Julien Vehent

Google

Since 2020: Cloud Detection & Response

I built and run the team that protects Google Cloud from threats. We catch bad actors in the Cloud to keep GCP customers safe.

GCP is a planet-wide cloud infrastructure that powers millions of projects across hundreds of thousands of customers. It is constantly under attack from attackers ranging from inexperienced script kiddies to sophisticated state actors. I am responsible for building the layers of threat detection that identify malicious activity across GCP, to stop threats from spreading.

• Created and executed the multi-year threat detection strategy of GCP
• Aligned detection & response with GCP's top goals of providing the most secure cloud, partnered with VPs and GMs on funding and reporting
• Established engineering velocity for planet-wide threat detection pipelines processing thousands of rules across exabytes of logs
• Sustained security investigations operational efficiency in 24/7 follow-the-sun setting
• Grew the team by 500% in 3 years, hired across North America and Australia, grew managers and senior ICs to support team expansion. Managed ~30 reports across 3 continents

Public Speaking

• Modern Threat Detection at Google
• Teleport Access Control podcast - Practical advice for securing the cloud

Mozilla

2015 - 2020: Head of Security, Firefox Services

Formed and ran the Cloud Security team of the Firefox infrastructure to grow security posture with a strong focus on collaboration with product teams (~300 people across dozens of projects, including Firefox) and integration of security into the SDLC. Promoted DevOps security principles across operational groups, and built tools to accelerate security testing in CI/CD. The result of this work has been captured in my book "Securing DevOps", published at Manning in 2018.

In this role, I reported to the board on the security posture of the organization, owned product and services security, managed risks across dozens of applications and several cloud providers and set the security roadmap for cloud services and release engineering of Firefox.

My team was also responsible for incident response across the Firefox infrastructure, and for engineering software and services that hardened defenses and increased product resistance to attacks (eg. fraud detection, code signing, secrets management, etc.).

As an engineer, I built the code signing backend of Firefox, the TLS auditing service, the secrets management platform and a number of internal tools. I also acted as a technical security lead on many new products, to shape engineering designs and follow security standards.

Inside Mozilla, I co-owned the bug bounty program, and sat on the security council to coordinate security efforts across the organization.

Achievements

• Built and grew a DevSecOps team from the ground up, covering secops, appsec, red team and metrics.
• Owned security for 100+ cloud services, serving 300M+ Firefox users
• Executed on a multi-year strategy to mature security operations, reduce incidents, and ship products with high security by default
• Created a metrics program to measure maturity, impact and report security KPIs to leadership
• Grew a remote team of ~12 engineers, distributed across North America and Europe
• Defined, implemented and ran security sensitive services: fraud detection, cryptographic signing, etc.
• Set the standard for security integration into the SDLC, from early reviews to testing, audits, and end-of-life management
• Supported various infrastructure environment (AWS, GCP, datacenters) and always evolving application stacks

Software

• Autograph: Mozilla's digital signature service, used to sign Firefox, add-ons & web extensions and many internal apps. Autograph is the service layer that provide cryptographic signers often implemented as separate packages, such as Renard, Margo or PKCS7.
• TLS Observatory: An observatory for TLS configurations, X509 certificates, and more. I wrote supporting tools like cipherscan.
• SOPS: Secrets configuration managers that allows ops teams to encrypt, provision & decrypt their YAML/JSON files with cloud provider KMSs.
• MIG (Mozilla InvestiGator): (archived) Real-time endpoints security platform composed of agents installed on all systems of an infrastructure that are be queried to investigate the file-systems, network state, memory or configuration of endpoints.

Public Speaking

• Cloudskills podcast episode 070: Securing DevOps in the Cloud
• Testguild podcast: Securing DevOps: Security in the Cloud with Julien Vehent
• 2018 - Securing Devops - AppSec Podcast
• 2018 - Modern Web Application Security - BSides Tampa 2018
• 2018 - Protecting Firefox Data with Content Signature - Enigma 2018
• 2017 - Securing Your Websites - DevFestFlorida 2017, Orlando, FL
• 2017 - Test Driven Security in the DevOps Pipeline - AppSecUSA 2017, Orlando, FL
• 2017 - Test Driven Security in Continuous Integration - Enigma 2017, San Francisco, CA
• 2017 - Episode Hors Série sur DevOps -NoLimitSecu Podcast (FR)
• 2016 - Continuous Security in the DevOps world - RMLLSec, Paris, France

link to slides

2013 - 2015: Security Engineer

• Mozilla Investigator (MIG): Creator & Lead developer. MIG is a platform to perform investigative surgery on remote endpoints. It enables investigators to obtain information from large numbers of systems in parallel, thus accelerating investigation of incidents and day-to-day operations security. I created, deployed and operate MIG across several thousands servers at Mozilla.
• Application Security: all things that speak HTTP (1 or 2). Help projects integrate cryptography, access control, integrity and high availability in web applications. Assess and review the security of webapps and API: XSS, CSRF, SQLi, etc...
• AWS Security: help operational teams design and run secure platforms in AWS (EC2, VPC, RDS, S3, Route53, and so on).
• Risk and Security Review: co-designed Mozilla's Rapid Risk Assessment (RRA) framework, used across the organization to evaluate the risks of products and services.

AWeber.com

2011 - 2013: Systems & Security Engineer

AWeber is an email marketing service provider for small businesses worldwide. I designed and implemented the security of AWeber's web stack.

• Opscode Chef: authored security & web architecture provisioning scripts for Opscode Chef, in Ruby (Advanced FireWall (AFW), Ossec, Keymaster, ...).
• Web infrastructure: designed highly available infrastructure using load balancing with Haproxy, Nginx, Varnish, etc.
• Core Networking: lead architect on the redesign of the OSPF/BGP/VPN edge network. Replaced outdated Cisco routers with 10Gbps Linux routers. OSPF/BGP with Quagga, Openvpn, Keepalived, Conntrackd.
• Sysadmin: participate in day to day operations. Systems & network management, datacenter operations and KVM hypervisors. Level 2 on-call rotation.
• HIDS: deployment/maintenance of OSSEC for systems security monitoring
• GeoIP: developped and implemented a set of geolocation algorithms, in Python, to detect suspicious activities.
• Pentests: internal/external pentests (arachni, nmap, metasploit, ...)
• Education: Prepared and taugh security & automation classes internally.

Public Speaking

• 2013 - AFW: Firewalling dynamic infrastructures with Chef and Netfilter - Netfilter Workshop 2013 / Open Source Days in Copenhagen, Denmark
.

• 2012 - AFW: Firewalling dynamic infrastructures with Chef and Netfilter - Security BSides Delaware 2012
• 2012 - Workshop: Advanced Netfilter & Iptables - Fosscon Philadelphia. The goal of the workshop was to demonstrate how netfilter, iptables, ipset and other tools available in Linux, can be used to build complex firewall policies for dynamic environments. I mentionned, at the end, some of the work i've done with Chef and the AFW cookbook. The slides are here.
• 2012 - Netfilter & Iptables Elements - AWeber Communications
• 2012 - Certificates & Public Key Infrastructures - AWeber Communications. The slides are here.
• 2011 - Qos & Traffic Control in the Linux Kernel - Philadelphia Linux User Group (PLUG). This is a compressed version of my QoS article, rewritten and improved with the latest work on Bufferbloat, and some item from Comcast Residential DSL. The slides are here.