OWASP New Zealand Day 2016
We are proud to announce the seventh OWASP New Zealand Day conference, to be held at the University of Auckland on Thursday February 4th, 2016. OWASP New Zealand Day is a one-day conference dedicated to application security, with an emphasis on secure architecture and development techniques to help Kiwi developers build more secure applications.
Who is it for?
- Web Developers: The morning sessions will introduce you to application security. Afternoon sessions will dive deeper into technical topics, and build on the morning sessions.
- Management: After an introduction to web application security, one of the afternoon streams will focus on informational and defensive topics.
- Security Professionals and Enthusiasts: Technical sessions later in the day will showcase new and interesting attack and defence topics.
Date: Thurs 4 Feb 2016
Time: 9:00am - 5:00pm
Food: Morning and Afternoon tea
The main conference is on Thursday 4th of February, and will have three streams:
| Session | Stream | Stream |
| --- | --- | --- |
| Morning | Introductions to application security topics | |
| Afternoon | Offensive Security | Informational / Defensive |
Date: Wed 3 Feb 2016
Time: 9:30am - 12:30pm (session booked out)
Time: 1:30pm - 4:30pm, or part thereof. Spaces are going fast, so get in quick.
As well as the main conference on Thursday, we are pleased to be able to provide training on Wednesday. All details including registration can be found on the Training Registration Page.
The seventh OWASP New Zealand Day will be happening thanks to the support provided by the University of Auckland, which will kindly offer a slightly different location from last year. Entry to the event will, as in the past, be free.
For any comments, feedback or observations, please don't hesitate to contact us.
Registration for the main conference day is now open: Conference Registration Here
There is no cost for the main conference day. Morning and afternoon tea will be provided. Unfortunately due to increased conference running costs, lunch will not be provided as it has been for the past OWASP NZ Days. We do ask that if at any point you realise you cannot make it please cancel your registration to make room for others as spaces are limited.
- CFP & CFT submission deadline: 7th December 2015
- Conference Registration deadline: 21st January 2016
- Training Registration deadline: 21st January 2016
- Training Day date: 3rd February 2016
- Conference Day date: 4th February 2016
The University of Auckland School of Commerce
- Denis Andzakovic - OWASP New Zealand Leader (Auckland)
- Adrian Hayes - OWASP New Zealand Leader (Wellington)
- Kirk Jackson - OWASP New Zealand Leader (Wellington)
- Kim Carter - OWASP New Zealand Leader (Christchurch)
- Lech Janczewski - Associate Professor - University of Auckland School of Business
Please direct all enquiries to the OWASP New Zealand leaders listed above.
For information on other OWASP NZ events, please visit the NZ chapter site
4th February 2016
Credit card fraud: you don't want to be the common point of purchase
Chronicles of SOP bypass
Keep calm and CSP
Break for Morning Tea
Making AppSec a (Respectable) Religion
OAuth 2.0: The Promise and Pitfalls
Break for Lunch
Attacking Real-World Crypto Flaws
Two-thirds of the Sacred Triangle
Practical Attacks on WebRTC Applications
Source Code Reviews: Why You Should
Practical exploitation of less commonly identified vulnerabilities
Host Hardening - Achieve or Avoid?
Deserialization, what could go wrong
I judge all of your services and applications
Break for Afternoon Tea
Risk based software assurance requirements for aircraft systems
After 30 Years, I’m Coming Out
Information Security is a Marketing Responsibility
Dan Wallis - Christchurch ISIG - Credit card fraud: you don't want to be the common point of purchase
A real-world example of how three problems lined up to leak credit card data online. Each problem wasn't by itself enough to leak anything valuable, but by their powers combined, the bank called. I'll talk through the details of each flaw, why they were introduced, how they lined up, and lessons learnt.
I'm a sysadmin with lots of web experience; I've been in the industry for more than 10 years. I currently work for an agency in Christchurch, focusing on ecommerce websites.
Emmanuel Law - Aura Information Security - Chronicles of SOP bypass
Same Origin Policy (SOP) is one of the fundamental protections when surfing the internet. It's in all browsers, various plugins and mobile applications. This talk will walk the audience through a history of some of SOP's most interesting bugs, ranging from some of the earliest manifestations to the more recent SOP bypasses. Although many of these SOP bugs are beyond the control of developers, we'll cover some mitigating measures that one could possibly take.
Principal security consultant @ Aura Information Security (NZ) by day, he spends his nights exploiting stuff for fun and profit.
Valentinas Bakaitis - Aura Information Security - Keep calm and CSP
CSP stands for Content Security Policy and is a reasonably new mechanism to protect against client side vulnerabilities like XSS and XSRF. Applied correctly it can completely eliminate nearly all XSS issues, regardless of whether they are known or unknown. While the mechanism is extremely effective and in most cases easy to implement, adoption remains low. This talk will introduce CSP to those who are not familiar with it and remind those who have heard about it before of its power.
Developer turned Security Consultant. Valentinas has 10 years of experience in the IT industry, with the last two years working as a security consultant. His interests include IT security, physical security and hardware hacking.
Russell McMullan - Beca Ltd - Risk based software assurance requirements for aircraft systems
This talk focuses on the contribution of the design methods used in aircraft system development and their contribution to security. This includes an overview of aircraft system design requirements and design rules, how the system and software ‘Design Assurance Level’ is determined, and an overview of the Software ‘Assurance Level’ requirements used in software development. I’ll provide my personal thoughts on the Design Assurance Level contribution to security including the inherent aircraft system design principles and processes that contribute to security, and some thoughts on augmenting these practices with the Common Criteria requirements.
If you’ve ever wondered about aircraft systems software development, this talk may be of interest.
With 20+ years associated with military aircraft systems, Russell has a unique view of system and software risk methods for aircraft systems. Russell currently works at Beca in the Advisory team.
Chris Campbell - Jade Software - Making AppSec a (Respectable) Religion
No stranger to rapid transformation, Jade Software, a leading technology company with an almost 40-year pedigree, today works with an ever increasing range of technologies to solve complex problems for its customers. .NET, HTML5, SQL, Oracle, Java, Azure and AWS cloud services, and of course the JADE platform, all form part of the Jade technology stable.
Using the latest and greatest technology stack only gets you so far. But to maintain the reputation of producing market leading, enterprise-level solutions, robust security practices are a must. Making security a key component of your SDLC with minimal interruption can be achieved with assistance from an OWASP project (or a few), coupled with a lot of passion.
Chris, who in a past life was a .NET developer, is a Security & Operations Consultant at Jade Software. His role sees him managing operational and user security, and overseeing both the security and architecture of development and operational projects which span a wide variety of industries.
Sergey Ozernikov - Lateral Security - OAuth 2.0: The Promise and Pitfalls
OAuth 2.0, the second version of the popular authorisation framework, was proposed as an IETF standard in October 2012 and has since been implemented and used by companies such as Facebook, Google and Microsoft. In January 2013 an RFC containing a comprehensive threat model of OAuth 2.0 was introduced. It was as long as the initial specification, which had left out a lot of security considerations, most likely because it was assumed that developers would know how to securely implement OAuth 2.0. However, many didn’t, and without the necessary security controls many relatively benign web application vulnerabilities could now flourish on a much larger and more bountiful attack surface. An open redirect directly leading to an account compromise? Easy. In this talk, an overview of what should be catered for when integrating OAuth 2.0 into your project, and how not to introduce additional security risks, will be provided. The most common attack vectors and some examples of real-life vulnerabilities in OAuth 2.0 implementations will be presented. Ideally attendees should have a basic understanding of the OAuth 2.0 flow and web application security.
Sergey has gained his experience in the field of information security working for several Russian commercial and government organisations for around 7 years after finally realising that he enjoys breaking and protecting things more than building them. In 2013 he moved to New Zealand and shortly after joined Lateral Security as a security consultant.
Chris Smith - Insomnia Security - Attacking Real-World Crypto Flaws
Everybody knows by now not to roll your own crypto, right? RIGHT? But, as an attacker, how do you go about identifying and exploiting these flaws for your own benefit? And, as a defender, how can you gauge the full impact of such flaws and ensure you steer clear of them?
So forget about the LUCKYBEASTCRIMEPOODLE13 for now, this talk is going to focus on real-world crypto flaws in everyday software. We'll look at some cryptographic issues I've come across in my travels, and how to exploit them. And along the way, we might just learn something about doing it correctly, too!
Chris is a consultant for Insomnia Security where he breaks other people's stuff and writes reports about it. Previously a Linux sysadmin and polyglot developer, he now exacts his revenge on technologies that have wronged him.
Felix Shi - Xero - Practical Attacks on WebRTC Applications
WebRTC is a browser-based technology that allows peer-to-peer communication via a list of predefined APIs. It has gained popularity among many video conferencing, telephony, and file sharing applications.
Research has been done on its design, architecture, and potential attack vectors against applications that use it. This talk will focus on practical attacks that can be performed on applications that use WebRTC, and how to mitigate against them.
Felix works in the product security space at an online accounting software company named Xero. He joined in 2014 and his day job involves securing and breaking internally developed products. Before Xero he spent his previous years as a developer, and has been dabbling in the information security scene in Wellington.
Nilesh Kapoor - Aura Information Security - Host Hardening: Achieve or Avoid?
Host hardening, avoid or achieve? This is still a question mark for most business and application owners. This paper covers the real world scenario of a potential server compromise due to the lack of OS hardening, running secure but unpatched services over the Internet, and the host review process and approach, backed up by OWASP guidelines and the CIS benchmarks. This talk also touches on host review and hardening automation techniques for medium-sized and enterprise organisations.
This talk aims to:
- Increase the awareness and importance of host review and hardening among business owners, application owners, server administrators and developers.
- Answer basic questions such as what host review involves, what approach is recommended for structured host review and achieving compliance, and how to create a hardening baseline standard and apply it to your organisation's policy.
- Automate the host review process and hardening for servers hosting critical data.
Nilesh Kapoor is the author of “Security Testing Handbook for Banking Applications” published by IT Governance. He is currently working as a Senior Security Consultant with Aura Information Security. He has over 8 years of experience in security consulting, application security, host review and hardening, network security, enterprise solution security and mobile security. He is also a registered penetration tester with CREST and a CEH certification holder. His articles are published on IITP blogs and he also maintains his own security blog at http://nileshkapoor.blogspot.com.
Shahn Harris - Beca Ltd - I judge all of your services and applications
I will explain the process that goes on inside a corporate/enterprise when a corporate security team is contacted to evaluate a new application or service by a business unit. The first questions asked have nothing to do with your SDLC, choice of code, framework or potential integration points. The questions are more: what is it, what does it do, where does it live and what do they know. Come to this talk if you wish to discover what information most large corporates/enterprises will ask of you if you try to sell a product/service to them. By taking the learnings from this talk it could potentially save you lots of time, money and
Shahn has worked for/with a number of different flagship New Zealand companies across multiple sectors and industries as a security consultant.
Laura Bell - SafeStack - Continuous Security
Agile development is a powerful tool for the creation of high-quality software products. It has however scared the life out of many security managers and risk leaders. Once the job of a dedicated security team, security is now the responsibility of all members of our Agile teams.
So how do we bring continuous security to our lifecycles without compromising velocity and innovation? What tools and techniques do we need and when should we apply them?
In this talk, we will examine why security is the new key skill for successful Agile development teams and what you can do to bring it to your teams.
This is a talk of war stories from the SCRUM team trenches and real world tools, techniques and processes that are less about 'managing' security than they are about building amazing (secure) things, fast.
With almost a decade of experience in software development and information security, Laura specialises in bringing security survival skills, practices and culture into fast-moving environments.
Laura has spoken at various events such as BlackHat, BlueHat, Velocity, OSCON, Kiwicon, Linux Conf AU and Microsoft TechEd on the subjects of privacy, covert communications, Agile security and security mindset.
Laura is the founder of SafeStack, a specialist security training, development, and consultancy firm and lives in Auckland with her husband and daughter.
Kevin Alcock - Katipo Information Security Ltd - After 30 Years, I’m Coming Out
This talk is about my journey from a software development veteran with 30 years of experience to an information security noob. The intended audience is information security noobs looking to get better and web application developers wanting to understand how their applications are vulnerable. The focus is on the Offensive Security (makers of Kali Linux) course Penetration Testing Training with Kali Linux and the Offensive Security Certified Professional (OSCP) certification exam. There will be no spoilers for those that are currently doing the course and exam. OWASP projects such as ZAP, Dirbuster and Broken Web Applications will be discussed, and how they helped me. I will also discuss which of the OWASP Top 10 (2013) vulnerabilities I used to gain access to the systems on the lab network.
Kevin has spent the last 30 years (10 in North America) in enterprise software development and delivery; now he is turning that experience towards the information security sector to help businesses in need.
Carlos Cordero - Convergnce - Information Security is a Marketing Responsibility
KPMG’s Global CEO Outlook Survey (July 2015) showed that 50% of global CEOs say that their organisations are “not fully prepared” for a “cyber event”. Additionally, information security related risks are perceived to be “the most unpredictable kind of risk”. CEOs and Boards expect the IT function to take care of this aspect of the business risk portfolio, for obvious reasons: they own the IT infrastructure or manage it on behalf of other functions (logistics, operations, HR, accounting, finance, etc.). Unfortunately, nobody has told the marketers.
In the last 3 to 5 years, marketing departments have taken it upon themselves to bring into the organisation a smorgasbord of systems and applications, with little or no consultation with the IT department. The result is an unprecedented increase in infosec and legal risks that few organisations are even aware of, much less managing.
Our presentation would consist of 15-20 minutes of sharing. In this presentation we will:
1. Describe briefly the current situation and how we got to it.
2. Give an insight into the mindset of “the marketer” and an explanation of why “marketers” are oblivious to security.
3. Suggest a map of the marketing-related risks for businesses in the 201X going forward into the 202X.
4. Offer a prediction of the evolution of the marketing-related risks and its implications for information security professionals.
5. Offer suggestions regarding how these risks should be approached in order to reduce the exposure that the marketing department is bringing to the organisation.
Carlos is a marketing and intelligence consultant. One of his current areas of interest and research is risk in the marketing context.
Andrew Kelly - Insomnia Security - Two-Thirds of the Sacred Triangle
"People, Process, and Technology" has been the sacred mantra, or triad, of IT for as long as I've been in the business. Unfortunately, whether you consider it a 'strategy for success', part of your overall 'holistic approach', or even 'the smell of good business', it's too often ignored. That is, two of the three are, as we all race to install faster, cheaper, more efficient, or 'better' technologies, in order to save money, stay ahead of our competitors, or sometimes even just for the sake of it. My talk will, hopefully, remind you that the "People, Process" part is as important as, maybe even more so than, the tech. Or, as Douglas Adams put it: "It is a mistake to think you can solve any major problems just with potatoes."
List of the author's previous papers/articles/speeches on the same/similar topic: Previously, and similar, at ISIG, ISF, OWASP, etc.
Andrew started in InfoSec back when the dinosaurs still ruled the Earth. At least, that's how his fellow InfoSec workers, and often his audiences, view him anyways. But, even though his useful working life is slowly coming to its inevitable end, he reckons he still has a little something to offer his fellow IT professionals. Even if every other sentence these days begins with: "Back in my day..." and most of the others with: "Damned kids..." Between nanny naps, Andrew is still relatively gainfully employed as the GM for Insomnia Security.
Daniel Jensen - Security Assessment - Practical exploitation of less commonly identified vulnerabilities
Recently I decided to look for some slightly more "complex" vulnerabilities in a PHP project. The open source video platform Kaltura was chosen for no particular reason other than looking vulnerable and having no prior CVEs. Surprisingly, a large PHP based project actually contained some fairly serious (and interesting) issues such as SSRF, object injection, and poor cryptography. This talk will provide some practical advice for finding less commonly identified vulnerabilities, their impact, and how to mercilessly exploit them in a real world application, using Kaltura as our test subject.
Daniel is a consultant at Security-Assessment.com where he hacks assorted systems and carries out research (read hacks). Before that he enjoyed a brief stint as a sysadmin, and spent too many years south of the Cook Strait in a misguided attempt at attending university. He currently resides in the bustling metropolis that is Auckland City, and resents having to write his own biography.
Brendan Jamieson - Insomnia Security - Deserialization, what could go wrong?
So you're just gonna pass off that data to unserialize()? What could possibly go wrong?
This talk is focused on the deserialization class of web application vulnerabilities. What are they? How are they introduced into web applications? Just how bad can deserializing that arbitrary object really be?
In this talk we'll cover real-world examples of deserialization vulnerabilities being introduced, and exploited, across a number of languages. We'll then look at options that are available to developers to avoid introducing this class of vulnerability into their applications.
Brendan Jamieson is a security consultant for Insomnia Security, based out of Wellington. He is active in the .nz infosec community, having spoken at Wellington's ISIG, and is involved in Kiwicon as a speaker, a trainer, and also the event organiser for the Hamiltr0n CTF.
David Waters - Lateral Security - Source Code Reviews: Why You Should
In this talk I will give the case that you should be using security focused code review as part of your defensive strategy. I will talk about the types of bugs that are more easily found with either white-box penetration tests or code reviews as opposed to more limited penetration tests. I will then present some real world examples of issues found during code reviews.