=== Kelby Ludwig ===
==== Security Engineer ====
=== kelbyludwig@gmail.com ===
=== https://kel.bz - @kelbyludwig - github.com/kelbyludwig ===
|=------------------------------=[ Resume ]=--------------------------------=|
----[ About Me ]
I am an Austin-based software engineer with expertise in security and cryptography
engineering, as well as in teaching and supporting others.
----[ Skills and Proficiency ]
* Cryptography (Engineering) [****- 4/5]
* Cryptography (Mathematics) [***-- 3/5]
* Web Application Penetration Testing [****- 4/5]
* Secure Code Review [****- 4/5]
* Python [****- 4/5]
* Linux [***-- 3/5]
----[ Work Experience ]
------ [ Stripe - Software Engineer Security Infrastructure - Nov 2019
At Stripe, I worked on the Security Infrastructure team which owns many of the
core internal authorization controls at Stripe. This includes our internal
permission management system as well as our service-to-service user credentials.
My primary focus area at Stripe was on the user credentials, where I led the
design, implementation, pilot, and initial Stripe-wide rollout.
------ [ Cisco (Duo) - Tech Lead Security Engineering - Mar 2017 => Oct 2019
At Duo, I was one of the original Engineers on the Security Engineering team.
As a Security Engineer I supported Product and Engineering teams by enabling
them to easily ship secure software to our customers. This included:
* Reviewing and contributing to software designs as a security expert.
* Conducting research to investigate new classes of security issues.
* Performing audits of our products to identify security issues.
* Providing implementation guidance on common security problems.
* Improving static analysis tools to better detect issues before deployment.
* Providing secure-by-default framework APIs for Engineering teams.
* Leading security defect incidents from triage to resolution.
------ [ Praetorian - Principal Security Engineer - Jan 2014 => Mar 2017
At Praetorian, my primary responsibility was leading, managing, and executing
application security assessments. A majority of my engagement work involved
finding flaws in modern web applications; however, I have also done software
security work for many different tech stacks and platforms. In addition to
assessment work, I was also responsible for assisting sales in closing deals
and was a core contributor to Praetorian's recruiting team.
----[ Projects, Writing, Speaking, and Research ]
------ [ Attacks on SSO Systems
"Attacks on SSO Systems" was research that stemmed from a vulnerability class
affecting SAML implementations that I discovered. My initial discovery phase
of this research led to six CVEs affecting many SAML libraries. I presented
on this topic at BlackHat USA 2018 and AppSec USA 2018.
Blog: https://duo.sc/saml-vuln
BlackHat USA recording: https://youtu.be/Zjrty05REoc
AppSec USA recording: https://youtu.be/h7ViO5YUuFA
------ [ Trudy & MITM-VM
Trudy is a modular and transparent TCP proxy written in Golang. It was built
to increase the efficiency of monitoring and modifying TCP-based protocols on
proxy-unaware devices. MITM-VM is a Vagrant virtual machine that provides
proxy and man-in-the-middle tooling, as well as configuring a virtual router
that works well with Trudy.
Trudy: https://github.com/praetorian-inc/trudy
MITM-VM: https://github.com/praetorian-inc/mitm-vm
------ [ noyz
noyz is a Golang implementation of Trevor Perrin's Noise protocol framework.
noyz also has a small application layer with an API modeled after Golang
standard library networking interfaces.
noyz: https://github.com/kelbyludwig/noyz
------ [ Otter
Otter is an extension for Burp Suite that facilitates authorization testing.
Its primary design goal is to make authorization testing for web applications
as simple as browsing the application with a web browser.
Otter: https://github.com/kelbyludwig/otter
------ [ CVE-2017-11424
CVE-2017-11424 is an issue I identified within the PyJWT Python library which
could enable symmetric/asymmetric "key confusion" attacks against its users.
The patch: https://github.com/jpadilla/pyjwt/pull/277
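As an added illustration of the defence against the key confusion class above (example code written here, not taken from the resume or from PyJWT): the verifier, not the token's "alg" header, decides which algorithm and key type are used, so an HS256 token minted over a server's RSA public key is rejected before any HMAC is computed. Key material and tokens are constructed placeholders; only HS256 is implemented.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample keys (placeholders, not real key material).
SECRET = b"constructed-shared-secret"
PUBLIC_KEY = b"-----BEGIN PUBLIC KEY-----\nCONSTRUCTED-PLACEHOLDER\n-----END PUBLIC KEY-----\n"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(payload: dict, key: bytes) -> str:
    """Mint an HS256 token; used only to build the sample inputs below."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes, expected_alg: str):
    """Return (ok, payload_or_reason). The caller pins expected_alg; a header
    'alg' that differs is rejected before the key is touched, which is what a
    header-trusting verifier fails to do."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, json.JSONDecodeError):
        return False, "malformed token"
    if not isinstance(header, dict):
        return False, "malformed token"
    if header.get("alg") != expected_alg:
        return False, f"alg mismatch: header={header.get('alg')!r} expected={expected_alg!r}"
    if expected_alg != "HS256":
        # RS256 verification would go here and must use the RSA public key
        # with RSA signature verification, never as an HMAC secret.
        return False, f"{expected_alg} verification not implemented in this example"
    expected_sig = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        return False, "bad signature"
    return True, json.loads(_b64url_decode(body_b64))


# A legitimate HS256 token, and a key-confusion token (HS256 over the public key).
GOOD_TOKEN = sign_hs256({"sub": "alice"}, SECRET)
CONFUSED_TOKEN = sign_hs256({"sub": "admin"}, PUBLIC_KEY)
```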
----[ Education and Training ]
BS Computer Science - University of Texas at Austin - 2011 => 2015
GIAC Web Application Penetration Tester (GWAPT) - 2015 => 2019