OWASP New Zealand Day 2009
The OWASP New Zealand Day has been the first all day security conference dedicated to web application security in New Zealand. It has been a great day with 150 attendees from all over New Zealand and seven great talks covering several topics within the web application security area.
The presentations have been published online and can be downloaded from the "Presentations" page.
Again, big thanks to the sponsors, the speakers and the conference committee for making this a valuable experience.
- Kirk Jackson's Page of Words - OWASP NZ Day Keynotes - http://pageofwords.com/blog/CategoryView,category,OWASP.aspx
- Malerisch.net - http://malerisch.net/
Welcome to OWASP New Zealand Day 2009
Roberto Suggi Liverani / Lech Janczewski - Security-Assessment.com / The University of Auckland
Keynote: Insecurity and the Internet - pptx
Paul Craig - Security-Assessment.com
Vulnerabilities In Action
Brett Moore - Insomnia Security
Testing Web Services - pdf
Nick von Dadelszen – Lateral Security
Exploiting Firefox Extensions - pptx
Roberto Suggi Liverani / Nick Freeman - Security-Assessment.com
Application Bug Chaining - pdf
Mark Piper - Catalyst IT Ltd
"Where Worlds Collide" - PCI-DSS for OWASP practioners - ppt
Dean Carter - Security-Assessment.com
XSS – The Gloves are Off - pptx
Andy Prow / Kirk Jackson - Aura Software Security / Xero
Dean Carter - Security-Assessment.com - "Where Worlds Collide" - PCI-DSS for OWASP practioners
Payment Card Industry Data Security Standard (PCI DSS) has become a compliance requirement for many organisations. Due to its width and breadth the PCI-DSS poses many and varied challenges to an organisation. Achieving and maintaining compliance is not simply a technical issue – it relies heavily on people, policy and processes. This session aims to look at OWASP initiatives that can be related directly to the PCI-DSS.
The session will start with a very brief, high level overview of the PCI-DSS and then look closely how various OWASP initiatives can be leveraged in organisational compliance programs.
Dean Carter leads the Security Advisory Services team within Security-Assessment.com .
Dean has been in the IT industry for 17 years during which time he has worked with a wide range of technologies, industries and companies. For the past 7 of those 17 years Dean has spent the majority of his time specializing in information security consulting for financial organizations and telcos.
Paul Craig – Security-Assessment.com - “Insecurity and the Internet”
For the last 5 years I have spent 10 hours a day successfully breaking the internet. Networks, applications, services, it’s all insecure, hack-able and often completely vulnerable. Through my work at Security-Assessment.com I have pointed out critical security flaws in the majority of New Zealand organizations. Hacking a multi-billion dollar New Zealand organization is actually not that hard. This fact really troubles me, and I find myself asking the question: “Why is the internet insecure?” It is after all 2009, not 1999. Today I hope to answer that question and find out why the internet is, and will likely always remain insecure.
Paul Craig is a principal security consultant at Security-Assessment.com in Auckland New Zealand, where he leads the penetration testing team. Paul is an active security researcher, published author, and a devoted hacker. Paul specializes in application penetration testing, and regularly speaks at security conferences around the globe.
Brett Moore – Insomnia Security - “Vulnerabilities In Action”
Common application vulnerabilities have been known for years now, and developers have been told about the threats and how to prevent these flaws. Even so, web applications are still been developed that are vulnerable to some of the oldest and most well known security flaws. The aim of this presentation is to show the attendees how vulnerabilities are discovered and exploited in real world situations, and the devastating effect that a flaw can have on the security of an application. The presentation will demonstrate multiple different application vulnerabilities across various development languages and operating systems. All of the commonly seen vulnerabilities will be demonstrated, aligned with the OWASP top 10 rating system. Attendees will be able to learn about the real dangers that application vulnerabilities pose, by seeing them been exploited as they would in a real compromise situation. The demonstration will be done again a ‘virtual’ network of vulnerable systems that will contain both server and application level flaws, giving a real world insight to an application compromise.
Having conducted vulnerability assessments, network reviews, and penetration tests for the majority of the large companies in New Zealand, Insomnia founder Brett Moore brings with him over six years experience in information security. During this time, Brett has also worked with companies such as SUN Microsystems, Skype Limited and Microsoft Corporation by reporting and helping to fix security vulnerabilities in their products. Brett has released numerous whitepapers and technical postings related to security issues and has spoken at security conferences both locally and overseas, including BlackHat, Defcon, Syscan, Kiwicon, Ruxcon, and the invitation only Microsoft internal security conference called BlueHat.
Roberto Suggi Liverani / Nick Freeman – Security-Assessment.com - “Exploiting Firefox Extensions”
Firefox extensions are popular, well-established and used by millions of people around the world. Some of these extensions are recommended by the Mozilla community, and are implicitly trusted by the masses.
Little is known about Firefox extensions from a security perspective and our research intends to fill this gap. The talk is divided in two parts: theory and practice. First, we will explore the security model of Firefox extensions and present a security testing methodology. Next, we will illustrate how we applied the theory and discovered severe vulnerabilities in the most popular and recommended Firefox extensions. Examples of exploits will also be demonstrated.
After this talk, attendees will have gained a better understanding of the security implications, threats and risks of using and deploying Firefox extensions. Security professionals and auditors will be able to use our material as a security testing framework when auditing Firefox extensions.
Roberto Suggi Liverani
Roberto Suggi Liverani is a senior security consultant for Security-Assessment.com. He is the founder and leader of the OWASP (Open Web Application Security Project) in New Zealand. Roberto has worked with companies such as Google, Oracle and Opera by reporting and helping to fix security vulnerabilities in their products. Roberto is the co-author of the most recent OWASP Testing Guide and has spoken at various security conferences around the globe.
Nick Freeman is a security consultant at Security-Assessment.com, based in Auckland, New Zealand. After a couple of years of building systems for companies he has turned to breaking them instead, and spends his spare time searching for shells and the ultimate combination of whisky and bacon.
Nick von Dadelszen – Lateral Security - “Testing Web Services”
Web Services are now a major component of many organisation's online presence. This could be in the form of AJAX-type consumer websites where more processing is being passed to the browser, or in corporate/governemtn b2b information-sharing environments. This talk will focus on how to properly test web services, what to look for, and some of the tips and tricks picked up through my testing of these types of systems.
Nick von Dadelszen
Nick von Dadelszen has managed successful security teams for two previous employers and is now a co-founder and director of Lateral Security, responsible for technical delivery of projects. Nick has been performing penetration testing in New Zealand for the last 10 years and in that time he has worked with the majority of New Zealand's largest organisations including government, financial and telecommunications sectors.
Mark Piper - Catalyst IT Ltd - “Application Bug Chaining”
As the number of useful, un-authenticated application bugs dwindles in 2009, the number of practical 'chained' exploits is growing.
Often, during development, it is very easy for developers (and penetration testers) to focus on individual bugs within an application. While these bugs may be serious, they are often difficult to exploit practically. This talk will explore various conditions that may be found within web applications to allow the 'chaining' of application bugs to produce reliable and practical exploits.
A real world case study of how exploiting chaining can work will be discussed, dissected and demonstrated to the audience.
Currently working as a Linux Guy for Catalyst IT Ltd. Mark has a passion for all things related to caffeine, UNIX and security.
In the past Mark has been both a UNIX Administrator and Principal Security Consultant assisting and advising a large number of organizations across New Zealand with regards to security. He has also presented at a number of conferences including the OWASP conference in Australia and OWASP evenings in New Zealand.
Mark is often called upon as a trusted advisor to various public and private sector organizations regarding the practical, real world threats they face.
Andy Prow / Kirk Jackson - Aura Software Security / Xero - “XSS – The Gloves are Off”
XSS (Cross-site Scripting) is still one of the most common web-attacks used today. Whether hidden in websites that have been vulnerable like Twitter, Facebook, MSN, Hotmail and Amazon, or in PDFs or Flash, XSS attacks are out in the wild. Just in May of this year we saw Gumblar (a.k.a. Grumblar, Martuz, JSRedir) which hit the top-web-infections lists around the globe – one of its growth techniques was good old XSS.
The key message of this presentation -“You’ve heard of XSS and you’ve followed the “OWASP XSS Prevention Cheat Sheet” to protect your code, but do you really understand each protection step, and does it really matter if you miss one?”
To help answer this question in an easily understandable way this presentation is not just another “XSS talk”, but more of a “Gloves are Off” battle between good and bad. Andy takes the “bad-guy” role with XSS attacks, Kirk is the “good-guy” defender, locking down his .Net website. Who will win?
Andy has15 years commercial experience in Software Development from companies including IBM, Vodafone, Telecom and Ericssons, in roles including lead software developer, technical architect and development manager. Andy is the Managing Director of the Aura group which he started in 2001. Aura Software Security Ltd provides IT Security Consulting and Penetration Testing to major NZ companies and agencies including the NZ Police, MFAT, Fidelity Life, Xero, TAB and several banks. Aura provides overseas pen-testing to both Ausy and UK companies.
Kirk Jackson is a Senior Developer and is the IT Security Officer at Xero (www.xero.com). Kirks is also involved in the Microsoft development community, runs the Wellington .NET Users Group, presents nationwide and has presented at Microsoft TechEd the past 4 years. Kirk is an ASP.NET MVP, and occasionally blogs at http://pageofwords.com
Please note that CFP is now closed.
Call For Sponsorships (CLOSED)
The aims of OWASP - New Zealand community is to guarantee access to the conference for free in order to allow for wide participation and empower the community itself. As so the OWASP - New Zealand community encourages Industries, Research Institutions and Individuals to sponsor their activities and events.
Two types of sponsorships are available:
- Silver sponsorship: 1500 NZD
- Publication of the sponsor logo on the event web site (top of this page)
- Gold Sponsorship: 3500 NZD
- The publication of the sponsor logo in the event site, in the agenda, on the flyers, brochure and in all the official communications with the attendees at the conference.
- The possibility to distribute the company brochures, CDs or other materials to the participants during the event.
- Sponsor dedicated space at the conference (sponsor booth) to show products/services to the attendees during coffee breaks, lunch and snack breaks.
Those who are interested in sponsoring OWASP New Zealand 2009 Conference can contact the OWASP New Zealand Board.
Sponsors can also make us of the following PayPal button to make payments. Donations are also more than welcome from the NZ community.
<paypal>OWASP New Zealand Day 2009</paypal>
Call for Paper (CLOSED) and review process
OWASP solicit contributions on the above topics, or general matters of interest to the community. Those who are interested in participating as speakers to the conference can submit an abstract of the speech to the OWASP New Zealand Board.
The email subject must be “OWASP New Zealand 2009: CFP” and the email body must contains the following information/sections:
- Name and Surname
- Telephone number
- Email address
- List of the author’s previous papers/articles/speeches on the same topics
- Title of the contribution
- Type of contribution: Technical or Informative
- Abstract (max one A4 style page)
- Why the contribution is relevant for OWASP New Zealand 2009
The submission will be reviewed by the OWASP New Zealand Board and the 12-14 most interesting ones will be selected and invited for presentation.
The University of Auckland Business School
Owen G Glenn Building
Room: OGGB 260-073 (OGGB4)
Address: 12 Grafton Road
The OWASP Days have always offered a forum for discussion and exchange of ideas among researchers and practitioners who present their experiences and discuss issues related to Web Application Security from a higher level to a technical point of view.
Conference topics include, but are not limited to:
- OWASP Project Presentation (i.e Tool Updates/Project Status etc)
- Threat modelling of web applications
- Privacy Concerns with Applications and Data Storage
- Vulnerability analysis of web applications (code review, pentest, static analysis, scanning)
- Baseline or Metrics for Application Security
- Countermeasures for web application vulnerabilities
- Web application security
- Platform or language (e.g. Java, .NET) security features that help secure web applications
- Secure application development
- How to use databases securely in web applications
- Security of Service Oriented Architectures
- Access control in web applications
- Web services security
- Browser security
Conference structure and schedule
OWASP New Zealand Day 2009 will be all day Conference. The conference aims to provide a workshop-like atmosphere in which contributions can be presented and then time is allowed for constructive discussion of their results and processes.
It will be structured in a single stream. During the conference two coffee breaks (one in the morning and one in the afternoon) and the lunch are in program. These might be offered by the sponsors.
The detailed agenda of the conference will be available on the web site before the event.
- CFP close: 15th June 2009
- Contributions submission deadline: 25th June 2009
- Registration deadline: 20th June 2009
- Conference Agenda due: 20th June 2009
- Conference date: 13th July 2009
OWASP New Zealand Day 2009 Organising Committees:
- Roberto Suggi Liverani – OWASP New Zealand Leader
- Rob Munro – OWASP New Zealand Evangelist
- Alexandre Medarov – ICT Risk Manager - University of Auckland
- Lech Janczewski - Associate Professor - University of Auckland
ICT and Department of Information Systems and Operations Management