Work Experience
Senior Manager and Lead Researcher, Security Research Lab
Dec. 2011 - present, Synopsys SIG, Paris, France (prev. San Francisco, US).
Lead Security Researcher and Manager until Sept. 2015
Senior Security Researcher until Sept. 2012
As the Senior Manager and Lead Security Researcher, Romain leads the security research across products such as Coverity, Seeker, and Defensics (Codenomicon fuzzer). Our main directive is to identify novel approaches to automatically detect security issues in applications. Romain's team is responsible for the prototyping, specifications, and research for all security analysis in Coverity, and contributes to other products.
In Products:
- Designed and implemented patented precise remediation advice for Coverity. This novel approach is based on a framework-aware analysis and a deep understanding of security issues. Implemented in C++.
- Designed and implemented the hybrid analysis of sanitizers for Java applications. This analysis gives Coverity a precise understanding of sanitization routines (e.g., JavaScript string escapers, HTML escapers, etc.) without any hardcoded knowledge. Implemented in Java and C++.
- Designed and implemented a modular infrastructure for framework analysis in Coverity, which does a pass over the program to analyze and understand the implicit flow of control introduced by frameworks (Spring MVC, Struts, ASP.NET, etc.). This infrastructure communicates with Coverity so that it understands aspects of the frameworks such as entry points, dispatch to views, etc. Implemented in Java, Python, and C++.
- Designed and prototyped several checkers to identify issues such as CSRF, missing authorization checks, sensitive data leaks, etc. Design and specifications for other checkers such as XSS, SQL injection, etc.
Research:
- Diverse analysis methods for JavaScript applications. The goal is to consider the limitations of approaches (e.g., use analysis, global points-to analysis) when trying to understand a client-side or server-side application written in JavaScript.
- Automated understanding of JavaScript view templates (Pug, Nunjucks, etc.) and discovery of XSS-prone sites, even under automated HTML escaping.
- Diverse methods for false-negative hunts (reasoning about security issues a tool doesn't find), which leverage runtime analysis for JavaScript, automated analysis of fixes in commits, NLP to detect sensitive data sources, and manual assessment.
- A TypeScript-based language and compiler to specify hardcoded knowledge for security analysis tools.
- Evolutionary and goal-oriented fuzzing: a genetic-algorithm-based fuzzer prototype that leverages a quick static analysis pass to define goals. Instrumentation based on LLVM source-to-source rewriting.
- Disclosed several security issues such as RCE in Struts2 (due to OGNL injection), HTTP response splitting in Node, DOM XSS in Confluence, etc.
Senior Software Security Consultant
Nov. 2008 - Nov. 2011, Cigital Inc., Washington DC Area, US.
Security consultant until August 2010
As a Senior Consultant, Romain led the development of the security assessment lab within Cigital (now representing a good part of Cigital's revenue). Now that the assessment lab is operational, Romain provides technical and research leadership to security analysts by taking on the following roles:
- Technical Lead for multiple ongoing assessments. Provide guidance and technical expertise to analysts in the assessment lab.
- Client Coordinator interacting with clients to ensure projects run efficiently and smoothly. Interface between the clients and the assessment lab analysts for project coordination.
- Research Coordinator for all analysts of the lab. Develop and coordinate new research topics and tools such as binary analysis, static analysis tools, and hybrid analysis in the assessment lab. Romain is also a principal contributor to the research within the lab.
Romain worked on projects which cover the entire spectrum of software security testing including:
- Manual penetration testing. Romain has wide experience in penetration testing on different platforms and software. Romain has executed and led penetration tests on thick clients (from games under Windows to anti-virus under Mac OS X), mobile applications (iOS, BlackBerry and Android platforms), web services, and web applications.
- Architecture risk analysis. Romain analyzed solutions including real-time trading systems, cloud-based services, etc.
- Manual and automated code review on small to very large applications. Romain has reviewed source code for Fortune 500 customers, deployed static analysis tools across a nationwide bank network, and provided guidance to development teams on software weaknesses and remediation.
Romain also authored security knowledge standards such as attack patterns (CAPEC), and co-authored the Software Assurance Findings Expression Schema (SAFES).
Computer Security Scientist
May 2006 - Sept. 2008, NIST, Washington DC Area, US.
- Study the impact of static analysis tools (source code analysis) such as Coverity, Klocwork K7, Fortify SCA, etc.; contribute to the SAMATE Reference Dataset; study tool behavior on source code variations (creation of a PHP source manipulation and metrics computing tool, PHP-Ast/Oracle).
- Work on the evaluation methodologies of web application scanners such as Acunetix WVS, Cenzic Hailstorm, Watchfire AppScan, HP WebInspect, Paros Proxy, etc. (creation of a proof-of-concept minimum-bar web application scanner/hybrid tool: Grabber).
- Co-organizing the NIST Static Analysis Tool Exposition (SATE) 2008.
- Development of various websites: SAMATE Reference Dataset, SATE 2008's
Data-Mining and Computer Scientist
April 2005 - Sept. 2005, GERAD, Montreal, Canada.
I worked on automatic generation of conjectures and theorems for graph theory. I developed software in C++ with Qt and XML: "database on graph theory information", "automatic generation/refutation of conjectures and theorems" and "generation of a dissimilarity matrix".
I did this internship under the direction of Pierre Hansen and Gilles Caporossi from the Group for Research in Decision Analysis (GERAD), HEC, Montréal, Québec, Canada.
Community Projects
Papers and Talks
- R. Gaucher, Why haven't we stamped out XSS and SQLi yet?, RSA 2013
- V. Okun, R. Gaucher and Paul E. Black, "Static Analysis Tool Exposition (SATE) 2008", U.S. National Institute of Standards and Technology (NIST) Special Publication (SP) 500-279, June, 2009
- R. Gaucher, "Automated tools for security, the challenge 2.0?", Presentation, CSI 2008, Web 2.0 Summit, November 18, 2008, Washington DC, USA.
- R. Gaucher, "SATE 2008: Automated Evaluation", Presentation, PLDI 2008, Static Analysis Workshop, June 12, 2008, Tucson, AZ, USA.
- R. Gaucher, "Web Application Security Scanners: Problems and Solutions for testing the tools", Presentation, DHS Software Assurance Working Groups Session, Jan 31, 2008, Virginia, USA.
- R. Gaucher and E. Dalci, "Web Application Security Scanners: Building a test suite for the tools", Presentation, HICSS-41 Conference (IEEE), Jan 6, 2008, Hawaii, USA.
- E. Fong, R. Gaucher, V. Okun, E. Dalci and P. Black, "Building a Test Suite for Web Application Scanners", in Proceedings of HICSS-41 Conference (IEEE), Jan 7-10, 2008, Hawaii, USA.
- E. Fong and R. Gaucher, "Testing web application scanner tools", Presentation, Verify Conference 2007, Oct 30, 2007, USA.
- V. Okun, W. Guthrie, R. Gaucher and P. Black, "Effect of Static Analysis Tools on Software Security: Preliminary Investigation", in Proceedings of the 3rd International Workshop on Quality of Protection (QoP 2007), Oct 29, 2007, Alexandria VA, USA.
- P. Black, E. Fong, V. Okun and R. Gaucher, "Software Assurance Tools: Web Application Security Scanner, Functional Specification Version 1.0", NIST Special Publication 500-269, Aug. 29, 2007, USA.
- M. Koo, R. Gaucher and V. Okun, "Source Code Security Analysis Tool: Test Plan", NIST Special Publication 500-270, March 9, 2007, USA.
General Computer skills
- Languages: C/C++, Python, JavaScript, TypeScript, Java, Scala, PHP.
- Others: Used to be proficient in OpenGL, operational research, Matlab, FORTRAN, and MPI.
Education
- 2003-2006: Graduated from ISIMA, CS engineering school (MSc.), Clermont-Ferrand, France. Specialty in modeling and applied mathematics. Final year thesis: A least squares clusterwise regression heuristic using Variable Neighborhood Search (VNS).
- 2000-2003: Classes préparatoires (specific advanced classes: maths, physics and electronics) at Troyes, France.
- 2000: Baccalauréat in electronics at Troyes, France.
Languages
- French: Native
- English: Fluent