professionals has been more than beneficial.
• Immersion through real-life projects : projects based on real-life situations prepared me for the real-life challenges of development and security.
• Continuous updating : a culture of continuous learning, which is essential in a field as dynamic as cybersecurity.

So, would you be able to tell me what the main cybersecurity threats are today?

The main threats to cybersecurity today include :

• Massive data leaks from large groups holding users' personal information.
• Ransomware attacks. They continue to grow in frequency and sophistication.
• Phishing: an attack technique in which cybercriminals send fraudulent emails to lure victims to fake websites, enticing them to divulge personal information such as login details, passwords or financial details.
• Internal threats: employees can intentionally or unintentionally cause data leaks or security breaches.
• Zero-day attacks : this is typically an attack against which the user cannot protect himself. Exploitation of vulnerabilities not yet known to developers.
• The Internet of Things (IoT): IoT devices, which are often poorly secured, are new targets. Watch out for your computer camera, for example.
• Supply chain attacks: compromising suppliers to reach target companies.
• Library corruption: when a software library in use is compromised by malicious code.
• The notorious "Man in the middle": an attack carried out by intercepting and manipulating communications on public networks.

"Social engineering: you know, that famous phone call where you're led to believe that it's your banker calling because your bank account has been hacked. Then they take advantage of the situation to get our bank details. Well, there you go, jackpot".

The risk in cyber security is the synergy between different types of attack.

It's clear that you don't realise this on a day-to-day basis... Finally, what does Inforca bring to your work? On a day-to-day basis?

Inforca offers a flexible working environment that fosters team cohesion with people of varied backgrounds who are open to discussion. What's more, thanks to the diversity of our clients - institutions and professionals from different business sectors - the assignments we take on are always varied and stimulating. The search for solutions that are best suited to our customers' needs and putting them into practice creates real intellectual stimulation on a daily basis.

Interview by A.F, Digital Development and Events Manager at Inforca, with Matthieu, fullstack/cybersecurity developer at Inforca.