Software security engineer
Software engineer at Google Zürich (May 2015 - Feb 2020)
I used to work in the Information Security Engineering team (a generalist product security team) at Google. My role was to design, develop and maintain systems that prevent entire classes of security bugs from being written in the first place, by influencing all the steps in the software lifecycle: initial design reviews, tooling recommendations, static analysis, code reviews, consulting, all the way through analysis of bug bounty reports.
More specifically, I focused on client-side XSS prevention: through a combination of processes that involve static analysis early in the developer experience, building libraries such as the Closure goog.html types, and security engineer consultations on demand, we managed to mostly get rid of DOM-based XSSes in our TypeScript stacks. I worked closely with the Angular web framework and with TSLint, but also spent some time applying those principles to other types of bugs and doing more general security consulting work, and I took care of my share of the team's consulting load.
I also participated in other efforts from the broader team: my background in cryptography and networking let me take on security reviews revolving around those concerns, I wrote two challenges for the Google CTF, I hosted interns, helped interview candidates, ...
- Teacher for three Intro to C courses (2011-2014, 3 times 64 hours) at Université Joseph Fourier, for first-year STEM students. The course covered basic algorithms, the use of a subset of C and some basic UNIX command-line competency.
- Four research internships (2008-2011) in Grenoble's research centers, revolving around distributed systems and their infrastructure.
- Internship at Corys TESS (2007), a company making training simulators in the transport and energy industries, where I created an automated HTML documentation generator in C from their 3D models.
- Freelance journalist (2008-2010) for Téléprogrammes-InfosPresse, for whom I wrote around thirty articles revolving around issues related to Internet and information technologies.
PhD thesis: Protocols and Models for the Security of Wireless Ad-Hoc Networks (2011-2014)
Supervised by Dr. Pascal Lafourcade (with the help of Stephane Devismes and Karine Altisen), in Verimag, Université de Grenoble, and defended on 3/10/14.
The goal of my PhD was to build and analyze secure protocols for wireless ad-hoc networks. Because of the material constraints (energy, computing power, memory, reliability) and the cooperative nature of these networks, the protocols must guarantee continued operation in the presence of faults or deliberate attacks. We developed several models and protocols:
- SR3, a secure and resilient many-to-one routing protocol for wireless sensor networks based on a reputation mechanism, the security of which we formally proved. Experimental evaluations showed both its resiliency and fairness.
- A model to formally find flaws in network-based intrusion detection systems based on their data inputs.
- A quantitative notion for the security of routing protocols, based on the ability for an intruder to corrupt the routes generated by the protocol.
- Master in Computer Science (2009-2011), specialized in Security and Cryptology. This was a joint Master program between Université Joseph Fourier and ENSIMAG in Grenoble, with courses in English.
- Licence Informatique (2008-2009), Université Joseph Fourier, Grenoble, and simultaneously, six months at law university.
- Magistère Informatique (2008-2011), an optional research-centered program, Université Joseph Fourier, Grenoble.
- DUT Informatique (2006-2008), IUT2 de Grenoble.