OWASP New Zealand Day 2016

https://www.owasp.org/images/2/23/OWASP_NZ_Day_2016_logo.jpg 3rd and 4th February 2016 - Auckland

= Introduction =

We are proud to announce the seventh OWASP New Zealand Day conference, to be held at the University of Auckland on Thursday February 4th, 2016. OWASP New Zealand Day is a one-day conference dedicated to application security, with an emphasis on secure architecture and development techniques to help Kiwi developers build more secure applications.

Who is it for?


 * Web Developers: The morning sessions will introduce you to application security. Afternoon sessions will dive deeper into technical topics, and build on the morning sessions.
 * Management: After an introduction to web application security, one of the afternoon streams will focus on informational and defensive topics.
 * Security Professionals and Enthusiasts: Technical sessions later in the day will showcase new and interesting attack and defence topics.

Conference structure
 * Date: Thurs 4 Feb 2016
 * Time: 9:00am - 5:00pm
 * Cost: Free
 * Food: Morning and Afternoon tea

The main conference is on Thursday 4th of February, and will have three streams:

Training
 * Date: Wed 3 Feb 2016
 * Time: 9:30am - 12:30pm, or part thereof

As well as the main conference on Thursday, we are pleased to be able to provide training on Wednesday. All details including registration can be found on the Training Registration Page.

The seventh OWASP New Zealand Day will be happening thanks to the support provided by the University of Auckland, which will kindly offer a slightly different location from last year. Entry to the event will, as in the past, be free.

For any comments, feedback or observations, please don't hesitate to contact [mailto:kim.carter@owasp.org?cc=adrian.hayes@owasp.org&cc=denis.andzakovic@owasp.org&cc=kirk.jackson@owasp.org us].

Registration
Registration for the main conference day is now open: Conference Registration Here

There is no cost for the main conference day. Morning and afternoon tea will be provided. Unfortunately, due to increased conference running costs, lunch will not be provided as it has been at past OWASP NZ Days. We do ask that, if at any point you realise you cannot make it, you please cancel your registration to make room for others, as spaces are limited.

Important dates

 * CFP & CFT submission deadline: 7th December 2015
 * Conference Registration deadline: 21st January 2016
 * Training Registration deadline: 21st January 2016
 * Training Day date: 3rd February 2016
 * Conference Day date: 4th February 2016

Conference Sponsors
Gold Sponsors:

Silver Sponsors:

Support Sponsor:

Conference Committee

 * Denis Andzakovic - OWASP New Zealand Leader (Auckland)
 * Adrian Hayes - OWASP New Zealand Leader (Wellington)
 * Kirk Jackson - OWASP New Zealand Leader (Wellington)
 * Kim Carter - OWASP New Zealand Leader (Christchurch)
 * Lech Janczewski - Associate Professor - University of Auckland School of Business

Please direct all enquiries to denis.andzakovic@owasp.org | adrian.hayes@owasp.org | kim.carter@owasp.org | kirk.jackson@owasp.org

= Presentation Schedule =

Presentations
4th February 2016

= Speakers List =

Dan Wallis - Christchurch ISIG - Credit card fraud; you don't want to be the common point of purchase
Abstract

A real-world example of how three problems lined up to leak credit card data online. Each problem wasn't by itself enough to leak anything valuable, but by their powers combined, the bank called. I'll talk through the details of each flaw, why they were introduced, how they lined up, and lessons learnt.

Speaker Bio

I'm a sysadmin with lots of web experience; I've been in the industry for more than 10 years. I currently work for an agency in Christchurch, focusing on ecommerce websites.

Emmanuel Law - Aura Information Security - Chronicles of SOP bypass
Abstract

Same Origin Policy (SOP) is one of the fundamental protections when surfing the internet. It's in all browsers, various plugins and mobile applications. This talk will walk the audience through a history of some of SOP's most interesting bugs, ranging from some of the earliest manifestations to the more recent SOP bypasses. Although many of these SOP bugs are beyond the control of developers, we'll cover some mitigating measures that one could possibly take.

Speaker Bio

Principal security consultant @ Aura Information Security (NZ) by day, he spends his nights exploiting stuff for fun and profit.

Valentinas Bakaitis - Aura Information Security - Keep calm and CSP
Abstract

CSP stands for Content Security Policy and is a reasonably new mechanism to protect against client side vulnerabilities like XSS and XSRF. Applied correctly, it can completely eliminate nearly all XSS issues, regardless of whether they are known or unknown. While the mechanism is extremely effective and in most cases easy to implement, adoption remains low. This talk will introduce CSP to those who are not familiar with it, and remind those who have heard about it before of its power.

Speaker Bio

Developer turned Security Consultant. Valentinas has 10 years of experience in the IT industry, with the last two years working as a security consultant. His interests include IT security, physical security and hardware hacking.

Russell McMullan - Beca Ltd - Risk based software assurance requirements for aircraft systems
Abstract

This talk focuses on the contribution of the design methods used in aircraft system development and their contribution to security. This includes an overview of aircraft system design requirements and design rules, how the system and software ‘Design Assurance Level’ is determined, and an overview of the Software ‘Assurance Level’ requirements used in software development. I’ll provide my personal thoughts on the Design Assurance Level contribution to security including the inherent aircraft system design principles and processes that contribute to security, and some thoughts on augmenting these practices with the Common Criteria requirements. If you’ve ever wondered about aircraft systems software development, this talk may be of interest.

Speaker Bio

With 20+ years associated with military aircraft systems, Russell has a unique view of system and software risk methods for aircraft systems. Russell currently works at Beca in the Advisory team.

Chris Campbell - Jade Software - Making AppSec a (Respectable) Religion
Abstract

No stranger to rapid transformation, Jade Software – a leading technology company with an almost 40-year pedigree – today works with an ever increasing range of technologies to solve complex problems for its customers. .NET, HTML5, SQL, Oracle, Java, Azure and AWS cloud services, and of course the JADE platform, all form part of the Jade technology stable. Using the latest and greatest technology stack only gets you so far. But to maintain the reputation of producing market leading, enterprise-level solutions, robust security practices are a must. Making security a key component of your SDLC with minimal interruption can be achieved with assistance from an OWASP project (or a few), coupled with a lot of passion.

Speaker Bio

Chris, who in a past life was a .NET developer, is a Security & Operations Consultant at Jade Software. His role sees him managing operational and user security, and overseeing both the security and architecture of development and operational projects which span a wide variety of industries.

Sergey Ozernikov - Lateral Security - OAuth 2.0: The Promise and Pitfalls
Abstract

OAuth 2.0, the second version of the popular authorisation framework, was proposed as an IETF standard in October 2012 and has since been implemented and used by companies such as Facebook, Google and Microsoft. In January 2013 an RFC containing a comprehensive threat model of OAuth 2.0 was introduced. It was as long as the initial specification, which had left out a lot of security considerations, most likely because it was assumed that developers would know how to securely implement OAuth 2.0. However, many didn't, and without the necessary security controls, many relatively benign web application vulnerabilities could now flourish on a much larger and more bountiful attack surface. An open redirect directly leading to an account compromise? Easy. In this talk, an overview of what should be catered for when integrating OAuth 2.0 into your project, and how not to introduce additional security risks, will be provided. The most common attack vectors and some examples of real-life vulnerabilities in OAuth 2.0 implementations will be presented. Ideally attendees should have a basic understanding of the OAuth 2.0 flow and web application security.

Speaker Bio

Sergey has gained his experience in the field of information security working for several Russian commercial and government organisations for around 7 years after finally realising that he enjoys breaking and protecting things more than building them. In 2013 he moved to New Zealand and shortly after joined Lateral Security as a security consultant.

Chris Smith - Insomnia Security - Attacking Real-World Crypto Flaws
Abstract

Everybody knows by now not to roll your own crypto, right? RIGHT? But, as an attacker, how do you go about identifying and exploiting these flaws for your own benefit? And, as a defender, how can you gauge the full impact of such flaws and ensure you steer clear of them? So forget about the LUCKYBEASTCRIMEPOODLE13 for now; this talk is going to focus on real-world crypto flaws in everyday software. We'll look at some cryptographic issues I've come across in my travels, and how to exploit them. And along the way, we might just learn something about doing it correctly, too!

Speaker Bio

Chris is a consultant for Insomnia Security, where he breaks other people's stuff and writes reports about it. Previously a Linux sysadmin and polyglot developer, he now exacts his revenge on technologies that have wronged him.

Felix Shi - Xero - Practical Attacks on WebRTC Applications
Abstract

WebRTC is a browser-based technology that allows peer-to-peer communication via a list of predefined APIs. It has gained popularity among many video conferencing, telephony, and file sharing applications.

Research has been done on its design, architecture, and potential attack vectors against applications that use it. This talk will focus on practical attacks that can be performed on applications that use WebRTC, and how to mitigate against them.

Speaker Bio

Felix works in the product security space at an online accounting software company named Xero. He joined in 2014 and his day job involves securing and breaking internally developed products. Before Xero he spent his previous years as a developer, and has been dabbling in the information security scene in Wellington.

Nilesh Kapoor - Aura Information Security - Host Hardening: Achieve or Avoid?
Abstract

This is still a question mark for most business and application owners: host hardening – Avoid or Achieve? This paper covers a real world scenario of a potential server compromise due to the lack of OS hardening and running secure but unpatched services over the Internet, and the host review process and approach, backed up with OWASP guidelines and CIS benchmarks. This talk also touches on host review and hardening automation techniques for medium-sized and enterprise organisations. This topic aims to:

 * Increase the awareness and importance of host review and hardening among business owners, application owners, server administrators and developers.
 * Answer basic questions such as what host review involves, what approach is recommended for structured host review and achieving compliance, and how to create a hardening baseline standard and apply it to your organisation's policy.
 * Automate the host review process and hardening for servers hosting critical data.

Speaker Bio

Nilesh Kapoor is the author of “Security Testing Handbook for Banking Applications”, published by IT Governance. He is currently working as a Senior Security Consultant with Aura Information Security. He has over 8 years of experience in security consulting, application security, host review and hardening, network security, enterprise solution security and mobile security. He is also a registered penetration tester with CREST and a CEH certification holder. His articles are published on IITP blogs, and he also maintains his own security blog at http://nileshkapoor.blogspot.com.

Shahn Harris - Beca Ltd - I judge all of your services and applications
Abstract

I will explain the process that goes on inside a corporate/enterprise when a corporate security team is contacted to evaluate a new application or service by a business unit. The first questions asked have nothing to do with your SDLC, choice of code, framework or potential integration points. The questions are more: what is it, what does it do, where does it live and what do they know. Come to this talk if you wish to discover what information most large corporates/enterprises will ask of you if you try to sell a product/service to them. By taking the learnings from this talk it could potentially save you lots of time, money and

Speaker Bio

Shahn has worked for/with a number of different flagship New Zealand companies across multiple sectors and industries as a security consultant.

Laura Bell - SafeStack - Continuous Security
Abstract

Agile development is a powerful tool for the creation of high-quality software products. It has, however, scared the life out of many security managers and risk leaders. Once the job of a dedicated security team, security is now the responsibility of all members of our Agile teams.

So how do we bring continuous security to our lifecycles without compromising velocity and innovation? What tools and techniques do we need and when should we apply them?

In this talk, we will examine why security is the new key skill for successful Agile development teams and what you can do to bring it to your teams.

This is a talk of war stories from the SCRUM team trenches and real world tools, techniques and processes that are less about 'managing' security than they are about building amazing (secure) things, fast.

Speaker Bio

With almost a decade of experience in software development and information security, Laura specialises in bringing security survival skills, practices and culture into fast-moving environments.

Laura has spoken at various events such as BlackHat, BlueHat, Velocity, OSCON, Kiwicon, Linux Conf AU and Microsoft TechEd on the subjects of privacy, covert communications, Agile security and security mindset.

Laura is the founder of SafeStack, a specialist security training, development, and consultancy firm and lives in Auckland with her husband and daughter.

Kevin Alcock - Katipo Information Security Ltd - After 30 Years, I’m Coming Out
Abstract

This talk is about my journey from a software development veteran with 30 years of experience to an information security noob. The intended audience is information security noobs looking to get better and web application developers wanting to understand how their applications are vulnerable. The focus is on the Offensive Security (makers of Kali Linux) course Penetration Testing Training with Kali Linux and the Offensive Security Certified Professional (OSCP) certification exam. There will be no spoilers for those that are currently doing the course and exam. OWASP projects such as ZAP, DirBuster and Broken Web Applications will be discussed, along with how they helped me. I will also discuss which of the OWASP Top 10 (2013) vulnerabilities I used to gain access to the systems on the lab network.

Speaker Bio

Kevin has spent the last 30 years (10 in North America) in enterprise software development and delivery; now he is turning that experience towards the information security sector to help businesses in need.

Carlos Cordero - Convergnce - Information Security is a Marketing Responsibility
Abstract

KPMG’s Global CEO Outlook Survey (July 2015) showed that 50% of global CEOs say that their organisations are “not fully prepared” for a “cyber event”. Additionally, information security related risks are perceived to be “the most unpredictable kind of risk”. CEOs and Boards expect the IT function to take care of this aspect of the business risk portfolio, for obvious reasons: they own the IT infrastructure or manage it on behalf of other functions (logistics, operations, HR, accounting, finance, etc.). Unfortunately, nobody has told the marketers.

In the last 3 to 5 years, marketing departments have taken it upon themselves to bring into the organisation a smorgasbord of systems and applications, with little or no consultation with the IT department. The result is an unprecedented increase in infosec and legal risks that few organisations are even aware of, much less managing.

Our presentation would consist of 15-20 minutes sharing:

In this presentation we will: (1) Describe briefly the current situation and how we got to it. (2) Give an insight into the mindset of “the marketer” and an explanation of why “marketers” are oblivious to security. (3) Suggest a map of the marketing-related risks for businesses in the 201X going forward into the 202X. (4) Offer a prediction of the evolution of the marketing-related risks and their implications for information security professionals. (5) Offer suggestions regarding how these risks should be approached in order to reduce the exposure that the marketing department is bringing to the organisation.

Speaker Bio

Carlos is a marketing and intelligence consultant. One of his current areas of interest and research is risk in the marketing context.

Andrew Kelly - Insomnia Security - Two-Thirds of the Sacred Triangle
Abstract

"People, Process, and Technology" has been the sacred mantra, or triad, of IT for as long as I've been in the business. Unfortunately, whether you consider it a 'strategy for success', part of your overall 'holistic approach', or even 'the smell of good business', it's too often ignored. That is, two of the three are, as we all race to install faster, cheaper, more efficient, or 'better' technologies, in order to save money, stay ahead of our competitors, or sometimes even just for the sake of it. My talk will, hopefully, remind you that the "People, Process" part is as important as, maybe even more important than, the tech. Or, as Douglas Adams put it: "It is a mistake to think you can solve any major problems just with potatoes." List of the author's previous papers/articles/speeches on the same/similar topic: Previously, and similar, at ISIG, ISF, OWASP, etc.

Speaker Bio

Andrew started in InfoSec back when the dinosaurs still ruled the Earth. At least, that's how his fellow InfoSec workers, and often his audiences, view him anyways. But, even though his useful working life is slowly coming to its inevitable end, he reckons he still has a little something to offer his fellow IT professionals. Even if every other sentence these days begins with: "Back in my day..." and most of the others with: "Damned kids..." Between nanny naps, Andrew is still relatively gainfully employed as the GM for Insomnia Security.

Daniel Jensen - Security Assessment - Practical exploitation of less commonly identified vulnerabilities
Abstract

Recently I decided to look for some slightly more "complex" vulnerabilities in a PHP project. The open source video platform Kaltura was chosen for no particular reason other than looking vulnerable and having no prior CVEs. Surprisingly, a large PHP based project actually contained some fairly serious (and interesting) issues such as SSRF, object injection, and poor cryptography. This talk will provide some practical advice for finding less commonly identified vulnerabilities, their impact, and how to mercilessly exploit them in a real world application, using Kaltura as our test subject.

Speaker Bio

Daniel is a consultant at Security-Assessment.com where he hacks assorted systems and carries out research (read hacks). Before that he enjoyed a brief stint as a sysadmin, and spent too many years south of the Cook Strait in a misguided attempt at attending university. He currently resides in the bustling metropolis that is Auckland City, and resents having to write his own biography.

Brendan Jamieson - Insomnia Security - Deserialization, what could go wrong?
Abstract

So you're just gonna pass off that data to unserialize? What could possibly go wrong?

This talk is focused on the deserialization class of web application vulnerabilities. What are they? How are they introduced into web applications? Just how bad can deserializing that arbitrary object really be?

In this talk we'll cover real-world examples of deserialization vulnerabilities being introduced, and exploited, across a number of languages. We'll then look at options that are available to developers to avoid introducing this class of vulnerability into their applications.

Speaker Bio

Brendan Jamieson is a security consultant for Insomnia Security, based out of Wellington. He is active in the .nz infosec community, having spoken at Wellington's ISIG, and is involved in Kiwicon as a speaker, a trainer, and also the event organiser for the Hamiltr0n CTF.

David Waters - Lateral Security - Source Code Reviews: Why You Should
Abstract

In this talk I will make the case that you should be using security focused code review as part of your defensive strategy. I will talk about the types of bugs that are more easily found with either white-box penetration tests or code reviews, as opposed to more limited penetration tests. I will then present some real world examples of issues found during code reviews.

Speaker Bio

David is a Senior Security Consultant at Lateral Security. David previously worked in the Security Team at Google in London and draws on 16 years' experience as a systems and web developer, primarily working in .NET, Java and JavaScript.

<!--= Call For Presentations =

Call For Presentations
OWASP New Zealand Day conferences attract a high quality of speakers from a variety of security disciplines including architects, web developers and engineers, system administrators, penetration testers, policy specialists and more.

We would like a variety of technical levels in the presentations submitted, corresponding to the three sections of the conference:


 * Introductions to various Web Application Security topics, and the OWASP projects
 * Technical topics
 * Policy, Compliance and Risk Management

The introductory talks should appeal to an intermediate to experienced web developer, without a solid grounding in web application security or knowledge of the OWASP projects. These talks should be engaging, encourage developers to learn more about web application security, and give them techniques that they can immediately return to work and apply to their jobs.

Technical topics in the afternoon should appeal to two audiences - experienced web application security testers or researchers, and web developers who have an “OWASP Top Ten” level of understanding of web attacks and defences. You could present a lightning, short or long talk on something you have researched, developed yourself, or learnt in your travels. Ideally the topics will have technical depth or novelty so that the majority of attendees learn something new.

For the “Management Stream” in the afternoon we would like to invite talks that will appeal to those interested in the various non-technical topics that are important in our industry. These talks could focus on the development of policies, dealing with compliance obligations, managing risks within an enterprise, or other issues that could appeal to those in management roles.

We encourage presentations to have a strong component on fixing and preventing security issues. We are looking for presentations on a wide variety of security topics, including but not limited to:


 * Web application security
 * Mobile security
 * Secure development
 * Vulnerability analysis
 * Threat modelling
 * Application exploitation
 * Exploitation techniques
 * Threat and vulnerability countermeasures
 * Platform or language security (JavaScript, NodeJS, .NET, Java, RoR, etc)
 * Penetration Testing
 * Browser and client security
 * Application and solution architecture security
 * PCI DSS
 * Risk management
 * Security concepts for C*Os, project managers and other non-technical attendees
 * Privacy controls

The email subject must be "OWASP New Zealand 2016: CFP" and the email body must contain the following information/sections:


 * Name and Surname
 * Affiliation
 * Telephone number
 * Email address
 * Short presenter bio
 * Title of the contribution
 * Type of contribution: Technical, Informative, Management
 * Suggested length for the talk
 * Short abstract (up to 500 words)
 * List of the author's previous papers/articles/speeches on the same/similar topic (if any)
 * If you are not from New Zealand, will your company support your travel/accommodation costs? - Yes/No

The submission will be reviewed by the OWASP New Zealand Day conference committee and the highest voted talks will be selected and invited for presentation.

PLEASE NOTE:


 * Due to limited budget available, expenses for international speakers cannot be covered.
 * If your company is willing to cover travel and accommodation costs, the company will become "Support Sponsor" of the event.

Please submit the above information to all of the following: Denis Andzakovic (denis.andzakovic@owasp.org), Adrian Hayes (adrian.hayes@owasp.org) and Kim Carter (kim.carter@owasp.org).

Submissions deadline: 7th December 2015

= Call For Trainers =

Call For Trainers
We are happy to announce that training will run on Wednesday February 3rd 2016, the day before the OWASP Day conference. The training venue will be Level 0, Room: 40C, kindly provided by the University of Auckland School of Commerce, in the same building as the OWASP NZ Day conference itself. Classes will contain up to 48 students, with power for laptop usage and Wi-Fi. A wide range of half-day or full-day training proposals will be considered, see the Call for Papers for a list of example topics.

If you are interested in running one of the training sessions, please contact Denis Andzakovic, Adrian Hayes and Kim Carter with the following information:


 * Trainer name
 * Trainer organisation
 * Telephone + email contact
 * Short Trainer bio
 * Training title
 * Trainer requirements (e.g. a projector, whiteboard, etc)
 * Trainee requirements (e.g. laptop, VMware/VirtualBox, etc)
 * Training summary (less than 500 words)
 * Target audience (e.g. testers, project managers, security managers, web developers, architects)
 * Skill level required (Basic / Intermediate / Advanced)
 * What attendees can expect to learn (key objectives)
 * Short course outline

The fixed price per head for training will be $250 for a half-day session and $500 for a whole-day session. As this training is part of an OWASP event, part of the proceeds go back to OWASP. The split is as follows:


 * 25% to OWASP Global - used for OWASP projects around the world
 * 25% to OWASP NZ Day - used for expenses such as catering during the conference
 * 50% to the training provider.

Please submit the above information to all of the following:
 * Denis Andzakovic (denis.andzakovic@owasp.org)
 * Adrian Hayes (adrian.hayes@owasp.org)
 * Kim Carter (kim.carter@owasp.org).

Submissions deadline: 7th December 2015

= Call For Sponsorships =

Call For Sponsorships
OWASP New Zealand Day 2016 will be held in Auckland on the 4th of February, 2016 and is a security conference entirely dedicated to application security. The conference is once again being hosted by the University of Auckland with their support and assistance. OWASP New Zealand Day 2016 is a free event, but requires sponsor support to help make it an instructive and quality event for the New Zealand community. OWASP is strictly not for profit. The sponsorship money will be used to help make OWASP New Zealand Day 2016 a free, compelling, and valuable experience for all attendees.

The sponsorship funds collected are to be used for things such as:


 * Refreshments (coffee breaks) - we want to keep people refreshed during the day.
 * Name tags - we feel that getting to know people within the New Zealand community is important, and name tags make that possible.
 * Promotion - up to now our events have been propagated by word of mouth. We would like to reach a wider audience by advertising our events.
 * Printed Materials - printed materials will include brochures, tags and lanyards.

Facts
Last year, the event was supported by eight sponsors and attracted more than 230 participants. Plenty of constructive (and positive!) feedback from the audience was received and we are using this to make the conference more appealing to more people. For more information on the last New Zealand Day event, please visit: https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2015

The OWASP New Zealand community is strong, with more than 410 people currently subscribed to the mailing list. OWASP New Zealand Day is expected to attract between 400 and 500 attendees this year.

OWASP regular attendees are IT project managers, IT security managers, IT security consultants, web application architects and developers, QA managers, QA testers and system administrators.

Sponsorships
There are three different levels of sponsorships for the OWASP Day event:

Support Sponsorship: (Covering international speaker travel expenses, media coverage/article/promotion of the event) Includes:


 * Publication of the sponsor logo on the event web site - https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2016

Silver Sponsorship: 1500 NZD

Includes:


 * Publication of the sponsor logo on the event web site - https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2016
 * The publication of the sponsor logo in the event site, in the agenda, on the handouts and in all the official communications with the attendees at the conference.
 * The possibility to distribute the company brochures, CDs or other materials to the participants during the event.

Gold Sponsorship: 2750 NZD

Includes:


 * The possibility to have a promotional banner or sign side stage in the main auditorium (to be provided by the sponsor, size subject to approval by the OWASP NZ Day Committee).
 * The publication of the sponsor logo in the event site, in the agenda, on the handouts and in all the official communications with the attendees at the conference.
 * The possibility to distribute the company brochures, CDs or other materials to the participants during the event.
 * Publication of the sponsor logo on the OWASP New Zealand Chapter page - Sponsor logo on the OWASP NZ site prior and during the OWASP Day event - https://www.owasp.org/index.php/New_Zealand
 * Publication of the sponsor logo on the event web site - https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2016

Those who are interested in sponsoring the OWASP New Zealand 2016 Conference can contact the [mailto:kim.carter@owasp.org?cc=adrian.hayes@owasp.org&cc=denis.andzakovic@owasp.org OWASP New Zealand Board]. -->