
Florian Stosse

Information security engineer

Safran Data Systems

ESIEA Paris

About me

Hi, I’m Florian Stosse, just another information security engineer!

I currently work at Safran Data Systems (a Safran Electronics & Defense subsidiary), in the Space & Communications business unit. I focus on hardening and securing our embedded Windows 7 and 10 platforms, among other cool things :)

Previously, in October 2018, I started a PhD thesis at CEA-List and ANSSI to work on formal methods applied to software security. More specifically, I was working on software defenses and hardening against hardware vulnerabilities, such as Spectre and Meltdown, using sound static analysis tools (Frama-C in particular).

My thesis was under the supervision of Julien Signoles (CEA), and my advisors were Patricia Mouy (ANSSI) and Florent Kirchner (CEA).

Unfortunately, we had to put a stop to the thesis, but hey, that’s life!

Before that, I graduated in August 2018 from ESIEA Paris, a French computer engineering school. During my graduate studies, I was an apprentice at Bureau Veritas’ R&D center in La Défense, Paris.

I worked in the RAMS department, and my main areas of work were:

  • software security (e.g. static analysis, SDLC),
  • connected/autonomous vehicles security (e.g. ISO 21434 for automotive security engineering),
  • and industrial systems security (e.g. IEC 62443 certification).

Do not hesitate to get in touch if you want to chat about these topics (or anything else, really)!

Interests

  • Information security
  • Windows security & hardening
  • Software security
  • Vehicles security

Education

  • M.Sc. in Information Security, 2015/2018

    ESIEA, Paris, France

  • Associate's degree in Computer Science, 2012/2014

    University of Lorraine, Metz, France

Work experience

Information security engineer

Safran Data Systems

June 2019 – Present, Paris

Space & Communications business unit.

My main activities are:

  • Hardening of embedded Windows 7 & 10 platforms

  • Vulnerability and compliance scans with Nessus

  • Development, test and integration of new security solutions and architecture

  • Technical referent on Operating Systems and Security matters

  • Level 3 support on Operating Systems and Security matters

  • Security tools integration in CI/CD pipelines

    • Static analysis
    • Compiler build configuration hardening (e.g. sanitizers, stack canaries, CFG)

PhD student

ANSSI - National Cybersecurity Agency of France

October 2018 – April 2019, Paris

Thesis subject: software countermeasures against vulnerable hardware platforms.

Study of formal methods and countermeasures applicable to secure execution on vulnerable hardware platforms (e.g. Spectre & Meltdown vulnerabilities):

  • State of the art of existing countermeasures (LFENCE, Speculative Load Hardening, …)
  • Impact study: generated code size, performance overhead, residual risk, …
  • Proof-of-Concept of a detection and remediation plug-in using static analysis for the Frama-C platform: detection of Spectre v1 vulnerable branches and automatic insertion of countermeasures
  • Literature monitoring on software and side channels security.
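To make the bullet points above concrete, here is an added example (written for this page, not code from the thesis or from the Frama-C plug-in) of the bounds-check pattern a Spectre v1 detector looks for, next to the two countermeasures named in the list: an LFENCE barrier after the check, and branchless index masking in the spirit of Speculative Load Hardening. The arrays and their contents are constructed sample data; the fallback to a plain compiler barrier on non-x86 targets is an assumption made only so the example builds everywhere.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample data: the array whose index is bounds-checked, and the
 * probe array whose cache lines would leak the speculatively read byte. */
#define ARRAY1_SIZE 16
#define CACHE_LINE  64
static uint8_t array1[ARRAY1_SIZE] = {1, 2, 3, 4, 5, 6, 7, 8,
                                      9, 10, 11, 12, 13, 14, 15, 16};
static uint8_t array2[256 * CACHE_LINE];
static volatile uint8_t sink;

/* Classic Spectre v1 gadget: the branch may be predicted "taken" for an
 * out-of-bounds x, so array1[x] is read and used as an index into array2
 * (a secret-dependent load) before the misprediction is resolved. */
uint8_t victim_unhardened(size_t x)
{
    if (x < ARRAY1_SIZE) {
        sink = array2[array1[x] * CACHE_LINE];
        return array1[x];
    }
    return 0;
}

/* Countermeasure 1: a serializing LFENCE right after the check keeps the
 * dependent loads from issuing until the branch has resolved. On non-x86
 * targets this example degrades to a compiler barrier only (assumption). */
static inline void speculation_barrier(void)
{
#if defined(__x86_64__) || defined(__i386__)
    __asm__ __volatile__("lfence" ::: "memory");
#else
    __asm__ __volatile__("" ::: "memory");
#endif
}

uint8_t victim_lfence(size_t x)
{
    if (x < ARRAY1_SIZE) {
        speculation_barrier();
        sink = array2[array1[x] * CACHE_LINE];
        return array1[x];
    }
    return 0;
}

/* Countermeasure 2: branchless index masking (the idea behind Speculative
 * Load Hardening). The mask is all ones when index < size and zero otherwise,
 * computed with arithmetic rather than a predictable branch, so a
 * mispredicted path reads array1[0] instead of out-of-bounds memory. */
size_t index_mask_nospec(size_t index, size_t size)
{
    /* index | (size - 1 - index) has its top bit set iff index >= size;
     * complement and arithmetic-shift it into a 0 / all-ones mask. */
    return (size_t)(~(intptr_t)(index | (size - 1 - index))
                    >> (sizeof(size_t) * 8 - 1));
}

uint8_t victim_masked(size_t x)
{
    if (x < ARRAY1_SIZE) {
        x &= index_mask_nospec(x, ARRAY1_SIZE); /* unchanged architecturally, 0 under misspeculation */
        sink = array2[array1[x] * CACHE_LINE];
        return array1[x];
    }
    return 0;
}

int main(void)
{
    size_t probes[] = {0, 3, 15, 16, 1000};
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        printf("x=%4zu  unhardened=%3u  lfence=%3u  masked=%3u  mask=%#zx\n",
               probes[i], victim_unhardened(probes[i]), victim_lfence(probes[i]),
               victim_masked(probes[i]), index_mask_nospec(probes[i], ARRAY1_SIZE));
    }
    return 0;
}
```

All three variants return the same architectural results; the difference lies only in what a cache side channel can observe while the branch is mispredicted, which a functional test cannot show. What a static detector such as the plug-in described above matches is the shape of `victim_unhardened`: a bounds check guarding a load whose result feeds a second memory access.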

Computer security engineer

Bureau Veritas

September 2015 – September 2018, La Défense, Paris

Working in the Safety department of our European Technical Center (R&D center) on various security-related activities, such as:

  • Connected vehicles and autonomous vehicles security:

    • Co-writer of the BV-CARCYBERSEC-001 guidelines: “Cybersecurity for connected cars: best practices”
    • Bureau Veritas’ representative at ISO 21434 (“Automotive Cybersecurity Engineering”) Joint Working Group
    • Cybersecurity and safety common process design for automotive manufacturer (based on SAE J3061 & ISO 26262)
    • Security audit of an autonomous shuttle, deployed in a sensitive production environment
    • Developed a set of security requirements and an audit methodology for autonomous vehicle security (SESNA Project)
  • Embedded systems (IoT) and industrial systems (SCADA/ICS) security

    • IEC 62443 audits & certifications
    • IoT products security assessment
  • Software security

    • Static code analysis (with Frama-C)
    • Co-writer of the BV-SW200 guidelines: “Cybersecurity Guidelines for Development & Assessment of Software”

Internship - Embedded systems

Luxembourg Institute of Science and Technology (LIST)

May 2014 – August 2014, Luxembourg

Internship subject: use of a multi-sensor ad-hoc network to improve indoor positioning of mobile users.

Embedded system (LEGO Mindstorms EV3) programming in Java (leJOS framework). The goal was to build and program the robot to navigate inside a previously unknown room, in order to map its Wi-Fi and Bluetooth coverage.

The data would later be used to perform indoor positioning on a smartphone (using Wi-Fi RSSI, see the HORUS system). The robot had to avoid obstacles and report them. I implemented the following parts:

  • Navigation and guidance systems
  • Infrared and ultrasonic sensors data acquisition

Publications

Guidelines for secure software development

With the emerging concerns about industrial cybersecurity and the ever-growing importance of software development for innovative fields …

BV-SW-200 : Cybersecurity Guidelines for Software Development & Assessment

This technical guide emphasizes a set of security objectives addressed to software developers and highlights good practices to be …

Interview: what's next for connected vehicles security?

Following the publication of our work regarding the security of connected vehicles, I was solicited by Sentryo, a French company …

Improving and managing cybersecurity in connected vehicles

Recent news-breaking attacks demonstrated a lack of readiness and foresight of the cybersecurity threat in the automotive industry. New …

BV-CARCYBERSEC-001 : Cybersecurity of connected vehicles – Best practices

Recent news-breaking attacks demonstrated a lack of readiness and foresight of the cybersecurity threat in the automotive industry. New …

Miscellaneous

Certifications

MOOCs

I try to always learn something new, fun and/or useful! I rely a lot on MOOCs to do so, and I had the opportunity to follow these ones so far: