OWASP New Zealand Day 2019

21st and 22nd February 2019 - Auckland

= Introduction =

We are proud to announce the tenth OWASP New Zealand Day conference, to be held at the University of Auckland on Friday, February 22nd, 2019. OWASP New Zealand Day is a one-day conference dedicated to information security, with an emphasis on secure architecture and development techniques to help Kiwi developers build more secure applications.

Who is it for?

 * Web Developers: There will be a choice of two streams in the morning. Talks in the first stream will include introductory talks on information security, while those in the second stream will address deeper technical topics. Afternoon sessions will cover offensive security in stream one, and continue with deeper technical topics in stream two.
 * Security Professionals and Enthusiasts: Technical sessions later in the day will showcase new and interesting attack and defence topics.

Conference structure
Date: Friday, 22 February 2019
Time: 9:30am - 6:00pm
Cost: Free

The main conference is on Friday, the 22nd of February, and will have two streams in both the morning and the afternoon.

Training
In addition to the main conference on Friday, we are pleased to offer opportunities for application security-related training on Thursday (21 February), at the same venue. The Call for Training is currently open, and details on the training sessions selected will appear below as they are finalised.

General
The tenth OWASP New Zealand Day will be happening thanks to the support provided by the University of Auckland, which will kindly offer the same facilities as those we used in 2018. Entry to the event will, as in the past, be free.

For any comments, feedback or observations, please don't hesitate to contact [mailto:john.dileo@owasp.org us].

Registration
Registration is not yet open. Please join our low-volume mailing list to be notified when registration opens, and/or follow us on Twitter (@owaspnz).

There is no cost for the main conference day. Currently, we are planning to provide morning and afternoon tea; however, this is subject to meeting our sponsorship goals for the event. Spaces are limited, so we do ask that, if at any point you realise you will not be able to attend, you cancel your registration to make room for others.

Important dates

 * CFP submission deadline: 21st December 2018
 * CFT submission deadline: 21st December 2018
 * Conference Registration deadline: 14th February 2019
 * Training Registration deadline: 14th February 2019
 * Training Day date: 21st February 2019
 * Conference Day date: 22nd February 2019

For those of you booking flights, ensure you can be at the venue by 9:00am. The conference will end by 6:00pm. However, we will have post-conference drinks at a local drinking establishment for those interested. We are planning to hold a special event on Thursday evening for speakers, trainers, and conference volunteers - more details on that to follow.

Places to eat & drink on the day
 * Coffee cart and selection of snacks next to the reception on the ground floor - this is the closest, but will probably have long lines
 * Mojo Symonds - also on campus
 * Shakey Isles - coffee and food across the road on the corner of Symonds & Alfred St
 * The CBD - walk up and over Albert Park to get to the CBD, with many great food options
 * Fort Street has burgers, kebabs, and KFC
 * High Street & Lorne Street have lots of little cafes and restaurants
 * Subway, Starbucks, St. Pierre's Sushi & Pita Pit - walk up Symonds Street
 * Vulture’s Lane is a popular pub with the InfoSec crowd; there are more seats downstairs
 * The Bluestone Room - also a popular pub, just across Queen St

Conference Sponsors
Conference Host:

Platinum Sponsors:

Gold Sponsors:

Silver Sponsors:

Supporting Sponsors:

Conference Committee

 * John DiLeo - Conference Chair, OWASP New Zealand Leader (Auckland)
 * Brendan Seerup - Sponsorships and Promotion
 * Lech Janczewski - Conference Host Liaison - Associate Professor, University of Auckland School of Business
 * YOU - We are looking for volunteers to help make this our most successful conference yet!

Please direct all enquiries to john.dileo@owasp.org

OWASP NZ on Twitter (https://twitter.com/owaspnz)

= Training =

In addition to the main conference on Friday, we are pleased to provide opportunities for individuals/vendors to present training on Thursday, at the same venue. We are able to accommodate a maximum of four (4) concurrent training sessions. The Call for Training is currently open, and details will be provided here as selections are finalised. Training fees are $250 for half-day sessions, and $500 for full-day sessions.

= Call For Presentations =

The Call for Presentations is now open, and will close on Friday, 21st December.

OWASP New Zealand Day conferences attract a high quality of speakers from a variety of security disciplines, including architects, Web developers and engineers, system administrators, penetration testers, policy specialists and more.

We would like a variety of technical levels in the presentations submitted, corresponding to the three focus areas of the conference:

Track One:

 * Introductions to various Information Security topics, and the OWASP projects
 * Policy, Compliance and Risk Management

Track Two:

 * Technical topics

Introductory talks should appeal to an intermediate to experienced software developer, without requiring a solid grounding in application security or knowledge of OWASP projects. These talks should be engaging, encourage developers to learn more about information security, and give them techniques that they can immediately return to work and apply to their jobs.

This being an OWASP conference, the selection process for talks in Track One will give priority to those related to OWASP's Projects, Tools, and Guidance (check out the current [OWASP Project Inventory](https://www.owasp.org/index.php/Category:OWASP_Project#tab=Project_Inventory) for more information). If multiple submissions are received related to the same OWASP Project/Tool, preference will be given to speakers actively involved as leaders or members of the respective project teams.

Technical topics run all day and should appeal to two audiences - experienced software security testers or researchers, and software developers who have an “OWASP Top Ten” level of understanding of web attacks and defences. You could present a lightning, short or long talk on something you have researched, developed yourself, or learnt in your travels. Ideally the topics will have technical depth or novelty, so that the majority of attendees learn something new.

We would also like to invite talks that will appeal to those interested in the various non-technical topics that are important in our industry. These talks could focus on the development of policies, dealing with compliance obligations, managing risks within an enterprise, or other issues that could appeal to those in management roles.

We encourage presentations to have a strong component on fixing and preventing security issues. We are looking for presentations on a wide variety of security topics, including but not limited to:

 * Web application security
 * Mobile security
 * Cloud security
 * Secure development
 * Vulnerability analysis
 * Threat modelling
 * Application exploitation
 * Exploitation techniques
 * Threat and vulnerability countermeasures
 * Platform or language security (JavaScript, NodeJS, .NET, Java, RoR, Python, etc)
 * Penetration Testing
 * Browser and client security
 * Application and solution architecture security
 * PCI DSS
 * Risk management
 * Security concepts for C*Os, project managers and other non-technical attendees
 * Privacy controls

Submissions will be reviewed by the OWASP New Zealand Day conference committee, and the highest-voted talks will be selected and invited for presentation.

PLEASE NOTE:

 * Due to the limited budget available, expenses for international speakers cannot be covered.
 * If you are selected as a speaker, and your company is willing to cover travel and accommodation costs, the company will be recognised as a "Supporting Sponsor" of the event.

Please submit your presentation on PaperCall.

Submissions deadline: 21st December 2018

Applicants will be notified in the week following the deadline, whether they were successful or not.

= Call For Trainers =

We are happy to announce that training will run on Thursday, 21 February 2019, the day before the OWASP NZ Day conference. The training venue will be Level 0, Rooms: case rooms 1(005), 2(057), 3(055), and 4(009), kindly provided by the University of Auckland School of Business, in the same building as the OWASP NZ Day conference itself. Classes can contain up to 69 students, with power for laptop usage and Wi-Fi. A wide range of half-day or full-day training proposals will be considered; see the Call for Papers for a list of example topics.

If you are interested in running one of the training sessions, please contact John DiLeo with the following information:

 * Trainer name
 * Trainer organisation
 * Telephone + email contact
 * Short Trainer bio
 * Training title
 * Trainer requirements (e.g. a projector, whiteboard, etc)
 * Trainee requirements (e.g. laptop, VMware/VirtualBox, etc)
 * Training summary (less than 500 words)
 * Target audience (e.g. testers, project managers, security managers, web developers, architects)
 * Skill level required (Basic / Intermediate / Advanced)
 * What attendees can expect to learn (key objectives)
 * Short course outline

The fixed price per head for training will be $250 for a half-day session and $500 for a whole-day session. As this training is part of an OWASP event, part of the proceeds go back to OWASP. The split is as follows:

 * 25% to OWASP Global - used for OWASP projects around the world
 * 25% to OWASP NZ Day - used for NZ Day expenses
 * 50% to the training provider.

Submissions deadline: 21st December 2018

Applicants will be notified in the week following the deadline, whether they were successful or not.

= Call For Sponsorships =

OWASP New Zealand Day 2019 will be held in Auckland on the 22nd of February, 2019, and is a security conference entirely dedicated to application security. The conference is once again being hosted by the University of Auckland, with their support and assistance. OWASP New Zealand Day 2019 is a free event, but requires sponsor support to make it an instructive, high-quality event for the New Zealand community. OWASP is strictly not-for-profit. The sponsorship money will be used to help make OWASP New Zealand Day 2019 a free, compelling, and valuable experience for all attendees.

The sponsorship funds collected are to be used for things such as:

 * Name tags - we feel that getting to know people within the New Zealand community is important, and name tags make that possible.
 * Promotion - up to now, our events have spread by word of mouth. We would like to reach a wider audience by advertising our events.
 * Printed Materials - printed materials will include brochures, tags and lanyards.
 * Recognition items for speakers and trainers
 * Morning and afternoon tea, to promote a congenial environment for networking among application security professionals

Facts
Last year, the event was supported by seven sponsors and attracted more than 700 registrations. Plenty of constructive (and positive!) feedback from the audience was received, and we are using this to make the conference more appealing to more people. For more information on the last New Zealand Day event, please visit: https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2018

The OWASP New Zealand community is strong: there are more than 500 people currently subscribed to the mailing list. OWASP New Zealand Day is expected to attract between 900 and 1000 attendees this year.

OWASP regular attendees are IT project managers, IT security managers, IT security consultants, web application architects and developers, QA managers, QA testers and system administrators.

Sponsorships
There are four different levels of sponsorships for the OWASP New Zealand Day event:

Supporting Sponsorship: (covering international speaker travel expenses, media coverage/article/promotion of the event)

Includes:

 * Publication of the sponsor logo on the event web site - https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2019

Silver Sponsorship: 1750 NZD

Includes:

 * Publication of the sponsor logo on the event web site - https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2019
 * Publication of the sponsor logo on the event site, in the agenda, on the handouts and in all the official communications with the attendees at the conference.
 * The possibility to distribute company brochures, CDs or other materials to the participants during the event.

Gold Sponsorship: 3000 NZD

Includes:

 * The possibility to have a promotional banner or sign side-stage in the main auditorium (to be provided by the sponsor; size subject to approval by the OWASP NZ Day Committee).
 * Publication of the sponsor logo on the event site, in the agenda, on the handouts and in all the official communications with the attendees at the conference.
 * The possibility to distribute company brochures, CDs or other materials to the participants during the event.
 * Publication of the sponsor logo on the OWASP New Zealand Chapter page - Sponsor logo on the OWASP NZ site prior and during the OWASP Day event - https://www.owasp.org/index.php/New_Zealand
 * Publication of the sponsor logo on the event web site - https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2018

Those who are interested in sponsoring OWASP New Zealand 2019 Conference can contact the [mailto:john.dileo@owasp.org,brendan.j.seerup@gmail.com Conference Committee].

= Presentation Schedule =

Presentations
5th February 2018

= Speakers List =

Laura Bell - SafeStack - Fear Itself
Abstract

The world is a scary place right now. While the risk posed by security threats is high, there are many organisations and people for whom this is the least of their concerns.

In a time of unsettled economies and governments, where there are more breaches each week than we would once have seen in a year... how can we change the way we enable and inspire security change, to stop trying to scare the terrified and start trying to help?

Speaker Bio

With almost a decade of experience in software development and information security, Laura Bell specializes in bringing security survival skills, practices, and culture into fast paced organisations of every shape and size.

An experienced conference speaker, trainer, and regular panel member, Laura has spoken at a range of events such as BlackHat USA, Velocity, OSCON, Kiwicon, Linux Conf AU, and Microsoft TechEd on the subjects of privacy, covert communications, agile security, and security mindset.

As the co-author of "Agile Application Security" published by O'Reilly media, Laura is internationally recognised as a leader in her field.

She is the founder and CEO of SafeStack, leading its operations from Auckland, New Zealand.

Chris Berry - Aura Information Security - Offensive Defence
Abstract

Frustrated by the ability to take over corporate networks by exploiting the same petty misconfigurations for the past several years, I want to expose blue teamers and devs to the current internal pen test strategies, which have proven consistently effective in going from no auth to domain admin.

Speaker Bio

Chris is a Security Consultant at Aura Information Security with experience across a broad variety of domains and industries. He is owned by a cat.

Catherine McIlvride and Fiona Sasse - Pizza Roulette
Abstract

Catherine and Fiona are security newbies in the world of bleepbloops. As their hunger for more knowledge on Security Testing grows, they attempt to chomp into the cyber realm of ordering pizza. Pull up a chair, grab a slice* and prepare yourself for a feast! *Disclaimer: Pizza will not be included.

Speaker Bio

Catherine and Fiona are software testers who have been united by their passion for pizza and their curiosity for wearing black and white hats. They hammer and chisel their way through interfaces, databases, and all other places to identify cracks and gaps. Now they face their next adventure, roaming unfamiliar territory in the security space.

Ryan Kurte and Kirk Holloway - Auth* Infrastructure for Everyone
Abstract

Auth(entication|orisation) is tough. We’re going to talk about how it’s usually done, the developer and user experience of auth*, and some things that often go wrong. Then we’re going to pitch an idea that might, hopefully, maybe, help us all build safe, exciting things.

Speaker Bio

Ryan is an aspiring hardware whisperer and academic with an incurable side project problem.

Kirk builds tiny bits of content that go in bigger bits of content for your local internet box. Combined they form 5/8ths of a full stack developer.

Sarah Bennett and Patricia Ramsden - Xero - Guarding the Pot of Gold while the Rainbow gets bigger
Abstract

We've all heard that as an industry we're severely outnumbered (defenders vs attackers). Many of us become potential targets due to the type of market our company is in. The closer to money handling you are, the more attention you get, and therefore the worse that ratio of defenders to attackers gets. We've seen our adversaries change over time as we've grown. We'll discuss how hitting one million paid subscribers affected us in terms of security, and how the motives of attackers seem to change with the seasons.

Speaker Bio

TBD

Ian Welch and Kaishuo Yang - Bermudez: a honeypit designed to waste hacker's time
Abstract

Small enterprises don’t have the human resources to deal with web attacks 24/7 although attacks can occur anytime. We describe a honeypit designed to entrap and slow attackers down giving time for a sysadmin to detect and respond to an attack.

Speaker Bio

Ian works for Victoria University of Wellington (VUW) doing computer security teaching and research mostly related to honeypots (CaptureHPC) and more recently software-defined networks (Gasket and Baffle).

Kai is a research assistant at Victoria University of Wellington (VUW). He developed Bermudez as part of his final year project last year and is working over summer on a security policy language for software-defined networks called Baffle.

Declan Ingram - CERT - Enough theory, how are websites getting hacked in real life?
Abstract

Since opening in April 2017, CERT NZ has dealt with hundreds of hacked websites. In this talk I propose to step through a few case studies of what went wrong, and how to stop it from happening to your websites. This talk will be done specifically for OWASP day and won’t be used for other audiences.

Speaker Bio

Declan Ingram is the Manager of Operations for CERT NZ and leads the technical side of CERT NZ – including the Incident Response Team. He has worked for over 17 years in information security, with broad experience in both incident response and security testing.

Tim Goddard - Rails Derailed
Abstract

Modern web application frameworks provide a lot of protections by default, but no protection is absolute. We explore common, severe security issues in Ruby on Rails applications, and why they still occur despite its attempts to protect us.

Speaker Bio

Tim (pruby) moved two years ago from being a useful human being and building web applications, to the more haphazard world of tearing them apart. He applies his development background and knowledge to review applications from the ground-up, using the code to inform an efficient approach to security testing.

Anupama Natarajan - Unisys New Zealand - Secure APIs: Road to Business Growth
Abstract

Security must never be an afterthought. API Security is key for all modern digital businesses and secure APIs provide more confidence to the consumers. Come and learn the art of detecting underprotected APIs and how to secure them.

Speaker Bio

I am a Software Professional with over 15 years' experience in designing and developing Web, Data Warehouse, Business Intelligence and Mobile solutions. I am a Microsoft Certified Trainer (MCT) and really passionate about sharing knowledge. I love solving complex business problems for my clients with innovative solutions using Microsoft Technologies, and use that experience in my trainings and presentations. I share tried and tested examples which people can start using in their organisations immediately.

Yappare - Timing Based Attacks in Web Applications
Abstract

Timing-based attacks are deadly but often overlooked. Pentesters often miss such attacks when testing web applications.

By the end of the talk, the audience will learn ways to identify timing-based webapp vulnerabilities through careful manual and automated analysis of response generation times.

Speaker Bio

I was a Chemical Engineering graduate but have an interest in application security. I have 7+ years in the penetration testing industry and 5 years in the bug bounty scene, and am currently on the top leaderboard of Bugcrowd. Being involved in these two areas of the ‘hacking’ environment has exposed me to various ways of identifying web vulnerabilities.

Felix Shi - Developer's guide to Deserialization Attacks
Abstract

A beginner friendly talk on deserialization attacks, targeted towards webapp devs and QA engineers. Heavy emphasis on explaining the attack vectors, the technical/business impact, and how to test for it.

There will be demos in some popular languages/frameworks - namely Python, Java, and C#.

Speaker Bio

Felix works in the security space at an online accounting software company named Xero. He joined in 2014 and his day job involves securing and breaking internally developed products. Before Xero he spent his previous years as a developer, and has been dabbling in the information security scene in Wellington.

Tom Isaacson - IoT: How to fight the tyre fire
Abstract

Everyone knows that IoT is a tyre fire but what can we do to start putting it out? Take a quick tour through the new OWASP IoT Top 10 and some other (personal) examples of how not to do IoT.

Speaker Bio

I’ve been an embedded developer for 20 years. I haven’t bothered learning web development because I still think the internet is a passing fad, but I’ve been forced to think about security after we added networking to our products.

Olly - Xero - Finding the path to #DevSecOps nirvana
Abstract

A talk about my experiences automating security infrastructure in AWS at Xero. The end goal, things to consider in a security context, the 80/20 rule, convincing people and how to get started. Buzzwords include: DevOps, DevSecOps, AWS, Cloud, CI/CD, “.* as code”.

Speaker Bio

Oliver is a Graduate Security Engineer at Xero where he helps build and deploy security infrastructure into AWS focusing on automation and repeatability. He is a contributor to Security Monkey, Netflix’s open source AWS security auditing tool.

Nick Le Mouton - drugs.com - Thinking like an Attacker (Hacking your own organisation)
Abstract

Often as developers we think like defenders. We identify vulns (SQLi, XSS etc) and patch them. How often do we think, how far could an attacker get by using this vuln? What could they do?

It’s easier to get non security buy-in if you can provide a working exploit to show how serious a vuln is.

Speaker Bio

I started my career as a developer and for the last 20 years I’ve moved more and more into the security space. I’m currently the CTO for Drugs.com, but spend a lot of time reading through legacy code and identifying areas of concern/exploiting vulnerabilities.

Rory Shillington - VoltsAndBits - When Shoestrings Snap
Abstract

Have you ever fed a sheep to a wolf? Every day, charities, non-profit organisations and small businesses get devoured by online threats. Let’s take a look at what’s happening both at the keyboard and IRL/AFK.

Speaker Bio

Rory Shillington is an electrical engineer trying to save polar bears by day, and a jack of all admins by night.

When not designing, testing and breaking solar inverters, he helps a small handful of clients navigate the minefields of the internet while keeping their websites patched (arrr). He has a strong passion for computer security with a number of years of hands-on experience, and a tendency of venturing questionable distances to solve other people’s problems. He also maintains a number of hobby and community websites.

Jens Dietrich - Massey University - Evil Pickles: DoS Attacks Based on Object-Graph Engineering
Abstract

Evil pickles is a new type of degradation of service attack inspired by billion laughs. It exploits the object serialisation interface present in most modern languages (such as Java, C#, Ruby), and can be used to exhaust resources including CPU time, stack and heap memory of the systems attacked.

Speaker Bio

Jens is an Associate Professor at Massey University Turitea, Palmerston North. Jens has an MSc in Mathematics and a PhD in Computer Science from the University of Leipzig. After graduating in 1996, he worked as a software consultant, participating in some of the first large-scale enterprise-level projects that used object-oriented programming (Smalltalk and later Java) and agile principles. Clients he worked for include Mercedes-Benz, Volkswagen and some of the largest German banks. He moved to Namibia in 1999, working for a development aid agency to establish a computing curriculum at the local university of applied science. He continued with freelance consulting work for European and US clients during this time, and started several open source projects. In 2003 he moved to New Zealand to take up a position at Massey. Jens’ research interests are in the areas of software modularisation, evolution and static analysis for bug and vulnerability detection. He currently leads a National Science Challenge project on program analysis, and his research on fast algorithms for static analysis of large Java programs has been supported by several rounds of funding by Oracle Inc. (through Oracle Labs Brisbane). Jens is an executive member of Software Innovation NZ (SI^NZ) and a member of the ACM.

Karan Sharma - Enough with XSS, let's talk about something else?
Abstract

I think it is time to lift our game and think beyond classic vulns such as XSS, CSRF, Dir Traversal, SQLi and talk about recent web vulns which are becoming more and more common and being exploited in the wild these days like IDOR, XXE, SSRF, DOM Clobbering, RPO and Insecure Cryptographic Storage.

Speaker Bio

Working as a Security Consultant at one of the leading financial institutes of NZ. Very passionate about web app security, and have been doing it for over 6 years. Love building and breaking stuff, especially web apps and IoT stuff. I spend my days testing web apps and network infrastructure for vulnerabilities, and then help mitigate what I find.

Like to code in node.js on embedded devices, and love building the Web of Things as opposed to the Internet of Things (no pun intended).

Dion Bramley - Secure development in Go
Abstract

Google loves Go, and they claim it makes secure development much easier for people who aren’t teams of seasoned security experts. But what makes it so special? Why should you choose Go for your next secure API project? How to do secure Go, and why it can be a really terrible option for some projects.

Speaker Bio

I have been working in software since 2012 using a wide range of languages. Currently I work at Spalk Ltd (yuck, sports) as a senior engineer building APIs and streaming services, and teaching interns. I studied a combination of computer science and computer engineering at UoA for 5 years. Sometimes I do free security and (engineering) design consulting for startups and charities. Hobbies include theatre, gaming, and helping people be awesome.

Sam Shute - Quantum Security - Riding someone else’s wave with CSRF
Abstract

Cross-site request forgery is one of the common vulnerabilities we are seeing in pen tests. It can be used to create or delete accounts, escalate privileges, and perform other actions. This talk will cover what it is, common issues and how to properly defend against it.

Speaker Bio

Sam is a security consultant with Quantum Security. While relatively new to the security industry he spent the last 7 years studying various security topics at the University of Waikato. Sam has been an organiser and challenge developer of the New Zealand Cyber Security Challenge for the last 3 years. His areas of interest include behavioral biometrics, the physical/digital security overlap and breaking IoT devices.

David Pearce - Secure Your Programming Future!
Abstract

Can programming languages help us write secure code? It’s an age-old question. New languages come and go, but don’t often seem that different. But wait! You haven’t seen anything like Whiley before. Forget about type checking. This is a whole new level. You might think the demo is faked. It’s not.

Speaker Bio

David graduated with a PhD from Imperial College London in 2005, and took up a lecturer position at Victoria University of Wellington, NZ. David’s PhD thesis was on efficient algorithms for pointer analysis of C, and his techniques have since been incorporated into GCC. His interests are in programming languages, compilers and static analysis. Since 2009, he has been developing the Whiley Programming Language, which is designed specifically to simplify program verification. David has previously interned at Bell Labs, New Jersey, where he worked on compilers for FPGAs; and also at IBM Hursley, UK, where he worked with the AspectJ development team on profiling systems.

Alex Hogue - Atlassian - Operation Luigi: How I hacked my friend without her noticing
Abstract

My friend gave me permission to “hack all her stuff” and this is my story. It’s about what I tried, what worked, my many flubs, and how easy it is to compromise Non Paranoid People TM.

Speaker Bio

Alex is your conference speaker, your best friend, and your sweet mango boy. Alex fell off the back of a gently glowing ute 17 years ago, and now haunts the Earth in corporeal form. Critics have called him “aggressively wonky”. He does incident detection and response at Atlassian, which is kiiinda like being an adult. Catch him scratching out MEMBERS ONLY signs into MEMERS ONLY.

David Waters - Pushpay - Handling Of A PCI Incident - PANs In The Database
Abstract

Are you storing credit card numbers in your database when you’re not meant to? Would you know? We will briefly cover PCI, tell the story of the discovery of PANs in our pipeline, and then describe the full journey from discovery, to recovery, to future prevention.

Speaker Bio

David is a Senior Software Engineer/Tech Lead and one of the leaders of the Secure Coding Guild at Pushpay. David previously worked for 3 years in the security industry, including 1 year in the Security Team at Google in London, and draws on 19 years' experience as a systems and web developer, primarily working in .NET, Java and JavaScript.

= Diversity fund =

Diversity and Financial Aid fund
'''The Diversity and Financial Aid assistance fund has now closed. If you find yourself stuck and need assistance, please get in touch with kirk.jackson@owasp.org and we'll see what we can do.'''

[We have unashamedly followed the model adopted by the nz.js(con) team with their fund. Many thanks to Jen and the team!]

Due to the support of our lovely sponsors, we have some additional funding available to help people from around New Zealand attend the OWASP NZ Day that would find it hard to otherwise attend. In particular, we welcome applications from women, people of colour, LGBTIQ and all others. You all deserve to be able to learn more about security, and we’ll do our darndest to help make that happen!

Our funds are limited, and we’ll be reviewing applications every two weeks starting in December. Submit your applications soon, so we can approve them early and you’ll be in several review cycles!

Process:

 * Fill out our application form
 * We will review and approve applications every two weeks. The next review date is in Dec 2017.
 * We will contact all applicants and let them know the result of the review.
 * Successful applicants will be contacted to help sort things out.

We use the following criteria to help us decide who gets approved:

 * We are biased towards (but not exclusively for) diverse applicants.
 * We do attempt to maximise cost efficiency, and will aim to get as many people as possible to OWASP with our limited funds.

Each successful recipient can choose whether to be kept anonymous (in which case only the OWASP NZ committee will know the details of your funding), or to be put in touch with the supporting company whose sponsorship is going towards your attendance. We think some of our sponsors may enjoy the opportunity to chat with you on the day and talk about your experiences and plans for the future, but that’s totally optional and up to you.

If you have any questions, feel free to drop us an email: nick.malcolm@owasp.org | kirk.jackson@owasp.org | kim.carter@owasp.org

= Code of Conduct =

We want to make the OWASP NZ Day a welcoming environment for all attendees. To that end, we would like to remind you of OWASP's anti-harassment policy.

Speakers, trainers and sponsors have all been reminded of these policies, and are expected to abide by them like all attendees.

If you have any concerns during the day, please seek out Kirk, Nick or Kim. We will make ourselves visible at the start of the day so you know what we look like.