__NOTOC__
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div>

= Introduction =
__TOC__{{TOC hidden}}

The following is a developer-centric defensive cheat sheet for the 2013 release of the [[OWASP Top Ten Project]]. It also presents a quick reference based on [[OWASP Testing Project]] to help how to identify the risks.

= OWASP Top Ten Cheat Sheet =

{| border=1
|
||'''Presentation'''
||'''Controller'''
||'''Model'''
||'''Testing (OWASP Testing Guide V4)'''

|-
|'''A1 Injection'''
||

''Render:''
*Set a correct content type
*Set safe character set (UTF-8)
*Set correct locale

''On Submit:''
*Enforce input field type and lengths.
*Validate fields and provide feedback.
*Ensure option selects and radio contain only sent values.
||'''Canonicalize using correct character set'''
'''Positive input validation using correct character set'''

(NR) Negative input validation.
(LR) Sanitize input.

''Tip: updating a negative list (such as looking for "script", "sCrIpT", "ßCrîpt", etc) will require expensive and constant deployments and will '''always '''fail as attackers work out your list of "bad" words. Positive validation is simpler, faster and usually more secure and needs updating far less than any other validation mechanism. ''
||*'''[https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet Parameterized queries]'''

*Object relational model (Hibernate).
*Active Record design pattern.
*Stored procedures.

*Escape mechanisms such as ESAPI's Encoder:
**EncodeForLDAP()
**Encoder.EncodeforOS()

''Tip: '''All '''SQL Injection is due to dynamic SQL queries. Strongly consider prohibiting dynamic SQL queries within your organization ''

||
* [[Testing for SQL Injection (OTG-INPVAL-005)]]
* [[Testing for LDAP Injection (OTG-INPVAL-006)]]
* [[Testing for ORM Injection (OTG-INPVAL-007)]]
* [[Testing for XML Injection (OTG-INPVAL-008)]]
* [[Testing for SSI Injection (OTG-INPVAL-009)]]
* [[Testing for XPath Injection (OTG-INPVAL-010)]]
* [[Testing for IMAP/SMTP Injection (OTG-INPVAL-011)]]
* [[Testing for Code Injection (OTG-INPVAL-012)]]
* [[Testing for Command Injection (OTG-INPVAL-013)]]
* [[Testing for Buffer Overflow (OTG-INPVAL-014)]]

|-
|'''A2 Weak authentication and session management'''
||''Render:''
*Validate user is authenticated.
*Validate role is sufficient for this view.
*Set "secure" and "HttpOnly" flags for session cookies.
*Send CSRF token with forms.

||''Design:''
*Only use inbuilt session management.
*Store secondary SSO / framework / custom session identifiers in native session object – do not send as additional headers or cookies.

*Validate user is authenticated.
*Validate role is sufficient to perform this action.
*Validate CSRF token.
||Validate role is sufficient to create, read, update, or delete data

''Tip: Consider the use of a "governor" to regulate the maximum number of requests per second / minute / hour that this user may perform. For example, a typical banking user should not perform more than ten transactions a minute, and one hundred per second is dangerous and should be blocked.''

||
''[https://www.owasp.org/index.php/Test_Role_Definitions_(OTG-IDENT-001) Test Role Definitions (OTG-IDENT-001)]''
''[https://www.owasp.org/index.php/Test_User_Registration_Process_(OTG-IDENT-002) Test User Registration Process (OTG-IDENT-002)]''
''[https://www.owasp.org/index.php/Test_Account_Provisioning_Process_(OTG-IDENT-003) Test Account Provisioning Process (OTG-IDENT-003)]''
''[https://www.owasp.org/index.php/Testing_for_Account_Enumeration_and_Guessable_User_Account_(OTG-IDENT-004) Testing for Account Enumeration and Guessable User Account (OTG-IDENT-004)]''
''[https://www.owasp.org/index.php/Testing_for_Weak_or_unenforced_username_policy_(OTG-IDENT-005) Testing for Weak or unenforced username policy (OTG-IDENT-005)]''
''[https://www.owasp.org/index.php/Testing_for_Credentials_Transported_over_an_Encrypted_Channel_(OTG-AUTHN-001) Testing for Credentials Transported over an Encrypted Channel (OTG-AUTHN-001)]''
''[https://www.owasp.org/index.php/Testing_for_default_credentials_(OTG-AUTHN-002) Testing for default credentials (OTG-AUTHN-002)]''
''[https://www.owasp.org/index.php/Testing_for_Weak_lock_out_mechanism_(OTG-AUTHN-003) Testing for Weak lock out mechanism (OTG-AUTHN-003)]''
''[https://www.owasp.org/index.php/Testing_for_Bypassing_Authentication_Schema_(OTG-AUTHN-004) Testing for bypassing authentication schema (OTG-AUTHN-004)]''
''[https://www.owasp.org/index.php/Testing_for_Vulnerable_Remember_Password_(OTG-AUTHN-005) Test remember password functionality (OTG-AUTHN-005)]''
''[https://www.owasp.org/index.php/Testing_for_Browser_cache_weakness_(OTG-AUTHN-006) Testing for Browser cache weakness (OTG-AUTHN-006)]''
''[https://www.owasp.org/index.php/Testing_for_Weak_password_policy_(OTG-AUTHN-007) Testing for Weak password policy (OTG-AUTHN-007)]''
''[https://www.owasp.org/index.php/Testing_for_Weak_security_question/answer_(OTG-AUTHN-008) Testing for Weak security question/answer (OTG-AUTHN-008)]''
''[https://www.owasp.org/index.php/Testing_for_weak_password_change_or_reset_functionalities_(OTG-AUTHN-009) Testing for weak password change or reset functionalities (OTG-AUTHN-009)]''
''[https://www.owasp.org/index.php/Testing_for_Weaker_authentication_in_alternative_channel_(OTG-AUTHN-010) Testing for Weaker authentication in alternative channel (OTG-AUTHN-010)]''
''[https://www.owasp.org/index.php/Testing_for_Bypassing_Authorization_Schema_(OTG-AUTHZ-002) Testing for bypassing authorization schema (OTG-AUTHZ-002)]''
''[https://www.owasp.org/index.php/Testing_for_Privilege_escalation_(OTG-AUTHZ-003) Testing for Privilege Escalation (OTG-AUTHZ-003)]''
''[https://www.owasp.org/index.php/Testing_for_Session_Management_Schema_(OTG-SESS-001) Testing for Bypassing Session Management Schema (OTG-SESS-001)]''
''[https://www.owasp.org/index.php/Testing_for_cookies_attributes_(OTG-SESS-002) Testing for Cookies attributes (OTG-SESS-002)]''
''[https://www.owasp.org/index.php/Testing_for_Session_Fixation_(OTG-SESS-003) Testing for Session Fixation (OTG-SESS-003)]''
''[https://www.owasp.org/index.php/Testing_for_Exposed_Session_Variables_(OTG-SESS-004) Testing for Exposed Session Variables (OTG-SESS-004)]''
''[https://www.owasp.org/index.php/Testing_for_CSRF_(OTG-SESS-005) Testing for Cross Site Request Forgery (CSRF) (OTG-SESS-005)]''
''[https://www.owasp.org/index.php/Testing_for_logout_functionality_(OTG-SESS-006) Testing for logout functionality (OTG-SESS-006)]''
''[https://www.owasp.org/index.php/Test_Session_Timeout_(OTG-SESS-007) Test Session Timeout (OTG-SESS-007)]''
''[https://www.owasp.org/index.php/Testing_for_Session_puzzling_(OTG-SESS-008) Testing for Session puzzling (OTG-SESS-008)]''

|-
|'''A3 XSS'''
||

''Render:''
*Set correct content type
*Set safe character set (UTF-8)
*Set correct locale
*Output encode all user data as per output context
*Set input constraints

''On Submit:''
*Enforce input field type and lengths.
*Validate fields and provide feedback.
*Ensure option selects and radio contain only sent values.
||'''Canonicalize using correct character set'''
'''Positive input validation using correct character set'''

(NR) Negative input validation
(LR) Sanitize input

''Tip: Only process data that is 100% trustworthy. Everything else is hostile and should be rejected.''
||''Tip: Do not store data HTML encoded in the database. This prevents new uses for the data, such as web services, RSS feeds, FTP batches, data warehousing, cloud computing, and so on.''

''Tip: Use OWASP Scrubbr to clean tainted or hostile data from legacy data''

||
''[https://www.owasp.org/index.php/Testing_for_Reflected_Cross_site_scripting_(OTG-INPVAL-001) Testing for Reflected Cross Site Scripting (OTG-INPVAL-001)]''
''[https://www.owasp.org/index.php/Testing_for_Stored_Cross_site_scripting_(OTG-INPVAL-002) Testing for Stored Cross Site Scripting (OTG-INPVAL-002)]''
''[https://www.owasp.org/index.php/Testing_for_DOM-based_Cross_site_scripting_(OTG-CLIENT-001) Testing for DOM based Cross Site Scripting (OTG-CLIENT-001)]''
''[https://www.owasp.org/index.php/Testing_for_JavaScript_Execution_(OTG-CLIENT-002) Testing for JavaScript Execution (OTG-CLIENT-002)]''
''[https://www.owasp.org/index.php/Testing_for_HTML_Injection_(OTG-CLIENT-003) Testing for HTML Injection (OTG-CLIENT-003)]''
''[https://www.owasp.org/index.php/Testing_for_Cross_site_flashing_(OTG-CLIENT-008) Testing for Cross Site Flashing (OTG-CLIENT-008)]''

|-
|'''A4 Insecure Direct Object References'''
||If data is from internal trusted sources, no data is sent.

Or

''Render:''
*Send indirect random access reference map value.
||Obtain data from internal, trusted sources.

Or

Obtain direct value from random access reference access map.
||Validate role is sufficient to create, read, update, or delete data.

||
''[https://www.owasp.org/index.php/Testing_Directory_traversal/file_include_(OTG-AUTHZ-001) Testing Directory traversal/file include (OTG-AUTHZ-001)]''
''[https://www.owasp.org/index.php/Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004) Testing for Insecure Direct Object References (OTG-AUTHZ-004)]''
''[https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion Testing for Local File Inclusion]''
''[https://www.owasp.org/index.php/Testing_for_Remote_File_Inclusion Testing for Remote File Inclusion]''

|-
|'''A5 Security Misconfiguration'''
||Ensure web servers and application servers are hardened.

PHP: Ensure allow_url_fopen and allow_url_include are both disabled in php.ini. Consider the use of Suhosin extension
||Ensure web servers and application servers are hardened

XML: Ensure common web attacks (remote XSLT transforms, hostile XPath queries, recursive DTDs, and so on) are protected by your XML stack. Do not hand craft XML documents or queries – use the XML layer.
||Ensure database servers are hardened

||
''[https://www.owasp.org/index.php/Fingerprint_Web_Server_(OTG-INFO-002) Fingerprint Web Server (OTG-INFO-002)]''
''[https://www.owasp.org/index.php/Fingerprint_Web_Application_Framework_(OTG-INFO-008) Fingerprint Web Application Framework (OTG-INFO-008)]''
''[https://www.owasp.org/index.php/Fingerprint_Web_Application_(OTG-INFO-009) Fingerprint Web Application (OTG-INFO-009)]''
''[https://www.owasp.org/index.php/Test_Network/Infrastructure_Configuration_(OTG-CONFIG-001) Test Network/Infrastructure Configuration (OTG-CONFIG-001)]''
''[https://www.owasp.org/index.php/Test_Application_Platform_Configuration_(OTG-CONFIG-002) Test Application Platform Configuration (OTG-CONFIG-002)]''
''[https://www.owasp.org/index.php/Test_File_Extensions_Handling_for_Sensitive_Information_(OTG-CONFIG-003) Test File Extensions Handling for Sensitive Information (OTG-CONFIG-003)]''
''[https://www.owasp.org/index.php/Review_Old,_Backup_and_Unreferenced_Files_for_Sensitive_Information_(OTG-CONFIG-004) Review Old, Backup and Unreferenced Files for Sensitive Information (OTG-CONFIG-004)]''
''[https://www.owasp.org/index.php/Enumerate_Infrastructure_and_Application_Admin_Interfaces_(OTG-CONFIG-005) Enumerate Infrastructure and Application Admin Interfaces (OTG-CONFIG-005)]''
''[https://www.owasp.org/index.php/Test_HTTP_Methods_(OTG-CONFIG-006) Test HTTP Methods (OTG-CONFIG-006)]''
''[https://www.owasp.org/index.php/Test_RIA_cross_domain_policy_(OTG-CONFIG-008) Test RIA cross domain policy (OTG-CONFIG-008)]''
''[https://www.owasp.org/index.php/Testing_for_Error_Code_(OTG-ERR-001) Analysis of Error Codes (OTG-ERR-001)]''
''[https://www.owasp.org/index.php/Testing_for_Stack_Traces_(OTG-ERR-002) Analysis of Stack Traces (OTG-ERR-002)]''

|-
|'''A6 Sensitive Data Exposure'''
||''Design:''
*Use strong ciphers (AES 128 or better) with secure mode of operations (do not use ECB).
*Use strong hashes (SHA 256 or better) with salts for passwords.
*Protect keys more than any other asset.
*Use TLS 1.2 or later for all web communications.
*Buy extended validation (EV) certificates for public web servers.

''Tip: Use TLS 1.2 always – even internally. Most snooping is done within corporate networks – and it is as easy and unethical as fishing with dynamite.''

''Render:''
*Do not send keys or hashes to the browser.

||''Design:''
*Use strong ciphers (AES 128 or better) with secure mode of operations (do not use ECB).
*Use strong hashes (SHA 256 or better) with salts for passwords.
*Protect keys more than any other asset.
*Mandate strong encrypted communications between web and database servers and any other servers or administrative users.

''Tip: Only certain personally identifiable information and sensitive values MUST be encrypted. Encrypt data that would be embarrassing or costly if it was leaked or stolen. ''

''Tip: It is best to encrypt data on the application server, rather than the database server.''

||''Design:''

*Mandate strong encrypted communications with application servers and any other servers or administrative users.

''Tip: Do not use RDBMS database, row or table level encryption. The data can be retrieved in the clear by anyone with direct access to the server, or over the network using the application credentials. It might even traverse the network in the clear despite being "encrypted" on disk. ''

||
''[https://www.owasp.org/index.php/Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001) Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection (OTG-CRYPST-001)]''
''[https://www.owasp.org/index.php/Testing_for_Padding_Oracle_(OTG-CRYPST-002) Testing for Padding Oracle (OTG-CRYPST-002)]''
''[https://www.owasp.org/index.php/Testing_for_Sensitive_information_sent_via_unencrypted_channels_(OTG-CRYPST-003) Testing for Sensitive information sent via unencrypted channels (OTG-CRYPST-003)]''
''[https://www.owasp.org/index.php/Test_HTTP_Strict_Transport_Security_(OTG-CONFIG-007) Test HTTP Strict Transport Security (OTG-CONFIG-007)]''
''[https://www.owasp.org/index.php/Testing_for_Credentials_Transported_over_an_Encrypted_Channel_(OTG-AUTHN-001) Testing for Credentials Transported over an Encrypted Channel (OTG-AUTHN-001)]''

|-
|'''A7 Missing Function Level Access Control'''
||''Design:''
*Ensure all non-web data is outside the web root (logs, configuration, etc).
*Use octet byte streaming instead of providing access to real files such as PDFs or CSVs or similar.
*Ensure every page requires a role, even if it is "guest".

''Pre-render:''
*Validate user is authenticated.
*Validate role is sufficient to view secured URL.

''Render:''
*Send CSRF token.
||
*Validate user is authenticated.
*Validate role is sufficient to perform secured action.
*Validate CSRF token.

''Tip: It's impossible to control access to secured resources that the web application server does not directly serve. Therefore, PDF reports or similar should be served by the web application server using binary octet streaming. ''

''Tip: Assume attackers '''will''' learn where "hidden" directories and "random" filenames are, so do not store these files in the web root, even if they are not directly linked.''
||Validate role is sufficient to create, read, update, or delete data

||
''[https://www.owasp.org/index.php/Testing_Directory_traversal/file_include_(OTG-AUTHZ-001) Testing Directory traversal/file include (OTG-AUTHZ-001)]''
''[https://www.owasp.org/index.php/Testing_for_Bypassing_Authorization_Schema_(OTG-AUTHZ-002) Testing for bypassing authorization schema (OTG-AUTHZ-002)]''
''[https://www.owasp.org/index.php/Testing_for_Bypassing_Authentication_Schema_(OTG-AUTHN-004) Testing for bypassing authentication schema (OTG-AUTHN-004)]''

|-
|'''A8 Cross Site Request Forgery'''
||''Pre-render:''
*Validate user is authenticated
*Validate role is sufficient for this view

''Render:''
*Send CSRF token.
*Set "secure" and "HttpOnly" flags for session cookies.
||
*Validate CSRF token.
*Validate role is sufficient to perform this action.
*Validate role is sufficient.

''Tip: CSRF is '''always '''possible if there is XSS, so make sure XSS is eliminated within your application.''
||Validate role is sufficient to create, read, update, or delete data

||
''[https://www.owasp.org/index.php/Testing_for_CSRF_(OTG-SESS-005) Testing for Cross Site Request Forgery (CSRF) (OTG-SESS-005)]''

|-
|'''A9 Using Components with Known Vulnerabilities'''
||

||

||

||
''[https://www.owasp.org/index.php/Enumerate_Applications_on_Webserver_(OTG-INFO-004) Enumerate Applications on Webserver (OTG-INFO-004)]''
|-

|-
|'''A10 Unvalidated Redirects and Forwards'''
||
*Design the app without URL redirection parameters.

or

''Render:''
*Use random indirect object references for redirection parameters.

||
*Design the app without URL redirection parameters.

or

*Obtain direct redirection parameter from random indirect reference access map.
*(LR) Positive validation of redirection parameter.
*(NR) Java – Do not forward() requests as this prevents SSO access control mechanisms.

||
*Validate role is sufficient to create, read, update, or delete data.

||
''[https://www.owasp.org/index.php/Testing_for_Client_Side_URL_Redirect_(OTG-CLIENT-004) Testing for Client Side URL Redirect (OTG-CLIENT-004)]''

|-
|}

= Authors and Primary Editors =

Andrew van der Stock vanderaj[at]owasp.org

Ismael Rocha Gonçalves ismaelrg[at]gmail.com

Jorge Correa jacorream@gmail.com

= Other Cheatsheets =

{{Cheatsheet_Navigation_Body}}

[[Category:Cheatsheets]]

2017-07-27T04:07:36Z

Dan Wallis: /* Related Articles */

OWASP New Zealand Day 2016

2016-04-05T02:25:33Z

Dan Wallis: Adding link to my slides

__NOTOC__
<center>
[https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2016 https://www.owasp.org/images/2/23/OWASP_NZ_Day_2016_logo.jpg]<br><br>
'''3rd and 4th Feburary 2016 - Auckland'''
</center>
----

= Introduction =
==Introduction==
We are proud to announce the seventh OWASP New Zealand Day conference, to be held at the University of Auckland on Thursday February 4th, 2016. OWASP New Zealand Day is a one-day conference dedicated to application security, with an emphasis on secure architecture and development techniques to help Kiwi developers build more secure applications.

Who is it for?

* Web Developers: The morning sessions will introduce you to application security. Afternoon sessions will dive deeper into technical topics, and build on the morning sessions.
* Management: After an introduction to web application security, one of the afternoon streams will focus on informational and defensive topics.
* Security Professionals and Enthusiasts: Technical sessions later in the day will showcase new and interesting attack and defence topics.

==Conference structure==

Date: Thurs 4 Feb 2016<br>
Time: 9:00am - 5:00pm<br>
Cost: Free<br>
Food: Morning and Afternoon tea

The main conference is on Thursday 4th of February, and will have three streams:

<table style="border:1px solid black;">
<tr>
<td width="10%" style="text-align:center; border:1px solid black">Morning</td>
<td width="90%" colspan="2" style="border:1px solid black; padding: 0px 0px 0px 12px;">Introductions to application security topics</td>
</tr>
<tr>
<td width="10%" style="text-align:center; border:1px solid black;">Afternoon</td>
<td width="45%" style="border:1px solid black; padding: 0px 0px 0px 12px;">Offensive Security</td>
<td width="45%" style="border:1px solid black; padding: 0px 0px 0px 12px;">Informational / Defensive</td>
</tr>
</table>

==Training==

Date: Wed 3 Feb 2016<br>
Time: 9:30am - 12:30pm session booked out<br>
Time: 1:30am - 4:30pm or part thereof. Spaces going fast, so get in quick<br>

As well as the main conference on Thursday, we are pleased to be able to provide training on Wednesday. All details including registration can be found on the [https://www.eventbrite.com/e/owasp-nz-day-training-littlehackme-pm-tickets-20715612956 Training Registration Page].



The seventh OWASP New Zealand Day will be happening thanks to the support provided by the University of Auckland, which will kindly offer a slightly different location from last year. Entry to the event will, as in the past, be free.

For any comments, feedback or observations, please don't hesitate to contact [mailto:kim.carter@owasp.org?cc=adrian.hayes@owasp.org&cc=denis.andzakovic@owasp.org&cc=kirk.jackson@owasp.org us].<br>

==Registration==


Registration for the main conference day is now open: [https://www.eventbrite.com/e/owasp-day-nz-conference-tickets-20260031299 Conference Registration Here]

There is no cost for the main conference day. Morning and afternoon tea will be provided. Unfortunately due to increased conference running costs, lunch will not be provided as it has been for the past OWASP NZ Days. We do ask that if at any point you realise you cannot make it please cancel your registration to make room for others as spaces are limited.





==Important dates==

* CFP & CFT submission deadline: 7th December 2015
* Conference Registration deadline: 21st January 2016
* Training Registration deadline: 21st January 2016
* Training Day date: 3rd February 2016
* Conference Day date: 4th February 2016



==Conference Venue==

<table width="100%">
<tr>
<td>

The University of Auckland School of Commerce<br>
Address: 12 Grafton Road<br>
<br>
Main conference room: Level 1<br>
Room: 115 (Fisher & Paykel Auditorium)<br>
<br>
Afternoon parallel stream: Level 0<br>
Room: B5<br>
<br>
Auckland<br>
New Zealand<br>
[https://www.google.com/maps/place/Owen+G+Glenn+Building+12+Grafton+Road/@-36.8528203,174.770224,17z/data=!4m6!1m3!3m2!1s0x0000000000000000:0x0205ad91287ba364!2sUniversity+of+Auckland+Graduate+School+of+Enterprise!3m1!1s0x0000000000000000:0xc9d224e5921a6690 Map]
</td>
<td>
[[Image:073_AUBiz_10Apr08small.jpg]] [[Image:MG_0037small.JPG]]
</td>
</tr>
</table>

==Conference Sponsors==
<table width="100%" border="0" cellspacing="1" cellpadding="1">
<tr>
<td valign="bottom" width="50%"><center>[http://www.auckland.ac.nz/ https://www.owasp.org/images/8/82/University_of_Auckland_crest_small.png]</center></td>
<td valign="bottom" width="50%"><center>[http://security.org.nz/nzsif/ https://www.owasp.org/images/5/5a/Nz_information_security_forum.png]</center></td>
</tr>
<tr>
<td valign="top" width="50%"><center>ICT and Department of Information Systems and Operations Management</center></td>
<td valign="top" width="50%"> </td>
</tr>
</table>
----

'''Gold Sponsors:'''
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td><center>[[File:INSOMNIA.PNG|center|300px|link=http://www.insomniasec.com/]]</center></td>
<td> </td>
<td> </td>
<td><center>[[File:RedShield.png|center|300px|link=https://auraredshield.com/]]</center></td>
<td> </td>
<td> </td>
<td><center>[http://www.security-assessment.com https://www.owasp.org/images/4/41/SA_Logo_w_DD.gif]</center></td>
</tr>
<tr>
<td><center>[http://www.insomniasec.com Insomnia Security]</center></td>
<td> </td>
<td> </td>
<td><center>[https://auraredshield.com/ Aura RedShield]</center></td>
<td> </td>
<td> </td>
<td><center>[http://www.security-assessment.com www.security-assessment.com]</center></td>
</tr>
</table>
----

'''Silver Sponsors:'''
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td><center>[[File:Quantum.png|center|250px|link=http://www.quantumsecurity.co.nz/]]</center></td>
<td><center>[[File:ZX_Security_Cutout_Cropped.png|center|88px|link=http://www.zxsecurity.co.nz/]]</center></td>
<td><center>[[File:Wynyard_CMYK_land.png|center|250px|link=https://www.wynyardgroup.com/]]</center></td>
</tr>
</table>
----

'''Support Sponsor:'''
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td><center>[[File:BinaryMistLimited.png|center|150px|link=http://binarymist.io]]</center></td>
</tr>
</table>

==Conference Committee==

* Denis Andzakovic - OWASP New Zealand Leader (Auckland)
* Adrian Hayes - OWASP New Zealand Leader (Wellington)
* Kirk Jackson - OWASP New Zealand Leader (Wellington)
* Kim Carter - OWASP New Zealand Leader (Christchurch)
* Lech Janczewski - Associate Professor - University of Auckland School of Business

Please direct all enquiries to denis.andzakovic@owasp.org | adrian.hayes@owasp.org | kim.carter@owasp.org | kirk.jackson@owasp.org

For information on other OWASP NZ events, please visit the [https://www.owasp.org/index.php/New_Zealand NZ chapter site]

= Presentation Schedule=
==Presentations==
<center>
4th Feburary 2016
<table width="80%">
<tr>
<td width="7%" valign="top">08:30</td>
<td colspan="2" style="background-color: #8595C2; text-align: center">Registration Opens</td>
</tr>
<tr>
<td width="7%" valign="top">09:00</td>
<td colspan="2" style="background-color: #B9C2DC; text-align: center">
<b>[https://speakerdeck.com/binarymist/owasp-nz-day-2016 Welcome to OWASP New Zealand Day 2016]</b><br />
<i>Lech Janczewski (Associate Professor), Adrian Hayes, Denis Andzakovic and [https://binarymist.io Kim Carter] (OWASP Leaders)</i>
</td>
</tr>
<tr>
<td width="7%" valign="top">09:15</td>
<td colspan="2" style="background-color: #EEE; text-align: center">
<b>[https://web.fredden.org/assets/OWASP%20Feb%202016.pdf Credit card fraud: you don't want to be the common point of purchase]</b><br />
<i>Dan Wallis - Christchurch ISIG</i>
</td>
</tr>
<tr>
<td width="7%" valign="top">09:45</td>
<td colspan="2" style="background-color: #B9C2DC; text-align: center">
<b>Chronicles of SOP bypass</b><br />
<i>Emmanuel Law - Aura Information Security</i>
</td>
</tr>
<tr>
<td width="7%" valign="top">10:15</td>
<td colspan="2" style="background-color: #EEE; text-align: center">
<b>[https://www.owasp.org/images/9/9e/Keep_Calm_And_CSP.pdf Keep calm and CSP]</b><br />
<i>Valentinas Bakaitis - Aura Information Security</i>
</td>
</tr>
<tr>
<td width="7%" valign="top">10:30</td>
<td colspan="2" style="background-color: #D98B66; text-align: center">
<b>Break for Morning Tea</b><br />
</td>
</tr>
<tr>
<td width="7%" valign="top">11:00</td>
<td colspan="2" style="background-color: #EEE; text-align: center">
<b>Continuous Security</b><br />
<i>Laura Bell - SafeStack</i>
</td>
</tr>
<tr>
<td width="7%" valign="top">11:30</td>
<td colspan="2" style="background-color: #B9C2DC; text-align: center">
<b>Making AppSec a (Respectable) Religion</b><br />
<i>Chris Campbell - Jade Software</i>
</td>
</tr>
<tr>
<td width="7%" valign="top">12:00</td>
<td colspan="2" style="background-color: #EEE; text-align: center">
<b>[https://www.lateralsecurity.com/downloads/Lateral_Security-OAuth2_The_Promise_and_Pitfalls_NZOWASP2016.pdf Oauth 2.0: The Promise and Pitfalls]</b><br />
<i>Sergey Ozernikov - Lateral Security</i>
</td>
</tr>
<tr>
<td width="7%" valign="top">12:30</td>
<td colspan="2" style="background-color: #D98B66; text-align: center">
<b>Break for Lunch</b><br />
</td>
</tr>
<tr>
<td width="7%" valign="top">13:30</td>
<td style="background-color: #B9C2DC; text-align: center">
<b>Attacking Real-World Crypto Flaws</b><br />
<i>Chris Smith - Insomnia Security</i>
</td>
<td style="background-color: #B9C2DC; text-align: center">
<b>[https://www.owasp.org/images/3/30/Presentation_-_Two-Thirds_of_the_Sacred_Triangle_%28OWASP%29_%2802_2016%29.pptx Two-thirds of the Sacred Triangle]</b><br />
<i>Andrew Kelly - Insomnia Security</i>
</td>
</tr>
<tr>
<td width="7%" valign="top">14:00</td>
<td style="background-color: #EEE; ; text-align: center">
<b>Practical Attacks on WebRTC Applications</b><br />
<i>Felix Shi - Xero</i>
</td>
<td style="background-color: #EEE; ; text-align: center">
<b>[https://www.lateralsecurity.com/downloads/Lateral_Security-Source_Code_Reviews-NZOWASP2016.pdf Source Code Reviews: Why You Should]</b><br />
<i>David Waters - Lateral Security</i>
</td>
</tr>
<tr>
<td width="7%" valign="top">14:30</td>
<td style="background-color: #B9C2DC; text-align: center">
<b>Practical exploitation of less commonly identified vulnerabilities</b><br />
<i>Daniel Jensen - Security Assessment</i>
</td>
<td style="background-color: #B9C2DC; text-align: center">
<b>[https://www.owasp.org/images/8/83/Host_review_owasp_2016.pdf Host Hardening - Achieve or Avoid?]</b><br />
<i>Nilesh Kapoor</i>
</td>
</tr>
<tr>
<td width="7%" valign="top">15:00</td>
<td style="background-color: #EEE; ; text-align: center">
<b>Deserialization, what could go wrong</b><br />
<i>Brendan Jamieson - Insomnia Security</i>
</td>
<td style="background-color: #EEE; ; text-align: center">
<b>I judge all of your services and applications</b><br />
<i>Shahn Harris - Beca Ltd</i>
</td>
</tr>
<tr>
<td width="7%" valign="top">15:30</td>
<td colspan="2" style="background-color: #D98B66; text-align: center">
<b>Break for Afternoon Tea</b><br />
</td>
</tr>
<tr>
<td width="7%" valign="top">16:00</td>
<td colspan="2" style="background-color: #EEE; text-align: center">
<b>[https://www.owasp.org/images/b/bc/OWASP_-_McMullan.pdf Risk based software assurance requirements for aircraft systems]</b><br />
<i>Russell McMullan - Beca Ltd</i>
</td>
</tr>
<tr>
<td width="7%" valign="top">16:30</td>
<td colspan="2" style="background-color: #B9C2DC; text-align: center">
<b>After 30 Years, I’m Coming Out</b><br />
<i>Kevin Alcock - Katipo Information Security Ltd</i>
</td>
</tr>
<tr>
<td width="7%" valign="top">17:00</td>
<td colspan="2" style="background-color: #EEE; text-align: center">
<b>[https://www.owasp.org/images/3/39/INFOSEC_is_a_marketing_responsibility-Carlos_Cordero-Convergnce-OWASP_Day_2016.pdf Information Security is a Marketing Responsibility]</b><br />
<i>Carlos Cordero - Convergnce</i>
</td>
</tr>
<tr>
<td width="7%" valign="top">17:15</td>
<td colspan="2" style="background-color: #B9C2DC; text-align: center">
<b>Wrap Up</b><br />
<i>Time for the pub, for those interested</i>
</td>
</tr>
</table>
</center>

= Speakers List=
==Speakers List==

===Dan Wallis - Christchurch ISIG - Credit card fraud; you don't want to be the common point of purchase===
----
<b>Abstract</b>

A real-world example of how three problems lined up to leak credit card data online. Each problem wasn't by itself enough to leak anything valuable, but by their powers combined, the bank called.
I'll talk through the details of each flaw, why they were introduced, how they lined up, and lessons learnt.

<b>Speaker Bio</b>

I'm a sysadmin with lots of web experience; I've been in the industry for more than 10 years. I currently work for an agency in Christchurch, focusing on ecommerce websites.

===Emmanuel Law - Aura Information Security - Chronicles of SOP bypass===
----
<b>Abstract</b>

Same Origin Policy (SOP) is one of the fundamental protection when surfing the internet. It's in all browsers, various plugins and mobile applications. This talk will walk the audience through a history of some of SOP most interesting bugs; ranging from some of the earliest manifestations to the more recent SOP bypasses. Although many of these SOP bugs are beyond the control of the developers but we'll cover some mitigating measures that one could possibly take.

<b>Speaker Bio</b>

Principal security consultant @ Aura Information Security (NZ) by day, he spends his nights exploiting stuff for fun and profit.

===Valentinas Bakaitis - Aura Information Security - Keep calm and CSP===
----
<b>Abstract</b>

CSP stands for Content Security Policy and is a reasonably new mechanism to protect against client side vulnerabilities like XSS and XSRF. Applied correctly it can completely eliminate nearly all XSS issues, regardless whether they are known or unknown. While the mechanism is extremely, effective and in most cases easy to implement, the adoption remains low. This talk will introduce CSP to those who are not familiar with it and remind about the power of it to those that heard about it before.

<b>Speaker Bio</b>

Developer turned Security Consultant. Valentinas has 10 years of experience in IT industry, with last two years working as a security consultant. His interests include IT security, physical security and hardware hacking.

===Russell McMullan - Beca Ltd - Risk based software assurance requirements for aircraft systems===
----
<b>Abstract</b>

This talk focuses on the contribution of the design methods used in aircraft system development and their contribution to security. This includes an overview of aircraft system design requirements and design rules, how the system and software ‘Design Assurance Level’ is determined, and an overview of the Software ‘Assurance Level’ requirements used in software development. I’ll provide my personal thoughts on the Design Assurance Level contribution to security including the inherent aircraft system design principles and processes that contribute to security, and some thoughts on augmenting these practices with the Common Criteria requirements.

If you’ve ever wondered about aircraft systems software development, this talk may be of interest.

<b>Speaker Bio</b>

With 20+ years associated with military aircraft systems, Russell has a unique view of system and software risk methods for aircraft systems. Russell currently works at Beca in the Advisory team.

===Chris Campbell - Jade Software - Making AppSec a (Respectable) Religion===
----
<b>Abstract</b>

No stranger to rapid transformation, Jade Software – a leading technology company with an almost 40 year pedigree, today works with an ever increasing range of technologies to solve complex problems for its’ customers. .NET, HTML5, SQL, Oracle, Java, Azure and AWS cloud services, and of course the JADE platform, all form part of the Jade technology stable.

Using the latest and greatest technology stack only gets you so far. But to maintain the reputation of producing market leading, enterprise-level solutions, robust security practices are a must. Making security a key component of your SDLC with minimal interruption can be achieved with assistance from an OWASP project (or a few), coupled with a lot of passion.

<b>Speaker Bio</b>

Chris, who in a past life was a .NET developer, is a Security & Operations Consultant at Jade Software. His role sees him managing operational and user security, and overseeing both the security and architecture of development and operational projects which span a wide variety of industries.

===Sergey Ozernikov - Lateral Security - Oauth 2.0: The Promise and Pitfalls===
----
<b>Abstract</b>

OAuth 2.0, the second version of the popular authorisation framework, was proposed as an IETF standard in October 2012 and has since been implemented and used by companies such as Facebook, Google and Microsoft. In January 2013 an RFC containing a comprehensive threat model of OAuth 2.0 was introduced. It was as long as the initial specification which had left out a lot of security considerations, most likely as it was assumed that developers would know how to securely implement OAuth 2.0. However many didn’t and without the necessary security controls, many relatively benign web application vulnerabilities could now flourish on a much larger and bountiful attack surface. An open redirect directly leading to an account compromise? Easy. In this talk, an overview of what should be catered for when integrating OAuth 2.0 into your project and how not to introduce additional security risks, will be provided. Most common attack vectors and some examples of real-life vulnerabilities in OAuth 2.0 implementations will be presented. Ideally attendees should have a basic understanding of OAuth 2.0 flow and web application security.

<b>Speaker Bio</b>

Sergey has gained his experience in the field of information security working for several Russian commercial and government organisations for around 7 years after finally realising that he enjoys breaking and protecting things more than building them. In 2013 he moved to New Zealand and shortly after joined Lateral Security as a security consultant.

===Chris Smith - Insomnia Security - Attacking Real-World Crypto Flaws===
----
<b>Abstract</b>

Everybody knows by now not to roll your own crypto, right? RIGHT? But, as an attacker, how do you go about identifying and exploiting these flaws for your own benefit. And, as a defender, how can you gauge the full impact of such flaws and ensure you steer clear of them?

So forget about the LUCKYBEASTCRIMEPOODLE13 for now, this talk is going to focus on real-world crypto flaws in everyday software. We'll look at some cryptographic issues I've come across in my travels, and how to exploit them. And along the way, we might just learn something about doing it correctly, too!

<b>Speaker Bio</b>

Chris is a consultant for Insomnia Security where he breaks other peoples stuff and writes reports about it. Previously a Linux sysadmin and polyglot developer, he now exacts his revenge on technologies that have wronged him.

===Felix Shi - Xero - Practical Attacks on WebRTC Applications===
----
<b>Abstract</b>

WebRTC is a browser-based technology that allows peer-to-peer communication via a list of predefined APIs. It has gained popularity among many video conferencing, telephony, and file sharing applications.

Research has been done on its design, architecture, and potential attack vectors against applications that use it. This talk will focus on practical attacks that can be performed on applications that use WebRTC, and how to mitigate against them.

<b>Speaker Bio</b>

Felix works in the product security space at an online accounting software company named Xero. He joined in 2014 and his day job involves securing and breaking internally developed products. Before Xero he spent his previous years as a developer, and has been dabbling in the information security scene in Wellington.

===Nilesh Kapoor - Aura Information Security - Host Hardening : Achieve or Avoid?===
----
<b>Abstract</b>

This is still a question mark for most of the business and application owners; host hardening – Avoid or Achieve. This paper covers the real world scenario of a potential server compromise due to the lack of OS hardening, running secure but unpatched services over the Internet and the host review process and approach backed up with OWASP guideline and CIS benchmark. This talk also touches on host review and hardening automation techniques for medium-sized and enterprise organisations.

This topic aims;
Increase the awareness and importance of host review and hardening among business owners, application owners, server administrators and developers.
Answer basic questions such as what host review involves, what approach is recommended for structured host review and achieving compliance, how to create a hardening baseline standard and apply them to your organisation policy
Automate host review process and hardening for servers hosting critical data

<b>Speaker Bio</b>

Nilesh Kapoor is the author of “Security Testing Handbook for Banking Applications” published by IT Governance. He is currently working as a Senior Security Consultant with Aura Information Security. He has over 8 years of experience in security consulting, application security, host review and hardening, network security, enterprise solution security and mobile security. He is also a registered penetration tester with CREST and a CEH certification holder. His articles are published on IITP blogs and also maintain own security blog at http://nileshkapoor.blogspot.com.

===Shahn Harris - Beca Ltd - I judge all of your services and applications===
----
<b>Abstract</b>

I will explain the process that goes on inside a corporate/enterprise when a corporate security team is contacted to evaluate a new application or service by a business unit.
The first questions asked have nothing to do with your SDLC, choice of code, framework or potential integration points. the questions are more what is it, what does it do and where does it live and what do they know.
Come to this talk if you wish to discover what information most large corporates/enterprises will ask of you if you try to sell a product/service to them. By taking the learnings from this talk it could potentially save you lots of time,money and

<b>Speaker Bio</b>

Shahn has worked for/with a number of different flagship New Zealand companies across multiple sectors and industries as a security consultant.

===Laura Bell - SafeStack - Continuous Security===
----
<b>Abstract</b>

Agile development is a powerful tool for the creation of high-quality software products. It has however scared the life out of many security managers and risk leaders. Once the job of a dedicated security team, security is now the responsibility of all members of our Agile teams.

So how do we bring continuous security to our lifecycles without compromising velocity and innovation? What tools and techniques do we need and when should we apply them?

In this talk, we will examine why security is the new key skills for successful Agile development teams and what you can do to bring it to your teams.

This is a talk of war stories from the SCRUM team trenches and real world tools, techniques and processes that are less about 'managing' security than they are about building amazing(secure) things, fast.

<b>Speaker Bio</b>

With almost a decade of experience in software development and information security, Laura specialises in bringing security survival skills, practices and culture into fast-moving environments.

Laura has spoken at various events such as BlackHat, BlueHat, Velocity, OSCON, Kiwicon, Linux Conf AU and Microsoft TechEd on the subjects of privacy, covert communications, Agile security and security mindset.

Laura is the founder of SafeStack, a specialist security training, development, and consultancy firm and lives in Auckland with her husband and daughter.

===Kevin Alcock - Katipo Information Security Ltd - After 30 Years, I’m Coming Out===
----
<b>Abstract</b>

This talk is about my journey from a software development veteran with 30 years of experience to an information security noob. The intended audience is for information security noobs looking to get better and web application developers wanting to understand how their applications are vulnerable. The focus is on the Offensive Security (makers of Kali Linux) course Penetration Testing Training with Kali Linux and the Offensive Security Certified Professional (OSCP) certification exam. There will be no spoilers for those that are currently doing the course and exam. OWASP projects such as ZAP, Dirbuster and Broken Web Applications will be discussed on how they help me. I will also discuss which of the OWASP Top 10 (2013) vulnerabilities I used to gain access to the systems on the lab network.

<b>Speaker Bio</b>

Kevin has spent the last 30 (10 in North America) years in enterprise software development and delivery, now he is turn that experience towards the information security sector to help businesses in need.

===Carlos Cordero - Convergnce - Information Security is a Marketing Responsibility===
----
<b>Abstract</b>

KPMG’s Global CEO Outlook Survey (July 2015) showed that 50% of global CEO’s say that their organisations are “not fully prepared” for a “cyber event”. Additionally, information security related risks are perceived to be “the most unpredictable kind of risk”. CEOs and Boards expect the IT function to take care of this aspect of the business risk portfolio - for obvious reasons: they own the IT infrastructure or manage it on behalf of other functions (logistics, operations, HR, accounting, finance, etc.). Unfortunately, nobody has told the marketers.

In the last 3 to 5 years, marketing departments have taken upon themselves to bring into the organisation a smorgasbord of systems and applications, with little or no consultation with the IT department. The result is an unprecedented increase of infosec and legal risks that few organisations are even aware off, much less managing.

Our presentation would consist of 15-20 minutes sharing:

In this presentation we will: (1) Describe briefly the current situation and how we got to it. (2) Give an insight into the mindset of “the marketer” and an explanation of why “marketers” are oblivious to security. (3) Suggest a map of the marketing-related risks for businesses in the 201X going forward into the 202X (4) Offer a prediction of the evolution of the marketing-related risks and its implications for information security professionals. (5) Offer suggestions regarding how these risks should be approached in order to reduce the exposure that the marketing department is bringing to the organisation.

<b>Speaker Bio</b>

Carlos is a marketing and intelligence consultant. One of his current areas of interest and research is risk in the marketing context.

===Andrew Kelly - Insomnia Security - Two-Thirds of the Sacred Triangle===
----
<b>Abstract</b>

"People, Process, and Technology" has been the sacred mantra, or triad, of IT for as long as I've been in the business. Unfortunately, whether you consider it a 'strategy for success', part of your overall 'holistic approach', or even 'the smell of good business', it's too often ignored. That is, two of the three are, as we all race to install faster, cheaper, more efficient, or 'better' technologies, in order to save money, stay ahead of our competitors, or sometimes even just for the sake of it? My talk will, hopefully, remind you that that "People, Process" part is as important as, maybe even more so, than the tech. Or, as Douglas Adams put it: "It is a mistake to think you can solve any major problems just with potatoes."
List of the author's previous papers/articles/speeches on the same/similar topic: Previously, and similar, at ISIG, ISF, OWASP, etc.

<b>Speaker Bio</b>

Andrew started in InfoSec back when the dinosaur's still ruled the Earth. At least, that's how his fellow InfoSec workers, and often his audiences, view him anyways. But, even though his useful working life is slowly coming to its inevitable end, he reckons he still has a little something to offer his fellow IT professionals. Even if every other sentence these days begins with: "Back in my day..." and most of the others with: "Damned kids..." Between nanny naps, Andrew is still relatively gainfully employed as the GM for Insomnia Security.

===Daniel Jensen - Security Assessment - Practical exploitation of less commonly identified vulnerabilities===
----
<b>Abstract</b>

Recently I decided to look for some slightly more
"complex" vulnerabilities in a PHP project. The open source video
platform Kaltura was chosen for no particular reason other than looking
vulnerable and having no prior CVEs. Surprisingly, a large PHP based
project actually contained some fairly serious (and interesting) issues
such as SSRF, object injection, and poor cryptography. This talk will
provide some practical advice for finding less commonly identified
vulnerabilities, their impact, and how to mercilessly exploit them in a
real world application, using Kaltura as our test subject.

<b>Speaker Bio</b>

Daniel is a consultant at Security-Assessment.com
where he hacks assorted systems and carries out research (read hacks).
Before that he enjoyed a brief stint as a sysadmin, and spent too many
years south of the Cook Strait in a misguided attempt at attending
university. He currently resides in the bustling metropolis that is
Auckland City, and resents having to write his own biography.

===Brendan Jamieson - Insomnia Security - Deserialization, what could go wrong?===
----
<b>Abstract</b>

So you're just gonna pass off that data to unserialize()? What could
possibly go wrong?

This talk is focused on the deserialization class of web application
vulnerabilities. What are they? How are they introduced into web
applications? Just how bad can deserializing that arbitrary object
really be?

In this talk we'll cover real-world examples of deserialization
vulnerabilities being introduced, and exploited, across a number of
languages. We'll then look at options that are available to developers
to avoid introducing this class of vulnerability into their applications.

<b>Speaker Bio</b>

Brendan Jamieson is a security consultant for Insomnia Security, based
out of Wellington. He is active in the .nz infosec community, having
spoken at Wellington's ISIG, and involved in Kiwicons as a speaker; a
trainer; and also the event organiser for the Hamiltr0n CTF.

===David Waters - Lateral Security - Source Code Reviews: Why You Should===
----
<b>Abstract</b>

In this talk I will give the case that you should be using
security focused code review as part of your defensive strategy.
I will talk about the types of bugs that are more easily found
with either white-box penetration tests or code reviews as opposed
to more limited penetration tests. I will then present some real world
examples of issues found during code reviews.

<b>Speaker Bio</b>

David is a Senior Security Consultant at Lateral Security, David
previously worked in the Security Team at Google in London and draws
on 16 years experience as a systems and web developer, primarily
working in .NET, Java and JavaScript.



<headertabs/>

[[Category:OWASP AppSec Conference]]

OWASP New Zealand Day 2016

2015-10-12T20:52:54Z

Dan Wallis: syntax for mailto: URL