Kelly's talk info
lkuper committed Nov 20, 2023
1 parent 61f4645 commit 033198c
Showing 1 changed file with 6 additions and 4 deletions.
10 changes: 6 additions & 4 deletions content/lsd-seminar/2023fa.md
Expand Up @@ -26,7 +26,7 @@ Talks will be advertised on the [ucsc-lsd-seminar-announce](https://groups.googl
| [Oct. 27](#oct-27) | Elaine Li | Multiparty Session Type Projection and Subtyping with Automata |
| [Nov. 3](#nov-3) | Karine Even-Mendoza | GrayC: Greybox Fuzzing of Compilers and Analysers for C |
| [Nov. 17](#nov-17) | Suha S. Hussain | MLFiles: Using Input-Handling Bugs to Inject Backdoors Into Machine Learning Pipelines |
| [Dec. 1](#dec-1) | Kelly Kaoudis | TBD |
| [Dec. 1](#dec-1) | Kelly Kaoudis | Systems security in practice: threat modelling at Trail of Bits |
| [Dec. 8](#dec-8) | Susan Tan | TBD |

# Sept. 29
Expand Down Expand Up @@ -193,11 +193,13 @@ worked at the NYU Center for Cybersecurity and Vengo Labs.

**Speaker:** Kelly Kaoudis

**Title:** TBD
**Title:** Systems security in practice: threat modelling at Trail of Bits

**Abstract:** TBD
**Abstract:** Every system user and engineer has a different threat model, and a different understanding of the systems and applications they use or work on. Failure to unify these bodies of knowledge leads to not sufficiently considering weaknesses of the system and threats to it; this leads to surprise when an attacker exploits these weaknesses, which leads to incident response (and sometimes also sadness). Holistic threat modelling informs and enables making good system-level security decisions to minimize potential attack vectors. During a threat modelling engagement, Trail of Bits aims to methodically enumerate as many in-scope, system-level risks and weaknesses as possible. "System-level" here means architectural, design-level, or operational gaps in the client's security posture. We use concrete examples in the form of threat scenarios and findings to show the client (rather than tell them) the insufficiently applied security controls we have identified, and to illustrate the risk implications of the lack of those security controls.

**Bio:** TBD
In this talk, I will present some of the interesting findings we've uncovered during previous (published) threat modelling engagements. Using examples from engagement reports to motivate each step, I will walk through the threat modelling process at Trail of Bits, and also talk about how our process can be useful in academic security work.

**Bio:** Kelly Kaoudis is a senior security engineer in the Research practice at Trail of Bits. She is a tech lead for threat modelling engagements, and contributes to Trail's academic and industry research projects including open source parser and file formats analysis tooling. Prior to Trail of Bits, Kelly was the tech lead for Twitter's application security team, and a graduate student in the Networking and Security (NSR) group at University of Colorado Boulder with Prof. Eric Keller. She received an MS in computer science from University of Colorado - Boulder in 2015.

# Dec. 8
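
Review bot: The added Bio line writes the university two ways, "University of Colorado Boulder" and "University of Colorado - Boulder"; pick one form and use it in both places. In the same line the abbreviation "(NSR)" has an R that the expansion "Networking and Security" does not account for, so either the group name is missing a word or the abbreviation should be dropped. The abstract also refers to "previous (published) threat modelling engagements" without pointing to them; a link to where those reports are published would let seminar attendees read them ahead of the talk.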
