OWASP New Zealand Day 2010

Introduction
OWASP New Zealand Day 2010 15th July - Auckland

http://www.owasp.org/images/a/a7/Owasp_nz_day_2010.jpg

= Introduction =

Following the success of the OWASP New Zealand 2009 security conference which attracted more than 150 attendees, the OWASP New Zealand Chapter decided to organise the OWASP New Zealand Day 2010. The event will be held on the 15th July 2010 in Auckland. For those people who missed the first OWASP New Zealand Day, this is a national security conference entirely dedicated to web application security. The intent of the conference is to promote and raise web application security awareness in New Zealand. IT professionals, including security professionals, developers, managers and students are invited to partecipate to this conference.

Registration
Registration is now closed.

Topics
The OWASP Days have always offered a forum for discussion and exchange of ideas among researchers and practitioners who present their experiences and discuss issues related to Web Application Security from a higher level to a technical point of view.

Conference topics include, but are not limited to:


 * OWASP Project presentation (i.e Tool Updates/Project Status etc);
 * Threat modelling of web applications;
 * Privacy concerns with applications and data storage;
 * Vulnerability analysis of web applications (code review, pentest, static analysis, scanning);
 * Baseline or metrics for web application security;
 * Countermeasures for web application vulnerabilities;
 * Web application security;
 * Platform or language (e.g. Java, .NET) security features that help secure web applications;
 * Secure application development;
 * How to use databases securely in web applications;
 * Security of Service Oriented Architectures;
 * Access control in web applications;
 * Web services security;
 * Browser security;
 * PCI.

Conference structure and schedule
OWASP New Zealand Day 2010 will be all day Conference. The conference aims to provide a workshop-like atmosphere in which contributions can be presented and then time is allowed for constructive discussion of their results and processes. It will be structured in a single stream. During the conference two coffee breaks (one in the morning and one in the afternoon) and the lunch are in program. These might be offered by the sponsors. The detailed agenda of the conference will be available on the web site before the event.

Scott Bell - Web Application Vulnerabilities: How far does the rabbit hole go?
We all know SQL Injection and File Inclusion bugs are dangerous. We know they can be used to 'hack you'. But what does this really mean? Do you know the true impact of these bugs? You might think you know the answers, but do you? In this presentation, we will be covering the risk and impact of such vulnerabilities and a demonstration will be shown on how far these bugs can be leveraged.

Scott Bell

Scott Bell is a security consultant at Security-Assessment.com. He has been involved with IT security for seven years and has a passion for Web Application security. Scott has a PhD in reverse-shell-ology and previously performed penetration testing at Yahoo! Inc.

Dean Carter - The Ramblings of an ex-QSA
As a QSA there were a bunch of things Dean was forbidden from discussing.

As an ex QSA some of these matters will remain firmly sequestered inside his kimono - but others things, more general things, can now be shared.

Dean has 30 minutes worth of handy tips, hints, lessons and some brickbats relating to PCI and secure system development that he can now share with the community.

Dean Carter

Dean still remembers the day he first heard about the PCI DSS - he then spent several years trying to convince everyone that the PCI DSS was the bestest thing since the Beatles… not many people listened… they had projects to finish and settings to tweak…

Then Dean joined Security-Assessment.com and became a QSA (PCI power-up!)… people listened! Organisations even paid to listen! A few organisations went so far as to demonstrate their security posture to Dean The QSA. In return he signed their Reports on Compliance. Most made great progress towards compliance… while some simply went in political circles and denied the need to make any effort.

Two years on Dean, the ex-QSA, now works for financial institution where, in between other tasks, he regularly sticks his nose into PCI matters and still firmly believes that the PCI DSS is a positive thing.

Paul Craig – Security-Assessment.com - "Oh F#!K" : What To Do When You Get Pwned
If your company’s website were hacked tomorrow, would you know what to do? Forensics is not what you see on CSI, and most people have no idea what they should do in the event of a compromise. What is an appropriate incident response for a company, what do you say to your CEO, when do you involve law enforcement? Do you attempt to solve the forensic case yourself; keeping in mind any action you take may directly affect the evidence, or compromise legal judicial requirements. This presentation will demonstrate the forensic process for a compromised website, and what an organization should do when they find out they have been compromised. I will use case studies from previous incidents and demonstrate what you should and shouldn’t do when you get pwned.

Paul Craig

My name is Paul Craig, I work as the lead forensic incident responder at Security-Assessment.com and I work with many New Zealand companies who have been compromised. From small websites to large corporations and government agencies, our nation is regularly being defaced and defrauded. IT Forensics is here to pick up the pieces, and it’s my job to spend long nights trying to provide answers to businesses regarding what really happened.

Graeme Neilson / Kirk Jackson - Aura Software Security / Xero - Tales from the Crypt0
Does the thought of SSL, HTTPS and S/MIME make you squeamish? Does PKI make you want to scream? Does encrypting data at rest make you want to bury yourself alive?

Cryptography is an important part of most web applications these days, and developers and admins need to understand how, why and when to employ the best and appropriate techniques to secure their servers, applications, data and the livelihoods of their users.

Join Graeme Neilson (Aura Software Security) and Kirk Jackson (Xero) for a series of scary stories in "Tales from the Crypt0".

Graeme Neilson

Graeme Neilson is lead security researcher at Aura Software Security, a security consultancy based in Wellington with clients across the globe.

Kirk Jackson

Kirk Jackson is a developer at Xero, makers of the world's easiest accounting system.

Please note that CFP will close on the 30th June 2010.

Call For Sponsorships (CLOSED)
The aims of OWASP - New Zealand community is to guarantee access to the conference for free in order to allow for wide participation and empower the community itself. As so the OWASP - New Zealand community encourages Industries, Research Institutions and Individuals to sponsor their activities and events. Three types of sponsorships are available:
 * Support Sponsorships: n/a - company covers expenses for international speaker / media company that provides article/coverage on the event

- Publication of the sponsor logo on the event web site.
 * Silver sponsorship: 1500 NZD

- The publication of the sponsor logo in the event site, in the agenda, on the flyers, brochure and in all the official communications with the attendees at the conference.
 * Gold Sponsorship: 3500 NZD

- Publication of the sponsor logo on the event web site; - Publication of the sponsor logo on the OWASP New Zealand Chapter page; - The publication of the sponsor logo in the event site, in the agenda, on the flyers, brochure and in all the official communications with the attendees at the conference; - The possibility to distribute the company brochures, CDs or other materials to the participants during the event; - Sponsor dedicated space at the conference (sponsor booth) to show products/services to the attendees during coffee breaks, lunch and snack breaks. Those who are interested in sponsoring OWASP New Zealand 2010 Conference can contact the [mailto:robertosl@owasp.org OWASP New Zealand Board]. Sponsors can also make us of the following PayPal button to make payments. Donations are also more than welcome from the NZ community.

Call for Paper (CLOSED) and review process
OWASP solicit contributions on the above topics, or general matters of interest to the community. Those who are interested in participating as speakers to the conference can submit an abstract of the speech to the [mailto:robertosl@owasp.org OWASP New Zealand Board]. The email subject must be “OWASP New Zealand 2010: CFP” and the email body must contains the following information/sections:


 * Name and Surname
 * Affiliation
 * Address
 * Telephone number
 * Email address
 * List of the author’s previous papers/articles/speeches on the same topics
 * Title of the contribution
 * Type of contribution: Technical or Informative
 * Abstract (max one A4 style page)
 * Why the contribution is relevant for OWASP New Zealand 2010
 * If you are not from New Zealand, will your company support your expenses - Yes/No

The submission will be reviewed by the OWASP New Zealand Board and the most interesting ones will be selected and invited for presentation.

Due to limited budget available, expenses for international speakers cannot be covered. If your company is willing to cover travel and accomodation costs, the company will become "Support Sponsor" of the event.

Conference Venue
The University of Auckland Business School Owen G Glenn Building Room: OGGB 260-073 (OGGB4) Address: 12 Grafton Road Auckland New Zealand Map

Topics
The OWASP Days have always offered a forum for discussion and exchange of ideas among researchers and practitioners who present their experiences and discuss issues related to Web Application Security from a higher level to a technical point of view.

Conference topics include, but are not limited to:


 * OWASP Project presentation (i.e Tool Updates/Project Status etc);
 * Threat modelling of web applications;
 * Privacy concerns with applications and data storage;
 * Vulnerability analysis of web applications (code review, pentest, static analysis, scanning);
 * Baseline or metrics for web application security;
 * Countermeasures for web application vulnerabilities;
 * Web application security;
 * Platform or language (e.g. Java, .NET) security features that help secure web applications;
 * Secure application development;
 * How to use databases securely in web applications;
 * Security of Service Oriented Architectures;
 * Access control in web applications;
 * Web services security;
 * Browser security;
 * PCI.

Conference structure and schedule
OWASP New Zealand Day 2010 will be all day Conference. The conference aims to provide a workshop-like atmosphere in which contributions can be presented and then time is allowed for constructive discussion of their results and processes. It will be structured in a single stream. During the conference two coffee breaks (one in the morning and one in the afternoon) and the lunch are in program. These might be offered by the sponsors. The detailed agenda of the conference will be available on the web site before the event.

Conference dates

 * CFP close: 			 			15th June 2010
 * Contributions submission deadline: 			25th June 2010
 * Registration deadline: 				20th June 2010
 * Conference Agenda due: 				20th June 2010
 * Conference date: 					15th July 2010

Conference Committee
OWASP New Zealand Day 2010 Organising Committee:


 * Roberto Suggi Liverani – OWASP New Zealand Leader
 * Rob Munro – OWASP New Zealand Evangelist
 * Lech Janczewski - Associate Professor - University of Auckland

Conference Sponsors
Gold Sponsors:

Silver Sponsors:

Support Sponsors: