Hi, I'm Gerard

I'm a security specialist with a strong focus on web applications. I've been working in the industry for more than 10 years, performing Web Audits and Penetration Testing, but also as a full stack developer.

In my spare time I do security research and bug bounties, participate in capture the flag competitions and contribute to open source projects.

Services

  • Pentest
    Performing an in-depth analysis of your organization's security, vulnerabilities and weak points in all available environments and resources through a systematic testing process.
  • Web Security
    Deep-dive manual penetration testing, reporting and follow-up of your web applications' and web services' vulnerabilities, following the OWASP WSTG procedures.
  • Red Team
    Adversarial-based attack simulation to test the defenses of people, software and hardware of your organization, using real-life attack vectors.
  • Security Consultancy
    Helping businesses identify critical and data assets, providing technical solutions and assisting with compliance with the latest security certifications.
  • Workshops / Talks
    Raising the security awareness of your company with security presentations, educating through workshops, organizing capture the flag events and performing internal phishing scenarios.

Experience

2019-Current Freelance: Security Consultancy
Performing pentests as well as organising talks and workshops for different companies.
2015-2021 Endouble, Netherlands: Senior Security Specialist
Performing website pentests and full company security audits. Giving workshops and talks to increase employee security awareness. Planning and executing internal phishing campaigns and CTF events. Implementing security monitoring, alerting and protecting assets in an automated way. Complying with ISMS based on ISO27001.
2013-2015 Technology in Live, Spain: Lead developer
Designing and building school management software, including a school social network, real time device management for tablets, evaluation and qualification system and many others.
2010-2013 3fera, Spain: Full Stack Developer
Creating web applications for a large variety of clients. Successfully developed challenging projects, including a basketball manager web-browser game, social network platforms, and a multi-level community.

Projects

2021 SynScan
Automated asset discovery and vulnerability scanner for continuous auditing. The tool discovers domains, enumerates hosts, performs port scans, identifies services and versions, obtains dependencies from repositories and software used in websites, performs audit checks on all those assets, and compares the obtained data against up-to-date vulnerability databases, such as NIST.
2021 Pass
A password manager for teams built with Laravel. All the encryption and key generation happens on the client side. The server will NOT store any vault keys or users' secret keys.
2020 SigInt
Signals intelligence gathering by interception of WiFi, Bluetooth and GSM.
2020 Salmon
Open-Source Phishing Framework written in Laravel
2015 CMSDiff
PHP CLI tool to detect differences between CMS versions.

Achievements

2019 8th Recon Village CTF @ DEFCON 27
A 3-day OSINT (Open Source Intelligence) Capture the Flag competition.
2019 WPML - CSRF leading to RCE
Responsible disclosure of an Authenticated Cross-Site Request Forgery leading to Remote Code Execution in the WPML WordPress plugin.
2019 Speaker at II Tarragona Lawyer School Cyber Security Congress
Exposing top vulnerabilities and threats with practical examples.
2018 Microsoft Security Hall of Fame
Recognized for finding and reporting vulnerabilities.
2018 CCN-CERT CTF XII Finalist
Finalist in the Spanish National Intelligence Agency Capture the Flag in 2018.
2017 Hackron 2017 CTF Winner
Finalist in the Capture the Flag at the Hackron 2017 security conference.
2016 Speaker at Emerce Conference, Amsterdam
Annual event about online innovations for professionals in recruitment and HR.

CVEs

CVE-2021-30126
Lightmeter ControlCenter < 1.5.1 - Settings & Credentials exposure without authentication.
CVE-2020-10568
WP Sitepress Multilingual CMS WordPress Plugin (WPML) < 4.3.7-b.2 - Authenticated Cross-Site Request Forgery leading to Remote Code Execution.
CVE-2016-10990
WP Cerber Security <= 2.0.1.6 - Unauthenticated Stored XSS.
CVE-2015-9412
WP Royal Slider <= 3.2.6 - Authenticated Cross-Site Scripting (XSS).