Difference between revisions of "OWASP New Zealand Day 2011"

From OWASP
Jump to: navigation, search
Line 386: Line 386:
 
| style="background: none repeat scroll 0% 0% rgb(242, 242, 242);" | <b>Date/Time:</b> July 7 2011, 9am-12pm
 
| style="background: none repeat scroll 0% 0% rgb(242, 242, 242);" | <b>Date/Time:</b> July 7 2011, 9am-12pm
 
|-
 
|-
| style="background: none repeat scroll 0% 0% rgb(242, 242, 242);" | Click here to register (COMING SOON)
+
| style="background: none repeat scroll 0% 0% rgb(242, 242, 242);" | [http://www.regonline.com/Register/Checkin.aspx?EventID=967373 Click here to register]
 
|}
 
|}
  
Line 410: Line 410:
 
| style="background: none repeat scroll 0% 0% rgb(242, 242, 242);" | <b>Date/Time:</b> July 7 2011, 2pm-5pm
 
| style="background: none repeat scroll 0% 0% rgb(242, 242, 242);" | <b>Date/Time:</b> July 7 2011, 2pm-5pm
 
|-
 
|-
| style="background: none repeat scroll 0% 0% rgb(242, 242, 242);" | Click here to register (COMING SOON)
+
| style="background: none repeat scroll 0% 0% rgb(242, 242, 242);" | [http://www.regonline.com/Register/Checkin.aspx?EventID=967373 Click here to register]
 
|}
 
|}
  

Revision as of 07:42, 15 June 2011

Introduction

OWASP New Zealand Day 2011
7th July - Auckland

OWASP_NZ_Day_2011_Logo.png


Introduction

Following the success of the OWASP New Zealand 2009 and OWASP New Zealand 2010 security conferences, the OWASP New Zealand Chapter is pleased to announce the return of the conference in 2011. The third OWASP New Zealand Day will be happening thanks to the support provided by the University of Auckland School of Business, which will kindly offer the same conference venue of the last two years. Entry to the event will, as in the past, be free. OWASP New Zealand Day 2011 will be held on Thursday July 7th, 2011.

For any comments, feedback or observations, please don't hesitate to contact us.

You can register for the conference here. Please note that the registration cut-off date is June 20, 2011; no registrations will be accepted on the day.


Conference dates

  • CFP closes: 31st May 2011
  • Conference Agenda due: 15th June 2011
  • Registration deadline: 20th June 2011
  • Conference date: 7th July 2011


Conference Venue

The University of Auckland Business School
Owen G Glenn Building
Room: OGGB 260-073 (OGGB4)
Address: 12 Grafton Road
Auckland
New Zealand
Map

Auckland business school small2.jpg Room hall.jpg

Registration

You are invited to attend to the OWASP Day conference at no charge (Free as in beer). However to ensure an orderly, well run event we require that all attendees register before the registration close off date (20th June 2011). At this time there will be no plan to allow "on the day registration". Registration is handled through the RegOnline event management system, available at http://regonline.com/owaspnzday2011. Please note that the registration cut-off date is June 20, 2011; no registrations will be accepted on the day.

Conference Sponsors

University_of_Auckland_crest_small.png
Nz_information_security_forum.png
ICT and Department of Information Systems and Operations Management
 


Gold Sponsors:

SA_Logo_w_DD.gif
     
www.security-assessment.com
     


Silver Sponsors:

Lateral_security.jpeg
     
www.lateralsecurity.com
     
f5-1color-125.jpg
     
www.f5.com
     

Topics

The OWASP Days have always offered a forum for discussion and exchange of ideas among researchers and practitioners who present their experiences and discuss issues related to Web Application Security from a higher level to a technical point of view.

Conference topics include, but are not limited to:

  • OWASP Project Presentation (i.e Tool Updates/Project Status etc)
  • Threat modelling of web applications
  • Privacy Concerns with Applications and Data Storage
  • Vulnerability analysis of web applications (code review, pentest, static analysis, scanning)
  • Baseline or Metrics for Application Security
  • Countermeasures for web application vulnerabilities
  • Web application security
  • Platform or language (e.g. Java, .NET) security features that help secure web applications
  • Secure application development
  • How to use databases securely in web applications
  • Security of Service Oriented Architectures
  • Access control in web applications
  • Web services security
  • Browser security

Conference Committee

  • Nick Freeman –- OWASP New Zealand Leader (Auckland)
  • Scott Bell - – OWASP New Zealand Leader (Wellington)
  • Lech Janczewski - Associate Professor - University of Auckland School of Business

Schedule (NEW!)

08:30
Registration
09:00
Welcome to OWASP New Zealand Day 2011
Nick Freeman & Scott Bell / Lech Janczewski - Security-Assessment.com / The University of Auckland
09:15
Secure Development: What The OWASP Guide Didn't Tell You
Blair Strang - Security-Assessment.com
10:00
I <3 Reporting - Managing Effective Web Application Assessments
Andrew Evans - Kiwibank
10:30
Coffee Break


11:00
Testing Mobile Applications
Nick von Dadelszen - Lateral Security
11:45
Web Crypto for the Developer Who Has Better Things To Do
Adrian Hayes - Security-Assessment.com
12:30
Lunch Break



13:30
Concurrency Vulnerabilities
Brett Moore - Insomnia Security
14:15
A Day in the Life of a WAF
Sam Pickles - F5
15:00
HTML5 Security
Mike Haworth & Kirk Jackson - Aura Information Security
15:30
Afternoon Tea

16:00
File Uploads Are Evil
Kirk Jackson - Aura Information Security
16:15
Sleeping Easy: Architecting Web Applications Securely
Mark Young - Datacom
16:45
Real Applications, Real Vulnerabilities, Really Exploited
Quintin Russ - SiteHost
17:15
Panel Discussion/Conclusion


17:30

19:00
After-con Drinks @ TBA


Speakers (NEW!)

Blair Strang - Security-Assessment.com - Secure Development: What The OWASP Guide Didn't Tell You

OWASP has lots of useful information for developers wishing to secure their applications. However, there are concepts which can make your life easier which are not covered in the OWASP guide.

+ Where in your code to apply the OWASP recommended protections
+ Some advice on hard-to-get right protections
+ Bonus protections: Advanced security measures not in the OWASP guide

Blair Strang

Bio to come


Andrew Evans - Kiwibank - I <3 Reporting - Managing Effective Web Application Assessments

In a previous role as a full time penetration test manager, I often encountered situations where the outcome of a penetration test was affected by the preparedness of the client, the information and resources available to the testers, and the ability of the client to interpret the report. While there are abundant resources for penetration testers available to teach techniques for web application hacking, there is very little information to guide pre and post engagement activities such as scoping, logistics, and reporting.

The complexity of modern web applications means that there is a huge dependency on clients understanding what is required of them, and how to provide the appropriate information and resources to testers to get the best outcome from a penetration test.

Andrew Evans

Bio to come


Nick von Dadelszen – Lateral Security - Testing Mobile Applications

Mobile applications are the "next big thing" in application development and it seems everyone is developing them, including banks, travel companies, retail outlets and everyone else. Mobile application security requires a different focus to standard web applications and this talk discusses those differences, how to test mobile applications, and some tips and tricks from Lateral Security's experience in penetration testing mobile applications.

Nick von Dadelszen

Bio to come


Adrian Hayes - Security-Assessment.com - Web Crypto for the Developer Who Has Better Things To Do

Crypto is easy to get wrong and can be a pain to implement. This presentation will take you through practical examples of how to implement solid crypto on a number of common development platforms. We'll talk about how to store and verify passwords, how to safely transport and store backups. What's wrong with some default SSL configurations and maybe even random token generation among other things. Web app crypto should be easy and secure, not just one of those.


Adrian Hayes

Adrian Hayes is a security consultant for Security-Assessment.com in Wellington. Adrian comes from a web app development background but has jumped the fence and now spends his time hacking them.


Brett Moore - Insomnia Security - Concurrency Vulnerabilities

Concurrency vulnerabilities are not very common, as they require specific circumstances for a vulnerable scenario to exist. However, the consequences of such issues can be devastating and include auth bypass, cross user account access, and purchase tampering.

This talk will discuss in detail some of the situations leading to these vulnerabilities, and how they can be detected both at the source level and during active testing.

Brett Moore

Having conducted vulnerability assessments, network reviews, and penetration tests for the majority of the large companies in New Zealand, Insomnia founder Brett Moore brings with him over eight years experience in information security. During this time, Brett has also worked with companies such as SUN Microsystems, Skype Limited and Microsoft Corporation by reporting and helping to fix security vulnerabilities in their products. Brett has released numerous whitepapers and technical postings related to security issues and has spoken at security conferences both locally and overseas, including BlackHat, Defcon, Syscan, Kiwicon, Ruxcon, and the invitation only Microsoft internal security conference called BlueHat.


Sam Pickles - F5 - A Day in the Life of a WAF

Web Application Firewalls in production get to see a large volume of malicious requests; and present a unique opportunity to discover what is really happening out in the black hat community.

In this talk, real attack examples seen in production will be presented which demonstrate the reality and relevance of the OWASP Top Ten. Attack samples and reports have been gathered from a number of sites globally and sanitised, and will be used to help understand the answers to some common questions:

- How often is my application being attacked? (more than you might think)
- What techniques are being attempted?
- Who is doing this, and why?

Additionally, some recent headline-grabbing hacks in banking and finance will be detailed at a practical level.

Sam Pickles

Sam Pickles has worked across the security industry for over ten years, in APAC, EMEA, and USA. Sam has held senior technical responsibility within many high profile IT and physical security projects across banking, government and service provider customers. During this period he has been involved in creating some of the world's largest web application firewall gateways, designed and built IT security systems and conducted network, application and hardware device penetration testing.

As an architect and security specialist with F5 Networks, Sam maintains a keen interest in web application security, is a member of OWASP and a long time attendee of chapter meetings in London. He has degrees in Physics from the University of Otago, and Computer Science from the University of Oxford.


Kirk Jackson / Mike Haworth - Aura Information Security - HTML5 Security

HTML5 brings a suite of new features to browsers these features are enabled and the browser we use today. Some features that'll be more interesting to application security reviewers are:

- The loosening of the same origin policy
- WebSockets
- Local Storage
- And a bunch of new XSS vectors

Kirk Jackson

Kirk Jackson is a Security Consultant for Aura Information Security, and has spent a decent percentage of his waking life building websites for a living (most recently at Xero).

Mike Haworth

Mike Haworth, tests pens for AuraInfoSec. Former webmonkey and recovering Drupaholic


Kirk Jackson - Aura Information Security - File Uploads are Evil

So your users want to upload and share files on your website? We know how to put XSS protections in place, but how do we protect against malicious content uploaded to our sites?

Kirk Jackson

Kirk Jackson is a Security Consultant for Aura Information Security, and has spent a decent percentage of his waking life building websites for a living (most recently at Xero).


Mark Young - Datacom - Sleeping Easy: Architecting Web Applications Securely

Tales from a developer – practical tips on how to lead teams and design solutions in a way that produces secure web applications. Starting off with “why does security matter to my customers”, I’ll look at how to get organisations and teams on board and excited about security. Then mostly using .NET will show some common mistakes I’ve observed and specific examples of how solution and application framework design can mitigate some of these issues. I’ll look at difficulties in integrating a secure development lifecycle into the daily grind of project delivery and some of the struggles and pitfalls with implementing secure practices. If there’s time I’ll squeeze in some exemplar exploits as well.

Mark Young

Mark Young is a senior developer / team lead / architect at Datacom in Auckland, who has spent the last few years leading dev teams and architecting enterprise web systems, particularly in banking. Mark has a focus on web security, has been known to deliver and reproduce exploits, and has also been stung a few times by his code (or that of his team).


Quintin Russ - SiteHost - Real Applications, Real Vulnerabilities, Really Exploited

Websites are being compromised. Daily. Some of these attacks are sophisticated and occur without warning, but many are not. This talk will look at some widely exploited vulnerabilities in popular applications, such as authentication bypass, remote code execution & SQL injection. We will cover how they were exploited and discuss techniques to help organisations avoid becoming another statistic.

Quintin Russ

Quintin has carved out his own niche in the .nz hosting industry, having spent a large proportion of the last few years becoming an expert in both building and defending systems. He now runs enough infrastructure to ensure he never, ever gets a good night's sleep, and sometimes doesn't even get to snooze through Sunday mornings. Quintin has a keen interest in security, especially as it relates to web hosting. This has ranged from the vicissitudes of shared hosting to code reviews of popular blogging applications. He has previously presented at ISIG, OWASP & Kiwicon.

Training (NEW!)

Codefather - 3 hours (9am-12pm, July 7 2011)- $250
Abstract: These days websites are under constant attack and it's incredibly easy for a developer or administrator to make seemingly minor mistakes that have catastrophic consequences.

You can't fight a war that you don't know you're waging. You can't defend your websites against attack unless you know the tricks the blackhats are using to infiltrate. This workshop outlines and demonstrates many of the latest attacks and defenses in use today.
We have 2 lab environments where attendees will learn, explore and perform real attacks against our full featured websites and each other. This is an interactive and extremely entertaining session covering hands on:
- SQL injection
- XSS
- CSRF
- Website logic abuse!

Key objectives:
  • Know the most common forms of attack that exist today, so they understand what the attacks hit and how
  • Know the techniques to project against these common attacks
  • Understand the steps and process to assess their systems against all attacks
  • Have the skills to future protect their code and to minimise the potential for new security holes
Target Audience: Web developers (basic development skills required)
Instructor: Scott Fletcher
Auralogo3.png
Aura Information Security
Date/Time: July 7 2011, 9am-12pm
Click here to register
Secure Development 101 - 3 hours (2pm-5pm, July 7 2011)- $250
Abstract: This introductory training course focuses on the most common web application security problems; the OWASP Top 10 risks. The OWASP Top 10 covers many of the risks facing web applications every day. This training will explain each of the 10 risks, demonstrating the vulnerabilities and provide platform-agnostic recommendations for remediating these issues through the use of existing OWASP projects. The thorough explanation of vulnerabilities, exploits and remediations will leave you with a clear understanding of the OWASP Top 10 risks and how to avoid them.

This training course is a compact version of Security-Assessment.com's brand new two-day intensive secure web application development tutorial. We encourage the use the Top 10 to get organisations started with application security so developers can learn from the mistakes of other organisations. Executives can start thinking about how to manage the risk that software applications create in their enterprise.

Key objectives:
  • A solid understanding of common risks within web applications, as defined by the OWASP Top 10 Project
  • How a hacker's knowledge of these risks can lead to compromise of your web app, web server, kitchen sink..
  • How to avoid these vulnerabilities by employing best practise coding methodologies
  • Tips and tricks to architect your application securely from the get-go from a dev-turn-hacker
Target Audience: Web developers (basic development skills required)
Instructors: Andrew Horton & Adrian Hayes
SA_Logo_w_DD.gif
Security-Assessment.com
Date/Time: July 7 2011, 2pm-5pm
Click here to register

Call For Sponsorships (CLOSED)

The call for silver and gold sponsorships is now closed, however we are still looking for support sponsors who can provide media coverage/promotion for the event.

Following the success of the previous events in 2009 and 2010, OWASP New Zealand Day 2011 will be held in Auckland on the 7th of July, 2011. OWASP New Zealand Day is a security conference entirely dedicated to web application security. The conference is once again being hosted by the University of Auckland School of Business with their support and assistance. OWASP New Zealand Day 2011 is a free event, but requires sponsor support to help be an instructive and quality event for the New Zealand community. OWASP is strictly non for profit. The sponsorship money will be used to help make OWASP New Zealand Day 2011 a free, compelling and valuable experience for the audience.


The sponsorship funds collected are to be used for things such as:

  • Refreshments (coffee break/lunch) - we want to keep people refreshed during the day; while we certainly bring good and interesting speakers, we don't want people to go home when they become hungry.
  • Name tags - we feel that getting to know people within the New Zealand community is important, and name tags make that possible.
  • Promotion - up to now our events are propagating by word of mouth. We would like to get to a wider audience by advertising our events.
  • Printed Materials - printed materials will include brochures, tags and lanyards.


Facts

Last year, the event was supported by 3 sponsors and attracted more than 150 participants. A lot of good feedback from the audience was received and this is the reason why we are re-organising the event. For more information on last year's event, please visit: https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2010

The OWASP New Zealand community is strong and there are more than 160 people currently subscribed to the mailing-list. OWASP New Zealand Day is expected to attract a number between 150 and 200 attendees during the conference.

OWASP regular attendees are IT project managers, IT security managers, IT security consultants, web application architects and developers, QA managers, QA testers and system administrators.


Sponsorships

There are three different levels of sponsorships for the OWASP Day event:


  • Support Sponsorship: (Covering international speaker travel expenses, media coverage/article/promotion of the event)

Includes:

- Publication of the sponsor logo on the event web site - https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2011


  • Silver Sponsorship: 1500 NZD

Includes:

- Publication of the sponsor logo on the event web site - https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2011

- The publication of the sponsor logo in the event site, in the agenda, on the flyers, brochure and in all the official communications with the attendees at the conference.
- The possibility to distribute the company brochures, CDs or other materials to the participants during the event.


  • Gold Sponsorship: 3500 NZD

Includes:

- The publication of the sponsor logo in the event site, in the agenda, on the flyers, brochure and in all the official communications with the attendees at the conference. - The possibility to distribute the company brochures, CDs or other materials to the participants during the event.

- Publication of the sponsor logo on the OWASP New Zealand Chapter page
- Sponsor logo on the OWASP NZ site prior and during the OWASP Day event - https://www.owasp.org/index.php/New_Zealand
- Publication of the sponsor logo on the event web site - https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2011
- Sponsor dedicated space at the conference (sponsor booth) to show products/services to the attendees during coffee breaks, lunch and snack breaks.


Those who are interested in sponsoring OWASP New Zealand 2011 Conference can contact the OWASP New Zealand Board.
Sponsors can also make us of the following PayPal button to make payments. Donations are also more than welcome from the NZ community.

funds to OWASP earmarked for OWASP New Zealand Day 2011.


Call for Papers (CLOSED)

The OWASP New Zealand Chapter is holding the annual OWASP New Zealand Day web application security conference at the University of Auckland School of Business on July 7th, 2011. The Call For Papers is now open, and you are cordially invited to submit your stuff!

Following on from the previous two years, the conference will consist of a single track covering both technical and risk management topics. So if you'd like to share your brand new technique, detail your run-ins with .cn, .ru or Anonymous, spread fear about the cloud or drop some 0day, we'd like to hear from you.

We are looking for talks of various lengths, but ask that you keep the talk under 40 minutes long. 10-15 minute long lightning talks are welcome, and ideal if you have something you want to share that doesn't need half an hour to explain.


Other than the above, we are seeking presentations on any of the following topics:

  • OWASP Project Presentation (i.e Tool Updates/Project Status etc)
  • Threat modelling of web applications
  • Privacy Concerns with Applications and Data Storage
  • Vulnerability analysis of web applications (code review, pentest, static analysis, scanning)
  • Baseline or Metrics for Application Security
  • Countermeasures for web application vulnerabilities - secure coding practices
  • Web application security
  • Platform or language (e.g. Java, .NET) security features that help secure web applications
  • Secure application development
  • How to use databases securely in web applications
  • Security of Service Oriented Architectures
  • Access control in web applications
  • Web services security
  • Browser security
  • PCI


The timeline for submissions is as follows:

31st May 2011: The official closing date for receiving a synopsis of the presentation.
15th Jun 2011: Announcements on selected candidates will be provided.
20th Jun 2011: Complete presentations will need to be submitted.


The email subject must be "OWASP New Zealand 2011: CFP" and the email body must contains the following information/sections:

  • Name and Surname
  • Affiliation
  • Address
  • Telephone number
  • Email address
  • List of the author's previous papers/articles/speeches on the same topic
  • Title of the contribution
  • Type of contribution: Technical or Informative
  • Abstract (up to 500 words)
  • Why the contribution is relevant for OWASP New Zealand 2011
  • If you are not from New Zealand, will your company support your travel/accomodation costs - Yes/No


The submission will be reviewed by the OWASP New Zealand Board and the most interesting ones will be selected and invited for presentation.

PLEASE NOTE:

  • Due to limited budget available, expenses for international speakers cannot be covered.
  • If your company is willing to cover travel and accomodation costs, the company will become "Support Sponsor" of the event.

Please submit your presentation topics and an abstract of up to 500 words to Nick Freeman and Scott Bell - nick.freeman@owasp.org & scott.bell@owasp.org

Call For Trainers (CLOSED)

We are happy to announce that training will run alongside OWASP Day this year, on July 7th 2011. The training venue will be an auditorium kindly provided by the University of Auckland School of Business, in the same building as the OWASP Day conference itself. Classes will contain up to 20 students, and each seat has a power point for laptop usage.

Two 3-hour slots will be available for training, one from 9am-12noon and a second from 2pm-5pm. As the slots are quite short, we're looking for training events that will be providing either introductory lessons in web app security, or sessions dedicated to a particular topic.

Examples of training topics:

+ Input filtering 101
+ Securing web services
+ Introduction to the OWASP Top 10
+ Hardening web servers
+ Mobile app security
+ Web App Security for Project Managers


If you are interested in running one of the training sessions, please contact myself or Scott Bell with the following information:

- Trainer name
- Trainer organisation
- Telephone + email contact
- Training title
- Trainer requirements (e.g. a projector)
- Trainee requirements (e.g. laptop, VMWare/Virtualbox etc)
- Training summary (less than 500 words)
- Target audience (e.g. testers, project managers, security managers, web developers)
- Skill level required (Basic / Intermediate / Advanced)
- A few sentences about why you think this training is important to web application security
- What attendees can expect to learn (key objectives)
- Short Trainer bio
- List of published papers/presentations
- Course outline E.g.:

1. Topic 1
> Sub Topic 1.a
> Sub Topic 1.b
> Exercise 1
2. Topic 2
3. Topic 3
> Sub Topic 3.a
> Demo
> Sub Topic 3.b


The fixed price per head for training will be $250. As this training is part of an OWASP event, part of the proceeds go back to OWASP. The split is as follows:
- 25% to OWASP Global - used for OWASP projects around the world
- 25% to OWASP NZ Day - used for expenses such as catering during the conference
- 50% to the training provider.


If you have any further queries, or wish to submit a training course, please send the above information to the following email addresses:
- nick.freeman@owasp.org
- scott.bell@owasp.org

Accepted training sessions will be announced on June 15th, together with the presentations.


Conference dates

  • CFP close: 31st May 2011
  • Conference Agenda due: 15th June 2011
  • Registration deadline: 20th June 2011
  • Conference date: 7th July 2011


Conference Committee

OWASP New Zealand Day 2011 Organising Committee:

  • Nick Freeman - OWASP New Zealand Leader (Auckland)
  • Scott Bell - OWASP New Zealand Leader (Wellington)
  • Lech Janczewski - Associate Professor - University of Auckland School of Business