Raphaël Jamet
Software security engineer

Work experience

Staff application security engineer at PayFit (Nov 2021 - Aug 2023)

PayFit has a SaaS product helping SMBs compute and run their payroll and HR processes, in France, Spain and the UK. I joined in at a time when the company scaled up drastically, and there was a strong need for more maturity in all security aspects. Starting from close to scratch, the team and I worked on discovering and documenting risks, followed by the definition and operation of a full-fledged program following best practices.

We were working on project design reviews, SDLC and supply chain hardening, vulnerability management, platform hardening, code reviews, running and maintaining our tools (home-made and off-the-shelf), bug bounty, general security evangelism and shenanigans,... Anything that made a long-lasting impact and where the time and maintenance costs made sense.

We also frequently interfaced with other teams when required or requested, and in that context, I was involved in various vendor security reviews, privacy issues, incident management, general debugging and customer support, and our compliance audits for ISO27001.

Application security engineer at Aircall (Nov 2020 - Jun 2021)

Aircall is a scale-up that used to not have a dedicated security team. Together with another new hire, we worked on building a product security program from scratch, and to drum up the corresponding culture among Aircall employees. I took care of the application security side, with code reviews, vulnerability lifecycle management, design advice, documentation, privacy discussions, and bug bounty program operation.

Software security engineer at Google Zürich (May 2015 - Feb 2020)

I used to work in the Information Security Engineering team (a generalist product security team) at Google. My role was to design, develop and maintain systems that prevent entire classes of security bugs from being written in the first place, by influencing all the steps in the software lifecycle: initial design reviews, tooling recommendations, static analysis, code reviews, consulting, all the way through analysis of bug bounty reports.

More specifically, I focused on client-side XSS prevention: through a combination of processes that involve static analysis early in the developer experience, building libraries such as the Closure goog.html types, and security engineer consultations on-demand, we managed to get mostly rid of DOM-based XSSes in our TypeScript stacks. I worked closely with the Angular web framework and with TSLint, but also spent some time applying those principles to other types of bugs and doing more general security consulting work, and I took care of my share of the team's consulting load.

I also participated in other efforts from the broader team: my background in cryptography and networking let me take on security reviews revolving around those concerns, I wrote two challenges for the Google CTF, I hosted interns and helped interview candidates.

Before:

• Teacher for three Intro to C courses (2011-2014, 3 times 64 hours) in Université Joseph Fourier, for first year STEM students. The course covered basic algorithms, the use of a subset of C and some basic UNIX command-line competency.
• Four research internships (2008-2011) in Grenoble's research centers, revolving around distributed systems and their infrastructure.
• Internship at Corys TESS (2007), a company making training simulators in the transportation and energy industries, where I created an automated HTML documentation generator in C from their 3d models.
• Freelance journalist (2008-2010) for Téléprogrammes-InfosPresse, for whom I wrote around thirty articles revolving around issues related to Internet and information technologies.

Education

PhD thesis: Protocols and Models for the Security of Wireless Ad-Hoc Networks (2011-2014)

Supervised by Dr. Pascal Lafourcade (with the help of Stephane Devismes and Karine Altisen), in Verimag, Université de Grenoble, and defended on 3/10/14. Manuscript available here.

The goal of my PhD was to build and analyze secure protocols for wireless ad-hoc networks. Because of the material constraints (energy, computing power, memory, reliability) and the cooperative nature of these networks, the protocols must guarantee continued operation in presence of faults or deliberate attacks. We developed several models and protocols:

• SR3, A secure and resilient many-to-one routing protocol for wireless sensor networks based on a reputation mechanism, the security of which we formally proved. Experimental evaluations showed both its resiliency and fairness.
• A model to formally find flaws in network-based intrusion detection systems based on their data inputs.
• A quantitative notion for the security of routing protocols, based on the ability for an intruder to corrupt the routes generated by the protocol.

Other

• Master in Computer Science (2009-2011), specialized in Security and Cryptology. This was a joint Master program between Université Joseph Fourier and ENSIMAG in Grenoble, with courses in English.
• Licence Informatique (2008-2009), Université Joseph Fourier, Grenoble, and simultaneously, six-month in law university.
• Magistère Informatique (2008-2011), an optional research-centered program, Université Joseph Fourier, Grenoble.
• DUT Informatique (2006-2008), IUT2 de Grenoble.

Skills

I speak and write French and English fluently, and have some rusty notions of high German. I'm mostly using TypeScript nowadays. I used to write Perl and Java commonly, and have some familiarity reading Ruby, C, C++, Python and Golang.