Experiences

Google

Since 2020: Cloud Detection & Response

I built and run the team that detects external threats targeting Google Cloud.

GCP is a planet-wide cloud infrastructure that powers millions of projects across hundreds of thousands of customers. It is constantly under attack from adversaries ranging from script kiddies to state actors. I am responsible for building the layers of threat detection that identify malicious activity across GCP and stop it from spreading.

  • Created and executed on the multi-year cloud detection strategy and roadmap for GCP and Alphabet
  • Aligned detection & response with GCP's top goals of providing the most secure cloud, partnered with VPs and GMs on funding and reporting
  • Grew the team 5x in 3 years, led hiring across North America and Australia, grew managers and senior ICs to support team expansion
  • Established engineering velocity for planet-wide threat detection pipelines processing hundreds of rules across exabytes of logs
  • Sustained operational efficiency on first-level alert triaging and escalation in a 24/7 follow-the-sun setting
  • Converted a local team to a fully remote team distributed across North America, and created a new office location for a sub-team

Mozilla

2015 - 2020: Head of Security, Firefox Services

Created the Operations Security team to address risks across the Firefox infrastructure with a strong focus on collaboration with engineering groups (~300 people across dozens of projects, including Firefox) and integration of security into the SDLC. Promoted DevOps security principles across operational groups, and built tools to accelerate security testing in CI/CD. The result of this work has been captured in Securing DevOps, published at Manning in 2018.

In this role, I reported to the board on the security posture of the organization, owned product and services security, managed risks across dozens of applications and several cloud providers and set the security roadmap for cloud services and release engineering of Firefox.

My team was also responsible for incident response across the Firefox infrastructure, and for engineering software and services that hardened defenses and increased product resistance to attacks (eg. fraud detection, code signing, secrets management, etc.).

As an engineer, I built the code signing backend, the TLS auditing service, the secrets management platform and a number of internal tools. I also acted as a security architect on all new projects, to shape engineering designs and follow security standards.

Inside Mozilla, I co-owned the bug bounty program, and sat on the security council to help coordinate security efforts across the organization.

Achievements

  • Built and grew a DevSecOps team from the ground up, covering secops, appsec, red team and metrics.
  • Owned security for 100+ cloud services, serving 300M+ Firefox users
  • Executed on a multi-year strategy to mature security operations, reduce incidents, and ship products with high security by default
  • Created a metrics program to measure maturity, impact and report security KPIs to leadership
  • Grew a remote team of ~12 engineers, distributed across North America and Europe
  • Defined, implemented and ran security sensitive services: fraud detection, cryptographic signing, etc.
  • Set the standard for security integration into the SDLC, from early reviews to testing, audits, and end-of-life management
  • Supported various infrastructure environments (AWS, GCP, datacenters) and ever-evolving application stacks

Software

  • Autograph: Mozilla's digital signature service, used to sign Firefox, add-ons & web extensions and many internal apps. Autograph is the service layer that provides cryptographic signers, often implemented as separate packages such as Renard, Margo or PKCS7.
  • TLS Observatory: An observatory for TLS configurations, X509 certificates, and more. I wrote supporting tools like cipherscan.
  • SOPS: A secrets configuration manager that allows ops teams to encrypt, provision & decrypt their YAML/JSON files with cloud provider KMSes.
  • MIG (Mozilla InvestiGator): (archived) Real-time endpoint security platform composed of agents installed on all systems of an infrastructure, which can be queried to investigate the file systems, network state, memory or configuration of endpoints.

Public Speaking

Cloudskills podcast episode 070: Securing DevOps in the Cloud
Testguild podcast: Securing DevOps: Security in the Cloud with Julien Vehent
2018 - Securing Devops - AppSec Podcast
2018 - Modern Web Application Security - BSides Tampa 2018
2018 - Protecting Firefox Data with Content Signature - Enigma 2018
2017 - Securing Your Websites - DevFestFlorida 2017, Orlando, FL
2017 - Test Driven Security in the DevOps Pipeline - AppSecUSA 2017, Orlando, FL
2017 - Test Driven Security in Continuous Integration - Enigma 2017, San Francisco, CA
2017 - Episode Hors Série sur DevOps - NoLimitSecu Podcast (FR)
2016 - Continuous Security in the DevOps world - RMLLSec, Paris, France


2013 - 2015: Security Engineer

  • Mozilla InvestiGator (MIG): Creator & lead developer. MIG is a platform to perform investigative surgery on remote endpoints. It enables investigators to obtain information from large numbers of systems in parallel, thus accelerating investigation of incidents and day-to-day operations security. I created, deployed and operated MIG across several thousand servers at Mozilla.
  • Application Security: all things that speak HTTP (1 or 2). Helped projects integrate cryptography, access control, integrity and high availability in web applications. Assessed and reviewed the security of web apps and APIs: XSS, CSRF, SQLi, etc.
  • AWS Security: help operational teams design and run secure platforms in AWS (EC2, VPC, RDS, S3, Route53, and so on).
  • Risk and Security Review: co-designed Mozilla's Rapid Risk Assessment (RRA) framework, used across the organization to evaluate the risks of products and services.

Public Speaking

2016 - Mozilla InvestiGator: Investigate 1,000 endpoints in 10s - OSDFCon, Washington, DC


2016 - Investigate 1,000 endpoints in 10s with Mozilla Investigator - RMLLSec, Paris, France
2016 - Mozilla InvestiGator: Distributed and Real-Time Digital Forensics at the Speed of the Cloud - Security Bsides, Tampa, FL
2015 - Mozilla InvestiGator: Distributed and Real-Time Digital Forensics at the Speed of the Cloud - USENIX LISA15, Washington, DC
2015 - Mozilla InvestiGator: Distributed and Real-Time Digital Forensics at the Speed of the Cloud - SANS DFIR Summit, Austin, TX
2015 - Mozilla InvestiGator: Distributed and Real-Time Digital Forensics at the Speed of the Cloud - HITB Conference, Amsterdam, NL
2014 - SSL/TLS for the Pragmatic - Bucks County DevOps, New Hope, PA

AWeber.com

2011 - 2013: Systems & Security Architect

AWeber is an email marketing service provider for small businesses worldwide. I designed and implemented the security of AWeber's web stack.

  • Opscode Chef: authored security & web architecture provisioning scripts for Opscode Chef, in Ruby (Advanced FireWall (AFW), Ossec, Keymaster, ...).
  • Web infrastructure: designed highly available infrastructure using load balancing with Haproxy, Nginx, Varnish, etc.
  • Core Networking: Lead architect on the redesign of the OSPF/BGP/VPN edge network. Replaced outdated Cisco routers with 10Gbps Linux routers running OSPF/BGP with Quagga, OpenVPN, Keepalived and Conntrackd.
  • Sysadmin: Participated in day-to-day operations. Systems & network management, datacenter operations and KVM hypervisors. Level 2 on-call rotation.
  • HIDS: Deployment and maintenance of OSSEC for systems security monitoring
  • GeoIP: Developed and implemented a set of geolocation algorithms, in Python, to detect suspicious activities.
  • Pentests: Internal/external pentests (arachni, nmap, metasploit, ...)
  • Education: Prepared and taught security & automation classes internally.

Public Speaking

2013 - AFW: Firewalling dynamic infrastructures with Chef and Netfilter - Netfilter Workshop 2013 / Open Source Days in Copenhagen, Denmark

2012 - AFW: Firewalling dynamic infrastructures with Chef and Netfilter - Security BSides Delaware 2012
2012 - Workshop: Advanced Netfilter & Iptables - Fosscon Philadelphia

The goal of the workshop is to demonstrate how netfilter, iptables, ipset and other tools available in Linux can be used to build complex firewall policies for dynamic environments. I mentioned, at the end, some of the work I've done with Chef and the AFW cookbook.

2012 - Netfilter & Iptables Elements - AWeber Communications
2012 - Certificates & Public Key Infrastructures - AWeber Communications


2011 - Qos & Traffic Control in the Linux Kernel - Philadelphia Linux User Group (PLUG)

This is a compressed version of my QoS article, rewritten and improved with the latest work on Bufferbloat, and some items from Comcast Residential DSL.

Greenlink Networks

2011: Cloud Engineer

Greenlink Networks was a startup that provided rewards programs for local businesses and TV stations. I was in charge of building a bigger, faster and more reliable hosting infrastructure for the 30+ websites of the company. This is where I first adopted AWS, back in 2011 when it wasn't nearly as complete as it is today.

  • Support 24/7 operations of the web platform. As GLN was a small shop, I was the on-call sysadmin, DBA, QA and sometimes developer all at once.
  • Transform the single node, Java based, web platform into a load balanced cluster.
  • Handle the migration of all components to AWS: websites (java) and database (oracle).
  • Maintain the production and corporate infrastructure on a day-to-day basis.

Axians

2008 to 2010: Security Consultant

Information and Web Security Consultant for banks and financial institutions in the Paris area.

2010: Web Security Engineer at La Banque Postale

Member of the Architecture team: web front-end security, cryptography, strengthening of ebanking operations.

  • eBanking security: Access control, system and network partitioning, performance
  • J2EE security: SSL/TLS, IBM IHS, WAS 6, MQ and Web Services cryptography
  • Security assessments and risks analysis

2009: IT Security Engineer at ALD International

Member of the Security team: BCM development and testing, IT Disaster Recovery Plan (40+ locations worldwide and 2 datacenters).

  • Develop BCM methodology and define Business/IT priorities
  • Design IT recovery architectures
  • Run BCP tests and evaluate reaction capabilities

2008: Web Security Engineer at Societe Generale

eBanking architecture team: web front-end security and performance, cryptography usage in applications and communications, security audit.

  • eBanking security: Access control, log auditing, performance
  • Security measures: SSL/TLS on J2EE, Weblogic, HAproxy
  • Qualys security audits, firewall rules management

University of Maryland

2007: Research Engineer

Engineered a TCP/UDP proxy in C on Linux 2.6 for connection redirection inside honeypot networks.

Honeybrid is an intelligent network proxy that stands in front of a farm of honeypots and redirects connections from low-interaction to high-interaction honeypots. This work was completed at the University of Maryland in the summer of 2007 as part of my Master's thesis.

In the team of Dr. Michel Cukier at the Center for Risk and Reliability.

  • Research: Study of network attacks targeting Linux and Microsoft systems in honeypot environments
  • Design: software engineering using UML specification
  • Coding: C on Linux (TCP stack, B-tree based Decision engine)

Note: this project still lives on SourceForge under the name Honeybrid.

MAAF Assurances

Summer 2006: Intern Assistant to the Chief Security Officer

Member of the Information System team: Perl programming for security log processing, application of the privacy protection law.

  • Development of a Perl software to supervise antivirus solutions (Norton,
  • Compliance of the information system with the privacy protection law

Microgate

2005: Sysadmin

Architecture design and maintenance of the email infrastructure.

  • Migration of the Email infrastructure to Linux/Postfix/Cyrus
  • Integrated PKI (OpenSSL) and LDAP Directory (OpenLDAP)
  • Design of a Site to Site interconnection with OpenVPN

URSSAF

2002 to 2004: part-time helpdesk

French agency for the social security system funding, Tours, France

Helpdesk and Administration/Maintenance of Windows NT/2000 based networks

Education

2007: Master in Information Security Management - University of Poitiers, France

Honor: Summa Cum Laude

2005: Bachelor in Telecommunications Security - University of Tours, France

2004: Brevet de Technicien Superieur en Informatique de Gestion - ISCB of Tours, France

Option System and Network Administrator.
The program was half-time in class and half-time in a professional position at URSSAF.

Writing

Securing DevOps: Safe services in the Cloud

Manning Publications - ISBN 9781617294136

Securing DevOps is my first book. It explores how the techniques of DevOps and Security should be applied together to make cloud services safer. The book is written for a technical audience of administrators, operators and security engineers who are tasked with keeping their customers data safe. Securing DevOps reviews state of the art practices used in securing web applications and their infrastructure, and teaches techniques to integrate security directly into the product.

DevOps: nuageux, avec chance de securite - MISC 88 - November 2016

An overview of security techniques in DevOps through the eyes of a fictional French startup.

Mozilla InvestiGator: Quand vos serveurs se prennent pour Sherlock Holmes - MISC HS 11 - May 2015

A presentation of MIG through three short stories of security investigations.

A state-of-the-art of SSL/TLS Server Side - MISC Magazine - March 2014

This article is an overview of the security of SSL/TLS, the challenges in selecting ciphers and certificates, and the state of transport security in general.

Mozilla Server Side TLS guidelines

The Operations Security (OpSec) team maintains this document as a reference guide to navigate the TLS landscape. It contains information on TLS protocols, known issues and vulnerabilities, configuration examples and testing tools.

Postfix Postscreen: The Zombie Exterminator - GNU/Linux Magazine #147 - April 2012

A tour of Postscreen, the zombie blocker integrated into Postfix 2.8. I also used this article as an opportunity to develop Postscreen-stats, a Python script that parses the Postscreen logs in an intelligent way.

Web Development with Perl and Mojolicious - GNU/Linux Magazine #138 - May 2011

Introduction to the Mojolicious framework through the development of a simple URL shortener.

Fighting Spam with DSPAM - GNU/Linux Magazine #132 - November 2010

QoS and Traffic Control in the Linux Kernel - GNU/Linux Magazine #127 - May 2010

Description of the QoS layer of the Linux kernel. The article covers the description of the shaping algorithms, the definition of a QoS policy with implementation examples and the set up of RRDtool graphs using Perl.

DKIM Email signature and verification with DKIMProxy - GNU/Linux Magazine #125 - March 2010

Article describing the DKIM protocol, its implementation in DKIMProxy and the deployment of a DKIM infrastructure using Debian, Postfix and BIND 9.