Blogs · 5 min · January 25, 2023
It's always daunting moving jobs. In this post, Chris Townsend shares insights into his first month as a Senior Software Engineer at Form3. He talks us through his reasons for joining, the interview process and his onboarding experience, as well as what his future career aspirations are.
It all started when a recruiter from Form3 contacted me on LinkedIn about 12 months before I started. I wasn't looking for a new role at the time. I was working in Lisbon and enjoying the project I was working on. They wished me luck with my project and told me to reach out if my situation changed.
Six months on from that first conversation, I'd seen Form3 blogs and sponsorship at GopherCon and had become a fan of the Form3 Tech podcast. I'd developed a hunger to find out more. The tech culture was something that was very important to me, and seeing Form3 making ground in the payments world piqued my interest. So I reached out to Form3 to find out more.
It all started with an informal chat with a Form3 recruiter over Zoom, which was super easy to schedule as they use a calendar booking service. The recruiter was also very open with salary banding from the very start; this no-nonsense transparency was really attractive to me.
During the informal chat, I heard about Form3, what they did, and the tech stack, and was pointed to the engineering website. I was asked questions about my background; they complimented any experience that would match up well with working at Form3, but also reassured me about the tech I was less skilled with. It all went well, so I was then sent the Form3 tech test.
The next step was the tech test task. You can check out the task I was assigned here. Even if you are not familiar with using Go, the team reviewing your test will take this into account.
The interview I was part of had 3 parts:
Everyone I met during the interview was friendly. It never felt like a question and then answer situation; it was more of a flowing conversation.
The interview was great because I got to learn lots about Form3, how they work, and get to know some people I would work with. It gave me insight into the engineering culture and the interesting problems engineers face here. When I received my offer to join, it was precisely the offer that was communicated to me at the start of the process, and with everything I had learnt about Form3, I was very happy to accept.
There is a lot to cover in my first few weeks, but I'll try to cover as much as I can here. If you do have any questions, then please feel free to reach out to me on LinkedIn.
My equipment was actually delivered a couple of weeks before my first day, which gave me plenty of time to use my work from home setup allowance.
Form3 takes security very seriously, so there are some procedures to follow. Everything was very easy to set up. Although Form3 has a very high security standard, I don't feel restricted in any way.
On my first day, I met my Team Lead, who helped me get started with my onboarding and answered all the questions I had. The first real task was getting my GitHub account set up, so I could access all the onboarding material and documentation managed by the engineers. Form3 practises what they preach about infrastructure as code, so this is all done via Terraform. Once this is all provisioned, you are ready to go 🚀.
Slack is the main instant communication tool. I was added to all my team's channels, and I also took the time to check out the social channels. I'm now a proud member of:
I spent the rest of the day configuring the IDE, terminal, and zsh, as well as reading the first sections of the onboarding guide documentation.
In my first few weeks, I had a number of meetings to introduce areas of Form3. These meetings consisted of
All of these meetings lasted an hour or less and were informal. The hosts were always open for questions throughout, and I learned a lot. I was particularly impressed with the product team and how well they know their markets.
We like to pair at Form3, so I would pair most days with my onboarding buddy when I wasn't following the onboarding plan. I was shown a huge amount of patience and understanding for my 100+ questions about engineering at Form3.
By pairing, I was able to get started very quickly on a ticket. My buddy was doing most of the driving, but I was able to contribute to the feature. At Form3, we have a bunch of tooling to make an engineer's life a bit easier, so pairing is streamlined by these tools.
Every week my team run demo sessions. These are a place where we can talk about the code we have merged, run through our integration test cases to ensure we covered the acceptance criteria on our tickets, and perform a live demo of the feature. I've really enjoyed our demos, as they give insight into what other work is being done in the sub-teams, and a chance to really test your feature. Features are very specific and are usually associated with happy/unhappy paths.
Engineers work closely with Business Analysts (BAs) to support understanding the features. This gives engineers the opportunity to raise concerns, edge cases or other questions that may come up during the implementation. In my career, I don't think I've ever worked with such knowledgeable BAs. As an engineer I like to really understand what I'm working on, but given the complexities of the payment schemes, I'm grateful to have these team members on board.
Flexible remote working at Form3 is actually flexible remote working 😅. I know this is an odd thing to say, but from experience it's not always the case. At Form3, I'm really able to fit my life around work. Most group meetings are recorded, so if I can't make a meeting I can still access it. If it's a team discussion meeting and I'm not able to make a specific time, we can move the meeting or create a working document to discuss it asynchronously.
Working at Form3, I know that if I need to go to the doctor, take the dog for a walk at a specific time, have a two-hour lunch to go to the gym, or arrange childcare, I can do so. It makes me feel good working here, I'm performing at my best, and I have a work/life balance!
So far, my Form3 experience has been fantastic, but if I had to pick the highlights, they would have to be (in no particular order):
Not only does Form3 have great problems to solve, but it gives me an opportunity to change the world of payments. I'm hoping in the future, me at Form3 will have: