OWASP New Zealand Day 2017

From OWASP
Revision as of 05:44, 10 August 2017 by Kirkj (talk | contribs) (Added videos to right-hand stream)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2017

19th and 20th April 2017 - Auckland


Introduction

We are proud to announce the eighth OWASP New Zealand Day conference, to be held at the University of Auckland on Thursday April 20th, 2017. OWASP New Zealand Day is a one-day conference dedicated to application security, with an emphasis on secure architecture and development techniques to help Kiwi developers build more secure applications.


Who is it for?

  • Web Developers: There will be a choice of two streams in the morning. First stream covering introductory talks to application security, second stream covering deeper technical topics. Afternoon sessions will cover various defensive topics, with a DevSecOps cluster of talks in stream two after afternoon tea break.
  • Security Professionals and Enthusiasts: Technical sessions later in the day will showcase new and interesting attack and defence topics.

Conference structure

Date: Thurs 20 April 2017
Time: 9:30am - 6:00pm
Cost: Free

The main conference is on Thursday 20th of April, and will have two streams in both the morning and the afternoon:


Registration for the main conference day is now open: Conference Registration Here


Training

As well as the main conference on Thursday, we are pleased to be able to provide training on Wednesday at the same venue. All details including registration are as follows:

LittleHackMe - Morning Date: Wed 19 April 2017
Afternoon session: 9:00am - 12:00pm or part thereof
Morning Training Registration Page

LittleHackMe - Afternoon Date: Wed 19 April 2017
Afternoon session: 1:00pm - 5:00pm or part thereof
Afternoon Training Registration Page SOLD OUT

Advanced Web Hacking and Secure Coding Date: Wed 19 April 2017
Time: 9:00am - 5:00pm or part thereof
Training Registration Page SOLD OUT

(Additional training sessions are being provided privately by Vikram)


Security Testing for Software Testers Date: Wed 19 April 2017
Time: 9:00am - 5:00pm or part thereof
Training Registration Page SOLD OUT


Spaces going fast, so get in quick

General

The eighth OWASP New Zealand Day will be happening thanks to the support provided by the University of Auckland, which will kindly offer the same location as last year for stream one, with the addition of another room near by for the stream two room. Entry to the event will, as in the past, be free.


For any comments, feedback or observations, please don't hesitate to contact us.

Registration

Sold out!

Please add yourself to the waitlist if you'd like to be notified when tickets become available.


Registration for the main conference day is now open: Conference Registration Here Follow us on twitter @owaspnz


There is no cost for the main conference day. Unfortunately due to increased conference running costs, lunch, morning and afternoon tea's will not be provided as it has been for the past OWASP NZ Days. We do ask that if at any point you realise you cannot make it please cancel your registration to make room for others as spaces are limited.


Important dates

  • CFP submission deadline: 18th March 2017
  • CFT submission deadline: 28th February 2017
  • Conference Registration deadline: 15th April 2017
  • Training Registration deadline: 15th April 2017
  • Training Day date: 19th April 2017
  • Conference Day date: 20th April 2017


For those of you booking flights, ensure you can be at the venue at 9:00am, the conference will end by 6:00pm however we will have post conference drinks at a local drinking establishment for those interested.


Conference Venue

The University of Auckland School of Business
Owen Glen Building
Address: 12 Grafton Road

Stream one room: Level 1
Room: 115 (Fisher & Paykel Auditorium)

Stream two room: Level 0
Room: 092

Auckland
New Zealand
Map

073 AUBiz 10Apr08small.jpg OWASPNZDayLectureTheatre.jpg

Conference Sponsors

http://www.auckland.ac.nz

Gold Sponsors:

SA Logo w DD.gif
   
INSOMNIA.PNG
   
Aura PBK Colour.jpg
Redshield.png
   
Zx.png
   
Quantumblack3.png

Support Sponsor:

BinaryMistLimited.png
   
Atlassian.png

Conference Committee

  • Denis Andzakovic - OWASP New Zealand Leader (Auckland)
  • Kirk Jackson - OWASP New Zealand Leader (Wellington)
  • Kim Carter - OWASP New Zealand Leader (Christchurch)
  • Lech Janczewski - Associate Professor - University of Auckland School of Business

Please direct all enquiries to denis.andzakovic@owasp.org | kirk.jackson@owasp.org | kim.carter@owasp.org

Training

As well as the main conference on Thursday, we are pleased to be able to provide training on Wednesday at the same venue. All details including registration are as follows:


LittleHackMe - Morning Date: Wed 19 April 2017
Time: 9:00am - 12:00pm or part thereof
Training Registration Page

LittleHackMe Date: Wed 19 April 2017
Time: 1:00pm - 5:00pm or part thereof
Training Registration Page SOLD OUT

Advanced Web Hacking and Secure Coding Date: Wed 19 April 2017
Time: 9:00am - 5:00pm or part thereof
Training Registration Page SOLD OUT

(Additional training sessions are being provided privately by Vikram)

Security Testing for Software Testers Date: Wed 19 April 2017
Time: 9:00am - 5:00pm or part thereof
Training Registration Page SOLD OUT


Spaces going fast, so get in quick

Call For Presentations

Thank you to all those who have submitted talks. The call for presentations has now closed.

OWASP New Zealand Day conferences attract a high quality of speakers from a variety of security disciplines including architects, web developers and engineers, system administrators, penetration testers, policy specialists and more.


We would like a variety of technical levels in the presentations submitted, corresponding to the three sections of the conference:

  • Introductions to various Web Application Security topics, and the OWASP projects
  • Technical topics
  • Policy, Compliance and Risk Management


The introductory talks should appeal to an intermediate to experienced web developer, without a solid grounding in web application security or knowledge of the OWASP projects. These talks should be engaging, encourage developers to learn more about web application security, and give them techniques that they can immediately return to work and apply to their jobs.

Technical topics are running all day and should appeal to two audiences - experienced web application security testers or researchers, and web developers who have a “OWASP Top Ten” level of understanding of web attacks and defenses. You could present a lightning, short or long talk on something you have researched, developed yourself, or learnt in your travels. Ideally the topics will have technical depth or novelty so that the majority of attendees learn something new.

We would also like to invite talks that will appeal to those interested in the various non-technical topics that are important in our industry. These talks could focus on the development of policies, dealing with compliance obligations, managing risks within an enterprise, or other issues that could appeal to those in management roles.


We encourage presentations to have a strong component on fixing and prevention of security issues. We are looking for presentations on a wide variety of security topics, including but not limited to:


  • Web application security
  • Mobile security
  • Secure development
  • Vulnerability analysis
  • Threat modelling
  • Application exploitation
  • Exploitation techniques
  • Threat and vulnerability countermeasures
  • Platform or language security (JavaScript, NodeJS, .NET, Java, RoR, etc)
  • Penetration Testing
  • Browser and client security
  • Application and solution architecture security
  • PCI DSS
  • Risk management
  • Security concepts for C*Os, project managers and other non-technical attendees
  • Privacy controls


The submission will be reviewed by the OWASP New Zealand Day conference committee and the highest voted talks will be selected and invited for presentation.


PLEASE NOTE:

  • Due to limited budget available, expenses for international speakers cannot be covered.
  • If your company is willing to cover travel and accommodation costs, the company will become "Support Sponsor" of the event.


Thank you to all those who have submitted talks. The call for presentations has now closed.

Please submit your presentation here.


Submissions deadline: 18th March 2017

Applicants will be notified in the following week after the deadline, whether they were successful or not.

Call For Sponsorships

Thank you to all our sponsors. Sponsorship has now been fully subscribed, we are no longer accepting new sponsors.

OWASP New Zealand Day 2017 will be held in Auckland on the 20th of April, 2017 and is a security conference entirely dedicated to application security. The conference is once again being hosted by the University of Auckland with their support and assistance. OWASP New Zealand Day 2017 is a free event, but requires sponsor support to help be an instructive and quality event for the New Zealand community. OWASP is strictly not for profit. The sponsorship money will be used to help make OWASP New Zealand Day 2017 a free, compelling, and valuable experience for all attendees.


The sponsorship funds collected are to be used for things such as:

  • Name tags - we feel that getting to know people within the New Zealand community is important, and name tags make that possible.
  • Promotion - up to now our events are propagating by word of mouth. We would like to get to a wider audience by advertising our events.
  • Printed Materials - printed materials will include brochures, tags and lanyards.

Facts

Last year, the event was supported by nine sponsors and attracted more than 500 participants. Plenty of constructive (and positive!) feedback from the audience was received and we are using this to make the conference more appealing to more people. For more information on the last New Zealand Day event, please visit: https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2016

The OWASP New Zealand community is strong, there are more than 490 people currently subscribed to the mailing-list. OWASP New Zealand Day is expected to attract between 500 and 600 attendees this year.

OWASP regular attendees are IT project managers, IT security managers, IT security consultants, web application architects and developers, QA managers, QA testers and system administrators.

Sponsorships

There are three different levels of sponsorships for the OWASP Day event:


Support Sponsorship: (Covering international speaker travel expenses, media coverage/article/promotion of the event)

Includes:


Silver Sponsorship: 750 NZD

Includes:

  • Publication of the sponsor logo on the event web site - https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2017
  • The publication of the sponsor logo in the event site, in the agenda, on the handouts and in all the official communications with the attendees at the conference.
  • The possibility to distribute the company brochures, CDs or other materials to the participants during the event.


Gold Sponsorship: 1500 NZD

Includes:

  • The possibility to have a promotional banner or sign side stage in the main auditorium (to be provided by the sponsor, size subject to approval by the OWASP NZ Day Committee).
  • The publication of the sponsor logo in the event site, in the agenda, on the handouts and in all the official communications with the attendees at the conference.
  • The possibility to distribute the company brochures, CDs or other materials to the participants during the event.
  • Publication of the sponsor logo on the OWASP New Zealand Chapter page - Sponsor logo on the OWASP NZ site prior and during the OWASP Day event - https://www.owasp.org/index.php/New_Zealand
  • Publication of the sponsor logo on the event web site - https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2017


Those who are interested in sponsoring OWASP New Zealand 2017 Conference can contact the OWASP New Zealand Board.

Thank you to all our sponsors. Sponsorship has now been fully subscribed, we are no longer accepting new sponsors.


Presentations

20th April 2017

08:30 Registration Opens
09:30

Welcome to OWASP New Zealand Day 2017
Lech Janczewski (Associate Professor), Kirk Jackson, Denis Andzakovic and Kim Carter (OWASP Leaders)


09:45

OWASP Top 10 Review & Preview
Kevin Alcock - Katipo Information Security
Slides (PDF, 2.5mb)

09:45

Gaslighting with Honeypits and Mirages
Kate Pearce - Cisco

10:20

Developer's guide to preventing XSS
Felix Shi - Xero
Slides (PDF 400kb)

10:20

The Magical World of Cloud Security
Erica Anderson
Slides (PDF 0.6mb) Video

10:55

The dangerous, exquisite art of safely handling user-uploaded files
Tom Eastman
Slides

10:55

How to spot and stop a wolf in sheep's clothing (a.k.a Account Takeover)
Nick Malcolm - SafeStack
Slides Video

11:30

Building the ultimate login and signup
Matt Cotterell - Fairfax Media
Slides (PDF, 5mb)

11:30

Security on a shoestring - running a security critical service as a volunteer
Daniel Compton
Slideshare Video

12:05

XML: Still Considered Dangerous
Adam Bell - Lateral Security
Slides (PDF, 1.8mb)

12:05

Confession of a lactose intolerant vulnerability hunter
Trev H - RedShield
Slides (300kb) Video

12:35

Break for Lunch

14:00

Sensible defaults for client-side security
Jen Zajac - Catalyst
Slides (PDF 5mb)

14:00

Huzzer, the tree-based generational mutating HTTP fuzzer
Matthew Daley - Aura Information Security
Slides (PDF 16mb) Video

14:30

Changing Perspectives
Shahn Harris - Equifax

14:30

Root Cause is the Best Cause
Adrian Hayes
Video

15:15

30 Days (ish) of Security
Grace Nolan and Catherine McIlvride
Slides (PDF, 3.1mb)

15:15

From JSONP to XSS persistence
Claudio Contin - Aura Information Security
Slides (800kb) Video

15:30

Break for Afternoon Tea

16:00

So we broke all CSPs... You won't guess what happened next!
Lukas Weichselbaum & Michele Spagnuolo - Google Switzerland
Slides (PDF, 1.8mb)

16:00

AppSec in a DevOps World
Peter Chestna - Veracode
Slides (PDF, 4.5mb) Video

16:45

Hacking the Talent Pipeline
Ruth McDavitt - Summer of Tech
Slides (PDF, 1mb)

16:30

Trust me, I'm a cloud
Sam Macleod - SafeStack
Slides (PDF, 200kb) Video

17:00

Conscious Incompetence: Started from the bottom, now we're here
Charlie Gavey - Snapper Services

 
17:15

Graphing when your Facebook friends are awake
Alex Hogue - Atlassian
Google Slides

 
17:45

Wrap Up
Time for the pub, for those interested

 

Speakers List

Kevin Alcock - Katipo Information Security - OWASP Top 10 Review & Preview


Abstract

This is OWASP Day, let’s recap the top 10 from 2013 for those in the room that might not know or need a refresher. But hey it’s 2017 where are we at now? Let’s look at analyse the data collected from the 2016 data call.

Speaker Bio

Kevin helps run the Christchurch branch of ISIG. He has been programming for a living since 1986 (yes, longer than most of you have been alive) after studying at what is now known as Ara Institute of Canterbury. In those 30 plus years he spent of lot of his time in Enterprise, Financial systems with mobile/internet applications. 2016 he became a Offensive Security Certified Professional (OSCP). He is the founder and principal consultant at Katipo Information Security.


Kate Pearce - Cisco - Gaslighting with Honeypits and Mirages: Destroying discovery to deplete attackers


Abstract

Abstract (Small): When an attacker is after you they need a way in, and to prioritize efforts. Defensive gaslighting makes them chase ghost systems, and attack phantom vulnerabilities - keeping you secure. As we discussed last time, we may release tools, and we may discuss some theory, but are you sure that really happened?

Speaker Bio

Catherine (Kate) Pearce is a Senior Security Consultant for Cisco, who is based in Wellington, New Zealand. Formerly a Security Consultant for Neohapsis in the USA, she has engaged with a widespread and varied range of clients to assist them in understanding their current security state, adding resilience into their systems and processes, and managing their ongoing security risk. Day-to-day she undertakes a mix of advising clients around their security, client-focused security assessments (such as penetration tests), and security research. She has spoken at her work at many security conferences, including Black Hat USA, Source Boston, Nolacon, Kiwicon, ACSC, Bsides Canberra and many others. While she has recently presented on Network Security, her true loves are application security enablement, complex systems security, and cross-discipline security analogues.


Felix Shi - Xero - Developer's guide to preventing XSS


Abstract

An introductory talk on cross site scripting, targeted towards web-app developers and QA engineers. Common methods of identifying the issue, as well as prevention and mitigation will be shown in this demo-heavy presentation.

Speaker Bio

Felix works in the product security space at an online accounting software company named Xero. He joined in 2014 and his day job involves securing and breaking internally developed products. Before Xero he spent his previous years as a developer, and has been dabbling in the information security scene in Wellington.


Tom Eastman - The dangerous, exquisite art of safely handling user-uploaded files


Abstract

“Come On, What Harm Can a User Profile photo Do?”.

I’ll show you every scary thing I know about that can be done with a file upload, and how to protect yourself from – hopefully – most of them.

Speaker Bio

Tom Eastman writes words that control computers to tell other computers to build FAKE computers that run on DIFFERENT computers.


Nick Malcolm - SafeStack - How to spot and stop a wolf in sheep's clothing (a.k.a Account Takeover)


Abstract

Almost two thirds of confirmed breaches involve using weak or stolen passwords - it’s not a new threat, but it works. By the end of this talk you will understand the Account Takeover threat, and walk away with some techniques & tools for detection and response within your own web applications.

Speaker Bio

Nick Malcolm is a Security Consultant at SafeStack, which means he gets to help people develop more secure software! He works with awesome people, in Auckland, New Zealand. He was formerly CTO at ThisData, a security product which protected millions of websites from account takeover attacks.

He’s also an active member in the Ruby community, regularly speaking about coding and security. He is a member of OWASP NZ, ISIG (Info Sec Interest Group), CSA (Cloud Security Alliance), and Internet NZ.

When he’s not coding he’s probably watching some scifi, spending time with his wife and kid, patting his cat, or strummin’ on his guitar.

Matt Cotterell - Fairfax Media - Building the ultimate login and signup


Abstract

Web Applications have lots of quirks and limitations that set them apart from other kinds of applications. In this talk, we explore public facing login and registration flows and some of those quirks that can catch devs out which can open your application (or users!) to security or privacy risks.

Speaker Bio

Matt Cotterell is a Security Engineer and a .NET Developer with 5+ years professional experience in software engineering for various diverse industries, including healthcare, cinema management and journalism. He is more of a maker than a breaker and spends his time exploring various software frameworks and public cloud providers (particularly .NET and Azure) along with writing software and presentations that enable developers to secure these systems.

He is currently working for Fairfax Media (stuff.co.nz) helping the DevOps teams improve the general security posture of their software and systems architecture, and developing awareness training for the in-house development teams. In his spare time, he can be found watching bad movies, gleefully overusing the word “cyber”, and feeling awkward writing biographies in a third-person perspective.


Daniel Compton - Security on a shoestring - running a security critical service as a volunteer


Abstract

Clojars is a JAR hosting service for the Clojure community. It’s a security critical piece of infrastructure for many organisations. This talk discusses my joining Clojars, how we improved our security, and how you can do the same, especially if you’re at a non-profit or a volunteer.

Speaker Bio

Daniel Compton is an independent software consultant, living in The Regions (Morrinsville). He works mainly with Clojure and ClojureScript, and is a volunteer admin for Clojars, the Clojure community JAR host. He also runs Deps, a private JAR hosting service. He enjoys contributing to open source projects and spending time with his young family.


Adam Bell - Lateral Security - XML: Still Considered Dangerous


Abstract

XML, the JSON of 2005. This talk will discuss an existing class of attacks against XML parsers, with some new twists for evading existing attack mitigations.

Speaker Bio

Adam ‘feabell’ Bell lives in Auckland with his wife and daughter. By day he is a security consultant for Lateral Security, by night he tries to remember what sleep is.


Trev H - RedShield - Confession of a lactose intolerant vulnerability hunter


Abstract

Eating cheese is delicious but if your body can’t process lactose (like mine) you are in for trouble. On those late, dairy induced nights where sleep just won’t happen, I’ll spend time developing an idea for an automated mass scan tool - “fon-didly-do”. This tool could collate vulnerability data collected from open Github projects and run analytics on them. This tool could be useful in identifying vulnerability trends for certain project types and platforms. I could write this tool using a combination of Postgres, Elixir and any number of free static code analysis tools.

This looks like a lot of work, but as luck would I have it … I have a fridge full of beer, some crusty bread and a wheel of gorgonzola, lets get to work!

There will be a release of fon-didly-do, a demo and some live cheese during this talk.

Speaker Bio

Trev is a RedShield Developer and Security Researcher who should not eat cheese! His daily job is to help secure web applications used by hundreds of thousands of people across the globe. He enjoys cooking, blues guitar and being a professional developer.


Jen Zajac - Catalyst - Sensible defaults for client-side security


Abstract

When starting a new web project, what foundations should you lay to ensure your JavaScript, HTML and CSS is going to be secure? Thinking about CSP, session token storage, how much you can trust a given input early can save a lot of rework later!

Speaker Bio

Jen is the lead front-end developer at Catalyst, a development company with a strong focus on Open Source. Based in Wellington, New Zealand, Jen is originally from the UK but ended up in NZ working for a conservation charity and ended up sticking around. With 10 years of experience in the tech industry, Jen is the co-director of Kiwi PyCon 2014 and the director of nz.js(con); 2017.


Matthew Daley - Aura Information Security - Huzzer, the tree-based generational mutating HTTP fuzzer


Abstract

Webapp fuzzing is well-covered by tools such as Zed Attack Proxy or Burp Suite, but what about the underlying webservers? Huzzer is a tree-based, generational mutating fuzzer for HTTP that targets webservers. I’ll talk about its development and some vulnerabilities found in real world webservers.

Speaker Bio

Senior Security Consultant at Aura Information Security and general weirdo in real life. Finds vulnerabilities in hypervisors, servers, webapps, and front doors.


Shahn Harris - Equifax - Changing Perspectives


Abstract

I will share 10 techniques on how you change companies perspectives on what information security is, and how it should be handled. These tips do not involve executive buy in, metrics, risk assessments, budget and without anyone knowing what you are actually doing.

Speaker Bio

Shahn Harris has spent many years working inside businesses of carious sizes in many different capacities. This has resulted in him changing from average tech guy to a beautiful butterfly of business engagement, stakeholder management, strategic product alignment, future states, and whatever other business jargon you can think of. He has worked across a number of leading New Zealand institutes, organisation’s and, brands spanning multiple industries as an internal resource or as a consultant.


Adrian Hayes - Root Cause is the Best Cause


Abstract

This talk will explore web app security flaws at the source code level at find the patterns and anti-patterns that lead to vulnerabilities. If you’re a developer you’ll learn how to write more secure code, and if you’re a pentester you’ll learn some root causes and where to focus your efforts.

Speaker Bio

Adrian Hayes has twelve years experience in the IT industry specialising in both software development and IT security. He has consulted on security for some of the largest organisations in the financial, government, telecommunications, and education sectors across New Zealand and internationally. Adrian has been known to speak at various security events including Kiwicon, OWASP NZ Day, ISACA education days, and OWASP Asia AppSec. He has published security research in the IEEE Security and Privacy magazine, and has been invited to speak on wider IT issues on Radio NZ.


Grace Nolan and Catherine McIlvride - Enable Ltd and Assurity - 30 Days (ish) of Security


Abstract

What is it like to learn security as complete beginner? What is is like to teach a complete beginner? Where would you start? This talk is about what it’s like learning security as a complete beginner.

Speaker Bio

Grace has been pressing buttons on computers her whole life. The right buttons and the wrong buttons. Now she presses buttons for a living. She’s currently a systems developer for Enable Ltd, a fibre broadband company in Christchurch, which sounds terrifyingly adult on paper. She cares about Computer Science in schools and Women in Tech stuff. She’s an enthusiastic choral singer, tea fanatic, and paints watercolours when she’s not devouring the latest in tech news.

Catherine is a Software Tester from Assurity. Her role is to gently bring developers back down to earth by methodically exposing their bugs. She laughs kindly at their dismay. She is a woman to be celebrated and feared. Wanting to discover new challenges, Cat is learning about security in the hopes of finding even better, juicier bugs.


Claudio Contin - Aura Information Security - From JSONP to XSS persistence


Abstract

An unescaped JSONP endpoint, combined to a XSS vulnerability, can lead to a persisted XSS, through service workers onFetch event.

Speaker Bio

I’ve been a backed web developer and system admin for many years, with good knowledge of JavaScript as well, and have explored a variety of open source technologies and programming languages. Since 2016 I’m working full time as a security consultant for Aura Information Security, mainly performing penetration tests for web and mobile applications.


Lukas Weichselbaum & Michele Spagnuolo - Google Switzerland - So we broke all CSPs... You won't guess what happened next!


Abstract

Last year we proved that the whitelist-based approach of Content Security Policy (CSP) is flawed and proposed an alternative based on 'strict-dynamic' in combination with nonces or hashes.

In our academic paper (CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy, ACM CCS, 2016), we demonstrated, using automatic checks, that 94.72% of all real-world policies can be trivially bypassed by an attacker with an XSS bug, and 75.81% are bypassable due to whitelists.

Thanks to the new 'strict-dynamic' approach, we were finally able to deploy an effective policy to many important Google products, such as GMail, Photos, and others. In this presentation we would like to share our experience, show examples, best practices and common pitfalls.

Finally, we share how we are addressing the recent bypasses of nonce-based policies, such as nonce exfiltration/reuse techniques and dangling markup attacks.

Speaker Bio

Lukas Weichselbaum is an Information Security Researcher at Google focusing on security enhancements and mitigations for web applications. He co-authored the specification for ‘strict-dynamic’ in CSP3 and launched CSP-Evaluator (csp-evaluator.withgoogle.com), a tool for developers and security experts to check if a Content Security Policy serves as a strong mitigation against cross-site scripting attacks. Lukas previously worked on dynamic analysis of Android malware. He also founded Andrubis – one of the very first large scale malware analysis platforms for Android applications.

Michele Spagnuolo is an Information Security Engineer at Google focusing on security enhancements and mitigations for web applications. He co-authored the specification for ‘strict-dynamic’ in CSP3, serving as a strong mitigation against cross-site scripting attacks. Other works include Rosetta Flash (rosettaflash.com) and BitIodine (bitiodine.net).


Peter Chestna - Veracode - AppSec in a DevOps World


Abstract

Dev teams were already struggling with adding security to their Agile processes. DevOps teams are pushing to release continuously, meaning integrating security will become even more of a challenge. How can teams deliver secure code while maintaining the speed required in a DevOps world?

Speaker Bio

As Director of Developer Engagement at Veracode, Pete provides customers with practical advice on how to successfully roll out developer-centric application security programs. Relying on more than 10 years of direct AppSec experience as both a developer and development leader, Pete provides information on best practices amassed from working with Veracode’s 1,000+ customers.

Pete joined Veracode in 2006 as a software developer and was instrumental in delivering the first version of Veracode’s service to customers. Later, as Director of Platform Engineering, Pete built and managed the Agile teams responsible for delivering Veracode’s SaaS platform. He also built the first DevOps team to deliver microservices. He is a certified product owner and scrum master. Pete also spearheaded Veracode’s initiative to automate the use of Veracode products into the company’s development processes called project Purina. Using this experience, he has spoken with hundreds of Veracode customers to help them set up similar programs.

Pete has more than 25 years’ experience developing software and has been granted 3 patents. He has been developing web applications since 1996, including one of the first applications to be delivered through a web interface. In his spare time he enjoys listening to Rush, drinking whiskey and programming on the Arduino platform.


Ruth McDavitt - Summer of Tech - Hacking the Talent Pipeline


Abstract

How can we join together to creatively overcome the limitations of our current education & recruitment systems to achieve a better talent pipeline? It’s recognised as a massive barrier, so what can we do about it today, to grow the talent pool right now, and for the future?

Speaker Bio

Ruth works on the human side of the technology industry, leading the Summer of Tech programme that is addressing the shortage of NZ technology skills through connecting experienced industry mentors with students. She is an active mentor to young entrepreneurs in a variety of programmes, including incubators, accelerators, universities, within community groups and at high schools.


Sam Macleod - SafeStack - Trust me, I'm a cloud


Abstract

As the cloud continues to take over every part of our lives, chances are that most of our systems and applications look quite different today than they used to. I will be talking about some of the Business Continuity pitfalls that are common in cloud environments, and how we can weather the storm.

Speaker Bio

Sam comes from an operations background, with experience in infrastructure design, incident response, and policy writing and implementation. 
Working with financial applications, he has extensive experience in creating and working with high security environments.


Charlie Gavey - Snapper Services - Conscious Incompetence: Started from the bottom, now we're here


Abstract

Feeling like your organisation isn’t getting anywhere with security? The realisation that you don’t know anything is actually a critical part of the process. Described as the “conscious competence model”, this talk discusses how being conscious of your own incompetence is an important first step.

Speaker Bio

As a Scrum Master and Product Owner at Snapper Services, I’m all about empowering agile teams, with an interest in how agile teams mature and scale. I’m enthusiastic about fostering the next generation of tech talent; working with PC4G, RailsGirls, Cultivate Mentoring, and Summer of Tech. Will tramp for scroggin.


Alex Hogue - Atlassian - Graphing when your Facebook friends are awake


Abstract

We’re going to talk about finding this weird bug/feature, reverse-engineering what it does, actually looking at the graphs of real-life humans, using it in a social engineering context, how to prevent it, and tips for applying to work at the NSA.

Speaker Bio

Alex is a kid with a laptop and a pocketful of memes. Critics have described him as “aggressively wonky”. As far as he can tell from carefully examining the smoking crater that is his life, he’s working in Incident Response at Atlassian, which is a little bit like being an adult but with more ice cream. He does magic tricks and makes dumb one-use novelty websites as a substitude for getting out more.


Erica Anderson - The Magical World of Cloud Security


Abstract

Before you can get to a web app, your request usually goes through a few different levels of security infrastructure. This talk will focus on common tools and technology used at the host and platform level, why they are used, and which ones are full of fairy dust.

Speaker Bio

Her twitter bio says “info sec, cat, and ketchup enthusiast”. This story checks out.

Diversity and Financial Aid fund

[We have unashamedly followed the model adopted by the nz.js(con) team with their fund. Many thanks to Jen and the team!]

Due to the support of our lovely sponsors, we have some additional funding available to help people from around New Zealand attend the OWASP NZ Day that would find it hard to otherwise attend. In particular, we welcome applications from women, people of colour, LGBTIQ and all others. You all deserve to be able to learn more about security, and we’ll do our darndest to help make that happen!

Our funds are limited, and we’ll be reviewing applications every two weeks. Submit your applications soon, so we can approve them early and you’ll be in several review cycles!

Process:

  • Fill out our application form
  • We will review and approve applications each two weeks. The next review date is 12 April 2017.
  • We will contact all applicants and let them know the result of the review.
  • Successful applicants will be contacted to help sort things out.

We use the following criteria to help us decide who gets approved:

  • We are biased towards (but not exclusively for) diverse applicants.
  • We do attempt to maximise cost efficiency and will aim to get as many people to OWASP with our limited funds.

Each successful recipient can choose whether to be kept anonymous (in which case only the OWASP NZ committee will know the details of your funding), or to be put in touch with the supporting company whose sponsorship is going towards your attendance. We think some of our sponsors may enjoy the opportunity to chat with you on the day talk about your experiences and plans for the future, but that’s totally optional and up to you.

If you have any questions, feel free to drop us an email: denis.andzakovic@owasp.org | kirk.jackson@owasp.org | kim.carter@owasp.org

Code of Conduct

We want to make the OWASP NZ Day a welcoming environment for all attendees. To that end, we would like to remind you of OWASP's anti-harassment policy: [1].

Speakers, trainers and sponsors have all been reminded of these policies, and are expected to abide by them like all attendees.

If you have any concerns during the day, please seek out Kirk, Denis or Kim. We will make ourselves visible at the start of the day so you know what we look like.