Difference between revisions of "OWASP New Zealand Day 2010"

From OWASP
Jump to: navigation, search
m
m
 
(46 intermediate revisions by one user not shown)
Line 10: Line 10:
 
= Introduction =
 
= Introduction =
  
Following the success of the [http://www.owasp.org/index.php/OWASP_New_Zealand_Day_2009 OWASP New Zealand 2009] security conference which attracted more than 150 attendees from all over the country, we decided to organise the <b>OWASP New Zealand Day 2010</b>. The event will be held on the <b>15th July 2010</b> in <b>Auckland</b>. For those people who missed the first OWASP New Zealand Day, this is a national security conference entirely dedicated to web application security. The intent of the conference is to promote and raise web application security awareness in New Zealand. IT professionals, including IT security professionals, developers, managers and students are invited to partecipate to this conference. Entry to the conference is <b>free</b>.
+
Following the success of the [http://www.owasp.org/index.php/OWASP_New_Zealand_Day_2009 OWASP New Zealand 2009] security conference which attracted more than 150 attendees, the [http://www.owasp.org/index.php/New_Zealand OWASP New Zealand Chapter] decided to organise the <b>OWASP New Zealand Day 2010</b>. The event was held on the <b>15th July 2010</b> in <b>Auckland</b> and was a great conference day. The event gathered an audience of 160 delegates including security professionals, developers, managers and students.<br>
 +
For those people who missed the event or are interested in the conference material, some of the [http://www.owasp.org/index.php/OWASP_New_Zealand_Day_2010#tab=Presentations presentations] have been published and can be downloaded from the presentations page.<br>
 +
For any comments, feedback or observations, please don't hesitate to contact [mailto:robertosl@owasp.org us].<br>
 +
Again, big thanks to the sponsors <b>Security-Assessment.com</b> and <b>Lateral Security</b>, the speakers and the conference committee for their contributions and support to the organisation of the event.
  
==Registration==
+
==Blog/Coverage==
  
Entry to the event is <b>free</b>. Registration is mandatory in order to attend. To register at the conference, please click the registration button below:<br>
+
Some blog coverage from Kirk Jackson:
<br>
+
[http://pageofwords.com/blog/CategoryView,category,OWASP.aspx http://pageofwords.com/blog/CategoryView,category,OWASP.aspx]
==Conference Venue==
+
  
The University of Auckland Business School<br>
 
Owen G Glenn Building<br>
 
Room: OGGB 260-073 (OGGB4)<br>
 
Address: 12 Grafton Road<br>
 
Auckland<br>
 
New Zealand<br>
 
[http://maps.google.com/maps?oe=UTF-8&ie=UTF8&q=auckland+business+school&fb=1&split=1&cid=0,0,12303692579639430581&ei=6WeqSZr_OZLFkAWR--zbDQ&ll=-36.852308,174.770916&spn=0.01056,0.020621&z=16&iwloc=A Map]<br>
 
<center>[[Image:Auckland_business_school_small2.jpg]] [[Image:Room_hall.jpg]]</center>
 
  
==Topics==
 
  
The OWASP Days have always offered a forum for discussion and exchange of ideas among researchers and practitioners who present their experiences and discuss issues related to Web Application Security from a higher level to a technical point of view.
+
====Presentations====
  
Conference topics include, but are not limited to:
+
<center>
 +
<table width="80%" class="t">
 +
<tr>
 +
<td width="7%" class="tcell3" valign="top"><div align="right">08:30</div></td>
 +
<td bgcolor="#8595C2" class="tcell3">    <div align="left">Registration  
 +
    </div></td>
 +
</tr>
 +
<tr>
  
* OWASP Project Presentation (i.e Tool Updates/Project Status etc)
+
<td class="tcell2" valign="top"><div align="right">09:00</div></td>
* Threat modelling of web applications
+
<td bgcolor="#eeeeee" class="tcell"><div align="center"><b>Welcome to OWASP New Zealand Day 2010</b><br /
* Privacy Concerns with Applications and Data Storage
+
      <em>Roberto Suggi Liverani / Lech Janczewski - Security-Assessment.com / The University of Auckland</em></div></td>
* Vulnerability analysis of web applications (code review, pentest, static analysis, scanning)
+
</tr>
* Baseline or Metrics for Application Security
+
<tr>
* Countermeasures for web application vulnerabilities
+
<td class="tcell2" valign="top"><div align="right">09:15</div></td>
* Web application security
+
<td bgcolor="#b9c2dc" class="tcell"><div align="center"><b>[http://www.owasp.org/images/b/b5/2010_OWASP_NZ.pptx Don't Try This At Home]</b> - pptx<br/>
* Platform or language (e.g. Java, .NET) security features that help secure web applications
+
    <em>Brett Moore - Insomnia Security</em></div></td>
* Secure application development
+
</tr>
* How to use databases securely in web applications
+
* Security of Service Oriented Architectures
+
* Access control in web applications
+
* Web services security
+
* Browser security
+
* PCI
+
  
==Conference structure and schedule==
+
<tr>
 +
<td class="tcell2" valign="top"><div align="right">9:50</div></td>
 +
<td bgcolor="#EEEEEE" class="tcell"><div align="center"><b>[http://www.owasp.org/images/0/04/Roberto_Suggi_Liverani_OWASPNZDAY2010-Defending_against_application_DoS.pdf Defending Against Application Level DoS Attacks]</b> - pdf<br/>
 +
    <em>Roberto Suggi Liverani - Security-Assessment.com</em></div></td>
 +
</tr>
 +
<tr>
 +
  <td class="tcell2" valign="top"><div align="right">10:40</div></td>
 +
  <td bgcolor="#D98B66" class="tcell"><div align="left">Coffee Break<br />
 +
    <br />
 +
  </div></td>
 +
  </tr>
 +
<tr>
 +
  <td class="tcell2" valign="top"><div align="right">11:10</div></td>
 +
  <td bgcolor="#B9C2DC" class="tcell"><div align="center"><b>"Oh F#!K": What To Do When You Get Pwned</b><br/>
 +
              <em>Paul Craig – Security-Assessment.com</em></div></td>
 +
  </tr>
 +
<tr>
 +
<td class="tcell3" valign="top"><div align="right">12:00</div></td>
 +
<td bgcolor="#D98B66" class="tcell3"><div align="left">Lunch Break<br />
 +
  <br />
 +
  <br />
 +
</div></td>
 +
  </tr>
 +
<tr>
 +
<td class="tcell2" valign="top"><div align="right">13:30</div></td>
 +
<td bgcolor="#EEEEEE" class="tcell"><div align="center"><b>Low Scuttling Chilli Crab:Network Recon 2010AD **</b><br />
 +
                <em>Metlstorm</em></div></td>
 +
</tr>
 +
<tr>
 +
<td class="tcell2" valign="top"><div align="right">14:15</div></td>
 +
<td bgcolor="#B9C2DC" class="tcell"><div align="center"><b>[http://www.owasp.org/images/c/cc/Tales-of-the-crypto.pdf Tales from the Crypt0]</b> - pdf<br/>
 +
                <em>Graeme Neilson / Kirk Jackson - Aura Software Security / Xero</em></div></td>
 +
        </tr>
 +
<tr>
 +
  <td class="tcell2" valign="top"><div align="right">15:00</div></td>
 +
  <td bgcolor="#D98B66" class="tcell">Snackie Break<br />
 +
      <br /></td>
 +
  </tr>
 +
<tr>
 +
  <td class="tcell2" valign="top"><div align="right">15:30</div></td>
 +
  <td bgcolor="#EEEEEE" class="tcell"><div align="center"><b>[http://www.owasp.org/images/4/49/Hosting-and-web-apps.pdf Hosting and Web Apps - The Obscurity of Security]</b> - pdf<br/>
 +
              <em>Quintin Russ / Mike Jager - SiteHost / Web Drive</em></div></td>
 +
  </tr>
 +
 +
<tr>
 +
<td class="tcell2" valign="top"><div align="right">16:15</div></td>
 +
<td bgcolor="#B9C2DC" class="tcell"><div align="center"><b>The Ramblings of an ex-QSA</b><br />
 +
                <em>Dean Carter</em></div></td>
 +
        </tr>
 +
<tr>
 +
<td class="tcell2" valign="top"><div align="right">17:00</div></td>
 +
<td bgcolor="#B5B5B5" class="tcell"><div align="left">Panel Discussion/Conclusion<br />
 +
  <br />
 +
</div></td>
 +
        </tr>
  
OWASP New Zealand Day 2010 will be all day Conference. The conference aims to provide a workshop-like atmosphere in which contributions can be presented and then time is allowed for constructive discussion of their results and processes.
+
</table>
 +
</center>
 +
<b>**</b> <i>replaced Scott Bell's "Web Application Vulnerabilities: How far does the rabbit hole go?" talk.</i>
  
It will be structured in a single stream. During the conference two coffee breaks (one in the morning and one in the afternoon) and the lunch are in program. These might be offered by the sponsors. 
+
====Speakers====
  
The detailed agenda of the conference will be available on the web site before the event.
+
==Low Scuttling Chilli Crab:NETWORK RECON 2010AD  **==
  
====Speakers====
+
Network reconnaissance is an art as old as hacking, but the days of dumpster diving and fingering your away around the 'net are long in our past. In the world of Google, Wolfram|Alpha and Shodan, target acquisition is king: there's a new exploit every day, who's going down after you've finished your first cup of coffee tomorrow?
  
Speakers will be announced at the end of June 2010.
+
In this presentation, Metlstorm examines the practicality, implementation and effect of datamining country-scale network targeting databases. Building on the experience of spending the previous year mapping the New Zealand internet for his Kiwicon 2009 talk "Do Your Fruit Hang Low", Metlstorm deploys the Low Hanging Kiwifruit toolchain against its newest target: Singapore.
<br>
+
<b>Please note that CFP is now open.</b>
+
  
====Call For Sponsorships (OPEN)====
+
So, Singapore, are your networks open? How many open DSL routers are there in Singapore? Which ISP has their blade switches open for you to telnet to? Just how useful is it to full text search every SSL certificate name, 302 Redirect target and DNS entry?
 +
 
 +
<b>Metlstorm</b>
 +
 
 +
Metlstorm is an independent unix hacker from New Zealand, where he milks both sheep and hobbits. In the brief gaps in this bucolic schedule, he finds time to organise Kiwicon - the NZ hacker con, co-host the award-winning Risky.biz weekly infosec podcast and hold down a day job as a whitehat security consultant. In true sellout style, Metl has worked the floor at Blackhat, Defcon, Kiwicon & Ruxcon, achieving minor notoriety at the latter for being the only speaker ever punched out by a member of the audience at the end of his talk. Metlstorm loves bugs that are features, carrier networks and "enterprise" unix software, because we all know that "enterprise" means "the 80s called, they want their long environment variables back".
 +
 
 +
- <i>replaced Scott Bell's "Web Application Vulnerabilities: How far does the rabbit hole go?" talk</i>.
 +
 
 +
==Dean Carter - The Ramblings of an ex-QSA==
 +
 
 +
As a QSA there were a bunch of things Dean was forbidden from discussing.
 +
 
 +
As an ex QSA some of these matters will remain firmly sequestered inside his kimono - but others things, more general things, can now be shared.
 +
 
 +
Dean has 30 minutes worth of handy tips, hints, lessons and some brickbats relating to PCI and secure system development that he can now share with the community.
 +
 
 +
<b>Dean Carter</b>
 +
 
 +
Dean still remembers the day he first heard about the PCI DSS - he then spent several years trying to convince everyone that the PCI DSS was the bestest thing since the Beatles… not many people listened… they had projects to finish and settings to tweak…
 +
 
 +
Then Dean joined Security-Assessment.com and became a QSA (PCI power-up!)… people listened! Organisations even paid to listen! A few organisations went so far as to demonstrate their security posture to Dean The QSA. In return he signed their Reports on Compliance. Most made great progress towards compliance… while some simply went in political circles and denied the need to make any effort.
 +
 
 +
Two years on Dean, the ex-QSA, now works for financial institution where, in between other tasks, he regularly sticks his nose into PCI matters and  still firmly believes that the PCI DSS is a positive thing.
 +
 
 +
 
 +
==Paul Craig – Security-Assessment.com - "Oh F#!K" : What To Do When You Get Pwned==
 +
 
 +
If your company’s website were hacked tomorrow, would you know what to do?
 +
Forensics is not what you see on CSI, and most people have no idea what they should do in the event of a compromise.  What is an appropriate incident response for a company, what do you say to your CEO, when do you involve law enforcement? Do you attempt to solve the forensic case yourself; keeping in mind any action you take may directly affect the evidence, or compromise legal judicial requirements.
 +
This presentation will demonstrate the forensic process for a compromised website, and what an organization should do when they find out they have been compromised. I will use case studies from previous incidents and demonstrate what you should and shouldn’t do when you get pwned.
 +
 
 +
<b>Paul Craig</b>
 +
 
 +
My name is Paul Craig, I work as the lead forensic incident responder at Security-Assessment.com and I work with many New Zealand companies who have been compromised. From small websites to large corporations and government agencies, our nation is regularly being defaced and defrauded.  IT Forensics is here to pick up the pieces, and it’s my job to spend long nights trying to provide answers to businesses regarding what really happened.
 +
 
 +
 
 +
==Brett Moore - Insomnia Security - "Don't Try This At Home"==
 +
 
 +
During source code and application reviews a number of common issues are
 +
often seen. Developers making the same mistakes time and time again. There
 +
are also those 'unique' issues that only come up once in a while, when
 +
people handroll their own methods to solve a particular problem.
 +
 
 +
Over the course of this talk, the speaker will explain and describe a number
 +
of issues that he has seen over the last 24 months in locally developed
 +
code. This is an opportunity to see what local developers are doing wrong,
 +
and why you shouldn't try this at home.
 +
 
 +
<b>Brett Moore</b>
 +
 
 +
Having conducted vulnerability assessments, network reviews, and penetration tests for the majority of the large companies in New Zealand, Insomnia founder Brett Moore brings with him over eight years experience in information security. During this time, Brett has also worked with companies such as SUN Microsystems, Skype Limited and Microsoft Corporation by reporting and helping to fix security vulnerabilities in their products. Brett has released numerous whitepapers and technical postings related to security issues and has spoken at security conferences both locally and overseas, including BlackHat, Defcon, Syscan, Kiwicon, Ruxcon, and the invitation only Microsoft internal security conference called BlueHat.
 +
 
 +
 
 +
==Graeme Neilson / Kirk Jackson - Aura Software Security / Xero - Tales from the Crypt0==
 +
 
 +
Does the thought of SSL, HTTPS and S/MIME make you squeamish?
 +
Does PKI make you want to scream?
 +
Does encrypting data at rest make you want to bury yourself alive?
 +
 
 +
Cryptography is an important part of most web applications these days,
 +
and developers and admins need to understand how, why and when to
 +
employ the best and appropriate techniques to secure their servers,
 +
applications, data and the livelihoods of their users.
 +
 
 +
Join Graeme Neilson (Aura Software Security) and Kirk Jackson (Xero)
 +
for a series of scary stories in "Tales from the Crypt0".
 +
 
 +
<b>Graeme Neilson</b>
 +
 
 +
Graeme Neilson is lead security researcher at Aura Software Security,
 +
a security consultancy based in Wellington with clients across the globe.
 +
 
 +
<b>Kirk Jackson</b>
 +
 
 +
Kirk Jackson is a developer at Xero, makers of the world's easiest
 +
accounting system.
 +
 
 +
 
 +
==Quintin Russ / Mike Jager - SiteHost / Web Drive - Hosting and Web Apps - The Obscurity of Security==
 +
 
 +
The security of web applications has traditionally been considered to be
 +
the problem of the company whose servers they were hosted upon. However,
 +
while you can outsource the hosting of web apps, you cannot outsource
 +
the responsibility of ensuring that those apps are secure. Mike and
 +
Quintin set aside their corporate rivalry to demonstrate the gap between
 +
the way things are and the way things should be.
 +
 
 +
<b>Quintin Russ</b>
 +
 
 +
Quintin has carved out his own niche in the .nz hosting industry, having
 +
spent a large proportion of the last few years becoming an expert in
 +
both building and defending systems. He now runs enough infrastructure
 +
to ensure he never, ever gets a good night's sleep, and sometimes
 +
doesn't even get to snooze through Sunday mornings. Quintin has a keen
 +
interest in security, especially as it relates to web hosting. This has
 +
ranged from the vicissitudes of shared hosting to code reviews of
 +
popular blogging applications. He has previously presented at ISIG and
 +
Kiwicon 2009.
 +
 
 +
<b>Mike Jager</b>
 +
 
 +
Since his arrival at Web Drive in 2004, Mike has been sticking his
 +
fingers into the wall sockets of web hosting. Currently, he herds
 +
packets, mutters at clouds, and sneaks up on web applications, tricking
 +
them into scaling horizontally when they least expect it. Mike holds a
 +
BE in Computer Systems Engineering from the University of Auckland, and
 +
has been spotted presenting recently at NZNOG, APRICOT and the
 +
occasional ISIG meeting.
 +
 
 +
 
 +
==Roberto Suggi Liverani - Security-Assessment.com - Defending Against Application Level DoS Attacks==
 +
 
 +
Secure code practices, system hardening, due diligence and due care principles are paramount in mitigating application level DoS attacks.
 +
These attacks often result in significant damage against unprepared and vulnerable organisations.
 +
 
 +
The intent of this talk is to help organisations in strengthening their security posture against such attacks. The talk will explore most common application level DoS attacks and will provide recommendations for protecting applications, detecting attacks and how to react under stressful conditions.
 +
 
 +
<b>Roberto Suggi Liverani</b>
 +
 
 +
Roberto Suggi Liverani is a senior security consultant for Security-Assessment.com. He is the founder and
 +
leader of the OWASP (Open Web Application Security Project) in New Zealand.  Roberto has worked with
 +
companies such as Google, Adobe and Opera by reporting and helping to fix security vulnerabilities in their
 +
products. Roberto is the co-author of the most recent OWASP Testing Guide and has spoken at various
 +
security conferences around the globe.
 +
 
 +
 
 +
<br><br>
 +
<b>Please note that CFP is now closed.</b>
 +
 
 +
====Call For Sponsorships (CLOSED)====
 
   
 
   
 
The aims of OWASP - New Zealand community is to guarantee access to the conference for free in order to allow for wide participation and empower the community itself. As so the OWASP - New Zealand community encourages Industries, Research Institutions and Individuals to sponsor their activities and events.
 
The aims of OWASP - New Zealand community is to guarantee access to the conference for free in order to allow for wide participation and empower the community itself. As so the OWASP - New Zealand community encourages Industries, Research Institutions and Individuals to sponsor their activities and events.
 
   
 
   
 
Three types of sponsorships are available:
 
Three types of sponsorships are available:
 +
<br><br>
 +
* <b>Support Sponsorships</b>: n/a - company covers expenses for international speaker / media company that provides article/coverage on the event
  
* Support Sponsorships: n/a - company covers expenses for international speaker / media company that provides article/coverage on the event
+
- Publication of the sponsor logo on the event web site.
 +
<br><br>
 +
* <b>Silver sponsorship</b>: 1500 NZD
  
- Publication of the sponsor logo on the event web site
 
 
* Silver sponsorship: 1500 NZD
 
 
- Publication of the sponsor logo on the event web site<br>
 
 
- The publication of the sponsor logo in the event site, in the agenda, on the flyers, brochure and in all the official communications with the attendees at the conference.<br>
 
- The publication of the sponsor logo in the event site, in the agenda, on the flyers, brochure and in all the official communications with the attendees at the conference.<br>
+
<br>
* Gold Sponsorship: 3500 NZD
+
* <b>Gold Sponsorship</b>: 3500 NZD
  
- Publication of the sponsor logo on the event web site
+
- Publication of the sponsor logo on the event web site;<br>
- The publication of the sponsor logo in the event site, in the agenda, on the flyers, brochure and in all the official communications with the attendees at the conference.<br>
+
- Publication of the sponsor logo on the OWASP New Zealand Chapter page;<br>
- The possibility to distribute the company brochures, CDs or other materials to the participants during the event.<br>
+
- The publication of the sponsor logo in the event site, in the agenda, on the flyers, brochure and in all the official communications with the attendees at the conference;<br>
 +
- The possibility to distribute the company brochures, CDs or other materials to the participants during the event;<br>
 
- Sponsor dedicated space at the conference (sponsor booth) to show products/services to the attendees during coffee breaks, lunch and snack breaks.<br>
 
- Sponsor dedicated space at the conference (sponsor booth) to show products/services to the attendees during coffee breaks, lunch and snack breaks.<br>
 
+
<br>
 
Those who are interested in sponsoring OWASP New Zealand 2010 Conference can contact the [mailto:robertosl@owasp.org OWASP New Zealand Board].<br>
 
Those who are interested in sponsoring OWASP New Zealand 2010 Conference can contact the [mailto:robertosl@owasp.org OWASP New Zealand Board].<br>
 
Sponsors can also make us of the following PayPal button to make payments. Donations are also more than welcome from the NZ community.
 
Sponsors can also make us of the following PayPal button to make payments. Donations are also more than welcome from the NZ community.
Line 94: Line 271:
 
</table>
 
</table>
  
====Call for Paper (OPEN) and review process====
+
====Call for Paper (CLOSED) and review process====
  
 
OWASP solicit contributions on the above topics, or general matters of interest to the community. Those who are interested in participating as speakers to the conference can submit an abstract of the speech to the [mailto:robertosl@owasp.org OWASP New Zealand Board].<br>
 
OWASP solicit contributions on the above topics, or general matters of interest to the community. Those who are interested in participating as speakers to the conference can submit an abstract of the speech to the [mailto:robertosl@owasp.org OWASP New Zealand Board].<br>
Line 135: Line 312:
 
Conference topics include, but are not limited to:
 
Conference topics include, but are not limited to:
  
* OWASP Project Presentation (i.e Tool Updates/Project Status etc)
+
* OWASP Project presentation (i.e Tool Updates/Project Status etc);
* Threat modelling of web applications
+
* Threat modelling of web applications;
* Privacy Concerns with Applications and Data Storage
+
* Privacy concerns with applications and data storage;
* Vulnerability analysis of web applications (code review, pentest, static analysis, scanning)
+
* Vulnerability analysis of web applications (code review, pentest, static analysis, scanning);
* Baseline or Metrics for Application Security
+
* Baseline or metrics for web application security;
* Countermeasures for web application vulnerabilities
+
* Countermeasures for web application vulnerabilities;
* Web application security
+
* Web application security;
* Platform or language (e.g. Java, .NET) security features that help secure web applications
+
* Platform or language (e.g. Java, .NET) security features that help secure web applications;
* Secure application development
+
* Secure application development;
* How to use databases securely in web applications
+
* How to use databases securely in web applications;
* Security of Service Oriented Architectures
+
* Security of Service Oriented Architectures;
* Access control in web applications
+
* Access control in web applications;
* Web services security
+
* Web services security;
* Browser security
+
* Browser security;
* PCI
+
* PCI.
  
  
Line 155: Line 332:
 
===Conference structure and schedule===
 
===Conference structure and schedule===
  
OWASP New Zealand Day 2010 will be all day Conference. The conference aims to provide a workshop-like atmosphere in which contributions can be presented and then time is allowed for constructive discussion of their results and processes.
+
OWASP New Zealand Day 2010 will be all day Conference. The conference aims to provide a workshop-like atmosphere in which contributions can be presented and then time is allowed for constructive discussion of their results and processes. It will be structured in a single stream. During the conference two coffee breaks (one in the morning and one in the afternoon) and the lunch are in program. These might be offered by the sponsors.  The detailed agenda of the conference will be available on the web site before the event.
 
+
It will be structured in a single stream. During the conference two coffee breaks (one in the morning and one in the afternoon) and the lunch are in program. These might be offered by the sponsors.   
+
 
+
The detailed agenda of the conference will be available on the web site before the event.
+
  
 
====Conference dates====
 
====Conference dates====
  
* CFP close:  15th June 2010
+
* CFP close:  30th June 2010
* Contributions submission deadline: 25th June 2010  
+
* Contributions submission deadline: 10th July 2010  
* Registration deadline: 20th June 2010
+
* Registration deadline: 30th June 2010
* Conference Agenda due: 20th June 2010  
+
* Conference Agenda due: 2nd July 2010  
* Conference date: 13th July 2010  
+
* Conference date: 15th July 2010  
  
 
====Conference Committee====
 
====Conference Committee====
  
'''OWASP New Zealand Day 2010 Organising Committees:'''
+
'''OWASP New Zealand Day 2010 Organising Committee:'''
  
 
* Roberto Suggi Liverani – OWASP New Zealand Leader
 
* Roberto Suggi Liverani – OWASP New Zealand Leader
Line 186: Line 359:
 
   </tr>
 
   </tr>
 
   <tr>
 
   <tr>
     <td valign="top" width="50%"><center>Department of Computer Science<br>ICT and Department of Information Systems and Operations Management</center></td>
+
     <td valign="top" width="50%"><center>ICT and Department of Information Systems and Operations Management</center></td>
 
     <td valign="top" width="50%">&nbsp;</td>
 
     <td valign="top" width="50%">&nbsp;</td>
 
   </tr>
 
   </tr>
Line 195: Line 368:
 
<table width="100%" border="0" cellspacing="0" cellpadding="0">
 
<table width="100%" border="0" cellspacing="0" cellpadding="0">
 
   <tr>
 
   <tr>
     <td><center></center></td>
+
     <td><center>[http://www.security-assessment.com https://www.owasp.org/images/a/a4/Security-assessment_com.jpeg]</center></td>
 
     <td>&nbsp;</td>
 
     <td>&nbsp;</td>
 
     <td>&nbsp;</td>
 
     <td>&nbsp;</td>
Line 201: Line 374:
 
   </tr>
 
   </tr>
 
   <tr>
 
   <tr>
     <td><center></center></td>
+
     <td><center>[http://www.security-assessment.com www.security-assessment.com]</center></td>
 
     <td>&nbsp;</td>
 
     <td>&nbsp;</td>
 
     <td>&nbsp;</td>
 
     <td>&nbsp;</td>
Line 211: Line 384:
 
<table width="100%" border="0" cellspacing="0" cellpadding="0">
 
<table width="100%" border="0" cellspacing="0" cellpadding="0">
 
   <tr>
 
   <tr>
     <td><center></center></td>
+
     <td><center>[http://www.lateralsecurity.com/ https://www.owasp.org/images/f/f4/Lateral_security.jpeg]</center></td>
 
     <td>&nbsp;</td>
 
     <td>&nbsp;</td>
 
     <td>&nbsp;</td>
 
     <td>&nbsp;</td>
Line 217: Line 390:
 
   </tr>
 
   </tr>
 
   <tr>
 
   <tr>
     <td><center></center></td>
+
     <td><center>[http://www.lateralsecurity.com/ www.lateralsecurity.com]</center></td>
 
     <td>&nbsp;</td>
 
     <td>&nbsp;</td>
 
     <td>&nbsp;</td>
 
     <td>&nbsp;</td>
 
     <td>&nbsp;</td>
 
     <td>&nbsp;</td>
 
   </tr>
 
   </tr>
 +
</table>
  
 
'''Support Sponsors:'''
 
'''Support Sponsors:'''
 
<table width="100%" border="0" cellspacing="0" cellpadding="0">
 
<table width="100%" border="0" cellspacing="0" cellpadding="0">
 
   <tr>
 
   <tr>
     <td><center></center></td>
+
     <td><center>[http://www.techday.co.nz/netguide/ http://www.owasp.org/images/1/1d/Netguide-logo.png]</center></td>
 
     <td>&nbsp;</td>
 
     <td>&nbsp;</td>
 
     <td>&nbsp;</td>
 
     <td>&nbsp;</td>
Line 232: Line 406:
 
   </tr>
 
   </tr>
 
   <tr>
 
   <tr>
     <td><center></center></td>
+
     <td><center>[http://www.techday.co.nz/netguide/ www.techday.co.nz/netguide]</center></td>
 
     <td>&nbsp;</td>
 
     <td>&nbsp;</td>
 
     <td>&nbsp;</td>
 
     <td>&nbsp;</td>

Latest revision as of 20:47, 21 July 2010

Introduction

OWASP New Zealand Day 2010
15th July - Auckland

Owasp_nz_day_2010.jpg


Introduction

Following the success of the OWASP New Zealand 2009 security conference which attracted more than 150 attendees, the OWASP New Zealand Chapter decided to organise the OWASP New Zealand Day 2010. The event was held on the 15th July 2010 in Auckland and was a great conference day. The event gathered an audience of 160 delegates including security professionals, developers, managers and students.
For those people who missed the event or are interested in the conference material, some of the presentations have been published and can be downloaded from the presentations page.
For any comments, feedback or observations, please don't hesitate to contact us.
Again, big thanks to the sponsors Security-Assessment.com and Lateral Security, the speakers and the conference committee for their contributions and support to the organisation of the event.

Blog/Coverage

Some blog coverage from Kirk Jackson: http://pageofwords.com/blog/CategoryView,category,OWASP.aspx


Presentations

08:30
Registration
09:00
Welcome to OWASP New Zealand Day 2010
Roberto Suggi Liverani / Lech Janczewski - Security-Assessment.com / The University of Auckland
09:15
Don't Try This At Home - pptx
Brett Moore - Insomnia Security
9:50
Defending Against Application Level DoS Attacks - pdf
Roberto Suggi Liverani - Security-Assessment.com
10:40
Coffee Break


11:10
"Oh F#!K": What To Do When You Get Pwned
Paul Craig – Security-Assessment.com
12:00
Lunch Break



13:30
Low Scuttling Chilli Crab:Network Recon 2010AD **
Metlstorm
14:15
Tales from the Crypt0 - pdf
Graeme Neilson / Kirk Jackson - Aura Software Security / Xero
15:00
Snackie Break

15:30
Hosting and Web Apps - The Obscurity of Security - pdf
Quintin Russ / Mike Jager - SiteHost / Web Drive
16:15
The Ramblings of an ex-QSA
Dean Carter
17:00
Panel Discussion/Conclusion


** replaced Scott Bell's "Web Application Vulnerabilities: How far does the rabbit hole go?" talk.

Speakers

Low Scuttling Chilli Crab:NETWORK RECON 2010AD **

Network reconnaissance is an art as old as hacking, but the days of dumpster diving and fingering your away around the 'net are long in our past. In the world of Google, Wolfram|Alpha and Shodan, target acquisition is king: there's a new exploit every day, who's going down after you've finished your first cup of coffee tomorrow?

In this presentation, Metlstorm examines the practicality, implementation and effect of datamining country-scale network targeting databases. Building on the experience of spending the previous year mapping the New Zealand internet for his Kiwicon 2009 talk "Do Your Fruit Hang Low", Metlstorm deploys the Low Hanging Kiwifruit toolchain against its newest target: Singapore.

So, Singapore, are your networks open? How many open DSL routers are there in Singapore? Which ISP has their blade switches open for you to telnet to? Just how useful is it to full text search every SSL certificate name, 302 Redirect target and DNS entry?

Metlstorm

Metlstorm is an independent unix hacker from New Zealand, where he milks both sheep and hobbits. In the brief gaps in this bucolic schedule, he finds time to organise Kiwicon - the NZ hacker con, co-host the award-winning Risky.biz weekly infosec podcast and hold down a day job as a whitehat security consultant. In true sellout style, Metl has worked the floor at Blackhat, Defcon, Kiwicon & Ruxcon, achieving minor notoriety at the latter for being the only speaker ever punched out by a member of the audience at the end of his talk. Metlstorm loves bugs that are features, carrier networks and "enterprise" unix software, because we all know that "enterprise" means "the 80s called, they want their long environment variables back".

- replaced Scott Bell's "Web Application Vulnerabilities: How far does the rabbit hole go?" talk.

Dean Carter - The Ramblings of an ex-QSA

As a QSA there were a bunch of things Dean was forbidden from discussing.

As an ex QSA some of these matters will remain firmly sequestered inside his kimono - but others things, more general things, can now be shared.

Dean has 30 minutes worth of handy tips, hints, lessons and some brickbats relating to PCI and secure system development that he can now share with the community.

Dean Carter

Dean still remembers the day he first heard about the PCI DSS - he then spent several years trying to convince everyone that the PCI DSS was the bestest thing since the Beatles… not many people listened… they had projects to finish and settings to tweak…

Then Dean joined Security-Assessment.com and became a QSA (PCI power-up!)… people listened! Organisations even paid to listen! A few organisations went so far as to demonstrate their security posture to Dean The QSA. In return he signed their Reports on Compliance. Most made great progress towards compliance… while some simply went in political circles and denied the need to make any effort.

Two years on Dean, the ex-QSA, now works for financial institution where, in between other tasks, he regularly sticks his nose into PCI matters and still firmly believes that the PCI DSS is a positive thing.


Paul Craig – Security-Assessment.com - "Oh F#!K" : What To Do When You Get Pwned

If your company’s website were hacked tomorrow, would you know what to do? Forensics is not what you see on CSI, and most people have no idea what they should do in the event of a compromise. What is an appropriate incident response for a company, what do you say to your CEO, when do you involve law enforcement? Do you attempt to solve the forensic case yourself; keeping in mind any action you take may directly affect the evidence, or compromise legal judicial requirements. This presentation will demonstrate the forensic process for a compromised website, and what an organization should do when they find out they have been compromised. I will use case studies from previous incidents and demonstrate what you should and shouldn’t do when you get pwned.

Paul Craig

My name is Paul Craig, I work as the lead forensic incident responder at Security-Assessment.com and I work with many New Zealand companies who have been compromised. From small websites to large corporations and government agencies, our nation is regularly being defaced and defrauded. IT Forensics is here to pick up the pieces, and it’s my job to spend long nights trying to provide answers to businesses regarding what really happened.


Brett Moore - Insomnia Security - "Don't Try This At Home"

During source code and application reviews a number of common issues are often seen. Developers making the same mistakes time and time again. There are also those 'unique' issues that only come up once in a while, when people handroll their own methods to solve a particular problem.

Over the course of this talk, the speaker will explain and describe a number of issues that he has seen over the last 24 months in locally developed code. This is an opportunity to see what local developers are doing wrong, and why you shouldn't try this at home.

Brett Moore

Having conducted vulnerability assessments, network reviews, and penetration tests for the majority of the large companies in New Zealand, Insomnia founder Brett Moore brings with him over eight years experience in information security. During this time, Brett has also worked with companies such as SUN Microsystems, Skype Limited and Microsoft Corporation by reporting and helping to fix security vulnerabilities in their products. Brett has released numerous whitepapers and technical postings related to security issues and has spoken at security conferences both locally and overseas, including BlackHat, Defcon, Syscan, Kiwicon, Ruxcon, and the invitation only Microsoft internal security conference called BlueHat.


Graeme Neilson / Kirk Jackson - Aura Software Security / Xero - Tales from the Crypt0

Does the thought of SSL, HTTPS and S/MIME make you squeamish? Does PKI make you want to scream? Does encrypting data at rest make you want to bury yourself alive?

Cryptography is an important part of most web applications these days, and developers and admins need to understand how, why and when to employ the best and appropriate techniques to secure their servers, applications, data and the livelihoods of their users.

Join Graeme Neilson (Aura Software Security) and Kirk Jackson (Xero) for a series of scary stories in "Tales from the Crypt0".

Graeme Neilson

Graeme Neilson is lead security researcher at Aura Software Security, a security consultancy based in Wellington with clients across the globe.

Kirk Jackson

Kirk Jackson is a developer at Xero, makers of the world's easiest accounting system.


Quintin Russ / Mike Jager - SiteHost / Web Drive - Hosting and Web Apps - The Obscurity of Security

The security of web applications has traditionally been considered to be the problem of the company whose servers they were hosted upon. However, while you can outsource the hosting of web apps, you cannot outsource the responsibility of ensuring that those apps are secure. Mike and Quintin set aside their corporate rivalry to demonstrate the gap between the way things are and the way things should be.

Quintin Russ

Quintin has carved out his own niche in the .nz hosting industry, having spent a large proportion of the last few years becoming an expert in both building and defending systems. He now runs enough infrastructure to ensure he never, ever gets a good night's sleep, and sometimes doesn't even get to snooze through Sunday mornings. Quintin has a keen interest in security, especially as it relates to web hosting. This has ranged from the vicissitudes of shared hosting to code reviews of popular blogging applications. He has previously presented at ISIG and Kiwicon 2009.

Mike Jager

Since his arrival at Web Drive in 2004, Mike has been sticking his fingers into the wall sockets of web hosting. Currently, he herds packets, mutters at clouds, and sneaks up on web applications, tricking them into scaling horizontally when they least expect it. Mike holds a BE in Computer Systems Engineering from the University of Auckland, and has been spotted presenting recently at NZNOG, APRICOT and the occasional ISIG meeting.


Roberto Suggi Liverani - Security-Assessment.com - Defending Against Application Level DoS Attacks

Secure code practices, system hardening, due diligence and due care principles are paramount in mitigating application level DoS attacks. These attacks often result in significant damage against unprepared and vulnerable organisations.

The intent of this talk is to help organisations in strengthening their security posture against such attacks. The talk will explore most common application level DoS attacks and will provide recommendations for protecting applications, detecting attacks and how to react under stressful conditions.

Roberto Suggi Liverani

Roberto Suggi Liverani is a senior security consultant for Security-Assessment.com. He is the founder and leader of the OWASP (Open Web Application Security Project) in New Zealand. Roberto has worked with companies such as Google, Adobe and Opera by reporting and helping to fix security vulnerabilities in their products. Roberto is the co-author of the most recent OWASP Testing Guide and has spoken at various security conferences around the globe.




Please note that CFP is now closed.

Call For Sponsorships (CLOSED)

The aims of OWASP - New Zealand community is to guarantee access to the conference for free in order to allow for wide participation and empower the community itself. As so the OWASP - New Zealand community encourages Industries, Research Institutions and Individuals to sponsor their activities and events.

Three types of sponsorships are available:

  • Support Sponsorships: n/a - company covers expenses for international speaker / media company that provides article/coverage on the event

- Publication of the sponsor logo on the event web site.

  • Silver sponsorship: 1500 NZD

- The publication of the sponsor logo in the event site, in the agenda, on the flyers, brochure and in all the official communications with the attendees at the conference.

  • Gold Sponsorship: 3500 NZD

- Publication of the sponsor logo on the event web site;
- Publication of the sponsor logo on the OWASP New Zealand Chapter page;
- The publication of the sponsor logo in the event site, in the agenda, on the flyers, brochure and in all the official communications with the attendees at the conference;
- The possibility to distribute the company brochures, CDs or other materials to the participants during the event;
- Sponsor dedicated space at the conference (sponsor booth) to show products/services to the attendees during coffee breaks, lunch and snack breaks.

Those who are interested in sponsoring OWASP New Zealand 2010 Conference can contact the OWASP New Zealand Board.
Sponsors can also make us of the following PayPal button to make payments. Donations are also more than welcome from the NZ community.

funds to OWASP earmarked for OWASP New Zealand Day 2010.

Call for Paper (CLOSED) and review process

OWASP solicit contributions on the above topics, or general matters of interest to the community. Those who are interested in participating as speakers to the conference can submit an abstract of the speech to the OWASP New Zealand Board.
The email subject must be “OWASP New Zealand 2010: CFP” and the email body must contains the following information/sections:

  • Name and Surname
  • Affiliation
  • Address
  • Telephone number
  • Email address
  • List of the author’s previous papers/articles/speeches on the same topics
  • Title of the contribution
  • Type of contribution: Technical or Informative
  • Abstract (max one A4 style page)
  • Why the contribution is relevant for OWASP New Zealand 2010
  • If you are not from New Zealand, will your company support your expenses - Yes/No

The submission will be reviewed by the OWASP New Zealand Board and the most interesting ones will be selected and invited for presentation.

Due to limited budget available, expenses for international speakers cannot be covered. If your company is willing to cover travel and accomodation costs, the company will become "Support Sponsor" of the event.

Conference

Conference Venue

The University of Auckland Business School
Owen G Glenn Building
Room: OGGB 260-073 (OGGB4)
Address: 12 Grafton Road
Auckland
New Zealand
Map

Auckland business school small2.jpg Room hall.jpg

Topics

The OWASP Days have always offered a forum for discussion and exchange of ideas among researchers and practitioners who present their experiences and discuss issues related to Web Application Security from a higher level to a technical point of view.

Conference topics include, but are not limited to:

  • OWASP Project presentation (i.e Tool Updates/Project Status etc);
  • Threat modelling of web applications;
  • Privacy concerns with applications and data storage;
  • Vulnerability analysis of web applications (code review, pentest, static analysis, scanning);
  • Baseline or metrics for web application security;
  • Countermeasures for web application vulnerabilities;
  • Web application security;
  • Platform or language (e.g. Java, .NET) security features that help secure web applications;
  • Secure application development;
  • How to use databases securely in web applications;
  • Security of Service Oriented Architectures;
  • Access control in web applications;
  • Web services security;
  • Browser security;
  • PCI.


Conference structure and schedule

OWASP New Zealand Day 2010 will be all day Conference. The conference aims to provide a workshop-like atmosphere in which contributions can be presented and then time is allowed for constructive discussion of their results and processes. It will be structured in a single stream. During the conference two coffee breaks (one in the morning and one in the afternoon) and the lunch are in program. These might be offered by the sponsors. The detailed agenda of the conference will be available on the web site before the event.

Conference dates

  • CFP close: 30th June 2010
  • Contributions submission deadline: 10th July 2010
  • Registration deadline: 30th June 2010
  • Conference Agenda due: 2nd July 2010
  • Conference date: 15th July 2010

Conference Committee

OWASP New Zealand Day 2010 Organising Committee:

  • Roberto Suggi Liverani – OWASP New Zealand Leader
  • Rob Munro – OWASP New Zealand Evangelist
  • Lech Janczewski - Associate Professor - University of Auckland

Conference Sponsors

University_of_Auckland_crest_small.png
Nz_information_security_forum.png
ICT and Department of Information Systems and Operations Management
 


Gold Sponsors:

Security-assessment_com.jpeg
     
www.security-assessment.com
     

Silver Sponsors:

Lateral_security.jpeg
     
www.lateralsecurity.com
     

Support Sponsors:

Netguide-logo.png
     
www.techday.co.nz/netguide