OWASP New Zealand Day 2016

From OWASP
Revision as of 06:11, 7 April 2016 by Kim Carter (talk | contribs)



3rd and 4th February 2016 - Auckland


Introduction

We are proud to announce the seventh OWASP New Zealand Day conference, to be held at the University of Auckland on Thursday February 4th, 2016. OWASP New Zealand Day is a one-day conference dedicated to application security, with an emphasis on secure architecture and development techniques to help Kiwi developers build more secure applications.


Who is it for?

  • Web Developers: The morning sessions will introduce you to application security. Afternoon sessions will dive deeper into technical topics, and build on the morning sessions.
  • Management: After an introduction to web application security, one of the afternoon streams will focus on informational and defensive topics.
  • Security Professionals and Enthusiasts: Technical sessions later in the day will showcase new and interesting attack and defence topics.

Conference structure

Date: Thurs 4 Feb 2016
Time: 9:00am - 5:00pm
Cost: Free
Food: Morning and Afternoon tea

The main conference is on Thursday 4th of February, and will have three streams: a single morning stream, and two parallel streams in the afternoon.

  • Morning: Introductions to application security topics
  • Afternoon: Offensive Security | Informational / Defensive

Training

Date: Wed 3 Feb 2016
Time: 9:30am - 12:30pm (session booked out)
Time: 1:30pm - 4:30pm, or part thereof (spaces going fast, so get in quick)


As well as the main conference on Thursday, we are pleased to be able to provide training on Wednesday. All details including registration can be found on the Training Registration Page.


The seventh OWASP New Zealand Day will be happening thanks to the support provided by the University of Auckland, which will kindly offer a slightly different location from last year. Entry to the event will, as in the past, be free.


For any comments, feedback or observations, please don't hesitate to contact us.

Registration

Registration for the main conference day is now open: Conference Registration Here

There is no cost for the main conference day. Morning and afternoon tea will be provided. Unfortunately, due to increased conference running costs, lunch will not be provided as it has been for past OWASP NZ Days. We do ask that, if at any point you realise you cannot make it, you please cancel your registration to make room for others, as spaces are limited.


Important dates

  • CFP & CFT submission deadline: 7th December 2015
  • Conference Registration deadline: 21st January 2016
  • Training Registration deadline: 21st January 2016
  • Training Day date: 3rd February 2016
  • Conference Day date: 4th February 2016


Conference Venue

The University of Auckland School of Commerce
Address: 12 Grafton Road, Auckland, New Zealand

Main conference room: Level 1, Room 115 (Fisher & Paykel Auditorium)
Afternoon parallel stream: Level 0, Room B5


Conference Sponsors

  • University of Auckland
  • NZ Information Security Forum
  • ICT and Department of Information Systems and Operations Management

Gold Sponsors:

  • Insomnia Security
  • Aura RedShield
  • Security-Assessment.com (www.security-assessment.com)

Silver Sponsors:

  • Quantum
  • ZX Security
  • Wynyard

Support Sponsor:

  • BinaryMist Limited

Conference Committee

  • Denis Andzakovic - OWASP New Zealand Leader (Auckland)
  • Adrian Hayes - OWASP New Zealand Leader (Wellington)
  • Kirk Jackson - OWASP New Zealand Leader (Wellington)
  • Kim Carter - OWASP New Zealand Leader (Christchurch)
  • Lech Janczewski - Associate Professor - University of Auckland School of Business

Please direct all enquiries to denis.andzakovic@owasp.org | adrian.hayes@owasp.org | kim.carter@owasp.org | kirk.jackson@owasp.org

For information on other OWASP NZ events, please visit the NZ chapter site


Presentations

4th February 2016

08:30 Registration Opens
09:00

Welcome to OWASP New Zealand Day 2016
Lech Janczewski (Associate Professor), Adrian Hayes, Denis Andzakovic and Kim Carter (OWASP Leaders)

09:15

Credit card fraud: you don't want to be the common point of purchase
Dan Wallis - Christchurch ISIG

09:45

Chronicles of SOP bypass
Emmanuel Law - Aura Information Security

10:15

Keep calm and CSP
Valentinas Bakaitis - Aura Information Security

10:30

Break for Morning Tea

11:00

Continuous Security
Laura Bell - SafeStack

11:30

Making AppSec a (Respectable) Religion
Chris Campbell - Jade Software

12:00

Oauth 2.0: The Promise and Pitfalls
Sergey Ozernikov - Lateral Security

12:30

Break for Lunch

13:30

Attacking Real-World Crypto Flaws
Chris Smith - Insomnia Security

Two-thirds of the Sacred Triangle
Andrew Kelly - Insomnia Security

14:00

Practical Attacks on WebRTC Applications
Felix Shi - Xero

Source Code Reviews: Why You Should
David Waters - Lateral Security

14:30

Practical exploitation of less commonly identified vulnerabilities
Daniel Jensen - Security Assessment

Host Hardening: Achieve or Avoid?
Nilesh Kapoor - Aura Information Security

15:00

Deserialization, what could go wrong?
Brendan Jamieson - Insomnia Security

I judge all of your services and applications
Shahn Harris - Beca Ltd

15:30

Break for Afternoon Tea

16:00

Risk based software assurance requirements for aircraft systems
Russell McMullan - Beca Ltd

16:30

After 30 Years, I’m Coming Out
Kevin Alcock - Katipo Information Security Ltd

17:00

Information Security is a Marketing Responsibility
Carlos Cordero - Convergnce

17:15

Wrap Up
Time for the pub, for those interested

Speakers List

Dan Wallis - Christchurch ISIG - Credit card fraud: you don't want to be the common point of purchase


Abstract

A real-world example of how three problems lined up to leak credit card data online. Each problem wasn't by itself enough to leak anything valuable, but by their powers combined, the bank called. I'll talk through the details of each flaw, why they were introduced, how they lined up, and lessons learnt.

Speaker Bio

I'm a sysadmin with lots of web experience; I've been in the industry for more than 10 years. I currently work for an agency in Christchurch, focusing on ecommerce websites.


Emmanuel Law - Aura Information Security - Chronicles of SOP bypass


Abstract

Same Origin Policy (SOP) is one of the fundamental protections when surfing the internet. It's in all browsers, various plugins and mobile applications. This talk will walk the audience through a history of some of SOP's most interesting bugs, ranging from some of the earliest manifestations to the more recent SOP bypasses. Although many of these SOP bugs are beyond the control of developers, we'll cover some mitigating measures that one could possibly take.

Speaker Bio

Principal security consultant @ Aura Information Security (NZ) by day, he spends his nights exploiting stuff for fun and profit.


Valentinas Bakaitis - Aura Information Security - Keep calm and CSP


Abstract

CSP stands for Content Security Policy and is a reasonably new mechanism to protect against client side vulnerabilities like XSS and XSRF. Applied correctly it can completely eliminate nearly all XSS issues, regardless of whether they are known or unknown. While the mechanism is extremely effective and in most cases easy to implement, adoption remains low. This talk will introduce CSP to those who are not familiar with it and remind those who have heard about it before of its power.

Speaker Bio

Developer turned Security Consultant. Valentinas has 10 years of experience in the IT industry, with the last two years working as a security consultant. His interests include IT security, physical security and hardware hacking.
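The abstract above says CSP "applied correctly" stops nearly all XSS. What "correctly" means in practice is the difference between a policy that re-enables inline script with 'unsafe-inline' and one that ties inline script to a per-response nonce. The following is an added example, not code from the talk or from any OWASP project: a small evaluator that parses a CSP header and answers whether a browser honouring it would run a given script. The page origin, nonce value, CDN host and policies are hypothetical; scheme-upgrade matching (http source matching an https URL), ports, hashes and 'strict-dynamic' are deliberately left out.

```python
"""Added example: does this Content-Security-Policy let a given script run?

Hypothetical origin, nonce and hosts. Covers 'self', 'unsafe-inline',
'nonce-...', host-sources and *.wildcard hosts; omits ports, hashes,
http->https upgrade matching and 'strict-dynamic'.
"""
from urllib.parse import urlsplit

PAGE_ORIGIN = "https://app.example"  # assumed origin of the protected page

# Weak: 'unsafe-inline' means an injected <script> from reflected XSS still runs.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example"
# Correct: inline script runs only when it carries this response's nonce.
NONCE_CSP = "default-src 'self'; script-src 'self' 'nonce-d8f1a2b3' https://cdn.example"


def parse_csp(header):
    """'script-src a b; img-src c' -> {'script-src': ['a', 'b'], 'img-src': ['c']}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def host_matches(source_expr, url):
    """Match a host-source (https://cdn.example, *.cdn.example) against a split URL."""
    expr = source_expr if "://" in source_expr else f"{url.scheme}://{source_expr}"
    allowed = urlsplit(expr)
    if allowed.scheme != url.scheme:
        return False
    host = allowed.hostname or ""
    if host.startswith("*."):
        return url.hostname.endswith(host[1:])
    return url.hostname == host


def script_allowed(header, script, page_origin=PAGE_ORIGIN):
    """script is {'inline': True[, 'nonce': '...']} or {'src': 'https://...'}."""
    policy = parse_csp(header)
    # script-src falls back to default-src; with neither present nothing is restricted.
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True
    nonces = {s[len("'nonce-"):-1] for s in sources if s.startswith("'nonce-")}
    if script.get("inline"):
        if nonces:  # CSP level 2: a nonce in the list makes 'unsafe-inline' ignored
            return script.get("nonce") in nonces
        return "'unsafe-inline'" in sources
    url = urlsplit(script["src"])
    url_origin = f"{url.scheme}://{url.netloc}"
    for s in sources:
        if s == "*" or (s == "'self'" and url_origin == page_origin):
            return True
        if not s.startswith("'") and host_matches(s, url):
            return True
    return False


def demo():
    """Compare the two policies against an injected script and legitimate ones."""
    injected = {"inline": True}  # attacker cannot know the nonce
    legit_inline = {"inline": True, "nonce": "d8f1a2b3"}
    return {
        "weak_blocks_injected": not script_allowed(WEAK_CSP, injected),
        "nonce_blocks_injected": not script_allowed(NONCE_CSP, injected),
        "nonce_allows_legit": script_allowed(NONCE_CSP, legit_inline),
        "cdn_allowed": script_allowed(NONCE_CSP, {"src": "https://cdn.example/app.js"}),
        "evil_blocked": not script_allowed(NONCE_CSP, {"src": "https://evil.example/x.js"}),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Running it shows the weak policy letting the injected inline script through while the nonce policy blocks it but still allows the nonced inline block and the CDN. The nonce must be unpredictable and fresh per response; a nonce that is reused or guessable puts you back where 'unsafe-inline' left you. Roll a policy out with Content-Security-Policy-Report-Only first so the report-uri shows what it would have broken.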


Russell McMullan - Beca Ltd - Risk based software assurance requirements for aircraft systems


Abstract

This talk focuses on the contribution of the design methods used in aircraft system development and their contribution to security. This includes an overview of aircraft system design requirements and design rules, how the system and software ‘Design Assurance Level’ is determined, and an overview of the Software ‘Assurance Level’ requirements used in software development. I’ll provide my personal thoughts on the Design Assurance Level contribution to security including the inherent aircraft system design principles and processes that contribute to security, and some thoughts on augmenting these practices with the Common Criteria requirements.

If you’ve ever wondered about aircraft systems software development, this talk may be of interest.

Speaker Bio

With 20+ years associated with military aircraft systems, Russell has a unique view of system and software risk methods for aircraft systems. Russell currently works at Beca in the Advisory team.


Chris Campbell - Jade Software - Making AppSec a (Respectable) Religion


Abstract

No stranger to rapid transformation, Jade Software, a leading technology company with an almost 40-year pedigree, today works with an ever-increasing range of technologies to solve complex problems for its customers. .NET, HTML5, SQL, Oracle, Java, Azure and AWS cloud services, and of course the JADE platform, all form part of the Jade technology stable.

Using the latest and greatest technology stack only gets you so far. But to maintain the reputation of producing market leading, enterprise-level solutions, robust security practices are a must. Making security a key component of your SDLC with minimal interruption can be achieved with assistance from an OWASP project (or a few), coupled with a lot of passion.

Speaker Bio

Chris, who in a past life was a .NET developer, is a Security & Operations Consultant at Jade Software. His role sees him managing operational and user security, and overseeing both the security and architecture of development and operational projects which span a wide variety of industries.


Sergey Ozernikov - Lateral Security - Oauth 2.0: The Promise and Pitfalls


Abstract

OAuth 2.0, the second version of the popular authorisation framework, was proposed as an IETF standard in October 2012 and has since been implemented and used by companies such as Facebook, Google and Microsoft. In January 2013 an RFC containing a comprehensive threat model of OAuth 2.0 was introduced. It was as long as the initial specification, which had left out a lot of security considerations, most likely as it was assumed that developers would know how to securely implement OAuth 2.0. However many didn't, and without the necessary security controls many relatively benign web application vulnerabilities could now flourish on a much larger and bountiful attack surface. An open redirect directly leading to an account compromise? Easy. In this talk, an overview of what should be catered for when integrating OAuth 2.0 into your project and how not to introduce additional security risks will be provided. The most common attack vectors and some examples of real-life vulnerabilities in OAuth 2.0 implementations will be presented. Ideally attendees should have a basic understanding of the OAuth 2.0 flow and web application security.

Speaker Bio

Sergey has gained his experience in the field of information security working for several Russian commercial and government organisations for around 7 years after finally realising that he enjoys breaking and protecting things more than building them. In 2013 he moved to New Zealand and shortly after joined Lateral Security as a security consultant.
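The "open redirect leading to account compromise" the abstract teases depends on how the authorization server validates redirect_uri. The following is an added example, not code from the talk: it contrasts prefix matching of the redirect URI with the exact matching RFC 6749 section 3.1.2 calls for, and simulates an implicit-grant response to show where the access token ends up under each. The client id, registered callback, the /go?to= open redirect on the client site and the attacker's host are all hypothetical.

```python
"""Added example: redirect_uri validation on an OAuth 2.0 authorization server.

Hypothetical client registration and client-site open redirect. Shows why
prefix matching of redirect_uri lets an open redirect on the client leak an
implicit-grant token, and why exact matching closes that route.
"""
import posixpath
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Assumed client registration: one exact callback URI per client.
REGISTERED = {"client-123": {"https://app.example/oauth/callback"}}

# Assumed open redirect on the client site: /go?to=<url> issues a 302 to <url>.
OPEN_REDIRECT_PATH = "/go"

# What the attacker sends as redirect_uri in the authorization request.
ATTACK_URI = "https://app.example/oauth/callback/../../go?to=https://evil.example/"


def allowed_by_prefix(client_id, redirect_uri):
    """The pitfall: accept anything that starts with a registered URI."""
    return any(redirect_uri.startswith(r) for r in REGISTERED.get(client_id, ()))


def allowed_by_exact_match(client_id, redirect_uri):
    """RFC 6749 3.1.2: compare the whole URI; fragments are not permitted at all."""
    if "#" in redirect_uri:
        return False
    return redirect_uri in REGISTERED.get(client_id, ())


def where_browser_lands(redirect_uri):
    """Collapse dot-segments the way the client's web server will, to find the handler hit."""
    parts = urlsplit(redirect_uri)
    path = posixpath.normpath(parts.path)
    return urlunsplit((parts.scheme, parts.netloc, path, parts.query, ""))


def token_destination(validator, client_id, redirect_uri, token="tok-abc"):
    """Simulate an implicit-grant response (token in the URL fragment).

    Returns the hostname that ends up holding the token, or None if the
    authorization server refused the redirect_uri.
    """
    if not validator(client_id, redirect_uri):
        return None
    # 302 Location: <redirect_uri>#access_token=<token>
    landing = urlsplit(where_browser_lands(redirect_uri))
    if landing.path == OPEN_REDIRECT_PATH:
        target = parse_qs(landing.query).get("to", [""])[0]
        # The client's 302 to <target> carries no fragment of its own, so the
        # browser re-attaches #access_token=... to the attacker's URL.
        return urlsplit(target).hostname
    return landing.hostname


if __name__ == "__main__":
    for name, validator in (("prefix", allowed_by_prefix), ("exact", allowed_by_exact_match)):
        print(f"{name}: token goes to {token_destination(validator, 'client-123', ATTACK_URI)}")
```

With prefix matching the token lands on evil.example; with exact matching the authorization server never issues it. Exact matching also means query strings must be registered verbatim, which is the point: the client has no business appending a "next" parameter to its callback. Note the limit of this control: if the registered callback page itself contains an open redirect, exact matching does not help, and the remedy is to keep tokens out of the front channel (authorization code flow, with the code exchanged server side), plus a state parameter bound to the user's session against CSRF.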


Chris Smith - Insomnia Security - Attacking Real-World Crypto Flaws


Abstract

Everybody knows by now not to roll your own crypto, right? RIGHT? But, as an attacker, how do you go about identifying and exploiting these flaws for your own benefit? And, as a defender, how can you gauge the full impact of such flaws and ensure you steer clear of them?

So forget about the LUCKYBEASTCRIMEPOODLE13 for now, this talk is going to focus on real-world crypto flaws in everyday software. We'll look at some cryptographic issues I've come across in my travels, and how to exploit them. And along the way, we might just learn something about doing it correctly, too!

Speaker Bio

Chris is a consultant for Insomnia Security where he breaks other people's stuff and writes reports about it. Previously a Linux sysadmin and polyglot developer, he now exacts his revenge on technologies that have wronged him.


Felix Shi - Xero - Practical Attacks on WebRTC Applications


Abstract

WebRTC is a browser-based technology that allows peer-to-peer communication via a list of predefined APIs. It has gained popularity among many video conferencing, telephony, and file sharing applications.

Research has been done on its design, architecture, and potential attack vectors against applications that use it. This talk will focus on practical attacks that can be performed on applications that use WebRTC, and how to mitigate against them.

Speaker Bio

Felix works in the product security space at an online accounting software company named Xero. He joined in 2014 and his day job involves securing and breaking internally developed products. Before Xero he spent his previous years as a developer, and has been dabbling in the information security scene in Wellington.


Nilesh Kapoor - Aura Information Security - Host Hardening: Achieve or Avoid?


Abstract

This is still a question mark for most business and application owners: host hardening, avoid or achieve? This paper covers a real-world scenario of a potential server compromise due to a lack of OS hardening and running secure but unpatched services over the Internet, and the host review process and approach, backed up with OWASP guidelines and CIS benchmarks. This talk also touches on host review and hardening automation techniques for medium-sized and enterprise organisations.

This talk aims to:

  • Increase awareness of the importance of host review and hardening among business owners, application owners, server administrators and developers.
  • Answer basic questions such as what host review involves, what approach is recommended for structured host review and achieving compliance, and how to create a hardening baseline standard and apply it to your organisation's policy.
  • Automate the host review process and hardening for servers hosting critical data.

Speaker Bio

Nilesh Kapoor is the author of "Security Testing Handbook for Banking Applications" published by IT Governance. He is currently working as a Senior Security Consultant with Aura Information Security. He has over 8 years of experience in security consulting, application security, host review and hardening, network security, enterprise solution security and mobile security. He is also a registered penetration tester with CREST and a CEH certification holder. His articles are published on IITP blogs and he also maintains his own security blog at http://nileshkapoor.blogspot.com.


Shahn Harris - Beca Ltd - I judge all of your services and applications


Abstract

I will explain the process that goes on inside a corporate/enterprise when a corporate security team is contacted to evaluate a new application or service by a business unit. The first questions asked have nothing to do with your SDLC, choice of code, framework or potential integration points. The questions are more: what is it, what does it do, where does it live and what do they know. Come to this talk if you wish to discover what information most large corporates/enterprises will ask of you if you try to sell a product/service to them. By taking the learnings from this talk it could potentially save you lots of time, money and

Speaker Bio

Shahn has worked for/with a number of different flagship New Zealand companies across multiple sectors and industries as a security consultant.


Laura Bell - SafeStack - Continuous Security


Abstract

Agile development is a powerful tool for the creation of high-quality software products. It has however scared the life out of many security managers and risk leaders. Once the job of a dedicated security team, security is now the responsibility of all members of our Agile teams.

So how do we bring continuous security to our lifecycles without compromising velocity and innovation? What tools and techniques do we need and when should we apply them?

In this talk, we will examine why security is the new key skill for successful Agile development teams and what you can do to bring it to your teams.

This is a talk of war stories from the SCRUM team trenches and real world tools, techniques and processes that are less about 'managing' security than they are about building amazing (secure) things, fast.

Speaker Bio

With almost a decade of experience in software development and information security, Laura specialises in bringing security survival skills, practices and culture into fast-moving environments.

Laura has spoken at various events such as BlackHat, BlueHat, Velocity, OSCON, Kiwicon, Linux Conf AU and Microsoft TechEd on the subjects of privacy, covert communications, Agile security and security mindset.

Laura is the founder of SafeStack, a specialist security training, development, and consultancy firm and lives in Auckland with her husband and daughter.


Kevin Alcock - Katipo Information Security Ltd - After 30 Years, I’m Coming Out


Abstract

This talk is about my journey from a software development veteran with 30 years of experience to an information security noob. The intended audience is information security noobs looking to get better and web application developers wanting to understand how their applications are vulnerable. The focus is on the Offensive Security (makers of Kali Linux) course Penetration Testing Training with Kali Linux and the Offensive Security Certified Professional (OSCP) certification exam. There will be no spoilers for those that are currently doing the course and exam. OWASP projects such as ZAP, DirBuster and Broken Web Applications will be discussed, and how they helped me. I will also discuss which of the OWASP Top 10 (2013) vulnerabilities I used to gain access to the systems on the lab network.

Speaker Bio

Kevin has spent the last 30 years (10 in North America) in enterprise software development and delivery; now he is turning that experience towards the information security sector to help businesses in need.


Carlos Cordero - Convergnce - Information Security is a Marketing Responsibility


Abstract

KPMG's Global CEO Outlook Survey (July 2015) showed that 50% of global CEOs say that their organisations are "not fully prepared" for a "cyber event". Additionally, information security related risks are perceived to be "the most unpredictable kind of risk". CEOs and Boards expect the IT function to take care of this aspect of the business risk portfolio, for obvious reasons: they own the IT infrastructure or manage it on behalf of other functions (logistics, operations, HR, accounting, finance, etc.). Unfortunately, nobody has told the marketers.

In the last 3 to 5 years, marketing departments have taken it upon themselves to bring into the organisation a smorgasbord of systems and applications, with little or no consultation with the IT department. The result is an unprecedented increase in infosec and legal risks that few organisations are even aware of, much less managing.

Our presentation will consist of 15-20 minutes in which we will:

  • Describe briefly the current situation and how we got to it.
  • Give an insight into the mindset of "the marketer" and explain why "marketers" are oblivious to security.
  • Suggest a map of the marketing-related risks for businesses in the 201X going forward into the 202X.
  • Offer a prediction of the evolution of the marketing-related risks and its implications for information security professionals.
  • Offer suggestions regarding how these risks should be approached in order to reduce the exposure that the marketing department is bringing to the organisation.

Speaker Bio

Carlos is a marketing and intelligence consultant. One of his current areas of interest and research is risk in the marketing context.


Andrew Kelly - Insomnia Security - Two-Thirds of the Sacred Triangle


Abstract

"People, Process, and Technology" has been the sacred mantra, or triad, of IT for as long as I've been in the business. Unfortunately, whether you consider it a 'strategy for success', part of your overall 'holistic approach', or even 'the smell of good business', it's too often ignored. That is, two of the three are, as we all race to install faster, cheaper, more efficient, or 'better' technologies, in order to save money, stay ahead of our competitors, or sometimes even just for the sake of it. My talk will, hopefully, remind you that the "People, Process" part is as important as, maybe even more so than, the tech. Or, as Douglas Adams put it: "It is a mistake to think you can solve any major problems just with potatoes."

List of the author's previous papers/articles/speeches on the same/similar topic: previously, and similar, at ISIG, ISF, OWASP, etc.

Speaker Bio

Andrew started in InfoSec back when the dinosaurs still ruled the Earth. At least, that's how his fellow InfoSec workers, and often his audiences, view him anyways. But, even though his useful working life is slowly coming to its inevitable end, he reckons he still has a little something to offer his fellow IT professionals. Even if every other sentence these days begins with: "Back in my day..." and most of the others with: "Damned kids..." Between nanny naps, Andrew is still relatively gainfully employed as the GM for Insomnia Security.


Daniel Jensen - Security Assessment - Practical exploitation of less commonly identified vulnerabilities


Abstract

Recently I decided to look for some slightly more "complex" vulnerabilities in a PHP project. The open source video platform Kaltura was chosen for no particular reason other than looking vulnerable and having no prior CVEs. Surprisingly, a large PHP based project actually contained some fairly serious (and interesting) issues such as SSRF, object injection, and poor cryptography. This talk will provide some practical advice for finding less commonly identified vulnerabilities, their impact, and how to mercilessly exploit them in a real world application, using Kaltura as our test subject.

Speaker Bio

Daniel is a consultant at Security-Assessment.com where he hacks assorted systems and carries out research (read hacks). Before that he enjoyed a brief stint as a sysadmin, and spent too many years south of the Cook Strait in a misguided attempt at attending university. He currently resides in the bustling metropolis that is Auckland City, and resents having to write his own biography.


Brendan Jamieson - Insomnia Security - Deserialization, what could go wrong?


Abstract

So you're just gonna pass off that data to unserialize()? What could possibly go wrong?

This talk is focused on the deserialization class of web application vulnerabilities. What are they? How are they introduced into web applications? Just how bad can deserializing that arbitrary object really be?

In this talk we'll cover real-world examples of deserialization vulnerabilities being introduced, and exploited, across a number of languages. We'll then look at options that are available to developers to avoid introducing this class of vulnerability into their applications.

Speaker Bio

Brendan Jamieson is a security consultant for Insomnia Security, based out of Wellington. He is active in the .nz infosec community, having spoken at Wellington's ISIG, and is involved in Kiwicon as a speaker, a trainer and the event organiser for the Hamiltr0n CTF.
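The abstract's opening question, "you're just gonna pass off that data to unserialize()?", has the same answer in every language with a native object serializer. The following is an added example, not code from the talk: it uses Python's pickle as the analogue of PHP's unserialize(). The attacker-side class tells pickle to rebuild the object by calling builtins.eval (a harmless stand-in for the os.system call a real payload would name), so the server executes attacker-chosen code the moment it deserializes. The restricted loader beside it refuses every global it has not been told about; the class name, expression and allow-list are hypothetical.

```python
"""Added example: object injection through pickle, the Python analogue of unserialize().

Hypothetical attacker class and allow-list. The payload invokes builtins.eval
as a benign stand-in for os.system; the RestrictedUnpickler is the mitigation.
"""
import builtins
import io
import os
import pickle


class Payload:
    """Attacker-side class. pickle asks __reduce__ how to rebuild the object and
    writes "call eval(EXPR)" into the stream; the server never needs this class."""

    EXPR = "__import__('os').getpid()"  # benign stand-in for os.system("...")

    def __reduce__(self):
        return (eval, (self.EXPR,))


def build_payload():
    """The bytes an attacker would submit in a cookie, form field or API body."""
    return pickle.dumps(Payload())


def unsafe_load(blob):
    """The unserialize() equivalent: any importable callable named in the stream runs."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list the globals the application genuinely needs; reject everything else.
    Plain dicts, lists, strings and numbers never go through find_class at all."""

    ALLOWED = {("builtins", "set"), ("builtins", "frozenset")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"refusing to load global {module}.{name}")


def safe_load(blob):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def payload_ran_in_this_process():
    """True when unsafe_load executed the attacker's expression inside the server process."""
    return unsafe_load(build_payload()) == os.getpid()


def safe_loader_rejects(blob):
    """True when the restricted loader refuses the blob instead of executing it."""
    try:
        safe_load(blob)
    except pickle.UnpicklingError:
        return True
    return False


def plain_data_survives():
    """The data the application actually expected still round-trips through safe_load."""
    data = {"user": "alice", "roles": ["admin", "editor"], "tags": {"nz"}}
    return safe_load(pickle.dumps(data)) == data


if __name__ == "__main__":
    print("payload executed in this process:", payload_ran_in_this_process())
    print("restricted loader rejects payload:", safe_loader_rejects(build_payload()))
    print("plain data still loads:", plain_data_survives())
```

The allow-list is the weaker of the two fixes shown in the prose: it is easy to widen it to a class whose __setstate__ or __del__ does something interesting, which is exactly how deserialization gadget chains are built. Where the data crossing the trust boundary is data rather than live objects, the better option is to not use a native serializer at all and parse JSON against a schema, keeping the integrity check (an HMAC over the blob) for cases where the serializer cannot be replaced.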


David Waters - Lateral Security - Source Code Reviews: Why You Should


Abstract

In this talk I will make the case that you should be using security-focused code review as part of your defensive strategy. I will talk about the types of bugs that are more easily found with either white-box penetration tests or code reviews as opposed to more limited penetration tests. I will then present some real world examples of issues found during code reviews.

Speaker Bio

David is a Senior Security Consultant at Lateral Security. David previously worked in the Security Team at Google in London and draws on 16 years' experience as a systems and web developer, primarily working in .NET, Java and JavaScript.