OWASP New Zealand Day 2011

Introduction
OWASP New Zealand Day 2011 7th July - Auckland

https://www.owasp.org/images/0/05/OWASP_NZ_Day_2011_Logo.png

= Introduction =

Following the success of the OWASP New Zealand 2009 and OWASP New Zealand 2010 security conferences, the OWASP New Zealand Chapter is pleased to announce the return of the conference in 2011. The third OWASP New Zealand Day will be happening thanks to the support provided by the University of Auckland School of Business, which will kindly offer the same conference venue of the last two years. Entry to the event will, as in the past, be free. OWASP New Zealand Day 2011 will be held on Thursday July 7th, 2011.

For any comments, feedback or observations, please don't hesitate to contact [mailto:nick.freeman@owasp.org?cc=scott.bell@owasp.org us].

You can register for the conference here. Please note that the registration cut-off date is June 23, 2011; no registrations will be accepted on the day.

Conference dates

 * CFP closes: 			 			31st May 2011
 * Conference Agenda due: 			15th June 2011
 * Registration deadline: 				23rd June 2011
 * Conference date: 					7th July 2011

Conference Venue
The University of Auckland Business School Owen G Glenn Building Room: OGGB 260-073 (OGGB4) Address: 12 Grafton Road Auckland New Zealand Map

Registration
You are invited to attend to the OWASP Day conference at no charge (Free as in beer). However to ensure an orderly, well run event we require that all attendees register before the registration close off date (23rd June 2011). At this time there will be no plan to allow "on the day registration". Registration is handled through the RegOnline event management system, available at http://regonline.com/owaspnzday2011. Please note that the registration cut-off date is June 23, 2011; no registrations will be accepted on the day.

Conference Sponsors
Gold Sponsors:

Silver Sponsors:

Topics
The OWASP Days have always offered a forum for discussion and exchange of ideas among researchers and practitioners who present their experiences and discuss issues related to Web Application Security from a higher level to a technical point of view.

Conference topics include, but are not limited to:


 * OWASP Project Presentation (i.e Tool Updates/Project Status etc)
 * Threat modelling of web applications
 * Privacy Concerns with Applications and Data Storage
 * Vulnerability analysis of web applications (code review, pentest, static analysis, scanning)
 * Baseline or Metrics for Application Security
 * Countermeasures for web application vulnerabilities
 * Web application security
 * Platform or language (e.g. Java, .NET) security features that help secure web applications
 * Secure application development
 * How to use databases securely in web applications
 * Security of Service Oriented Architectures
 * Access control in web applications
 * Web services security
 * Browser security

Conference Committee

 * Nick Freeman - OWASP New Zealand Leader (Auckland)
 * Scott Bell -  OWASP New Zealand Leader (Wellington)
 * Lech Janczewski - Associate Professor - University of Auckland School of Business

Blair Strang - Security-Assessment.com - Secure Development: What The OWASP Guide Didn't Tell You
OWASP has lots of useful information for developers wishing to secure their applications. However, there are concepts which can make your life easier which are not covered in the OWASP guide.

+ Where in your code to apply the OWASP recommended protections + Some advice on hard-to-get right protections + Bonus protections: Advanced security measures not in the OWASP guide

Blair Strang

Bio to come

Andrew Evans - Kiwibank - I <3 Reporting - Managing Effective Web Application Assessments
In a previous role as a full time penetration test manager, I often encountered situations where the outcome of a penetration test was affected by the preparedness of the client, the information and resources available to the testers, and the ability of the client to interpret the report. While there are abundant resources for penetration testers available to teach techniques for web application hacking, there is very little information to guide pre and post engagement activities such as scoping, logistics, and reporting.

The complexity of modern web applications means that there is a huge dependency on clients understanding what is required of them, and how to provide the appropriate information and resources to testers to get the best outcome from a penetration test.

Andrew Evans

Andrew Evans is an information security jack-of-all-trades at Kiwibank. Prior to that, he managed penetration tests for a large UK bank, where he spent his time being schmoozed by vendors, LOLing at reports, shouting at developers, and playing havoc with go-live dates.

Nick von Dadelszen – Lateral Security - Testing Mobile Applications
Mobile applications are the "next big thing" in application development and it seems everyone is developing them, including banks, travel companies, retail outlets and everyone else. Mobile application security requires a different focus to standard web applications and this talk discusses those differences, how to test mobile applications, and some tips and tricks from Lateral Security's experience in penetration testing mobile applications.

Nick von Dadelszen

Nick von Dadelszen is a respected security consultant with over 10 years experience in the security industry. In that time he has worked with the majority of New Zealand's largest organisations including leading players in a government, financial, and telecommunications sectors.

Nick has previously managed two successful security teams and is now a co-founder of Lateral Security, responsible for technical delivery of projects.

Adrian Hayes - Security-Assessment.com - Web Crypto for the Developer Who Has Better Things To Do
Crypto is easy to get wrong and can be a pain to implement. This presentation will take you through practical examples of how to implement solid crypto on a number of common development platforms. We'll talk about how to store and 	verify passwords, how to safely transport and store backups. What's wrong with some default SSL configurations and maybe even random token generation among other things. Web app crypto should be easy and secure, not just one of those.

Adrian Hayes

Adrian Hayes is a security consultant for Security-Assessment.com in Wellington. Adrian comes from a web app development background but has jumped the fence and now spends his time hacking them.

Brett Moore - Insomnia Security - Concurrency Vulnerabilities
Concurrency vulnerabilities are not very common, as they require specific circumstances for a vulnerable scenario to exist. However, the consequences of such issues can be devastating and include auth bypass, cross user account access, and purchase tampering.

This talk will discuss in detail some of the situations leading to these vulnerabilities, and how they can be detected both at the source level and during active testing.

Brett Moore

Having conducted vulnerability assessments, network reviews, and penetration tests for the majority of the large companies in New Zealand, Insomnia founder Brett Moore brings with him over eight years experience in information security. During this time, Brett has also worked with companies such as SUN Microsystems, Skype Limited and Microsoft Corporation by reporting and helping to fix security vulnerabilities in their products. Brett has released numerous whitepapers and technical postings related to security issues and has spoken at security conferences both locally and overseas, including BlackHat, Defcon, Syscan, Kiwicon, Ruxcon, and the invitation only Microsoft internal security conference called BlueHat.

Sam Pickles - F5 - A Day in the Life of a WAF
Web Application Firewalls in production get to see a large volume of malicious requests; and present a unique opportunity to discover what is really happening out in the black hat community.

In this talk, real attack examples seen in production will be presented which demonstrate the reality and relevance of the OWASP Top Ten. Attack samples and reports have been gathered from a number of sites globally and sanitised, and will be used to help understand the answers to some common questions:

- How often is my application being attacked? (more than you might think) - What techniques are being attempted? - Who is doing this, and why?

Additionally, some recent headline-grabbing hacks in banking and finance will be detailed at a practical level.

Sam Pickles

Sam Pickles has worked across the security industry for over ten years, in APAC, EMEA, and USA. Sam has held senior technical responsibility within many high profile IT and physical security projects across banking, government and service provider customers. During this period he has been involved in creating some of the world's largest web application firewall gateways, designed and built IT security systems and conducted network, application and hardware device penetration testing.

As an architect and security specialist with F5 Networks, Sam maintains a keen interest in web application security, is a member of OWASP and a long time attendee of chapter meetings in London. He has degrees in Physics from the University of Otago, and Computer Science from the University of Oxford.

Kirk Jackson / Mike Haworth - Aura Information Security - HTML5 Security
HTML5 brings a suite of new features to browsers these features are enabled and the browser we use today. Some features that'll be more interesting to application security reviewers are:

- The loosening of the same origin policy - WebSockets - Local Storage - And a bunch of new XSS vectors

Kirk Jackson

Kirk Jackson is a Security Consultant for Aura Information Security, and has spent a decent percentage of his waking life building websites for a living (most recently at Xero).

Mike Haworth

Mike Haworth, tests pens for AuraInfoSec. Former webmonkey and recovering Drupaholic

Kirk Jackson - Aura Information Security - File Uploads are Evil
So your users want to upload and share files on your website? We know how to put XSS protections in place, but how do we protect against malicious content uploaded to our sites?

Kirk Jackson

Kirk Jackson is a Security Consultant for Aura Information Security, and has spent a decent percentage of his waking life building websites for a living (most recently at Xero).

Mark Young - Datacom - Sleeping Easy: Architecting Web Applications Securely
Tales from a developer – practical tips on how to lead teams and design solutions in a way that produces secure web applications. Starting off with “why does security matter to my customers”, I’ll look at how to get organisations and teams on board and excited about security. Then mostly using .NET will show some common mistakes I’ve observed and specific examples of how solution and application framework design can mitigate some of these issues. I’ll look at difficulties in integrating a secure development lifecycle into the daily grind of project delivery and some of the struggles and pitfalls with implementing secure practices. If there’s time I’ll squeeze in some exemplar exploits as well.

Mark Young

Mark Young is a senior developer / team lead / architect at Datacom in Auckland, who has spent the last few years leading dev teams and architecting enterprise web systems, particularly in banking. Mark has a focus on web security, has been known to deliver and reproduce exploits, and has also been stung a few times by his code (or that of his team).

Quintin Russ - SiteHost - Real Applications, Real Vulnerabilities, Really Exploited
Websites are being compromised. Daily. Some of these attacks are sophisticated and occur without warning, but many are not. This talk will look at some widely exploited vulnerabilities in popular applications, such as authentication bypass, remote code execution & SQL injection. We will cover how they were exploited and discuss techniques to help organisations avoid becoming another statistic.

Quintin Russ

Quintin has carved out his own niche in the .nz hosting industry, having spent a large proportion of the last few years becoming an expert in both building and defending systems. He now runs enough infrastructure to ensure he never, ever gets a good night's sleep, and sometimes doesn't even get to snooze through Sunday mornings. Quintin has a keen interest in security, especially as it relates to web hosting. This has ranged from the vicissitudes of shared hosting to code reviews of popular blogging applications. He has previously presented at ISIG, OWASP & Kiwicon.

Call For Sponsorships (CLOSED)
The call for silver and gold sponsorships is now closed, however we are still looking for support sponsors who can provide media coverage/promotion for the event.

Following the success of the previous events in 2009 and 2010, OWASP New Zealand Day 2011 will be held in Auckland on the 7th of July, 2011. OWASP New Zealand Day is a security conference entirely dedicated to web application security. The conference is once again being hosted by the University of Auckland School of Business with their support and assistance. OWASP New Zealand Day 2011 is a free event, but requires sponsor support to help be an instructive and quality event for the New Zealand community. OWASP is strictly non for profit. The sponsorship money will be used to help make OWASP New Zealand Day 2011 a free, compelling and valuable experience for the audience.

The sponsorship funds collected are to be used for things such as:


 * Refreshments (coffee break/lunch) - we want to keep people refreshed during the day; while we certainly bring good and interesting speakers, we don't want people to go home when they become hungry.
 * Name tags - we feel that getting to know people within the New Zealand community is important, and name tags make that possible.
 * Promotion - up to now our events are propagating by word of mouth. We would like to get to a wider audience by advertising our events.
 * Printed Materials - printed materials will include brochures, tags and lanyards.

Facts
Last year, the event was supported by 3 sponsors and attracted more than 150 participants. A lot of good feedback from the audience was received and this is the reason why we are re-organising the event. For more information on last year's event, please visit: https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2010

The OWASP New Zealand community is strong and there are more than 160 people currently subscribed to the mailing-list. OWASP New Zealand Day is expected to attract a number between 150 and 200 attendees during the conference.

OWASP regular attendees are IT project managers, IT security managers, IT security consultants, web application architects and developers, QA managers, QA testers and system administrators.

Sponsorships
There are three different levels of sponsorships for the OWASP Day event:

Includes:
 * Support Sponsorship: (Covering international speaker travel expenses, media coverage/article/promotion of the event)

- Publication of the sponsor logo on the event web site - https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2011


 * Silver Sponsorship: 1500 NZD

Includes:

- Publication of the sponsor logo on the event web site - https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2011

- The publication of the sponsor logo in the event site, in the agenda, on the flyers, brochure and in all the official communications with the attendees at the conference. - The possibility to distribute the company brochures, CDs or other materials to the participants during the event.


 * Gold Sponsorship: 3500 NZD

Includes:

- The publication of the sponsor logo in the event site, in the agenda, on the flyers, brochure and in all the official communications with the attendees at the conference. - The possibility to distribute the company brochures, CDs or other materials to the participants during the event.

- Publication of the sponsor logo on the OWASP New Zealand Chapter page - Sponsor logo on the OWASP NZ site prior and during the OWASP Day event - https://www.owasp.org/index.php/New_Zealand - Publication of the sponsor logo on the event web site - https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2011 - Sponsor dedicated space at the conference (sponsor booth) to show products/services to the attendees during coffee breaks, lunch and snack breaks.

Those who are interested in sponsoring OWASP New Zealand 2011 Conference can contact the [mailto:nick.freeman@owasp.org?cc=scott.bell@owasp.org OWASP New Zealand Board]. Sponsors can also make us of the following PayPal button to make payments. Donations are also more than welcome from the NZ community.

Call for Papers (CLOSED)
The OWASP New Zealand Chapter is holding the annual OWASP New Zealand Day web application security conference at the University of Auckland School of Business on July 7th, 2011. The Call For Papers is now open, and you are cordially invited to submit your stuff!

Following on from the previous two years, the conference will consist of a single track covering both technical and risk management topics. So if you'd like to share your brand new technique, detail your run-ins with .cn, .ru or Anonymous, spread fear about the cloud or drop some 0day, we'd like to hear from you.

We are looking for talks of various lengths, but ask that you keep the talk under 40 minutes long. 10-15 minute long lightning talks are welcome, and ideal if you have something you want to share that doesn't need half an hour to explain.

Other than the above, we are seeking presentations on any of the following topics:


 * OWASP Project Presentation (i.e Tool Updates/Project Status etc)
 * Threat modelling of web applications
 * Privacy Concerns with Applications and Data Storage
 * Vulnerability analysis of web applications (code review, pentest, static analysis, scanning)
 * Baseline or Metrics for Application Security
 * Countermeasures for web application vulnerabilities - secure coding practices
 * Web application security
 * Platform or language (e.g. Java, .NET) security features that help secure web applications
 * Secure application development
 * How to use databases securely in web applications
 * Security of Service Oriented Architectures
 * Access control in web applications
 * Web services security
 * Browser security
 * PCI

The timeline for submissions is as follows:

31st May 2011: The official closing date for receiving a synopsis of the presentation. 15th Jun 2011: Announcements on selected candidates will be provided. 20th Jun 2011: Complete presentations will need to be submitted.

The email subject must be "OWASP New Zealand 2011: CFP" and the email body must contains the following information/sections:


 * Name and Surname
 * Affiliation
 * Address
 * Telephone number
 * Email address
 * List of the author's previous papers/articles/speeches on the same topic
 * Title of the contribution
 * Type of contribution: Technical or Informative
 * Abstract (up to 500 words)
 * Why the contribution is relevant for OWASP New Zealand 2011
 * If you are not from New Zealand, will your company support your travel/accomodation costs - Yes/No

The submission will be reviewed by the OWASP New Zealand Board and the most interesting ones will be selected and invited for presentation.

PLEASE NOTE:
 * Due to limited budget available, expenses for international speakers cannot be covered.
 * If your company is willing to cover travel and accomodation costs, the company will become "Support Sponsor" of the event.

Please submit your presentation topics and an abstract of up to 500 words to Nick Freeman and Scott Bell - nick.freeman@owasp.org & scott.bell@owasp.org

Call For Trainers (CLOSED)
We are happy to announce that training will run alongside OWASP Day this year, on July 7th 2011. The training venue will be an auditorium kindly provided by the University of Auckland School of Business, in the same building as the OWASP Day conference itself. Classes will contain up to 20 students, and each seat has a power point for laptop usage.

Two 3-hour slots will be available for training, one from 9am-12noon and a second from 2pm-5pm. As the slots are quite short, we're looking for training events that will be providing either introductory lessons in web app security, or sessions dedicated to a particular topic.

Examples of training topics:

+ Input filtering 101 + Securing web services + Introduction to the OWASP Top 10 + Hardening web servers + Mobile app security + Web App Security for Project Managers

If you are interested in running one of the training sessions, please contact myself or Scott Bell with the following information:

- Trainer name - Trainer organisation - Telephone + email contact - Training title - Trainer requirements (e.g. a projector) - Trainee requirements (e.g. laptop, VMWare/Virtualbox etc) - Training summary (less than 500 words) - Target audience (e.g. testers, project managers, security managers, web developers) - Skill level required (Basic / Intermediate / Advanced) - A few sentences about why you think this training is important to web application security - What attendees can expect to learn (key objectives) - Short Trainer bio - List of published papers/presentations - Course outline E.g.: 1. Topic 1 > Sub Topic 1.a 		> Sub Topic 1.b 		> Exercise 1 2. Topic 2 3. Topic 3 > Sub Topic 3.a 	       > Demo > Sub Topic 3.b

The fixed price per head for training will be $250. As this training is part of an OWASP event, part of the proceeds go back to OWASP. The split is as follows: - 25% to OWASP Global - used for OWASP projects around the world - 25% to OWASP NZ Day - used for expenses such as catering during the conference - 50% to the training provider.

If you have any further queries, or wish to submit a training course, please send the above information to the following email addresses: - nick.freeman@owasp.org - scott.bell@owasp.org

Accepted training sessions will be announced on June 15th, together with the presentations.

Conference dates

 * CFP close: 			 			31st May 2011
 * Conference Agenda due: 			15th June 2011
 * Registration deadline: 				23rd June 2011
 * Conference date: 					7th July 2011

Conference Committee
OWASP New Zealand Day 2011 Organising Committee:


 * Nick Freeman - OWASP New Zealand Leader (Auckland)
 * Scott Bell - OWASP New Zealand Leader (Wellington)
 * Lech Janczewski - Associate Professor - University of Auckland School of Business