Trans woman stands out as ‘good hacker’ – 01/29/2024 – Tech

The career of young trans woman Alexa Souza, 24, gained prominence when she revealed, in 2020, a security breach in the WordPress website editor. There were 700,000 web addresses at risk of invasion.

At the time, at 21, she was studying to obtain a cybersecurity expert certification at OffSec, the main entity on the subject. It’s a distinction that internet security researchers generally achieve between the ages of 35 and 40, say people consulted by Sheet.

“At the time, I raised my arms and said: ‘Wow, I’m not even going to post this, it was so easy’. I ended up publishing the report about the failure, I gained my certification and it was a valuable find for the community”, says Souza.

The discovery was what is called “zero day” in cybersecurity jargon, a security flaw that allows the system to be compromised without interaction with the operator. It is not necessary, for example, to run a program.

She stands out at the national level as a pentester, a cybersecurity area specializing in simulating virtual attacks on systems to find loopholes and test companies’ defense. People in the industry explain their actions with the expression “good hacker”.

At the end of last year, the specialist co-founded a startup specializing in pentesting, ViperX, a subsidiary of the already established Dfense Security. The new company’s objective is to earn R$5.5 million in 2024 and R$15 million in 2025 with an initial investment of R$2.7 million.

Diagnosed on the autism spectrum, Souza has communication difficulties and hyperfocus. She spends hours at a time looking for subtle flaws in the infrastructure of company websites and systems. Today, it already has other “zero days” detections in its portfolio.

Discovering this talent involved a series of opportune meetings and a lot of effort.

CYBERSECURITY TRAINING

Born and raised in Belford Roxo, in the metropolitan region of Rio de Janeiro, Souza decided, at 15, to take a technical course in IT (information technology) at Senac.

The student’s house at the time was an hour away by public transport from Senac’s Belford Roxo unit. “It was a dangerous path, I saw people armed with rifles close to the house,” she says. “My father accompanied me to the bus stop every day, once he intervened in an attempted robbery and saved a boy,” she says.

She left every day at 6 am, arriving at the place of study at 7 am. She got home at 11pm every day of the week.

At Senac, the student met what became her “capture the flag” team, a challenge whose objective is to find a programming element hidden in the middle of a code. Souza’s team became the 13th in the world of Hack The Box, the sport’s global community.

Standing out in this challenge earned Souza his first opportunities as a pentester, given the similarities between the game and professional activity.

Still in 2016, the first freelance services arrived. Success in the competitive world brought, in 2018, his first job, in the center of Rio de Janeiro.

“I then decided to save all my salary to be able to pay for my first license, the OSCP, which I obtained at the age of 18”, recalls Souza. She was the youngest Brazilian to receive this distinction.

She saved money for four months to have the R$3,100 needed to pay for the exam — around US$800 at the exchange rate at the time. “She would get home at 9pm and study until 1am so she could wake up at 7am,” says the cybersecurity expert. The journey from Belford Roxo to the center of Rio, where Souza’s work was located, took more than two hours.

There was still another obstacle: the modest computer with 4 gigabytes of RAM to solve the problems proposed in the OffSec exam. “It kept crashing a lot during the test, it was 2 GB for the virtual machine, 2 GB for the main machine, but I managed to pass the entire test”, says Souza. If he failed, he would have to pay another R$3,100.

With the OSCP certification, came a job offer from the Ceará company Morphus as a red teamer, a professional hired to test a company’s digital security protocols. In the new position, Souza was able to work remotely and save the almost five hours he spent commuting.

In June 2019, the cybersecurity specialist moved to São Paulo, after receiving a new offer, this time from the Italian multinational Italtel.

“I started living alone, it was a really crazy thing,” recalls Souza. “My parents always said they raised me for the world and, since then, I’ve had a lot of experience with pen testing, research and continued to get certified,” she says.

GENDER TRANSITION

In December 2022, already established in the job market, the cybersecurity specialist decided to make a gender transition. “It was something I always knew, but I never told anyone, it took me a while to understand this; when it happened, it was the height of happiness”, says Souza.

She then went to her parents’ house to go through the process. “They have always been very calm, but they are adapting to this day,” she says.

Souza states that his professional and academic success gave him a foundation to make the decision. “I now have the conditions to be the owner of my own nose, I feel safer at that point.”

This is because she says that Brazil is “a very difficult country for transgender women”. “It’s one of the countries that kills the most; where I lived, if I said I was trans, I would definitely be lynched in the street.”

For Souza, the cybersecurity community allowed her to develop without facing many prejudices. “It’s a very technical area, where all that matters is the quality of my work.”

NEW BUSINESS

Last year, Souza was approached by the owner of Dfense, Gabriel Paiva, with the proposal to start a new business.

The idea is to use her highly specialized knowledge to create pentest protocols that can be replicated by other quality professionals, to scale the service.

Paiva says that, in the current market, small boutique laboratories offer the service to a few clients. “Large cybersecurity companies also offer the option of pen testing, but without the quality that someone of Souza’s caliber has to offer.”

The initial investment of R$2.7 million will be allocated to hiring more cybersecurity and computing infrastructure professionals.

Sales are the responsibility of the Dfense team. “Now, we need to sell to achieve the goals we have announced to the market”, says Paiva.

Souza’s renown has already guaranteed ViperX speaking at the biggest technical events in Brazil, the BHack Conference and the Hackers 2 Hackers Conference (H2HC). At this last event, there were only four women among the speakers — one of them was the co-founder of ViperX.