“Life at ForAllSecure” is a Q&A series dedicated to our growing company.
For this month’s profile, we talked with Alex Brewer, Technical Solutions Engineer at ForAllSecure, who joined the company in November, 2020 and is based out of New York City.
As part of the customer success team, my job is to ensure our customers are successful with Mayhem. A lot of what I do involves understanding customer problems, anticipating the questions they’ll have about Mayhem, helping them get more value out of the features, and helping them help them integrate Mayhem into their development process. That involves me creating product enhancements with engineering. Sometimes, that'll involve me coming up with my own solution and delivering it to the customer.
Another piece of my job is outreach and education. I do a lot of presentations on Mayhem, as well as security education in general. For example, I was at API World last year doing a talk about API security, and I deliver a lot of the hackathons we’ve been doing at universities in our Mayhem Heroes program.
I graduated from Boston University in 2015 with a double degree in computer science and music. Out of college, I started working for a large application security company. At the time, they were really focusing on their flagship static analysis product. I started there as a Support Engineer, doing technical support, handling tickets, and responding to customers.
I think support gets kind of a bad rap because people think you're just responding to tickets, but it's actually a really interesting job. While everyone else in the company tries to figure out how the product works and how it can best work with the customer, support has to figure out how the product doesn't work. I have a lot of respect for people who do support, because customers come at you with really confusing problems, and you have to try and figure them out. As a person who loves solving problems, that was really enjoyable for me.
So, I worked as a Support Engineer for a couple years until we opened up an office in Japan. I used to live over there, so they asked me if I wanted to go live there for a little while and build up the customer success team. So, I spent about six months in Tokyo building the CS team, translating materials, hiring people, reading resumes—and everything was in Japanese, which was fun. It was challenging, because I speak Japanese but definitely not business Japanese or technical Japanese. And so having to learn all the lingo and vernacular was challenging, but I did that for a while.
When I came back to the US, they asked me if I wanted to stay on customer success, so I transitioned from support into customer success and did that for several years, which involved a lot more traveling for me and a lot more on-sites. Support is pretty much all remote, but with customer success I was doing deployments and onboarding people. So, I traveled a lot around the US.
During the pandemic, I decided to move to ForAllSecure for a couple different reasons, mainly just to have more flexibility. Working at a startup, you kind of have a little bit more power, a little bit more leeway in your own role. You're able to interact with more roles, like being able to interact directly with the engineering team here is great. So I moved here, and I guess here I am.
I'm sure you probably hear this a lot, but there's no typical day. But I can tell you what generally happens throughout the week and we can try to average everything out to what a typical day would look like.
I have several customer sync calls that are either weekly, biweekly, or monthly. Those are usually priority number one for me. In those calls, we talk with the customer and go over our project plan, ask them how they're doing, ask them if there are any improvements we could make or any problems they’re running into and if there are, we address those.
Outside of those customer calls, I have lots of internal calls with the team just to make sure that we’re meeting customer needs, for example strategizing around larger accounts.
Beyond that, I work on developing trainings and content for our educational programs. Every now and again, I travel to either universities or to conferences and deliver those talks and trainings.
I also occasionally work on proof of concepts for customers. For example, if a customer says, “I really want to fuzz this particular target” or “I really want to understand what it looks like to integrate with this particular tool”, I might be spending some time developing those integrations.
I would say the Mayhem Heroes project is pretty rewarding. I basically get to travel to universities around the US and teach students about software security.
A lot of what universities teach about software security is policy. And so, students will learn about policy, and then they'll go try to get a job. In interviews, they’ll be asked if they know static analysis, dynamic analysis, or pen testing, and they're like, “I don't know. I've never even heard of that.” Or “I've heard of that, but I don't know how to do it,” They might know that the policy says “thou shalt do XYZ”, but not how to do it, or what it looks like, or what it even means.
And so, we go to universities and we provide students with hands-on experience. We give them some vulnerable code or some vulnerable programs and say “let's break them”. And we see why they broke and figure out what's happening under the hood. It's really rewarding for me to teach people these skills and see them get really excited about breaking stuff and finding vulnerabilities.
After these workshops, people go scour through open source projects and find real issues. Last year, Mayhem was integrated into over 1400 open source projects, and 9 CVEs were found. We've been filing CVEs from actual projects on GitHub and other places just because people who attended our workshops fuzzed those projects and found defects. All of this is making software safer and more secure. So yeah, I think that's a pretty cool project.
There are a couple of things. One is a bit of a nuanced answer, because It works for me but it might not work for everyone. I would say that not staying in one place motivates me. With remote work, I think it's a lot easier to do. I live in New York, so there's lots of cool places to be that aren't my tiny little basement apartment, like cafes and shops where you can sit down with your laptop and work. Or, I really like to go to the library, where everyone's sitting there and working. Even if they're not my coworkers, being in an environment where everyone's working hard on something is really nice.
Another motivator for me is knowing that anything that takes a lot of time also takes a very short amount of time. There’s a huge mental aspect to starting on projects, but if you just start doing little pieces of them, then it's not so bad. Every big project has components that are small.
A big one is my confidence in customer-facing contexts has grown. I've always been customer-facing, ever since I started in a customer success role five or six years ago, but being on calls with the government or with giant companies, when they're looking to you for help—you have to be confident that you can help them.
I feel that I am able to hop onto a call, even when I don't know who the prospect is, and help them out and understand their needs. I don't worry about what they're going to say, because everyone out here is just trying to make sure that their software is a little bit safer.
I’m able to say,”I know how I can help you with that, because I've seen this problem before. I've worked with someone else who's had the same problem before.”
I think our People team does a great job making sure that we have time to connect with each other. Being a mostly remote company, it can be hard to feel connected, but I think we do a really good job of having social events and company-wide meetings where we're able to stay connected and talk about things that aren't work, and to just kind of have fun with each other.
I also think that we really embody the growth mindset. Our engineering team is one of the best I've ever worked with. They are constantly pushing the boundaries. Whenever there's a problem or whenever we're struggling, they’re right there ready to fix it. They're ready to figure out ways to make the product better. They never complain that we're running into too many problems or say that we should stop asking for improvements, even though, as busy as they are, it’d be really easy for them to say they don’t have time to handle stuff like that.
In my experience of other companies, especially larger companies, when you bring up issues with the product or how things work, it can get lost in a void. So, to be able to hear directly from our VP of engineering that something is a problem and is getting fixed is really nice.
Even in middle school and high school, I would mess with the school computers and see the ways that I could break things. Obviously, you do that because you're an obnoxious little kid and you're just trying to break stuff. But as you get older, you realize that it's actually a problem.
You would think that software that schools around the world—or our government, or huge software companies, or financial institutions—have access to isn’t something you need to worry about breaking. But the fact is that you do need to worry.
I think the part of our mission that I connect with is understanding that we're all kind of in this software ecosystem together. We're really big on open source here. Yes, we’re a company. We need to sell things to exist as a company. But at the same time, that's not really what it's about. The point of what we’re doing is to make sure that our software ecosystem is safe, so that you and I and everyone else, when we interact with software, have a little bit more confidence that it's going to work the way it's supposed to.
Customer success roles are everywhere. If you’re just looking for a customer success role, and it doesn't have to be in software security or for a software company, I don't think that's a tough thing to get into if that’s what you’re passionate about.
If you're focused specifically on customer success for software security, I think one of the best ways to really get involved in the security community is to start with open source. It's free. You go on GitHub, you start. You can download free software testing tools, and you can start forking repositories and running tests on things and seeing what breaks. Then make sure you responsibly disclose issues. Say, “Hey, I found this issue. I think this should be fixed.”
If you go out there and you're finding and reporting issues, it's very easy to use that when looking for a job. Put that on your resume and say, “I found XYZ issues. I reported and responsibly disclosed these things, and they got fixed.” Or maybe take part in developing a software reporting tool or open source reporting tools, things like that that people are using. That's a great way to get involved.
That's a tough one. I'm a very busy person. I'm slowly working through a master's degree, so I don't really have a lot of time outside of work to do fun things. But when I do, I’m part of a few different groups.
I’m part of a spoken-word poetry group. I help run workshops and do things like that. Here in New York, there's a couple of hip hop freestyle cypher groups, where people get together and freestyle for like three hours straight. I do that. We're actually working on a mixtape right now.
And then, I play a lot of my own music. I perform at open mics. I play various instruments and sing for a church here in the city.
I have hearing loss, so I'm really interested in hearing technology. I learned in the past month that, with a lot of effort, you can actually program your own hearing aids. You don't have to go to an audiologist or a doctor to do it. You just buy the link, and you can download the software. And if you're smart, you can figure out how to apply the right filters.
It's always been very frustrating for me that hearing aids sound like absolute trash. They're just horrible. I’ve been learning different ways to filter audio to make it a little bit more listenable, especially for musicians, because a lot of hearing aids are designed for speech and they're not designed for music. So that's one of the other things I do outside of my job. I do a lot of research around that.
I have a vermicompost in my apartment, which is just a bunch of worms in a little box. Whenever I'm making dinner, I’ll cut the end off my broccoli or whatever and throw it in there, and they love it. I've been doing that for about two years now.
They make the food into soil, so I've got multiple tiers. I've got some plants outside, and a couple plants in my window. Every five or six months, I switch the two bins out and put the worms and all the existing compost on the top. Everything filters through, so you get soil and compost and to put on the plants. So, yeah, I have pet worms, I guess.
Thank you for subscribing!