Michel Arboi
E-mail: michel@arboi.fr.eu.org
43 years old. Single. French.
Education
- 1983: 2nd "accessit" (~ certificate of merit) at the "Concours Général" (General Competition) in physics. First "Ampère" prize.
- 1983-1985: "Maths sup & maths spé" (~ degree in mathematics & physics).
- 1985-1988: ENSTA (French "grande école" ~ master of engineering, see http://www.ensta.fr/).
- 1988: SAGEM, Pontoise (work experience placement). Specification and design of a security system on top of MS/DOS on a 386 PC (Orange Book B2 features).
Work history
2009
Hofud, IT security consulting, audit and
development.
- Nessus plugins development.
- Security testing of an online banking system.
2008-2009
Tenable Network Security France
Security research engineer.
- Developments in the Nessus core.
  - New port scanners (TCP and UDP), one of which uses a statistical filter.
  - "Port enumerators", calling the netstat command through SMB + WMI.
- Plugins development
  - PCI DSS compliance.
  - New HTTP API.
  - Miscellaneous vulnerability tests.
2007-2008
SOGETI IS
Computer security consultant.
- Computer security audits
  - Several audits of a French bank's subsidiaries abroad (Africa, Eastern Europe).
  - Audit of a French company (cosmetic sector).
1999-2007
Algoriel
Computer security consultant
- ITSEC & ISO-15408 evaluations
  - ITSEC evaluation of the BullSoft Netwall firewall: penetration testing.
  - Common Criteria evaluation of an internet banking Protection Profile.
  - Writing of ITSEC documents for the approval of a Defense communication network: security target and conformity documents.
  - Common Criteria security target of an online banking system.
  - Definition and writing of evaluation procedures.
- Computer security audits
  - Audit of a banking system connected to the SWIFT network.
  - Several audits of a French bank's subsidiaries abroad (Africa, Eastern Europe).
  - Several audits of a certificate & trusted services provider.
  - Banking applications "agreement" before they are installed on an IP network: protocol & architecture analysis, vulnerability search, tests.
  - Audit of production machines at a telecom company.
- Security policy
  - Suggestions for a banking agreement process.
  - High-level specification for operating system and COTS hardening.
- Consulting
  - Risk analysis before data flows are opened through the internet firewalls of a French bank.
- Teaching
  - Course for a telecom company: security audit of Unix and NT machines.
1998-1999
Solutions en lignes, computer consulting
- Intranet architecture specification.
- Solaris 2 system administrator.
- Definition of commercial strategy in computer security.
1994-1998
Dorotech, storage system software & integration
- DoroStore backup & archival software: maintenance and evolutions (about 500000 C lines under Unix):
  - Server porting to HP/UX, AIX 4 and SVR4/386.
  - New storage functions: offsite backups, new magnetic cache, big files (> 2 GB) management, tape storage multiplexing, "synthetic" backups, backup archival & HSM coupling...
  - Archival database rewriting: Informix SE was replaced by a module written with C-ISAM.
  - Security system rewriting: interface with Kerberos V through the GSS API, network filtering proxy.
  - Design of automatic tests with the DejaGnu framework (14000 Tcl lines).
1993-1994
SAGEM Argenteuil
- SAVAN 15 tank aiming device: real-time programming, automation, inertial techniques.
1990-1993
AIKI: software reliability, security and
safety
- Development of the AETIUS software engineering tool: C & Motif GUI. AETIUS is a dynamic analyser that can be used for debugging, tests, maintenance, reverse engineering, documentation and validation... It learns the software behaviour from execution traces.
- Maintenance: definition of new features, porting to new architectures.
- Design & development of symbolic debuggers / tracers on Sun 4, HP9000/400, HP9000/700 and MS/DOS, either by instrumenting the compiler-generated assembly language or by using the system debugging API.
- Interface with Microtek emulators.
- Design & development of a binary (non-symbolic) tracer on Sun 4 and HP9000/400; coupled with AETIUS, it becomes a disassembler.
- System administration (Sun 4, HP9000, RS/6000, PC); I also chose the development tools.
- Starting from 1992, I managed the development team and looked for business partners abroad.
1989-1990
Aster Ingénierie
- War plane retrofit at Thomson DPI.
- Ballistic algorithms design.
- Software specification (SA/RT method)
1988-1989
National service: cooperation in Tunis.
Computer teacher at ENIT ("École Nationale d'Ingénieurs de Tunis", http://www.universites.tn/enit/).
- I taught Pascal and Fortran.
- Authorship of a C language tutorial
Free software
Nessus security scanner: SSL implementation for the client / server communications, tests of SSL-based servers, new version of the NASL interpreter (written from scratch in Bison), contribution of more than 1000 test scripts (plugins)...
Publications
NASL2 reference manual —
http://michel.arboi.free.fr/nasl2ref/
Engagements
Presentation of the new version of the Nessus Attack Script Language at Eurosec 2004.
Languages
English: read, written, spoken.
Arabic: studied since 1985. Three one-month training courses in Cairo. Arabic calligraphy studied in 1987 and 1988.
Greek: basic knowledge.
Technologies mastered
- Computer languages: C, Perl, Bison, Lex, Pascal, Ada, C++,
Fortran, assembly languages...
- Operating systems: Unix, Windows
- GUI: Motif
- Standards: ISO 15408 "Common Criteria", ISO 17799