Professional Experience

Since 2013: Mozilla Security

2015 - now: Firefox Operations Security Manager, at Mozilla

Created the Operations Security team to address risks across the Firefox infrastructure with a strong focus on collaboration with engineering groups (~300 people across dozens of projects, including Firefox) and integration of security into the SDLC. Promoted DevOps security principles across operational groups, and built tools to accelerate security testing in CI/CD. The result of this work has been captured in Securing DevOps - Safe services in the Cloud, published at Manning.

Management responsibilities include informing Product Leadership of the security posture of the organization, modeling threats and prioritizing mitigations, managing risks across dozens of applications and several cloud providers and setting the security roadmap for cloud services and release engineering.

The Operations Security team is also responsible for incident response across the Firefox infrastructure, and for engineering software and services that harden defenses and increase product resistance to attacks (e.g. fraud detection, code signing, secrets management).

As an engineer, I built the code signing backend, the TLS auditing service, the secrets management platform and a number of internal tools. I also act as a security architect on all new projects, to shape engineering designs and follow security standards.

Inside Mozilla, I co-own the bug bounty program, and sit on the security council to help coordinate security efforts across the organization.

Software

  • SOPS: Secrets management stinks, use some sops!
  • Server Side TLS: editor of a set of guidelines to maintain high security on TLS endpoints.
  • TLS Observatory: An observatory for TLS configurations, X509 certificates, and more. I wrote supporting tools like cipherscan.
  • Autograph: Digital signature micro-service.
  • Userplex: Users Multiplexers to go from one LDAP to many SaaS

Public Speaking

2018 - Securing DevOps - AppSec Podcast
2018 - Modern Web Application Security - BSides Tampa 2018
2018 - Protecting Firefox Data with Content Signature - Enigma 2018
2017 - Securing Your Websites - DevFestFlorida 2017, Orlando, FL
2017 - Test Driven Security in the DevOps Pipeline - AppSecUSA 2017, Orlando, FL
2017 - Test Driven Security in Continuous Integration - Enigma 2017, San Francisco, CA
2017 - Episode Hors Série sur DevOps (special episode on DevOps) - NoLimitSecu Podcast (FR)
2016 - Continuous Security in the DevOps world - RMLLSec, Paris, France



2013 - 2015: Security Engineer

  • Mozilla Investigator (MIG): Creator & Lead developer. MIG is a platform to perform investigative surgery on remote endpoints. It enables investigators to obtain information from large numbers of systems in parallel, thus accelerating investigation of incidents and day-to-day operations security. I created, deployed and operate MIG across several thousand servers at Mozilla.
  • Application Security: all things that speak HTTP (1 or 2). Help projects integrate cryptography, access control, integrity and high availability in web applications. Assess and review the security of webapps and APIs: XSS, CSRF, SQLi, etc.
  • AWS Security: help operational teams design and run secure platforms in AWS (EC2, VPC, RDS, S3, Route53, and so on).
  • Risk and Security Review: co-designed Mozilla's Rapid Risk Assessment (RRA) framework, used across the organization to evaluate the risks of products and services.

Public Speaking

2016 - Mozilla InvestiGator: Investigate 1,000 endpoints in 10s - OSDFConf, Washington, DC
2016 - Investigate 1,000 endpoints in 10s with Mozilla Investigator - RMLLSec, Paris, France
2016 - Mozilla InvestiGator: Distributed and Real-Time Digital Forensics at the Speed of the Cloud - Security BSides, Tampa, FL
2015 - Mozilla InvestiGator: Distributed and Real-Time Digital Forensics at the Speed of the Cloud - USENIX LISA15, Washington, DC
2015 - Mozilla InvestiGator: Distributed and Real-Time Digital Forensics at the Speed of the Cloud - SANS DFIR Summit, Austin, TX
2015 - Mozilla InvestiGator: Distributed and Real-Time Digital Forensics at the Speed of the Cloud - HITB Conference, Amsterdam, NL
2014 - SSL/TLS for the Pragmatic - Bucks County DevOps, New Hope, PA



2011 - 2013: Systems & Security Architect at AWeber Communications

AWeber is an email marketing service provider for small businesses worldwide. I designed and implemented the security of AWeber's web stack and engineered scalable web hosting infrastructure on Linux.

  • Opscode Chef: Actively participated in the automation effort. Wrote security & web architecture provisioning scripts for Opscode Chef, in Ruby (Advanced FireWall (AFW), OSSEC, Keymaster, ...).
  • Web infrastructure: designed new hosting infrastructure without single points of failure. Load balancing using HAProxy, Nginx tuning, Varnish... all running on Linux.
  • Core Networking: lead architect on the redesign of the OSPF/BGP/VPN edge network. Replaced outdated Cisco routers with 10Gbps Linux routers. OSPF/BGP with Quagga, OpenVPN, Keepalived, conntrackd, ... Entirely provisioned by Opscode Chef.
  • Sysadmin: participated in day-to-day operations. Systems & network management, datacenter operations and KVM hypervisors. Level 2 on-call rotation.
  • HIDS: deployment/maintenance of OSSEC for systems security monitoring.
  • GeoIP: developed and implemented a set of geolocation algorithms, in Python, to detect suspicious activities.
  • Pentests: internal/external pentests (Arachni, nmap, Metasploit, ...).
  • Education: prepared and taught security & automation classes internally.
keywords: ossec, iptables, chef, python, ruby, geolocation, cryptography, log monitoring

Public Speaking

2013 - AFW: Firewalling dynamic infrastructures with Chef and Netfilter - Netfilter Workshop 2013 / Open Source Days in Copenhagen, Denmark
2012 - AFW: Firewalling dynamic infrastructures with Chef and Netfilter - Security BSides Delaware 2012
2012 - Workshop: Advanced Netfilter & Iptables - FOSSCON, Philadelphia

The goal of the workshop is to demonstrate how netfilter, iptables, ipset and other tools available in Linux can be used to build complex firewall policies for dynamic environments. I mentioned, at the end, some of the work I've done with Chef and the AFW cookbook.

2012 - Netfilter & Iptables Elements - AWeber Communications
2012 - Certificates & Public Key Infrastructures - AWeber Communications


2011 - QoS & Traffic Control in the Linux Kernel - Philadelphia Linux User Group (PLUG)

This is a compressed version of my QoS article, rewritten and improved with the latest work on Bufferbloat, and some items from Comcast Residential DSL.




2011: Systems Engineer at Greenlink Networks

Greenlink Networks was a startup that provided rewards programs for local businesses and TV stations. I was in charge of building a bigger, faster and more reliable hosting infrastructure for the 30+ websites of the company.

  • Support 24/7 operations of the web platform. As GLN was a small shop, I was the on-call sysadmin, DBA, QA and sometimes developer all at once.
  • Transform the single-node, Java-based web platform into a load-balanced cluster.
  • Handle the migration of all components to AWS: websites (Java) and database (Oracle).
  • Maintain the production and corporate infrastructure on a day-to-day basis.
keywords: lighttpd, haproxy, tomcat, jboss, postgresql, solaris, centos, EC2



2008 to 2010: Security Consultant at Axians - Vinci Energies Group

Information and Web Security Consultant for banks and financial institutions in the Paris area.

2010: Web Security Engineer at La Banque Postale

Member of the Architecture team: web front-end security, cryptography, strengthening of eBanking operations.

  • eBanking security: Access control, system and network partitioning, performance
  • J2EE security: SSL/TLS, IBM IHS, WAS 6, MQ and Web Services cryptography
  • Security assessments and risk analysis

2009: IT Security Engineer at ALD International

Member of the Security team: BCM development and testing, IT Disaster Recovery Plan (40+ locations worldwide and 2 datacenters).

  • Develop BCM methodology and define Business/IT priorities
  • Design IT recovery architectures
  • Run BCP tests and evaluate reaction capabilities

2008: Web Security Engineer at Societe Generale

eBanking architecture team: web front-ends security and performance, cryptography usage in applications and communications, security audit.

  • eBanking security: Access control, log auditing, performance
  • Security measures: SSL/TLS on J2EE, WebLogic, HAProxy
  • Qualys security audits, firewall rules management




2007: Research Engineer at University of Maryland

Programming of a TCP/UDP proxy in C on Linux 2.6 for connection redirection inside honeypot networks.

In the team of Dr. Michel Cukier at the Center for Risk and Reliability.

  • Research: Study of network attacks aimed at Linux and Microsoft systems in honeypot environments
  • Design: software engineering using UML specification
  • Coding: C on Linux (TCP stack, B-tree-based decision engine)

Note: this project still lives on SourceForge under the name Honeybrid.





Summer 2006: Intern Assistant to the Chief Security Officer at MAAF Assurances

Member of the Information System team: Perl programming for security log processing, application of the privacy protection law.

  • Development of Perl software to supervise antivirus solutions (Norton,
  • Compliance of the information system with the privacy protection law




2005: Sysadmin at Microgate

Architecture design and maintenance of the email infrastructure.

  • Migration of the Email infrastructure to Linux/Postfix/Cyrus
  • Integrated PKI (OpenSSL) and LDAP Directory (OpenLDAP)
  • Design of a Site to Site interconnection with OpenVPN

Note: I still maintain this architecture remotely.





2002 to 2004: Part-time Tech support at URSSAF

French agency for social security system funding, Tours, France

Helpdesk and Administration/Maintenance of Windows NT/2000 based networks

Education

2007: Master in Information Security Management - University of Poitiers, France

2005: Bachelor in Telecommunications Security - University of Tours, France

2004: Brevet de Technicien Supérieur en Informatique de Gestion (advanced technician's diploma in business computing) - ISCB of Tours, France

Specialization: System and Network Administration.
The program was half-time in class and half-time in a professional position at URSSAF.

Writing

Securing DevOps: Safe services in the Cloud

Manning Publications - ISBN 9781617294136

Securing DevOps is my first book. It explores how the techniques of DevOps and Security should be applied together to make cloud services safer. The book is written for a technical audience of administrators, operators and security engineers who are tasked with keeping their customers' data safe. Securing DevOps reviews state-of-the-art practices used in securing web applications and their infrastructure, and teaches techniques to integrate security directly into the product.

DevOps: nuageux, avec chance de sécurité (DevOps: cloudy, with a chance of security) - MISC 88 - November 2016

An overview of security techniques in DevOps through the eyes of a fictional French startup.

Mozilla InvestiGator: Quand vos serveurs se prennent pour Sherlock Holmes (when your servers think they are Sherlock Holmes) - MISC HS 11 - May 2015

A presentation of MIG through three short stories of security investigations.

A state-of-the-art of SSL/TLS Server Side - MISC Magazine - March 2014

This article is an overview of the security of SSL/TLS, the challenges in selecting ciphers and certificates, and the state of transport security in general.

Mozilla Server Side TLS guidelines

The Operations Security (OpSec) team maintains this document as a reference guide to navigate the TLS landscape. It contains information on TLS protocols, known issues and vulnerabilities, configuration examples and testing tools.

Postfix Postscreen: The Zombie Exterminator - GNU/Linux Magazine #147 - April 2012

A tour of Postscreen, the zombie blocker integrated in Postfix 2.8. I also used this article as an opportunity to develop Postscreen-stats, a Python script that parses the Postscreen logs in an intelligent way.

Web Development with Perl and Mojolicious - GNU/Linux Magazine #138 - May 2011

Introduction to the Mojolicious framework through the development of a simple URL shortener.

Fighting Spam with DSPAM - GNU/Linux Magazine #132 - November 2010


QoS and Traffic Control in the Linux Kernel - GNU/Linux Magazine #127 - May 2010

Description of the QoS layer of the Linux kernel. The article covers the description of the shaping algorithms, the definition of a QoS policy with implementation examples and the set up of RRDtool graphs using Perl.

DKIM Email signature and verification with DKIMProxy - GNU/Linux Magazine #125 - March 2010

Article describing the DKIM protocol, its implementation in DKIMProxy and the deployment of a DKIM infrastructure using Debian, Postfix and BIND 9.