Romain Gaucher

CTO

Anglet, Nouvelle-Aquitaine, France

20 yrs 4 mos experience

Key Highlights

  • Expert in scaling security research with AI.
  • Led development of static analysis tools.
  • Proven track record in security assessments.

Skills

  • Python
  • Penetration Testing
  • Application Security
  • Computer Security
  • Security
  • Web Application Security
  • Java
  • Apache
  • XML
  • JavaScript
  • Code Review
  • C++

About

Experienced security leader with a focus on automated methods and scaling them.

Experience

Semgrep

2 roles

Head of Security Research

Promoted

Jul 2025 - Present · 9 mos

  • Agentic AI for security. Scaling security research.

Principal Security Researcher

Aug 2023 - Jul 2025 · 1 yr 11 mos

  • Agentic AI for security research and static analysis

Meta

Security Engineering Manager

Feb 2022 - Aug 2023 · 1 yr 6 mos

  • Support and direction for teams of native and web security engineers (spanning Oculus and WhatsApp to Zoncolan/Pysa security engineers). Led workgroups for metrics (surface prioritization framework, static analysis maturity model) and re-prioritized team focus (cut scope after reorg).

Synopsys Inc.

2 roles

Principal Security Researcher and Senior Manager, Software Integrity Group

Promoted

Sep 2012 - Feb 2022 · 9 yrs 5 mos

  • Principal Security Researcher and Head of the Security Research Lab, Synopsys. Research, design, and implementation of key components of Coverity static analysis for web and mobile security. Managed the security research team.
  • Achievements:
      • Trained and scaled security research for static analysis models, framework understanding, and security checkers (20+ developers/researchers) across programming languages
      • Developed facilities to generate, develop, and maintain models
      • Developed/maintained an in-house higher-level modeling language and its compiler
  • Technical achievements (and/or patents):
      • Initial architecture and implementation of a new, snappy static analysis engine (now Rapid Scan Static) in Rust
      • Automated analysis and detection of unsafe injection sites in JavaScript templates (P)
      • Automated context-specific remediations (P)
      • Framework analysis
      • Hybrid analysis for sanitizers
      • Precise analysis of injection issues with security constraints
  • Specialities:
      • Static analysis
      • Fuzzing
      • Security analysis
      • Framework understanding
      • Static analysis of dynamic languages

Sr. Security Researcher for Coverity

Dec 2011 - Sep 2012 · 9 mos

  • I'm essentially the bridge between application security and program analysis.
  • Based on our latest press release, I can tell that I prototyped and researched at least the following areas:
      • whitebox fuzzing for Java programs
      • frameworks analysis
      • precise analysis for SQLi and XSS
      • actionable remediation and code fix generation

Cigital

2 roles

Senior Security Consultant

Promoted

May 2010 - Nov 2011 · 1 yr 6 mos

  • As a Senior Consultant, Romain led the development of the security assessment lab within Cigital. Now that the assessment lab is operational, Romain provides technical and research leadership to security analysts by taking on the following roles:
      • Technical Lead for multiple ongoing assessments. Provides guidance and technical expertise to analysts in the assessment lab.
      • Client Coordinator interacting with clients to ensure projects run efficiently and smoothly. Interface between the clients and the assessment lab analysts for project coordination.
      • Research Coordinator for all analysts of the lab. Develops and coordinates new research topics and tools such as binary analysis, static analysis tools, and hybrid analysis in the assessment lab. Romain is also a principal contributor to the research within the lab.
  • Romain worked on projects which cover the entire spectrum of software security testing, including:
      • Manual penetration testing. Romain has wide experience in penetration testing on different platforms and software. Romain has executed and led penetration tests on thick clients (from games under Windows to anti-virus under Mac OS X), mobile applications (iOS, BlackBerry and Android platforms), web services, and web applications.
      • Architecture risk analysis. Romain analyzed solutions which include real-time trading systems, cloud-based services, etc.
      • Manual and automated code review on small to very large applications. Romain has reviewed source code for Fortune 500 customers, deployed static analysis tools across a nationwide bank network, and provided guidance to development teams on software weaknesses and remediation.
  • Romain also authored security knowledge standards such as attack patterns (CAPEC), and co-authored the Software Assurance Findings Expression Schema (SAFES).

Security consultant

Oct 2008 - May 2010 · 1 yr 7 mos

  • Architectural risk analysis, threat modeling, code review (security/quality, automated and/or manual)
  • Penetration testing of web applications, mobile applications, online games (MMORPG), software, etc.
  • Data analysis: helped customers understand their data better (descriptive, exploratory, data-mining), with a focus on system security and fraud detection

Web Application Security Consortium

Officer

Jan 2008 - Present · 18 yrs 3 mos

OWASP France

Security Evangelist

Jan 2008 - Feb 2010 · 2 yrs 1 mo

NIST

Computer scientist/Guest researcher: software assurance tools

May 2006 - Sep 2008 · 2 yrs 4 mos

  • Co-organizer and evaluator of the NIST Static Analysis Tool Exposition 2008 (SATE) <http://samate.nist.gov/index.php/SATE>
  • Developed several source code metrics and performed statistical analysis of tool behavior, such as "number of findings".
  • Studied the impact of static analysis tools (source code analysis) such as Coverity, Klocwork K7, Fortify SCA, FindBugs, etc.; contributed to the SAMATE Reference Dataset; studied tool behavior on source code variations (creation of the PHP-Ast/Oracle project).
  • Worked on evaluation methodologies for web application scanners such as Acunetix WVS, Cenzic Hailstorm, Watchfire AppScan, HP WebInspect, etc. (creation of a proof-of-concept minimum-bar web application scanner/hybrid tool: Grabber <http://rgaucher.info/beta/grabber/>).

GERAD

Computer scientist/researcher: data mining/theorem proving

Apr 2005 - Sep 2005 · 5 mos

  • Worked on automatic generation of conjectures and theorems of graph theory.
  • Developed software in C++/Python (Qt, XML, GiNaC):
      • Database of graph theory information
      • Data mining: automatic generation/refutation of conjectures and theorems in graph theory (working with invariants)
      • Automation software for operational research heuristics
  • Research with Pierre Hansen and Gilles Caporossi, HEC Montreal/GERAD

Education

ISIMA

M.Sc. — Computer Science and Applied Mathematics

Jan 2003 - Jan 2006

Preparatory school

Preparatory school validation — Maths and Physics

Jan 2000 - Jan 2003
