Technologies

Core skills


click here for PNG version

skill map, if this doesn't display, 3 options: click on the PNG or PDF version, or use a recent browser.

Professional Experience

Since 04/2013: Operations Security Engineer at Mozilla

Member of the Security Assurance team. Focus on systems and network security.

11/2011 to 04/2013: Systems & Security Architect at AWeber Communications

AWeber is an email marketing service provider for small businesses worldwide. I designed and implemented the security of AWeber's web stack and engineered scalable web hosting infrastructure on Linux.

  • Opscode Chef: Actively participated in the automation effort. Wrote security & web architecture provisioning scripts for Opscode Chef, in Ruby (Advanced FireWall (AFW), OSSEC, Keymaster, ...).
  • Web infrastructure: designed new hosting infrastructure without single points of failure. Load balancing with HAProxy, Nginx tuning, Varnish... all running on Linux.
  • Core Networking: lead architect on the redesign of the OSPF/BGP/VPN edge network. Replaced outdated Cisco routers with 10Gbps Linux routers. OSPF/BGP with Quagga, OpenVPN, Keepalived, Conntrackd, ... Entirely provisioned by Opscode Chef.
  • Sysadmin: participated in day-to-day operations. Systems & network management, datacenter operations and KVM hypervisors. Level 2 on-call rotation.
  • HIDS: deployment and maintenance of OSSEC for systems security monitoring.
  • GeoIP: developed and implemented a set of geolocation algorithms, in Python, to detect suspicious activity.
  • Pentests: internal/external pentests (Arachni, nmap, Metasploit, ...).
  • Education: prepared and taught security & automation classes internally.
keywords: ossec, iptables, chef, python, ruby, geolocation, cryptography, log monitoring

03/2011 to 11/2011: Systems Engineer at Greenlink Networks

Greenlink Networks provides rewards programs for local businesses and TV stations. I was in charge of building a bigger, faster and more reliable hosting infrastructure for the company's 30+ websites.

  • Transformed the single-node architecture into a load-balanced cluster.
  • Migrated from the datacenter-hosted system to Amazon's cloud (AWS).
  • Maintained the production and corporate infrastructure on a day-to-day basis.
keywords: lighttpd, haproxy, tomcat, jboss, postgresql, solaris, centos, EC2

01/2008 to 05/2010: Security Engineer at Axians - Vinci Energies Group

Project

System Architect of the Knowledge Base, designed and built with Alfresco and Debian.

Missions

La Banque Postale - eBanking Security Engineer (7 months)

Member of the Architecture team: web front-end security, cryptography, strengthening of eBanking operations.

  • eBanking security: access control, system and network partitioning, performance
  • J2EE security: SSL/TLS, IBM IHS, WAS 6, MQ and Web Services cryptography
  • Security assessments and risks analysis

ALD International - Business Continuity Engineer (9 months)

Member of the Security team: BCM development and testing, IT Disaster Recovery Plan (40+ locations worldwide and 2 datacenters).

  • Develop BCM methodology and define Business/IT priorities
  • Design IT recovery architectures
  • Run BCP tests and evaluate reaction capabilities

Societe Generale - eBanking Security Engineer (1 year)

eBanking architecture team: web front-end security and performance, use of cryptography in applications and communications, security audits.

  • eBanking security: access control, log auditing, performance
  • Security measures: SSL/TLS on J2EE, Weblogic, HAproxy
  • Qualys security audits, firewall rules management

04/2007 to 12/2007: Research Engineer at University of Maryland

Programming of a TCP/UDP proxy in C on Linux 2.6 for connection redirection inside honeypot networks.

In the team of Dr. Michel Cukier at the Center for Risk and Reliability.

  • Research: study of network attacks targeting Linux and Microsoft systems in honeypot environments
  • Design: software engineering using UML specifications
  • Coding: C on Linux (TCP stack, B-tree based decision engine)

note: this project still lives on sourceforge under the name Honeybrid.

04/2006 to 08/2006: Assistant to the Chief Security Officer at MAAF Assurances

Member of the Information System team: Perl programming for security log processing, application of the privacy protection law.

  • Development of Perl software to supervise antivirus solutions (Norton,
  • Compliance of the information system with the privacy protection law

Since 04/2005: Linux Engineer / Sysadmin at Microgate

Architecture design and maintenance of the email infrastructure.

  • Migration of the Email infrastructure to Linux/Postfix/Cyrus
  • Integrated PKI (OpenSSL) and LDAP Directory (OpenLDAP)
  • Design of a Site to Site interconnection with OpenVPN

note: I still maintain this architecture remotely.

09/2002 to 09/2004: Tech Support at URSSAF

French agency for the social security system funding, Tours, France

Helpdesk and Administration/Maintenance of Windows NT/2000 based networks

Education

2005 to 2007: Master Degree - Information Security Management

IRIAF - University of Poitiers - GPA: 16.3/20 - Honor: Summa Cum Laude

2005: Bachelor Degree - Security and Quality of Telecommunications

University of Tours - GPA: 13.5/20 - Honor: Cum Laude

Brevet de Technicien Supérieur (Higher Technician Certificate)

ISCB - University of Tours - 2002 to 2004

Option: System and Network Administration.
The course was organized half-time in class and half-time in a professional position (at URSSAF, in my case).

Public speaking & Teaching

2013 - AFW: Firewalling dynamic infrastructures with Chef and Netfilter - Netfilter Workshop 2013 / Open Source Days in Copenhagen, Denmark

Second presentation of my work on AFW, at the Netfilter Kernel Developers workshop in Copenhagen.

2012 - AFW: Firewalling dynamic infrastructures with Chef and Netfilter - Security BSides Delaware 2012

Abstract: Virtualized web infrastructures often mean having a bunch of web applications talking HTTP to each other all over your network. REST APIs everywhere, VMs appearing and disappearing every day, without any sort of ACL or passwords between them. From a firewall standpoint, manually managing the firewall rules between those VMs is unrealistic, and often results in opening tcp/80 (and more) everywhere by default. This is obviously not ideal. Some have tried to deploy web application firewalls, but few have survived to testify. The Advanced FireWall (http://github.com/jvehent/AFW) is a Chef cookbook that solves these problems by controlling host-based Netfilter firewalls on each system of a Chef-provisioned environment. I will demonstrate how host-to-host rules can be created and kept up to date by using a set of generic rules expanded dynamically, and how, using AFW, you can keep control over every single packet of your network.
Video and slides are here.
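The expansion step the abstract describes, as an added example written for this page (not the AFW cookbook's own code): generic role-to-role rules are written once, a node inventory standing in for a Chef search decides which concrete addresses they expand to, and re-running the expansion after a VM appears yields the delta to apply. The inventory, role names, addresses and ports are constructed for the example; an unknown role is skipped rather than guessed, so a typo never becomes an open port.

```ruby
require 'set'

# Constructed inventory standing in for a Chef node search: role => [ip, ...].
# Assumption: one address per node; the 'cache' role has no node yet.
INVENTORY = {
  'web'   => ['10.0.1.10', '10.0.1.11'],
  'app'   => ['10.0.2.20'],
  'db'    => ['10.0.3.30'],
  'cache' => [],
}.freeze

# Generic rules, written once per service. No host is named here; the
# inventory decides which addresses each rule expands to on each host.
RULES = [
  { name: 'web_to_app',   from: 'web', to: 'app',   proto: 'tcp', port: 8080 },
  { name: 'app_to_db',    from: 'app', to: 'db',    proto: 'tcp', port: 5432 },
  { name: 'app_to_cache', from: 'app', to: 'cache', proto: 'tcp', port: 11211 },
  { name: 'app_to_mail',  from: 'app', to: 'mail',  proto: 'tcp', port: 25 }, # 'mail' role does not exist
].freeze

# Expand the generic rules into the iptables rules one host needs, given the
# roles it holds: INPUT rules for the services it offers, OUTPUT rules for the
# connections it initiates. Everything else falls under the DROP policy.
def expand_rules(host_roles, rules = RULES, inventory = INVENTORY)
  lines = []
  rules.each do |r|
    src_hosts = inventory[r[:from]]
    dst_hosts = inventory[r[:to]]
    # Unknown role on either side: refuse to guess, skip the rule entirely.
    if src_hosts.nil? || dst_hosts.nil?
      warn "skipping rule #{r[:name]}: unknown role"
      next
    end
    match = "-p #{r[:proto]} --dport #{r[:port]} -m conntrack --ctstate NEW"
    tag   = "-m comment --comment #{r[:name]}"
    if host_roles.include?(r[:to])
      src_hosts.each { |ip| lines << "-A INPUT -s #{ip}/32 #{match} #{tag} -j ACCEPT" }
    end
    if host_roles.include?(r[:from])
      dst_hosts.each { |ip| lines << "-A OUTPUT -d #{ip}/32 #{match} #{tag} -j ACCEPT" }
    end
  end
  lines.uniq
end

# Wrap the expanded rules in an iptables-restore ruleset with default-deny
# policies, loopback and the stateful baseline every host needs.
def render_ruleset(host_roles, rules = RULES, inventory = INVENTORY)
  header = [
    '*filter',
    ':INPUT DROP [0:0]', ':FORWARD DROP [0:0]', ':OUTPUT DROP [0:0]',
    '-A INPUT -i lo -j ACCEPT', '-A OUTPUT -o lo -j ACCEPT',
    '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT',
    '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT',
  ]
  (header + expand_rules(host_roles, rules, inventory) + ['COMMIT']).join("\n") + "\n"
end

# "Kept up to date": when the inventory changes (a VM appears or disappears),
# re-expanding gives the delta a converge has to apply; nothing is edited by hand.
def ruleset_delta(host_roles, old_inventory, new_inventory, rules = RULES)
  before = expand_rules(host_roles, rules, old_inventory).to_set
  after  = expand_rules(host_roles, rules, new_inventory).to_set
  { added: (after - before).to_a, removed: (before - after).to_a }
end

if __FILE__ == $PROGRAM_NAME
  puts render_ruleset(['app'])
  grown = INVENTORY.merge('web' => INVENTORY['web'] + ['10.0.1.12'])
  p ruleset_delta(['app'], INVENTORY, grown)
end
```

Run it to print the ruleset an `app` node would load with `iptables-restore`, followed by the one INPUT rule that node gains when a third `web` VM joins the inventory. The `-m comment` tag carries the generic rule's name into the kernel, which is what lets an operator map a live iptables rule back to the rule that generated it.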

2012 - Workshop: Advanced Netfilter & Iptables - Fosscon Philadelphia

The goal of the workshop was to demonstrate how netfilter, iptables, ipset and other tools available in Linux can be used to build complex firewall policies for dynamic environments. I mentioned, at the end, some of the work I've done with Chef and the AFW cookbook. The slides are here.

2012 - Netfilter & Iptables Elements - AWeber Communications

After spending many months redoing the entire firewall infrastructure of AWeber, I gave an introductory talk to the sysadmins and developers. The video is up here.

2012 - Certificates & Public Key Infrastructures - AWeber Communications

I gave this talk to improve the understanding of the trust model of the Internet among developers. It covers how Certificate Authorities work, how to generate and manage our own, ... The slides are here.

2011 - Qos & Traffic Control in the Linux Kernel - Philadelphia Linux User Group (PLUG)

I presented this talk twice at PLUG. It is a compressed version of my QoS article, rewritten and improved with the latest work on Bufferbloat and some items on Comcast residential DSL. The slides are here.

2010 - Database Security Teacher - IRIAF - University of Poitiers

Security of Database Infrastructures. 40-hour course in the 2nd year of the IT Security Master program. The content of the course is available here.

Writing

Postfix Postscreen: The Zombie Exterminator - GNU/Linux Magazine #147 - April 2012

A tour of Postscreen, the zombie blocker integrated into Postfix 2.8. I also used this article as an opportunity to develop Postscreen-stats, a Python script that parses the Postscreen logs in an intelligent way.

Web Development with Perl and Mojolicious - GNU/Linux Magazine #138 - May 2011

Introduction to the Mojolicious framework through the development of a simple URL shortener.

Fighting Spam with DSPAM - GNU/Linux Magazine #132 - November 2010


QoS and Traffic Control in the Linux Kernel - GNU/Linux Magazine #127 - May 2010

Description of the QoS layer of the Linux kernel. The article covers the shaping algorithms, the definition of a QoS policy with implementation examples and the setup of RRDtool graphs using Perl.

DKIM Email signature and verification with DKIMProxy - GNU/Linux Magazine #125 - March 2010

Article describing the DKIM protocol, its implementation in DKIMProxy and the deployment of a DKIM infrastructure using Debian, Postfix and BIND 9.

Leisure

Music (bass guitar) and Sport (Roller, Golf, Squash)

Co-creator and administrator of the Linuxwall.info laboratory.
