What does a regular working day look like for you?
Our Red Team is a small team of 9 people, and our mission is to simulate an adversary and test our clients’ applications, networks and systems in order to assess their security posture. Our activities include for instance web application penetration testing, working on active directory assessment, performing compliance tests, and preparing a phishing campaign. A project usually lasts between 3 and 20 days, so it is always a short cycle, and that is what makes my job dynamic – in 1 month, I can work on 5 different projects.
Within a project, there is always more or less the same timeline. It starts with a preparation phase, followed by the activity itself, where we for instance are given a website and we try to find its vulnerabilities. After, there is a reporting phase in which we explain what is problematic in the system, compute a severity score for each issue, and provide recommendations. The goal is then for the client to, based on this report, solve the problems raised so they can increase their security level. This way, it will be harder for hackers to break into their system.
The end goal is to make our client’s system more secure, and therefore also contribute to a more secure digital world. “It is impossible to find everything, and there will probably always be a gap that you are missing in the system, but we try to be as complete as we can. By repeating this kind of tests continuously, you can tend to secure systems as much as possible”.
What are the most important qualities for a Security Engineer?
I would say my job is quite technical, so it is important to have some security skills, but you should also be able to see the bigger picture and understand how a website or network works. In terms of soft skills, I believe communication, both with your client and team, is very important.
What projects are you currently working on?
I just finished a Static Application Security Testing (SAST) project in which we analysed the source code from our client to identify vulnerabilities. I also just finished a web application test, in which we tried to find out what is problematic from a security point of view in the client’s website. I am currently working on a phishing campaign. In this campaign, we created a phishing email from scratch, sent it out to our client’s employees, and monitored how many people opened the email and clicked on the links. Then, we shared some awareness material with them to inform people about the risks of phishing. Afterwards we will send out a second email to see if these trainings helped.
Fun fact
If Stéphanie could switch jobs for one day, she would like to have a job in the Communications team, because she believes this is a dynamic job in which she would be in touch with a lot of different people. Also, she could help organising cool events, like a sports tournament, a women-only lunch, or employee testimonials.
Were you always part of the Red Team?
I started working in Sopra Steria’s Blue Team in September 2021. This team is also called the SOC Team or the Security Operation Center and is responsible for protecting and monitoring the security of some of Sopra Steria’s clients. When there is an alert, to the SOC members must investigate it, evaluate the severity and inform the right people or take further actions. At the same time, I worked on a development project in the Sopra Steria Toulouse team, where we developed a tool that aims to automate the tasks of Blue/SOC Team.
What do you like about Sopra Steria’s culture?
When I applied to Sopra Steria, I could feel that the company is very human, and this was important to me because I didn't want to join a huge company where you are treated like a number. Everyone in the HR team was nice, and I could feel that they were trying to find out if there was a match between me and the company, more than just selling Sopra Steria as a company.
Now that I work here, I can say that there is a nice and peaceful atmosphere, and I can always ask help to anyone. I have a good work-life balance, there is not a lot of pressure from management, and no one is telling me when to start or end my day. We are free in our projects and in how we are organising our day. If you want to, and you take the initiative, you can also change teams or activities. Red and Blue team members are young, and we have a lot of fun at work or outside of work.
Fun fact
If Sopra Steria was an animal, Stéphanie thinks it would be an entire zoo, because 1 animal is too restrictive. There would for sure be an elephant in the zoo, that represents our big projects in the Public Sector, like i-Police for example. Also, there would be a bonobo because this animal lives in an inclusive group where women also have their place, and this is also the case at Sopra Steria. And then there is also a polar bear that represents the caring aspect of Sopra Steria and the peaceful atmosphere.