OWASP New Zealand Day 2018

https://www.owasp.org/images/5/53/NZ_day_2018_web.jpg 4th and 5th February 2018 - Auckland

= Introduction =

Introduction
We are proud to announce the ninth OWASP New Zealand Day conference, to be held at the University of Auckland on Monday February 5th, 2018. OWASP New Zealand Day is a one-day conference dedicated to information security, with an emphasis on secure architecture and development techniques to help Kiwi developers build more secure applications.

Who is it for?


 * Web Developers: There will be a choice of two streams in the morning. First stream covering introductory talks to information security, second stream covering deeper technical topics. Afternoon sessions will cover offensive security in stream one, and continue with deeper technical topics in stream two
 * Security Professionals and Enthusiasts: Technical sessions later in the day will showcase new and interesting attack and defence topics

Conference structure
Date: Monday 5 February 2018 Time: 9:30am - 6:00pm Cost: Free

The main conference is on Monday 5th of February, and will have two streams in both the morning and the afternoon:

Training
As well as the main conference on Monday, we are pleased to be able to provide training on Sunday at the same venue. All details including registration are as follows:

Building Security Into Your Development Teams Date: Sun 04 February 2018 Time: 9:00am - 5:30pm or part thereof Training Registration Page

Spaces going fast, so get in quick

General
The ninth OWASP New Zealand Day will be happening thanks to the support provided by the University of Auckland, which will kindly offer the same location as last year for stream one, with the addition of another room near by for the stream two room. Entry to the event will, as in the past, be free.

For any comments, feedback or observations, please don't hesitate to contact [mailto:kim.carter@owasp.org?cc=kirk.jackson@owasp.org&cc=denis.andzakovic@owasp.org us].

Registration
Registration for the main conference day is now open: Conference Registration Here, Follow us on twitter @owaspnz

There is no cost for the main conference day. Unfortunately due to increased conference running costs, lunch, morning and afternoon tea's will not be provided as it has been for the past OWASP NZ Days. We do ask that if at any point you realise you cannot make it please cancel your registration to make room for others as spaces are limited.

Important dates

 * CFP submission deadline: 8th December 2017
 * CFT submission deadline: 8th December 2017
 * Conference Registration deadline: 29th January 2018
 * Training Registration deadline:  29th January 2018
 * Training Day date:         4th February 2018
 * Conference Day date:          5th February 2018

For those of you booking flights, ensure you can be at the venue at 9:00am, the conference will end by 6:00pm however we will have post conference drinks at a local drinking establishment for those interested.

Conference Sponsors
Gold Sponsors:

Silver Sponsors:

Support Sponsors:

Conference Committee

 * Denis Andzakovic - OWASP New Zealand Leader (Auckland)
 * Kirk Jackson - OWASP New Zealand Leader (Wellington)
 * Kim Carter - OWASP New Zealand Leader (Christchurch)
 * Nick Malcolm - OWASP New Zealand (Auckland)
 * Sam Macleod - OWASP New Zealand (Auckland)

Please direct all enquiries to denis.andzakovic@owasp.org | kirk.jackson@owasp.org | kim.carter@owasp.org

OWASP NZ on Twitter (https://twitter.com/owaspnz)

University Liaison
Lech Janczewski - Associate Professor - University of Auckland School of Business

= Training =

Training
As well as the main conference on Monday, we are pleased to be able to provide training on Sunday at the same venue. All details including registration are as follows:

Building Security Into Your Development Teams Date: Sun 04 February 2018 Time: 9:00am - 5:30pm or part thereof Training Registration Page

Spaces going fast, so get in quick

= Call For Presentations =

Call For Presentations
'''Thank you to all those who have submitted talks. The call for presentations has now closed.'''

OWASP New Zealand Day conferences attract a high quality of speakers from a variety of security disciplines including architects, web developers and engineers, system administrators, penetration testers, policy specialists and more.

We would like a variety of technical levels in the presentations submitted, corresponding to the three sections of the conference:


 * Introductions to various Information Security topics, and the OWASP projects
 * Technical topics
 * Policy, Compliance and Risk Management

The introductory talks should appeal to an intermediate to experienced software developer, without a solid grounding in application security or knowledge of the OWASP projects. These talks should be engaging, encourage developers to learn more about information security, and give them techniques that they can immediately return to work and apply to their jobs.

Technical topics are running all day and should appeal to two audiences - experienced software security testers or researchers, and software developers who have a “OWASP Top Ten” level of understanding of web attacks and defences. You could present a lightning, short or long talk on something you have researched, developed yourself, or learnt in your travels. Ideally the topics will have technical depth or novelty so that the majority of attendees learn something new.

We would also like to invite talks that will appeal to those interested in the various non-technical topics that are important in our industry. These talks could focus on the development of policies, dealing with compliance obligations, managing risks within an enterprise, or other issues that could appeal to those in management roles.

We encourage presentations to have a strong component on fixing and prevention of security issues. We are looking for presentations on a wide variety of security topics, including but not limited to:


 * Web application security
 * Mobile security
 * Cloud security
 * Secure development
 * Vulnerability analysis
 * Threat modelling
 * Application exploitation
 * Exploitation techniques
 * Threat and vulnerability countermeasures
 * Platform or language security (JavaScript, NodeJS, .NET, Java, RoR, Python, etc)
 * Penetration Testing
 * Browser and client security
 * Application and solution architecture security
 * PCI DSS
 * Risk management
 * Security concepts for C*Os, project managers and other non-technical attendees
 * Privacy controls

The submission will be reviewed by the OWASP New Zealand Day conference committee and the highest voted talks will be selected and invited for presentation.

PLEASE NOTE:


 * Due to limited budget available, expenses for international speakers cannot be covered.
 * If your company is willing to cover travel and accommodation costs, the company will become "Support Sponsor" of the event.

'''Thank you to all those who have submitted talks. The call for presentations has now closed.'''

Please submit your presentation here.

Submissions deadline: 8th December 2017

Applicants will be notified in the following week after the deadline, whether they were successful or not.

= Call For Sponsorships =

Call For Sponsorships
OWASP New Zealand Day 2018 will be held in Auckland on the 5th of February, 2018 and is a security conference entirely dedicated to application security. The conference is once again being hosted by the University of Auckland with their support and assistance. OWASP New Zealand Day 2018 is a free event, but requires sponsor support to help be an instructive and quality event for the New Zealand community. OWASP is strictly not for profit. The sponsorship money will be used to help make OWASP New Zealand Day 2018 a free, compelling, and valuable experience for all attendees.

The sponsorship funds collected are to be used for things such as:


 * Name tags - we feel that getting to know people within the New Zealand community is important, and name tags make that possible.
 * Promotion - up to now our events are propagating by word of mouth. We would like to get to a wider audience by advertising our events.
 * Printed Materials - printed materials will include brochures, tags and lanyards.

Facts
Last year, the event was supported by nine sponsors and attracted more than 900 registrations. Plenty of constructive (and positive!) feedback from the audience was received and we are using this to make the conference more appealing to more people. For more information on the last New Zealand Day event, please visit: https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2017

The OWASP New Zealand community is strong, there are more than 500 people currently subscribed to the mailing-list. OWASP New Zealand Day is expected to attract between 800 and 1000 attendees this year.

OWASP regular attendees are IT project managers, IT security managers, IT security consultants, web application architects and developers, QA managers, QA testers and system administrators.

Sponsorships
There are three different levels of sponsorships for the OWASP New Zealand Day event:

Support Sponsorship: (Covering international speaker travel expenses, media coverage/article/promotion of the event) Includes:


 * Publication of the sponsor logo on the event web site - https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2018

Silver Sponsorship: 1500 NZD

Includes:


 * Publication of the sponsor logo on the event web site - https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2018
 * The publication of the sponsor logo in the event site, in the agenda, on the handouts and in all the official communications with the attendees at the conference.
 * The possibility to distribute the company brochures, CDs or other materials to the participants during the event.

Gold Sponsorship: 2750 NZD

Includes:


 * The possibility to have a promotional banner or sign side stage in the main auditorium (to be provided by the sponsor, size subject to approval by the OWASP NZ Day Committee).
 * The publication of the sponsor logo in the event site, in the agenda, on the handouts and in all the official communications with the attendees at the conference.
 * The possibility to distribute the company brochures, CDs or other materials to the participants during the event.
 * Publication of the sponsor logo on the OWASP New Zealand Chapter page - Sponsor logo on the OWASP NZ site prior and during the OWASP Day event - https://www.owasp.org/index.php/New_Zealand
 * Publication of the sponsor logo on the event web site - https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2018

Those who are interested in sponsoring OWASP New Zealand 2018 Conference can contact the [mailto:kim.carter@owasp.org,kirk.jackson@owasp.org,denis.andzakovic@owasp.org OWASP New Zealand Board].

= Presentation Schedule =

Presentations
5th February 2018

= Speakers List =

Laura Bell - SafeStack - Fear Itself
Abstract

Abstract: The world is a scary place right now. While the risk posed by security threats is high, there are many organisations and people for whom this is the least of their concerns.

In a time of unsettled economies & governments, where there are more breaches each week than we would have once seen in a year... how can we change the way we enable and inspire security change to stop trying to scare the terrified and start trying to help.

Speaker Bio

With almost a decade of experience in software development and information security, Laura Bell specializes in bringing security survival skills, practices, and culture into fast paced organisations of every shape and size.

An experienced conference speaker, trainer, and regular panel member, Laura has spoken at a range of events such as BlackHat USA, Velocity, OSCON, Kiwicon, Linux Conf AU, and Microsoft TechEd on the subjects of privacy, covert communications, agile security, and security mindset.

As the co-author of "Agile Application Security" published by O'Reilly media, Laura is internationally recognised as a leader in her field.

She is the founder and CEO of SafeStack, leading its operations from Auckland, New Zealand.

Chris Berry - Aura Information Security - Offensive Defence
Abstract

Frustrated by the ability to take over corporate networks by exploiting the same petty misconfigurations for the past several years, I want to expose blue teamer’s and dev’s to the current internal pen test strategies, which have proven consistently effective in going from no auth to domain admin.

Speaker Bio

Chris is a Security Consultant at Aura Information Security with experience across a broad variety of domains and industries. He is owned by a cat.

Catherine McIlvride and Fiona Sasse - Pizza Roulette
Abstract

Catherine and Fiona are security newbies in the world of bleepbloops. As their hunger for more knowledge on Security Testing grows, they attempt to chomp into the cyber realm of ordering pizza. Pull up a chair, grab a slice* and prepare yourself for a feast! *Disclaimer: Pizza will not be included.

Speaker Bio

Catherine and Fiona are software testers who have been united by their passion for pizza and their curiosity for wearing black and whites hats. They hammer and chisel their way through interfaces, databases, and all other places to identify cracks and gaps. Now they face their next adventure roaming unfamiliar territory in the security space.

Ryan Kurte and Kirk Ataur - Auth* Infrastructure for Everyone
Abstract

Auth(entication|orisation) is tough. We’re going to talk about how it’s usually done, the developer and user experience of auth*, and some things that often go wrong. Then we’re going pitch an idea that might, hopefully, maybe, help us all build safe exciting things.

Speaker Bio

Ryan is an aspiring hardware whisperer and academic with an incurable side project problem.

Kirk builds tiny bits of content that go in bigger bits of content for your local internet box. Combined they form 5/8ths of a full stack developer.

Sarah Bennett and Patricia Ramsden - Xero - Guarding the Pot of Gold while the Rainbow gets bigger
Abstract

We've all heard that as an industry we're severely outnumbered (defenders vs attackers). Many of us become a potential targets due to the type of market our company is in. The closer to money handling you are, the more attention you get therefore the more that ratio of defenders to attackers gets worse. We've seen our adversaries change over time as we've grown. We'll discuss how our hitting one million paid subscribers affected us in terms of security, and how the motives of attackers seem to change with the seasons.

Speaker Bio

TBD

Ian Welch and Kaishuo Yang - Bermudez: a honeypit designed to waste hacker's time
Abstract

Small enterprises don’t have the human resources to deal with web attacks 24/7 although attacks can occur anytime. We describe a honeypit designed to entrap and slow attackers down giving time for a sysadmin to detect and respond to an attack.

Speaker Bio

Ian works for Victoria University of Wellington (VUW) doing computer security teaching and research mostly related to honeypots (CaptureHPC) and more recently software-defined networks (Gasket and Baffle).

Kai is a research assistant at Victoria University of Wellington (VUW). He developed Bermudez as part of his final year project last year and is working over summer on a security policy language for software-defined networks called Baffle.

Declan Ingram - CERT - Enough theory, how are websites getting hacked in real life?
Abstract

Since opening in April 2017, CERT NZ has dealt with hundreds of hacked websites. In this talk I propose to step through a few case studies of what went wrong, and how to stop it from happening to your websites. This talk will be done specifically for OWASP day and won’t be used for other audiences.

Speaker Bio

Declan Ingram is the Manager of Operations for CERT NZ and leads the technical side of CERT NZ – including the Incident Response Team. He has worked for over 17 years in information security, with broad experience in both incident response and security testing.

Tim Goddard - Rails Derailed
Abstract

Modern web application frameworks provide a lot of protections by default, but no protection is absolute. We explore common, severe security issues in Ruby on Rails applications, why they still occur despite its attempts to protect us.

Speaker Bio

Tim (pruby) moved two years ago from being a useful human being and building web applications, to the more haphazard world of tearing them apart. He applies his development background and knowledge to review applications from the ground-up, using the code to inform an efficient approach to security testing.

Anupama Natarajan - Unisys New Zealand - Secure APIs: Road to Business Growth
Abstract

Security must never be an afterthought. API Security is key for all modern digital businesses and secure APIs provide more confidence to the consumers. Come and learn the art of detecting underprotected APIs and how to secure them.

Speaker Bio

I am a Software Professional with over 15 years experience in designing and developing Web, Data Warehouse, Business Intelligence and Mobile solutions. I am a Microsoft Certified Trainer (MCT) and really passionate in sharing knowledge. I love solving complex business problems for my clients with innovative solutions using Microsoft Technologies and use that experience in my trainings and presentations. I share tried and tested examples which people can start use in their organisations immediately.

Yappare - Timing Based Attacks in Web Applications
Abstract

Timing-based attacks are deadly but often overlooked. Pentesters often miss such attacks when testing web applications.

By the end of the talk, the audience will learn ways to identify timing-based webapp vulnerabilities through careful manual and automated analysis of response generation times.

Speaker Bio

I was a Chemical Engineering graduate but have interest in application security. 7+ years in penetration testing industry and 5 years in bug bounty scene and currently at top leaderboard of Bugcrowd. Involving in these two areas of ‘hacking’ environment, expose me with various ways of identifying web vulnerabilities.

Felix Shi - Developer's guide to Deserialization Attacks
Abstract

A beginner friendly talk on deserialization attacks, targeted towards webapp devs and QA engineers. Heavy emphasis on explaining the attack vectors, the technical/business impact, and how to test for it.

There will be demos in some popular languages/frameworks - namely Python, Java, and C#.

Speaker Bio

Felix works in the security space at an online accounting software company named Xero. He joined in 2014 and his day job involves securing and breaking internally developed products. Before Xero he spent his previous years as a developer, and has been dabbling in the information security scene in Wellington.

Tom Isaacson - IoT: How to fight the tyre fire
Abstract

Everyone knows that IoT is a tyre fire but what can we do to start putting it out? Take a quick tour through the new OWASP IoT Top 10 and some other (personal) examples of how not to do IoT.

Speaker Bio

I’ve been an embedded developer for 20 years. I haven’t bothered learning web development because I still think the internet is a passing fad, but I’ve been forced to think about security after we added networking to our products.

Olly - Xero - Finding the path to #DevSecOps nirvana
Abstract

A talk about my experiences automating security infrastructure in AWS at Xero. The end goal, things to consider in a security context, the 80/20 rule, convincing people and how to get started. Buzzwords include: DevOps, DevSecOps, AWS, Cloud, CI/CD, “.* as code”.

Speaker Bio

Oliver is a Graduate Security Engineer at Xero where he helps build and deploy security infrastructure into AWS focusing on automation and repeatability. He is a contributor to Security Monkey, Netflix’s open source AWS security auditing tool.

Nick Le Mouton - drugs.com - Thinking like an Attacker (Hacking your own organisation)
Abstract

Often as developers we think like defenders. We identify vulns (SQLi, XSS etc) and patch them. How often do we think, how far could an attacker get by using this vuln? What could they do?

It’s easier to get non security buy-in if you can provide a working exploit to show how serious a vuln is.

Speaker Bio

I started my career as a developer and for the last 20 years I’ve moved more and more into the security space. I’m currently the CTO for Drugs.com, but spend a lot of time reading through legacy code and identifying areas of concern/exploiting vulnerabilities.

Rory Shillington - VoltsAndBits - When Shoestrings Snap
Abstract

Have you ever fed a sheep to a wolf? Every day, charities, non-profit organisations and small businesses get devoured by online threats. Let’s take a look at what’s happening both at the keyboard and IRL/AFK.

Speaker Bio

Rory Shillington is an electrical engineer trying to save polar bears by day, and a jack of all admins by night.

When not designing, testing and breaking solar inverters, he helps a small handful of clients navigate the minefields of the internet while keeping their websites patched (arrr). He has a strong passion for computer security with a number of years of hands-on experience, and a tendency of venturing questionable distances to solve other people’s problems. He also maintains a number of hobby and community websites.

Jens Dietrich - Massey University - Evil Pickles: DoS Attacks Based on Object-Graph Engineering
Abstract

Evil pickles is a new type of degradation of service attack inspired by billion laughs. It exploits the object serialisation interface present in most modern languages (such as Java, C#, Ruby), and can be used to exhaust resources including CPU time, stack and heap memory of the systems attacked.

Speaker Bio

Jens is an Associate Professor at Massey University Turitea Palmerston North. Jens has a MSc in Mathematics and a PhD in Computer Science from the University of Leipzig. After graduating in 1996, he worked as a software consultant, participating in some of the first large-scale enterprise-level projects that used object-oriented programming (Smalltalk and later Java) and agile principles. Clients he worked for include Mercedes-Benz, Volkswagen and some of the largest German banks. He moved to Namibia in 1999, working for a development aid agency to establish a computing curriculum at the local university of applied science. He continued with freelance consulting work for European and US clients during this time, and started several open source projects. In 2003 he moved to New Zealand to take up a position at Massey. Jens’ research interest are in the areas of software modularisation, evolution and static analysis for bug and vulnerability detection. He currently leads a National Science Challenge project on program analysis, and his research on fast algorithms for static analysis of large Java programs has been supported by several rounds of funding by Oracle Incl (through Oracle Labs Brisbane). Jens is executive member of Software Innovation NZ (SI^NZ) and member of the ACM.

Karan Sharma - Enough with XSS, let's talk about something else?
Abstract

I think it is time to lift our game and think beyond classic vulns such as XSS, CSRF, Dir Traversal, SQLi and talk about recent web vulns which are becoming more and more common and being exploited in the wild these days like IDOR, XXE, SSRF, DOM Clobbering, RPO and Insecure Cryptographic Storage.

Speaker Bio

Working as a Security Consultant at one of the leading financial institute of NZ. Very passionate about web app security and have been doing it for over 6 years. Love building and breaking stuff especially web apps and IoT stuff. I spend my days testing web apps and network infrastructure for vulnerabilities and then help mitigate what I find.

Like to code in node.js on embedded devices and love building Web of Things oppose to Internet of Things (no pun intended).

Dion Bramley - Secure development in Go
Abstract

Google loves Go, and they claim it makes secure development much easier for people who aren’t teams of seasoned security experts. But what makes it so special? Why should you choose Go for your next secure API project? How to do secure Go. And why it can be a really terrible option for some projects

Speaker Bio

I have been working in software since 2012 using a wide range of languages. Currently I work at Spalk Ltd (yuck, sports) as a senior engineer building APIs and streaming services, and teaching interns. I studied a combination of computer science and computer engineering at UoA for 5 years. Sometimes I do free security and (engineering) design consulting for startups and charities. Hobbies include theatre, gaming, and helping people be awesome.

Sam Shute - Quantum Security - Riding someone else’s wave with CSRF
Abstract

Cross-site request forgery is one of the common vulnerabilities we are seeing in pen tests. It can be used to create or delete accounts, escalate privileges, and perform other actions. This talk will cover what it is, common issues and how to properly defend against it.

Speaker Bio

Sam is a security consultant with Quantum Security. While relatively new to the security industry he spent the last 7 years studying various security topics at the University of Waikato. Sam has been an organiser and challenge developer of the New Zealand Cyber Security Challenge for the last 3 years. His areas of interest include behavioral biometrics, the physical/digital security overlap and breaking IoT devices.

David Pearce - Secure Your Programming Future!
Abstract

Can programming languages help us write secure code? It’s an age-old question. New languages come and go, but don’t often seem that different. But wait! You haven’t seen anything like Whiley before. Forget about type checking. This is a whole new level. You might think the demo is faked. It’s not.

Speaker Bio

David graduated with a PhD from Imperial College London in 2005, and took up a lecturer position at Victoria University of Wellington, NZ. David’s PhD thesis was on efficient algorithms for pointer analysis of C, and his techniques have since been incorporated into GCC. His interests are in programming languages, compilers and static analysis. Since 2009, he has been developing the Whiley Programming Language which is designed specifically to simplify program verification. David has previously interned at Bell Labs, New Jersey, where he worked on compilers for FPGAs; and also at IBM Hursely, UK, where he worked with the AspectJ development team on profiling systems.

Alex Hogue - Atlassian - Operation Luigi: How I hacked my friend without her noticing
Abstract

My friend gave me permission to “hack all her stuff” and this is my story. It’s about what I tried, what worked, my many flubs, and how easy it is to compromise Non Paranoid People TM.

Speaker Bio

Alex is your conference speaker, your best friend, and your sweet mango boy. Alex fell off the back of a gently glowing ute 17 years ago, and now haunts the Earth in corporeal form. Critics have called him “aggressively wonky”. He does incident detection and response at Atlassian, which is kiiinda like being an adult. Catch him scratching out MEMBERS ONLY signs into MEMERS ONLY.

David Waters - Pushpay - Handling Of A PCI Incident - PANs In The Database
Abstract

Are you storing credit card numbers in your database when you’re not meant to? Would you know? We will be briefly cover PCI, and telling the story of the discovery of PANs in our pipeline. Then describe the full journey from discovery, to recovery to future prevention.

Speaker Bio

David is a Senior Software Engineer/Tech Lead and one of the leaders of the Secure Coding Guild at Pushpay, David previously worked for 3 years in the security industry including 1 year in the Security Team at Google in London and draws on 19 years experience as a systems and web developer, primarily working in .NET, Java and JavaScript.

= Diversity fund =

Diversity and Financial Aid fund
[We have unashamedly followed the model adopted by the nz.js(con) team with their fund. Many thanks to Jen and the team!]

Due to the support of our lovely sponsors, we have some additional funding available to help people from around New Zealand attend the OWASP NZ Day that would find it hard to otherwise attend. In particular, we welcome applications from women, people of colour, LGBTIQ and all others. You all deserve to be able to learn more about security, and we’ll do our darndest to help make that happen!

Our funds are limited, and we’ll be reviewing applications every two weeks starting in December. Submit your applications soon, so we can approve them early and you’ll be in several review cycles!

Process:


 * Fill out our application form
 * We will review and approve applications each two weeks. The next review date is in Dec 2017.
 * We will contact all applicants and let them know the result of the review.
 * Successful applicants will be contacted to help sort things out.

We use the following criteria to help us decide who gets approved:


 * We are biased towards (but not exclusively for) diverse applicants.
 * We do attempt to maximise cost efficiency and will aim to get as many people to OWASP with our limited funds.

Each successful recipient can choose whether to be kept anonymous (in which case only the OWASP NZ committee will know the details of your funding), or to be put in touch with the supporting company whose sponsorship is going towards your attendance. We think some of our sponsors may enjoy the opportunity to chat with you on the day talk about your experiences and plans for the future, but that’s totally optional and up to you.

If you have any questions, feel free to drop us an email: denis.andzakovic@owasp.org | kirk.jackson@owasp.org | kim.carter@owasp.org

= Code of Conduct =

Code of Conduct
We want to make the OWASP NZ Day a welcoming environment for all attendees. To that end, we would like to remind you of OWASP's anti-harassment policy:.

Speakers, trainers and sponsors have all been reminded of these policies, and are expected to abide by them like all attendees.

If you have any concerns during the day, please seek out Kirk, Denis or Kim. We will make ourselves visible at the start of the day so you know what we look like.