OWASP New Zealand Day 2015

https://www.owasp.org/images/9/94/New_Zealand_Day_2015_020.png 26th and 27th Feburary 2015 - Auckland

= Introduction =

Introduction
We are proud to announce the sixth OWASP New Zealand Day conference, to be held at the University of Auckland on Friday February 27th, 2015. OWASP New Zealand Day is a one-day conference dedicated to application security, with an emphasis on secure architecture and development techniques to help Kiwi developers build more secure applications.

Similar to last year:


 * We will be offering training on the day before the conference (Thursday, 26th of February).
 * After lunch on the conference day, we will split to two tracks - one focused on technical topics, the other on policy, compliance and risk management.

The sixth OWASP New Zealand Day will be happening thanks to the support provided by the University of Auckland, which will kindly offer a slightly different location from the last five years. Entry to the event will, as in the past, be free.

For any comments, feedback or observations, please don't hesitate to contact [mailto:kim.carter@owasp.org?cc=adrian.hayes@owasp.org?cc=denis.andzakovic@owasp.org us].

Registration
Registration for the main conference day is now open: Conference Registration Here

There is no cost for the main conference day and lunch is provided. We do ask that if at any point you realise you cannot make it please cancel your registration to make room for others as spaces are limited.

If you are interested in registering for the training session on the 26th please email [mailto:adrian.hayes@owasp.org?cc=denis.andzakovic@owasp.org&cc=kim.carter@owasp.org adrian.hayes@owasp.org, denis.andzakovic@owasp.org, and kim.carter@owasp.org] and let us know who you would like to attend.

Important dates

 * CFP & CFT submission deadline: 19th January 2015
 * Conference and Training Registration deadline: 12th February 2015
 * Training Day date:         26th February 2015
 * Conference Day date:          27th February 2015

Conference Sponsors
Gold Sponsors:

Silver Sponsors:

Support Sponsor:

Conference Committee

 * Denis Andzakovic - OWASP New Zealand Leader (Auckland)
 * Adrian Hayes - OWASP New Zealand Leader (Wellington)
 * Kim Carter - OWASP New Zealand Leader (Christchurch)
 * Lech Janczewski - Associate Professor - University of Auckland School of Business

Please direct all enquiries to denis.andzakovic@owasp.org | adrian.hayes@owasp.org | kim.carter@owasp.org

= Presentation Schedule=

Presentations
27th Feburary 2015

= Speakers List=

Kirk Jackson - Xero - Applying OWASP Top 10 to ASP.NET MVC projects
Abstract

What's the OWASP Top 10, and how do we defend against those threats? Advances in web platforms and frameworks make it easier to defend against common web attacks, and by introducing the defenses you can enabled in ASP.NET MVC we'll see how much simpler that can make our lives as web developers.

Speaker Bio

Kirk Jackson is Security Officer at Xero, and has presented at previous OWASP, Kiwicon and other developer conferences.

Francois Marier - Mozilla - Integrity protection for third-party JavaScript
Abstract

Modern web applications depend on a lot of auxiliary scripts which are often hosted on third-party CDNs. Should an attacker be able to tamper with the files hosted on such a CDN, millions of sites could be compromised. Web developers need a way to guarantee the integrity of scripts hosted elsewhere.

This is the motivation behing a new addition to the web platform being introduced by the W3C: sub-resource integrity (http://www.w3.org/TR/SRI/). Both Firefox and Chrome have initial implementations of this new specification and a few early adopters are currently evaluating this feature.

Speaker Bio

Francois is a senior software engineer in the Mozilla Security & Privacy team where he spends his time working on new ways to protect Firefox users. By night, he contributes to Debian and other free software projects.

Adam Bell - Lateral Security - Defaced: An insight into methodologies, tools and motivations
Abstract

"The internet is a hostile place, particularly if you are a charitable organisation.

Websites are compromised and defaced on a daily basis and sometimes their owners need a little help getting to the bottom of what happened.

So what if your website has been compromised and is getting reports of abuse... How do you react? What can you do?

This talk will cover a recent incident response and investigation I carried out and describe how you, as the developer-in-charge of an all-in-one webhost can investigate and respond.

Based on a true story, this talk will describe the incident response methodology I used, take a look at some of the tools that the defacer had left behind and give an insight into the badguys mindset and motives."

Speaker Bio

Adam Bell once ate a jam sandwich. He lives in Auckland with his newly spawned hacker progeny and fears the day she learns to pop shell. By day he is a security consultant for a prominent boutique security company, by night he tries to remember what sleep is.

Pedro Worcel - Security-Assessment.com - CMS Hell
Abstract

We all know about Wordpress and its (in)security. What about other CMSes? What about NZ made ones?

Introducing 'droopescan', a plugin-based tool for scanning CMSs. In this talk we will see its effectiveness in identifying versions and plugins, and we will see how the landscape looks like for installations of two CMSs (Drupal & SilverStripe) in New Zealand.

Speaker Bio

Pedro is a security researcher for Security-Assessment.com, with more than five years of experience in IT. I have a strong background on web applications, and generally enjoy building and hacking software of all kinds.

Nick von Dadelszen - Lateral Security - Lazily Finding Holes Without Breaking The Law
Abstract

Why risk actively testing for security vulnerabilities in websites when a large amount of vulnerabilities can be passively found? Based on an event where a major security issue was found in a potential client's site just through passive browsing during a scoping exercise, we thought, why not always be scanning? So, enter some dodgy nickvd style code and quick fixes, a little more polished code from feabell, and you have a system that is continuously passively scanning everything you browse. The vulnerabilities just come to you. This is the true lazyman's way to find vulnerabilities, and could be used to check a large number of sites for some common issues in a quick and painless manner.

Speaker Bio

A regular in the NZ security industry, Nick has now clocked up his 15th year of penetration testing. With a full security team at Lateral Security to keep in check, his time is now more commonly spent in meetings and reviewing reports. However, he still loves to jump in and get his hands dirty, especially when it is something new and interesting. Origin: New Zealand

Benjamin Kearns - Lateral Security - Crypto 101: A "no crazy maths" guide to crypto vulnerabilities
Abstract

While less common that other types of security vulnerabilities encryption flaws can often have a very high impact. Some big applications, hardware and frameworks have been vulnerable to simple encryption flaws in recent years.

This talk with run you through a variety of crypto flaws which we've observed in web and mobile applications over the last couple of years.

It will show you how to exploit them and discuss how to protect yourself.

Speaker Bio

Ben works as a Security Consultant for Lateral Security. He has two and a half years of security experience which is backed by a further five years of IT experience, primarily spent developing web applications and administering Linux systems.

Chris Smith - Insomnia Security - PHP Magic Tricks: Type Juggling
Abstract

PHP is a magical language! Unfortunately, magic leads to unexpected behaviour and unexpected behaviour leads to security bugs. This talk will go over a specific magic trick that PHP performs as a loosely- and dynamically-typed language.

The trick is type juggling, a set of rules that PHP enacts when trying to compare different types together. Given the different possible ways you might want to compare different data, you'd expect there to be some unexpected behaviour in there. You'd be right. And, given the importance of the comparison operator for enforcing security controls, you'd expect that to lead to some tasty bugs. You'd be right.

You will be introduced to PHP's various type juggling rules and how you might want to exploit them in security-critical areas of modern applications. We'll also look at a few publicized bugs that exploit this functionality and then finish off on how you can avoid exposing yourself to these issues. It'll be as easy as 'abc' == 0, I promise.

Speaker Bio

Chris is a consultant for Insomnia Security where he breaks other peoples stuff and writes reports about it. Previously a Linux sysadmin and polyglot developer, he now exacts his revenge on technologies that have wronged him.

Andrew Kampjes and Mike Haworth - nil and Aura - Surprise Features in Your Favourite Framework
Abstract

Modern web frameworks allow developers to be productive, however they are feature rich and not every feature is well understood. Some of these features can work in unexpected ways and can be leveraged by attackers. This talk will look at some of the gotchas in popular frameworks. We'll also look at the ways popular features such as social logins can go wrong.

Speaker Bio

Andrew Kampjes enjoys getting under the hood of Rails and playing with its quirks. He also gets a sick satisfaction finding security flaws in other’s code.

Mike Haworth is a Principal Security Consultant for AuraInfoSec, he spends his days doing everything from Red Team engagements to Code Reviews.

Jamie Anderson - SafeStack - Thinking Securely: Practical Advice for Developers
Abstract

If there’s one lesson that we can learn from 2014, it’s that security needs to become a priority for any web-based application. The challenge for developers is that they don’t think the same way that security professional do. They don’t see the holes until it’s too late.

As someone who has experienced both sides of the story, I have found a few ways to help to bridge this gap. In this talk I will share my story as well as a few tips and tricks I've learned along the way so that developers like me can think more securely and write more secure software.

Speaker Bio

Jamie has spent a decade and a half writing software, ranging from desktop software to back-end services to web-based applications. He has recently joined the information security community and is now a secure development specialist for SafeStack.

Andrew Kelly - Insomnia Security Group Ltd - The Fall and Rise of InfoSec
Abstract

A talk with a beginning, a middle ... and a 'will it ever end?' at the end. A light-hearted, albeit with a serious message somewhere, skip and jump through three decades of collected wisdom and anecdotes on the 'fall' of InfoSec with the rise of viruses, worms, etc., in the 80's and 90's - and its subsequent 'rise' again in the 2000's due to hacking and similar nefarious activities now being 'accepted' as mainstream. Changing attitudes in the last 30 years - but not changes in music and fashion - will be covered; alongside some ideas on how you can use such changes to your advantage in your own careers and/or organisations. All this by a man who (he claims) has done the hard yards: All nine of them!

Speaker Bio

Andrew is the Operations Manager for Insomnia Security, and a man in the twilight years of his working life. 2015 marks his 27th in Computer Security, Data Security, IT Security, Cyber Security and/or Information Security (and his 30th in IT), and he reckons he's fogotten more than he ever knew about most things - including InfoSec. Andrew now spends most of the short ime left to him now reminiscing about the old days, wallowing in past glories ... and wondering why kids today just don't understand.

Aloysius Cheang - Cloud Security Alliance - Securing the Cloud to the Internet of Things
Abstract

CSA's Software Defined Perimeter (SDP), a next generation security architecture for virtual private clouds, hardened SaaS, BYOD and Internet of Things (IOT), is explained. CSA is disrupting network security by making networks dark and adapting innovations from top secret systems. We will deep dive into the reference architecture, review enterprise implementations and discuss the future of SDP and IOT through the looking glass of the CSA.

Speaker Bio

Aloysius Cheang is a cybersecurity enthusiast first and a senior business executive second. He has extensive experience in managing and delivering direct business values in strategic, complex multi-million dollar information technology (IT) program and business projects for Global 500 organisations worldwide. In his line of work, Aloysius has managed large multi-cultural, multi-disciplinary team spread across 5 continents and 4 major time zones, many a time building up the business from scratch.

Chris Esther - Confide Ltd - Joined up PCI DSS : A systematic approach to PCI DSS v3 compliance
Abstract

In this presentation I will eschew the list of requirements approach to compliance and will reframe the PCI DSS using a systems approach to provide a holistic view of its requirements. The key processes and their linkages will be identified, including: Similarly the core information required by PCI DSS will be identified and relationships between them discussed, including: If you are new to PCI DSS it should provide a solid foundation for understanding it. For those already being embraced by PCI DSS it may provide another perspective that should help when managing the increased evidential requirements of PCI DSS V3.
 * Scoping
 * Vulnerability management
 * Configuration management
 * Change management
 * Development
 * Testing
 * Cardholder data flow diagram
 * Network diagram
 * Configuration Management Database

Speaker Bio

Developer background, qualified lawyer, QSA. Currently providing advisory and compliance services to commercial and government organisations focusing on PCI DSS and privacy.

Carlos Cordero - Room9 - Security all the way: the transformation of a NZ web applications development firm
Abstract

Room9 develops, re-engineers, and maintains, applications built on web technologies. We are a software development firm to the core. In September last year we started a transformation by which we will make the manifold dimensions of security the main distinguishing attribute of our organisation.

To achieve this we are working in several fronts in parallel: upscaling of our staff (SANS), certification (GIAC), reviewing and re-writing all of our policies, reviewing and re-designing all of our processes and guidelines, transforming most of our core operations, and becoming quite active in communicating to our clients the realities of security.

We have learnt are lot already about the realities of refocusing everything on security. These lessons, reality checks, and anecdotes, we believe could be valuable for any IT shop who is wanting to focus more on security.

Our presentation will be sharing:

the thinking behind our decision to transform the firm; our initial expectations of what the process would be like contrasted against the realities we are finding while implementing it; how we are getting organised and moving ahead; the role DevOps is playing in our transformation; the two foci: on internal security and on the work we do for others; why everyone in the organisation has to be involved; the role of leadership; the importance of benchmarking for best practice and of not compromising the objectives; balancing the need to remain secure with the practicalities of what can be achieved; the need for an iterative approach, lots of humour, and a sprinkle of paranoia, for mental sanity’s sake.

Speaker Bio

Commercial Executive at Room9, a web applications development company based in Hamilton. In charge of all things commercial. A full member of the IITP despite not having a computer science degree but a business management one. Prior to New Zealand, founding partner of an intelligence firm which counts as clients vendors such as Microsoft, Intel, Oracle, IBM, HP, Dell, Telefonica, Telmex, AT&T, Siemens, to name a few. Also was an elected leader of the Peruvian equivalent to NZ Tech.

James Healy - Stoic Limited, soon-to-be apprentice at SafeStack - Handling Vulnerability Disclosure in New Zealand
Abstract

Reporting security issues to businesses and organisations can sometimes get dicey. You scare the person monitoring the company contact form inbox, they call the lawyers and you find yourself in a courtroom looking at up to 5 years imprisonment (Crimes Act, section 249). This talk is about responsible disclosure in New Zealand, some of the pitfalls that can come from your chosen method of disclosure, tips on how I've managed to avoid lawyers and jail time reporting vulnerabilities to New Zealand companies as well as the roles and responsibilities of the security researcher in responsible disclosure.

Speaker Bio

James researched malware and packers during his teen years before moving onto web application security and development. For the past year he's been a C# developer at CourierPost and recently started an apprenticeship at SafeStack. He's also a freelance developer pretending to be from a large company called Stoic Ltd when in fact it's just him making websites. He enjoys beer and coffee. You should probably buy him one of those. James is also a little weirded out writing a bio in third-person.

= Training Day =

Training Day
We are happy to announce that training will run on Thursday the 26th of February 2015, the day before the OWASP Day conference. The courses will be running from 9:00 AM sharp to 5:00PM. The training venues will be auditoriums kindly provided by the University of Auckland, in the same building as the OWASP Day conference itself. Feedback from previous training has been very positive and there are limited spaces - so get in quick!

Details are as follows:

Training Abstract - Bootstrapping Agile Security
Agile development is often seen as a delicate balance of ritual and roles allowing for rapid development, continuous deployment and the expansion of the post-it note industry. Security is often seen as a lumbering giant of process, governance and technology allowing for increased control, reduced risk and the expansion of the technology vendor industry.

What if you could merge the two?

The world of security is changing to meet the needs of agile software development. Organisations around the world are coming up with tools, techniques and processes to make security a continuous presence to support developers. This hands on, fast-paced course will not only give students a solid grounding in how to bring security into agile software development life-cycles, but also give a range of tools, techniques and practical skills to make it happen.

Trainer Bio - Laura Bell
Laura Bell is the founder and lead consultant at SafeStack, a specialist New Zealand agile security firm. With almost a decade of experience in software development and information security, Laura specialises in bringing security practices and culture into organisations of every shape and size. Her recent research into agile security practices has generated a set of tools and processes that can enable the management of security risk without compromising innovation or speed.

Registration
If you are interested in registering for the training session please email [mailto:adrian.hayes@owasp.org?cc=denis.andzakovic@owasp.org&cc=kim.carter@owasp.org adrian.hayes@owasp.org.nz, denis.andzakovic@owasp.org, and kim.carter@owasp.org] and let us know who you would like to attend.

<!-- = Call For Presentations =

Call For Presentations
OWASP New Zealand Day conferences attract a high quality of speakers from a variety of security disciplines including architects, web developers and engineers, system administrators, penetration testers, policy specialists and more. We encourage presentations to have a strong component on fixing and prevention of security issues. We are looking for presentations on a wide variety of security topics, including but not limited to:


 * Web application security
 * Mobile security
 * Secure development
 * Vulnerability analysis
 * Threat modelling
 * Threat and vulnerability countermeasures
 * Platform or language security (JavaScript, .NET, Java, RoR, etc)
 * Penetration Testing
 * Browser and client security
 * Application and solution architecture security
 * PCI DSS
 * Risk management
 * Security concepts for C*Os, project managers and other non-technical attendees
 * Privacy controls

The email subject must be "OWASP New Zealand 2015: CFP" and the email body must contain the following information/sections:


 * Name and Surname
 * Affiliation
 * Telephone number
 * Email address
 * Short presenter bio
 * Title of the contribution
 * Type of contribution: Technical, Informative, Management
 * Short abstract (up to 500 words)
 * List of the author's previous papers/articles/speeches on the same/similar topic (if any)
 * If you are not from New Zealand, will your company support your travel/accommodation costs? - Yes/No

The submission will be reviewed by the OWASP New Zealand Day conference committee and the highest voted talks will be selected and invited for presentation.

PLEASE NOTE:


 * Due to limited budget available, expenses for international speakers cannot be covered.
 * If your company is willing to cover travel and accommodation costs, the company will become "Support Sponsor" of the event.

Please submit the above information to all of the following: Denis Andzakovic (denis.andzakovic@owasp.org), Adrian Hayes (adrian.hayes@owasp.org) and Kim Carter (kim.carter@owasp.org).

Submissions deadline: 19th January 2015

= Call For Trainers =

Call For Trainers
We are happy to announce that training will run on Thursday February 26th 2015, the day before the OWASP Day conference. The training venues will be auditoriums kindly provided by the University of Auckland, in the same building as the OWASP Day conference itself. Classes will contain up to 20 students, and each seat has power for laptop usage. A wide range of half-day or full-day training proposals will be considered, see the Call for Papers for a list of example topics.

If you are interested in running one of the training sessions, please contact Denis Andzakovic, Adrian Hayes and Kim Carter with the following information:


 * Trainer name
 * Trainer organisation
 * Telephone + email contact
 * Short Trainer bio
 * Training title
 * Trainer requirements (e.g. a projector, whiteboard, etc)
 * Trainee requirements (e.g. laptop, VMWare/Virtualbox, etc)
 * Training summary (less than 500 words)
 * Target audience (e.g. testers, project managers, security managers, web developers, architects)
 * Skill level required (Basic / Intermediate / Advanced)
 * What attendees can expect to learn (key objectives)
 * Short course outline

The fixed price per head for training will be $250 for a half-day session and $500 for a whole-day session. As this training is part of an OWASP event, part of the proceeds go back to OWASP. The split is as follows:


 * 25% to OWASP Global - used for OWASP projects around the world
 * 25% to OWASP NZ Day - used for expenses such as catering during the conference
 * 50% to the training provider.

Please submit the above information to all of the following:
 * Denis Andzakovic (denis.andzakovic@owasp.org)
 * Adrian Hayes (adrian.hayes@owasp.org)
 * Kim Carter (kim.carter@owasp.org).

Submissions deadline: 19th January 2015

= Call For Sponsorships =

Call For Sponsorships
OWASP New Zealand Day 2015 will be held in Auckland on the 27th of February, 2015 and is a security conference entirely dedicated to application security. The conference is once again being hosted by the University of Auckland with their support and assistance. OWASP New Zealand Day 2015 is a free event, but requires sponsor support to help be an instructive and quality event for the New Zealand community. OWASP is strictly not for profit. The sponsorship money will be used to help make OWASP New Zealand Day 2015 a free, compelling, and valuable experience for all attendees.

The sponsorship funds collected are to be used for things such as:


 * Refreshments (coffee break/lunch) - we want to keep people refreshed during the day; while we certainly bring good and interesting speakers, we don't want people to go home when they become hungry.
 * Name tags - we feel that getting to know people within the New Zealand community is important, and name tags make that possible.
 * Promotion - up to now our events are propagating by word of mouth. We would like to get to a wider audience by advertising our events.
 * Printed Materials - printed materials will include brochures, tags and lanyards.

Facts
In 2013, the event was supported by six sponsors and attracted more than 250 participants. Plenty of constructive (and positive!) feedback from the audience was received and we are using this to make the conference more appealing to more people. For more information on the last New Zealand Day event, please visit: https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2013

The OWASP New Zealand community is strong, this year has Christchurch as a new region and there are more than 360 people currently subscribed to the mailing-list. OWASP New Zealand Day is expected to attract between 250 and 300 attendees this year.

OWASP regular attendees are IT project managers, IT security managers, IT security consultants, web application architects and developers, QA managers, QA testers and system administrators.

Sponsorships
There are three different levels of sponsorships for the OWASP Day event:

Support Sponsorship: (Covering international speaker travel expenses, media coverage/article/promotion of the event) Includes:


 * Publication of the sponsor logo on the event web site - https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2015

Silver Sponsorship: 1500 NZD

Includes:


 * Publication of the sponsor logo on the event web site - https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2015
 * The publication of the sponsor logo on the event site, in the agenda, on the handouts and in all the official communications with the attendees at the conference.
 * The possibility to distribute the company brochures, CDs or other materials to the participants during the event.

Gold Sponsorship: 2750 NZD

Includes:


 * The possibility to have a promotional banner or sign side stage in the main auditorium (to be provided by the sponsor, size subject to approval by the OWASP NZ Day Committee).
 * The publication of the sponsor logo on the event site, in the agenda, on the handouts and in all the official communications with the attendees at the conference.
 * The possibility to distribute the company brochures, CDs or other materials to the participants during the event.
 * Publication of the sponsor logo on the OWASP New Zealand Chapter page - Sponsor logo on the OWASP NZ site prior and during the OWASP Day event - https://www.owasp.org/index.php/New_Zealand
 * Publication of the sponsor logo on the event web site - https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2015

Those who are interested in sponsoring OWASP New Zealand 2015 Conference can contact the [mailto:kim.carter@owasp.org?cc=adrian.hayes@owasp.org?cc=denis.andzakovic@owasp.org OWASP New Zealand Board]. -->