Fabien DUCHENE

FRANCE - global mobility

+33-970-444-513
f.duchene \'_'/ car-online.fr

Information Security Researcher

InfoSec Work Experience

	LIG (INRIA, Grenoble INP..) Jan 2011 - still active	PhD student in model-based security testing, Dir. Roland Groz - projects DIAMONDS, SPaCIoS combining formal methods, software testing and pentesting ones to optimize security test generation Blackbox, Model-based testing, attack graphs, attack patterns, fuzzing, model-inference vacant teacher at Ensimag: 4MMSR-Network Security, 5MMSSI-Information System Security
	Sogeti-ESEC Apr 2010 - Jan 2011	IT security consultant, European Security Expertise Center trained IT security professionals to conceive, implement and audit a Microsoft PKI (20 people) performed Active Directory security audit (12.000 users) and advised ISO 27002 measures secured a web infrastructure: firewalls, filtering proxies, VPN, MX, HIPS,DNS,syslog (1300 users) operated and improved L2 controls as the check step of an ISO 27001 initiative responded to calls for tenders: data leak prevention, patch management, log management, Web SSO
	Aug 2009 - Mar 2010	Intern: junior infrastructure and security architect, Technical and Security Head Dept performed lectures and trainings during TechDays 2010: identity management and protection (300 p.) extended a platform now running in 7 partners datacenters integrating security scenarios (20 servers) wrote a master thesis analyzing the Microsoft Forefront security products, for pre-sales teams use
	Prologin 2007	Finalist of the National Computer Science contest, IT Engineering Faculty Epita, Paris
	University projects Sep 2006 - Jun 2009	SOA architecture: realized the core of this web-services application, designed secure transactions Software Engineering: created a Java compiler. Realized some blackbox and whitebox test suites Artificial intelligence: improved a basic neural network model to recognize handwritten letters Distributed Systems: implemented an RDIR service, a DSM and a distributed mutex system
	Car-Online Jun 2005 - still active	Information systems outsourcing (startup created when I was 18) system and network architecture setting up for a distributed company (4 sites) created the car-online framework to develop shared functionnalities accross websites (10.000+ SLOC) took part to the analysis of importants projects : Auto-Flash(40.000€), RHB-Grenoble (700 users) VoIP,VPN, backup, strong authentication, secure wireless ; repaired and sold 90+ workstations, servers

Education: Engineer and PhD student in Computer Science

	PhD student, LIG, France Jan 2011 - still active	security test generation: Blackbox, Model-based testing, attack graphs, attack patterns, fuzzing, model-inference, evolutionary algorithms created the SecurIMAG information security club at Ensimag
	MSc,Grenoble INP-Ensimag-Telecom,France Jul 2006 - Apr 2010	Security and distributed systems: cryptography, software and systems engineering, networks, telecommunications. GPA: 14.31/20. Distinction
	Universidad Politécnica de Madrid, Spain Feb 2009 - Jul 2009	GPA:8/10 Majors: distributed operating systems, communicating systems engineering, parallel architecture processors
	The University of Queensland, Australia Jul 2008 - Dec 2008	33rd world ranked university. GPA: 5.8/7. Distinction SOA, Artificial Intelligence, DataMining, Network and computer Security
	Aux Lazaristes, CPGE, France Sep 2004 - Jul 2006	Mathematics, Physics for competitive entrance exams to Grandes Ecoles

InfoSec skills

	Methodology	Analyzing, conceiving and validating a data communication infrastructure Project, Change and People management ; Software engineering
	Security R&D	Reverse-Engineering: Windows kernel, applications: ASM x86-64, .Net Exploit: privilege escalation Forensics: Windows XP, Vista, 7, iOS 5, BitLocker
	Identity Management	Active Directory, ADCS PKI, Meta-directory Forefront Identity Manager, ADFS Web-SSO
	Security Audit	Technical: black-box pen-testing ; white-box configuration analysis and code review Data retrieval: backtrack,nmap ; Analysis ; Exploit: XSS,SQL injection,hash collisions,metasploit Risk (basics): EBIOS, ISO 27001, 27002
	Security infrastructure	Identity management: Active Directory, ADCS PKI, meta-directory FIM, ADFS Web SSO Data Leak Prevention: WebSense, digital rights RMS, partition encryption: BitLocker, TrueCrypt OS hardening: Windows 7, 2008 R2, Debian(GRSecurity,SamHain,AppArmor), Red-Hat, Mac OS Remote access: NAP, DirectAccess deperimeterization, proxy TMG 2010, UAG 2010 publishing Networks: 802.11, WPA2 Enterprise 802.1x, IPv6, IPSec, VoIP, NetASQ, Juniper, Cisco, Asterisk
	Infrastructure	Core: DNS, DHCP, Exchange 2010 messaging, postfix, Sharepoint 2007 portal, DFS-R Rationalization: virtualization SCVMM, App-V, cloud-computing, SCOM monitoring Workstation: WDS, SCCM deployment, WSUS patch management Remote access: NAP, DirectAccess deperimeterization, proxy TMG 2010, UAG 2010 publishing
	Software testing	Model-Based testing, Fuzzing, Model-Inference ; JUnit
	Software engineering	Python, Powershell, PHP, C#, C, Java, ASP.Net, Unix shell, Visual Studio, Eclipse, RegExp, SOA, UML

Publications

Fabien Duchene and Roland Groz and Sanjay Rawat and Jean-Luc Richier, "XSS Vulnerability Detection Using Model Inference Assisted Evolutionary Fuzzing", in the Third International Workshop on Security Testing (SECTEST), in association with the Fifth International Conference on Software Testing, Verification and Validation (ICST), Apr 2012

Teaching

	Lecturer, Ensimag Mar 2011 - still active	5MMSSI-Information Systems Security (2011-2012), Ensimag (lecturer) - CTF like exam! 1337 rulZ ;) 4MMSR-Network Security (2010-2012) - security research seminars, Ensimag (lecturer) 3MMRTEL-Communication networks (2011-2012), Ensimag (practical and theoretical exercises only)
	Lecturer, UJF Jan 2012 - still active	SAFE - Audit, Forensics and Threats (2012), UJF (lecturer)
	Trainer, ESEC Apr 2010 - Jan 2011	the Microsoft ADCS 2008 R2 PKI for the decider, implementer and pentester, Sogeti-ESEC
	Trainer, Microsoft Aug 2009 - Mar 2010	TechDays 2010, Paris, France: Forefront Identity Manager 2010, Forefront Protection: Suite 2010 and for Exchange Servers 2010
	Volunteer Jan 2007 - Jan 2009	~90 hours teaching of CS (OOP, JUnit tests, PHP) 5 students (France, Australia)

Conferences

TechDays 2010, Paris, France

FIM 2010 - Managing smart cards lifecycle, Philippe Beraud, Stéphane Méténier, Fabien Duchène

Forefront 2010 for protecting the messaging infrastructure, Stéphane Saunier, Cyril Voisin, F. D.

Forefront: Microsoft's vision of an integrated protection system, Cyril Voisin, Fabien Duchène

Cyber-Security Community

Gre-Hack:the first ethical hacking conference in Grenoble: mainly offensive security
SecurIMAG:co-creator of an ethical hacking club at Ensimag: challenges, lectures, tools, advising students

Invited Talks

Year 2012:* round table, ethical hacking: advances for consumers or worldwide threat? Grenoble, France

Former students

MSc students:none yet
BSc graduated:Ludovic Fanton (2010, Epitech, Sogeti-ESEC)

Interests

Teaching IT:helped 5 students to improve their knowledge. About 90 hours of teaching in France and in Australia
Sports:Scuba diving (Indonesia, Malaysia) Biking, Swimming, Jogging: 5h/week since 2007 ; former rugby player
Reading:Twitter, RSS, Blogs, Mag securs, MISC. Currently reading: Windows Internals, Cloud Security and privacy
Diverse:Car and motocycle driving license. Taste for travelling. Diverse open-source projects.

Languages

Spanish:Trips: Madrid(5 months), Malaga(1 month) ; working proficiency ; living with 3 spanish people
German:Studied for 10 years. high school level. basic proficiency
French:Native language ; Chinese:Beginner ; Portuguese:Beginner

References

Referees:Roland Groz, Researcher,Professor LIG,Ensimag - Claude Amiens, Sogeti-ESEC, security consultants manager - Cyril Voisin, Microsoft, Senior Security Advisor - S. Viardot, Ensimag, Academic Dean
Web:www.car-online.fr/en/spaces/fabien_duchene/