Title: Senior Information Security Engineer
Who am I?
I am the person who stays up to date with all of the relevant security issues that face both our company infrastructure and our customers’ needs.
My work history before joining Pagely included work with security, hosting, data center providers, development, and as a vulnerability researcher. Working as a researcher I reported a number of vulnerabilities, including some in WordPress and WordPress plugins. More pertinently, I held the head of security title at a large hosting provider, where I built out infrastructure that did network-wide monitoring and prevention of attacks, as well as building a set of tools that protected and secured websites.
I also periodically give public presentations, and have graced the stage at dozens of conferences across the globe, atypically covering topics I personally enjoy pouring hours of my personal time into researching: security, privacy and legal history. I’ve presented on these topics at various conferences all over the world since 2010.
What I do at Pagely
My typical work day at Pagely begins with helping customers, primarily customers who need help with security compliance requirements or, in the unfortunate event our security monitoring is reporting signs of compromise, need their site cleaned up. For the latter I begin working on cleaning up the site and investigating the source, eventually compiling the information found to notify the site owner and let them know about the compromise, what we did to clean up, and what they need to do to have it not happen again. Of course, cleaning up hacked sites isn’t nearly as fun as it sounds, which is why after helping customers I switch gears to work on the Pagely security infrastructure needs.
Using the information learned from customer compromises, I build preventative measures with the goal that those same attacks won’t work on other customer sites, be it implementing a new WAF (web application firewall) rule, putting together new tools/utilities, or getting personal. What do I mean by getting personal? Well, not everything gets fixed in code; sometimes you’ve got to raise awareness, be it a blog post, communicating directly with the developers, or compiling knowledge and presenting it publicly. You can see my blog posts here. Behind the scenes I have been contacting and working with multiple plugin authors to patch insecurities in their plugins’ code, and just this past weekend I spoke about security at WordCamp Bangkok.
Luckily, the above is not too common and doesn’t take up all of my time. Most days I’m not presented with unknown vulnerabilities in WordPress or having to speak publicly, but instead I stay abreast of the current security trends and validate that our infrastructure and organizational security are up to date: patching servers, implementing new technology to improve security, and meeting with our other team members to ensure any questions or concerns on security they may have are met. That means helping Sean Tierney with his security concerns while he travels with remoteyear, chatting with DevOps and Arman Zakaryan about any new threats, or having a little fun and teaching everyone here (except Michael M) how to pick locks at the last team meeting (not a required job skill, but a fun way to explain security concepts).