                                   === Kelby Ludwig ===
                               ==== Security Engineer ====
                              === kelbyludwig@gmail.com ===
                === https://kel.bz - @kelbyludwig - github.com/kelbyludwig ===
       |=------------------------------=[ Resume ]=--------------------------------=|

       ----[ About Me ]

       I am an Austin-based software engineer with expertise in security, cryptography
       engineering, as well as teaching and supporting others.

       ----[ Skills and Proficiency ]

       * Cryptography (Engineering)                                      [****- 4/5]

       * Cryptography (Mathematics)                                      [***-- 3/5]

       * Web Application Penetration Testing                             [****- 4/5]

       * Secure Code Review                                              [****- 4/5]

       * Python                                                          [****- 4/5]

       * Linux                                                           [***-- 3/5]

       ----[ Work Experience ]

       ------ [ Stripe - Software Engineer Security Infrastructure - Nov 2019

       At Stripe, I worked on the Security Infrastructure team which owns many of the
       core internal authorization controls at Stripe. This includes our internal
       permission management system as well as our service-to-service user credentials.
       My primary focus area at Stripe was on the user credentials where I led the
       design, implementation, pilot, and initial Stripe-wide rollout.

       ------ [ Cisco (Duo) - Tech Lead Security Engineering - Mar 2017 => Oct 2019

       At Duo, I was one of the original Engineers on the Security Engineering team.
       As a Security Engineer I supported Product and  Engineering teams by enabling
       them to easily ship secure software to our customers. This included:

       * Reviewing and contributing to software designs as a security expert.
       * Conducting research to investigate new classes of security issues.
       * Performing audits of our products to identify security issues.
       * Providing implementation guidance on common security problems.
       * Improving static analysis tools to better detect issues before deployment.
       * Providing secure-by-default framework APIs for Engineering teams.
       * Leading security defect incidents from triage to resolution.

       ------ [ Praetorian - Principal Security Engineer - Jan 2014 => Mar 2017

       At Praetorian, my primary responsibility was leading, managing, and executing
       application security assessments.  A majority of my engagement work  involved
       finding flaws in modern web applications; however, I have also  done software
       security work for many different tech stacks  and  platforms.  In addition to
       assessment work,  I was also responsible for assisting sales in closing deals
       and was a core contributor to Praetorian's recruiting team.

       ----[ Projects, Writing, Speaking, and Research ]

       ------ [ Attacks on SSO Systems 

       "Attacks on SSO Systems" was research that stemmed from a vulnerability class
       affecting SAML implementations that I discovered.  My initial discovery phase
       of this research led to six CVEs  affecting many SAML libraries.  I presented
       on this topic at BlackHat USA 2018 and AppSec USA 2018.

       Blog: https://duo.sc/saml-vuln
       BlackHat USA recording: https://youtu.be/Zjrty05REoc
       AppSec USA recording: https://youtu.be/h7ViO5YUuFA

       ------ [ Trudy & MITM-VM 

       Trudy is a modular and transparent TCP proxy written in Golang.  It was built
       to increase the efficiency of monitoring  &  modifying TCP-based protocols on
       proxy  unaware devices.  MITM-VM is a  Vagrant virtual  machine that provides
       proxy and  man-in-the-middle tooling,  as well as configures a virtual router
       that works well with Trudy.

       Trudy: https://github.com/praetorian-inc/trudy
       MITM-VM: https://github.com/praetorian-inc/mitm-vm

       ------ [ noyz 

       noyz is a Golang implementation of Trevor Perrin's  Noise protocol framework.
       noyz  also has  a  small application layer  with an API modeled  after Golang
       standard library networking interfaces.

       noyz: https://github.com/kelbyludwig/noyz

       ------ [ Otter 

       Otter is an extension for Burp Suite  that facilitates authorization testing.
       Its primary design goal is to make authorization testing for web applications
       as simple as browsing the application with a web browser.

       Otter: https://github.com/kelbyludwig/otter

       ------ [ CVE-2017-11424 

       CVE-2017-11424 is an issue I identified within the PyJWT Python library which
       could enable symmetric/asymmetric "key confusion" attacks against its users.

       The patch: https://github.com/jpadilla/pyjwt/pull/277

       ----[ Education and Training ]

       BS Computer Science - University of Texas at Austin - 2011 => 2015

       GIAC Web Application Penetration Tester (GWAPT) - 2015 => 2019