Karla Burnett
hello@karla.io

Technical leader who dives deep into complicated problems to get them solved; security expert who works collaboratively with others to align on shared goals.


Work Experience

Stripe

Aug 2014 - Present

Staff Software Engineer

Tech lead: Context-Aware Data Access

Led a project to rearchitect the database query layer to prevent insecure direct object reference vulnerabilities. Found and patched more than a dozen existing vulnerabilities, and handed the project off, allowing it to complete successfully while I was on parental leave.

Tech lead: Security squad

Led a project to ensure that commands run against production infrastructure during incidents were appropriately logged and access controlled. Led a cross-functional team of senior engineers to develop a containerized solution allowing arbitrary code execution for critical incident remediation, while also enforcing security controls and meeting regulatory requirements.

Tech lead: User Security

Led a team responsible for authentication and authorization of site users. Rewrote the entire authorization stack to support SAML integrations for enterprise users, converted onboarding flows from Backbone to React, allowing new regulatory requirements to be fulfilled easily, and built account takeover protections and detections that dropped losses by 50%.

Tech lead: Data Products

Tech lead on a greenfield project of six engineers to add user-facing reporting functionality to the site. Developed the initial alpha and beta versions of Stripe Sigma, unlocking an entirely new reporting product line for the company, while also scaling and maintaining a large Elasticsearch cluster, going from once-a-month incidents to the ability to scalably increase capacity.

Security

Focused on application security: rewrote the site's user and session authentication layers, created new rate limiting infrastructure that has scaled through 30x growth, and orchestrated and ran internal phishing tests that changed the company's stance from focusing on training to focusing on technical defenses.

University of NSW

Feb 2010 - Jul 2014

Course Co-ordinator and Tutor, Computing 1

Organised five different tutorials for fifty high school students to take UNSW's first semester computer science course, teaching one of these groups myself. Students had differing levels of experience, from complete beginners to members of the Australian Informatics team. Responsible for marking assessments and exams, planning and running whole-course tutorials, and encouraging students in computer science activities.

NICTA

Oct 2013 - Feb 2014

Taste of Research Summer Scholar, Verification

Developed a tool for trace refinement based software verification. The tool would process a simple C-like language, intelligently calculating paths to explore, to determine whether a post-condition would hold given a certain pre-condition.

Google

Jul 2013 - Oct 2013

Software Engineering Intern, Security

Developed an XSS detection tool, details confidential.

Atlassian

Jul 2012 - Jan 2013

Student Developer, Security

As part of a newly formed team, worked on a number of different security-related development projects. These included a custom tool for detecting XSS in Velocity templates, and creating multiple proof of concept exploits for vulnerabilities from CSRF to remote code execution. Also spent time on the QA team, fixing a number of security issues in a large-scale enterprise issue tracker.


Speaking and Writing

2019 – Presenter at PyCon AU, Doing Irresponsible Things (Lightning talk)
2019 – Presenter at Hopper Down Under, 2 Factor, 4 Humans
2019 – Presenter at Deconstruct Conf, 2 Factor, 4 Humans
2019 – Presenter at IT-Defense, When I grow up
2018 – Presenter at NorthSec, Ichthyology: Phishing as a Science
2018 – Presenter at !!Con, Storytelling with traceroute!
2017 – Presenter at the Grace Hopper Celebration, Ichthyology: Phishing as a Science
2017 – Presenter at BlackHat, Ichthyology: Phishing as a Science
2017 – Presenter at Circle City Con, Ichthyology: Phishing as a Science
2015 – Author of SSL: it's hard to do right
2014 – Co-author of Summary-Based Interprocedural Analysis via Modular Trace Refinement
2014 – Member of Ruxcon presentation committee
2012 – Presenter at Ruxcon, Reverse Engineering a Mass Transit Ticketing System


Education

Deaf Society of NSW

Jul 2017 - Dec 2019

Certificate III, IV, and Diploma in Auslan

Achieved the highest level of language certification available for Auslan, indicating the ability to easily converse in a range of settings, from professional to personal.

University of NSW

Sydney, Australia
Feb 2011 - Jul 2014

Bachelor of Computer Science

Graduated with a High Distinction average (GPA 4.0).

Majored in database systems, but focused on security side projects, courses on distributed systems, and how to write maintainable code.

Deaf Society of NSW

Feb 2012 - Jul 2012

Certificate II in Auslan

Gained basic competence in everyday Auslan (Australian sign language), and an understanding of the culture and history of the Deaf community of Australia.


Languages

Python, Ruby, Bash, C, Go, Java, Scala
Assorted assembly languages (x86, x86-64, ARM)
Assorted web technologies (HTML, CSS, JavaScript, CoffeeScript, React)