OWASP - User contributions [en]

New Zealand

2019-07-24T04:00:22Z

Kirkj: Add security.ac.nz to 2019 events.

{{Chapter Template|chaptername=New_Zealand|extra=The chapter leaders are [mailto:kim.carter@owasp.org Kim Carter], [mailto:kirk.jackson@owasp.org Kirk Jackson], and [mailto:john.dileo@owasp.org John DiLeo]. |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-newzealand|emailarchives=http://lists.owasp.org/pipermail/owasp-newzealand}}

[[Category:OWASP Chapter]]

== Upcoming Events ==

Events also need to be listed in the [https://www.tfaforms.com/301382 OCMS system].

== ''' 2019''' ==

'''24 - 25 August 2019, Wellington - security.ac.nz'''

OWASP NZ is proud to invite you to our first [https://security.ac.nz https://security.ac.nz] event. Please visit the [https://security.ac.nz website] for details.

<hr>

[https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2019 https://www.owasp.org/images/e/e3/NZDay_2019_web_banner.jpg] 
'''21 - 22 February 2019'''

[https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2019 OWASP New Zealand Day 2019] - University of Auckland Business School
: One-day conference, with two tracks on Friday, 22 February - Registration is FREE
: Training sessions (half-day or full-day) on Thursday, 21 February - Registration: $500 for full-day; $250 for half-day

== ''' 2018 ''' ==

'''11 December 2018'''

[https://www.meetup.com/OWASP-New-Zealand-Chapter-Auckland/events/249448666/ Meetup - OWASP New Zealand-Auckland ]
: '''Top Ten Focus:''' A4 - XML External Entities (XXE)
: '''Technical Topic:''' TBC
: '''Location:''' Orion Health, [https://www.google.co.nz/maps/place/181+Grafton+Rd,+Grafton,+Auckland+1010 181 Grafton Road, Grafton, Auckland]

; 29 Oct 2018

[https://www.meetup.com/OWASP-Wellington/events/255158934/ OWASP NZ Wellington Meetup page]
: '''Make the Cyber Safer with Multi-factor Authentication - with Kevin Thomas'''
: '''Video:''' [https://www.youtube.com/watch?v=lAkw24tClvQ]
: '''Location:''' Wellington
: '''Presented by:''' Kevin Thomas

; '''9 October 2018'''

[https://www.meetup.com/OWASP-New-Zealand-Chapter-Auckland/events/255158934/ Meetup - OWASP New Zealand-Auckland ]
: '''Technical Topic:''' Integrating the Weakforced Security API - Steve Shipway, SMX Email
: '''Location:''' Cornerstone On-Demand, Level 1, 29 Union Street, Auckland

; 27 Aug 2018

[https://www.meetup.com/OWASP-Wellington/events/253077472/ OWASP NZ Wellington Meetup page]
: '''Developer's guide to Deserialization Attack with Felix Shi'''
: '''Video:''' [https://www.youtube.com/watch?v=Gi-Pk255Jyw]
: '''Location:''' Wellington
: '''Presented by:''' Felix Shi

; '''14 August 2018'''

[https://www.meetup.com/OWASP-New-Zealand-Chapter-Auckland/events/249448651/ Meetup - OWASP New Zealand-Auckland ]
: '''Top Ten Focus:''' A3 - Sensitive Data Exposure
: '''Technical Topic:''' Web Application Penetration Testing Demo - Shofe Miraz
: '''Location:''' Orion Health, [https://www.google.co.nz/maps/place/181+Grafton+Rd,+Grafton,+Auckland+1010 181 Grafton Road, Grafton, Auckland]

; '''12 June 2018'''

[https://www.meetup.com/OWASP-New-Zealand-Chapter-Auckland/events/mcvvmpyxgbnb/ Meetup - OWASP New Zealand-Auckland]
: '''Top Ten Focus:''' A2 - Broken Authentication
: '''Technical Topic:''' GDPR and New Zealand Privacy Law - James Ting-Edwards
: '''Location:''' InternetNZ, 62 Victoria Street West, Auckland CBD, Auckland

; 11 June 2018

[https://www.meetup.com/OWASP-Wellington/events/250629813/ OWASP NZ Wellington Meetup page]
: '''What are certificates? with Matt Cotterell'''
: '''Location:''' Wellington
: '''Presented by:''' Matt Cotterell

;'''10 April 2018'''

[https://www.meetup.com/OWASP-New-Zealand-Chapter-Auckland/events/mcvvmpyxgbnb/ Meetup - OWASP New Zealand-Auckland]
: '''Top Ten Focus:''' A1 - Injection
: '''Technical Topic:''' OWASP Software Assurance Maturity Model (SAMM) - John DiLeo
: '''Location:''' Orion Health, 181 Grafton Road, Grafton, Auckland

;; 28 March 2018 [https://www.meetup.com/OWASP-New-Zealand-Chapter-Christchurch/events/241803609/ OWASP NZ Christchurch Meetup page]
;: '''CERT NZ'''
;: '''Location:''' Christchurch
;: '''Co-Sponsor:''' [http://www.catalyst.net.nz/ Catalyst]

; 26 Feb 2018
[https://www.meetup.com/OWASP-Wellington/events/246852662/ OWASP NZ Wellington Meetup page]
: '''CERT NZ - Who are we? How are websites getting hacked in real life? with Declan Ingram'''
: '''Video:''' [https://www.youtube.com/watch?v=WhYh-eUqxIA]
: '''Location:''' Wellington
: '''Presented by:''' Declan Ingram

; 5 Feb 2018

[https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2018 https://www.owasp.org/images/5/53/NZ_day_2018_web.jpg] 

OWASP NZ Day 2018 will be held on Monday the 5th of February 2018 at the University of Auckland School of Business.

'''Gold Sponsors:'''
<table width="100%" border="0" cellspacing="7" cellpadding="0">
<tr>
<td><center>[http://www.zxsecurity.co.nz/ https://www.owasp.org/images/2/27/Zx.png]</center></td>
<td> </td>
<td> </td>
<td><center>[http://www.insomniasec.com https://www.owasp.org/images/e/ef/INSOMNIA.PNG]</center></td>
<td> </td>
<td> </td>
<td><center>[http://www.aurainfosec.com/ https://www.owasp.org/images/e/ef/Aura_PBK_Colour.jpg]</center></td>
</tr>
</table>
 

== ''' 2017 ''' ==

; 2 Oct 2017
[https://www.meetup.com/OWASP-Wellington/events/242968218/ OWASP NZ Wellington Meetup page]
: '''Presentation:''' Same-origin policy: The core of web security
: '''Video:''' [https://www.youtube.com/watch?v=5wFCRANIbdc]
: '''Location:''' Wellington
: '''Presented By:''' Kirk Jackson

; 27 Sept 2017
[https://www.meetup.com/OWASP-New-Zealand-Chapter-Christchurch/events/241328587/ OWASP NZ Christchurch Meetup page]
: '''Securing your data (your business) using SQL Server 2016'''
: '''Presented By:''' [https://twitter.com/shantha05 Anupama Natarajan]
: '''Location:''' Christchurch
: '''Co-Sponsor:''' [http://www.catalyst.net.nz/ Catalyst]

; 31 July 2017
[https://www.meetup.com/OWASP-New-Zealand-Chapter-Wellington/events/241187473/ OWASP NZ Wellington Meetup page]
: '''Presentation:''' What is Cross-Site Request Forgery?
: '''Video:''' [https://www.youtube.com/watch?v=G1aLGaMqnm0]
: '''Location:''' Wellington
: '''Presented By:''' Vales Bakaitis

; 28 June 2017
[https://www.meetup.com/OWASP-New-Zealand-Chapter-Christchurch/events/236349292/ OWASP NZ Christchurch Meetup page]
: '''Web Developer Quiz Night'''
: '''Prepared and Presented By:''' [https://twitter.com/binarymist Kim Carter]
: '''Details:''' [https://binarymist.io/talk/owaspnz-chch-meetup-workshop-quiz-night/ on binarymist.io]
: '''Location:''' Christchurch
: '''Co-Sponsor:''' [http://www.catalyst.net.nz/ Catalyst]

; 29 May 2017
[https://www.meetup.com/OWASP-New-Zealand-Chapter-Wellington/events/239202702/ OWASP NZ Wellington Meetup page]
: '''Presentation:''' Developer's Guide to Preventing XSS
: '''Video:''' [https://www.youtube.com/watch?v=0J5Rpf3nNjU]
: '''Location:''' Wellington
: '''Presented By:''' Felix Shi

;19th and 20th of April 2017

[https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2017 https://www.owasp.org/images/6/63/OWASP_NZ_Day_2017_logo.jpg] 

At the University of Auckland School of Business

'''Gold Sponsors:'''
<table width="100%" border="0" cellspacing="7" cellpadding="0">
<tr>
<td><center>[http://www.security-assessment.com https://www.owasp.org/images/4/41/SA_Logo_w_DD.gif]</center></td>
<td> </td>
<td> </td>
<td><center>[http://www.insomniasec.com https://www.owasp.org/images/e/ef/INSOMNIA.PNG]</center></td>
<td> </td>
<td> </td>
<td><center>[http://www.aurainfosec.com/ https://www.owasp.org/images/e/ef/Aura_PBK_Colour.jpg]</center></td>
</tr>
<tr>
<td><center>[https://www.redshield.co/ https://www.owasp.org/images/a/ab/Redshield.png]</center></td>
<td> </td>
<td> </td>
<td><center>[http://www.zxsecurity.co.nz/ https://www.owasp.org/images/2/27/Zx.png]</center></td>
<td> </td>
<td> </td>
<td><center>[http://www.quantumsecurity.co.nz/ https://www.owasp.org/images/4/4e/Quantumblack3.png]</center></td>
</tr>
</table>
 

; 29 March 2017
[https://www.meetup.com/OWASP-New-Zealand-Chapter-Christchurch/events/236349292/ OWASP NZ Christchurch Meetup page]
: '''PHP Hurts Programmers (and other tales)'''
: '''Presented By:''' [https://twitter.com/spronkey Keith Humm]
: '''Slides:''' [https://speakerdeck.com/spronkey/php-hurts-programmers-and-other-tales on speakerdeck]
: '''Locations:''' Christchurch
: '''Co-Sponsor:''' [http://www.catalyst.net.nz/ Catalyst]

; 27 Feb 2017
[https://www.meetup.com/OWASP-New-Zealand-Chapter-Wellington/events/237712167/ OWASP NZ Wellington Meetup page]
: '''Presentation:''' Building the ultimate login and signup
: '''Video:''' [https://www.youtube.com/watch?v=E25KxLKwY-M Youtube]
: '''Location:''' Wellington
: '''Presented By:''' Matt Cotterell

; 29 November 2016
[https://www.meetup.com/OWASP-New-Zealand-Chapter-Wellington/events/233253214/ OWASP NZ Wellington Meetup page]
: '''Presentation:''' OWASP Top Ten - Developing secure web apps (PHP-flavoured)
: '''Video:''' [https://www.youtube.com/watch?v=7u08zCz9viU Youtube]
: '''Location:''' Wellington
: '''Presented By:''' Kirk Jackson
: In conjunction with the [https://www.meetup.com/PHP-Usergroup-Wellington/ PHP user group Wellington]

; 10 October 2016
[https://www.meetup.com/OWASP-New-Zealand-Chapter-Wellington/events/233954065/ OWASP NZ Wellington Meetup page]
: '''Presentation:''' Introduction to Ruby on Rails security
: '''Video:''' [https://www.youtube.com/watch?v=Hez1QYc9yo8 Youtube]
: '''Locations:''' Wellington
: '''Presented By:''' Tim Goddard
: '''Sponsor:''' [https://www.insomniasec.com Insomnia]

; 28 September 2016
[https://www.meetup.com/OWASP-New-Zealand-Chapter-Christchurch/events/232611291/ OWASP NZ Christchurch Meetup page]
: '''Presentation / Demo''' Applying Cold War Learnings to our Daily OPSEC
: '''DeadDrop:''' (https://deaddrop.jadeworld.com/)
: '''Github:''' (https://github.com/phage-nz/deaddrop)
: '''Chris's Blog Post:''' (https://bytefog.blogspot.co.nz/2015/09/burn-after-reading.html)
: '''Locations:''' Christchurch
: '''Presented By:''' [https://twitter.com/phage_nz Chris Campbell]
: '''Co-Sponsor:''' [http://www.catalyst.net.nz/ Catalyst] and [http://blog.binarymist.net/ BinaryMist]

; 29 August 2016
[https://www.meetup.com/OWASP-New-Zealand-Chapter-Wellington/events/232212284/ OWASP NZ Wellington Meetup page]
: '''Presentation:''' Mobile app security: Intro to the OWASP Mobile Top 10
: '''Video:''' [https://www.youtube.com/watch?v=SbXO6wNvOM4 Youtube]
: '''Location:''' Wellington
: '''Presented By:''' Mike Haworth

; 29 June 2016
[http://www.meetup.com/OWASP-New-Zealand-Chapter-Christchurch/events/229985413/ OWASP NZ Christchurch Meetup page]
: '''Presentation / Demo''' Security Regression Testing with ZapAPI and NodeGoat
: '''Teaser:''' (https://youtu.be/DrwXUOJWMoo)
: '''Github:''' (https://github.com/binarymist/NodeGoat/wiki/Security-Regression-Testing-with-Zap-API)
: '''Sourced From:''' Kims Book (https://leanpub.com/holistic-infosec-for-web-developers/read#process-agile-development-and-practices-security-regression-testing)
: '''Locations:''' Christchurch
: '''Presented By:''' [https://twitter.com/binarymist Kim Carter]
: '''Co-Sponsor:''' [http://www.catalyst.net.nz/ Catalyst] and [http://blog.binarymist.net/ BinaryMist]

; 27 June 2016
[http://www.meetup.com/OWASP-New-Zealand-Chapter-Wellington/events/232017285/ OWASP NZ Wellington Meetup page]
: '''Presentation:''' Introduction to using a web application firewall
: '''Video:''' [https://www.youtube.com/watch?v=iAPFf9Iqwos Youtube]
: '''Location:''' Wellington
: '''Presented By:''' Graeme Neilson
: '''Sponsor:''' [https://www.redshield.co RedShield]

; 30 March 2016
[http://www.meetup.com/OWASP-New-Zealand-Chapter-Christchurch/events/226227782/ OWASP NZ Christchurch Meetup page]
: '''Presentation:''' Qubes OS Discussion (https://www.qubes-os.org)
: '''Locations:''' Christchurch
: '''Presented By:''' Craig Rowland
: '''Co-Sponsor:''' [http://www.dimensiondata.com/en-NZ Dimension Data] and [http://binarymist.io/ BinaryMist Limited]

== ''' 2016 ''' ==

;3rd and 4th of February 2016

[https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2016 https://www.owasp.org/images/2/23/OWASP_NZ_Day_2016_logo.jpg] 

At the University of Auckland School of Commerce

'''Gold Sponsors:'''
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td><center>[[File:INSOMNIA.PNG|center|300px|link=http://www.insomniasec.com/]]</center></td>
<td> </td>
<td> </td>
<td><center>[[File:RedShield.png|center|300px|link=https://auraredshield.com/]]</center></td>
<td> </td>
<td> </td>
<td><center>[http://www.security-assessment.com https://www.owasp.org/images/4/41/SA_Logo_w_DD.gif]</center></td>
</tr>
<tr>
<td><center>[http://www.insomniasec.com Insomnia Security]</center></td>
<td> </td>
<td> </td>
<td><center>[https://auraredshield.com/ Aura RedShield]</center></td>
<td> </td>
<td> </td>
<td><center>[http://www.security-assessment.com www.security-assessment.com]</center></td>
</tr>
</table>

== ''' 2015 ''' ==

; 25 November 2015
[http://www.meetup.com/OWASP-New-Zealand-Chapter-Christchurch/events/225737100/ OWASP NZ Christchurch Meetup page]
: '''Presentation:''' UAC, Governance and Managing the External Infosec Audit
: '''Locations:''' Christchurch
: '''Presented By:''' Drewe Hinkley
: '''Co-Sponsor:''' [http://www.dimensiondata.com/en-NZ Dimension Data] and [http://binarymist.io/ BinaryMist Limited]

; 30 September 2015
[http://www.meetup.com/OWASP-New-Zealand-Chapter-Christchurch/events/223462991/ OWASP NZ Christchurch Meetup page]
: '''Two part Presentation:''' The Exploited and the Exploiters - Case Study of a Real Cyber Hack and Live Demo's from [https://leanpub.com/b/holisticinfosecforwebdevelopers Kims book]
: '''Locations:''' Christchurch
: '''Presented By:''' Salinda Lekamge and [https://twitter.com/binarymist Kim Carter]

; 24 June 2015
[http://www.meetup.com/OWASP-New-Zealand-Chapter-Christchurch/events/221412721/ OWASP NZ Christchurch Meetup page]
: '''Presentation:''' "[http://blog.binarymist.net/presentations-publications/#does-your-cloud-solution-look-like-a-mushroom Does Your Cloud Solution Look Like a Mushroom]".
: '''Locations:''' Christchurch
: '''Presented By:''' [https://twitter.com/binarymist Kim Carter].
: '''Co-Sponsor:''' [http://www.dimensiondata.com/en-NZ Dimension Data] and [http://binarymist.io/ BinaryMist Limited]

; 25 March 2015
[http://www.meetup.com/OWASP-New-Zealand-Chapter-Christchurch/events/219456317/ OWASP NZ Christchurch Meetup page]
: '''Presentation:''' Reverse Engineering, Cracking, Compromising Software Security & Mitigations
: '''Locations:''' Christchurch
: '''Presented By:''' Rob Gilmour, Senior Software Engineer, Technical Support, JADE Software Corporation Ltd.
: '''Co-Sponsor:''' [http://www.dimensiondata.com/en-NZ Dimension Data] and [http://binarymist.io/ BinaryMist Limited]

;26th and 27th of February 2015

[[File:OWASP_NZ_Day_2015_logo_small.png|400px|link=https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2015|26th and 26th February 2015 - University of Auckland Engineering Department
]]

At the University of Auckland Engineering Department

== ''' 2014 ''' ==

; 26 November 2014
[http://www.meetup.com/OWASP-New-Zealand-Chapter-Christchurch/events/209420462/ OWASP NZ Christchurch Meetup page]
: '''Workshop:''' Review SSL/TLS, demo sslstrip and mitigation techniques
: '''Locations:''' Christchurch
: '''Presented By:''' [https://twitter.com/kevinnz Kevin Alcock], [https://twitter.com/katiposec Security Consultant] at [https://katiposec.com/ Katipo Security]
: '''Co-Sponsor:''' [http://www.dimensiondata.com/en-NZ Dimension Data] and [http://binarymist.net/ BinaryMist Limited]

; 25 September 2014
[http://www.meetup.com/OWASP-New-Zealand-Chapter-Christchurch/events/198512052/ OWASP NZ Christchurch Meetup page]
: '''Workshop:''' Review, Exploit and Learn from [https://bytefog.blogspot.co.nz/2015/11/lord-of-flies.html Vulnerable Web App]
: '''Locations:''' Christchurch
: '''Presented By:''' [https://twitter.com/t0x0_nz Chris Campbell], Security & Operations Consultant Jade
: '''Co-Sponsor:''' [http://www.dimensiondata.com/en-NZ Dimension Data] and [http://binarymist.net/ BinaryMist Limited]

; 24 July 2014
[http://www.meetup.com/OWASP-New-Zealand-Chapter-Wellington/events/193784032/ OWASP NZ Wellington Meetup page]
: '''Workshop:''' Web App Security Workshop
: '''Locations:''' Wellington
: '''Presented By:''' Adrian Hayes
: '''Sponsor:''' [http://www.dimensiondata.com/en-NZ Dimension Data]

== '''2013''' ==

; 19 December 2013
[http://www.meetup.com/OWASP-New-Zealand-Chapter/events/154075992/ Meetup Link Here]
: '''Co-Sponsor:''' [http://security-assessment.com Security-Assessment.com] and [http://www.touchpoint.co.nz Touchpoint]
: '''Locations:''' Wellington, Auckland, Christchurch, Webcast
: '''Details:''' All details are on the meetup page above
: '''Presentation:''' [https://www.owasp.org/images/9/9f/Extending-Burp-with-Python.pptx Extending Burp with Python]
: '''Presented By:''' Mike Haworth, Aura Information Security

;11th and 12th of September 2013

[[File:OWASP_NZ_Day_2013_logo.png|400px|link=https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2013|11th and 12st September 2013 - Auckland Business School
]]

At the Auckland Business School

[[OWASP New Zealand Day 2013|https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2013]]

; 22 May 2013
[http://www.meetup.com/OWASP-New-Zealand-Chapter/events/115108982/ OWASP Meetup page to RSVP]
: '''Co-Sponsor:''' [http://security-assessment.com Security-Assessment.com] and [http://www.touchpoint.co.nz Touchpoint]
: '''Locations:''' Wellington, Auckland, Webcast
: '''Details:''' All details are on the meetup page above

== '''2012''' ==

; 31st August 2012
[https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2012 OWASP New Zealand Day 2012]
: '''Co-Sponsor:''' [http://www.auckland.ac.nz/ The University of Auckland], [http://www.security-assessment.com Security-Assessment.com], [http://www.aurainfosec.com Aura Information Security], [http://www.insomniasec.com Insomnia Security], [http://www.lateralsecurity.com Lateral Security], [http://www.webdrive.co.nz Web Drive]
: '''Location:''' Auckland
: '''Event site:''' [[OWASP_New_Zealand_Day_2012|OWASP New Zealand Day 2012]]

; 8th May 2012
: '''Co-Sponsor:''' [http://security-assessment.com Security-Assessment.com] and [http://www.touchpoint.co.nz Touchpoint]
: '''Locations:''' Wellington, Auckland
: '''Presentation:''' [https://www.owasp.org/images/e/e0/Owasp2012-MarkPiper.pdf An Overview and introduction to modern day BeEF]
: '''Presented By:''' Mark Piper, Insomnia Security

; 28th February 2012
: '''Co-Sponsor:''' [http://security-assessment.com Security-Assessment.com] and [http://www.touchpoint.co.nz Touchpoint]
: '''Locations:''' Wellington, Auckland
: '''Presentation:''' [https://www.owasp.org/images/2/27/OWASP_Top_10-7_to_10-aj.pdf Introduction to the OWASP Top Ten - Part 3]
: '''Presented By:''' Adrian Hayes, Security Consultant (Security-Assessment.com)
: '''Presentation:''' [https://www.owasp.org/images/0/08/OWASP-Mistaken_Identity-Password_Reset-nickf.pdf Mistaken Identity: How Not To Build A Password Reset Process]
: '''Presented By:''' Nick Freeman, Senior Security Consultant (Security-Assessment.com)

== '''2011''' ==


; 6th December 2011
: '''Co-Sponsor:''' [http://security-assessment.com Security-Assessment.com] and [http://www.touchpoint.co.nz Touchpoint]
: '''Locations:''' Wellington, Auckland
: '''Presentation:''' [https://www.owasp.org/images/6/6d/OWASP_NZ-DEC2011-OWASP_Top_10-4_to_6.pdf Introduction to the OWASP Top Ten - Part 2]
: '''Presented By:''' Adrian Hayes, Security Consultant (Security-Assessment.com)
: '''Presentation:''' [https://www.owasp.org/images/1/15/OWASP_NZ-DEC2011-Hardened_Hosting.pdf Hardened Hosting]
: '''Presented By:''' Quintin Russ, Technical Director (SiteHost)

; 20th September 2011
: '''Co-Sponsor:''' [http://security-assessment.com Security-Assessment.com]
: '''Locations:''' Wellington, Auckland
: '''Presentation:''' [https://www.owasp.org/images/c/cf/OWASP_NZ_SEP2011_TOP-10_1-of-3.pdf Introduction to the OWASP Top Ten - Part 1]
: '''Presented By:''' Nick Freeman, Security Consultant (Security-Assessment.com)
: '''Presentation:''' [https://www.owasp.org/images/3/31/OWASP_NZ_SEP2011_Clickjacking-for-shells_PDF-version.pdf Clickjacking for Shells]
: '''Presented By:''' Andrew Horton, Security Consultant (Security-Assessment.com)

; 7th July 2011
[https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2011 https://www.owasp.org/images/0/05/OWASP_NZ_Day_2011_Logo.png]
: '''Co-Sponsor:''' [http://www.security-assessment.com Security-Assessment.com], [http://www.auckland.ac.nz/ The University of Auckland]
: '''Location:''' Auckland
: '''Presentations:''' [http://www.owasp.org/index.php/OWASP_New_Zealand_Day_2011#tab=Speakers Download]
: '''Event site:''' [[OWASP_New_Zealand_Day_2011|OWASP New Zealand Day 2011]]

; 2nd March 2011
: '''Co-Sponsor:''' [http://security-assessment.com Security-Assessment.com]
: '''Locations:''' Wellington, Auckland
: '''Presentation:''' Crazy Insecure Web Apps Google Didn't Tell You About..
: '''Presented By:''' Adrian Hayes, Security Consultant (Security-Assessment.com)
: '''Presentation:''' [http://www.owasp.org/images/5/5e/2011-03-02-OWASP.pdf I know what you did last summer: The latest from the world of web hacks]
: '''Presented By:''' Kirk Jackson, Security Consultant (Aura Software Security)

== '''2010''' ==



; 15th July 2010
[https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2010 http://www.owasp.org/images/a/a7/Owasp_nz_day_2010.jpg]
: '''Co-Sponsor:''' [http://www.security-assessment.com Security-Assessment.com], [http://www.lateralsecurity.com Lateral Security], [http://www.auckland.ac.nz/ The University of Auckland]
: '''Location:''' Auckland
: '''Presentations:''' [http://www.owasp.org/index.php/OWASP_New_Zealand_Day_2010#tab=Presentations Download]
: '''Event site:''' [[OWASP_New_Zealand_Day_2010|OWASP New Zealand Day 2010]]

; 4th March 2010
: '''Co-Sponsor:''' [http://security-assessment.com Security-Assessment.com]
: '''Locations:''' Wellington, Auckland
: '''Presentation:''' MS-SQL Injections.
: '''Presented By:''' Scott Bell, Security Consultant (Security-Assessment.com)

== '''2009''' ==



; 10th November 2009
: '''Co-Sponsor:''' [http://security-assessment.com Security-Assessment.com]
: '''Locations:''' Wellington, Auckland
: '''Presentation:''' Testing AMF/Flex.
: '''Presented By:''' Nick Freeman, Security Consultant (Security-Assessment.com)
: '''Presentation:''' "Shared Ownership", from a web security perspective.
: '''Presented By:''' Quintin Russ, Technical Director (Site Host)

; 13th July 2009
[https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2009 https://www.owasp.org/images/8/85/Owasp_nz_logo.jpg]
: '''Co-Sponsor:''' [http://www.security-assessment.com Security-Assessment.com], [http://www.lateralsecurity.com Lateral Security], [http://www.auckland.ac.nz/ The University of Auckland]
: '''Location:''' Auckland
: '''Presentations:''' [http://www.owasp.org/index.php/OWASP_New_Zealand_Day_2009#tab=Presentations Download]
: '''Event site:''' [[OWASP_New_Zealand_Day_2009|OWASP New Zealand Day 2009]]

; 19th March 2009
: '''Co-Sponsor:''' [http://www.vodafone.co.nz Vodafone New Zealand] and [http://security-assessment.com Security-Assessment.com]
: '''Locations:''' Wellington, Auckland
: '''Presentation:''' "[http://www.owasp.org/index.php/Image:ActiveXploitation_In_2009.pptx ActiveXploitation in 2009]"
: '''Presented By:''' Paul Craig, Principal Security Consultant (Security-Assessment.com)
: '''Presentation:''' "[http://www.owasp.org/index.php/Image:OWASP_Mar09_Reversing_JavaScript.zip Reversing JavaScript]"
: '''Presented By:''' Roberto Suggi Liverani, Senior Security Consultant (Security-Assessment.com)

== '''2008''' ==


; 5th November 2008
: '''Co-Sponsor:''' [http://www.vodafone.co.nz Vodafone New Zealand] and [http://security-assessment.com Security-Assessment.com]
: '''Locations:''' Wellington, Auckland
: '''Presentation:''' "[https://www.owasp.org/index.php/Image:Common_Application_Flaws.ppt Common Application Flaws]"
: '''Presented By:''' Brett Moore, Network Intrusion Specialist (Insomnia Security)
: '''Presentation:''' "In your Browser, Jackin your Clicks"
: '''Presented By:''' Beau Butler, Security Consultant (Security-Assessment.com)
: '''Presentation:''' "Opera Stored Cross Site Scripting"
: '''Presented By:''' Roberto Suggi Liverani, Security Consultant (Security-Assessment.com)

; 3rd September 2008
: '''Co-Sponsor:''' [http://www.microsoft.com/en/nz/default.aspx Microsoft] and [http://security-assessment.com Security-Assessment.com]
: '''Locations:''' Wellington, Auckland
: '''Presentation:''' "[https://www.owasp.org/index.php/Image:Browser_security.ppt Browser Security]"
: '''Presented By:''' Roberto Suggi Liverani, Security Consultant (Security-Assessment.com)
: '''Presentation:''' "[https://www.owasp.org/index.php/Image:Time_Based_SQL_Injections.ppt Time based blind SQL Injections]"
: '''Presented By:''' Muhaimin Dzulfakar, Security Consultant (Security-Assessment.com)

; 25th June 2008
: '''Co-Sponsor:''' [http://security-assessment.com Security-Assessment.com]
: '''Locations:''' Wellington, Auckland
: '''Presentation:''' "Fuzz the Web"
: '''Presented By:''' Dean Jerkovich, Security Analyst (ASB)
: '''Presentation:''' "Hacking The World With Flash Part #2: The Results"
: '''Presented By:''' Paul Crag, Principal Security Consultant (Security-Assessment.com)

; 29th April 2008
: '''Co-Sponsor:''' [http://security-assessment.com Security-Assessment.com]
: '''Locations:''' Wellington, Auckland
: '''Presentation:''' "[https://www.owasp.org/index.php/Image:Hacking_The_World_With_Flash.ppt Hacking The World With Flash]"
: '''Presented By:''' Paul Craig, Principal Security Consultant (Security-Assessment.com)
: '''Presentation:''' "[https://www.owasp.org/index.php/Image:Web_spam_techniques.ppt Web Spam Techniques] - also available in [http://malerisch.net/docs/web_spam_techniques/web_spam_techniques.html HTML] format"
: '''Presented By:''' Roberto Suggi Liverani, Security Consultant (Security-Assessment.com)

; 21st February 2008
: '''Co-Sponsor:''' [http://www.vedaadvantage.com/home/home_default.aspx Veda Advantage]
: '''Locations:''' Auckland
: '''Presentation:''' "[http://www.owasp.org/index.php/Image:Xpath_Injection.ppt Xpath Injection - An Overview]"
: '''Presented By:''' Roberto Suggi Liverani, Security Consultant (Security-assessment.com)

== '''2007''' ==


; 5th December 2007
: '''Co-Sponsor:''' [http://www.vedaadvantage.com/home/home_default.aspx Veda Advantage]
: '''Locations:''' Auckland
: '''Presentation:''' "[http://malerisch.net/docs/ajax_security/Ajax_security.ppt Ajax Security]"
: '''Presented By:''' Roberto Suggi Liverani, Security Consultant (Security-assessment.com)
: '''Presentation:''' "On the job browser exploitation"
: '''Presented By:''' Mark Piper, Senior Security Consultant (Security-assessment.com)

; 22nd May 2007
: '''Co-Sponsor:''' [http://www.vedaadvantage.com/home/home_default.aspx Veda Advantage]
: '''Press Release:''' [http://www.vedaadvantage.com/vantage/news_in_brief_and_events/host_nz_owasp_meeting.aspx VedaAdvantage.com]
: '''Locations:''' Auckland
: '''Presentation:''' "OWASP in New Zealand"
: '''Presented By:''' Roberto Suggi Liverani / Antonio Spera

; April 2007
: '''Co-Sponsor:''' [http://www.vedaadvantage.com/home/home_default.aspx Veda Advantage]
: '''Locations:''' Auckland

; January 2007
: '''Co-Sponsor:''' [http://www.vedaadvantage.com/home/home_default.aspx Veda Advantage]
: '''Locations:''' Auckland

== Activities ==

OWASP New Zealand members actively participate in various OWASP activities. The following are some recent activities undertaken by OWASP NZ members:

* Denis Andzakovic has resigned from his position as OWASP New Zealand Chapter Leader at OWASP NZ Day 2018
* Kim Carter ran a [http://www.meetup.com/owaspnycmetro/events/228716474/ workshop] at the NYC chapter
* Kirk Jackson stepped up to replace Adrian Hayes for Wellington from New Zealand day 2016 onwards.
* Denis Andzakovic stepped up to replace Nick Freeman for Auckland in March 2014
* Kim Carter came on board to lead Christchurch from New Zealand Day 2013 onwards.
* Nick Freeman and Scott Bell have been appointed as the new leaders of the new OWASP New Zealand Chapter
* Roberto Suggi Liverani has resigned from his position as OWASP New Zealand Chapter Leader
* Roberto Suggi Liverani will be speaking at OWASP AppSec Asia 2009 conference
* Roberto Suggi Liverani and Nick Freeman will be speaking at Defcon 17
* OWASP NZ Day 2009 - [http://www.owasp.org/index.php/OWASP_New_Zealand_Day_2009#tab=Presentations Presentations online]
* Roberto Suggi Liverani and Nick Freeman will be speaking at EUSecWest 09
* Brett Moore will be speaking at [http://www.owasp.org/index.php/OWASP_AU_Conference_2009 OWASP AU Conference] about "Vulnerabilities In Action".
* Roberto Suggi Liverani contributed to the [http://www.owasp.org/index.php/OWASP_Testing_Project OWASP Testing Guide v3].
* Mark Piper took his "On the job browser exploitation" talk to the [http://www.owasp.org/index.php/OWASP_Australia_AppSec_2008_Conference OWASP_Australia_AppSec_2008_Conference].
* Rob Munro has been appointed as OWASP Evangelist
* OWASP NZ has audio/video conference capability between Auckland and Wellington

== OWASP NZ Members ==

We are always looking for additional board members to evangelise the OWASP mission help with meetings, projects and initiatives as we all know it takes time/effort to run a chapter. Please contact us if you are interested to join the NZ OWASP board member or for any queries related to OWASP NZ.

<ul>
*NZ Board Member (Leader - Auckland) [mailto:john.dileo@owasp.org John DiLeo],
*NZ Board Member (Leader - Wellington) [mailto:kirk.jackson@owasp.org Kirk Jackson]
*NZ Board Member (Leader - Christchurch) [mailto:kim.carter@owasp.org Kim Carter]
*'''NZ Board Members (Auckland)''' [mailto:dionbramley@gmail.com Dion Bramley], [mailto:cwprobst@gmail.com Christian W Probst]
</ul>

== Chapter Sponsors ==

<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td><center>[http://www.security-assessment.com https://www.owasp.org/images/a/a4/Security-assessment_com.jpeg]</center></td>
<td> </td>
<td> </td>
<td> </td>
</tr>
<tr>
<td><center>[http://www.security-assessment.com www.security-assessment.com]</center></td>
<td> </td>
<td> </td>
<td> </td>
</tr>
<tr>
<td><center>[http://www.touchpoint.co.nz https://www.owasp.org/images/d/d8/Touchpoint.jpg]</center></td>
<td> </td>
<td> </td>
<td> </td>
</tr>
<tr>
<td><center>[http://www.touchpoint.co.nz www.touchpoint.co.nz]</center></td>
<td> </td>
<td> </td>
<td> </td>
</tr>
<tr>
<td><center>[http://binarymist.io https://www.owasp.org/images/4/4c/BinaryMistLimited.png]</center></td>
<td> </td>
<td> </td>
<td> </td>
</tr>
<tr>
<td><center>[http://binarymist.io binarymist.io]</center></td>
<td> </td>
<td> </td>
<td> </td>
</tr>
</table>

OWASP New Zealand Day 2019

2019-02-24T21:23:54Z

Kirkj: Add Kirk's Virtual Patching talk

__NOTOC__
<center>
[https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2019 https://www.owasp.org/images/e/e3/NZDay_2019_web_banner.jpg] 
'''21st and 22nd February 2019 - Auckland'''
</center>
----

=Introduction=

<center>

UPDATE #6 (15 February) - Registration for training classes is now CLOSED.
UPDATE #5 (23 January) - The presentation schedule, talk abstracts, and speaker bios have been posted. Check the "Presentation Schedule" and "Abstracts and Bios" tabs below.
UPDATE #4 (12 January) - The Call for Presentations is now closed. Those submitting proposals will be notified shortly whether their talks have been accepted.
UPDATE #3 (7 January) - Registration for Training Classes Now Open! Visit [https://owaspnz2019-training.eventbrite.com EventBrite] to reserve your spot!
UPDATE #2 (22 December) - Registration Now Open! Visit [https://owaspnz2019.eventbrite.com EventBrite] to register now!
IMPORTANT UPDATE (21 December) - Call for Presentations Extended: The Call for Presentations has been extended, and will now close on Friday, 11 January, 2019.

</center>

==Introduction==

We are proud to announce the tenth OWASP New Zealand Day conference, to be held at the University of Auckland on Friday, February 22nd, 2019. OWASP New Zealand Day is a one-day conference dedicated to information security, with an emphasis on secure architecture and development techniques to help Kiwi developers build more secure applications.

There will be two streams throughout the day. The first stream will include introductory talks on application and information security topics, as well as on policy, compliance, and risk management. The second stream will primarily address deeper technical topics.

Who is it for?

* Web Developers
* Security Professionals and Enthusiasts
* Program and Project Managers
* Business Analysts
* Requirements Analysts
* Software Testers

==Conference structure==

'''Date:''' Friday, 22 February 2019

'''Time:''' 9:00am - 6:00pm

'''Cost: FREE'''

The main conference is on Friday, the 22nd of February, and will have two streams in both the morning and the afternoon:

'''Stream One:'''

* Introductory Topics
* Program Management, Policy, Compliance, Risk Management

'''Stream Two:'''

* Technical Topics

==Training==

In addition the main conference on Friday, we are pleased to be offer three training opportunities on Thursday, at the same venue. Course details, including registration, are as follows:

=== [https://www.owasp.org/index.php/OWASP_NZ_Day_2019-Training-Real_World_Penetration_Testing '''Real-World Penetration Testing''']===

'''Date:''' Thursday, 21 February 2019 
'''Time:''' 8:45 a.m. - 5:30 p.m. 
'''Format:''' Live online interaction with instructors; interactive Web-based lab exercises 
'''Instructors:''' Vivek Ramachandran and Nishant Sharma 
'''Instructors' Organisation:''' Pentester Academy 
'''Registration Fee:''' $500.00 
'''[https://owaspnz2019-training.eventbrite.com Training Registration Page]''' (Registration CLOSED)

=== [https://www.owasp.org/index.php/OWASP_NZ_Day_2019-Training-Are_You_a_Secure_Code_Warrior '''Are You a Secure Code Warrior?'''] ===

'''Date:''' Thursday, 21 February 2019 
'''Time:''' 8:45 a.m. - 12:30 p.m. 
'''Instructor:''' Jaap Karan Singh 
'''Instructor's Organisation:''' Secure Code Warrior 
'''Registration Fee:''' $250.00 
'''[https://owaspnz2019-training.eventbrite.com Training Registration Page]''' (Registration CLOSED)

=== [https://www.owasp.org/index.php/OWASP_NZ_Day_2019-Training-Threat_Modelling_From_None_to_Done '''Threat Modelling: Getting from None to Done'''] ===

'''Date:''' Thursday, 21 February 2019 
'''Time:''' 8:45 a.m. - 5:30 p.m. 
'''Instructor:''' Dr. John DiLeo 
'''Instructor's Organisation:''' OWASP New Zealand Chapter 
'''Registration Fee:''' $500.00 
'''[https://owaspnz2019-training.eventbrite.com Training Registration Page]''' (SOLD OUT)

Training registration closed at midnight on 14 February.

==General==

The tenth OWASP New Zealand Day will be happening thanks to the support provided by the University of Auckland, which will kindly offer the same facilities as those we used in 2018. Entry to the event will, as in the past, be free.

For any comments, feedback or observations, please don't hesitate to contact [mailto:john.dileo@owasp.org us]. 

==Registration==
Registration is now open. Visit [https://owaspnz2019.eventbrite.com EventBrite] to register.

Please join our low volume [https://lists.owasp.org/mailman/listinfo/owasp-newzealand mailing list] to be notified as further schedule information becomes available, and/or follow us on Twitter [https://twitter.com/owaspnz @owaspnz].

There is no cost for the main conference day. Currently, we are planning to provide morning and afternoon tea; however, this is subject to meeting our sponsorship goals for the event. Spaces are limited, so we do ask that, if at any point you realise you will not be able to attend, you cancel your registration (i.e., "request a refund" in EventBrite) to make room for others.

==Important dates==

{|
|-
! scope="row" style="text-align: right;" | CFP submission deadline:
| 11th January 2019 - Submissions are now closed
|-
! scope="row" style="text-align: right;" | CFT submission deadline:
| 21st December 2018 - Submissions are now closed
|-
! scope="row" style="text-align: right;" | Training Day date:
| 21st February 2019
|-
! scope="row" style="text-align: right;" | Training Registration Deadline:
| 14th February 2019 - Registration is now closed
|-
! scope="row" style="text-align: right;" | Conference Day date:
| 22nd February 2019
|-
! scope="row" style="text-align: right;" | Conference Registration deadline:
| 22nd February 2019 (Same-day registration is permitted, if space is available)
|}

For those of you booking flights, ensure you can be at the venue by 8:30am. The conference will end by 6:00pm. However, we will have post conference drinks at a local drinking establishment for those interested. We are planning to hold a special event on Thursday evening for speakers, trainers, sponsors, and conference volunteers - more details on that to follow.

==Places to eat & drink on the day==

The University published a handy map (in 2018), to help you find places to eat around campus:
[[File:Retail Map City Campus 2018 v2.pdf|frame Campus dining map]]

Some of the options available:
<ul>
<li>The Deli - Located on Level 1 of the Owen G. Glenn Building - This is closest, but will probably have long lines</li>
<li>Mojo Symonds - also on campus</li>
<li>Shakey Isles - coffee and food across the road on the corner of Symonds & Alfred St</li>
<li>The CBD - walk up and over Albert Park to get to the CBD with many great food options</li>
<ul>
<li>Fort Street has burgers, kebabs, and KFC</li>
<li>High Street & Lorne Street have lots of little cafes and restaurants</li>
</ul>
<li>Subway, Starbucks, St. Pierre's Sushi & Pita Pit - walk up Symonds Street</li>
<li>Vulture’s Lane is a popular pub with the InfoSec crowd, there are more seats downstairs</li>
<li>The Bluestone Room - also a popular pub just across Queen St</li>
</ul>

==Conference Venue==

<table width="100%">
<tr>
<td>
The University of Auckland School of Business 
Owen G. Glenn Building (OGGB) 
Address: 12 Grafton Road 
 
Stream One: Level 1 
Room: 115 (Fisher & Paykel Auditorium) 
 
Stream Two: Level 0 
Room: 098 
 
Auckland 
New Zealand 
[https://www.google.com/maps/place/Owen+G+Glenn+Building+12+Grafton+Road/@-36.8528203,174.770224,17z/data=!4m6!1m3!3m2!1s0x0000000000000000:0x0205ad91287ba364!2sUniversity+of+Auckland+Graduate+School+of+Enterprise!3m1!1s0x0000000000000000:0xc9d224e5921a6690 Map]
</td>
<td>
[[Image:073_AUBiz_10Apr08small.jpg]] [[Image:OWASPNZDayLectureTheatre.jpg]]
</td>
</tr>
</table>

==Conference Sponsors==

For more information on our Premier Sponsors, please visit our [[OWASP NZ Day 2019-About Our Sponsors|About Our Sponsors]] page

=== Conference Host ===
<table width="100%" border="0" cellspacing="1" cellpadding="1">
<tr>
<td valign="bottom" width="100%"><center>[http://www.auckland.ac.nz/ https://www.owasp.org/images/f/f8/AuckUni.png]</center></td>
</tr>
</table>
----

=== Platinum Sponsor ===

<table align="center" width="100%" border="0" cellspacing="7" cellpadding="0">
<tr>
<td> </td>
<td>[[File:Insomnia Logo-Updated.png|center|x130px|frameless|link=https://www.insomniasec.com|Logo-Insomnia Security]]</td>
<td> </td>
</tr>
</table>
----

=== Gold Sponsors ===
<table width="100%" border="0" cellspacing="7" cellpadding="0">
<tr>
<td>[[File:Orion-Health-Logo 2019 Grey Orange RGB.png|center|x150px|frameless|link=https://www.orionhealth.com|Logo-Orion Health]]</td>
<td>[[File:Quantum Security (strip)-02.png|center|x150px|frameless|link=https://www.quantumsecurity.co.nz|Logo-Quantum Security]]</td>
<td>[[File:SCW logo transparent.png|x150px|frameless|link=https://securecodewarrior.com|Logo-Secure Code Warrior]]</td>
<td>[[File:ZX-Security-Logo--Black.png|center|frameless|x150px|link=https://zxsecurity.co.nz|Logo-ZX Security]]</td>
<td> </td>
</tr>
</table>
----

=== Silver Sponsors ===
<table width="100%" border="0" cellspacing="7" cellpadding="0">
<tr>
<td align="center">
'''Sponsoring Provider - Training Day Tea Breaks''' 
[[File:Aura PBK Colour Panel.jpg|x150px|frameless|center|link=https://www.aurainfosec.com/|Logo-Aura Information Security]]
</td>
</tr>
</table>
----

=== Supporting Sponsors ===
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td align="center">
[[File:BinaryMistLimited.png|x100px|frameless|link=https://binarymist.io/|Logo-Binary Mist Limited]]
</td>
<td align="center">
[[File:Logo-Pentester Lab.png|x100px|frameless|link=https://pentesterlab.com/|Logo-PentesterLab]]
</td>
<td align="center">
[[File:Privasec.png|x100px|frameless|link=https://privasec.com.au/|Logo-Privasec]]
</td>
<td align="center">
[[File:RedShield.png|frameless|link=https://www.redshield.co/|Logo-RedShield]]
</td>
<td>
[[File:Zimbra-logo-color-282.png|x100px|frameless|link=https://www.zimbra.com/|Logo-Zimbra]]
</td>
</tr>
</table>
----

Follow us [https://twitter.com/owaspnz on Twitter (@owaspnz)]

[https://www.facebook.com/owaspnz OWASP New Zealand on Facebook]

=Call for Volunteers=

<center>
'''We're still looking for a few good men and women, to assist with conference preparations and to help things go smoothly during the event.'''

Please contact John DiLeo ([mailto:john.dileo@owasp.org john.dileo@owasp.org]), if you're willing and able to help out.
</center>

==Conference Committee==

So, far, a fair few kind souls have stepped up to help out:

* John DiLeo - Conference Chair, OWASP New Zealand Leader (Auckland)
* Lech Janczewski - Conference Host Liaison, on-site Health & Safety contact - Associate Professor, University of Auckland School of Business
* Tess Brothersen
* Austin Chamberlain
* Teresa Chan
* Paul Howarth
* Toni James
* Arshad Khan
* Alex McClennan
* Stephen Sherry
* Anneke Smitheram
* Anthony Vargo
* Anya Yang
* YOU - We are still looking for volunteers to help out on the day, and make this our most successful conference yet!

= Training - 21 Feb =
==Training==

In addition the main conference on Friday, we are pleased to be offer three training opportunities on Thursday, at the same venue. Course details, including registration, are as follows:

=== [https://www.owasp.org/index.php/OWASP_NZ_Day_2019-Training-Real_World_Penetration_Testing '''Real-World Penetration Testing''']===

'''Date:''' Thursday, 21 February 2019 
'''Time:''' 8:45 a.m. - 5:30 p.m. 
'''Format:''' Live online interaction with instructors; interactive Web-based lab exercises 
'''Instructors:''' Vivek Ramachandran and Nishant Sharma 
'''Instructors' Organisation:''' Pentester Academy 
'''Registration Fee:''' $500.00 
'''[https://owaspnz2019-training.eventbrite.com Training Registration Page]''' (Registration CLOSED)

=== [https://www.owasp.org/index.php/OWASP_NZ_Day_2019-Training-Are_You_a_Secure_Code_Warrior '''Are You a Secure Code Warrior?'''] ===

'''Date:''' Thursday, 21 February 2019 
'''Time:''' 8:45 a.m. - 12:30 p.m. 
'''Instructor:''' Jaap Karan Singh 
'''Instructor's Organisation:''' Secure Code Warrior 
'''Registration Fee:''' $250.00 
'''[https://owaspnz2019-training.eventbrite.com Training Registration Page]''' (Registration CLOSED)

=== [https://www.owasp.org/index.php/OWASP_NZ_Day_2019-Training-Threat_Modelling_From_None_to_Done '''Threat Modelling: Getting from None to Done'''] ===

'''Date:''' Thursday, 21 February 2019 
'''Time:''' 8:45 a.m. - 5:30 p.m. 
'''Instructor:''' Dr. John DiLeo 
'''Instructor's Organisation:''' OWASP New Zealand Chapter 
'''Registration Fee:''' $500.00 
'''[https://owaspnz2019-training.eventbrite.com Training Registration Page]''' (SOLD OUT)

Spaces are going fast, so get in quickly!

Check-in desk will be located in the Level 0 lobby (outside the Case Study Rooms), and will open at 8:00 a.m.

Morning and afternoon tea breaks will be provided; lunch will be on your own.

=Presentation Schedule - 22 Feb=

==Presentations==

<center>
===22nd February 2019===

<table width="100%">
<tr>
<td valign="top" align="right">08:00</td>
<td colspan="3" style="background-color: #8595C2; text-align: center">Registration Opens - Main Foyer, Owen G. Glenn Building</td>
</tr>
<tr>
<td valign="top" align="right">09:00</td>
<td colspan="3" style="background-color: #D98B66; text-align: center">
Welcome to OWASP New Zealand Day 2019 
John DiLeo (Conference Chair), Kirk Jackson, and [https://binarymist.io Kim Carter] - OWASP NZ Chapter Leaders Lech Janczewski (Conference Host) - Associate Professor, Univ. of Auckland

</tr>
<tr>
<td width="5%" valign="top" align="right"> </td>
<td width="45%" style="background-color: #B9C2DC; text-align: center">
Upstairs Auditorium (Room 115) Track One: Introductory / Management
</td>
<td width="5%" valign="top" align="right"> </td>
<td style="background-color: #B9C2DC; text-align: center">
Downstairs Auditorium (Room 098) Track Two: Technical
</td>
</tr>
<tr>
<td valign="top" align="right">09:20</td>
<td style="background-color: #EEE; text-align: center">
Exploiting Vulnerabilities from the OWASP Top 10: SQLi, XSS, XXE, File Injection 
David Waters and Kieran Molloy - Pushpay
</td>
<td valign="top" align="right">09:20</td>
<td style="background-color: #EEE; text-align: center">
Virtual Patching: Does It Work? 
Kirk Jackson - RedShield 
[[Media:2019-02-22 - Virtual Patching Does it work - Print.pdf|Slides (PDF, 2.1mb)]]
</td>
</tr>
<tr>
<td valign="top" align="right">10:10</td>
<td style="background-color: #B9C2DC; text-align: center">
Threat Modelling When You've Never Done It Before 
Kade Morton - Quantum Security
</td>
<td valign="top" align="right">10:10</td>
<td style="background-color: #B9C2DC; text-align: center">
Cloud Catastrophes and How to Avoid Them 
Michael Haworth - Insomnia Security
</td>

</tr>
<tr>
<td valign="top" align="right">10:45</td>
<td style="background-color: #EEE; text-align: center">
That Vulnerability Looks Quite Risky 
Peter Jakowetz - Quantum Security
</td>
<td rowspan="2" valign="top" align="right">10:45</td>
<td rowspan="2" style="background-color: #EEE; text-align: center">
JWAT: Attacking JSON Web Tokens 
Louis Nyffenegger - Pentester Lab
</td>
</tr>
<tr>
<td valign="top" align="right">11:20</td>
<td style="background-color: #B9C2DC; text-align: center">
Mob Learning Using the OWASP Top 10 and 30 Days of Security Testing 
Mike Clarke - Erudite Software
</td>
</tr>
<tr>
<td valign="top" align="right">11:40</td>
<td style="background-color: #EEE; text-align: center">
How Can OWASP SAMM Help You Build More Secure Software? 
Mohamed Hassan - Aura Information Security
</td>
<td valign="top" align="right">11:40</td>
<td style="background-color: #B9C2DC; text-align: center">
CTF: The Gateway Drug 
Toni James - Orion Health
</td>
</tr>
<tr>
<td valign="top" align="right">12:10</td>
<td colspan="3" style="background-color: #D98B66; text-align: center">
Break for Lunch 
</td>
</tr>
<tr>
<td valign="top" align="right">13:30</td>
<td style="background-color: #EEE; text-align: center">
NoHolidayChurchGenius: Password Security with 2020 Vision 
Antonio Radich - Quantum Security
</td>
<td rowspan="2" valign="top" align="right">13:30</td>
<td rowspan="2" style="background-color: #EEE; text-align: center">
Security Regression Testing on OWASP ZAP Node API 
Kim Carter - BinaryMist
</td>
</tr>
<tr>
<td valign="top" align="right">14:05</td>
<td style="background-color: #B9C2DC; text-align: center">
Sharing Is Caring: A Beginner's Guide to Security in the Cloud 
Petra Smith - Aura Information Security
</td>
</tr>
<tr>
<td valign="top" align="right">14:25</td>
<td style="background-color: #EEE; text-align: center">
Eating the Elephant: Application Security When You Aren't a Startup 
Stephen Morgan - Westpac New Zealand
</td>
<td valign="top" align="right">14:25</td>
<td style="background-color: #B9C2DC; text-align: center">
CI Can Make $$$ from Thin Air 
Sajeeb Lohani - Privasec
</td>
</tr>
<tr>
<td valign="top" align="right">15:00</td>
<td style="background-color: #B9C2DC; text-align: center">
What's In a Name? Law of Agency and Domain Name Registrations 
Judy Ting-Edwards - Ports of Auckland
</td>
<td valign="top" align="right">15:00</td>
<td style="background-color: #EEE; text-align: center">
Introduction to Building Secure Electron Applications 
Nawaz Gayoom - Provoke Solutions
</td>
</tr>
<tr>
<td valign="top" align="right">15:30</td>
<td colspan="3" style="background-color: #D98B66; text-align: center">
Break for Afternoon Tea - Coffee / Tea Service Provided 
</td>
</tr>
<tr>
<td valign="top" align="right">16:00</td>
<td style="background-color: #EEE; text-align: center">
How Do I Content Security Policy? 
Kirk Jackson - RedShield 
[[Media:2019-02-22 - How do I Content Security Policy - Print.pdf|Slides (PDF, 1.6mb)]]
</td>
<td valign="top" align="right">16:00</td>
<td style="background-color: #EEE; text-align: center">
Hardening Your Docker Infrastructure 
Kim Carter - BinaryMist
</td>
</tr>
<tr>
<td valign="top" align="right">16:50</td>
<td style="background-color: #B9C2DC; text-align: center">
OWASP Software Assurance Maturity Model (SAMM) 2.0 
John DiLeo - Orion Health
</td>
<td valign="top" align="right">16:50</td>
<td style="background-color: #B9C2DC; text-align: center">
Reverse Engineering Mobile Apps: Why, What, and the Hows 
Karan Sharma
</td>
</tr>
<tr>
<td valign="top" align="right">17:25</td>
<td style="background-color: #EEE; text-align: center">
Why 'Positive Security' Is the Next Software Security Game Changer, and How to Do It 
Jaap Karan Singh - Secure Code Warrior
</td>
<td valign="top" align="right">17:25</td>
<td style="background-color: #EEE; text-align: center">
Serverless Authentication with JWT 
Mehul Patel - Zimbra
</td>
</tr>
<tr>
<td valign="top" align="right">18:00</td>
<td colspan="3" style="background-color: #B9C2DC; text-align: center">
Wrap Up 
Time to go out and socialise, for those interested
</td>
</tr>
</table>
</center>

= Abstracts and Bios =

==Presentation Abstracts and Speaker Biographies==

==Track One - Morning (09:20 - 12:10)==

=== Exploiting Vulnerabilities from the OWASP Top 10: SQLi, XSS, XXE, File Injection ===
----
=== David Waters and Kieran Molloy - Pushpay ===

====Abstract====

We will give a brief introduction to a selection of the OWASP Top 10 and then demonstrate the exploitation of each of these vulnerabilities using tools and hand crafted attacks. We will also demonstrate how a combination vulnerabilities can be chained together by an attacker.

====Speaker Biographies====

David is a Senior Software Engineer/Tech Lead and one of the leaders of the Secure Coding Guild at Pushpay, David previously worked for 3 years in the security industry including 1 year in the Security Team at Google in London and draws on 20 years experience as a systems and web developer, primarily working in .NET, Java and JavaScript.

Kieran is a developer with an interest in security.

=== Threat Modelling When You've Never Done It Before ===
----
=== Kade Morton - Quantum Security ===

====Abstract====

Through the Mozilla Open Leaders program I mentored a project from Asuntos del Sur, a humans right group that operates across South America. This is the story of my crash course in basic threat modelling, and how that basic knowledge is now helping activists across South America.

====Speaker Biography====

Kade is a consultant with Quantum Security. When not doing information security stuff, he volunteers with Mozilla.

=== That Vulnerability Looks Quite Risky ===
----
=== Peter Jakowetz - Quantum Security ===

====Abstract====

Technical findings are great, and finding vulnerabilities in your software so you can fix them is key to ensuring safe and secure code. However what about those things you can’t fix? Do they seem too expensive or hard? This talk will discuss the best way to manage these issues using risk management.

====Speaker Biography====

Peter is an electrical engineer turned security consultant from Wellington, NZ. Certified in many-a-thing, he spends a good chunk of time working on PCI, ISO and NZISM audits, and making security findings readable to senior management. In his spare time, he enjoys playing with open-source hardware and software, poking cars, and breaking things.

=== Mob Learning Using the OWASP Top 10 and 30 Days of Security Testing ===
----
=== Mike Clarke - Erudite Software ===

====Abstract====

Not sure how to get started learning about security? Why not team up with a group of others in the same boat and learn together?

After learning the basics of the OWASP Top Ten, I took part in the '''30 Days of Security Testing''' challenge through WeTest with 100+ other software testers new to security. My talk is about how a small idea turned into an online workspace of over 100 people new to InfoSec, a series of great Meetups, and lessons learned along the way.

====Speaker Biography====

I’ve always been interested in IT and fascinated by information security. I worked for the Royal New Zealand Navy as a Communications Warfare Specialist before trying my hand at software testing. I’m currently working for Erudite Software in Auckland, as the sole tester in a development team largely focused on healthcare software solutions. I’ve recently signed on as an organiser for WeTest Auckland, where we throw together Meetups and online challenges to learn about testing.

=== How Can OWASP SAMM Help You Build More Secure Software? ===
----
=== Mohamed Hassan - Aura Information Security ===

====Abstract====

Have you ever wondered why you or your team keep having high and critical security vulnerabilities in your software? Why you didn't discover these vulnerabilities earlier than two weeks before going life? How penetration testing can be effective when you're changing your software every two weeks? Can security be easier? How can you embed security into your software life cycle? How do you know if security initiatives are paying off? This talk will answer these questions and more!

====Speaker Biography====

Mohamed has been a penetration tester for more than six years. Mohamed has delivered security training to developers, in New Zealand and internationally. He also helps organisations embed more security into their software development lifecycle. In his free time, Mohamed likes to keep active and enjoy New Zealand’s landscape.

==Track Two - Morning (09:20 - 12:10) ==

=== Virtual Patching: Does It Work? ===
----
=== Kirk Jackson - RedShield ===

====Abstract====

Writing secure applications is hard, and often vulnerabilities are found after your application has already been released to production.

But what happens if you’re not able to fix the vulnerabilities quickly? Wouldn’t it be great if the someone else could secure your website for you?

====Speaker Biography====

Kirk works at RedShield, leads the OWASP Wellington-area Meetup, and has previously helped organise the annual OWASP NZ Day in Auckland.

Kirk worked as a Web developer before switching to the defence team - setting up Xero’s security practice, working as a pen tester, and in defence roles at several companies.

=== Cloud Catastrophes and How to Avoid Them ===
----
=== Mike Haworth - Insomnia Security ===

====Abstract====

Cloud and traditional infrastructure are different and sometimes the consequences of not changing mindset can be.. unpleasant.

====Speaker Biography====

Mike is a Principal Consultant for Insomnia Security, based in Wellington. He likes pentesting most things, and is rubbish at writing bios.

=== JWAT: Attacking JSON Web Tokens ===
----
=== Louis Nyffenegger - Pentester Lab ===

====Abstract====

Nowadays, JSON Web Tokens are everywhere. They are used as session tokens or just to pass data between applications or µservices. By design, JWT contains a high number of security and cryptography pitfalls. In this talk, we are going to learn how to exploit (with demos) some of those issues.

====Speaker Biography====

Louis is a security engineer based in Melbourne, Australia. He performs pentest, architecture and code review. Louis is the founder of PentesterLab, a learning platform for Web penetration testing. Recently, Louis talked at OWASP AppSecDay Melbourne, and ran two workshops at DEF CON 26, in 2018.

=== CTF: The Gateway Drug ===
----
=== Toni James - Orion Health ===

====Abstract====

I can't stop thinking about it, I can't wait for the next one, it keeps me up late at night, and I always want more. Flags that is! A how-to and where-to-start with Capture the Flag competitions, accompanied by a casual discourse about imposter syndrome, sexism in tech, and pondering the harsh realities of vim (not really, I never use vim, I'd never be able to get out of it). Followed by a live walkthrough of my favourite CTF challenges, the ones I think would entice other devs and wanna-be hackers to give it a try. "The first one's free."

====Speaker Biography====

Toni is a snowboarder turned software engineer, with an addiction to security. She's won a few scholarships in her quest to get more women into tech and she's really good at supporting others to do 'all the things'. A firm believer in ‘you need to see it to be it,’ she puts herself out there to enable others to step up and challenge the status quo. She/Her. [https://twitter.com/_tonijames @_tonijames]

==Track One - Afternoon 1 (13:30 - 15:30) ==

=== NoHolidayChurchGenius: Password Security with 2020 Vision ===
----
=== Antonio Radich - Quantum Security ===

====Abstract====

This season's passwords are now in fashion, similar to last year's, with one difference. Passwords are a staple in the developer toolkit. Developers follow guidelines put out by NIST or the GCSB. Users are ‘efficient’. With everyone striving for the minimum, we can already see "Winter (2019) is coming…"

====Speaker Biography====

Antonio has been with Quantum Security, as a Security Consultant performing penetration tests and security audits, for two years. He is interested in red teaming, post exploitation, and general security on an organisation level.

=== Sharing Is Caring: A Beginner's Guide to Security in the Cloud ===
----
=== Petra Smith - Aura Information Security ===

====Abstract====

Thinking of moving your applications to the cloud? How do you make sure they stay secure? This fast, fun, beginner-friendly session will demystify cloud security, introduce you to the most common cloud security models, and help you to choose the model that’s right for you.

====Speaker Biography====

Petra grew up wanting to be Sailor Mercury – the awkward blue-haired one from Sailor Moon who used computers to protect the world from evil. Now she’s a purple-team security consultant at Aura Information Security, which you have to admit is pretty close. She loves to teach people to pick locks, and gets kind of ranty about privacy, trust, and making digital spaces safe and inclusive for everyone.

=== Eating the Elephant: Application Security When You Aren't a Startup ===
----
=== Stephen Morgan - Westpac New Zealand ===

====Abstract====

DevSecOps, AppSec Engineers, and Continuous Integration Security are a panacea, but how do older institutions with many legacy systems and technical debt even begin to tackle agile application security practices? We will explore ways that you can start working with your developers write secure code.

====Speaker Biography====

Stephen is an Information Security Consultant at Westpac New Zealand where he wrangles Pen Testers, reviews codes, and diminishes his rapport with developers. He has worn many hats including those of a Customs Officer, Penetration Tester, Java Developer, and (cough) IT Auditor.

=== What's In a Name? Law of Agency and Domain Name Registrations ===
----
=== Judy Ting-Edwards - Ports of Auckland ===

====Abstract====

Have you ever hired Web developers to make a Web site for you, but then find out that you don’t actually own the domain name when you checked on Whois? Find out why this is the case and how we (maybe) should be doing domain name registrations, by taking a leaf from the law of agency’s book.

====Speaker Biography====

Judy has been registering domain names since 2013 when she was a junior lawyer for a stingy boss. She has recently changed careers to work in infosec, with a special interest in policy and appsec. As a part of a recent web hygiene audit, she discovered inconsistencies in how web devs register domain names in the industry and would like to see the industry come together with a best practice guideline. Risk management has been a constant in both her careers and she is always open to discussions on policies to embrace technology and reduce risks for the business at the same time.

==Track Two - Afternoon 1 (13:30 - 15:30)==

=== Security Regression Testing on OWASP ZAP Node API ===
----
=== Kim Carter - BinaryMist ===

====Abstract====

The OWASP ZAP HTTP intercepting proxy is useful for manually attacking your Web apps and APIs. Now, we have the official Node API to programatically drive ZAP to regression test our creations. I’ll show you how to build a fully featured security regression testing CLI, consumable by your CI/nightly builds.

====Speaker Biography====

Kim is a Technologist / Engineer, Information Security Professional, Entrepreneur, and the founder of BinaryMist Ltd. He is one of the OWASP NZ Chapter leaders and a Certified Scrum Master. Facilitator, mentor and motivator of cross functional, self managing teams. With a solid 17 years of commercial industry experience across many domains, Kim enjoys teaching others how to apply information security to their Agile processes, bringing the security focus up front where it’s the cheapest to implement, increasing profit and reducing costs. Co-organiser of the Christchurch Hacker Con, International trainer, speaker, published author, and Software Engineering Radio podcast host, focusing on software and network architecture, Web development and engineering, and information security. Kim is also a regular blog poster. Kim loves designing and creating robust software and networks, breaking software and networks, then fixing them and helping organisations increase productivity.

=== CI Can Make $$$ from Thin Air ===
----
=== Sajeeb Lohani - Privasec ===

====Abstract====

This talk covers how people can utilise free tools, outside of their intended use case, in a malicious way. Using TravisCI as an example, we will look into what essentially can become a distributed super computer, to mine bitcoins and distributed denial of service attacks free of any cost whatsoever.

====Speaker Biography====

Sajeeb is a penetration tester at Privasec, with years of prior development experience. Having graduated from Monash University with a Bachelor of Software Engineering (Honours) in 2017, Sajeeb remains passionate about contributing to and improving cyber security research. Sajeeb gives back regularly to the Melbourne cyber security community by founding the Monash Cyber Security Club, presenting at SecTalks, and mentoring at the Australian Women in Security Network (AWSN) Cadets workshops. Sajeeb also runs initiatives which attempt to responsibly disclose security issues within open source software projects, making the world of software ‘more secure’.

=== Introduction to Building Secure Electron Applications ===
----
=== Nawaz Gayoom - Provoke Solutions ===

====Abstract====

Electron is a popular framework for building desktop apps and is used by many prominent companies today. To build a production-ready Electron app, there are certain security considerations we need to take into account, if we are loading any external content on it.

====Speaker Biography====

Nawaz is a software developer at Provoke Solutions mostly working on web applications for the past 3 years. In this digital age with increasingly complex systems, it is a personal passion of mine to keep information secure and accessible. Apart from enjoying researching about security and sharing things that I learn along the way while in projects for my clients I do spend some (probably a little more than that) time watching Netflix as well. Other things I like doing include singing, surfing and sampling food.

==Track One - Afternoon 2 (16:00 - 18:00)==

=== How Do I Content Security Policy? ===
----
=== Kirk Jackson - RedShield ===

====Abstract====

Content Security Policy (CSP) helps you secure your Web site, by declaring which javascript and resources it uses. This means that XSS attacks will be greatly limited.

However, setting up CSP on an existing Web site is hard. We’ll discuss an easy approach that you can follow to set up CSP.

====Speaker Biography====

Kirk works at RedShield, leads the OWASP Wellington-area Meetup, and has previously helped organise the annual OWASP NZ Day in Auckland.

Kirk worked as a Web developer before switching to the defence team - setting up Xero’s security practice, working as a pen tester, and in defence roles at several companies.

=== OWASP Software Assurance Maturity Model (SAMM) 2.0 ===
----
=== John DiLeo - Orion Health ===

====Abstract====

The OWASP SAMM Project Team recently release a Beta version of SAMM 2.0, which is currently open for comment. The model provides a framework for assessing the maturity of an organisation’s software assurance program, and identifying areas for future emphasis in improving the security of their development practices. This talk will provide an overview of the model, the benefits that can be realised by organisations utilising the model, and the process for assessing the maturity of the organisation’s software assurance program.

====Speaker Biography====

John is one of the co-leaders of the OWASP New Zealand Chapter. He moved to Auckland, from the United States, in 2017, and now works as Orion Health's Application Security Architect. John's focus is on developing and managing enterprise-wide Software Assurance Programmes, including the assessment of the organisation's maturity and building a roadmap to improve. This led him to join the core team of the OWASP SAMM project, where he helped to create the new model.

Before moving into application security, John worked as a solution architect, a Web development lead, and in developing discrete-event simulations of distributed systems. Along the way, he's also worked as a college instructor, trainer, and general IT consultant.

=== Why 'Positive Security' Is the Next Software Security Game Changer, and How to Do It ===
----
=== Jaap Karan Singh - Secure Code Warrior ===

====Abstract====

A 2017 report based on 400,000 application scans reported that only 30% passed the OWASP Top 10 policy. This presentation showcases the principles and practice of “positive security” and explains why it is an important game changer that will substantially improve application security.

====Speaker Biography====

Jaap Karan Singh is the Co-Founder and Chief Singh of Secure Code Warrior, a global security company that makes software development better and more secure. After security testing at BAE Systems in Australia, Jaap moved from hacking Web applications to educating developers on how to protect their own applications. Jaap has delivered training on web application security concepts and run workshops at Australian financial and telecommunications organisations in Australia. He specialises in Javascript technologies such as HTML5, Node, Express and Mongo. He recently created and delivered a course on hacking and protecting modern Javascript applications at OWASP AppSec EU 2016.

== Track Two - Afternoon 2 (16:00 - 18:00)==

=== Hardening Your Docker Infrastructure ===
----
=== Kim Carter - BinaryMist ===

====Abstract====

The security defaults of Docker are designed to get you up and running (“just work”) quickly, rather than being the most secure. There are many default configurations that can be improved upon. In this talk we’ll walk through improving the security of Docker hosts, containers, networking, and deployments.

====Speaker Biography====

Kim is a Technologist / Engineer, Information Security Professional, Entrepreneur, and the founder of BinaryMist Ltd. He is one of the OWASP NZ Chapter leaders and a Certified Scrum Master. Facilitator, mentor and motivator of cross functional, self managing teams. With a solid 17 years of commercial industry experience across many domains, Kim enjoys teaching others how to apply information security to their Agile processes, bringing the security focus up front where it’s the cheapest to implement, increasing profit and reducing costs. Co-organiser of the Christchurch Hacker Con, International trainer, speaker, published author, and Software Engineering Radio podcast host, focusing on software and network architecture, Web development and engineering, and information security. Kim is also a regular blog poster. Kim loves designing and creating robust software and networks, breaking software and networks, then fixing them and helping organisations increase productivity.

=== Reverse Engineering Mobile Apps: Why, What, and the Hows ===
----
=== Karan Sharma ===

====Abstract====

I’d like to talk about why Reverse Engineering mobile apps is important for an organisation, what can you discover while reversing an app and how can you apply those lessons to add an additional layer of defense while building your future apps.

====Speaker Biography====

Karan started his career as a network engineer before moving into information security field 8 years ago. He is working as a security consultant for one of the leading financial institutes of NZ. He has a true passion for breaking & fixing web/mobile apps. He enjoy doing app reversing in his free time and love sharing his knowledge with others.

=== Serverless Authentication with JWT ===
----
=== Mehul Patel ===

====Abstract====

Authentication is one of the big parts of every application. Security is always something that is changing and evolving. In this talk, I will cover what JSON Web Tokens (JWTs) are and why using JWTs in your applications when it comes to security is awesome.

====Speaker Biography====

Mehul is an engineer who loves digging into technology, and public speaker currently living in India. His interests range from technology to innovation. He is also interested in Web development, writing, and safe programming.

Mehul holds a Masters in Computers Science and has been working and contributing towards the open source community in all ways he can. He is a social guy, loves to interacting with new people, traveling, playing cricket, He can dance like crazy!!!

Currently, Mehul is an Engineer at Zimbra, Ambassador at Auth0, Mentor at Mozilla Reps and Campus Advisory Committee at Mozilla and Founder/Organizer of Google Developer Group - Nashik. Moreover, He is the initiator of Rust Hacks - the super safe system programming language of course and co-founder of Infinite Defense Foundation (IDF).

=Call for Sponsorships=

==Call For Sponsorships==

OWASP New Zealand Day 2019 will be held in Auckland on the 22nd of February, 2019, and is a security conference entirely dedicated to application security.
The conference is once again being hosted by the University of Auckland with their support and assistance.
OWASP New Zealand Day 2019 is a free event, but requires sponsor support to help be an instructive and quality event for the New Zealand community.
OWASP is strictly not for profit. The sponsorship money will be used to help make OWASP New Zealand Day 2019 a free, compelling, and valuable experience for all attendees.

The sponsorship funds collected are to be used for things such as:

* Venue - Room use and on-site management fees
* Name tags - We feel that getting to know people within the New Zealand community is important, and name tags make that possible
* Promotion - We would like to reach a wider audience, by utilising paid advertising for the event
* Printed Materials - Printed materials will include program information, room signs, and lanyards
* Recognition items for speakers and trainers
* Morning and afternoon tea, to promote a congenial environment for networking among application security professionals

== Facts ==

Last year, the event was supported by seven sponsors and attracted more than 700 registrations. Plenty of constructive (and positive!) feedback from the audience was received, and we are using this to make the conference more appealing to more people. For more information on the last New Zealand Day event, please visit: https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2018

The OWASP New Zealand community is strong, with more than 500 people currently subscribed to the mailing list ([https://lists.owasp.org/mailman/listinfo/owasp-newzealand sign up]). OWASP New Zealand Day is expected to attract between 900 and 1000 attendees this year.

OWASP regular attendees are IT project managers, IT security managers, IT security consultants, Web application architects and developers, QA managers, QA testers and system administrators.

== How to Become a Sponsor ==

All financial matters related to the conference, including Sponsorship Agreements and payments, are handled through the OWASP Foundation. To express interest in supporting the conference as a sponsor, please [mailto:john.dileo@owasp.org,kelly.santalucia@owasp.org contact us by email].

== Premium Sponsorship Packages ==

{| class="wikitable"
|-
! !!   Platinum !!   Gold !!   Silver !!   Bronze !! A La Carte (See Below)
|-
! scope="row" style="text-align: left;" | Enrolment Limit
| style="text-align: center;" | 2
| style="text-align: center;" | 6
| style="text-align: center;" | --
| style="text-align: center;" | --
| style="text-align: center; font-style: italic;" | Varies
|-
! scope="row" style="text-align: left;" | General Rate
| style="text-align: center;" | $5,000
| style="text-align: center;" | $3,000
| style="text-align: center;" | $1,750
| style="text-align: center;" | $1,000
| style="text-align: center;" | Varies
|-
! scope="row" style="text-align: left;" | OWASP [https://www.owasp.org/index.php/Corporate_Membership Corporate Member] Rate
| style="text-align: center;" | $4,250
| style="text-align: center;" | $2,550
| style="text-align: center;" | $1,500
| style="text-align: center;" | $850
| style="text-align: center;" | N/A
|-
! scope="row" style="text-align: left;" | A La Carte Sponsorship Discount
| style="text-align: center;" | 15%
| style="text-align: center;" | 10%
| style="text-align: center;" | 5%
| style="text-align: center;" | --
| style="text-align: center;" | --
|-
! scope="row" style="text-align: left;" | Banner in Conference Lobby (see notes)
| style="text-align: center; font-weight: bold;" | Yes
| style="text-align: center;" | No
| style="text-align: center;" | No
| style="text-align: center;" | No
| style="text-align: center; font-weight: bold; font-style: italic;" | Varies
|-
! scope="row" style="text-align: left;" | Banner at Side of Stage (see notes)
| style="text-align: center; font-weight: bold;" | Yes (2)
| style="text-align: center; font-weight: bold;" | Yes (1)
| style="text-align: center;" | No
| style="text-align: center;" | No
| style="text-align: center;" | No
|-
! scope="row" style="text-align: left;" | Logo on Attendee Badges
| style="text-align: center; font-weight: bold;" | Yes
| style="text-align: center; font-weight: bold;" | Yes
| style="text-align: center;" | No
| style="text-align: center;" | No
| style="text-align: center; font-weight: bold; font-style: italic;" | Varies
|-
! scope="row" style="text-align: left;" | Logo on Room Signs
| style="text-align: center; font-weight: bold;" | Yes
| style="text-align: center; font-weight: bold;" | Yes
| style="text-align: center; font-weight: bold;" | Yes
| style="text-align: center;" | No
| style="text-align: center; font-weight: bold; font-style: italic;" | Varies
|-
! scope="row" style="text-align: left;" | Company Description on Conference Web Page
| style="text-align: center; font-weight: bold;" | 150 words
| style="text-align: center; font-weight: bold;" | 100 words
| style="text-align: center; font-weight: bold;" | 50 words
| style="text-align: center;" | No
| style="text-align: center; font-weight: bold; font-style: italic;" | Varies
|-
! scope="row" style="text-align: left;" | Pre-Conference Reception Tickets
| style="text-align: center; font-weight: bold;" | 4
| style="text-align: center; font-weight: bold;" | 3
| style="text-align: center; font-weight: bold;" | 2
| style="text-align: center;" | 1
| style="text-align: center; font-weight: bold; font-style: italic;" | Varies
|-
! scope="row" style="text-align: left;" | Logo on Conference Tote Bags
| style="text-align: center; font-weight: bold;" | Yes
| style="text-align: center; font-weight: bold;" | Yes
| style="text-align: center; font-weight: bold;" | Yes
| style="text-align: center;" | No
| style="text-align: center; font-weight: bold; font-style: italic;" | Varies
|-
! scope="row" style="text-align: left;" | Mention in Pre-Event Publicity
| style="text-align: center; font-weight: bold;" | Yes
| style="text-align: center; font-weight: bold;" | Yes
| style="text-align: center; font-weight: bold; " | Yes
| style="text-align: center;" | Yes
| style="text-align: center; font-weight: bold; font-style: italic;" | Varies
|-
! scope="row" style="text-align: left;" | Logo on Conference Web Site
| style="text-align: center; font-weight: bold;" | Yes
| style="text-align: center; font-weight: bold;" | Yes
| style="text-align: center; font-weight: bold;" | Yes
| style="text-align: center; font-weight: bold;" | Yes
| style="text-align: center; font-weight: bold;" | Yes
|-
! scope="row" style="text-align: left;" | Recognition during Opening/Closing Sessions
| style="text-align: center; font-weight: bold;" | Yes
| style="text-align: center; font-weight: bold;" | Yes
| style="text-align: center; font-weight: bold;" | Yes
| style="text-align: center; font-weight: bold;" | Yes
| style="text-align: center; font-weight: bold;" | Yes
|-
! scope="row" style="text-align: left;" | Promotional Items in Conference Tote Bags (see notes)
| style="text-align: center; font-weight: bold;" | Yes (up to 3)
| style="text-align: center; font-weight: bold;" | Yes (up to 2)
| style="text-align: center; font-weight: bold;" | Yes (1)
| style="text-align: center; font-weight: bold;" | Yes (1)
| style="text-align: center; font-weight: bold; font-style: italic;" | Varies
|}

== A La Carte Sponsorship Opportunities ==

=== 1. Morning and Afternoon Tea Breaks - Conference Day ===

'''Sponsorships Available:''' Four (4)

'''General Rate:''' $4,500

'''Benefits:'''

* Opportunity to display your company's banner in the conference lobby (see notes below) throughout the day of the conference
* Recognition as sponsoring provider, on signs displayed on service tables during tea breaks
* Sponsor logo printed on attendee badges
* Sponsor logo printed on Room Signs
* Single-colour sponsor logo imprinted on conference tote bags
* Sponsor logo displayed on conference Web page, alongside Platinum Sponsors
* Opportunity to include 150-word company description in '''About Our Sponsors''' section of conference Web page
* Written recognition as a leading sponsor, in pre-event publicity communications
* Visual and verbal recognition of sponsor at opening and closing sessions of conference

=== 2. Pre-Conference Reception ===

On the Thursday evening, the OWASP New Zealand Day Committee will host a reception for speakers, trainers, conference volunteers, and Premier Sponsors. The event will be held at an establishment near the conference venue.

'''Sponsorships Available:''' Two (2)

'''General Rate:''' $2,000

'''Benefits:'''

* Opportunity to display your company's banner at the reception venue (see notes below) during the reception
* Opportunity to address reception attendees, as "hosting" sponsor of reception
* Recognition as sponsoring provider, on signs displayed on service tables/bars during reception
* Sponsor logo printed on Room Signs
* Single-colour sponsor logo imprinted on conference tote bags
* Sponsor logo displayed on conference Web page, alongside Silver Sponsors
* Opportunity to include 100-word company description in '''About Our Sponsors''' section of conference Web page
* Written recognition as a leading sponsor, in pre-event publicity communications
* Visual and verbal recognition of sponsor at opening and closing sessions of conference

=== 3. Conference Tote Bags for Attendees ===

'''Sponsorships Available:''' One (1)

'''General Rate:''' $1,800

'''Benefits:'''

* Single-colour sponsor logo printed on the Conference Tote Bags, along with those of Platinum, Gold, and Silver Sponsors
* Sponsor logo printed on Room Signs
* Sponsor logo displayed on conference Web page
* Opportunity to include 50-word company description in '''About Our Sponsors''' section of conference Web page
* Visual and verbal recognition of sponsor at opening and closing sessions of conference

=== 4. Lanyards for Attendee Badges ===

'''Sponsorships Available:''' One (1)

'''General Rate:''' $1,800

'''Benefits:'''

* Single-colour sponsor logo printed on the Attendee Lanyards, along with the OWASP logo
* Sponsor logo printed on Room Signs
* Sponsor logo displayed on conference Web page
* Opportunity to include 50-word company description in '''About Our Sponsors''' section of conference Web page
* Visual and verbal recognition of sponsor at opening and closing sessions of conference

=== 5. Speaker Gifts ===

'''Sponsorships Available:''' One (1)

'''General Rate:''' $1,500

'''Benefits:'''

* Sponsor logo printed on Room Signs
* Single-colour sponsor logo imprinted on conference tote bags
* Sponsor logo displayed on conference Web page, alongside Silver Sponsors
* Opportunity to include 50-word company description in '''About Our Sponsors''' section of conference Web page
* Written recognition as a leading sponsor, in pre-event publicity communications
* Visual and verbal recognition of sponsor at opening and closing sessions of conference

=== 6. Morning and Afternoon Tea Breaks - Training Day ===

'''Sponsorships Available:''' Two (2) '''--Funded, no longer available'''

'''General Rate:''' $750

'''Benefits:'''

* Opportunity to display your company's banner in the training facility lobby (see notes below) throughout the training day
* Recognition as sponsoring provider, on signs displayed on service tables during training day tea breaks
* Sponsor logo displayed on conference Web page, alongside Bronze Sponsors
* Visual and verbal recognition of sponsor at opening and closing sessions of conference

=== 7. International Travel Support ===

As part of the submission process for presentations, prospective presenters from outside New Zealand are given the opportunity to indicate if they will need travel support to be able to attend OWASP New Zealand Day. Each International Travel Support sponsorship is intended to provide a maximum of $2,500 for one international presenter's travel expenses related to attending, and presenting at, the conference. Supported travel expenses may include: return airfare from the airport nearest the presenter's residence to Auckland, two nights' accommodation in a lodging near the conference venue, and return shuttle transportation between the Auckland airport and the accommodation.

'''Sponsorships Available:''' No Limit

'''General Rate:''' $2,500

'''Benefits:'''

* Sponsor logo displayed on conference Web page, alongside Gold Sponsors
* Opportunity to include 100-word company description in '''About Our Sponsors''' section of conference Web page
* Opportunity for sponsor representative to introduce sponsored presenter
* Written recognition as a leading sponsor, in pre-event publicity communications
* Visual and verbal recognition of sponsor at opening and closing sessions of conference

=== 8. Diversity Fund ===

The OWASP New Zealand Day Diversity and Financial Aid Fund has been established to provide financial assistance to students at New Zealand universities. Each Diversity Fund sponsorship is intended to cover travel expenses for one New Zealand student, from outside the Auckland area, who will be attending or presenting at the conference. Each Diversity Fund support recipient will receive funding for return airfare from their nearest domestic airport to Auckland International Airport, two night's accommodation in a lodging near the conference venue, and return shuttle transportation between the airport and the accommodation.

'''Sponsorships Available:''' No Limit

'''General Rate:''' $750

'''Benefits:'''

* Sponsor logo displayed on conference Web page, as a Diversity Fund Sponsor
* Visual and verbal recognition of sponsor at opening and closing sessions of conference

=== 9. Door Prizes ===

At the closing session of the conference, the OWASP New Zealand Day Committee will conduct a series of random drawings, awarding donated items to attendees, who must be present to win. There is no minimum or maximum value required for donated items, nor is the number of items provided subject to any limit. It is recommended that items provided be of interest to the conference's target audience, rather than of a generic nature.

'''Sponsorships Available:''' No Limit

'''General Rate:''' In-Kind Donation

'''Benefits:'''

* Verbal recognition, at the time of the prize drawing, as the donor of the prize

=== 10. Other Supporting Sponsorships ===

If your company would like to provide special items to attendees, funding for paid promotional advertising for the event, or other items that we haven't yet thought of, you are welcome to contact us to discuss your ideas.

'''Sponsorships Available:''' No Limit

'''General Rate:''' In-Kind Donation

'''Benefits:'''

* Sponsor logo displayed on conference Web page, as a Supporting Sponsor
* Visual and verbal recognition of sponsor at opening and closing sessions of conference

== Notes ==

''' Sponsor Logos:'''

* Logos are to be provided by the respective sponsors, as digital files (JPEG and PNG preferred)
* Logos provided should be full colour
* For lanyards and tote bags (including Platinum/Gold/Silver Sponsors), a single-colour version of the logo should also be provided, in a separate file. If a single-colour version of the logo is not provided by the sponsor, the OWASP New Zealand Day Committee reserves the right to electronically convert the full-colour logo to a single-colour version, or omit the sponsor's logo from the imprinted items if that proves infeasible.

'''Sponsor Banners:'''

* Lobby and stage-side banners are to be provided by the respective sponsors, must be free-standing, and their size is subject to approval by the OWASP New Zealand Day Committee.
* The conference venue includes two tracks, conducted in separate auditoriums; Platinum Sponsors may display one banner to the side of each auditorium's stage; Gold Sponsors may display a banner to the side of the stage in one auditorium. Gold Sponsors may express an auditorium preference, but final locations are at the discretion of the OWASP New Zealand Day Committee.
* There will be a maximum of four (4) sponsor banners displayed in each auditorium, with placement priority given to Platinum Sponsors.

'''Promotional Items:'''

* Printed materials are limited in dimensions to A4 size - either a single sheet, printed on one or both sides; or a single A3 sheet, folded in half
* Small imprinted items are also acceptable - pens, stress balls, USB keys, fidget spinners, etc.
* Design of printed materials and imprinted items are subject to approval by OWASP New Zealand Day Committee
* '''RECRUITMENT:''' In addition to the promotional item allowances included in Premium Sponsorship Packages, any sponsor may provide one A5-size card with information on ''actual current'' vacancies for which candidates are actively being sought

'''All amounts listed are in New Zealand dollars (NZD)'''

= Diversity Fund =

==Diversity and Financial Aid fund==

Thanks to the generous support of our lovely sponsors, we have some funding available to help people from around New Zealand attend the OWASP NZ Day, who would otherwise find it hard to attend. In particular, we welcome applications from women, people of colour, LGBTIQ, and all others. You all deserve to be able to learn more about security, and we’ll do our best to help make that happen!

Our funds are limited, and we’ll be reviewing applications every week, starting at the end of January. Submit your application soon, so we can approve them promptly, and you’ll be in several review cycles!

Process:

* Fill out our [https://docs.google.com/forms/d/e/1FAIpQLSfl4I38Z3ke5H8gYL7KmG9pVY8qIZe3kO5YH_ykALJyvq894w/viewform Application Form]
* We will review and approve applications each week. The first reviews will be completed by 29 January.
* We will contact all applicants and let them know the result of the review.
* Successful applicants will be contacted to help sort things out.

We use the following criteria to help us decide who gets approved:

* We are biased towards (but not exclusively for) diverse applicants.
* We do attempt to maximise cost efficiency and will aim to get as many people to OWASP as possible, with our limited funds.

Each successful recipient can choose whether to be kept anonymous (in which case only the OWASP NZ committee will know the details of your funding), or to be put in touch with the supporting company whose sponsorship is going towards your attendance. We think some of our sponsors may enjoy the opportunity to chat with you on the day talk about your experiences and plans for the future, but that’s totally optional and up to you.

If you have any questions, feel free to drop us an email: john.dileo@owasp.org

= Code of Conduct =
==Code of Conduct==

We want to make the OWASP NZ Day a welcoming environment for all attendees. To that end, we would like to remind you that all activities associated with this event are subject to OWASP's [https://www.owasp.org/index.php/Governance/Conference_Policies Conference Policies]. At their core, these policies are intended to promote and maintain an inclusive, welcoming environment for all participants - actions detrimental to that environment are unwelcome.

Speakers, trainers and sponsors have all been reminded of these policies, and are expected to abide by them like all attendees.

If you have any concerns during the day, please seek out John, Austin, or Brendan. We will make ourselves visible at the start of the day, so you know what we look like.

=Call for Presentations - CLOSED =

==Call for Presentations==

'''UPDATE: The Call for Presentations is now CLOSED.''' The committee is reviewing the proposals received, and will be notifying submitters of their selection status shortly.

OWASP New Zealand Day conferences attract a high quality of speakers from a variety of security disciplines, including
architects, Web developers and engineers, system administrators, penetration testers, policy specialists and more.

We would like a variety of technical levels in the presentations submitted, corresponding to the three focus areas of the conference:

Track One:

* Introductions to various Information Security topics, and the OWASP projects
* Policy, Compliance and Risk Management

Track Two:
* Technical topics

Introductory talks should appeal to an intermediate to experienced software developer, without requiring a solid grounding in application security or knowledge of OWASP projects. These talks should be engaging, encourage developers to learn more about information security, and give them techniques that they can immediately return to work and apply to their jobs.

This being an OWASP conference, the selection process for talks in Track One will give priority to those related to OWASP's Projects, Tools, and Guidance (check out the current [OWASP Project Inventory](https://www.owasp.org/index.php/Category:OWASP_Project#tab=Project_Inventory) for more information). If multiple submissions are received related to the same OWASP Project/Tool, preference will be given to speakers actively involved as leaders or members of the respective project teams.

Technical topics are running all day and should appeal to two audiences - experienced software security testers or researchers, and software developers who have a “OWASP Top Ten” level of understanding of web attacks and defences. You could present a lightning, short or long talk on something you have researched, developed yourself, or learnt in your travels. Ideally the topics will have technical depth or novelty so that the majority of attendees learn something new.

We would also like to invite talks that will appeal to those interested in the various non-technical topics that are important in our industry. These talks could focus on the development of policies, dealing with compliance obligations, managing risks within an enterprise, or other issues that could appeal to those in management roles.

We encourage presentations to have a strong component on fixing and prevention of security issues. We are looking for presentations on a wide variety of security topics, including but not limited to:

* Web application security
* Mobile security
* Cloud security
* Secure development
* Vulnerability analysis
* Threat modelling
* Application exploitation
* Exploitation techniques
* Threat and vulnerability countermeasures
* Platform or language security (JavaScript, NodeJS, .NET, Java, RoR, Python, etc)
* Penetration Testing
* Browser and client security
* Application and solution architecture security
* PCI DSS
* Risk management
* Security concepts for C*Os, project managers and other non-technical attendees
* Privacy controls

The submission will be reviewed by the OWASP New Zealand Day conference committee and the highest voted talks will be selected and invited for presentation.

PLEASE NOTE:

* Due to limited funds availability, the conference budget does not include a plan to cover expenses for international speakers. However, if sponsorship funds are received for this purpose, we will issue a call for support applications from those outside New Zealand who have submitted proposals. Please indicate in the "additional information" section, whether you would be able to present without such support.
* If you are selected as a speaker, and your company is willing to cover travel and accommodation costs, the company will be recognised as a "Supporting Sponsor" of the event.

Please submit your presentation on [https://www.papercall.io/owaspnz2019 PaperCall].

Submission Deadline: Friday, 11th January 2019 (NOW CLOSED)

Applicants will be notified in the following week after the deadline, whether they were successful or not.

= Call For Trainers - CLOSED =
== Call For Trainers ==

'''The Call for Trainers is now closed. Trainers selected to present training have been contacted, and details are now being finalised.'''

We are happy to announce that training will run on Thursday, 21 February 2019, the day before the OWASP NZ Day conference.
The training venue will be Level 0, Rooms: case rooms 1(005), 2(057), 3(055), and 4(009), kindly provided by the University of Auckland School of Business, in the same building as the OWASP NZ Day conference itself.
Classes can contain up to 69 students, with power for laptop usage and Wi-Fi. A wide range of half-day or full-day training proposals will be considered,
see the Call for Papers for a list of example topics.

If you are interested in running one of the training sessions, please contact John DiLeo ([mailto:john.dileo@owasp.org john.dileo@owasp.org]) with the following information:

* Trainer name
* Trainer organisation
* Telephone + email contact
* Short Trainer bio
* Training title
* Trainer requirements (e.g. a projector, whiteboard, etc)
* Trainee requirements (e.g. laptop, VMware/VirtualBox, etc)
* Training summary (less than 500 words)
* Target audience (e.g. testers, project managers, security managers, web developers, architects)
* Skill level required (Basic / Intermediate / Advanced)
* What attendees can expect to learn (key objectives)
* Short course outline

The fixed price per head for training will be $250 for a half-day session and $500 for a whole-day session. As this training is part of an OWASP event, part of the proceeds go back to OWASP. The split is as follows:

* 25% to OWASP Global - used for OWASP projects around the world
* 25% to OWASP NZ Day - used for NZ Day expenses
* 50% to the training provider.

Submission Deadline: Friday, 21st December 2018

Applicants will be notified in the following week after the deadline, whether they were successful or not.

<headertabs></headertabs>

[[Category:OWASP AppSec Conference]]

File:2019-02-22 - Virtual Patching Does it work - Print.pdf

2019-02-24T21:21:36Z

Kirkj:

Presented at OWASP NZ Day 2019, 22 Feb 2019, by Kirk Jackson (RedShield)

OWASP New Zealand Day 2019

2019-02-24T21:12:26Z

Kirkj: Add Kirk's CSP talk

__NOTOC__
<center>
[https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2019 https://www.owasp.org/images/e/e3/NZDay_2019_web_banner.jpg] 
'''21st and 22nd February 2019 - Auckland'''
</center>
----

=Introduction=

<center>

UPDATE #6 (15 February) - Registration for training classes is now CLOSED.
UPDATE #5 (23 January) - The presentation schedule, talk abstracts, and speaker bios have been posted. Check the "Presentation Schedule" and "Abstracts and Bios" tabs below.
UPDATE #4 (12 January) - The Call for Presentations is now closed. Those submitting proposals will be notified shortly whether their talks have been accepted.
UPDATE #3 (7 January) - Registration for Training Classes Now Open! Visit [https://owaspnz2019-training.eventbrite.com EventBrite] to reserve your spot!
UPDATE #2 (22 December) - Registration Now Open! Visit [https://owaspnz2019.eventbrite.com EventBrite] to register now!
IMPORTANT UPDATE (21 December) - Call for Presentations Extended: The Call for Presentations has been extended, and will now close on Friday, 11 January, 2019.

</center>

==Introduction==

We are proud to announce the tenth OWASP New Zealand Day conference, to be held at the University of Auckland on Friday, February 22nd, 2019. OWASP New Zealand Day is a one-day conference dedicated to information security, with an emphasis on secure architecture and development techniques to help Kiwi developers build more secure applications.

There will be two streams throughout the day. The first stream will include introductory talks on application and information security topics, as well as on policy, compliance, and risk management. The second stream will primarily address deeper technical topics.

Who is it for?

* Web Developers
* Security Professionals and Enthusiasts
* Program and Project Managers
* Business Analysts
* Requirements Analysts
* Software Testers

==Conference structure==

'''Date:''' Friday, 22 February 2019

'''Time:''' 9:00am - 6:00pm

'''Cost: FREE'''

The main conference is on Friday, the 22nd of February, and will have two streams in both the morning and the afternoon:

'''Stream One:'''

* Introductory Topics
* Program Management, Policy, Compliance, Risk Management

'''Stream Two:'''

* Technical Topics

==Training==

In addition the main conference on Friday, we are pleased to be offer three training opportunities on Thursday, at the same venue. Course details, including registration, are as follows:

=== [https://www.owasp.org/index.php/OWASP_NZ_Day_2019-Training-Real_World_Penetration_Testing '''Real-World Penetration Testing''']===

'''Date:''' Thursday, 21 February 2019 
'''Time:''' 8:45 a.m. - 5:30 p.m. 
'''Format:''' Live online interaction with instructors; interactive Web-based lab exercises 
'''Instructors:''' Vivek Ramachandran and Nishant Sharma 
'''Instructors' Organisation:''' Pentester Academy 
'''Registration Fee:''' $500.00 
'''[https://owaspnz2019-training.eventbrite.com Training Registration Page]''' (Registration CLOSED)

=== [https://www.owasp.org/index.php/OWASP_NZ_Day_2019-Training-Are_You_a_Secure_Code_Warrior '''Are You a Secure Code Warrior?'''] ===

'''Date:''' Thursday, 21 February 2019 
'''Time:''' 8:45 a.m. - 12:30 p.m. 
'''Instructor:''' Jaap Karan Singh 
'''Instructor's Organisation:''' Secure Code Warrior 
'''Registration Fee:''' $250.00 
'''[https://owaspnz2019-training.eventbrite.com Training Registration Page]''' (Registration CLOSED)

=== [https://www.owasp.org/index.php/OWASP_NZ_Day_2019-Training-Threat_Modelling_From_None_to_Done '''Threat Modelling: Getting from None to Done'''] ===

'''Date:''' Thursday, 21 February 2019 
'''Time:''' 8:45 a.m. - 5:30 p.m. 
'''Instructor:''' Dr. John DiLeo 
'''Instructor's Organisation:''' OWASP New Zealand Chapter 
'''Registration Fee:''' $500.00 
'''[https://owaspnz2019-training.eventbrite.com Training Registration Page]''' (SOLD OUT)

Training registration closed at midnight on 14 February.

==General==

The tenth OWASP New Zealand Day will be happening thanks to the support provided by the University of Auckland, which will kindly offer the same facilities as those we used in 2018. Entry to the event will, as in the past, be free.

For any comments, feedback or observations, please don't hesitate to contact [mailto:john.dileo@owasp.org us]. 

==Registration==
Registration is now open. Visit [https://owaspnz2019.eventbrite.com EventBrite] to register.

Please join our low volume [https://lists.owasp.org/mailman/listinfo/owasp-newzealand mailing list] to be notified as further schedule information becomes available, and/or follow us on Twitter [https://twitter.com/owaspnz @owaspnz].

There is no cost for the main conference day. Currently, we are planning to provide morning and afternoon tea; however, this is subject to meeting our sponsorship goals for the event. Spaces are limited, so we do ask that, if at any point you realise you will not be able to attend, you cancel your registration (i.e., "request a refund" in EventBrite) to make room for others.

==Important dates==

{|
|-
! scope="row" style="text-align: right;" | CFP submission deadline:
| 11th January 2019 - Submissions are now closed
|-
! scope="row" style="text-align: right;" | CFT submission deadline:
| 21st December 2018 - Submissions are now closed
|-
! scope="row" style="text-align: right;" | Training Day date:
| 21st February 2019
|-
! scope="row" style="text-align: right;" | Training Registration Deadline:
| 14th February 2019 - Registration is now closed
|-
! scope="row" style="text-align: right;" | Conference Day date:
| 22nd February 2019
|-
! scope="row" style="text-align: right;" | Conference Registration deadline:
| 22nd February 2019 (Same-day registration is permitted, if space is available)
|}

For those of you booking flights, ensure you can be at the venue by 8:30am. The conference will end by 6:00pm. However, we will have post conference drinks at a local drinking establishment for those interested. We are planning to hold a special event on Thursday evening for speakers, trainers, sponsors, and conference volunteers - more details on that to follow.

==Places to eat & drink on the day==

The University published a handy map (in 2018), to help you find places to eat around campus:
[[File:Retail Map City Campus 2018 v2.pdf|frame Campus dining map]]

Some of the options available:
<ul>
<li>The Deli - Located on Level 1 of the Owen G. Glenn Building - This is closest, but will probably have long lines</li>
<li>Mojo Symonds - also on campus</li>
<li>Shakey Isles - coffee and food across the road on the corner of Symonds & Alfred St</li>
<li>The CBD - walk up and over Albert Park to get to the CBD with many great food options</li>
<ul>
<li>Fort Street has burgers, kebabs, and KFC</li>
<li>High Street & Lorne Street have lots of little cafes and restaurants</li>
</ul>
<li>Subway, Starbucks, St. Pierre's Sushi & Pita Pit - walk up Symonds Street</li>
<li>Vulture’s Lane is a popular pub with the InfoSec crowd, there are more seats downstairs</li>
<li>The Bluestone Room - also a popular pub just across Queen St</li>
</ul>

==Conference Venue==

<table width="100%">
<tr>
<td>
The University of Auckland School of Business 
Owen G. Glenn Building (OGGB) 
Address: 12 Grafton Road 
 
Stream One: Level 1 
Room: 115 (Fisher & Paykel Auditorium) 
 
Stream Two: Level 0 
Room: 098 
 
Auckland 
New Zealand 
[https://www.google.com/maps/place/Owen+G+Glenn+Building+12+Grafton+Road/@-36.8528203,174.770224,17z/data=!4m6!1m3!3m2!1s0x0000000000000000:0x0205ad91287ba364!2sUniversity+of+Auckland+Graduate+School+of+Enterprise!3m1!1s0x0000000000000000:0xc9d224e5921a6690 Map]
</td>
<td>
[[Image:073_AUBiz_10Apr08small.jpg]] [[Image:OWASPNZDayLectureTheatre.jpg]]
</td>
</tr>
</table>

==Conference Sponsors==

For more information on our Premier Sponsors, please visit our [[OWASP NZ Day 2019-About Our Sponsors|About Our Sponsors]] page

=== Conference Host ===
<table width="100%" border="0" cellspacing="1" cellpadding="1">
<tr>
<td valign="bottom" width="100%"><center>[http://www.auckland.ac.nz/ https://www.owasp.org/images/f/f8/AuckUni.png]</center></td>
</tr>
</table>
----

=== Platinum Sponsor ===

<table align="center" width="100%" border="0" cellspacing="7" cellpadding="0">
<tr>
<td> </td>
<td>[[File:Insomnia Logo-Updated.png|center|x130px|frameless|link=https://www.insomniasec.com|Logo-Insomnia Security]]</td>
<td> </td>
</tr>
</table>
----

=== Gold Sponsors ===
<table width="100%" border="0" cellspacing="7" cellpadding="0">
<tr>
<td>[[File:Orion-Health-Logo 2019 Grey Orange RGB.png|center|x150px|frameless|link=https://www.orionhealth.com|Logo-Orion Health]]</td>
<td>[[File:Quantum Security (strip)-02.png|center|x150px|frameless|link=https://www.quantumsecurity.co.nz|Logo-Quantum Security]]</td>
<td>[[File:SCW logo transparent.png|x150px|frameless|link=https://securecodewarrior.com|Logo-Secure Code Warrior]]</td>
<td>[[File:ZX-Security-Logo--Black.png|center|frameless|x150px|link=https://zxsecurity.co.nz|Logo-ZX Security]]</td>
<td> </td>
</tr>
</table>
----

=== Silver Sponsors ===
<table width="100%" border="0" cellspacing="7" cellpadding="0">
<tr>
<td align="center">
'''Sponsoring Provider - Training Day Tea Breaks''' 
[[File:Aura PBK Colour Panel.jpg|x150px|frameless|center|link=https://www.aurainfosec.com/|Logo-Aura Information Security]]
</td>
</tr>
</table>
----

=== Supporting Sponsors ===
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td align="center">
[[File:BinaryMistLimited.png|x100px|frameless|link=https://binarymist.io/|Logo-Binary Mist Limited]]
</td>
<td align="center">
[[File:Logo-Pentester Lab.png|x100px|frameless|link=https://pentesterlab.com/|Logo-PentesterLab]]
</td>
<td align="center">
[[File:Privasec.png|x100px|frameless|link=https://privasec.com.au/|Logo-Privasec]]
</td>
<td align="center">
[[File:RedShield.png|frameless|link=https://www.redshield.co/|Logo-RedShield]]
</td>
<td>
[[File:Zimbra-logo-color-282.png|x100px|frameless|link=https://www.zimbra.com/|Logo-Zimbra]]
</td>
</tr>
</table>
----

Follow us [https://twitter.com/owaspnz on Twitter (@owaspnz)]

[https://www.facebook.com/owaspnz OWASP New Zealand on Facebook]

=Call for Volunteers=

<center>
'''We're still looking for a few good men and women, to assist with conference preparations and to help things go smoothly during the event.'''

Please contact John DiLeo ([mailto:john.dileo@owasp.org john.dileo@owasp.org]), if you're willing and able to help out.
</center>

==Conference Committee==

So, far, a fair few kind souls have stepped up to help out:

* John DiLeo - Conference Chair, OWASP New Zealand Leader (Auckland)
* Lech Janczewski - Conference Host Liaison, on-site Health & Safety contact - Associate Professor, University of Auckland School of Business
* Tess Brothersen
* Austin Chamberlain
* Teresa Chan
* Paul Howarth
* Toni James
* Arshad Khan
* Alex McClennan
* Stephen Sherry
* Anneke Smitheram
* Anthony Vargo
* Anya Yang
* YOU - We are still looking for volunteers to help out on the day, and make this our most successful conference yet!

= Training - 21 Feb =
==Training==

In addition the main conference on Friday, we are pleased to be offer three training opportunities on Thursday, at the same venue. Course details, including registration, are as follows:

=== [https://www.owasp.org/index.php/OWASP_NZ_Day_2019-Training-Real_World_Penetration_Testing '''Real-World Penetration Testing''']===

'''Date:''' Thursday, 21 February 2019 
'''Time:''' 8:45 a.m. - 5:30 p.m. 
'''Format:''' Live online interaction with instructors; interactive Web-based lab exercises 
'''Instructors:''' Vivek Ramachandran and Nishant Sharma 
'''Instructors' Organisation:''' Pentester Academy 
'''Registration Fee:''' $500.00 
'''[https://owaspnz2019-training.eventbrite.com Training Registration Page]''' (Registration CLOSED)

=== [https://www.owasp.org/index.php/OWASP_NZ_Day_2019-Training-Are_You_a_Secure_Code_Warrior '''Are You a Secure Code Warrior?'''] ===

'''Date:''' Thursday, 21 February 2019 
'''Time:''' 8:45 a.m. - 12:30 p.m. 
'''Instructor:''' Jaap Karan Singh 
'''Instructor's Organisation:''' Secure Code Warrior 
'''Registration Fee:''' $250.00 
'''[https://owaspnz2019-training.eventbrite.com Training Registration Page]''' (Registration CLOSED)

=== [https://www.owasp.org/index.php/OWASP_NZ_Day_2019-Training-Threat_Modelling_From_None_to_Done '''Threat Modelling: Getting from None to Done'''] ===

'''Date:''' Thursday, 21 February 2019 
'''Time:''' 8:45 a.m. - 5:30 p.m. 
'''Instructor:''' Dr. John DiLeo 
'''Instructor's Organisation:''' OWASP New Zealand Chapter 
'''Registration Fee:''' $500.00 
'''[https://owaspnz2019-training.eventbrite.com Training Registration Page]''' (SOLD OUT)

Spaces are going fast, so get in quickly!

Check-in desk will be located in the Level 0 lobby (outside the Case Study Rooms), and will open at 8:00 a.m.

Morning and afternoon tea breaks will be provided; lunch will be on your own.

=Presentation Schedule - 22 Feb=

==Presentations==

<center>
===22nd February 2019===

<table width="100%">
<tr>
<td valign="top" align="right">08:00</td>
<td colspan="3" style="background-color: #8595C2; text-align: center">Registration Opens - Main Foyer, Owen G. Glenn Building</td>
</tr>
<tr>
<td valign="top" align="right">09:00</td>
<td colspan="3" style="background-color: #D98B66; text-align: center">
Welcome to OWASP New Zealand Day 2019 
John DiLeo (Conference Chair), Kirk Jackson, and [https://binarymist.io Kim Carter] - OWASP NZ Chapter Leaders Lech Janczewski (Conference Host) - Associate Professor, Univ. of Auckland

</tr>
<tr>
<td width="5%" valign="top" align="right"> </td>
<td width="45%" style="background-color: #B9C2DC; text-align: center">
Upstairs Auditorium (Room 115) Track One: Introductory / Management
</td>
<td width="5%" valign="top" align="right"> </td>
<td style="background-color: #B9C2DC; text-align: center">
Downstairs Auditorium (Room 098) Track Two: Technical
</td>
</tr>
<tr>
<td valign="top" align="right">09:20</td>
<td style="background-color: #EEE; text-align: center">
Exploiting Vulnerabilities from the OWASP Top 10: SQLi, XSS, XXE, File Injection 
David Waters and Kieran Molloy - Pushpay
</td>
<td valign="top" align="right">09:20</td>
<td style="background-color: #EEE; text-align: center">
Virtual Patching: Does It Work? 
Kirk Jackson - RedShield
</td>
</tr>
<tr>
<td valign="top" align="right">10:10</td>
<td style="background-color: #B9C2DC; text-align: center">
Threat Modelling When You've Never Done It Before 
Kade Morton - Quantum Security
</td>
<td valign="top" align="right">10:10</td>
<td style="background-color: #B9C2DC; text-align: center">
Cloud Catastrophes and How to Avoid Them 
Michael Haworth - Insomnia Security
</td>

</tr>
<tr>
<td valign="top" align="right">10:45</td>
<td style="background-color: #EEE; text-align: center">
That Vulnerability Looks Quite Risky 
Peter Jakowetz - Quantum Security
</td>
<td rowspan="2" valign="top" align="right">10:45</td>
<td rowspan="2" style="background-color: #EEE; text-align: center">
JWAT: Attacking JSON Web Tokens 
Louis Nyffenegger - Pentester Lab
</td>
</tr>
<tr>
<td valign="top" align="right">11:20</td>
<td style="background-color: #B9C2DC; text-align: center">
Mob Learning Using the OWASP Top 10 and 30 Days of Security Testing 
Mike Clarke - Erudite Software
</td>
</tr>
<tr>
<td valign="top" align="right">11:40</td>
<td style="background-color: #EEE; text-align: center">
How Can OWASP SAMM Help You Build More Secure Software? 
Mohamed Hassan - Aura Information Security
</td>
<td valign="top" align="right">11:40</td>
<td style="background-color: #B9C2DC; text-align: center">
CTF: The Gateway Drug 
Toni James - Orion Health
</td>
</tr>
<tr>
<td valign="top" align="right">12:10</td>
<td colspan="3" style="background-color: #D98B66; text-align: center">
Break for Lunch 
</td>
</tr>
<tr>
<td valign="top" align="right">13:30</td>
<td style="background-color: #EEE; text-align: center">
NoHolidayChurchGenius: Password Security with 2020 Vision 
Antonio Radich - Quantum Security
</td>
<td rowspan="2" valign="top" align="right">13:30</td>
<td rowspan="2" style="background-color: #EEE; text-align: center">
Security Regression Testing on OWASP ZAP Node API 
Kim Carter - BinaryMist
</td>
</tr>
<tr>
<td valign="top" align="right">14:05</td>
<td style="background-color: #B9C2DC; text-align: center">
Sharing Is Caring: A Beginner's Guide to Security in the Cloud 
Petra Smith - Aura Information Security
</td>
</tr>
<tr>
<td valign="top" align="right">14:25</td>
<td style="background-color: #EEE; text-align: center">
Eating the Elephant: Application Security When You Aren't a Startup 
Stephen Morgan - Westpac New Zealand
</td>
<td valign="top" align="right">14:25</td>
<td style="background-color: #B9C2DC; text-align: center">
CI Can Make $$$ from Thin Air 
Sajeeb Lohani - Privasec
</td>
</tr>
<tr>
<td valign="top" align="right">15:00</td>
<td style="background-color: #B9C2DC; text-align: center">
What's In a Name? Law of Agency and Domain Name Registrations 
Judy Ting-Edwards - Ports of Auckland
</td>
<td valign="top" align="right">15:00</td>
<td style="background-color: #EEE; text-align: center">
Introduction to Building Secure Electron Applications 
Nawaz Gayoom - Provoke Solutions
</td>
</tr>
<tr>
<td valign="top" align="right">15:30</td>
<td colspan="3" style="background-color: #D98B66; text-align: center">
Break for Afternoon Tea - Coffee / Tea Service Provided 
</td>
</tr>
<tr>
<td valign="top" align="right">16:00</td>
<td style="background-color: #EEE; text-align: center">
How Do I Content Security Policy? 
Kirk Jackson - RedShield 
[[Media:2019-02-22 - How do I Content Security Policy - Print.pdf|Slides (PDF, 1.6mb)]]
</td>
<td valign="top" align="right">16:00</td>
<td style="background-color: #EEE; text-align: center">
Hardening Your Docker Infrastructure 
Kim Carter - BinaryMist
</td>
</tr>
<tr>
<td valign="top" align="right">16:50</td>
<td style="background-color: #B9C2DC; text-align: center">
OWASP Software Assurance Maturity Model (SAMM) 2.0 
John DiLeo - Orion Health
</td>
<td valign="top" align="right">16:50</td>
<td style="background-color: #B9C2DC; text-align: center">
Reverse Engineering Mobile Apps: Why, What, and the Hows 
Karan Sharma
</td>
</tr>
<tr>
<td valign="top" align="right">17:25</td>
<td style="background-color: #EEE; text-align: center">
Why 'Positive Security' Is the Next Software Security Game Changer, and How to Do It 
Jaap Karan Singh - Secure Code Warrior
</td>
<td valign="top" align="right">17:25</td>
<td style="background-color: #EEE; text-align: center">
Serverless Authentication with JWT 
Mehul Patel - Zimbra
</td>
</tr>
<tr>
<td valign="top" align="right">18:00</td>
<td colspan="3" style="background-color: #B9C2DC; text-align: center">
Wrap Up 
Time to go out and socialise, for those interested
</td>
</tr>
</table>
</center>

= Abstracts and Bios =

==Presentation Abstracts and Speaker Biographies==

==Track One - Morning (09:20 - 12:10)==

=== Exploiting Vulnerabilities from the OWASP Top 10: SQLi, XSS, XXE, File Injection ===
----
=== David Waters and Kieran Molloy - Pushpay ===

====Abstract====

We will give a brief introduction to a selection of the OWASP Top 10 and then demonstrate the exploitation of each of these vulnerabilities using tools and hand crafted attacks. We will also demonstrate how a combination vulnerabilities can be chained together by an attacker.

====Speaker Biographies====

David is a Senior Software Engineer/Tech Lead and one of the leaders of the Secure Coding Guild at Pushpay, David previously worked for 3 years in the security industry including 1 year in the Security Team at Google in London and draws on 20 years experience as a systems and web developer, primarily working in .NET, Java and JavaScript.

Kieran is a developer with an interest in security.

=== Threat Modelling When You've Never Done It Before ===
----
=== Kade Morton - Quantum Security ===

====Abstract====

Through the Mozilla Open Leaders program I mentored a project from Asuntos del Sur, a humans right group that operates across South America. This is the story of my crash course in basic threat modelling, and how that basic knowledge is now helping activists across South America.

====Speaker Biography====

Kade is a consultant with Quantum Security. When not doing information security stuff, he volunteers with Mozilla.

=== That Vulnerability Looks Quite Risky ===
----
=== Peter Jakowetz - Quantum Security ===

====Abstract====

Technical findings are great, and finding vulnerabilities in your software so you can fix them is key to ensuring safe and secure code. However what about those things you can’t fix? Do they seem too expensive or hard? This talk will discuss the best way to manage these issues using risk management.

====Speaker Biography====

Peter is an electrical engineer turned security consultant from Wellington, NZ. Certified in many-a-thing, he spends a good chunk of time working on PCI, ISO and NZISM audits, and making security findings readable to senior management. In his spare time, he enjoys playing with open-source hardware and software, poking cars, and breaking things.

=== Mob Learning Using the OWASP Top 10 and 30 Days of Security Testing ===
----
=== Mike Clarke - Erudite Software ===

====Abstract====

Not sure how to get started learning about security? Why not team up with a group of others in the same boat and learn together?

After learning the basics of the OWASP Top Ten, I took part in the '''30 Days of Security Testing''' challenge through WeTest with 100+ other software testers new to security. My talk is about how a small idea turned into an online workspace of over 100 people new to InfoSec, a series of great Meetups, and lessons learned along the way.

====Speaker Biography====

I’ve always been interested in IT and fascinated by information security. I worked for the Royal New Zealand Navy as a Communications Warfare Specialist before trying my hand at software testing. I’m currently working for Erudite Software in Auckland, as the sole tester in a development team largely focused on healthcare software solutions. I’ve recently signed on as an organiser for WeTest Auckland, where we throw together Meetups and online challenges to learn about testing.

=== How Can OWASP SAMM Help You Build More Secure Software? ===
----
=== Mohamed Hassan - Aura Information Security ===

====Abstract====

Have you ever wondered why you or your team keep having high and critical security vulnerabilities in your software? Why you didn't discover these vulnerabilities earlier than two weeks before going life? How penetration testing can be effective when you're changing your software every two weeks? Can security be easier? How can you embed security into your software life cycle? How do you know if security initiatives are paying off? This talk will answer these questions and more!

====Speaker Biography====

Mohamed has been a penetration tester for more than six years. Mohamed has delivered security training to developers, in New Zealand and internationally. He also helps organisations embed more security into their software development lifecycle. In his free time, Mohamed likes to keep active and enjoy New Zealand’s landscape.

==Track Two - Morning (09:20 - 12:10) ==

=== Virtual Patching: Does It Work? ===
----
=== Kirk Jackson - RedShield ===

====Abstract====

Writing secure applications is hard, and often vulnerabilities are found after your application has already been released to production.

But what happens if you’re not able to fix the vulnerabilities quickly? Wouldn’t it be great if the someone else could secure your website for you?

====Speaker Biography====

Kirk works at RedShield, leads the OWASP Wellington-area Meetup, and has previously helped organise the annual OWASP NZ Day in Auckland.

Kirk worked as a Web developer before switching to the defence team - setting up Xero’s security practice, working as a pen tester, and in defence roles at several companies.

=== Cloud Catastrophes and How to Avoid Them ===
----
=== Mike Haworth - Insomnia Security ===

====Abstract====

Cloud and traditional infrastructure are different and sometimes the consequences of not changing mindset can be.. unpleasant.

====Speaker Biography====

Mike is a Principal Consultant for Insomnia Security, based in Wellington. He likes pentesting most things, and is rubbish at writing bios.

=== JWAT: Attacking JSON Web Tokens ===
----
=== Louis Nyffenegger - Pentester Lab ===

====Abstract====

Nowadays, JSON Web Tokens are everywhere. They are used as session tokens or just to pass data between applications or µservices. By design, JWT contains a high number of security and cryptography pitfalls. In this talk, we are going to learn how to exploit (with demos) some of those issues.

====Speaker Biography====

Louis is a security engineer based in Melbourne, Australia. He performs pentest, architecture and code review. Louis is the founder of PentesterLab, a learning platform for Web penetration testing. Recently, Louis talked at OWASP AppSecDay Melbourne, and ran two workshops at DEF CON 26, in 2018.

=== CTF: The Gateway Drug ===
----
=== Toni James - Orion Health ===

====Abstract====

I can't stop thinking about it, I can't wait for the next one, it keeps me up late at night, and I always want more. Flags that is! A how-to and where-to-start with Capture the Flag competitions, accompanied by a casual discourse about imposter syndrome, sexism in tech, and pondering the harsh realities of vim (not really, I never use vim, I'd never be able to get out of it). Followed by a live walkthrough of my favourite CTF challenges, the ones I think would entice other devs and wanna-be hackers to give it a try. "The first one's free."

====Speaker Biography====

Toni is a snowboarder turned software engineer, with an addiction to security. She's won a few scholarships in her quest to get more women into tech and she's really good at supporting others to do 'all the things'. A firm believer in ‘you need to see it to be it,’ she puts herself out there to enable others to step up and challenge the status quo. She/Her. [https://twitter.com/_tonijames @_tonijames]

==Track One - Afternoon 1 (13:30 - 15:30) ==

=== NoHolidayChurchGenius: Password Security with 2020 Vision ===
----
=== Antonio Radich - Quantum Security ===

====Abstract====

This season's passwords are now in fashion, similar to last year's, with one difference. Passwords are a staple in the developer toolkit. Developers follow guidelines put out by NIST or the GCSB. Users are ‘efficient’. With everyone striving for the minimum, we can already see "Winter (2019) is coming…"

====Speaker Biography====

Antonio has been with Quantum Security, as a Security Consultant performing penetration tests and security audits, for two years. He is interested in red teaming, post exploitation, and general security on an organisation level.

=== Sharing Is Caring: A Beginner's Guide to Security in the Cloud ===
----
=== Petra Smith - Aura Information Security ===

====Abstract====

Thinking of moving your applications to the cloud? How do you make sure they stay secure? This fast, fun, beginner-friendly session will demystify cloud security, introduce you to the most common cloud security models, and help you to choose the model that’s right for you.

====Speaker Biography====

Petra grew up wanting to be Sailor Mercury – the awkward blue-haired one from Sailor Moon who used computers to protect the world from evil. Now she’s a purple-team security consultant at Aura Information Security, which you have to admit is pretty close. She loves to teach people to pick locks, and gets kind of ranty about privacy, trust, and making digital spaces safe and inclusive for everyone.

=== Eating the Elephant: Application Security When You Aren't a Startup ===
----
=== Stephen Morgan - Westpac New Zealand ===

====Abstract====

DevSecOps, AppSec Engineers, and Continuous Integration Security are a panacea, but how do older institutions with many legacy systems and technical debt even begin to tackle agile application security practices? We will explore ways that you can start working with your developers write secure code.

====Speaker Biography====

Stephen is an Information Security Consultant at Westpac New Zealand where he wrangles Pen Testers, reviews codes, and diminishes his rapport with developers. He has worn many hats including those of a Customs Officer, Penetration Tester, Java Developer, and (cough) IT Auditor.

=== What's In a Name? Law of Agency and Domain Name Registrations ===
----
=== Judy Ting-Edwards - Ports of Auckland ===

====Abstract====

Have you ever hired Web developers to make a Web site for you, but then find out that you don’t actually own the domain name when you checked on Whois? Find out why this is the case and how we (maybe) should be doing domain name registrations, by taking a leaf from the law of agency’s book.

====Speaker Biography====

Judy has been registering domain names since 2013 when she was a junior lawyer for a stingy boss. She has recently changed careers to work in infosec, with a special interest in policy and appsec. As a part of a recent web hygiene audit, she discovered inconsistencies in how web devs register domain names in the industry and would like to see the industry come together with a best practice guideline. Risk management has been a constant in both her careers and she is always open to discussions on policies to embrace technology and reduce risks for the business at the same time.

==Track Two - Afternoon 1 (13:30 - 15:30)==

=== Security Regression Testing on OWASP ZAP Node API ===
----
=== Kim Carter - BinaryMist ===

====Abstract====

The OWASP ZAP HTTP intercepting proxy is useful for manually attacking your Web apps and APIs. Now, we have the official Node API to programatically drive ZAP to regression test our creations. I’ll show you how to build a fully featured security regression testing CLI, consumable by your CI/nightly builds.

====Speaker Biography====

Kim is a Technologist / Engineer, Information Security Professional, Entrepreneur, and the founder of BinaryMist Ltd. He is one of the OWASP NZ Chapter leaders and a Certified Scrum Master. Facilitator, mentor and motivator of cross functional, self managing teams. With a solid 17 years of commercial industry experience across many domains, Kim enjoys teaching others how to apply information security to their Agile processes, bringing the security focus up front where it’s the cheapest to implement, increasing profit and reducing costs. Co-organiser of the Christchurch Hacker Con, International trainer, speaker, published author, and Software Engineering Radio podcast host, focusing on software and network architecture, Web development and engineering, and information security. Kim is also a regular blog poster. Kim loves designing and creating robust software and networks, breaking software and networks, then fixing them and helping organisations increase productivity.

=== CI Can Make $$$ from Thin Air ===
----
=== Sajeeb Lohani - Privasec ===

====Abstract====

This talk covers how people can utilise free tools, outside of their intended use case, in a malicious way. Using TravisCI as an example, we will look into what essentially can become a distributed super computer, to mine bitcoins and distributed denial of service attacks free of any cost whatsoever.

====Speaker Biography====

Sajeeb is a penetration tester at Privasec, with years of prior development experience. Having graduated from Monash University with a Bachelor of Software Engineering (Honours) in 2017, Sajeeb remains passionate about contributing to and improving cyber security research. Sajeeb gives back regularly to the Melbourne cyber security community by founding the Monash Cyber Security Club, presenting at SecTalks, and mentoring at the Australian Women in Security Network (AWSN) Cadets workshops. Sajeeb also runs initiatives which attempt to responsibly disclose security issues within open source software projects, making the world of software ‘more secure’.

=== Introduction to Building Secure Electron Applications ===
----
=== Nawaz Gayoom - Provoke Solutions ===

====Abstract====

Electron is a popular framework for building desktop apps and is used by many prominent companies today. To build a production-ready Electron app, there are certain security considerations we need to take into account, if we are loading any external content on it.

====Speaker Biography====

Nawaz is a software developer at Provoke Solutions mostly working on web applications for the past 3 years. In this digital age with increasingly complex systems, it is a personal passion of mine to keep information secure and accessible. Apart from enjoying researching about security and sharing things that I learn along the way while in projects for my clients I do spend some (probably a little more than that) time watching Netflix as well. Other things I like doing include singing, surfing and sampling food.

==Track One - Afternoon 2 (16:00 - 18:00)==

=== How Do I Content Security Policy? ===
----
=== Kirk Jackson - RedShield ===

====Abstract====

Content Security Policy (CSP) helps you secure your Web site, by declaring which javascript and resources it uses. This means that XSS attacks will be greatly limited.

However, setting up CSP on an existing Web site is hard. We’ll discuss an easy approach that you can follow to set up CSP.

====Speaker Biography====

Kirk works at RedShield, leads the OWASP Wellington-area Meetup, and has previously helped organise the annual OWASP NZ Day in Auckland.

Kirk worked as a Web developer before switching to the defence team - setting up Xero’s security practice, working as a pen tester, and in defence roles at several companies.

=== OWASP Software Assurance Maturity Model (SAMM) 2.0 ===
----
=== John DiLeo - Orion Health ===

====Abstract====

The OWASP SAMM Project Team recently release a Beta version of SAMM 2.0, which is currently open for comment. The model provides a framework for assessing the maturity of an organisation’s software assurance program, and identifying areas for future emphasis in improving the security of their development practices. This talk will provide an overview of the model, the benefits that can be realised by organisations utilising the model, and the process for assessing the maturity of the organisation’s software assurance program.

====Speaker Biography====

John is one of the co-leaders of the OWASP New Zealand Chapter. He moved to Auckland, from the United States, in 2017, and now works as Orion Health's Application Security Architect. John's focus is on developing and managing enterprise-wide Software Assurance Programmes, including the assessment of the organisation's maturity and building a roadmap to improve. This led him to join the core team of the OWASP SAMM project, where he helped to create the new model.

Before moving into application security, John worked as a solution architect, a Web development lead, and in developing discrete-event simulations of distributed systems. Along the way, he's also worked as a college instructor, trainer, and general IT consultant.

=== Why 'Positive Security' Is the Next Software Security Game Changer, and How to Do It ===
----
=== Jaap Karan Singh - Secure Code Warrior ===

====Abstract====

A 2017 report based on 400,000 application scans reported that only 30% passed the OWASP Top 10 policy. This presentation showcases the principles and practice of “positive security” and explains why it is an important game changer that will substantially improve application security.

====Speaker Biography====

Jaap Karan Singh is the Co-Founder and Chief Singh of Secure Code Warrior, a global security company that makes software development better and more secure. After security testing at BAE Systems in Australia, Jaap moved from hacking Web applications to educating developers on how to protect their own applications. Jaap has delivered training on web application security concepts and run workshops at Australian financial and telecommunications organisations in Australia. He specialises in Javascript technologies such as HTML5, Node, Express and Mongo. He recently created and delivered a course on hacking and protecting modern Javascript applications at OWASP AppSec EU 2016.

== Track Two - Afternoon 2 (16:00 - 18:00)==

=== Hardening Your Docker Infrastructure ===
----
=== Kim Carter - BinaryMist ===

====Abstract====

The security defaults of Docker are designed to get you up and running (“just work”) quickly, rather than being the most secure. There are many default configurations that can be improved upon. In this talk we’ll walk through improving the security of Docker hosts, containers, networking, and deployments.

====Speaker Biography====

Kim is a Technologist / Engineer, Information Security Professional, Entrepreneur, and the founder of BinaryMist Ltd. He is one of the OWASP NZ Chapter leaders and a Certified Scrum Master. Facilitator, mentor and motivator of cross functional, self managing teams. With a solid 17 years of commercial industry experience across many domains, Kim enjoys teaching others how to apply information security to their Agile processes, bringing the security focus up front where it’s the cheapest to implement, increasing profit and reducing costs. Co-organiser of the Christchurch Hacker Con, International trainer, speaker, published author, and Software Engineering Radio podcast host, focusing on software and network architecture, Web development and engineering, and information security. Kim is also a regular blog poster. Kim loves designing and creating robust software and networks, breaking software and networks, then fixing them and helping organisations increase productivity.

=== Reverse Engineering Mobile Apps: Why, What, and the Hows ===
----
=== Karan Sharma ===

====Abstract====

I’d like to talk about why Reverse Engineering mobile apps is important for an organisation, what can you discover while reversing an app and how can you apply those lessons to add an additional layer of defense while building your future apps.

====Speaker Biography====

Karan started his career as a network engineer before moving into information security field 8 years ago. He is working as a security consultant for one of the leading financial institutes of NZ. He has a true passion for breaking & fixing web/mobile apps. He enjoy doing app reversing in his free time and love sharing his knowledge with others.

=== Serverless Authentication with JWT ===
----
=== Mehul Patel ===

====Abstract====

Authentication is one of the big parts of every application. Security is always something that is changing and evolving. In this talk, I will cover what JSON Web Tokens (JWTs) are and why using JWTs in your applications when it comes to security is awesome.

====Speaker Biography====

Mehul is an engineer who loves digging into technology, and public speaker currently living in India. His interests range from technology to innovation. He is also interested in Web development, writing, and safe programming.

Mehul holds a Masters in Computers Science and has been working and contributing towards the open source community in all ways he can. He is a social guy, loves to interacting with new people, traveling, playing cricket, He can dance like crazy!!!

Currently, Mehul is an Engineer at Zimbra, Ambassador at Auth0, Mentor at Mozilla Reps and Campus Advisory Committee at Mozilla and Founder/Organizer of Google Developer Group - Nashik. Moreover, He is the initiator of Rust Hacks - the super safe system programming language of course and co-founder of Infinite Defense Foundation (IDF).

=Call for Sponsorships=

==Call For Sponsorships==

OWASP New Zealand Day 2019 will be held in Auckland on the 22nd of February, 2019, and is a security conference entirely dedicated to application security.
The conference is once again being hosted by the University of Auckland with their support and assistance.
OWASP New Zealand Day 2019 is a free event, but requires sponsor support to help be an instructive and quality event for the New Zealand community.
OWASP is strictly not for profit. The sponsorship money will be used to help make OWASP New Zealand Day 2019 a free, compelling, and valuable experience for all attendees.

The sponsorship funds collected are to be used for things such as:

* Venue - Room use and on-site management fees
* Name tags - We feel that getting to know people within the New Zealand community is important, and name tags make that possible
* Promotion - We would like to reach a wider audience, by utilising paid advertising for the event
* Printed Materials - Printed materials will include program information, room signs, and lanyards
* Recognition items for speakers and trainers
* Morning and afternoon tea, to promote a congenial environment for networking among application security professionals

== Facts ==

Last year, the event was supported by seven sponsors and attracted more than 700 registrations. Plenty of constructive (and positive!) feedback from the audience was received, and we are using this to make the conference more appealing to more people. For more information on the last New Zealand Day event, please visit: https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2018

The OWASP New Zealand community is strong, with more than 500 people currently subscribed to the mailing list ([https://lists.owasp.org/mailman/listinfo/owasp-newzealand sign up]). OWASP New Zealand Day is expected to attract between 900 and 1000 attendees this year.

OWASP regular attendees are IT project managers, IT security managers, IT security consultants, Web application architects and developers, QA managers, QA testers and system administrators.

== How to Become a Sponsor ==

All financial matters related to the conference, including Sponsorship Agreements and payments, are handled through the OWASP Foundation. To express interest in supporting the conference as a sponsor, please [mailto:john.dileo@owasp.org,kelly.santalucia@owasp.org contact us by email].

== Premium Sponsorship Packages ==

{| class="wikitable"
|-
! !!   Platinum !!   Gold !!   Silver !!   Bronze !! A La Carte (See Below)
|-
! scope="row" style="text-align: left;" | Enrolment Limit
| style="text-align: center;" | 2
| style="text-align: center;" | 6
| style="text-align: center;" | --
| style="text-align: center;" | --
| style="text-align: center; font-style: italic;" | Varies
|-
! scope="row" style="text-align: left;" | General Rate
| style="text-align: center;" | $5,000
| style="text-align: center;" | $3,000
| style="text-align: center;" | $1,750
| style="text-align: center;" | $1,000
| style="text-align: center;" | Varies
|-
! scope="row" style="text-align: left;" | OWASP [https://www.owasp.org/index.php/Corporate_Membership Corporate Member] Rate
| style="text-align: center;" | $4,250
| style="text-align: center;" | $2,550
| style="text-align: center;" | $1,500
| style="text-align: center;" | $850
| style="text-align: center;" | N/A
|-
! scope="row" style="text-align: left;" | A La Carte Sponsorship Discount
| style="text-align: center;" | 15%
| style="text-align: center;" | 10%
| style="text-align: center;" | 5%
| style="text-align: center;" | --
| style="text-align: center;" | --
|-
! scope="row" style="text-align: left;" | Banner in Conference Lobby (see notes)
| style="text-align: center; font-weight: bold;" | Yes
| style="text-align: center;" | No
| style="text-align: center;" | No
| style="text-align: center;" | No
| style="text-align: center; font-weight: bold; font-style: italic;" | Varies
|-
! scope="row" style="text-align: left;" | Banner at Side of Stage (see notes)
| style="text-align: center; font-weight: bold;" | Yes (2)
| style="text-align: center; font-weight: bold;" | Yes (1)
| style="text-align: center;" | No
| style="text-align: center;" | No
| style="text-align: center;" | No
|-
! scope="row" style="text-align: left;" | Logo on Attendee Badges
| style="text-align: center; font-weight: bold;" | Yes
| style="text-align: center; font-weight: bold;" | Yes
| style="text-align: center;" | No
| style="text-align: center;" | No
| style="text-align: center; font-weight: bold; font-style: italic;" | Varies
|-
! scope="row" style="text-align: left;" | Logo on Room Signs
| style="text-align: center; font-weight: bold;" | Yes
| style="text-align: center; font-weight: bold;" | Yes
| style="text-align: center; font-weight: bold;" | Yes
| style="text-align: center;" | No
| style="text-align: center; font-weight: bold; font-style: italic;" | Varies
|-
! scope="row" style="text-align: left;" | Company Description on Conference Web Page
| style="text-align: center; font-weight: bold;" | 150 words
| style="text-align: center; font-weight: bold;" | 100 words
| style="text-align: center; font-weight: bold;" | 50 words
| style="text-align: center;" | No
| style="text-align: center; font-weight: bold; font-style: italic;" | Varies
|-
! scope="row" style="text-align: left;" | Pre-Conference Reception Tickets
| style="text-align: center; font-weight: bold;" | 4
| style="text-align: center; font-weight: bold;" | 3
| style="text-align: center; font-weight: bold;" | 2
| style="text-align: center;" | 1
| style="text-align: center; font-weight: bold; font-style: italic;" | Varies
|-
! scope="row" style="text-align: left;" | Logo on Conference Tote Bags
| style="text-align: center; font-weight: bold;" | Yes
| style="text-align: center; font-weight: bold;" | Yes
| style="text-align: center; font-weight: bold;" | Yes
| style="text-align: center;" | No
| style="text-align: center; font-weight: bold; font-style: italic;" | Varies
|-
! scope="row" style="text-align: left;" | Mention in Pre-Event Publicity
| style="text-align: center; font-weight: bold;" | Yes
| style="text-align: center; font-weight: bold;" | Yes
| style="text-align: center; font-weight: bold; " | Yes
| style="text-align: center;" | Yes
| style="text-align: center; font-weight: bold; font-style: italic;" | Varies
|-
! scope="row" style="text-align: left;" | Logo on Conference Web Site
| style="text-align: center; font-weight: bold;" | Yes
| style="text-align: center; font-weight: bold;" | Yes
| style="text-align: center; font-weight: bold;" | Yes
| style="text-align: center; font-weight: bold;" | Yes
| style="text-align: center; font-weight: bold;" | Yes
|-
! scope="row" style="text-align: left;" | Recognition during Opening/Closing Sessions
| style="text-align: center; font-weight: bold;" | Yes
| style="text-align: center; font-weight: bold;" | Yes
| style="text-align: center; font-weight: bold;" | Yes
| style="text-align: center; font-weight: bold;" | Yes
| style="text-align: center; font-weight: bold;" | Yes
|-
! scope="row" style="text-align: left;" | Promotional Items in Conference Tote Bags (see notes)
| style="text-align: center; font-weight: bold;" | Yes (up to 3)
| style="text-align: center; font-weight: bold;" | Yes (up to 2)
| style="text-align: center; font-weight: bold;" | Yes (1)
| style="text-align: center; font-weight: bold;" | Yes (1)
| style="text-align: center; font-weight: bold; font-style: italic;" | Varies
|}

== A La Carte Sponsorship Opportunities ==

=== 1. Morning and Afternoon Tea Breaks - Conference Day ===

'''Sponsorships Available:''' Four (4)

'''General Rate:''' $4,500

'''Benefits:'''

* Opportunity to display your company's banner in the conference lobby (see notes below) throughout the day of the conference
* Recognition as sponsoring provider, on signs displayed on service tables during tea breaks
* Sponsor logo printed on attendee badges
* Sponsor logo printed on Room Signs
* Single-colour sponsor logo imprinted on conference tote bags
* Sponsor logo displayed on conference Web page, alongside Platinum Sponsors
* Opportunity to include 150-word company description in '''About Our Sponsors''' section of conference Web page
* Written recognition as a leading sponsor, in pre-event publicity communications
* Visual and verbal recognition of sponsor at opening and closing sessions of conference

=== 2. Pre-Conference Reception ===

On the Thursday evening, the OWASP New Zealand Day Committee will host a reception for speakers, trainers, conference volunteers, and Premier Sponsors. The event will be held at an establishment near the conference venue.

'''Sponsorships Available:''' Two (2)

'''General Rate:''' $2,000

'''Benefits:'''

* Opportunity to display your company's banner at the reception venue (see notes below) during the reception
* Opportunity to address reception attendees, as "hosting" sponsor of reception
* Recognition as sponsoring provider, on signs displayed on service tables/bars during reception
* Sponsor logo printed on Room Signs
* Single-colour sponsor logo imprinted on conference tote bags
* Sponsor logo displayed on conference Web page, alongside Silver Sponsors
* Opportunity to include 100-word company description in '''About Our Sponsors''' section of conference Web page
* Written recognition as a leading sponsor, in pre-event publicity communications
* Visual and verbal recognition of sponsor at opening and closing sessions of conference

=== 3. Conference Tote Bags for Attendees ===

'''Sponsorships Available:''' One (1)

'''General Rate:''' $1,800

'''Benefits:'''

* Single-colour sponsor logo printed on the Conference Tote Bags, along with those of Platinum, Gold, and Silver Sponsors
* Sponsor logo printed on Room Signs
* Sponsor logo displayed on conference Web page
* Opportunity to include 50-word company description in '''About Our Sponsors''' section of conference Web page
* Visual and verbal recognition of sponsor at opening and closing sessions of conference

=== 4. Lanyards for Attendee Badges ===

'''Sponsorships Available:''' One (1)

'''General Rate:''' $1,800

'''Benefits:'''

* Single-colour sponsor logo printed on the Attendee Lanyards, along with the OWASP logo
* Sponsor logo printed on Room Signs
* Sponsor logo displayed on conference Web page
* Opportunity to include 50-word company description in '''About Our Sponsors''' section of conference Web page
* Visual and verbal recognition of sponsor at opening and closing sessions of conference

=== 5. Speaker Gifts ===

'''Sponsorships Available:''' One (1)

'''General Rate:''' $1,500

'''Benefits:'''

* Sponsor logo printed on Room Signs
* Single-colour sponsor logo imprinted on conference tote bags
* Sponsor logo displayed on conference Web page, alongside Silver Sponsors
* Opportunity to include 50-word company description in '''About Our Sponsors''' section of conference Web page
* Written recognition as a leading sponsor, in pre-event publicity communications
* Visual and verbal recognition of sponsor at opening and closing sessions of conference

=== 6. Morning and Afternoon Tea Breaks - Training Day ===

'''Sponsorships Available:''' Two (2) '''--Funded, no longer available'''

'''General Rate:''' $750

'''Benefits:'''

* Opportunity to display your company's banner in the training facility lobby (see notes below) throughout the training day
* Recognition as sponsoring provider, on signs displayed on service tables during training day tea breaks
* Sponsor logo displayed on conference Web page, alongside Bronze Sponsors
* Visual and verbal recognition of sponsor at opening and closing sessions of conference

=== 7. International Travel Support ===

As part of the submission process for presentations, prospective presenters from outside New Zealand are given the opportunity to indicate if they will need travel support to be able to attend OWASP New Zealand Day. Each International Travel Support sponsorship is intended to provide a maximum of $2,500 for one international presenter's travel expenses related to attending, and presenting at, the conference. Supported travel expenses may include: return airfare from the airport nearest the presenter's residence to Auckland, two nights' accommodation in a lodging near the conference venue, and return shuttle transportation between the Auckland airport and the accommodation.

'''Sponsorships Available:''' No Limit

'''General Rate:''' $2,500

'''Benefits:'''

* Sponsor logo displayed on conference Web page, alongside Gold Sponsors
* Opportunity to include 100-word company description in '''About Our Sponsors''' section of conference Web page
* Opportunity for sponsor representative to introduce sponsored presenter
* Written recognition as a leading sponsor, in pre-event publicity communications
* Visual and verbal recognition of sponsor at opening and closing sessions of conference

=== 8. Diversity Fund ===

The OWASP New Zealand Day Diversity and Financial Aid Fund has been established to provide financial assistance to students at New Zealand universities. Each Diversity Fund sponsorship is intended to cover travel expenses for one New Zealand student, from outside the Auckland area, who will be attending or presenting at the conference. Each Diversity Fund support recipient will receive funding for return airfare from their nearest domestic airport to Auckland International Airport, two night's accommodation in a lodging near the conference venue, and return shuttle transportation between the airport and the accommodation.

'''Sponsorships Available:''' No Limit

'''General Rate:''' $750

'''Benefits:'''

* Sponsor logo displayed on conference Web page, as a Diversity Fund Sponsor
* Visual and verbal recognition of sponsor at opening and closing sessions of conference

=== 9. Door Prizes ===

At the closing session of the conference, the OWASP New Zealand Day Committee will conduct a series of random drawings, awarding donated items to attendees, who must be present to win. There is no minimum or maximum value required for donated items, nor is the number of items provided subject to any limit. It is recommended that items provided be of interest to the conference's target audience, rather than of a generic nature.

'''Sponsorships Available:''' No Limit

'''General Rate:''' In-Kind Donation

'''Benefits:'''

* Verbal recognition, at the time of the prize drawing, as the donor of the prize

=== 10. Other Supporting Sponsorships ===

If your company would like to provide special items to attendees, funding for paid promotional advertising for the event, or other items that we haven't yet thought of, you are welcome to contact us to discuss your ideas.

'''Sponsorships Available:''' No Limit

'''General Rate:''' In-Kind Donation

'''Benefits:'''

* Sponsor logo displayed on conference Web page, as a Supporting Sponsor
* Visual and verbal recognition of sponsor at opening and closing sessions of conference

== Notes ==

''' Sponsor Logos:'''

* Logos are to be provided by the respective sponsors, as digital files (JPEG and PNG preferred)
* Logos provided should be full colour
* For lanyards and tote bags (including Platinum/Gold/Silver Sponsors), a single-colour version of the logo should also be provided, in a separate file. If a single-colour version of the logo is not provided by the sponsor, the OWASP New Zealand Day Committee reserves the right to electronically convert the full-colour logo to a single-colour version, or omit the sponsor's logo from the imprinted items if that proves infeasible.

'''Sponsor Banners:'''

* Lobby and stage-side banners are to be provided by the respective sponsors, must be free-standing, and their size is subject to approval by the OWASP New Zealand Day Committee.
* The conference venue includes two tracks, conducted in separate auditoriums; Platinum Sponsors may display one banner to the side of each auditorium's stage; Gold Sponsors may display a banner to the side of the stage in one auditorium. Gold Sponsors may express an auditorium preference, but final locations are at the discretion of the OWASP New Zealand Day Committee.
* There will be a maximum of four (4) sponsor banners displayed in each auditorium, with placement priority given to Platinum Sponsors.

'''Promotional Items:'''

* Printed materials are limited in dimensions to A4 size - either a single sheet, printed on one or both sides; or a single A3 sheet, folded in half
* Small imprinted items are also acceptable - pens, stress balls, USB keys, fidget spinners, etc.
* Design of printed materials and imprinted items are subject to approval by OWASP New Zealand Day Committee
* '''RECRUITMENT:''' In addition to the promotional item allowances included in Premium Sponsorship Packages, any sponsor may provide one A5-size card with information on ''actual current'' vacancies for which candidates are actively being sought

'''All amounts listed are in New Zealand dollars (NZD)'''

= Diversity Fund =

==Diversity and Financial Aid fund==

Thanks to the generous support of our lovely sponsors, we have some funding available to help people from around New Zealand attend the OWASP NZ Day, who would otherwise find it hard to attend. In particular, we welcome applications from women, people of colour, LGBTIQ, and all others. You all deserve to be able to learn more about security, and we’ll do our best to help make that happen!

Our funds are limited, and we’ll be reviewing applications every week, starting at the end of January. Submit your application soon, so we can approve them promptly, and you’ll be in several review cycles!

Process:

* Fill out our [https://docs.google.com/forms/d/e/1FAIpQLSfl4I38Z3ke5H8gYL7KmG9pVY8qIZe3kO5YH_ykALJyvq894w/viewform Application Form]
* We will review and approve applications each week. The first reviews will be completed by 29 January.
* We will contact all applicants and let them know the result of the review.
* Successful applicants will be contacted to help sort things out.

We use the following criteria to help us decide who gets approved:

* We are biased towards (but not exclusively for) diverse applicants.
* We do attempt to maximise cost efficiency and will aim to get as many people to OWASP as possible, with our limited funds.

Each successful recipient can choose whether to be kept anonymous (in which case only the OWASP NZ committee will know the details of your funding), or to be put in touch with the supporting company whose sponsorship is going towards your attendance. We think some of our sponsors may enjoy the opportunity to chat with you on the day talk about your experiences and plans for the future, but that’s totally optional and up to you.

If you have any questions, feel free to drop us an email: john.dileo@owasp.org

= Code of Conduct =
==Code of Conduct==

We want to make the OWASP NZ Day a welcoming environment for all attendees. To that end, we would like to remind you that all activities associated with this event are subject to OWASP's [https://www.owasp.org/index.php/Governance/Conference_Policies Conference Policies]. At their core, these policies are intended to promote and maintain an inclusive, welcoming environment for all participants - actions detrimental to that environment are unwelcome.

Speakers, trainers and sponsors have all been reminded of these policies, and are expected to abide by them like all attendees.

If you have any concerns during the day, please seek out John, Austin, or Brendan. We will make ourselves visible at the start of the day, so you know what we look like.

=Call for Presentations - CLOSED =

==Call for Presentations==

'''UPDATE: The Call for Presentations is now CLOSED.''' The committee is reviewing the proposals received, and will be notifying submitters of their selection status shortly.

OWASP New Zealand Day conferences attract a high quality of speakers from a variety of security disciplines, including
architects, Web developers and engineers, system administrators, penetration testers, policy specialists and more.

We would like a variety of technical levels in the presentations submitted, corresponding to the three focus areas of the conference:

Track One:

* Introductions to various Information Security topics, and the OWASP projects
* Policy, Compliance and Risk Management

Track Two:
* Technical topics

Introductory talks should appeal to an intermediate to experienced software developer, without requiring a solid grounding in application security or knowledge of OWASP projects. These talks should be engaging, encourage developers to learn more about information security, and give them techniques that they can immediately return to work and apply to their jobs.

This being an OWASP conference, the selection process for talks in Track One will give priority to those related to OWASP's Projects, Tools, and Guidance (check out the current [OWASP Project Inventory](https://www.owasp.org/index.php/Category:OWASP_Project#tab=Project_Inventory) for more information). If multiple submissions are received related to the same OWASP Project/Tool, preference will be given to speakers actively involved as leaders or members of the respective project teams.

Technical topics are running all day and should appeal to two audiences - experienced software security testers or researchers, and software developers who have a “OWASP Top Ten” level of understanding of web attacks and defences. You could present a lightning, short or long talk on something you have researched, developed yourself, or learnt in your travels. Ideally the topics will have technical depth or novelty so that the majority of attendees learn something new.

We would also like to invite talks that will appeal to those interested in the various non-technical topics that are important in our industry. These talks could focus on the development of policies, dealing with compliance obligations, managing risks within an enterprise, or other issues that could appeal to those in management roles.

We encourage presentations to have a strong component on fixing and prevention of security issues. We are looking for presentations on a wide variety of security topics, including but not limited to:

* Web application security
* Mobile security
* Cloud security
* Secure development
* Vulnerability analysis
* Threat modelling
* Application exploitation
* Exploitation techniques
* Threat and vulnerability countermeasures
* Platform or language security (JavaScript, NodeJS, .NET, Java, RoR, Python, etc)
* Penetration Testing
* Browser and client security
* Application and solution architecture security
* PCI DSS
* Risk management
* Security concepts for C*Os, project managers and other non-technical attendees
* Privacy controls

The submission will be reviewed by the OWASP New Zealand Day conference committee and the highest voted talks will be selected and invited for presentation.

PLEASE NOTE:

* Due to limited funds availability, the conference budget does not include a plan to cover expenses for international speakers. However, if sponsorship funds are received for this purpose, we will issue a call for support applications from those outside New Zealand who have submitted proposals. Please indicate in the "additional information" section, whether you would be able to present without such support.
* If you are selected as a speaker, and your company is willing to cover travel and accommodation costs, the company will be recognised as a "Supporting Sponsor" of the event.

Please submit your presentation on [https://www.papercall.io/owaspnz2019 PaperCall].

Submission Deadline: Friday, 11th January 2019 (NOW CLOSED)

Applicants will be notified in the following week after the deadline, whether they were successful or not.

= Call For Trainers - CLOSED =
== Call For Trainers ==

'''The Call for Trainers is now closed. Trainers selected to present training have been contacted, and details are now being finalised.'''

We are happy to announce that training will run on Thursday, 21 February 2019, the day before the OWASP NZ Day conference.
The training venue will be Level 0, Rooms: case rooms 1(005), 2(057), 3(055), and 4(009), kindly provided by the University of Auckland School of Business, in the same building as the OWASP NZ Day conference itself.
Classes can contain up to 69 students, with power for laptop usage and Wi-Fi. A wide range of half-day or full-day training proposals will be considered,
see the Call for Papers for a list of example topics.

If you are interested in running one of the training sessions, please contact John DiLeo ([mailto:john.dileo@owasp.org john.dileo@owasp.org]) with the following information:

* Trainer name
* Trainer organisation
* Telephone + email contact
* Short Trainer bio
* Training title
* Trainer requirements (e.g. a projector, whiteboard, etc)
* Trainee requirements (e.g. laptop, VMware/VirtualBox, etc)
* Training summary (less than 500 words)
* Target audience (e.g. testers, project managers, security managers, web developers, architects)
* Skill level required (Basic / Intermediate / Advanced)
* What attendees can expect to learn (key objectives)
* Short course outline

The fixed price per head for training will be $250 for a half-day session and $500 for a whole-day session. As this training is part of an OWASP event, part of the proceeds go back to OWASP. The split is as follows:

* 25% to OWASP Global - used for OWASP projects around the world
* 25% to OWASP NZ Day - used for NZ Day expenses
* 50% to the training provider.

Submission Deadline: Friday, 21st December 2018

Applicants will be notified in the following week after the deadline, whether they were successful or not.

<headertabs></headertabs>

[[Category:OWASP AppSec Conference]]

File:2019-02-22 - How do I Content Security Policy - Print.pdf

2019-02-24T21:10:07Z

2018-07-11T23:05:26Z

Kirkj: Add video links

__NOTOC__
<center>
[https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2018 https://www.owasp.org/images/5/53/NZ_day_2018_web.jpg] 
'''4th and 5th February 2018 - Auckland'''
</center>
----

= Introduction =
==Introduction==
We are proud to announce the ninth OWASP New Zealand Day conference, to be held at the University of Auckland on Monday February 5th, 2018. OWASP New Zealand Day is a one-day conference dedicated to information security, with an emphasis on secure architecture and development techniques to help Kiwi developers build more secure applications.

Who is it for?

* Web Developers: There will be a choice of two streams in the morning. First stream covering introductory talks to information security, second stream covering deeper technical topics. Afternoon sessions will cover offensive security in stream one, and continue with deeper technical topics in stream two
* Security Professionals and Enthusiasts: Technical sessions later in the day will showcase new and interesting attack and defence topics

==Conference structure==

Date: Monday 5 February 2018 
Time: 9:30am - 6:00pm 
Cost: Free 

The main conference is on Monday 5th of February, and will have two streams in both the morning and the afternoon:



==Training==

As well as the main conference on Monday, we are pleased to be able to provide training on Sunday at the same venue. All details including registration are as follows:

[https://binarymist.io/talk/owaspnzday-2018-workshop-building-security-into-your-development-team/ '''Building Security Into Your Development Teams''']
Date: Sun 04 February 2018 
Time: 9:00am - 5:30pm or part thereof 
[https://www.eventbrite.com/e/owasp-nz-day-interactive-workshop-building-security-into-your-development-teams-tickets-41266447054 Training Registration Page]

Spaces going fast, so get in quick

==General==

The ninth OWASP New Zealand Day will be happening thanks to the support provided by the University of Auckland, which will kindly offer the same location as last year for stream one, with the addition of another room near by for the stream two room. Entry to the event will, as in the past, be free.

For any comments, feedback or observations, please don't hesitate to contact [mailto:kim.carter@owasp.org?cc=kirk.jackson@owasp.org&cc=denis.andzakovic@owasp.org us]. 

==Registration==


Registration for the main conference day is now open: [https://owaspnz2018.eventbrite.com/ Conference Registration Here],
Follow us on twitter [https://twitter.com/owaspnz @owaspnz]

There is no cost for the main conference day. Unfortunately due to increased conference running costs, lunch, morning and afternoon tea's will not be provided as it has been for the past OWASP NZ Days. We do ask that if at any point you realise you cannot make it please cancel your registration to make room for others as spaces are limited.





==Important dates==

* CFP submission deadline: 8th December 2017
* CFT submission deadline: 8th December 2017
* Conference Registration deadline: 29th January 2018
* Training Registration deadline: 29th January 2018
* Training Day date: 4th February 2018
* Conference Day date: 5th February 2018

For those of you booking flights, ensure you can be at the venue at 9:00am, the conference will end by 6:00pm however we will have post conference drinks at a local drinking establishment for those interested.

==Places to eat & drink on the day==

<ul>
<li>Coffee cart and selection of snacks next to the reception on the ground floor, this is the closest but will probably have long lines</li>
<li>Mojo Symonds - also on campus</li>
<li>Shakey Isles - coffee and food across the road on the corner of Symonds & Alfred St</li>
<li>The CBD - walk up and over Albert Park to get to the CBD with many great food options</li>
<ul>
<li>Fort Street has burgers, kebabs, and KFC</li>
<li>High Street & Lorne Street have lots of little cafes and restaurants</li>
</ul>
<li>Subway, Starbucks, & Pita Pit - walk up Symonds Street</li>
<li>Vulture’s Lane is a popular pub with the infosec crowd, there are more seats downstairs</li>
<li>The Bluestone Room - also a popular pub just across Queen St</li>
</ul>

==Conference Venue==

<table width="100%">
<tr>
<td>
The University of Auckland School of Business 
Owen Glen Building 
Address: 12 Grafton Road 
 
Stream one room: Level 1 
Room: 115 (Fisher & Paykel Auditorium) 
 
Stream two room: Level 0 
Room: 098 
 
Auckland 
New Zealand 
[https://www.google.com/maps/place/Owen+G+Glenn+Building+12+Grafton+Road/@-36.8528203,174.770224,17z/data=!4m6!1m3!3m2!1s0x0000000000000000:0x0205ad91287ba364!2sUniversity+of+Auckland+Graduate+School+of+Enterprise!3m1!1s0x0000000000000000:0xc9d224e5921a6690 Map]
</td>
<td>
[[Image:073_AUBiz_10Apr08small.jpg]] [[Image:OWASPNZDayLectureTheatre.jpg]]
</td>
</tr>
</table>

==Conference Sponsors==
<table width="100%" border="0" cellspacing="1" cellpadding="1">
<tr>
<td valign="bottom" width="100%"><center>[http://www.auckland.ac.nz/ https://www.owasp.org/images/f/f8/AuckUni.png]</center></td>
</tr>
</table>
----

'''Gold Sponsors:'''
<table width="100%" border="0" cellspacing="7" cellpadding="0">
<tr>
<td><center>[[File:Zx.png|link=http://www.zxsecurity.co.nz]]</center></td>
<td> </td>
<td> </td>
<td><center>[[File:INSOMNIA.PNG|link=http://www.insomniasec.com]]</center></td>
<td> </td>
<td> </td>
<td><center>[[File:Aura_PBK_Colour.jpg|link=http://www.aurainfosec.com]]</center></td>
</tr>
</table>
----

'''Silver Sponsors:'''
<table width="100%" border="0" cellspacing="7" cellpadding="0">
<tr>
<td><center>[[File:Quantum_Security_%28strip%29-02.png|link=http://www.quantumsecurity.co.nz]]</center></td>
</tr>
</table>
----

'''Support Sponsors:'''
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td><center>[[File:BinaryMistLimited.png|center|150px|link=https://binarymist.io]]</center></td>
<td> </td>
<td> </td>
<td><center>[[File:Atlassian.png|center|183px|link=https://www.atlassian.com/]]</center></td>
</tr>
</table>

==Conference Committee==

* Kirk Jackson - OWASP New Zealand Leader (Wellington)
* Kim Carter - OWASP New Zealand Leader (Christchurch)
* Nick Malcolm - OWASP New Zealand Leader (Auckland)
* Lech Janczewski - Associate Professor - University of Auckland School of Business

Please direct all enquiries to nick.malcolm@owasp.org | kirk.jackson@owasp.org | kim.carter@owasp.org

OWASP NZ on Twitter (https://twitter.com/owaspnz)

= Training =
==Training==

As well as the main conference on Monday, we are pleased to be able to provide training on Sunday at the same venue. All details including registration are as follows:

[https://binarymist.io/talk/owaspnzday-2018-workshop-building-security-into-your-development-team/ '''Building Security Into Your Development Teams''']
Date: Sun 04 February 2018 
Time: 9:00am - 5:30pm or part thereof 
[https://www.eventbrite.com/e/owasp-nz-day-interactive-workshop-building-security-into-your-development-teams-tickets-41266447054 Training Registration Page]

Spaces going fast, so get in quick

= Call For Presentations =
==Call For Presentations==

'''Thank you to all those who have submitted talks. The call for presentations has now closed.'''

OWASP New Zealand Day conferences attract a high quality of speakers from a variety of security disciplines including
architects, web developers and engineers, system administrators, penetration testers, policy specialists and more.

We would like a variety of technical levels in the presentations submitted, corresponding to the three sections of the conference:

* Introductions to various Information Security topics, and the OWASP projects
* Technical topics
* Policy, Compliance and Risk Management

The introductory talks should appeal to an intermediate to experienced software developer, without a solid grounding in application security or knowledge of the OWASP projects. These talks should be engaging, encourage developers to learn more about information security, and give them techniques that they can immediately return to work and apply to their jobs.

Technical topics are running all day and should appeal to two audiences - experienced software security testers or researchers, and software developers who have a “OWASP Top Ten” level of understanding of web attacks and defences. You could present a lightning, short or long talk on something you have researched, developed yourself, or learnt in your travels. Ideally the topics will have technical depth or novelty so that the majority of attendees learn something new.

We would also like to invite talks that will appeal to those interested in the various non-technical topics that are important in our industry. These talks could focus on the development of policies, dealing with compliance obligations, managing risks within an enterprise, or other issues that could appeal to those in management roles.

We encourage presentations to have a strong component on fixing and prevention of security issues. We are looking for presentations on a wide variety of security topics, including but not limited to:

* Web application security
* Mobile security
* Cloud security
* Secure development
* Vulnerability analysis
* Threat modelling
* Application exploitation
* Exploitation techniques
* Threat and vulnerability countermeasures
* Platform or language security (JavaScript, NodeJS, .NET, Java, RoR, Python, etc)
* Penetration Testing
* Browser and client security
* Application and solution architecture security
* PCI DSS
* Risk management
* Security concepts for C*Os, project managers and other non-technical attendees
* Privacy controls



The submission will be reviewed by the OWASP New Zealand Day conference committee and the highest voted talks will be selected and invited for presentation.

PLEASE NOTE:

* Due to limited budget available, expenses for international speakers cannot be covered.
* If your company is willing to cover travel and accommodation costs, the company will become "Support Sponsor" of the event.

'''Thank you to all those who have submitted talks. The call for presentations has now closed.'''

Please submit your presentation [https://www.papercall.io/owaspnz2018 here].



Submissions deadline: 8th December 2017

Applicants will be notified in the following week after the deadline, whether they were successful or not.


= Call For Sponsorships =
==Call For Sponsorships==

OWASP New Zealand Day 2018 will be held in Auckland on the 5th of February, 2018 and is a security conference entirely dedicated to application security.
The conference is once again being hosted by the University of Auckland with their support and assistance.
OWASP New Zealand Day 2018 is a free event, but requires sponsor support to help be an instructive and quality event for the New Zealand community.
OWASP is strictly not for profit. The sponsorship money will be used to help make OWASP New Zealand Day 2018 a free, compelling, and valuable experience for all attendees.

The sponsorship funds collected are to be used for things such as:

* Name tags - we feel that getting to know people within the New Zealand community is important, and name tags make that possible.
* Promotion - up to now our events are propagating by word of mouth. We would like to get to a wider audience by advertising our events.
* Printed Materials - printed materials will include brochures, tags and lanyards.

== Facts ==

Last year, the event was supported by nine sponsors and attracted more than 900 registrations. Plenty of constructive (and positive!) feedback from the audience was received and we are using this to make the conference more appealing to more people. For more information on the last New Zealand Day event, please visit: https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2017

The OWASP New Zealand community is strong, there are more than 500 people currently subscribed to the mailing-list. OWASP New Zealand Day is expected to attract between 800 and 1000 attendees this year.

OWASP regular attendees are IT project managers, IT security managers, IT security consultants, web application architects and developers, QA managers, QA testers and system administrators.

== Sponsorships ==

There are three different levels of sponsorships for the OWASP New Zealand Day event:

Support Sponsorship: (Covering international speaker travel expenses, media coverage/article/promotion of the event)

Includes:

* Publication of the sponsor logo on the event web site - https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2018

Silver Sponsorship: 1500 NZD

Includes:

* Publication of the sponsor logo on the event web site - https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2018
* The publication of the sponsor logo in the event site, in the agenda, on the handouts and in all the official communications with the attendees at the conference.
* The possibility to distribute the company brochures, CDs or other materials to the participants during the event.

Gold Sponsorship: 2750 NZD

Includes:

* The possibility to have a promotional banner or sign side stage in the main auditorium (to be provided by the sponsor, size subject to approval by the OWASP NZ Day Committee).
* The publication of the sponsor logo in the event site, in the agenda, on the handouts and in all the official communications with the attendees at the conference.
* The possibility to distribute the company brochures, CDs or other materials to the participants during the event.
* Publication of the sponsor logo on the OWASP New Zealand Chapter page - Sponsor logo on the OWASP NZ site prior and during the OWASP Day event - https://www.owasp.org/index.php/New_Zealand
* Publication of the sponsor logo on the event web site - https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2018

Those who are interested in sponsoring OWASP New Zealand 2018 Conference can contact the [mailto:kim.carter@owasp.org,kirk.jackson@owasp.org,denis.andzakovic@owasp.org OWASP New Zealand Board]. 

= Presentation Schedule =
==Presentations==

<center>
5th February 2018
<table width="100%">
<tr>
<td width="5%" valign="top" align="right">08:30</td>
<td colspan="3" style="background-color: #8595C2; text-align: center">Registration Opens</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">09:30</td>
<td colspan="3" style="background-color: #B9C2DC; text-align: center">
Welcome to OWASP New Zealand Day 2018 
Kirk Jackson, [https://binarymist.io Kim Carter], Nick Malcolm (OWASP Leaders), and Lech Janczewski (Associate Professor)

</tr>
<tr>
<td width="7%" valign="top" align="right"></td>
<td style="background-color: #EEE; text-align: center">
Upstairs room
</td>
<td width="7%" valign="top" align="right">09:45</td>
<td style="background-color: #EEE; text-align: center">
'''Downstairs room'''
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right"></td>
<td style="background-color: #EEE; text-align: center">
Fear Itself 
Laura Bell - SafeStack
</td>
<td width="7%" valign="top" align="right">09:45</td>
<td style="background-color: #EEE; text-align: center">
Offensive Defence 
Chris Berry - Aura Information Security 
[[Media:2018-02-05-ChrisBerry.pdf|Slides: (PDF, 3.4mb)]]
[https://www.youtube.com/edit?o=U&video_id=-z4ID7Rh84E Video]
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">10:20</td>
<td style="background-color: #B9C2DC; text-align: center">
Pizza Roulette 
Catherine McIlvride and Fiona Sasse 
[[Media:2018-02-05-CatherineMcIlvrideFionaSasse.pdf|Slides: (PDF, 3.4mb)]]
[https://www.youtube.com/watch?v=FUY-PgZqI3A Video]
</td>
<td width="7%" valign="top" align="right">10:20</td>
<td style="background-color: #B9C2DC; text-align: center">
Auth* Infrastructure for Everyone 
Ryan Kurte and Kirk Holloway 
[https://docs.google.com/presentation/d/11tFlGmRQUBJ5ns-8gxRDxL3J0rAkCgOVqAEGqwqxDLM/edit?usp=sharing Slides]
</td>

</tr>
<tr>
<td width="7%" valign="top" align="right">10:55</td>
<td style="background-color: #EEE; text-align: center">
Guarding the Pot of Gold while the Rainbow gets bigger 
Sarah Bennett and Patricia Ramsden - Xero 
[https://www.youtube.com/watch?v=kh5q-79Boe8 Video]
</td>
<td width="7%" valign="top" align="right">10:55</td>
<td style="background-color: #EEE; text-align: center">
Bermudez - a honeypit designed to waste hacker's time 
Ian Welch and Kaishuo Yang 
[https://www.youtube.com/watch?v=t5XBf4LApoo Video]
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">11:30</td>
<td style="background-color: #B9C2DC; text-align: center">
Enough theory, how are websites getting hacked in real life? 
Declan Ingram - CERT 
[https://www.youtube.com/watch?v=WhYh-eUqxIA&t=137s Video]
</td>
<td width="7%" valign="top" align="right">11:30</td>
<td style="background-color: #B9C2DC; text-align: center">
Rails Derailed 
Tim Goddard 
[https://insomniasec.com/releases Slides]
[https://www.youtube.com/watch?v=fGlS6w2naN0 Video]
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">12:05</td>
<td style="background-color: #EEE; text-align: center">
Secure APIs: Road to Business Growth 
Anupama Natarajan - Unisys New Zealand 
[[Media:2018-02-05-AnupamaNatarajan.pdf|Slides: (PDF, 719kb)]]
[https://www.youtube.com/watch?v=WIz6pS9L5l0 Video]
</td>
<td width="7%" valign="top" align="right">12:05</td>
<td style="background-color: #EEE; text-align: center">
Timing-Based Attacks in Web Applications 
Yappare 
[[Media:2018-02-05-AhmadAshraff.pdf|Slides: (PDF, 7.7mb)]]
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">12:35</td>
<td colspan="3" style="background-color: #D98B66; text-align: center">
Break for Lunch 
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">14:00</td>
<td style="background-color: #EEE; text-align: center">
Developer's guide to Deserialization Attacks 
Felix Shi
</td>
<td width="7%" valign="top" align="right">14:00</td>
<td style="background-color: #EEE; text-align: center">
IoT - How to fight the tyre fire 
Tom Isaacson 
[https://speakerdeck.com/parsley72/iot-how-to-fight-the-tyre-fire-1 Slides (speakerdeck)]
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">14:45</td>
<td style="background-color: #B9C2DC; text-align: center">
Finding the path to #DevSecOps nirvana 
Olly - Xero
</td>
<td width="7%" valign="top" align="right">14:45</td>
<td style="background-color: #B9C2DC; text-align: center">
Thinking like an Attacker (Hacking your own organisation) 
Nick Le Mouton - drugs.com 
[https://speakerdeck.com/noodlesnz/thinking-like-an-attacker Slides (speakerdeck)]
[https://www.youtube.com/watch?v=fGlS6w2naN0 Video]
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">15:00</td>
<td style="background-color: #EEE; text-align: center">
When Shoestrings Snap 
Rory Shillington - VoltsAndBits 
[[Media:2018-02-05-RoryShillington.pdf|Slides: (PDF, 7.3mb)]]
[https://www.youtube.com/watch?v=ElbY05nfZ2M Video]
</td>
<td width="7%" valign="top" align="right">15:00</td>
<td style="background-color: #EEE; text-align: center">
Evil Pickles: DoS Attacks Based on Object-Graph Engineering 
Jens Dietrich - Massey University 
[https://docs.google.com/presentation/d/1WSDq_k6z4rZeuZlvdYfNyS1IwJhVLH-gxUROi98qkL8/edit#slide=id.p Slides (google)]
[https://www.youtube.com/watch?v=1q2rZyR17jU Video]
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">15:30</td>
<td colspan="3" style="background-color: #D98B66; text-align: center">
Break for Afternoon Tea 
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">16:00</td>
<td style="background-color: #EEE; text-align: center">
Enough with XSS, let's talk about something else? 
Karan Sharma 
[[Media:2018-02-05-KaranSharma.pptx|Slides: (PPTX, 4mb)]]
[https://www.youtube.com/watch?v=KbVWJcf2CRQ Video]
</td>
<td width="7%" valign="top" align="right">16:00</td>
<td style="background-color: #EEE; text-align: center">
Secure development in Go 
Dion Bramley 
[https://github.com/dionb/GoSecureDev Slides (github)]
[https://www.youtube.com/watch?v=4O2OShd-Su8 Video]
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">16:35</td>
<td style="background-color: #B9C2DC; text-align: center">
Riding someone else’s wave with CSRF 
Sam Shute - Quantum Security 
[[Media:2018-02-05-SamShute.pptx|Slides: (PPTX, 234kb)]]
</td>
<td width="7%" valign="top" align="right">16:35</td>
<td style="background-color: #B9C2DC; text-align: center">
Secure Your Programming Future! 
David Pearce 
[[Media:2018-02-05-DavidPearce.pdf|Slides: (PDF, 1.8mb)]]
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">17:10</td>
<td style="background-color: #EEE; text-align: center">
Operation Luigi: How I hacked my friend without her noticing 
Alex Hogue - Atlassian
</td>
<td width="7%" valign="top" align="right">17:10</td>
<td style="background-color: #EEE; text-align: center">
Handling Of A PCI Incident - PANs In The Database 
David Waters - Pushpay
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">17:50</td>
<td colspan="3" style="background-color: #B9C2DC; text-align: center">
Wrap Up 
Time to go out and socialise, for those interested
</td>
</tr>
</table>
</center>

= Speakers List =
==Speakers List==

===Laura Bell - SafeStack - Fear Itself===
----
Abstract

Abstract: The world is a scary place right now. While the risk posed by security threats is high, there are many organisations and people for whom this is the least of their concerns.

In a time of unsettled economies & governments, where there are more breaches each week than we would have once seen in a year... how can we change the way we enable and inspire security change to stop trying to scare the terrified and start trying to help.

Speaker Bio

With almost a decade of experience in software development and information security, Laura Bell specializes in bringing security survival skills, practices, and culture into fast paced organisations of every shape and size.

An experienced conference speaker, trainer, and regular panel member, Laura has spoken at a range of events such as BlackHat USA, Velocity, OSCON, Kiwicon, Linux Conf AU, and Microsoft TechEd on the subjects of privacy, covert communications, agile security, and security mindset.

As the co-author of "Agile Application Security" published by O'Reilly media, Laura is internationally recognised as a leader in her field.

She is the founder and CEO of SafeStack, leading its operations from Auckland, New Zealand.

===Chris Berry - Aura Information Security - Offensive Defence===
----
Abstract

Frustrated by the ability to take over corporate networks by exploiting the same petty misconfigurations for the past several years, I want to expose blue teamer’s and dev’s to the current internal pen test strategies, which have proven consistently effective in going from no auth to domain admin.

Speaker Bio

Chris is a Security Consultant at Aura Information Security with experience across a broad variety of domains and industries. He is owned by a cat.

===Catherine McIlvride and Fiona Sasse - Pizza Roulette===
----
Abstract

Catherine and Fiona are security newbies in the world of bleepbloops. As their hunger for more knowledge on Security Testing grows, they attempt to chomp into the cyber realm of ordering pizza. Pull up a chair, grab a slice* and prepare yourself for a feast! *Disclaimer: Pizza will not be included.

Speaker Bio

Catherine and Fiona are software testers who have been united by their passion for pizza and their curiosity for wearing black and whites hats. They hammer and chisel their way through interfaces, databases, and all other places to identify cracks and gaps. Now they face their next adventure roaming unfamiliar territory in the security space.

===Ryan Kurte and Kirk Holloway - Auth* Infrastructure for Everyone===
----
Abstract

Auth(entication|orisation) is tough. We’re going to talk about how it’s usually done, the developer and user experience of auth*, and some things that often go wrong. Then we’re going pitch an idea that might, hopefully, maybe, help us all build safe exciting things.

Speaker Bio

Ryan is an aspiring hardware whisperer and academic with an incurable side project problem.

Kirk builds tiny bits of content that go in bigger bits of content for your local internet box. Combined they form 5/8ths of a full stack developer.

===Sarah Bennett and Patricia Ramsden - Xero - Guarding the Pot of Gold while the Rainbow gets bigger===
----
Abstract

We've all heard that as an industry we're severely outnumbered (defenders vs attackers). Many of us become a potential targets due to the type of market our company is in. The closer to money handling you are, the more attention you get therefore the more that ratio of defenders to attackers gets worse.
We've seen our adversaries change over time as we've grown. We'll discuss how our hitting one million paid subscribers affected us in terms of security, and how the motives of attackers seem to change with the seasons.

Speaker Bio

TBD

===Ian Welch and Kaishuo Yang - Bermudez: a honeypit designed to waste hacker's time===
----
Abstract

Small enterprises don’t have the human resources to deal with web attacks 24/7 although attacks can occur anytime. We describe a honeypit designed to entrap and slow attackers down giving time for a sysadmin to detect and respond to an attack.

Speaker Bio

Ian works for Victoria University of Wellington (VUW) doing computer security teaching and research mostly related to honeypots (CaptureHPC) and more recently software-defined networks (Gasket and Baffle).

Kai is a research assistant at Victoria University of Wellington (VUW). He developed Bermudez as part of his final year project last year and is working over summer on a security policy language for software-defined networks called Baffle.

===Declan Ingram - CERT - Enough theory, how are websites getting hacked in real life?===
----
Abstract

Since opening in April 2017, CERT NZ has dealt with hundreds of hacked websites. In this talk I propose to step through a few case studies of what went wrong, and how to stop it from happening to your websites. This talk will be done specifically for OWASP day and won’t be used for other audiences.

Speaker Bio

Declan Ingram is the Manager of Operations for CERT NZ and leads the technical side of CERT NZ – including the Incident Response Team. He has worked for over 17 years in information security, with broad experience in both incident response and security testing.

===Tim Goddard - Rails Derailed===
----
Abstract

Modern web application frameworks provide a lot of protections by default, but no protection is absolute. We explore common, severe security issues in Ruby on Rails applications, why they still occur despite its attempts to protect us.

Speaker Bio

Tim (pruby) moved two years ago from being a useful human being and building web applications, to the more haphazard world of tearing them apart. He applies his development background and knowledge to review applications from the ground-up, using the code to inform an efficient approach to security testing.

===Anupama Natarajan - Unisys New Zealand - Secure APIs: Road to Business Growth===
----
Abstract

Security must never be an afterthought. API Security is key for all modern digital businesses and secure APIs provide more confidence to the consumers. Come and learn the art of detecting underprotected APIs and how to secure them.

Speaker Bio

I am a Software Professional with over 15 years experience in designing and developing Web, Data Warehouse, Business Intelligence and Mobile solutions. I am a Microsoft Certified Trainer (MCT) and really passionate in sharing knowledge. I love solving complex business problems for my clients with innovative solutions using Microsoft Technologies and use that experience in my trainings and presentations. I share tried and tested examples which people can start use in their organisations immediately.

===Yappare - Timing Based Attacks in Web Applications===
----
Abstract

Timing-based attacks are deadly but often overlooked. Pentesters often miss such attacks when testing web applications.

By the end of the talk, the audience will learn ways to identify timing-based webapp vulnerabilities through careful manual and automated analysis of response generation times.

Speaker Bio

I was a Chemical Engineering graduate but have interest in application security. 7+ years in penetration testing industry and 5 years in bug bounty scene and currently at top leaderboard of Bugcrowd. Involving in these two areas of ‘hacking’ environment, expose me with various ways of identifying web vulnerabilities.

===Felix Shi - Developer's guide to Deserialization Attacks===
----
Abstract

A beginner friendly talk on deserialization attacks, targeted towards webapp devs and QA engineers. Heavy emphasis on explaining the attack vectors, the technical/business impact, and how to test for it.

There will be demos in some popular languages/frameworks - namely Python, Java, and C#.

Speaker Bio

Felix works in the security space at an online accounting software company named Xero. He joined in 2014 and his day job involves securing and breaking internally developed products. Before Xero he spent his previous years as a developer, and has been dabbling in the information security scene in Wellington.

===Tom Isaacson - IoT: How to fight the tyre fire===
----
Abstract

Everyone knows that IoT is a tyre fire but what can we do to start putting it out? Take a quick tour through the new OWASP IoT Top 10 and some other (personal) examples of how not to do IoT.

Speaker Bio

I’ve been an embedded developer for 20 years. I haven’t bothered learning web development because I still think the internet is a passing fad, but I’ve been forced to think about security after we added networking to our products.

===Olly - Xero - Finding the path to #DevSecOps nirvana===
----
Abstract

A talk about my experiences automating security infrastructure in AWS at Xero. The end goal, things to consider in a security context, the 80/20 rule, convincing people and how to get started. Buzzwords include: DevOps, DevSecOps, AWS, Cloud, CI/CD, “.* as code”.

Speaker Bio

Oliver is a Graduate Security Engineer at Xero where he helps build and deploy security infrastructure into AWS focusing on automation and repeatability. He is a contributor to Security Monkey, Netflix’s open source AWS security auditing tool.

===Nick Le Mouton - drugs.com - Thinking like an Attacker (Hacking your own organisation)===
----
Abstract

Often as developers we think like defenders. We identify vulns (SQLi, XSS etc) and patch them. How often do we think, how far could an attacker get by using this vuln? What could they do?

It’s easier to get non security buy-in if you can provide a working exploit to show how serious a vuln is.

Speaker Bio

I started my career as a developer and for the last 20 years I’ve moved more and more into the security space. I’m currently the CTO for Drugs.com, but spend a lot of time reading through legacy code and identifying areas of concern/exploiting vulnerabilities.

===Rory Shillington - VoltsAndBits - When Shoestrings Snap===
----
Abstract

Have you ever fed a sheep to a wolf? Every day, charities, non-profit organisations and small businesses get devoured by online threats. Let’s take a look at what’s happening both at the keyboard and IRL/AFK.

Speaker Bio

Rory Shillington is an electrical engineer trying to save polar bears by day, and a jack of all admins by night.

When not designing, testing and breaking solar inverters, he helps a small handful of clients navigate the minefields of the internet while keeping their websites patched (arrr). He has a strong passion for computer security with a number of years of hands-on experience, and a tendency of venturing questionable distances to solve other people’s problems. He also maintains a number of hobby and community websites.

===Jens Dietrich - Massey University - Evil Pickles: DoS Attacks Based on Object-Graph Engineering===
----
Abstract

Evil pickles is a new type of degradation of service attack inspired by billion laughs. It exploits the object serialisation interface present in most modern languages (such as Java, C#, Ruby), and can be used to exhaust resources including CPU time, stack and heap memory of the systems attacked.

Speaker Bio

Jens is an Associate Professor at Massey University Turitea Palmerston North. Jens has a MSc in Mathematics and a PhD in Computer Science from the University of Leipzig. After graduating in 1996, he worked as a software consultant, participating in some of the first large-scale enterprise-level projects that used object-oriented programming (Smalltalk and later Java) and agile principles. Clients he worked for include Mercedes-Benz, Volkswagen and some of the largest German banks. He moved to Namibia in 1999, working for a development aid agency to establish a computing curriculum at the local university of applied science. He continued with freelance consulting work for European and US clients during this time, and started several open source projects. In 2003 he moved to New Zealand to take up a position at Massey. Jens’ research interest are in the areas of software modularisation, evolution and static analysis for bug and vulnerability detection. He currently leads a National Science Challenge project on program analysis, and his research on fast algorithms for static analysis of large Java programs has been supported by several rounds of funding by Oracle Incl (through Oracle Labs Brisbane). Jens is executive member of Software Innovation NZ (SI^NZ) and member of the ACM.

===Karan Sharma - Enough with XSS, let's talk about something else?===
----
Abstract

I think it is time to lift our game and think beyond classic vulns such as XSS, CSRF, Dir Traversal, SQLi and talk about recent web vulns which are becoming more and more common and being exploited in the wild these days like IDOR, XXE, SSRF, DOM Clobbering, RPO and Insecure Cryptographic Storage.

Speaker Bio

Working as a Security Consultant at one of the leading financial institute of NZ. Very passionate about web app security and have been doing it for over 6 years. Love building and breaking stuff especially web apps and IoT stuff. I spend my days testing web apps and network infrastructure for vulnerabilities and then help mitigate what I find.

Like to code in node.js on embedded devices and love building Web of Things oppose to Internet of Things (no pun intended).

===Dion Bramley - Secure development in Go===
----
Abstract

Google loves Go, and they claim it makes secure development much easier for people who aren’t teams of seasoned security experts. But what makes it so special? Why should you choose Go for your next secure API project? How to do secure Go. And why it can be a really terrible option for some projects

Speaker Bio

I have been working in software since 2012 using a wide range of languages. Currently I work at Spalk Ltd (yuck, sports) as a senior engineer building APIs and streaming services, and teaching interns. I studied a combination of computer science and computer engineering at UoA for 5 years. Sometimes I do free security and (engineering) design consulting for startups and charities. Hobbies include theatre, gaming, and helping people be awesome.

===Sam Shute - Quantum Security - Riding someone else’s wave with CSRF===
----
Abstract

Cross-site request forgery is one of the common vulnerabilities we are seeing in pen tests. It can be used to create or delete accounts, escalate privileges, and perform other actions. This talk will cover what it is, common issues and how to properly defend against it.

Speaker Bio

Sam is a security consultant with Quantum Security. While relatively new to the security industry he spent the last 7 years studying various security topics at the University of Waikato. Sam has been an organiser and challenge developer of the New Zealand Cyber Security Challenge for the last 3 years. His areas of interest include behavioral biometrics, the physical/digital security overlap and breaking IoT devices.

===David Pearce - Secure Your Programming Future!===
----
Abstract

Can programming languages help us write secure code? It’s an age-old question. New languages come and go, but don’t often seem that different. But wait! You haven’t seen anything like Whiley before. Forget about type checking. This is a whole new level. You might think the demo is faked. It’s not.

Speaker Bio

David graduated with a PhD from Imperial College London in 2005, and took up a lecturer position at Victoria University of Wellington, NZ. David’s PhD thesis was on efficient algorithms for pointer analysis of C, and his techniques have since been incorporated into GCC. His interests are in programming languages, compilers and static analysis. Since 2009, he has been developing the Whiley Programming Language which is designed specifically to simplify program verification. David has previously interned at Bell Labs, New Jersey, where he worked on compilers for FPGAs; and also at IBM Hursely, UK, where he worked with the AspectJ development team on profiling systems.

===Alex Hogue - Atlassian - Operation Luigi: How I hacked my friend without her noticing===
----
Abstract

My friend gave me permission to “hack all her stuff” and this is my story. It’s about what I tried, what worked, my many flubs, and how easy it is to compromise Non Paranoid People TM.

Speaker Bio

Alex is your conference speaker, your best friend, and your sweet mango boy. Alex fell off the back of a gently glowing ute 17 years ago, and now haunts the Earth in corporeal form. Critics have called him “aggressively wonky”. He does incident detection and response at Atlassian, which is kiiinda like being an adult. Catch him scratching out MEMBERS ONLY signs into MEMERS ONLY.

===David Waters - Pushpay - Handling Of A PCI Incident - PANs In The Database===
----
Abstract

Are you storing credit card numbers in your database when you’re not meant to? Would you know? We will be briefly cover PCI, and telling the story of the discovery of PANs in our pipeline. Then describe the full journey from discovery, to recovery to future prevention.

Speaker Bio

David is a Senior Software Engineer/Tech Lead and one of the leaders of the Secure Coding Guild at Pushpay, David previously worked for 3 years in the security industry including 1 year in the Security Team at Google in London and draws on 19 years experience as a systems and web developer, primarily working in .NET, Java and JavaScript.

= Diversity fund =
==Diversity and Financial Aid fund==

'''The Diversity and Financial Aid assistance fund has now closed. If you find yourself stuck and need assistance, please get in touch with kirk.jackson@owasp.org and we'll see what we can do.'''

[We have unashamedly followed the model adopted by the nz.js(con) team with their fund. Many thanks to Jen and the team!]

Due to the support of our lovely sponsors, we have some additional funding available to help people from around New Zealand attend the OWASP NZ Day that would find it hard to otherwise attend. In particular, we welcome applications from women, people of colour, LGBTIQ and all others. You all deserve to be able to learn more about security, and we’ll do our darndest to help make that happen!

Our funds are limited, and we’ll be reviewing applications every two weeks starting in December. Submit your applications soon, so we can approve them early and you’ll be in several review cycles!

Process:

* Fill out our [https://docs.google.com/forms/d/e/1FAIpQLSeTPgNCXb-3FIKetzBtTSwe1IXYckmADCK5sXPdiWRu8mdI6g/viewform application form]
* We will review and approve applications each two weeks. The next review date is in Dec 2017.
* We will contact all applicants and let them know the result of the review.
* Successful applicants will be contacted to help sort things out.

We use the following criteria to help us decide who gets approved:

* We are biased towards (but not exclusively for) diverse applicants.
* We do attempt to maximise cost efficiency and will aim to get as many people to OWASP with our limited funds.

Each successful recipient can choose whether to be kept anonymous (in which case only the OWASP NZ committee will know the details of your funding), or to be put in touch with the supporting company whose sponsorship is going towards your attendance. We think some of our sponsors may enjoy the opportunity to chat with you on the day talk about your experiences and plans for the future, but that’s totally optional and up to you.

If you have any questions, feel free to drop us an email: nick.malcolm@owasp.org | kirk.jackson@owasp.org | kim.carter@owasp.org

= Code of Conduct =
==Code of Conduct==

We want to make the OWASP NZ Day a welcoming environment for all attendees. To that end, we would like to remind you of OWASP's anti-harassment policy: [https://www.owasp.org/index.php/Governance/Conference_Policies].

Speakers, trainers and sponsors have all been reminded of these policies, and are expected to abide by them like all attendees.

If you have any concerns during the day, please seek out Kirk, Nick or Kim. We will make ourselves visible at the start of the day so you know what we look like.

<headertabs></headertabs>

[[Category:OWASP AppSec Conference]]

New Zealand

2018-02-26T20:42:00Z

Kirkj: Add Feb WLG talk

{{Chapter Template|chaptername=New_Zealand|extra=The chapter leaders are [mailto:denis.andzakovic@owasp.org Denis Andzakovic], [mailto:kim.carter@owasp.org Kim Carter] and [mailto:kirk.jackson@owasp.org Kirk Jackson]. |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-newzealand|emailarchives=http://lists.owasp.org/pipermail/owasp-newzealand}}

[[Category:OWASP Chapter]]

== Upcoming Events ==

Events also need to be listed in the [https://www.tfaforms.com/301382 OCMS system].

; 28 March 2018
[https://www.meetup.com/OWASP-New-Zealand-Chapter-Christchurch/events/241803609/ OWASP NZ Christchurch Meetup page]
: '''CERT NZ'''
: '''Location:''' Christchurch
: '''Co-Sponsor:''' [http://www.catalyst.net.nz/ Catalyst]

== ''' 2018 ''' ==

; 26 Feb 2018
[https://www.meetup.com/OWASP-Wellington/events/246852662/ OWASP NZ Wellington Meetup page]
: '''CERT NZ - Who are we? How are websites getting hacked in real life? with Declan Ingram'''
: '''Video:''' [https://www.youtube.com/watch?v=WhYh-eUqxIA]
: '''Location:''' Wellington
: '''Presented by:''' Declan Ingram

; 5 Feb 2018

[https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2018 https://www.owasp.org/images/5/53/NZ_day_2018_web.jpg] 

OWASP NZ Day 2018 will be held on Monday the 5th of February 2018 at the University of Auckland School of Business.

'''Gold Sponsors:'''
<table width="100%" border="0" cellspacing="7" cellpadding="0">
<tr>
<td><center>[http://www.zxsecurity.co.nz/ https://www.owasp.org/images/2/27/Zx.png]</center></td>
<td> </td>
<td> </td>
<td><center>[http://www.insomniasec.com https://www.owasp.org/images/e/ef/INSOMNIA.PNG]</center></td>
<td> </td>
<td> </td>
<td><center>[http://www.aurainfosec.com/ https://www.owasp.org/images/e/ef/Aura_PBK_Colour.jpg]</center></td>
</tr>
</table>
 

== ''' 2017 ''' ==

; 2 Oct 2017
[https://www.meetup.com/OWASP-Wellington/events/242968218/ OWASP NZ Wellington Meetup page]
: '''Presentation:''' Same-origin policy: The core of web security
: '''Video:''' [https://www.youtube.com/watch?v=5wFCRANIbdc]
: '''Location:''' Wellington
: '''Presented By:''' Kirk Jackson

; 27 Sept 2017
[https://www.meetup.com/OWASP-New-Zealand-Chapter-Christchurch/events/241328587/ OWASP NZ Christchurch Meetup page]
: '''Securing your data (your business) using SQL Server 2016'''
: '''Presented By:''' [https://twitter.com/shantha05 Anupama Natarajan]
: '''Location:''' Christchurch
: '''Co-Sponsor:''' [http://www.catalyst.net.nz/ Catalyst]

; 31 July 2017
[https://www.meetup.com/OWASP-New-Zealand-Chapter-Wellington/events/241187473/ OWASP NZ Wellington Meetup page]
: '''Presentation:''' What is Cross-Site Request Forgery?
: '''Video:''' [https://www.youtube.com/watch?v=G1aLGaMqnm0]
: '''Location:''' Wellington
: '''Presented By:''' Vales Bakaitis

; 28 June 2017
[https://www.meetup.com/OWASP-New-Zealand-Chapter-Christchurch/events/236349292/ OWASP NZ Christchurch Meetup page]
: '''Web Developer Quiz Night'''
: '''Prepared and Presented By:''' [https://twitter.com/binarymist Kim Carter]
: '''Details:''' [https://binarymist.io/talk/owaspnz-chch-meetup-workshop-quiz-night/ on binarymist.io]
: '''Location:''' Christchurch
: '''Co-Sponsor:''' [http://www.catalyst.net.nz/ Catalyst]

; 29 May 2017
[https://www.meetup.com/OWASP-New-Zealand-Chapter-Wellington/events/239202702/ OWASP NZ Wellington Meetup page]
: '''Presentation:''' Developer's Guide to Preventing XSS
: '''Video:''' [https://www.youtube.com/watch?v=0J5Rpf3nNjU]
: '''Location:''' Wellington
: '''Presented By:''' Felix Shi

;19th and 20th of April 2017

[https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2017 https://www.owasp.org/images/6/63/OWASP_NZ_Day_2017_logo.jpg] 

At the University of Auckland School of Business

'''Gold Sponsors:'''
<table width="100%" border="0" cellspacing="7" cellpadding="0">
<tr>
<td><center>[http://www.security-assessment.com https://www.owasp.org/images/4/41/SA_Logo_w_DD.gif]</center></td>
<td> </td>
<td> </td>
<td><center>[http://www.insomniasec.com https://www.owasp.org/images/e/ef/INSOMNIA.PNG]</center></td>
<td> </td>
<td> </td>
<td><center>[http://www.aurainfosec.com/ https://www.owasp.org/images/e/ef/Aura_PBK_Colour.jpg]</center></td>
</tr>
<tr>
<td><center>[https://www.redshield.co/ https://www.owasp.org/images/a/ab/Redshield.png]</center></td>
<td> </td>
<td> </td>
<td><center>[http://www.zxsecurity.co.nz/ https://www.owasp.org/images/2/27/Zx.png]</center></td>
<td> </td>
<td> </td>
<td><center>[http://www.quantumsecurity.co.nz/ https://www.owasp.org/images/4/4e/Quantumblack3.png]</center></td>
</tr>
</table>
 

; 29 March 2017
[https://www.meetup.com/OWASP-New-Zealand-Chapter-Christchurch/events/236349292/ OWASP NZ Christchurch Meetup page]
: '''PHP Hurts Programmers (and other tales)'''
: '''Presented By:''' [https://twitter.com/spronkey Keith Humm]
: '''Slides:''' [https://speakerdeck.com/spronkey/php-hurts-programmers-and-other-tales on speakerdeck]
: '''Locations:''' Christchurch
: '''Co-Sponsor:''' [http://www.catalyst.net.nz/ Catalyst]

; 27 Feb 2017
[https://www.meetup.com/OWASP-New-Zealand-Chapter-Wellington/events/237712167/ OWASP NZ Wellington Meetup page]
: '''Presentation:''' Building the ultimate login and signup
: '''Video:''' [https://www.youtube.com/watch?v=E25KxLKwY-M Youtube]
: '''Location:''' Wellington
: '''Presented By:''' Matt Cotterell

; 29 November 2016
[https://www.meetup.com/OWASP-New-Zealand-Chapter-Wellington/events/233253214/ OWASP NZ Wellington Meetup page]
: '''Presentation:''' OWASP Top Ten - Developing secure web apps (PHP-flavoured)
: '''Video:''' [https://www.youtube.com/watch?v=7u08zCz9viU Youtube]
: '''Location:''' Wellington
: '''Presented By:''' Kirk Jackson
: In conjunction with the [https://www.meetup.com/PHP-Usergroup-Wellington/ PHP user group Wellington]

; 10 October 2016
[https://www.meetup.com/OWASP-New-Zealand-Chapter-Wellington/events/233954065/ OWASP NZ Wellington Meetup page]
: '''Presentation:''' Introduction to Ruby on Rails security
: '''Video:''' [https://www.youtube.com/watch?v=Hez1QYc9yo8 Youtube]
: '''Locations:''' Wellington
: '''Presented By:''' Tim Goddard
: '''Sponsor:''' [https://www.insomniasec.com Insomnia]

; 28 September 2016
[https://www.meetup.com/OWASP-New-Zealand-Chapter-Christchurch/events/232611291/ OWASP NZ Christchurch Meetup page]
: '''Presentation / Demo''' Applying Cold War Learnings to our Daily OPSEC
: '''DeadDrop:''' (https://deaddrop.jadeworld.com/)
: '''Github:''' (https://github.com/phage-nz/deaddrop)
: '''Chris's Blog Post:''' (https://bytefog.blogspot.co.nz/2015/09/burn-after-reading.html)
: '''Locations:''' Christchurch
: '''Presented By:''' [https://twitter.com/phage_nz Chris Campbell]
: '''Co-Sponsor:''' [http://www.catalyst.net.nz/ Catalyst] and [http://blog.binarymist.net/ BinaryMist]

; 29 August 2016
[https://www.meetup.com/OWASP-New-Zealand-Chapter-Wellington/events/232212284/ OWASP NZ Wellington Meetup page]
: '''Presentation:''' Mobile app security: Intro to the OWASP Mobile Top 10
: '''Video:''' [https://www.youtube.com/watch?v=SbXO6wNvOM4 Youtube]
: '''Location:''' Wellington
: '''Presented By:''' Mike Haworth

; 29 June 2016
[http://www.meetup.com/OWASP-New-Zealand-Chapter-Christchurch/events/229985413/ OWASP NZ Christchurch Meetup page]
: '''Presentation / Demo''' Security Regression Testing with ZapAPI and NodeGoat
: '''Teaser:''' (https://youtu.be/DrwXUOJWMoo)
: '''Github:''' (https://github.com/binarymist/NodeGoat/wiki/Security-Regression-Testing-with-Zap-API)
: '''Sourced From:''' Kims Book (https://leanpub.com/holistic-infosec-for-web-developers/read#process-agile-development-and-practices-security-regression-testing)
: '''Locations:''' Christchurch
: '''Presented By:''' [https://twitter.com/binarymist Kim Carter]
: '''Co-Sponsor:''' [http://www.catalyst.net.nz/ Catalyst] and [http://blog.binarymist.net/ BinaryMist]

; 27 June 2016
[http://www.meetup.com/OWASP-New-Zealand-Chapter-Wellington/events/232017285/ OWASP NZ Wellington Meetup page]
: '''Presentation:''' Introduction to using a web application firewall
: '''Video:''' [https://www.youtube.com/watch?v=iAPFf9Iqwos Youtube]
: '''Location:''' Wellington
: '''Presented By:''' Graeme Neilson
: '''Sponsor:''' [https://www.redshield.co RedShield]

; 30 March 2016
[http://www.meetup.com/OWASP-New-Zealand-Chapter-Christchurch/events/226227782/ OWASP NZ Christchurch Meetup page]
: '''Presentation:''' Qubes OS Discussion (https://www.qubes-os.org)
: '''Locations:''' Christchurch
: '''Presented By:''' Craig Rowland
: '''Co-Sponsor:''' [http://www.dimensiondata.com/en-NZ Dimension Data] and [http://binarymist.io/ BinaryMist Limited]

== ''' 2016 ''' ==

;3rd and 4th of February 2016

[https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2016 https://www.owasp.org/images/2/23/OWASP_NZ_Day_2016_logo.jpg] 

At the University of Auckland School of Commerce

'''Gold Sponsors:'''
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td><center>[[File:INSOMNIA.PNG|center|300px|link=http://www.insomniasec.com/]]</center></td>
<td> </td>
<td> </td>
<td><center>[[File:RedShield.png|center|300px|link=https://auraredshield.com/]]</center></td>
<td> </td>
<td> </td>
<td><center>[http://www.security-assessment.com https://www.owasp.org/images/4/41/SA_Logo_w_DD.gif]</center></td>
</tr>
<tr>
<td><center>[http://www.insomniasec.com Insomnia Security]</center></td>
<td> </td>
<td> </td>
<td><center>[https://auraredshield.com/ Aura RedShield]</center></td>
<td> </td>
<td> </td>
<td><center>[http://www.security-assessment.com www.security-assessment.com]</center></td>
</tr>
</table>

== ''' 2015 ''' ==

; 25 November 2015
[http://www.meetup.com/OWASP-New-Zealand-Chapter-Christchurch/events/225737100/ OWASP NZ Christchurch Meetup page]
: '''Presentation:''' UAC, Governance and Managing the External Infosec Audit
: '''Locations:''' Christchurch
: '''Presented By:''' Drewe Hinkley
: '''Co-Sponsor:''' [http://www.dimensiondata.com/en-NZ Dimension Data] and [http://binarymist.io/ BinaryMist Limited]

; 30 September 2015
[http://www.meetup.com/OWASP-New-Zealand-Chapter-Christchurch/events/223462991/ OWASP NZ Christchurch Meetup page]
: '''Two part Presentation:''' The Exploited and the Exploiters - Case Study of a Real Cyber Hack and Live Demo's from [https://leanpub.com/b/holisticinfosecforwebdevelopers Kims book]
: '''Locations:''' Christchurch
: '''Presented By:''' Salinda Lekamge and [https://twitter.com/binarymist Kim Carter]

; 24 June 2015
[http://www.meetup.com/OWASP-New-Zealand-Chapter-Christchurch/events/221412721/ OWASP NZ Christchurch Meetup page]
: '''Presentation:''' "[http://blog.binarymist.net/presentations-publications/#does-your-cloud-solution-look-like-a-mushroom Does Your Cloud Solution Look Like a Mushroom]".
: '''Locations:''' Christchurch
: '''Presented By:''' [https://twitter.com/binarymist Kim Carter].
: '''Co-Sponsor:''' [http://www.dimensiondata.com/en-NZ Dimension Data] and [http://binarymist.io/ BinaryMist Limited]

; 25 March 2015
[http://www.meetup.com/OWASP-New-Zealand-Chapter-Christchurch/events/219456317/ OWASP NZ Christchurch Meetup page]
: '''Presentation:''' Reverse Engineering, Cracking, Compromising Software Security & Mitigations
: '''Locations:''' Christchurch
: '''Presented By:''' Rob Gilmour, Senior Software Engineer, Technical Support, JADE Software Corporation Ltd.
: '''Co-Sponsor:''' [http://www.dimensiondata.com/en-NZ Dimension Data] and [http://binarymist.io/ BinaryMist Limited]

;26th and 27th of February 2015

[[File:OWASP_NZ_Day_2015_logo_small.png|400px|link=https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2015|26th and 26th February 2015 - University of Auckland Engineering Department
]]

At the University of Auckland Engineering Department

== ''' 2014 ''' ==

; 26 November 2014
[http://www.meetup.com/OWASP-New-Zealand-Chapter-Christchurch/events/209420462/ OWASP NZ Christchurch Meetup page]
: '''Workshop:''' Review SSL/TLS, demo sslstrip and mitigation techniques
: '''Locations:''' Christchurch
: '''Presented By:''' [https://twitter.com/kevinnz Kevin Alcock], [https://twitter.com/katiposec Security Consultant] at [https://katiposec.com/ Katipo Security]
: '''Co-Sponsor:''' [http://www.dimensiondata.com/en-NZ Dimension Data] and [http://binarymist.net/ BinaryMist Limited]

; 25 September 2014
[http://www.meetup.com/OWASP-New-Zealand-Chapter-Christchurch/events/198512052/ OWASP NZ Christchurch Meetup page]
: '''Workshop:''' Review, Exploit and Learn from [https://bytefog.blogspot.co.nz/2015/11/lord-of-flies.html Vulnerable Web App]
: '''Locations:''' Christchurch
: '''Presented By:''' [https://twitter.com/t0x0_nz Chris Campbell], Security & Operations Consultant Jade
: '''Co-Sponsor:''' [http://www.dimensiondata.com/en-NZ Dimension Data] and [http://binarymist.net/ BinaryMist Limited]

; 24 July 2014
[http://www.meetup.com/OWASP-New-Zealand-Chapter-Wellington/events/193784032/ OWASP NZ Wellington Meetup page]
: '''Workshop:''' Web App Security Workshop
: '''Locations:''' Wellington
: '''Presented By:''' Adrian Hayes
: '''Sponsor:''' [http://www.dimensiondata.com/en-NZ Dimension Data]

== '''2013''' ==

; 19 December 2013
[http://www.meetup.com/OWASP-New-Zealand-Chapter/events/154075992/ Meetup Link Here]
: '''Co-Sponsor:''' [http://security-assessment.com Security-Assessment.com] and [http://www.touchpoint.co.nz Touchpoint]
: '''Locations:''' Wellington, Auckland, Christchurch, Webcast
: '''Details:''' All details are on the meetup page above
: '''Presentation:''' [https://www.owasp.org/images/9/9f/Extending-Burp-with-Python.pptx Extending Burp with Python]
: '''Presented By:''' Mike Haworth, Aura Information Security

;11th and 12th of September 2013

[[File:OWASP_NZ_Day_2013_logo.png|400px|link=https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2013|11th and 12st September 2013 - Auckland Business School
]]

At the Auckland Business School

[[OWASP New Zealand Day 2013|https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2013]]

; 22 May 2013
[http://www.meetup.com/OWASP-New-Zealand-Chapter/events/115108982/ OWASP Meetup page to RSVP]
: '''Co-Sponsor:''' [http://security-assessment.com Security-Assessment.com] and [http://www.touchpoint.co.nz Touchpoint]
: '''Locations:''' Wellington, Auckland, Webcast
: '''Details:''' All details are on the meetup page above

== '''2012''' ==

; 31st August 2012
[https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2012 OWASP New Zealand Day 2012]
: '''Co-Sponsor:''' [http://www.auckland.ac.nz/ The University of Auckland], [http://www.security-assessment.com Security-Assessment.com], [http://www.aurainfosec.com Aura Information Security], [http://www.insomniasec.com Insomnia Security], [http://www.lateralsecurity.com Lateral Security], [http://www.webdrive.co.nz Web Drive]
: '''Location:''' Auckland
: '''Event site:''' [[OWASP_New_Zealand_Day_2012|OWASP New Zealand Day 2012]]

; 8th May 2012
: '''Co-Sponsor:''' [http://security-assessment.com Security-Assessment.com] and [http://www.touchpoint.co.nz Touchpoint]
: '''Locations:''' Wellington, Auckland
: '''Presentation:''' [https://www.owasp.org/images/e/e0/Owasp2012-MarkPiper.pdf An Overview and introduction to modern day BeEF]
: '''Presented By:''' Mark Piper, Insomnia Security

; 28th February 2012
: '''Co-Sponsor:''' [http://security-assessment.com Security-Assessment.com] and [http://www.touchpoint.co.nz Touchpoint]
: '''Locations:''' Wellington, Auckland
: '''Presentation:''' [https://www.owasp.org/images/2/27/OWASP_Top_10-7_to_10-aj.pdf Introduction to the OWASP Top Ten - Part 3]
: '''Presented By:''' Adrian Hayes, Security Consultant (Security-Assessment.com)
: '''Presentation:''' [https://www.owasp.org/images/0/08/OWASP-Mistaken_Identity-Password_Reset-nickf.pdf Mistaken Identity: How Not To Build A Password Reset Process]
: '''Presented By:''' Nick Freeman, Senior Security Consultant (Security-Assessment.com)

== '''2011''' ==


; 6th December 2011
: '''Co-Sponsor:''' [http://security-assessment.com Security-Assessment.com] and [http://www.touchpoint.co.nz Touchpoint]
: '''Locations:''' Wellington, Auckland
: '''Presentation:''' [https://www.owasp.org/images/6/6d/OWASP_NZ-DEC2011-OWASP_Top_10-4_to_6.pdf Introduction to the OWASP Top Ten - Part 2]
: '''Presented By:''' Adrian Hayes, Security Consultant (Security-Assessment.com)
: '''Presentation:''' [https://www.owasp.org/images/1/15/OWASP_NZ-DEC2011-Hardened_Hosting.pdf Hardened Hosting]
: '''Presented By:''' Quintin Russ, Technical Director (SiteHost)

; 20th September 2011
: '''Co-Sponsor:''' [http://security-assessment.com Security-Assessment.com]
: '''Locations:''' Wellington, Auckland
: '''Presentation:''' [https://www.owasp.org/images/c/cf/OWASP_NZ_SEP2011_TOP-10_1-of-3.pdf Introduction to the OWASP Top Ten - Part 1]
: '''Presented By:''' Nick Freeman, Security Consultant (Security-Assessment.com)
: '''Presentation:''' [https://www.owasp.org/images/3/31/OWASP_NZ_SEP2011_Clickjacking-for-shells_PDF-version.pdf Clickjacking for Shells]
: '''Presented By:''' Andrew Horton, Security Consultant (Security-Assessment.com)

; 7th July 2011
[https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2011 https://www.owasp.org/images/0/05/OWASP_NZ_Day_2011_Logo.png]
: '''Co-Sponsor:''' [http://www.security-assessment.com Security-Assessment.com], [http://www.auckland.ac.nz/ The University of Auckland]
: '''Location:''' Auckland
: '''Presentations:''' [http://www.owasp.org/index.php/OWASP_New_Zealand_Day_2011#tab=Speakers Download]
: '''Event site:''' [[OWASP_New_Zealand_Day_2011|OWASP New Zealand Day 2011]]

; 2nd March 2011
: '''Co-Sponsor:''' [http://security-assessment.com Security-Assessment.com]
: '''Locations:''' Wellington, Auckland
: '''Presentation:''' Crazy Insecure Web Apps Google Didn't Tell You About..
: '''Presented By:''' Adrian Hayes, Security Consultant (Security-Assessment.com)
: '''Presentation:''' [http://www.owasp.org/images/5/5e/2011-03-02-OWASP.pdf I know what you did last summer: The latest from the world of web hacks]
: '''Presented By:''' Kirk Jackson, Security Consultant (Aura Software Security)

== '''2010''' ==



; 15th July 2010
[https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2010 http://www.owasp.org/images/a/a7/Owasp_nz_day_2010.jpg]
: '''Co-Sponsor:''' [http://www.security-assessment.com Security-Assessment.com], [http://www.lateralsecurity.com Lateral Security], [http://www.auckland.ac.nz/ The University of Auckland]
: '''Location:''' Auckland
: '''Presentations:''' [http://www.owasp.org/index.php/OWASP_New_Zealand_Day_2010#tab=Presentations Download]
: '''Event site:''' [[OWASP_New_Zealand_Day_2010|OWASP New Zealand Day 2010]]

; 4th March 2010
: '''Co-Sponsor:''' [http://security-assessment.com Security-Assessment.com]
: '''Locations:''' Wellington, Auckland
: '''Presentation:''' MS-SQL Injections.
: '''Presented By:''' Scott Bell, Security Consultant (Security-Assessment.com)

== '''2009''' ==



; 10th November 2009
: '''Co-Sponsor:''' [http://security-assessment.com Security-Assessment.com]
: '''Locations:''' Wellington, Auckland
: '''Presentation:''' Testing AMF/Flex.
: '''Presented By:''' Nick Freeman, Security Consultant (Security-Assessment.com)
: '''Presentation:''' "Shared Ownership", from a web security perspective.
: '''Presented By:''' Quintin Russ, Technical Director (Site Host)

; 13th July 2009
[https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2009 https://www.owasp.org/images/8/85/Owasp_nz_logo.jpg]
: '''Co-Sponsor:''' [http://www.security-assessment.com Security-Assessment.com], [http://www.lateralsecurity.com Lateral Security], [http://www.auckland.ac.nz/ The University of Auckland]
: '''Location:''' Auckland
: '''Presentations:''' [http://www.owasp.org/index.php/OWASP_New_Zealand_Day_2009#tab=Presentations Download]
: '''Event site:''' [[OWASP_New_Zealand_Day_2009|OWASP New Zealand Day 2009]]

; 19th March 2009
: '''Co-Sponsor:''' [http://www.vodafone.co.nz Vodafone New Zealand] and [http://security-assessment.com Security-Assessment.com]
: '''Locations:''' Wellington, Auckland
: '''Presentation:''' "[http://www.owasp.org/index.php/Image:ActiveXploitation_In_2009.pptx ActiveXploitation in 2009]"
: '''Presented By:''' Paul Craig, Principal Security Consultant (Security-Assessment.com)
: '''Presentation:''' "[http://www.owasp.org/index.php/Image:OWASP_Mar09_Reversing_JavaScript.zip Reversing JavaScript]"
: '''Presented By:''' Roberto Suggi Liverani, Senior Security Consultant (Security-Assessment.com)

== '''2008''' ==


; 5th November 2008
: '''Co-Sponsor:''' [http://www.vodafone.co.nz Vodafone New Zealand] and [http://security-assessment.com Security-Assessment.com]
: '''Locations:''' Wellington, Auckland
: '''Presentation:''' "[https://www.owasp.org/index.php/Image:Common_Application_Flaws.ppt Common Application Flaws]"
: '''Presented By:''' Brett Moore, Network Intrusion Specialist (Insomnia Security)
: '''Presentation:''' "In your Browser, Jackin your Clicks"
: '''Presented By:''' Beau Butler, Security Consultant (Security-Assessment.com)
: '''Presentation:''' "Opera Stored Cross Site Scripting"
: '''Presented By:''' Roberto Suggi Liverani, Security Consultant (Security-Assessment.com)

; 3rd September 2008
: '''Co-Sponsor:''' [http://www.microsoft.com/en/nz/default.aspx Microsoft] and [http://security-assessment.com Security-Assessment.com]
: '''Locations:''' Wellington, Auckland
: '''Presentation:''' "[https://www.owasp.org/index.php/Image:Browser_security.ppt Browser Security]"
: '''Presented By:''' Roberto Suggi Liverani, Security Consultant (Security-Assessment.com)
: '''Presentation:''' "[https://www.owasp.org/index.php/Image:Time_Based_SQL_Injections.ppt Time based blind SQL Injections]"
: '''Presented By:''' Muhaimin Dzulfakar, Security Consultant (Security-Assessment.com)

; 25th June 2008
: '''Co-Sponsor:''' [http://security-assessment.com Security-Assessment.com]
: '''Locations:''' Wellington, Auckland
: '''Presentation:''' "Fuzz the Web"
: '''Presented By:''' Dean Jerkovich, Security Analyst (ASB)
: '''Presentation:''' "Hacking The World With Flash Part #2: The Results"
: '''Presented By:''' Paul Crag, Principal Security Consultant (Security-Assessment.com)

; 29th April 2008
: '''Co-Sponsor:''' [http://security-assessment.com Security-Assessment.com]
: '''Locations:''' Wellington, Auckland
: '''Presentation:''' "[https://www.owasp.org/index.php/Image:Hacking_The_World_With_Flash.ppt Hacking The World With Flash]"
: '''Presented By:''' Paul Craig, Principal Security Consultant (Security-Assessment.com)
: '''Presentation:''' "[https://www.owasp.org/index.php/Image:Web_spam_techniques.ppt Web Spam Techniques] - also available in [http://malerisch.net/docs/web_spam_techniques/web_spam_techniques.html HTML] format"
: '''Presented By:''' Roberto Suggi Liverani, Security Consultant (Security-Assessment.com)

; 21st February 2008
: '''Co-Sponsor:''' [http://www.vedaadvantage.com/home/home_default.aspx Veda Advantage]
: '''Locations:''' Auckland
: '''Presentation:''' "[http://www.owasp.org/index.php/Image:Xpath_Injection.ppt Xpath Injection - An Overview]"
: '''Presented By:''' Roberto Suggi Liverani, Security Consultant (Security-assessment.com)

== '''2007''' ==


; 5th December 2007
: '''Co-Sponsor:''' [http://www.vedaadvantage.com/home/home_default.aspx Veda Advantage]
: '''Locations:''' Auckland
: '''Presentation:''' "[http://malerisch.net/docs/ajax_security/Ajax_security.ppt Ajax Security]"
: '''Presented By:''' Roberto Suggi Liverani, Security Consultant (Security-assessment.com)
: '''Presentation:''' "On the job browser exploitation"
: '''Presented By:''' Mark Piper, Senior Security Consultant (Security-assessment.com)

; 22nd May 2007
: '''Co-Sponsor:''' [http://www.vedaadvantage.com/home/home_default.aspx Veda Advantage]
: '''Press Release:''' [http://www.vedaadvantage.com/vantage/news_in_brief_and_events/host_nz_owasp_meeting.aspx VedaAdvantage.com]
: '''Locations:''' Auckland
: '''Presentation:''' "OWASP in New Zealand"
: '''Presented By:''' Roberto Suggi Liverani / Antonio Spera

; April 2007
: '''Co-Sponsor:''' [http://www.vedaadvantage.com/home/home_default.aspx Veda Advantage]
: '''Locations:''' Auckland

; January 2007
: '''Co-Sponsor:''' [http://www.vedaadvantage.com/home/home_default.aspx Veda Advantage]
: '''Locations:''' Auckland

== Activities ==

OWASP New Zealand members actively participate in various OWASP activities. The following are some recent activities undertaken by OWASP NZ members:

* Kim Carter ran a [http://www.meetup.com/owaspnycmetro/events/228716474/ workshop] at the NYC chapter
* Kirk Jackson stepped up to replace Adrian Hayes for Wellington from New Zealand day 2016 onwards.
* Denis Andzakovic stepped up to replace Nick Freeman for Auckland in March 2014
* Kim Carter came on board to lead Christchurch from New Zealand Day 2013 onwards.
* Nick Freeman and Scott Bell have been appointed as the new leaders of the new OWASP New Zealand Chapter
* Roberto Suggi Liverani has resigned from his position as OWASP New Zealand Chapter Leader
* Roberto Suggi Liverani will be speaking at OWASP AppSec Asia 2009 conference
* Roberto Suggi Liverani and Nick Freeman will be speaking at Defcon 17
* OWASP NZ Day 2009 - [http://www.owasp.org/index.php/OWASP_New_Zealand_Day_2009#tab=Presentations Presentations online]
* Roberto Suggi Liverani and Nick Freeman will be speaking at EUSecWest 09
* Brett Moore will be speaking at [http://www.owasp.org/index.php/OWASP_AU_Conference_2009 OWASP AU Conference] about "Vulnerabilities In Action".
* Roberto Suggi Liverani contributed to the [http://www.owasp.org/index.php/OWASP_Testing_Project OWASP Testing Guide v3].
* Mark Piper took his "On the job browser exploitation" talk to the [http://www.owasp.org/index.php/OWASP_Australia_AppSec_2008_Conference OWASP_Australia_AppSec_2008_Conference].
* Rob Munro has been appointed as OWASP Evangelist
* OWASP NZ has audio/video conference capability between Auckland and Wellington

== OWASP NZ Members ==

We are always looking for additional board members to evangelise the OWASP mission help with meetings, projects and initiatives as we all know it takes time/effort to run a chapter. Please contact us if you are interested to join the NZ OWASP board member or for any queries related to OWASP NZ.

<ul>
*NZ Board Member (Leader - Auckland) [mailto:denis.andzakovic@owasp.org Denis Andzakovic]
*NZ Board Member (Leader - Wellington) [mailto:kirk.jackson@owasp.org Kirk Jackson]
*NZ Board Member (Leader - Christchurch) [mailto:kim.carter@owasp.org Kim Carter] 0274 622 607
</ul>

== Chapter Sponsors ==

<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td><center>[http://www.security-assessment.com https://www.owasp.org/images/a/a4/Security-assessment_com.jpeg]</center></td>
<td> </td>
<td> </td>
<td> </td>
</tr>
<tr>
<td><center>[http://www.security-assessment.com www.security-assessment.com]</center></td>
<td> </td>
<td> </td>
<td> </td>
</tr>
<tr>
<td><center>[http://www.touchpoint.co.nz https://www.owasp.org/images/d/d8/Touchpoint.jpg]</center></td>
<td> </td>
<td> </td>
<td> </td>
</tr>
<tr>
<td><center>[http://www.touchpoint.co.nz www.touchpoint.co.nz]</center></td>
<td> </td>
<td> </td>
<td> </td>
</tr>
<tr>
<td><center>[http://binarymist.io https://www.owasp.org/images/4/4c/BinaryMistLimited.png]</center></td>
<td> </td>
<td> </td>
<td> </td>
</tr>
<tr>
<td><center>[http://binarymist.io binarymist.io]</center></td>
<td> </td>
<td> </td>
<td> </td>
</tr>
</table>

New Zealand

2018-02-13T04:06:06Z

Kirkj: Add missing Wellington events

{{Chapter Template|chaptername=New_Zealand|extra=The chapter leaders are [mailto:denis.andzakovic@owasp.org Denis Andzakovic], [mailto:kim.carter@owasp.org Kim Carter] and [mailto:kirk.jackson@owasp.org Kirk Jackson]. |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-newzealand|emailarchives=http://lists.owasp.org/pipermail/owasp-newzealand}}

[[Category:OWASP Chapter]]

== Upcoming Events ==

; 26 Feb 2018
https://www.meetup.com/OWASP-Wellington/events/246852662/ OWASP NZ Wellington Meetup page]
: '''CERT NZ - Who are we? How are websites getting hacked in real life? with Declan Ingram'''
: '''Location:''' Wellington

; 28 March 2018
[https://www.meetup.com/OWASP-New-Zealand-Chapter-Christchurch/events/241803609/ OWASP NZ Christchurch Meetup page]
: '''CERT NZ'''
: '''Location:''' Christchurch
: '''Co-Sponsor:''' [http://www.catalyst.net.nz/ Catalyst]

== ''' 2018 ''' ==

; 5 Feb 2018

[https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2018 https://www.owasp.org/images/5/53/NZ_day_2018_web.jpg] 

OWASP NZ Day 2018 will be held on Monday the 5th of February 2018 at the University of Auckland School of Business.

'''Gold Sponsors:'''
<table width="100%" border="0" cellspacing="7" cellpadding="0">
<tr>
<td><center>[http://www.zxsecurity.co.nz/ https://www.owasp.org/images/2/27/Zx.png]</center></td>
<td> </td>
<td> </td>
<td><center>[http://www.insomniasec.com https://www.owasp.org/images/e/ef/INSOMNIA.PNG]</center></td>
<td> </td>
<td> </td>
<td><center>[http://www.aurainfosec.com/ https://www.owasp.org/images/e/ef/Aura_PBK_Colour.jpg]</center></td>
</tr>
</table>
 

== ''' 2017 ''' ==

; 2 Oct 2017
[https://www.meetup.com/OWASP-Wellington/events/242968218/ OWASP NZ Wellington Meetup page]
: '''Presentation:''' Same-origin policy: The core of web security
: '''Video:''' [https://www.youtube.com/watch?v=5wFCRANIbdc]
: '''Location:''' Wellington
: '''Presented By:''' Kirk Jackson

; 27 Sept 2017
[https://www.meetup.com/OWASP-New-Zealand-Chapter-Christchurch/events/241328587/ OWASP NZ Christchurch Meetup page]
: '''Securing your data (your business) using SQL Server 2016'''
: '''Presented By:''' [https://twitter.com/shantha05 Anupama Natarajan]
: '''Location:''' Christchurch
: '''Co-Sponsor:''' [http://www.catalyst.net.nz/ Catalyst]

; 31 July 2017
[https://www.meetup.com/OWASP-New-Zealand-Chapter-Wellington/events/241187473/ OWASP NZ Wellington Meetup page]
: '''Presentation:''' What is Cross-Site Request Forgery?
: '''Video:''' [https://www.youtube.com/watch?v=G1aLGaMqnm0]
: '''Location:''' Wellington
: '''Presented By:''' Vales Bakaitis

; 28 June 2017
[https://www.meetup.com/OWASP-New-Zealand-Chapter-Christchurch/events/236349292/ OWASP NZ Christchurch Meetup page]
: '''Web Developer Quiz Night'''
: '''Prepared and Presented By:''' [https://twitter.com/binarymist Kim Carter]
: '''Details:''' [https://binarymist.io/talk/owaspnz-chch-meetup-workshop-quiz-night/ on binarymist.io]
: '''Location:''' Christchurch
: '''Co-Sponsor:''' [http://www.catalyst.net.nz/ Catalyst]

; 29 May 2017
[https://www.meetup.com/OWASP-New-Zealand-Chapter-Wellington/events/239202702/ OWASP NZ Wellington Meetup page]
: '''Presentation:''' Developer's Guide to Preventing XSS
: '''Video:''' [https://www.youtube.com/watch?v=0J5Rpf3nNjU]
: '''Location:''' Wellington
: '''Presented By:''' Felix Shi

;19th and 20th of April 2017

[https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2017 https://www.owasp.org/images/6/63/OWASP_NZ_Day_2017_logo.jpg] 

At the University of Auckland School of Business

'''Gold Sponsors:'''
<table width="100%" border="0" cellspacing="7" cellpadding="0">
<tr>
<td><center>[http://www.security-assessment.com https://www.owasp.org/images/4/41/SA_Logo_w_DD.gif]</center></td>
<td> </td>
<td> </td>
<td><center>[http://www.insomniasec.com https://www.owasp.org/images/e/ef/INSOMNIA.PNG]</center></td>
<td> </td>
<td> </td>
<td><center>[http://www.aurainfosec.com/ https://www.owasp.org/images/e/ef/Aura_PBK_Colour.jpg]</center></td>
</tr>
<tr>
<td><center>[https://www.redshield.co/ https://www.owasp.org/images/a/ab/Redshield.png]</center></td>
<td> </td>
<td> </td>
<td><center>[http://www.zxsecurity.co.nz/ https://www.owasp.org/images/2/27/Zx.png]</center></td>
<td> </td>
<td> </td>
<td><center>[http://www.quantumsecurity.co.nz/ https://www.owasp.org/images/4/4e/Quantumblack3.png]</center></td>
</tr>
</table>
 

; 29 March 2017
[https://www.meetup.com/OWASP-New-Zealand-Chapter-Christchurch/events/236349292/ OWASP NZ Christchurch Meetup page]
: '''PHP Hurts Programmers (and other tales)'''
: '''Presented By:''' [https://twitter.com/spronkey Keith Humm]
: '''Slides:''' [https://speakerdeck.com/spronkey/php-hurts-programmers-and-other-tales on speakerdeck]
: '''Locations:''' Christchurch
: '''Co-Sponsor:''' [http://www.catalyst.net.nz/ Catalyst]

; 27 Feb 2017
[https://www.meetup.com/OWASP-New-Zealand-Chapter-Wellington/events/237712167/ OWASP NZ Wellington Meetup page]
: '''Presentation:''' Building the ultimate login and signup
: '''Video:''' [https://www.youtube.com/watch?v=E25KxLKwY-M Youtube]
: '''Location:''' Wellington
: '''Presented By:''' Matt Cotterell

; 29 November 2016
[https://www.meetup.com/OWASP-New-Zealand-Chapter-Wellington/events/233253214/ OWASP NZ Wellington Meetup page]
: '''Presentation:''' OWASP Top Ten - Developing secure web apps (PHP-flavoured)
: '''Video:''' [https://www.youtube.com/watch?v=7u08zCz9viU Youtube]
: '''Location:''' Wellington
: '''Presented By:''' Kirk Jackson
: In conjunction with the [https://www.meetup.com/PHP-Usergroup-Wellington/ PHP user group Wellington]

; 10 October 2016
[https://www.meetup.com/OWASP-New-Zealand-Chapter-Wellington/events/233954065/ OWASP NZ Wellington Meetup page]
: '''Presentation:''' Introduction to Ruby on Rails security
: '''Video:''' [https://www.youtube.com/watch?v=Hez1QYc9yo8 Youtube]
: '''Locations:''' Wellington
: '''Presented By:''' Tim Goddard
: '''Sponsor:''' [https://www.insomniasec.com Insomnia]

; 28 September 2016
[https://www.meetup.com/OWASP-New-Zealand-Chapter-Christchurch/events/232611291/ OWASP NZ Christchurch Meetup page]
: '''Presentation / Demo''' Applying Cold War Learnings to our Daily OPSEC
: '''DeadDrop:''' (https://deaddrop.jadeworld.com/)
: '''Github:''' (https://github.com/phage-nz/deaddrop)
: '''Chris's Blog Post:''' (https://bytefog.blogspot.co.nz/2015/09/burn-after-reading.html)
: '''Locations:''' Christchurch
: '''Presented By:''' [https://twitter.com/phage_nz Chris Campbell]
: '''Co-Sponsor:''' [http://www.catalyst.net.nz/ Catalyst] and [http://blog.binarymist.net/ BinaryMist]

; 29 August 2016
[https://www.meetup.com/OWASP-New-Zealand-Chapter-Wellington/events/232212284/ OWASP NZ Wellington Meetup page]
: '''Presentation:''' Mobile app security: Intro to the OWASP Mobile Top 10
: '''Video:''' [https://www.youtube.com/watch?v=SbXO6wNvOM4 Youtube]
: '''Location:''' Wellington
: '''Presented By:''' Mike Haworth

; 29 June 2016
[http://www.meetup.com/OWASP-New-Zealand-Chapter-Christchurch/events/229985413/ OWASP NZ Christchurch Meetup page]
: '''Presentation / Demo''' Security Regression Testing with ZapAPI and NodeGoat
: '''Teaser:''' (https://youtu.be/DrwXUOJWMoo)
: '''Github:''' (https://github.com/binarymist/NodeGoat/wiki/Security-Regression-Testing-with-Zap-API)
: '''Sourced From:''' Kims Book (https://leanpub.com/holistic-infosec-for-web-developers/read#process-agile-development-and-practices-security-regression-testing)
: '''Locations:''' Christchurch
: '''Presented By:''' [https://twitter.com/binarymist Kim Carter]
: '''Co-Sponsor:''' [http://www.catalyst.net.nz/ Catalyst] and [http://blog.binarymist.net/ BinaryMist]

; 27 June 2016
[http://www.meetup.com/OWASP-New-Zealand-Chapter-Wellington/events/232017285/ OWASP NZ Wellington Meetup page]
: '''Presentation:''' Introduction to using a web application firewall
: '''Video:''' [https://www.youtube.com/watch?v=iAPFf9Iqwos Youtube]
: '''Location:''' Wellington
: '''Presented By:''' Graeme Neilson
: '''Sponsor:''' [https://www.redshield.co RedShield]

; 30 March 2016
[http://www.meetup.com/OWASP-New-Zealand-Chapter-Christchurch/events/226227782/ OWASP NZ Christchurch Meetup page]
: '''Presentation:''' Qubes OS Discussion (https://www.qubes-os.org)
: '''Locations:''' Christchurch
: '''Presented By:''' Craig Rowland
: '''Co-Sponsor:''' [http://www.dimensiondata.com/en-NZ Dimension Data] and [http://binarymist.io/ BinaryMist Limited]

== ''' 2016 ''' ==

;3rd and 4th of February 2016

[https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2016 https://www.owasp.org/images/2/23/OWASP_NZ_Day_2016_logo.jpg] 

At the University of Auckland School of Commerce

'''Gold Sponsors:'''
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td><center>[[File:INSOMNIA.PNG|center|300px|link=http://www.insomniasec.com/]]</center></td>
<td> </td>
<td> </td>
<td><center>[[File:RedShield.png|center|300px|link=https://auraredshield.com/]]</center></td>
<td> </td>
<td> </td>
<td><center>[http://www.security-assessment.com https://www.owasp.org/images/4/41/SA_Logo_w_DD.gif]</center></td>
</tr>
<tr>
<td><center>[http://www.insomniasec.com Insomnia Security]</center></td>
<td> </td>
<td> </td>
<td><center>[https://auraredshield.com/ Aura RedShield]</center></td>
<td> </td>
<td> </td>
<td><center>[http://www.security-assessment.com www.security-assessment.com]</center></td>
</tr>
</table>

== ''' 2015 ''' ==

; 25 November 2015
[http://www.meetup.com/OWASP-New-Zealand-Chapter-Christchurch/events/225737100/ OWASP NZ Christchurch Meetup page]
: '''Presentation:''' UAC, Governance and Managing the External Infosec Audit
: '''Locations:''' Christchurch
: '''Presented By:''' Drewe Hinkley
: '''Co-Sponsor:''' [http://www.dimensiondata.com/en-NZ Dimension Data] and [http://binarymist.io/ BinaryMist Limited]

; 30 September 2015
[http://www.meetup.com/OWASP-New-Zealand-Chapter-Christchurch/events/223462991/ OWASP NZ Christchurch Meetup page]
: '''Two part Presentation:''' The Exploited and the Exploiters - Case Study of a Real Cyber Hack and Live Demo's from [https://leanpub.com/b/holisticinfosecforwebdevelopers Kims book]
: '''Locations:''' Christchurch
: '''Presented By:''' Salinda Lekamge and [https://twitter.com/binarymist Kim Carter]

; 24 June 2015
[http://www.meetup.com/OWASP-New-Zealand-Chapter-Christchurch/events/221412721/ OWASP NZ Christchurch Meetup page]
: '''Presentation:''' "[http://blog.binarymist.net/presentations-publications/#does-your-cloud-solution-look-like-a-mushroom Does Your Cloud Solution Look Like a Mushroom]".
: '''Locations:''' Christchurch
: '''Presented By:''' [https://twitter.com/binarymist Kim Carter].
: '''Co-Sponsor:''' [http://www.dimensiondata.com/en-NZ Dimension Data] and [http://binarymist.io/ BinaryMist Limited]

; 25 March 2015
[http://www.meetup.com/OWASP-New-Zealand-Chapter-Christchurch/events/219456317/ OWASP NZ Christchurch Meetup page]
: '''Presentation:''' Reverse Engineering, Cracking, Compromising Software Security & Mitigations
: '''Locations:''' Christchurch
: '''Presented By:''' Rob Gilmour, Senior Software Engineer, Technical Support, JADE Software Corporation Ltd.
: '''Co-Sponsor:''' [http://www.dimensiondata.com/en-NZ Dimension Data] and [http://binarymist.io/ BinaryMist Limited]

;26th and 27th of February 2015

[[File:OWASP_NZ_Day_2015_logo_small.png|400px|link=https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2015|26th and 26th February 2015 - University of Auckland Engineering Department
]]

At the University of Auckland Engineering Department

== ''' 2014 ''' ==

; 26 November 2014
[http://www.meetup.com/OWASP-New-Zealand-Chapter-Christchurch/events/209420462/ OWASP NZ Christchurch Meetup page]
: '''Workshop:''' Review SSL/TLS, demo sslstrip and mitigation techniques
: '''Locations:''' Christchurch
: '''Presented By:''' [https://twitter.com/kevinnz Kevin Alcock], [https://twitter.com/katiposec Security Consultant] at [https://katiposec.com/ Katipo Security]
: '''Co-Sponsor:''' [http://www.dimensiondata.com/en-NZ Dimension Data] and [http://binarymist.net/ BinaryMist Limited]

; 25 September 2014
[http://www.meetup.com/OWASP-New-Zealand-Chapter-Christchurch/events/198512052/ OWASP NZ Christchurch Meetup page]
: '''Workshop:''' Review, Exploit and Learn from [https://bytefog.blogspot.co.nz/2015/11/lord-of-flies.html Vulnerable Web App]
: '''Locations:''' Christchurch
: '''Presented By:''' [https://twitter.com/t0x0_nz Chris Campbell], Security & Operations Consultant Jade
: '''Co-Sponsor:''' [http://www.dimensiondata.com/en-NZ Dimension Data] and [http://binarymist.net/ BinaryMist Limited]

; 24 July 2014
[http://www.meetup.com/OWASP-New-Zealand-Chapter-Wellington/events/193784032/ OWASP NZ Wellington Meetup page]
: '''Workshop:''' Web App Security Workshop
: '''Locations:''' Wellington
: '''Presented By:''' Adrian Hayes
: '''Sponsor:''' [http://www.dimensiondata.com/en-NZ Dimension Data]

== '''2013''' ==

; 19 December 2013
[http://www.meetup.com/OWASP-New-Zealand-Chapter/events/154075992/ Meetup Link Here]
: '''Co-Sponsor:''' [http://security-assessment.com Security-Assessment.com] and [http://www.touchpoint.co.nz Touchpoint]
: '''Locations:''' Wellington, Auckland, Christchurch, Webcast
: '''Details:''' All details are on the meetup page above
: '''Presentation:''' [https://www.owasp.org/images/9/9f/Extending-Burp-with-Python.pptx Extending Burp with Python]
: '''Presented By:''' Mike Haworth, Aura Information Security

;11th and 12th of September 2013

[[File:OWASP_NZ_Day_2013_logo.png|400px|link=https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2013|11th and 12st September 2013 - Auckland Business School
]]

At the Auckland Business School

[[OWASP New Zealand Day 2013|https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2013]]

; 22 May 2013
[http://www.meetup.com/OWASP-New-Zealand-Chapter/events/115108982/ OWASP Meetup page to RSVP]
: '''Co-Sponsor:''' [http://security-assessment.com Security-Assessment.com] and [http://www.touchpoint.co.nz Touchpoint]
: '''Locations:''' Wellington, Auckland, Webcast
: '''Details:''' All details are on the meetup page above

== '''2012''' ==

; 31st August 2012
[https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2012 OWASP New Zealand Day 2012]
: '''Co-Sponsor:''' [http://www.auckland.ac.nz/ The University of Auckland], [http://www.security-assessment.com Security-Assessment.com], [http://www.aurainfosec.com Aura Information Security], [http://www.insomniasec.com Insomnia Security], [http://www.lateralsecurity.com Lateral Security], [http://www.webdrive.co.nz Web Drive]
: '''Location:''' Auckland
: '''Event site:''' [[OWASP_New_Zealand_Day_2012|OWASP New Zealand Day 2012]]

; 8th May 2012
: '''Co-Sponsor:''' [http://security-assessment.com Security-Assessment.com] and [http://www.touchpoint.co.nz Touchpoint]
: '''Locations:''' Wellington, Auckland
: '''Presentation:''' [https://www.owasp.org/images/e/e0/Owasp2012-MarkPiper.pdf An Overview and introduction to modern day BeEF]
: '''Presented By:''' Mark Piper, Insomnia Security

; 28th February 2012
: '''Co-Sponsor:''' [http://security-assessment.com Security-Assessment.com] and [http://www.touchpoint.co.nz Touchpoint]
: '''Locations:''' Wellington, Auckland
: '''Presentation:''' [https://www.owasp.org/images/2/27/OWASP_Top_10-7_to_10-aj.pdf Introduction to the OWASP Top Ten - Part 3]
: '''Presented By:''' Adrian Hayes, Security Consultant (Security-Assessment.com)
: '''Presentation:''' [https://www.owasp.org/images/0/08/OWASP-Mistaken_Identity-Password_Reset-nickf.pdf Mistaken Identity: How Not To Build A Password Reset Process]
: '''Presented By:''' Nick Freeman, Senior Security Consultant (Security-Assessment.com)

== '''2011''' ==


; 6th December 2011
: '''Co-Sponsor:''' [http://security-assessment.com Security-Assessment.com] and [http://www.touchpoint.co.nz Touchpoint]
: '''Locations:''' Wellington, Auckland
: '''Presentation:''' [https://www.owasp.org/images/6/6d/OWASP_NZ-DEC2011-OWASP_Top_10-4_to_6.pdf Introduction to the OWASP Top Ten - Part 2]
: '''Presented By:''' Adrian Hayes, Security Consultant (Security-Assessment.com)
: '''Presentation:''' [https://www.owasp.org/images/1/15/OWASP_NZ-DEC2011-Hardened_Hosting.pdf Hardened Hosting]
: '''Presented By:''' Quintin Russ, Technical Director (SiteHost)

; 20th September 2011
: '''Co-Sponsor:''' [http://security-assessment.com Security-Assessment.com]
: '''Locations:''' Wellington, Auckland
: '''Presentation:''' [https://www.owasp.org/images/c/cf/OWASP_NZ_SEP2011_TOP-10_1-of-3.pdf Introduction to the OWASP Top Ten - Part 1]
: '''Presented By:''' Nick Freeman, Security Consultant (Security-Assessment.com)
: '''Presentation:''' [https://www.owasp.org/images/3/31/OWASP_NZ_SEP2011_Clickjacking-for-shells_PDF-version.pdf Clickjacking for Shells]
: '''Presented By:''' Andrew Horton, Security Consultant (Security-Assessment.com)

; 7th July 2011
[https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2011 https://www.owasp.org/images/0/05/OWASP_NZ_Day_2011_Logo.png]
: '''Co-Sponsor:''' [http://www.security-assessment.com Security-Assessment.com], [http://www.auckland.ac.nz/ The University of Auckland]
: '''Location:''' Auckland
: '''Presentations:''' [http://www.owasp.org/index.php/OWASP_New_Zealand_Day_2011#tab=Speakers Download]
: '''Event site:''' [[OWASP_New_Zealand_Day_2011|OWASP New Zealand Day 2011]]

; 2nd March 2011
: '''Co-Sponsor:''' [http://security-assessment.com Security-Assessment.com]
: '''Locations:''' Wellington, Auckland
: '''Presentation:''' Crazy Insecure Web Apps Google Didn't Tell You About..
: '''Presented By:''' Adrian Hayes, Security Consultant (Security-Assessment.com)
: '''Presentation:''' [http://www.owasp.org/images/5/5e/2011-03-02-OWASP.pdf I know what you did last summer: The latest from the world of web hacks]
: '''Presented By:''' Kirk Jackson, Security Consultant (Aura Software Security)

== '''2010''' ==



; 15th July 2010
[https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2010 http://www.owasp.org/images/a/a7/Owasp_nz_day_2010.jpg]
: '''Co-Sponsor:''' [http://www.security-assessment.com Security-Assessment.com], [http://www.lateralsecurity.com Lateral Security], [http://www.auckland.ac.nz/ The University of Auckland]
: '''Location:''' Auckland
: '''Presentations:''' [http://www.owasp.org/index.php/OWASP_New_Zealand_Day_2010#tab=Presentations Download]
: '''Event site:''' [[OWASP_New_Zealand_Day_2010|OWASP New Zealand Day 2010]]

; 4th March 2010
: '''Co-Sponsor:''' [http://security-assessment.com Security-Assessment.com]
: '''Locations:''' Wellington, Auckland
: '''Presentation:''' MS-SQL Injections.
: '''Presented By:''' Scott Bell, Security Consultant (Security-Assessment.com)

== '''2009''' ==



; 10th November 2009
: '''Co-Sponsor:''' [http://security-assessment.com Security-Assessment.com]
: '''Locations:''' Wellington, Auckland
: '''Presentation:''' Testing AMF/Flex.
: '''Presented By:''' Nick Freeman, Security Consultant (Security-Assessment.com)
: '''Presentation:''' "Shared Ownership", from a web security perspective.
: '''Presented By:''' Quintin Russ, Technical Director (Site Host)

; 13th July 2009
[https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2009 https://www.owasp.org/images/8/85/Owasp_nz_logo.jpg]
: '''Co-Sponsor:''' [http://www.security-assessment.com Security-Assessment.com], [http://www.lateralsecurity.com Lateral Security], [http://www.auckland.ac.nz/ The University of Auckland]
: '''Location:''' Auckland
: '''Presentations:''' [http://www.owasp.org/index.php/OWASP_New_Zealand_Day_2009#tab=Presentations Download]
: '''Event site:''' [[OWASP_New_Zealand_Day_2009|OWASP New Zealand Day 2009]]

; 19th March 2009
: '''Co-Sponsor:''' [http://www.vodafone.co.nz Vodafone New Zealand] and [http://security-assessment.com Security-Assessment.com]
: '''Locations:''' Wellington, Auckland
: '''Presentation:''' "[http://www.owasp.org/index.php/Image:ActiveXploitation_In_2009.pptx ActiveXploitation in 2009]"
: '''Presented By:''' Paul Craig, Principal Security Consultant (Security-Assessment.com)
: '''Presentation:''' "[http://www.owasp.org/index.php/Image:OWASP_Mar09_Reversing_JavaScript.zip Reversing JavaScript]"
: '''Presented By:''' Roberto Suggi Liverani, Senior Security Consultant (Security-Assessment.com)

== '''2008''' ==


; 5th November 2008
: '''Co-Sponsor:''' [http://www.vodafone.co.nz Vodafone New Zealand] and [http://security-assessment.com Security-Assessment.com]
: '''Locations:''' Wellington, Auckland
: '''Presentation:''' "[https://www.owasp.org/index.php/Image:Common_Application_Flaws.ppt Common Application Flaws]"
: '''Presented By:''' Brett Moore, Network Intrusion Specialist (Insomnia Security)
: '''Presentation:''' "In your Browser, Jackin your Clicks"
: '''Presented By:''' Beau Butler, Security Consultant (Security-Assessment.com)
: '''Presentation:''' "Opera Stored Cross Site Scripting"
: '''Presented By:''' Roberto Suggi Liverani, Security Consultant (Security-Assessment.com)

; 3rd September 2008
: '''Co-Sponsor:''' [http://www.microsoft.com/en/nz/default.aspx Microsoft] and [http://security-assessment.com Security-Assessment.com]
: '''Locations:''' Wellington, Auckland
: '''Presentation:''' "[https://www.owasp.org/index.php/Image:Browser_security.ppt Browser Security]"
: '''Presented By:''' Roberto Suggi Liverani, Security Consultant (Security-Assessment.com)
: '''Presentation:''' "[https://www.owasp.org/index.php/Image:Time_Based_SQL_Injections.ppt Time based blind SQL Injections]"
: '''Presented By:''' Muhaimin Dzulfakar, Security Consultant (Security-Assessment.com)

; 25th June 2008
: '''Co-Sponsor:''' [http://security-assessment.com Security-Assessment.com]
: '''Locations:''' Wellington, Auckland
: '''Presentation:''' "Fuzz the Web"
: '''Presented By:''' Dean Jerkovich, Security Analyst (ASB)
: '''Presentation:''' "Hacking The World With Flash Part #2: The Results"
: '''Presented By:''' Paul Crag, Principal Security Consultant (Security-Assessment.com)

; 29th April 2008
: '''Co-Sponsor:''' [http://security-assessment.com Security-Assessment.com]
: '''Locations:''' Wellington, Auckland
: '''Presentation:''' "[https://www.owasp.org/index.php/Image:Hacking_The_World_With_Flash.ppt Hacking The World With Flash]"
: '''Presented By:''' Paul Craig, Principal Security Consultant (Security-Assessment.com)
: '''Presentation:''' "[https://www.owasp.org/index.php/Image:Web_spam_techniques.ppt Web Spam Techniques] - also available in [http://malerisch.net/docs/web_spam_techniques/web_spam_techniques.html HTML] format"
: '''Presented By:''' Roberto Suggi Liverani, Security Consultant (Security-Assessment.com)

; 21st February 2008
: '''Co-Sponsor:''' [http://www.vedaadvantage.com/home/home_default.aspx Veda Advantage]
: '''Locations:''' Auckland
: '''Presentation:''' "[http://www.owasp.org/index.php/Image:Xpath_Injection.ppt Xpath Injection - An Overview]"
: '''Presented By:''' Roberto Suggi Liverani, Security Consultant (Security-assessment.com)

== '''2007''' ==


; 5th December 2007
: '''Co-Sponsor:''' [http://www.vedaadvantage.com/home/home_default.aspx Veda Advantage]
: '''Locations:''' Auckland
: '''Presentation:''' "[http://malerisch.net/docs/ajax_security/Ajax_security.ppt Ajax Security]"
: '''Presented By:''' Roberto Suggi Liverani, Security Consultant (Security-assessment.com)
: '''Presentation:''' "On the job browser exploitation"
: '''Presented By:''' Mark Piper, Senior Security Consultant (Security-assessment.com)

; 22nd May 2007
: '''Co-Sponsor:''' [http://www.vedaadvantage.com/home/home_default.aspx Veda Advantage]
: '''Press Release:''' [http://www.vedaadvantage.com/vantage/news_in_brief_and_events/host_nz_owasp_meeting.aspx VedaAdvantage.com]
: '''Locations:''' Auckland
: '''Presentation:''' "OWASP in New Zealand"
: '''Presented By:''' Roberto Suggi Liverani / Antonio Spera

; April 2007
: '''Co-Sponsor:''' [http://www.vedaadvantage.com/home/home_default.aspx Veda Advantage]
: '''Locations:''' Auckland

; January 2007
: '''Co-Sponsor:''' [http://www.vedaadvantage.com/home/home_default.aspx Veda Advantage]
: '''Locations:''' Auckland

== Activities ==

OWASP New Zealand members actively participate in various OWASP activities. The following are some recent activities undertaken by OWASP NZ members:

* Kim Carter ran a [http://www.meetup.com/owaspnycmetro/events/228716474/ workshop] at the NYC chapter
* Kirk Jackson stepped up to replace Adrian Hayes for Wellington from New Zealand day 2016 onwards.
* Denis Andzakovic stepped up to replace Nick Freeman for Auckland in March 2014
* Kim Carter came on board to lead Christchurch from New Zealand Day 2013 onwards.
* Nick Freeman and Scott Bell have been appointed as the new leaders of the new OWASP New Zealand Chapter
* Roberto Suggi Liverani has resigned from his position as OWASP New Zealand Chapter Leader
* Roberto Suggi Liverani will be speaking at OWASP AppSec Asia 2009 conference
* Roberto Suggi Liverani and Nick Freeman will be speaking at Defcon 17
* OWASP NZ Day 2009 - [http://www.owasp.org/index.php/OWASP_New_Zealand_Day_2009#tab=Presentations Presentations online]
* Roberto Suggi Liverani and Nick Freeman will be speaking at EUSecWest 09
* Brett Moore will be speaking at [http://www.owasp.org/index.php/OWASP_AU_Conference_2009 OWASP AU Conference] about "Vulnerabilities In Action".
* Roberto Suggi Liverani contributed to the [http://www.owasp.org/index.php/OWASP_Testing_Project OWASP Testing Guide v3].
* Mark Piper took his "On the job browser exploitation" talk to the [http://www.owasp.org/index.php/OWASP_Australia_AppSec_2008_Conference OWASP_Australia_AppSec_2008_Conference].
* Rob Munro has been appointed as OWASP Evangelist
* OWASP NZ has audio/video conference capability between Auckland and Wellington

== OWASP NZ Members ==

We are always looking for additional board members to evangelise the OWASP mission help with meetings, projects and initiatives as we all know it takes time/effort to run a chapter. Please contact us if you are interested to join the NZ OWASP board member or for any queries related to OWASP NZ.

<ul>
*NZ Board Member (Leader - Auckland) [mailto:denis.andzakovic@owasp.org Denis Andzakovic]
*NZ Board Member (Leader - Wellington) [mailto:kirk.jackson@owasp.org Kirk Jackson]
*NZ Board Member (Leader - Christchurch) [mailto:kim.carter@owasp.org Kim Carter] 0274 622 607
</ul>

== Chapter Sponsors ==

<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td><center>[http://www.security-assessment.com https://www.owasp.org/images/a/a4/Security-assessment_com.jpeg]</center></td>
<td> </td>
<td> </td>
<td> </td>
</tr>
<tr>
<td><center>[http://www.security-assessment.com www.security-assessment.com]</center></td>
<td> </td>
<td> </td>
<td> </td>
</tr>
<tr>
<td><center>[http://www.touchpoint.co.nz https://www.owasp.org/images/d/d8/Touchpoint.jpg]</center></td>
<td> </td>
<td> </td>
<td> </td>
</tr>
<tr>
<td><center>[http://www.touchpoint.co.nz www.touchpoint.co.nz]</center></td>
<td> </td>
<td> </td>
<td> </td>
</tr>
<tr>
<td><center>[http://binarymist.io https://www.owasp.org/images/4/4c/BinaryMistLimited.png]</center></td>
<td> </td>
<td> </td>
<td> </td>
</tr>
<tr>
<td><center>[http://binarymist.io binarymist.io]</center></td>
<td> </td>
<td> </td>
<td> </td>
</tr>
</table>

OWASP New Zealand Day 2018

2018-02-12T20:48:17Z

Kirkj: Moar slides

__NOTOC__
<center>
[https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2018 https://www.owasp.org/images/5/53/NZ_day_2018_web.jpg] 
'''4th and 5th February 2018 - Auckland'''
</center>
----

= Introduction =
==Introduction==
We are proud to announce the ninth OWASP New Zealand Day conference, to be held at the University of Auckland on Monday February 5th, 2018. OWASP New Zealand Day is a one-day conference dedicated to information security, with an emphasis on secure architecture and development techniques to help Kiwi developers build more secure applications.

Who is it for?

* Web Developers: There will be a choice of two streams in the morning. First stream covering introductory talks to information security, second stream covering deeper technical topics. Afternoon sessions will cover offensive security in stream one, and continue with deeper technical topics in stream two
* Security Professionals and Enthusiasts: Technical sessions later in the day will showcase new and interesting attack and defence topics

==Conference structure==

Date: Monday 5 February 2018 
Time: 9:30am - 6:00pm 
Cost: Free 

The main conference is on Monday 5th of February, and will have two streams in both the morning and the afternoon:



==Training==

As well as the main conference on Monday, we are pleased to be able to provide training on Sunday at the same venue. All details including registration are as follows:

[https://binarymist.io/talk/owaspnzday-2018-workshop-building-security-into-your-development-team/ '''Building Security Into Your Development Teams''']
Date: Sun 04 February 2018 
Time: 9:00am - 5:30pm or part thereof 
[https://www.eventbrite.com/e/owasp-nz-day-interactive-workshop-building-security-into-your-development-teams-tickets-41266447054 Training Registration Page]

Spaces going fast, so get in quick

==General==

The ninth OWASP New Zealand Day will be happening thanks to the support provided by the University of Auckland, which will kindly offer the same location as last year for stream one, with the addition of another room near by for the stream two room. Entry to the event will, as in the past, be free.

For any comments, feedback or observations, please don't hesitate to contact [mailto:kim.carter@owasp.org?cc=kirk.jackson@owasp.org&cc=denis.andzakovic@owasp.org us]. 

==Registration==


Registration for the main conference day is now open: [https://owaspnz2018.eventbrite.com/ Conference Registration Here],
Follow us on twitter [https://twitter.com/owaspnz @owaspnz]

There is no cost for the main conference day. Unfortunately due to increased conference running costs, lunch, morning and afternoon tea's will not be provided as it has been for the past OWASP NZ Days. We do ask that if at any point you realise you cannot make it please cancel your registration to make room for others as spaces are limited.





==Important dates==

* CFP submission deadline: 8th December 2017
* CFT submission deadline: 8th December 2017
* Conference Registration deadline: 29th January 2018
* Training Registration deadline: 29th January 2018
* Training Day date: 4th February 2018
* Conference Day date: 5th February 2018

For those of you booking flights, ensure you can be at the venue at 9:00am, the conference will end by 6:00pm however we will have post conference drinks at a local drinking establishment for those interested.

==Places to eat & drink on the day==

<ul>
<li>Coffee cart and selection of snacks next to the reception on the ground floor, this is the closest but will probably have long lines</li>
<li>Mojo Symonds - also on campus</li>
<li>Shakey Isles - coffee and food across the road on the corner of Symonds & Alfred St</li>
<li>The CBD - walk up and over Albert Park to get to the CBD with many great food options</li>
<ul>
<li>Fort Street has burgers, kebabs, and KFC</li>
<li>High Street & Lorne Street have lots of little cafes and restaurants</li>
</ul>
<li>Subway, Starbucks, & Pita Pit - walk up Symonds Street</li>
<li>Vulture’s Lane is a popular pub with the infosec crowd, there are more seats downstairs</li>
<li>The Bluestone Room - also a popular pub just across Queen St</li>
</ul>

==Conference Venue==

<table width="100%">
<tr>
<td>
The University of Auckland School of Business 
Owen Glen Building 
Address: 12 Grafton Road 
 
Stream one room: Level 1 
Room: 115 (Fisher & Paykel Auditorium) 
 
Stream two room: Level 0 
Room: 098 
 
Auckland 
New Zealand 
[https://www.google.com/maps/place/Owen+G+Glenn+Building+12+Grafton+Road/@-36.8528203,174.770224,17z/data=!4m6!1m3!3m2!1s0x0000000000000000:0x0205ad91287ba364!2sUniversity+of+Auckland+Graduate+School+of+Enterprise!3m1!1s0x0000000000000000:0xc9d224e5921a6690 Map]
</td>
<td>
[[Image:073_AUBiz_10Apr08small.jpg]] [[Image:OWASPNZDayLectureTheatre.jpg]]
</td>
</tr>
</table>

==Conference Sponsors==
<table width="100%" border="0" cellspacing="1" cellpadding="1">
<tr>
<td valign="bottom" width="100%"><center>[http://www.auckland.ac.nz/ https://www.owasp.org/images/f/f8/AuckUni.png]</center></td>
</tr>
</table>
----

'''Gold Sponsors:'''
<table width="100%" border="0" cellspacing="7" cellpadding="0">
<tr>
<td><center>[[File:Zx.png|link=http://www.zxsecurity.co.nz]]</center></td>
<td> </td>
<td> </td>
<td><center>[[File:INSOMNIA.PNG|link=http://www.insomniasec.com]]</center></td>
<td> </td>
<td> </td>
<td><center>[[File:Aura_PBK_Colour.jpg|link=http://www.aurainfosec.com]]</center></td>
</tr>
</table>
----

'''Silver Sponsors:'''
<table width="100%" border="0" cellspacing="7" cellpadding="0">
<tr>
<td><center>[[File:Quantum_Security_%28strip%29-02.png|link=http://www.quantumsecurity.co.nz]]</center></td>
</tr>
</table>
----

'''Support Sponsors:'''
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td><center>[[File:BinaryMistLimited.png|center|150px|link=https://binarymist.io]]</center></td>
<td> </td>
<td> </td>
<td><center>[[File:Atlassian.png|center|183px|link=https://www.atlassian.com/]]</center></td>
</tr>
</table>

==Conference Committee==

* Kirk Jackson - OWASP New Zealand Leader (Wellington)
* Kim Carter - OWASP New Zealand Leader (Christchurch)
* Nick Malcolm - OWASP New Zealand Leader (Auckland)
* Lech Janczewski - Associate Professor - University of Auckland School of Business

Please direct all enquiries to nick.malcolm@owasp.org | kirk.jackson@owasp.org | kim.carter@owasp.org

OWASP NZ on Twitter (https://twitter.com/owaspnz)

= Training =
==Training==

As well as the main conference on Monday, we are pleased to be able to provide training on Sunday at the same venue. All details including registration are as follows:

[https://binarymist.io/talk/owaspnzday-2018-workshop-building-security-into-your-development-team/ '''Building Security Into Your Development Teams''']
Date: Sun 04 February 2018 
Time: 9:00am - 5:30pm or part thereof 
[https://www.eventbrite.com/e/owasp-nz-day-interactive-workshop-building-security-into-your-development-teams-tickets-41266447054 Training Registration Page]

Spaces going fast, so get in quick

= Call For Presentations =
==Call For Presentations==

'''Thank you to all those who have submitted talks. The call for presentations has now closed.'''

OWASP New Zealand Day conferences attract a high quality of speakers from a variety of security disciplines including
architects, web developers and engineers, system administrators, penetration testers, policy specialists and more.

We would like a variety of technical levels in the presentations submitted, corresponding to the three sections of the conference:

* Introductions to various Information Security topics, and the OWASP projects
* Technical topics
* Policy, Compliance and Risk Management

The introductory talks should appeal to an intermediate to experienced software developer, without a solid grounding in application security or knowledge of the OWASP projects. These talks should be engaging, encourage developers to learn more about information security, and give them techniques that they can immediately return to work and apply to their jobs.

Technical topics are running all day and should appeal to two audiences - experienced software security testers or researchers, and software developers who have a “OWASP Top Ten” level of understanding of web attacks and defences. You could present a lightning, short or long talk on something you have researched, developed yourself, or learnt in your travels. Ideally the topics will have technical depth or novelty so that the majority of attendees learn something new.

We would also like to invite talks that will appeal to those interested in the various non-technical topics that are important in our industry. These talks could focus on the development of policies, dealing with compliance obligations, managing risks within an enterprise, or other issues that could appeal to those in management roles.

We encourage presentations to have a strong component on fixing and prevention of security issues. We are looking for presentations on a wide variety of security topics, including but not limited to:

* Web application security
* Mobile security
* Cloud security
* Secure development
* Vulnerability analysis
* Threat modelling
* Application exploitation
* Exploitation techniques
* Threat and vulnerability countermeasures
* Platform or language security (JavaScript, NodeJS, .NET, Java, RoR, Python, etc)
* Penetration Testing
* Browser and client security
* Application and solution architecture security
* PCI DSS
* Risk management
* Security concepts for C*Os, project managers and other non-technical attendees
* Privacy controls



The submission will be reviewed by the OWASP New Zealand Day conference committee and the highest voted talks will be selected and invited for presentation.

PLEASE NOTE:

* Due to limited budget available, expenses for international speakers cannot be covered.
* If your company is willing to cover travel and accommodation costs, the company will become "Support Sponsor" of the event.

'''Thank you to all those who have submitted talks. The call for presentations has now closed.'''

Please submit your presentation [https://www.papercall.io/owaspnz2018 here].



Submissions deadline: 8th December 2017

Applicants will be notified in the following week after the deadline, whether they were successful or not.


= Call For Sponsorships =
==Call For Sponsorships==

OWASP New Zealand Day 2018 will be held in Auckland on the 5th of February, 2018 and is a security conference entirely dedicated to application security.
The conference is once again being hosted by the University of Auckland with their support and assistance.
OWASP New Zealand Day 2018 is a free event, but requires sponsor support to help be an instructive and quality event for the New Zealand community.
OWASP is strictly not for profit. The sponsorship money will be used to help make OWASP New Zealand Day 2018 a free, compelling, and valuable experience for all attendees.

The sponsorship funds collected are to be used for things such as:

* Name tags - we feel that getting to know people within the New Zealand community is important, and name tags make that possible.
* Promotion - up to now our events are propagating by word of mouth. We would like to get to a wider audience by advertising our events.
* Printed Materials - printed materials will include brochures, tags and lanyards.

== Facts ==

Last year, the event was supported by nine sponsors and attracted more than 900 registrations. Plenty of constructive (and positive!) feedback from the audience was received and we are using this to make the conference more appealing to more people. For more information on the last New Zealand Day event, please visit: https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2017

The OWASP New Zealand community is strong, there are more than 500 people currently subscribed to the mailing-list. OWASP New Zealand Day is expected to attract between 800 and 1000 attendees this year.

OWASP regular attendees are IT project managers, IT security managers, IT security consultants, web application architects and developers, QA managers, QA testers and system administrators.

== Sponsorships ==

There are three different levels of sponsorships for the OWASP New Zealand Day event:

Support Sponsorship: (Covering international speaker travel expenses, media coverage/article/promotion of the event)

Includes:

* Publication of the sponsor logo on the event web site - https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2018

Silver Sponsorship: 1500 NZD

Includes:

* Publication of the sponsor logo on the event web site - https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2018
* The publication of the sponsor logo in the event site, in the agenda, on the handouts and in all the official communications with the attendees at the conference.
* The possibility to distribute the company brochures, CDs or other materials to the participants during the event.

Gold Sponsorship: 2750 NZD

Includes:

* The possibility to have a promotional banner or sign side stage in the main auditorium (to be provided by the sponsor, size subject to approval by the OWASP NZ Day Committee).
* The publication of the sponsor logo in the event site, in the agenda, on the handouts and in all the official communications with the attendees at the conference.
* The possibility to distribute the company brochures, CDs or other materials to the participants during the event.
* Publication of the sponsor logo on the OWASP New Zealand Chapter page - Sponsor logo on the OWASP NZ site prior and during the OWASP Day event - https://www.owasp.org/index.php/New_Zealand
* Publication of the sponsor logo on the event web site - https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2018

Those who are interested in sponsoring OWASP New Zealand 2018 Conference can contact the [mailto:kim.carter@owasp.org,kirk.jackson@owasp.org,denis.andzakovic@owasp.org OWASP New Zealand Board]. 

= Presentation Schedule =
==Presentations==

<center>
5th February 2018
<table width="100%">
<tr>
<td width="5%" valign="top" align="right">08:30</td>
<td colspan="3" style="background-color: #8595C2; text-align: center">Registration Opens</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">09:30</td>
<td colspan="3" style="background-color: #B9C2DC; text-align: center">
Welcome to OWASP New Zealand Day 2018 
Kirk Jackson, [https://binarymist.io Kim Carter], Nick Malcolm (OWASP Leaders), and Lech Janczewski (Associate Professor)

</tr>
<tr>
<td width="7%" valign="top" align="right"></td>
<td style="background-color: #EEE; text-align: center">
Upstairs room
</td>
<td width="7%" valign="top" align="right">09:45</td>
<td style="background-color: #EEE; text-align: center">
'''Downstairs room'''
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right"></td>
<td style="background-color: #EEE; text-align: center">
Fear Itself 
Laura Bell - SafeStack
</td>
<td width="7%" valign="top" align="right">09:45</td>
<td style="background-color: #EEE; text-align: center">
Offensive Defence 
Chris Berry - Aura Information Security 
[[Media:2018-02-05-ChrisBerry.pdf|Slides: (PDF, 3.4mb)]]
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">10:20</td>
<td style="background-color: #B9C2DC; text-align: center">
Pizza Roulette 
Catherine McIlvride and Fiona Sasse 
[[Media:2018-02-05-CatherineMcIlvrideFionaSasse.pdf|Slides: (PDF, 3.4mb)]]
</td>
<td width="7%" valign="top" align="right">10:20</td>
<td style="background-color: #B9C2DC; text-align: center">
Auth* Infrastructure for Everyone 
Ryan Kurte and Kirk Holloway 
[https://docs.google.com/presentation/d/11tFlGmRQUBJ5ns-8gxRDxL3J0rAkCgOVqAEGqwqxDLM/edit?usp=sharing Slides]
</td>

</tr>
<tr>
<td width="7%" valign="top" align="right">10:55</td>
<td style="background-color: #EEE; text-align: center">
Guarding the Pot of Gold while the Rainbow gets bigger 
Sarah Bennett and Patricia Ramsden - Xero
</td>
<td width="7%" valign="top" align="right">10:55</td>
<td style="background-color: #EEE; text-align: center">
Bermudez - a honeypit designed to waste hacker's time 
Ian Welch and Kaishuo Yang
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">11:30</td>
<td style="background-color: #B9C2DC; text-align: center">
Enough theory, how are websites getting hacked in real life? 
Declan Ingram - CERT
</td>
<td width="7%" valign="top" align="right">11:30</td>
<td style="background-color: #B9C2DC; text-align: center">
Rails Derailed 
Tim Goddard 
[https://insomniasec.com/releases Slides]
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">12:05</td>
<td style="background-color: #EEE; text-align: center">
Secure APIs: Road to Business Growth 
Anupama Natarajan - Unisys New Zealand 
[[Media:2018-02-05-AnupamaNatarajan.pdf|Slides: (PDF, 719kb)]]
</td>
<td width="7%" valign="top" align="right">12:05</td>
<td style="background-color: #EEE; text-align: center">
Timing-Based Attacks in Web Applications 
Yappare 
[[Media:2018-02-05-AhmadAshraff.pdf|Slides: (PDF, 7.7mb)]]
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">12:35</td>
<td colspan="3" style="background-color: #D98B66; text-align: center">
Break for Lunch 
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">14:00</td>
<td style="background-color: #EEE; text-align: center">
Developer's guide to Deserialization Attacks 
Felix Shi
</td>
<td width="7%" valign="top" align="right">14:00</td>
<td style="background-color: #EEE; text-align: center">
IoT - How to fight the tyre fire 
Tom Isaacson 
[https://speakerdeck.com/parsley72/iot-how-to-fight-the-tyre-fire-1 Slides (speakerdeck)]
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">14:45</td>
<td style="background-color: #B9C2DC; text-align: center">
Finding the path to #DevSecOps nirvana 
Olly - Xero
</td>
<td width="7%" valign="top" align="right">14:45</td>
<td style="background-color: #B9C2DC; text-align: center">
Thinking like an Attacker (Hacking your own organisation) 
Nick Le Mouton - drugs.com 
[https://speakerdeck.com/noodlesnz/thinking-like-an-attacker Slides (speakerdeck)]
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">15:00</td>
<td style="background-color: #EEE; text-align: center">
When Shoestrings Snap 
Rory Shillington - VoltsAndBits 
[[Media:2018-02-05-RoryShillington.pdf|Slides: (PDF, 7.3mb)]]
</td>
<td width="7%" valign="top" align="right">15:00</td>
<td style="background-color: #EEE; text-align: center">
Evil Pickles: DoS Attacks Based on Object-Graph Engineering 
Jens Dietrich - Massey University 
[https://docs.google.com/presentation/d/1WSDq_k6z4rZeuZlvdYfNyS1IwJhVLH-gxUROi98qkL8/edit#slide=id.p Slides (google)]
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">15:30</td>
<td colspan="3" style="background-color: #D98B66; text-align: center">
Break for Afternoon Tea 
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">16:00</td>
<td style="background-color: #EEE; text-align: center">
Enough with XSS, let's talk about something else? 
Karan Sharma 
[[Media:2018-02-05-KaranSharma.pptx|Slides: (PPTX, 4mb)]]
</td>
<td width="7%" valign="top" align="right">16:00</td>
<td style="background-color: #EEE; text-align: center">
Secure development in Go 
Dion Bramley 
[https://github.com/dionb/GoSecureDev Slides (github)]
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">16:35</td>
<td style="background-color: #B9C2DC; text-align: center">
Riding someone else’s wave with CSRF 
Sam Shute - Quantum Security 
[[Media:2018-02-05-SamShute.pptx|Slides: (PPTX, 234kb)]]
</td>
<td width="7%" valign="top" align="right">16:35</td>
<td style="background-color: #B9C2DC; text-align: center">
Secure Your Programming Future! 
David Pearce 
[[Media:2018-02-05-DavidPearce.pdf|Slides: (PDF, 1.8mb)]]
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">17:10</td>
<td style="background-color: #EEE; text-align: center">
Operation Luigi: How I hacked my friend without her noticing 
Alex Hogue - Atlassian
</td>
<td width="7%" valign="top" align="right">17:10</td>
<td style="background-color: #EEE; text-align: center">
Handling Of A PCI Incident - PANs In The Database 
David Waters - Pushpay
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">17:50</td>
<td colspan="3" style="background-color: #B9C2DC; text-align: center">
Wrap Up 
Time to go out and socialise, for those interested
</td>
</tr>
</table>
</center>

= Speakers List =
==Speakers List==

===Laura Bell - SafeStack - Fear Itself===
----
Abstract

Abstract: The world is a scary place right now. While the risk posed by security threats is high, there are many organisations and people for whom this is the least of their concerns.

In a time of unsettled economies & governments, where there are more breaches each week than we would have once seen in a year... how can we change the way we enable and inspire security change to stop trying to scare the terrified and start trying to help.

Speaker Bio

With almost a decade of experience in software development and information security, Laura Bell specializes in bringing security survival skills, practices, and culture into fast paced organisations of every shape and size.

An experienced conference speaker, trainer, and regular panel member, Laura has spoken at a range of events such as BlackHat USA, Velocity, OSCON, Kiwicon, Linux Conf AU, and Microsoft TechEd on the subjects of privacy, covert communications, agile security, and security mindset.

As the co-author of "Agile Application Security" published by O'Reilly media, Laura is internationally recognised as a leader in her field.

She is the founder and CEO of SafeStack, leading its operations from Auckland, New Zealand.

===Chris Berry - Aura Information Security - Offensive Defence===
----
Abstract

Frustrated by the ability to take over corporate networks by exploiting the same petty misconfigurations for the past several years, I want to expose blue teamer’s and dev’s to the current internal pen test strategies, which have proven consistently effective in going from no auth to domain admin.

Speaker Bio

Chris is a Security Consultant at Aura Information Security with experience across a broad variety of domains and industries. He is owned by a cat.

===Catherine McIlvride and Fiona Sasse - Pizza Roulette===
----
Abstract

Catherine and Fiona are security newbies in the world of bleepbloops. As their hunger for more knowledge on Security Testing grows, they attempt to chomp into the cyber realm of ordering pizza. Pull up a chair, grab a slice* and prepare yourself for a feast! *Disclaimer: Pizza will not be included.

Speaker Bio

Catherine and Fiona are software testers who have been united by their passion for pizza and their curiosity for wearing black and whites hats. They hammer and chisel their way through interfaces, databases, and all other places to identify cracks and gaps. Now they face their next adventure roaming unfamiliar territory in the security space.

===Ryan Kurte and Kirk Holloway - Auth* Infrastructure for Everyone===
----
Abstract

Auth(entication|orisation) is tough. We’re going to talk about how it’s usually done, the developer and user experience of auth*, and some things that often go wrong. Then we’re going pitch an idea that might, hopefully, maybe, help us all build safe exciting things.

Speaker Bio

Ryan is an aspiring hardware whisperer and academic with an incurable side project problem.

Kirk builds tiny bits of content that go in bigger bits of content for your local internet box. Combined they form 5/8ths of a full stack developer.

===Sarah Bennett and Patricia Ramsden - Xero - Guarding the Pot of Gold while the Rainbow gets bigger===
----
Abstract

We've all heard that as an industry we're severely outnumbered (defenders vs attackers). Many of us become a potential targets due to the type of market our company is in. The closer to money handling you are, the more attention you get therefore the more that ratio of defenders to attackers gets worse.
We've seen our adversaries change over time as we've grown. We'll discuss how our hitting one million paid subscribers affected us in terms of security, and how the motives of attackers seem to change with the seasons.

Speaker Bio

TBD

===Ian Welch and Kaishuo Yang - Bermudez: a honeypit designed to waste hacker's time===
----
Abstract

Small enterprises don’t have the human resources to deal with web attacks 24/7 although attacks can occur anytime. We describe a honeypit designed to entrap and slow attackers down giving time for a sysadmin to detect and respond to an attack.

Speaker Bio

Ian works for Victoria University of Wellington (VUW) doing computer security teaching and research mostly related to honeypots (CaptureHPC) and more recently software-defined networks (Gasket and Baffle).

Kai is a research assistant at Victoria University of Wellington (VUW). He developed Bermudez as part of his final year project last year and is working over summer on a security policy language for software-defined networks called Baffle.

===Declan Ingram - CERT - Enough theory, how are websites getting hacked in real life?===
----
Abstract

Since opening in April 2017, CERT NZ has dealt with hundreds of hacked websites. In this talk I propose to step through a few case studies of what went wrong, and how to stop it from happening to your websites. This talk will be done specifically for OWASP day and won’t be used for other audiences.

Speaker Bio

Declan Ingram is the Manager of Operations for CERT NZ and leads the technical side of CERT NZ – including the Incident Response Team. He has worked for over 17 years in information security, with broad experience in both incident response and security testing.

===Tim Goddard - Rails Derailed===
----
Abstract

Modern web application frameworks provide a lot of protections by default, but no protection is absolute. We explore common, severe security issues in Ruby on Rails applications, why they still occur despite its attempts to protect us.

Speaker Bio

Tim (pruby) moved two years ago from being a useful human being and building web applications, to the more haphazard world of tearing them apart. He applies his development background and knowledge to review applications from the ground-up, using the code to inform an efficient approach to security testing.

===Anupama Natarajan - Unisys New Zealand - Secure APIs: Road to Business Growth===
----
Abstract

Security must never be an afterthought. API Security is key for all modern digital businesses and secure APIs provide more confidence to the consumers. Come and learn the art of detecting underprotected APIs and how to secure them.

Speaker Bio

I am a Software Professional with over 15 years experience in designing and developing Web, Data Warehouse, Business Intelligence and Mobile solutions. I am a Microsoft Certified Trainer (MCT) and really passionate in sharing knowledge. I love solving complex business problems for my clients with innovative solutions using Microsoft Technologies and use that experience in my trainings and presentations. I share tried and tested examples which people can start use in their organisations immediately.

===Yappare - Timing Based Attacks in Web Applications===
----
Abstract

Timing-based attacks are deadly but often overlooked. Pentesters often miss such attacks when testing web applications.

By the end of the talk, the audience will learn ways to identify timing-based webapp vulnerabilities through careful manual and automated analysis of response generation times.

Speaker Bio

I was a Chemical Engineering graduate but have interest in application security. 7+ years in penetration testing industry and 5 years in bug bounty scene and currently at top leaderboard of Bugcrowd. Involving in these two areas of ‘hacking’ environment, expose me with various ways of identifying web vulnerabilities.

===Felix Shi - Developer's guide to Deserialization Attacks===
----
Abstract

A beginner friendly talk on deserialization attacks, targeted towards webapp devs and QA engineers. Heavy emphasis on explaining the attack vectors, the technical/business impact, and how to test for it.

There will be demos in some popular languages/frameworks - namely Python, Java, and C#.

Speaker Bio

Felix works in the security space at an online accounting software company named Xero. He joined in 2014 and his day job involves securing and breaking internally developed products. Before Xero he spent his previous years as a developer, and has been dabbling in the information security scene in Wellington.

===Tom Isaacson - IoT: How to fight the tyre fire===
----
Abstract

Everyone knows that IoT is a tyre fire but what can we do to start putting it out? Take a quick tour through the new OWASP IoT Top 10 and some other (personal) examples of how not to do IoT.

Speaker Bio

I’ve been an embedded developer for 20 years. I haven’t bothered learning web development because I still think the internet is a passing fad, but I’ve been forced to think about security after we added networking to our products.

===Olly - Xero - Finding the path to #DevSecOps nirvana===
----
Abstract

A talk about my experiences automating security infrastructure in AWS at Xero. The end goal, things to consider in a security context, the 80/20 rule, convincing people and how to get started. Buzzwords include: DevOps, DevSecOps, AWS, Cloud, CI/CD, “.* as code”.

Speaker Bio

Oliver is a Graduate Security Engineer at Xero where he helps build and deploy security infrastructure into AWS focusing on automation and repeatability. He is a contributor to Security Monkey, Netflix’s open source AWS security auditing tool.

===Nick Le Mouton - drugs.com - Thinking like an Attacker (Hacking your own organisation)===
----
Abstract

Often as developers we think like defenders. We identify vulns (SQLi, XSS etc) and patch them. How often do we think, how far could an attacker get by using this vuln? What could they do?

It’s easier to get non security buy-in if you can provide a working exploit to show how serious a vuln is.

Speaker Bio

I started my career as a developer and for the last 20 years I’ve moved more and more into the security space. I’m currently the CTO for Drugs.com, but spend a lot of time reading through legacy code and identifying areas of concern/exploiting vulnerabilities.

===Rory Shillington - VoltsAndBits - When Shoestrings Snap===
----
Abstract

Have you ever fed a sheep to a wolf? Every day, charities, non-profit organisations and small businesses get devoured by online threats. Let’s take a look at what’s happening both at the keyboard and IRL/AFK.

Speaker Bio

Rory Shillington is an electrical engineer trying to save polar bears by day, and a jack of all admins by night.

When not designing, testing and breaking solar inverters, he helps a small handful of clients navigate the minefields of the internet while keeping their websites patched (arrr). He has a strong passion for computer security with a number of years of hands-on experience, and a tendency of venturing questionable distances to solve other people’s problems. He also maintains a number of hobby and community websites.

===Jens Dietrich - Massey University - Evil Pickles: DoS Attacks Based on Object-Graph Engineering===
----
Abstract

Evil pickles is a new type of degradation of service attack inspired by billion laughs. It exploits the object serialisation interface present in most modern languages (such as Java, C#, Ruby), and can be used to exhaust resources including CPU time, stack and heap memory of the systems attacked.

Speaker Bio

Jens is an Associate Professor at Massey University Turitea Palmerston North. Jens has a MSc in Mathematics and a PhD in Computer Science from the University of Leipzig. After graduating in 1996, he worked as a software consultant, participating in some of the first large-scale enterprise-level projects that used object-oriented programming (Smalltalk and later Java) and agile principles. Clients he worked for include Mercedes-Benz, Volkswagen and some of the largest German banks. He moved to Namibia in 1999, working for a development aid agency to establish a computing curriculum at the local university of applied science. He continued with freelance consulting work for European and US clients during this time, and started several open source projects. In 2003 he moved to New Zealand to take up a position at Massey. Jens’ research interest are in the areas of software modularisation, evolution and static analysis for bug and vulnerability detection. He currently leads a National Science Challenge project on program analysis, and his research on fast algorithms for static analysis of large Java programs has been supported by several rounds of funding by Oracle Incl (through Oracle Labs Brisbane). Jens is executive member of Software Innovation NZ (SI^NZ) and member of the ACM.

===Karan Sharma - Enough with XSS, let's talk about something else?===
----
Abstract

I think it is time to lift our game and think beyond classic vulns such as XSS, CSRF, Dir Traversal, SQLi and talk about recent web vulns which are becoming more and more common and being exploited in the wild these days like IDOR, XXE, SSRF, DOM Clobbering, RPO and Insecure Cryptographic Storage.

Speaker Bio

Working as a Security Consultant at one of the leading financial institute of NZ. Very passionate about web app security and have been doing it for over 6 years. Love building and breaking stuff especially web apps and IoT stuff. I spend my days testing web apps and network infrastructure for vulnerabilities and then help mitigate what I find.

Like to code in node.js on embedded devices and love building Web of Things oppose to Internet of Things (no pun intended).

===Dion Bramley - Secure development in Go===
----
Abstract

Google loves Go, and they claim it makes secure development much easier for people who aren’t teams of seasoned security experts. But what makes it so special? Why should you choose Go for your next secure API project? How to do secure Go. And why it can be a really terrible option for some projects

Speaker Bio

I have been working in software since 2012 using a wide range of languages. Currently I work at Spalk Ltd (yuck, sports) as a senior engineer building APIs and streaming services, and teaching interns. I studied a combination of computer science and computer engineering at UoA for 5 years. Sometimes I do free security and (engineering) design consulting for startups and charities. Hobbies include theatre, gaming, and helping people be awesome.

===Sam Shute - Quantum Security - Riding someone else’s wave with CSRF===
----
Abstract

Cross-site request forgery is one of the common vulnerabilities we are seeing in pen tests. It can be used to create or delete accounts, escalate privileges, and perform other actions. This talk will cover what it is, common issues and how to properly defend against it.

Speaker Bio

Sam is a security consultant with Quantum Security. While relatively new to the security industry he spent the last 7 years studying various security topics at the University of Waikato. Sam has been an organiser and challenge developer of the New Zealand Cyber Security Challenge for the last 3 years. His areas of interest include behavioral biometrics, the physical/digital security overlap and breaking IoT devices.

===David Pearce - Secure Your Programming Future!===
----
Abstract

Can programming languages help us write secure code? It’s an age-old question. New languages come and go, but don’t often seem that different. But wait! You haven’t seen anything like Whiley before. Forget about type checking. This is a whole new level. You might think the demo is faked. It’s not.

Speaker Bio

David graduated with a PhD from Imperial College London in 2005, and took up a lecturer position at Victoria University of Wellington, NZ. David’s PhD thesis was on efficient algorithms for pointer analysis of C, and his techniques have since been incorporated into GCC. His interests are in programming languages, compilers and static analysis. Since 2009, he has been developing the Whiley Programming Language which is designed specifically to simplify program verification. David has previously interned at Bell Labs, New Jersey, where he worked on compilers for FPGAs; and also at IBM Hursely, UK, where he worked with the AspectJ development team on profiling systems.

===Alex Hogue - Atlassian - Operation Luigi: How I hacked my friend without her noticing===
----
Abstract

My friend gave me permission to “hack all her stuff” and this is my story. It’s about what I tried, what worked, my many flubs, and how easy it is to compromise Non Paranoid People TM.

Speaker Bio

Alex is your conference speaker, your best friend, and your sweet mango boy. Alex fell off the back of a gently glowing ute 17 years ago, and now haunts the Earth in corporeal form. Critics have called him “aggressively wonky”. He does incident detection and response at Atlassian, which is kiiinda like being an adult. Catch him scratching out MEMBERS ONLY signs into MEMERS ONLY.

===David Waters - Pushpay - Handling Of A PCI Incident - PANs In The Database===
----
Abstract

Are you storing credit card numbers in your database when you’re not meant to? Would you know? We will be briefly cover PCI, and telling the story of the discovery of PANs in our pipeline. Then describe the full journey from discovery, to recovery to future prevention.

Speaker Bio

David is a Senior Software Engineer/Tech Lead and one of the leaders of the Secure Coding Guild at Pushpay, David previously worked for 3 years in the security industry including 1 year in the Security Team at Google in London and draws on 19 years experience as a systems and web developer, primarily working in .NET, Java and JavaScript.

= Diversity fund =
==Diversity and Financial Aid fund==

'''The Diversity and Financial Aid assistance fund has now closed. If you find yourself stuck and need assistance, please get in touch with kirk.jackson@owasp.org and we'll see what we can do.'''

[We have unashamedly followed the model adopted by the nz.js(con) team with their fund. Many thanks to Jen and the team!]

Due to the support of our lovely sponsors, we have some additional funding available to help people from around New Zealand attend the OWASP NZ Day that would find it hard to otherwise attend. In particular, we welcome applications from women, people of colour, LGBTIQ and all others. You all deserve to be able to learn more about security, and we’ll do our darndest to help make that happen!

Our funds are limited, and we’ll be reviewing applications every two weeks starting in December. Submit your applications soon, so we can approve them early and you’ll be in several review cycles!

Process:

* Fill out our [https://docs.google.com/forms/d/e/1FAIpQLSeTPgNCXb-3FIKetzBtTSwe1IXYckmADCK5sXPdiWRu8mdI6g/viewform application form]
* We will review and approve applications each two weeks. The next review date is in Dec 2017.
* We will contact all applicants and let them know the result of the review.
* Successful applicants will be contacted to help sort things out.

We use the following criteria to help us decide who gets approved:

* We are biased towards (but not exclusively for) diverse applicants.
* We do attempt to maximise cost efficiency and will aim to get as many people to OWASP with our limited funds.

Each successful recipient can choose whether to be kept anonymous (in which case only the OWASP NZ committee will know the details of your funding), or to be put in touch with the supporting company whose sponsorship is going towards your attendance. We think some of our sponsors may enjoy the opportunity to chat with you on the day talk about your experiences and plans for the future, but that’s totally optional and up to you.

If you have any questions, feel free to drop us an email: nick.malcolm@owasp.org | kirk.jackson@owasp.org | kim.carter@owasp.org

= Code of Conduct =
==Code of Conduct==

We want to make the OWASP NZ Day a welcoming environment for all attendees. To that end, we would like to remind you of OWASP's anti-harassment policy: [https://www.owasp.org/index.php/Governance/Conference_Policies].

Speakers, trainers and sponsors have all been reminded of these policies, and are expected to abide by them like all attendees.

If you have any concerns during the day, please seek out Kirk, Nick or Kim. We will make ourselves visible at the start of the day so you know what we look like.

<headertabs></headertabs>

[[Category:OWASP AppSec Conference]]

File:2018-02-05-ChrisBerry.pdf

2018-02-12T20:47:23Z

Kirkj:

OWASP New Zealand Day 2018

2018-02-11T20:23:28Z

Kirkj: Add slides

__NOTOC__
<center>
[https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2018 https://www.owasp.org/images/5/53/NZ_day_2018_web.jpg] 
'''4th and 5th February 2018 - Auckland'''
</center>
----

= Introduction =
==Introduction==
We are proud to announce the ninth OWASP New Zealand Day conference, to be held at the University of Auckland on Monday February 5th, 2018. OWASP New Zealand Day is a one-day conference dedicated to information security, with an emphasis on secure architecture and development techniques to help Kiwi developers build more secure applications.

Who is it for?

* Web Developers: There will be a choice of two streams in the morning. First stream covering introductory talks to information security, second stream covering deeper technical topics. Afternoon sessions will cover offensive security in stream one, and continue with deeper technical topics in stream two
* Security Professionals and Enthusiasts: Technical sessions later in the day will showcase new and interesting attack and defence topics

==Conference structure==

Date: Monday 5 February 2018 
Time: 9:30am - 6:00pm 
Cost: Free 

The main conference is on Monday 5th of February, and will have two streams in both the morning and the afternoon:



==Training==

As well as the main conference on Monday, we are pleased to be able to provide training on Sunday at the same venue. All details including registration are as follows:

[https://binarymist.io/talk/owaspnzday-2018-workshop-building-security-into-your-development-team/ '''Building Security Into Your Development Teams''']
Date: Sun 04 February 2018 
Time: 9:00am - 5:30pm or part thereof 
[https://www.eventbrite.com/e/owasp-nz-day-interactive-workshop-building-security-into-your-development-teams-tickets-41266447054 Training Registration Page]

Spaces going fast, so get in quick

==General==

The ninth OWASP New Zealand Day will be happening thanks to the support provided by the University of Auckland, which will kindly offer the same location as last year for stream one, with the addition of another room near by for the stream two room. Entry to the event will, as in the past, be free.

For any comments, feedback or observations, please don't hesitate to contact [mailto:kim.carter@owasp.org?cc=kirk.jackson@owasp.org&cc=denis.andzakovic@owasp.org us]. 

==Registration==


Registration for the main conference day is now open: [https://owaspnz2018.eventbrite.com/ Conference Registration Here],
Follow us on twitter [https://twitter.com/owaspnz @owaspnz]

There is no cost for the main conference day. Unfortunately due to increased conference running costs, lunch, morning and afternoon tea's will not be provided as it has been for the past OWASP NZ Days. We do ask that if at any point you realise you cannot make it please cancel your registration to make room for others as spaces are limited.





==Important dates==

* CFP submission deadline: 8th December 2017
* CFT submission deadline: 8th December 2017
* Conference Registration deadline: 29th January 2018
* Training Registration deadline: 29th January 2018
* Training Day date: 4th February 2018
* Conference Day date: 5th February 2018

For those of you booking flights, ensure you can be at the venue at 9:00am, the conference will end by 6:00pm however we will have post conference drinks at a local drinking establishment for those interested.

==Places to eat & drink on the day==

<ul>
<li>Coffee cart and selection of snacks next to the reception on the ground floor, this is the closest but will probably have long lines</li>
<li>Mojo Symonds - also on campus</li>
<li>Shakey Isles - coffee and food across the road on the corner of Symonds & Alfred St</li>
<li>The CBD - walk up and over Albert Park to get to the CBD with many great food options</li>
<ul>
<li>Fort Street has burgers, kebabs, and KFC</li>
<li>High Street & Lorne Street have lots of little cafes and restaurants</li>
</ul>
<li>Subway, Starbucks, & Pita Pit - walk up Symonds Street</li>
<li>Vulture’s Lane is a popular pub with the infosec crowd, there are more seats downstairs</li>
<li>The Bluestone Room - also a popular pub just across Queen St</li>
</ul>

==Conference Venue==

<table width="100%">
<tr>
<td>
The University of Auckland School of Business 
Owen Glen Building 
Address: 12 Grafton Road 
 
Stream one room: Level 1 
Room: 115 (Fisher & Paykel Auditorium) 
 
Stream two room: Level 0 
Room: 098 
 
Auckland 
New Zealand 
[https://www.google.com/maps/place/Owen+G+Glenn+Building+12+Grafton+Road/@-36.8528203,174.770224,17z/data=!4m6!1m3!3m2!1s0x0000000000000000:0x0205ad91287ba364!2sUniversity+of+Auckland+Graduate+School+of+Enterprise!3m1!1s0x0000000000000000:0xc9d224e5921a6690 Map]
</td>
<td>
[[Image:073_AUBiz_10Apr08small.jpg]] [[Image:OWASPNZDayLectureTheatre.jpg]]
</td>
</tr>
</table>

==Conference Sponsors==
<table width="100%" border="0" cellspacing="1" cellpadding="1">
<tr>
<td valign="bottom" width="100%"><center>[http://www.auckland.ac.nz/ https://www.owasp.org/images/f/f8/AuckUni.png]</center></td>
</tr>
</table>
----

'''Gold Sponsors:'''
<table width="100%" border="0" cellspacing="7" cellpadding="0">
<tr>
<td><center>[[File:Zx.png|link=http://www.zxsecurity.co.nz]]</center></td>
<td> </td>
<td> </td>
<td><center>[[File:INSOMNIA.PNG|link=http://www.insomniasec.com]]</center></td>
<td> </td>
<td> </td>
<td><center>[[File:Aura_PBK_Colour.jpg|link=http://www.aurainfosec.com]]</center></td>
</tr>
</table>
----

'''Silver Sponsors:'''
<table width="100%" border="0" cellspacing="7" cellpadding="0">
<tr>
<td><center>[[File:Quantum_Security_%28strip%29-02.png|link=http://www.quantumsecurity.co.nz]]</center></td>
</tr>
</table>
----

'''Support Sponsors:'''
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td><center>[[File:BinaryMistLimited.png|center|150px|link=https://binarymist.io]]</center></td>
<td> </td>
<td> </td>
<td><center>[[File:Atlassian.png|center|183px|link=https://www.atlassian.com/]]</center></td>
</tr>
</table>

==Conference Committee==

* Kirk Jackson - OWASP New Zealand Leader (Wellington)
* Kim Carter - OWASP New Zealand Leader (Christchurch)
* Nick Malcolm - OWASP New Zealand Leader (Auckland)
* Lech Janczewski - Associate Professor - University of Auckland School of Business

Please direct all enquiries to nick.malcolm@owasp.org | kirk.jackson@owasp.org | kim.carter@owasp.org

OWASP NZ on Twitter (https://twitter.com/owaspnz)

= Training =
==Training==

As well as the main conference on Monday, we are pleased to be able to provide training on Sunday at the same venue. All details including registration are as follows:

[https://binarymist.io/talk/owaspnzday-2018-workshop-building-security-into-your-development-team/ '''Building Security Into Your Development Teams''']
Date: Sun 04 February 2018 
Time: 9:00am - 5:30pm or part thereof 
[https://www.eventbrite.com/e/owasp-nz-day-interactive-workshop-building-security-into-your-development-teams-tickets-41266447054 Training Registration Page]

Spaces going fast, so get in quick

= Call For Presentations =
==Call For Presentations==

'''Thank you to all those who have submitted talks. The call for presentations has now closed.'''

OWASP New Zealand Day conferences attract a high quality of speakers from a variety of security disciplines including
architects, web developers and engineers, system administrators, penetration testers, policy specialists and more.

We would like a variety of technical levels in the presentations submitted, corresponding to the three sections of the conference:

* Introductions to various Information Security topics, and the OWASP projects
* Technical topics
* Policy, Compliance and Risk Management

The introductory talks should appeal to an intermediate to experienced software developer, without a solid grounding in application security or knowledge of the OWASP projects. These talks should be engaging, encourage developers to learn more about information security, and give them techniques that they can immediately return to work and apply to their jobs.

Technical topics are running all day and should appeal to two audiences - experienced software security testers or researchers, and software developers who have a “OWASP Top Ten” level of understanding of web attacks and defences. You could present a lightning, short or long talk on something you have researched, developed yourself, or learnt in your travels. Ideally the topics will have technical depth or novelty so that the majority of attendees learn something new.

We would also like to invite talks that will appeal to those interested in the various non-technical topics that are important in our industry. These talks could focus on the development of policies, dealing with compliance obligations, managing risks within an enterprise, or other issues that could appeal to those in management roles.

We encourage presentations to have a strong component on fixing and prevention of security issues. We are looking for presentations on a wide variety of security topics, including but not limited to:

* Web application security
* Mobile security
* Cloud security
* Secure development
* Vulnerability analysis
* Threat modelling
* Application exploitation
* Exploitation techniques
* Threat and vulnerability countermeasures
* Platform or language security (JavaScript, NodeJS, .NET, Java, RoR, Python, etc)
* Penetration Testing
* Browser and client security
* Application and solution architecture security
* PCI DSS
* Risk management
* Security concepts for C*Os, project managers and other non-technical attendees
* Privacy controls



The submission will be reviewed by the OWASP New Zealand Day conference committee and the highest voted talks will be selected and invited for presentation.

PLEASE NOTE:

* Due to limited budget available, expenses for international speakers cannot be covered.
* If your company is willing to cover travel and accommodation costs, the company will become "Support Sponsor" of the event.

'''Thank you to all those who have submitted talks. The call for presentations has now closed.'''

Please submit your presentation [https://www.papercall.io/owaspnz2018 here].



Submissions deadline: 8th December 2017

Applicants will be notified in the following week after the deadline, whether they were successful or not.


= Call For Sponsorships =
==Call For Sponsorships==

OWASP New Zealand Day 2018 will be held in Auckland on the 5th of February, 2018 and is a security conference entirely dedicated to application security.
The conference is once again being hosted by the University of Auckland with their support and assistance.
OWASP New Zealand Day 2018 is a free event, but requires sponsor support to help be an instructive and quality event for the New Zealand community.
OWASP is strictly not for profit. The sponsorship money will be used to help make OWASP New Zealand Day 2018 a free, compelling, and valuable experience for all attendees.

The sponsorship funds collected are to be used for things such as:

* Name tags - we feel that getting to know people within the New Zealand community is important, and name tags make that possible.
* Promotion - up to now our events are propagating by word of mouth. We would like to get to a wider audience by advertising our events.
* Printed Materials - printed materials will include brochures, tags and lanyards.

== Facts ==

Last year, the event was supported by nine sponsors and attracted more than 900 registrations. Plenty of constructive (and positive!) feedback from the audience was received and we are using this to make the conference more appealing to more people. For more information on the last New Zealand Day event, please visit: https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2017

The OWASP New Zealand community is strong, there are more than 500 people currently subscribed to the mailing-list. OWASP New Zealand Day is expected to attract between 800 and 1000 attendees this year.

OWASP regular attendees are IT project managers, IT security managers, IT security consultants, web application architects and developers, QA managers, QA testers and system administrators.

== Sponsorships ==

There are three different levels of sponsorships for the OWASP New Zealand Day event:

Support Sponsorship: (Covering international speaker travel expenses, media coverage/article/promotion of the event)

Includes:

* Publication of the sponsor logo on the event web site - https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2018

Silver Sponsorship: 1500 NZD

Includes:

* Publication of the sponsor logo on the event web site - https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2018
* The publication of the sponsor logo in the event site, in the agenda, on the handouts and in all the official communications with the attendees at the conference.
* The possibility to distribute the company brochures, CDs or other materials to the participants during the event.

Gold Sponsorship: 2750 NZD

Includes:

* The possibility to have a promotional banner or sign side stage in the main auditorium (to be provided by the sponsor, size subject to approval by the OWASP NZ Day Committee).
* The publication of the sponsor logo in the event site, in the agenda, on the handouts and in all the official communications with the attendees at the conference.
* The possibility to distribute the company brochures, CDs or other materials to the participants during the event.
* Publication of the sponsor logo on the OWASP New Zealand Chapter page - Sponsor logo on the OWASP NZ site prior and during the OWASP Day event - https://www.owasp.org/index.php/New_Zealand
* Publication of the sponsor logo on the event web site - https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2018

Those who are interested in sponsoring OWASP New Zealand 2018 Conference can contact the [mailto:kim.carter@owasp.org,kirk.jackson@owasp.org,denis.andzakovic@owasp.org OWASP New Zealand Board]. 

= Presentation Schedule =
==Presentations==

<center>
5th February 2018
<table width="100%">
<tr>
<td width="5%" valign="top" align="right">08:30</td>
<td colspan="3" style="background-color: #8595C2; text-align: center">Registration Opens</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">09:30</td>
<td colspan="3" style="background-color: #B9C2DC; text-align: center">
Welcome to OWASP New Zealand Day 2018 
Kirk Jackson, [https://binarymist.io Kim Carter], Nick Malcolm (OWASP Leaders), and Lech Janczewski (Associate Professor)

</tr>
<tr>
<td width="7%" valign="top" align="right"></td>
<td style="background-color: #EEE; text-align: center">
Upstairs room
</td>
<td width="7%" valign="top" align="right">09:45</td>
<td style="background-color: #EEE; text-align: center">
'''Downstairs room'''
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right"></td>
<td style="background-color: #EEE; text-align: center">
Fear Itself 
Laura Bell - SafeStack
</td>
<td width="7%" valign="top" align="right">09:45</td>
<td style="background-color: #EEE; text-align: center">
Offensive Defence 
Chris Berry - Aura Information Security
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">10:20</td>
<td style="background-color: #B9C2DC; text-align: center">
Pizza Roulette 
Catherine McIlvride and Fiona Sasse 
[[Media:2018-02-05-CatherineMcIlvrideFionaSasse.pdf|Slides: (PDF, 3.4mb)]]
</td>
<td width="7%" valign="top" align="right">10:20</td>
<td style="background-color: #B9C2DC; text-align: center">
Auth* Infrastructure for Everyone 
Ryan Kurte and Kirk Holloway 
[https://docs.google.com/presentation/d/11tFlGmRQUBJ5ns-8gxRDxL3J0rAkCgOVqAEGqwqxDLM/edit?usp=sharing Slides]
</td>

</tr>
<tr>
<td width="7%" valign="top" align="right">10:55</td>
<td style="background-color: #EEE; text-align: center">
Guarding the Pot of Gold while the Rainbow gets bigger 
Sarah Bennett and Patricia Ramsden - Xero
</td>
<td width="7%" valign="top" align="right">10:55</td>
<td style="background-color: #EEE; text-align: center">
Bermudez - a honeypit designed to waste hacker's time 
Ian Welch and Kaishuo Yang
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">11:30</td>
<td style="background-color: #B9C2DC; text-align: center">
Enough theory, how are websites getting hacked in real life? 
Declan Ingram - CERT
</td>
<td width="7%" valign="top" align="right">11:30</td>
<td style="background-color: #B9C2DC; text-align: center">
Rails Derailed 
Tim Goddard 
[https://insomniasec.com/releases Slides]
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">12:05</td>
<td style="background-color: #EEE; text-align: center">
Secure APIs: Road to Business Growth 
Anupama Natarajan - Unisys New Zealand 
[[Media:2018-02-05-AnupamaNatarajan.pdf|Slides: (PDF, 719kb)]]
</td>
<td width="7%" valign="top" align="right">12:05</td>
<td style="background-color: #EEE; text-align: center">
Timing-Based Attacks in Web Applications 
Yappare 
[[Media:2018-02-05-AhmadAshraff.pdf|Slides: (PDF, 7.7mb)]]
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">12:35</td>
<td colspan="3" style="background-color: #D98B66; text-align: center">
Break for Lunch 
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">14:00</td>
<td style="background-color: #EEE; text-align: center">
Developer's guide to Deserialization Attacks 
Felix Shi
</td>
<td width="7%" valign="top" align="right">14:00</td>
<td style="background-color: #EEE; text-align: center">
IoT - How to fight the tyre fire 
Tom Isaacson 
[https://speakerdeck.com/parsley72/iot-how-to-fight-the-tyre-fire-1 Slides (speakerdeck)]
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">14:45</td>
<td style="background-color: #B9C2DC; text-align: center">
Finding the path to #DevSecOps nirvana 
Olly - Xero
</td>
<td width="7%" valign="top" align="right">14:45</td>
<td style="background-color: #B9C2DC; text-align: center">
Thinking like an Attacker (Hacking your own organisation) 
Nick Le Mouton - drugs.com 
[https://speakerdeck.com/noodlesnz/thinking-like-an-attacker Slides (speakerdeck)]
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">15:00</td>
<td style="background-color: #EEE; text-align: center">
When Shoestrings Snap 
Rory Shillington - VoltsAndBits 
[[Media:2018-02-05-RoryShillington.pdf|Slides: (PDF, 7.3mb)]]
</td>
<td width="7%" valign="top" align="right">15:00</td>
<td style="background-color: #EEE; text-align: center">
Evil Pickles: DoS Attacks Based on Object-Graph Engineering 
Jens Dietrich - Massey University 
[https://docs.google.com/presentation/d/1WSDq_k6z4rZeuZlvdYfNyS1IwJhVLH-gxUROi98qkL8/edit#slide=id.p Slides (google)]
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">15:30</td>
<td colspan="3" style="background-color: #D98B66; text-align: center">
Break for Afternoon Tea 
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">16:00</td>
<td style="background-color: #EEE; text-align: center">
Enough with XSS, let's talk about something else? 
Karan Sharma 
[[Media:2018-02-05-KaranSharma.pptx|Slides: (PPTX, 4mb)]]
</td>
<td width="7%" valign="top" align="right">16:00</td>
<td style="background-color: #EEE; text-align: center">
Secure development in Go 
Dion Bramley 
[https://github.com/dionb/GoSecureDev Slides (github)]
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">16:35</td>
<td style="background-color: #B9C2DC; text-align: center">
Riding someone else’s wave with CSRF 
Sam Shute - Quantum Security 
[[Media:2018-02-05-SamShute.pptx|Slides: (PPTX, 234kb)]]
</td>
<td width="7%" valign="top" align="right">16:35</td>
<td style="background-color: #B9C2DC; text-align: center">
Secure Your Programming Future! 
David Pearce 
[[Media:2018-02-05-DavidPearce.pdf|Slides: (PDF, 1.8mb)]]
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">17:10</td>
<td style="background-color: #EEE; text-align: center">
Operation Luigi: How I hacked my friend without her noticing 
Alex Hogue - Atlassian
</td>
<td width="7%" valign="top" align="right">17:10</td>
<td style="background-color: #EEE; text-align: center">
Handling Of A PCI Incident - PANs In The Database 
David Waters - Pushpay
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">17:50</td>
<td colspan="3" style="background-color: #B9C2DC; text-align: center">
Wrap Up 
Time to go out and socialise, for those interested
</td>
</tr>
</table>
</center>

= Speakers List =
==Speakers List==

===Laura Bell - SafeStack - Fear Itself===
----
Abstract

Abstract: The world is a scary place right now. While the risk posed by security threats is high, there are many organisations and people for whom this is the least of their concerns.

In a time of unsettled economies & governments, where there are more breaches each week than we would have once seen in a year... how can we change the way we enable and inspire security change to stop trying to scare the terrified and start trying to help.

Speaker Bio

With almost a decade of experience in software development and information security, Laura Bell specializes in bringing security survival skills, practices, and culture into fast paced organisations of every shape and size.

An experienced conference speaker, trainer, and regular panel member, Laura has spoken at a range of events such as BlackHat USA, Velocity, OSCON, Kiwicon, Linux Conf AU, and Microsoft TechEd on the subjects of privacy, covert communications, agile security, and security mindset.

As the co-author of "Agile Application Security" published by O'Reilly media, Laura is internationally recognised as a leader in her field.

She is the founder and CEO of SafeStack, leading its operations from Auckland, New Zealand.

===Chris Berry - Aura Information Security - Offensive Defence===
----
Abstract

Frustrated by the ability to take over corporate networks by exploiting the same petty misconfigurations for the past several years, I want to expose blue teamer’s and dev’s to the current internal pen test strategies, which have proven consistently effective in going from no auth to domain admin.

Speaker Bio

Chris is a Security Consultant at Aura Information Security with experience across a broad variety of domains and industries. He is owned by a cat.

===Catherine McIlvride and Fiona Sasse - Pizza Roulette===
----
Abstract

Catherine and Fiona are security newbies in the world of bleepbloops. As their hunger for more knowledge on Security Testing grows, they attempt to chomp into the cyber realm of ordering pizza. Pull up a chair, grab a slice* and prepare yourself for a feast! *Disclaimer: Pizza will not be included.

Speaker Bio

Catherine and Fiona are software testers who have been united by their passion for pizza and their curiosity for wearing black and whites hats. They hammer and chisel their way through interfaces, databases, and all other places to identify cracks and gaps. Now they face their next adventure roaming unfamiliar territory in the security space.

===Ryan Kurte and Kirk Holloway - Auth* Infrastructure for Everyone===
----
Abstract

Auth(entication|orisation) is tough. We’re going to talk about how it’s usually done, the developer and user experience of auth*, and some things that often go wrong. Then we’re going pitch an idea that might, hopefully, maybe, help us all build safe exciting things.

Speaker Bio

Ryan is an aspiring hardware whisperer and academic with an incurable side project problem.

Kirk builds tiny bits of content that go in bigger bits of content for your local internet box. Combined they form 5/8ths of a full stack developer.

===Sarah Bennett and Patricia Ramsden - Xero - Guarding the Pot of Gold while the Rainbow gets bigger===
----
Abstract

We've all heard that as an industry we're severely outnumbered (defenders vs attackers). Many of us become a potential targets due to the type of market our company is in. The closer to money handling you are, the more attention you get therefore the more that ratio of defenders to attackers gets worse.
We've seen our adversaries change over time as we've grown. We'll discuss how our hitting one million paid subscribers affected us in terms of security, and how the motives of attackers seem to change with the seasons.

Speaker Bio

TBD

===Ian Welch and Kaishuo Yang - Bermudez: a honeypit designed to waste hacker's time===
----
Abstract

Small enterprises don’t have the human resources to deal with web attacks 24/7 although attacks can occur anytime. We describe a honeypit designed to entrap and slow attackers down giving time for a sysadmin to detect and respond to an attack.

Speaker Bio

Ian works for Victoria University of Wellington (VUW) doing computer security teaching and research mostly related to honeypots (CaptureHPC) and more recently software-defined networks (Gasket and Baffle).

Kai is a research assistant at Victoria University of Wellington (VUW). He developed Bermudez as part of his final year project last year and is working over summer on a security policy language for software-defined networks called Baffle.

===Declan Ingram - CERT - Enough theory, how are websites getting hacked in real life?===
----
Abstract

Since opening in April 2017, CERT NZ has dealt with hundreds of hacked websites. In this talk I propose to step through a few case studies of what went wrong, and how to stop it from happening to your websites. This talk will be done specifically for OWASP day and won’t be used for other audiences.

Speaker Bio

Declan Ingram is the Manager of Operations for CERT NZ and leads the technical side of CERT NZ – including the Incident Response Team. He has worked for over 17 years in information security, with broad experience in both incident response and security testing.

===Tim Goddard - Rails Derailed===
----
Abstract

Modern web application frameworks provide a lot of protections by default, but no protection is absolute. We explore common, severe security issues in Ruby on Rails applications, why they still occur despite its attempts to protect us.

Speaker Bio

Tim (pruby) moved two years ago from being a useful human being and building web applications, to the more haphazard world of tearing them apart. He applies his development background and knowledge to review applications from the ground-up, using the code to inform an efficient approach to security testing.

===Anupama Natarajan - Unisys New Zealand - Secure APIs: Road to Business Growth===
----
Abstract

Security must never be an afterthought. API Security is key for all modern digital businesses and secure APIs provide more confidence to the consumers. Come and learn the art of detecting underprotected APIs and how to secure them.

Speaker Bio

I am a Software Professional with over 15 years experience in designing and developing Web, Data Warehouse, Business Intelligence and Mobile solutions. I am a Microsoft Certified Trainer (MCT) and really passionate in sharing knowledge. I love solving complex business problems for my clients with innovative solutions using Microsoft Technologies and use that experience in my trainings and presentations. I share tried and tested examples which people can start use in their organisations immediately.

===Yappare - Timing Based Attacks in Web Applications===
----
Abstract

Timing-based attacks are deadly but often overlooked. Pentesters often miss such attacks when testing web applications.

By the end of the talk, the audience will learn ways to identify timing-based webapp vulnerabilities through careful manual and automated analysis of response generation times.

Speaker Bio

I was a Chemical Engineering graduate but have interest in application security. 7+ years in penetration testing industry and 5 years in bug bounty scene and currently at top leaderboard of Bugcrowd. Involving in these two areas of ‘hacking’ environment, expose me with various ways of identifying web vulnerabilities.

===Felix Shi - Developer's guide to Deserialization Attacks===
----
Abstract

A beginner friendly talk on deserialization attacks, targeted towards webapp devs and QA engineers. Heavy emphasis on explaining the attack vectors, the technical/business impact, and how to test for it.

There will be demos in some popular languages/frameworks - namely Python, Java, and C#.

Speaker Bio

Felix works in the security space at an online accounting software company named Xero. He joined in 2014 and his day job involves securing and breaking internally developed products. Before Xero he spent his previous years as a developer, and has been dabbling in the information security scene in Wellington.

===Tom Isaacson - IoT: How to fight the tyre fire===
----
Abstract

Everyone knows that IoT is a tyre fire but what can we do to start putting it out? Take a quick tour through the new OWASP IoT Top 10 and some other (personal) examples of how not to do IoT.

Speaker Bio

I’ve been an embedded developer for 20 years. I haven’t bothered learning web development because I still think the internet is a passing fad, but I’ve been forced to think about security after we added networking to our products.

===Olly - Xero - Finding the path to #DevSecOps nirvana===
----
Abstract

A talk about my experiences automating security infrastructure in AWS at Xero. The end goal, things to consider in a security context, the 80/20 rule, convincing people and how to get started. Buzzwords include: DevOps, DevSecOps, AWS, Cloud, CI/CD, “.* as code”.

Speaker Bio

Oliver is a Graduate Security Engineer at Xero where he helps build and deploy security infrastructure into AWS focusing on automation and repeatability. He is a contributor to Security Monkey, Netflix’s open source AWS security auditing tool.

===Nick Le Mouton - drugs.com - Thinking like an Attacker (Hacking your own organisation)===
----
Abstract

Often as developers we think like defenders. We identify vulns (SQLi, XSS etc) and patch them. How often do we think, how far could an attacker get by using this vuln? What could they do?

It’s easier to get non security buy-in if you can provide a working exploit to show how serious a vuln is.

Speaker Bio

I started my career as a developer and for the last 20 years I’ve moved more and more into the security space. I’m currently the CTO for Drugs.com, but spend a lot of time reading through legacy code and identifying areas of concern/exploiting vulnerabilities.

===Rory Shillington - VoltsAndBits - When Shoestrings Snap===
----
Abstract

Have you ever fed a sheep to a wolf? Every day, charities, non-profit organisations and small businesses get devoured by online threats. Let’s take a look at what’s happening both at the keyboard and IRL/AFK.

Speaker Bio

Rory Shillington is an electrical engineer trying to save polar bears by day, and a jack of all admins by night.

When not designing, testing and breaking solar inverters, he helps a small handful of clients navigate the minefields of the internet while keeping their websites patched (arrr). He has a strong passion for computer security with a number of years of hands-on experience, and a tendency of venturing questionable distances to solve other people’s problems. He also maintains a number of hobby and community websites.

===Jens Dietrich - Massey University - Evil Pickles: DoS Attacks Based on Object-Graph Engineering===
----
Abstract

Evil pickles is a new type of degradation of service attack inspired by billion laughs. It exploits the object serialisation interface present in most modern languages (such as Java, C#, Ruby), and can be used to exhaust resources including CPU time, stack and heap memory of the systems attacked.

Speaker Bio

Jens is an Associate Professor at Massey University Turitea Palmerston North. Jens has a MSc in Mathematics and a PhD in Computer Science from the University of Leipzig. After graduating in 1996, he worked as a software consultant, participating in some of the first large-scale enterprise-level projects that used object-oriented programming (Smalltalk and later Java) and agile principles. Clients he worked for include Mercedes-Benz, Volkswagen and some of the largest German banks. He moved to Namibia in 1999, working for a development aid agency to establish a computing curriculum at the local university of applied science. He continued with freelance consulting work for European and US clients during this time, and started several open source projects. In 2003 he moved to New Zealand to take up a position at Massey. Jens’ research interest are in the areas of software modularisation, evolution and static analysis for bug and vulnerability detection. He currently leads a National Science Challenge project on program analysis, and his research on fast algorithms for static analysis of large Java programs has been supported by several rounds of funding by Oracle Incl (through Oracle Labs Brisbane). Jens is executive member of Software Innovation NZ (SI^NZ) and member of the ACM.

===Karan Sharma - Enough with XSS, let's talk about something else?===
----
Abstract

I think it is time to lift our game and think beyond classic vulns such as XSS, CSRF, Dir Traversal, SQLi and talk about recent web vulns which are becoming more and more common and being exploited in the wild these days like IDOR, XXE, SSRF, DOM Clobbering, RPO and Insecure Cryptographic Storage.

Speaker Bio

Working as a Security Consultant at one of the leading financial institute of NZ. Very passionate about web app security and have been doing it for over 6 years. Love building and breaking stuff especially web apps and IoT stuff. I spend my days testing web apps and network infrastructure for vulnerabilities and then help mitigate what I find.

Like to code in node.js on embedded devices and love building Web of Things oppose to Internet of Things (no pun intended).

===Dion Bramley - Secure development in Go===
----
Abstract

Google loves Go, and they claim it makes secure development much easier for people who aren’t teams of seasoned security experts. But what makes it so special? Why should you choose Go for your next secure API project? How to do secure Go. And why it can be a really terrible option for some projects

Speaker Bio

I have been working in software since 2012 using a wide range of languages. Currently I work at Spalk Ltd (yuck, sports) as a senior engineer building APIs and streaming services, and teaching interns. I studied a combination of computer science and computer engineering at UoA for 5 years. Sometimes I do free security and (engineering) design consulting for startups and charities. Hobbies include theatre, gaming, and helping people be awesome.

===Sam Shute - Quantum Security - Riding someone else’s wave with CSRF===
----
Abstract

Cross-site request forgery is one of the common vulnerabilities we are seeing in pen tests. It can be used to create or delete accounts, escalate privileges, and perform other actions. This talk will cover what it is, common issues and how to properly defend against it.

Speaker Bio

Sam is a security consultant with Quantum Security. While relatively new to the security industry he spent the last 7 years studying various security topics at the University of Waikato. Sam has been an organiser and challenge developer of the New Zealand Cyber Security Challenge for the last 3 years. His areas of interest include behavioral biometrics, the physical/digital security overlap and breaking IoT devices.

===David Pearce - Secure Your Programming Future!===
----
Abstract

Can programming languages help us write secure code? It’s an age-old question. New languages come and go, but don’t often seem that different. But wait! You haven’t seen anything like Whiley before. Forget about type checking. This is a whole new level. You might think the demo is faked. It’s not.

Speaker Bio

David graduated with a PhD from Imperial College London in 2005, and took up a lecturer position at Victoria University of Wellington, NZ. David’s PhD thesis was on efficient algorithms for pointer analysis of C, and his techniques have since been incorporated into GCC. His interests are in programming languages, compilers and static analysis. Since 2009, he has been developing the Whiley Programming Language which is designed specifically to simplify program verification. David has previously interned at Bell Labs, New Jersey, where he worked on compilers for FPGAs; and also at IBM Hursely, UK, where he worked with the AspectJ development team on profiling systems.

===Alex Hogue - Atlassian - Operation Luigi: How I hacked my friend without her noticing===
----
Abstract

My friend gave me permission to “hack all her stuff” and this is my story. It’s about what I tried, what worked, my many flubs, and how easy it is to compromise Non Paranoid People TM.

Speaker Bio

Alex is your conference speaker, your best friend, and your sweet mango boy. Alex fell off the back of a gently glowing ute 17 years ago, and now haunts the Earth in corporeal form. Critics have called him “aggressively wonky”. He does incident detection and response at Atlassian, which is kiiinda like being an adult. Catch him scratching out MEMBERS ONLY signs into MEMERS ONLY.

===David Waters - Pushpay - Handling Of A PCI Incident - PANs In The Database===
----
Abstract

Are you storing credit card numbers in your database when you’re not meant to? Would you know? We will be briefly cover PCI, and telling the story of the discovery of PANs in our pipeline. Then describe the full journey from discovery, to recovery to future prevention.

Speaker Bio

David is a Senior Software Engineer/Tech Lead and one of the leaders of the Secure Coding Guild at Pushpay, David previously worked for 3 years in the security industry including 1 year in the Security Team at Google in London and draws on 19 years experience as a systems and web developer, primarily working in .NET, Java and JavaScript.

= Diversity fund =
==Diversity and Financial Aid fund==

'''The Diversity and Financial Aid assistance fund has now closed. If you find yourself stuck and need assistance, please get in touch with kirk.jackson@owasp.org and we'll see what we can do.'''

[We have unashamedly followed the model adopted by the nz.js(con) team with their fund. Many thanks to Jen and the team!]

Due to the support of our lovely sponsors, we have some additional funding available to help people from around New Zealand attend the OWASP NZ Day that would find it hard to otherwise attend. In particular, we welcome applications from women, people of colour, LGBTIQ and all others. You all deserve to be able to learn more about security, and we’ll do our darndest to help make that happen!

Our funds are limited, and we’ll be reviewing applications every two weeks starting in December. Submit your applications soon, so we can approve them early and you’ll be in several review cycles!

Process:

* Fill out our [https://docs.google.com/forms/d/e/1FAIpQLSeTPgNCXb-3FIKetzBtTSwe1IXYckmADCK5sXPdiWRu8mdI6g/viewform application form]
* We will review and approve applications each two weeks. The next review date is in Dec 2017.
* We will contact all applicants and let them know the result of the review.
* Successful applicants will be contacted to help sort things out.

We use the following criteria to help us decide who gets approved:

* We are biased towards (but not exclusively for) diverse applicants.
* We do attempt to maximise cost efficiency and will aim to get as many people to OWASP with our limited funds.

Each successful recipient can choose whether to be kept anonymous (in which case only the OWASP NZ committee will know the details of your funding), or to be put in touch with the supporting company whose sponsorship is going towards your attendance. We think some of our sponsors may enjoy the opportunity to chat with you on the day talk about your experiences and plans for the future, but that’s totally optional and up to you.

If you have any questions, feel free to drop us an email: nick.malcolm@owasp.org | kirk.jackson@owasp.org | kim.carter@owasp.org

= Code of Conduct =
==Code of Conduct==

We want to make the OWASP NZ Day a welcoming environment for all attendees. To that end, we would like to remind you of OWASP's anti-harassment policy: [https://www.owasp.org/index.php/Governance/Conference_Policies].

Speakers, trainers and sponsors have all been reminded of these policies, and are expected to abide by them like all attendees.

If you have any concerns during the day, please seek out Kirk, Nick or Kim. We will make ourselves visible at the start of the day so you know what we look like.

<headertabs></headertabs>

[[Category:OWASP AppSec Conference]]

2018-01-30T01:19:05Z

Kirkj: /* Diversity and Financial Aid fund */

__NOTOC__
<center>
[https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2018 https://www.owasp.org/images/5/53/NZ_day_2018_web.jpg] 
'''4th and 5th February 2018 - Auckland'''
</center>
----

= Introduction =
==Introduction==
We are proud to announce the ninth OWASP New Zealand Day conference, to be held at the University of Auckland on Monday February 5th, 2018. OWASP New Zealand Day is a one-day conference dedicated to information security, with an emphasis on secure architecture and development techniques to help Kiwi developers build more secure applications.

Who is it for?

* Web Developers: There will be a choice of two streams in the morning. First stream covering introductory talks to information security, second stream covering deeper technical topics. Afternoon sessions will cover offensive security in stream one, and continue with deeper technical topics in stream two
* Security Professionals and Enthusiasts: Technical sessions later in the day will showcase new and interesting attack and defence topics

==Conference structure==

Date: Monday 5 February 2018 
Time: 9:30am - 6:00pm 
Cost: Free 

The main conference is on Monday 5th of February, and will have two streams in both the morning and the afternoon:



==Training==

As well as the main conference on Monday, we are pleased to be able to provide training on Sunday at the same venue. All details including registration are as follows:

[https://binarymist.io/talk/owaspnzday-2018-workshop-building-security-into-your-development-team/ '''Building Security Into Your Development Teams''']
Date: Sun 04 February 2018 
Time: 9:00am - 5:30pm or part thereof 
[https://www.eventbrite.com/e/owasp-nz-day-interactive-workshop-building-security-into-your-development-teams-tickets-41266447054 Training Registration Page]

Spaces going fast, so get in quick

==General==

The ninth OWASP New Zealand Day will be happening thanks to the support provided by the University of Auckland, which will kindly offer the same location as last year for stream one, with the addition of another room near by for the stream two room. Entry to the event will, as in the past, be free.

For any comments, feedback or observations, please don't hesitate to contact [mailto:kim.carter@owasp.org?cc=kirk.jackson@owasp.org&cc=denis.andzakovic@owasp.org us]. 

==Registration==


Registration for the main conference day is now open: [https://owaspnz2018.eventbrite.com/ Conference Registration Here],
Follow us on twitter [https://twitter.com/owaspnz @owaspnz]

There is no cost for the main conference day. Unfortunately due to increased conference running costs, lunch, morning and afternoon tea's will not be provided as it has been for the past OWASP NZ Days. We do ask that if at any point you realise you cannot make it please cancel your registration to make room for others as spaces are limited.





==Important dates==

* CFP submission deadline: 8th December 2017
* CFT submission deadline: 8th December 2017
* Conference Registration deadline: 29th January 2018
* Training Registration deadline: 29th January 2018
* Training Day date: 4th February 2018
* Conference Day date: 5th February 2018

For those of you booking flights, ensure you can be at the venue at 9:00am, the conference will end by 6:00pm however we will have post conference drinks at a local drinking establishment for those interested.

==Places to eat & drink on the day==

<ul>
<li>Excel Cafe - just inside the Owen G Glenn building, this is the closest but will probably have long lines</li>
<li>Mojo Symonds - also on campus</li>
<li>Shakey Isles - coffee and food across the road on the corner of Symonds & Alfred St</li>
<li>The CBD - walk up and over Albert Park to get to the CBD with many great food options</li>
<ul>
<li>Fort Street has burgers, kebabs, and KFC</li>
<li>High Street & Lorne Street have lots of little cafes and restaurants</li>
</ul>
<li>Subway, Starbucks, & Pita Pit - walk up Symonds Street</li>
<li>Vulture’s Lane is a popular pub with the infosec crowd, there are more seats downstairs</li>
<li>The Bluestone Room - also a popular pub just across Queen St</li>
</ul>

==Conference Venue==

<table width="100%">
<tr>
<td>

The University of Auckland School of Business 
Owen Glen Building 
Address: 12 Grafton Road 
 
Stream one room: Level 1 
Room: 115 (Fisher & Paykel Auditorium) 
 
Stream two room: Level 0 
Room: 098 
 
Auckland 
New Zealand 
[https://www.google.com/maps/place/Owen+G+Glenn+Building+12+Grafton+Road/@-36.8528203,174.770224,17z/data=!4m6!1m3!3m2!1s0x0000000000000000:0x0205ad91287ba364!2sUniversity+of+Auckland+Graduate+School+of+Enterprise!3m1!1s0x0000000000000000:0xc9d224e5921a6690 Map]
</td>
<td>
[[Image:073_AUBiz_10Apr08small.jpg]] [[Image:OWASPNZDayLectureTheatre.jpg]]
</td>
</tr>
</table>

==Conference Sponsors==
<table width="100%" border="0" cellspacing="1" cellpadding="1">
<tr>
<td valign="bottom" width="100%"><center>[http://www.auckland.ac.nz/ https://www.owasp.org/images/f/f8/AuckUni.png]</center></td>
</tr>
</table>
----

'''Gold Sponsors:'''
<table width="100%" border="0" cellspacing="7" cellpadding="0">
<tr>
<td><center>[[File:Zx.png|link=http://www.zxsecurity.co.nz]]</center></td>
<td> </td>
<td> </td>
<td><center>[[File:INSOMNIA.PNG|link=http://www.insomniasec.com]]</center></td>
<td> </td>
<td> </td>
<td><center>[[File:Aura_PBK_Colour.jpg|link=http://www.aurainfosec.com]]</center></td>
</tr>
</table>
----

'''Silver Sponsors:'''
<table width="100%" border="0" cellspacing="7" cellpadding="0">
<tr>
<td><center>[[File:Quantum_Security_%28strip%29-02.png|link=http://www.quantumsecurity.co.nz]]</center></td>
</tr>
</table>
----

'''Support Sponsors:'''
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td><center>[[File:BinaryMistLimited.png|center|150px|link=https://binarymist.io]]</center></td>
<td> </td>
<td> </td>
<td><center>[[File:Atlassian.png|center|183px|link=https://www.atlassian.com/]]</center></td>
</tr>
</table>

==Conference Committee==

* Denis Andzakovic - OWASP New Zealand Leader (Auckland)
* Kirk Jackson - OWASP New Zealand Leader (Wellington)
* Kim Carter - OWASP New Zealand Leader (Christchurch)
* Nick Malcolm - OWASP New Zealand (Auckland)
* Lech Janczewski - Associate Professor - University of Auckland School of Business

Please direct all enquiries to denis.andzakovic@owasp.org | kirk.jackson@owasp.org | kim.carter@owasp.org

OWASP NZ on Twitter (https://twitter.com/owaspnz)

= Training =
==Training==

As well as the main conference on Monday, we are pleased to be able to provide training on Sunday at the same venue. All details including registration are as follows:

[https://binarymist.io/talk/owaspnzday-2018-workshop-building-security-into-your-development-team/ '''Building Security Into Your Development Teams''']
Date: Sun 04 February 2018 
Time: 9:00am - 5:30pm or part thereof 
[https://www.eventbrite.com/e/owasp-nz-day-interactive-workshop-building-security-into-your-development-teams-tickets-41266447054 Training Registration Page]

Spaces going fast, so get in quick

= Call For Presentations =
==Call For Presentations==

'''Thank you to all those who have submitted talks. The call for presentations has now closed.'''

OWASP New Zealand Day conferences attract a high quality of speakers from a variety of security disciplines including
architects, web developers and engineers, system administrators, penetration testers, policy specialists and more.

We would like a variety of technical levels in the presentations submitted, corresponding to the three sections of the conference:

* Introductions to various Information Security topics, and the OWASP projects
* Technical topics
* Policy, Compliance and Risk Management

The introductory talks should appeal to an intermediate to experienced software developer, without a solid grounding in application security or knowledge of the OWASP projects. These talks should be engaging, encourage developers to learn more about information security, and give them techniques that they can immediately return to work and apply to their jobs.

Technical topics are running all day and should appeal to two audiences - experienced software security testers or researchers, and software developers who have a “OWASP Top Ten” level of understanding of web attacks and defences. You could present a lightning, short or long talk on something you have researched, developed yourself, or learnt in your travels. Ideally the topics will have technical depth or novelty so that the majority of attendees learn something new.

We would also like to invite talks that will appeal to those interested in the various non-technical topics that are important in our industry. These talks could focus on the development of policies, dealing with compliance obligations, managing risks within an enterprise, or other issues that could appeal to those in management roles.

We encourage presentations to have a strong component on fixing and prevention of security issues. We are looking for presentations on a wide variety of security topics, including but not limited to:

* Web application security
* Mobile security
* Cloud security
* Secure development
* Vulnerability analysis
* Threat modelling
* Application exploitation
* Exploitation techniques
* Threat and vulnerability countermeasures
* Platform or language security (JavaScript, NodeJS, .NET, Java, RoR, Python, etc)
* Penetration Testing
* Browser and client security
* Application and solution architecture security
* PCI DSS
* Risk management
* Security concepts for C*Os, project managers and other non-technical attendees
* Privacy controls



The submission will be reviewed by the OWASP New Zealand Day conference committee and the highest voted talks will be selected and invited for presentation.

PLEASE NOTE:

* Due to limited budget available, expenses for international speakers cannot be covered.
* If your company is willing to cover travel and accommodation costs, the company will become "Support Sponsor" of the event.

'''Thank you to all those who have submitted talks. The call for presentations has now closed.'''

Please submit your presentation [https://www.papercall.io/owaspnz2018 here].



Submissions deadline: 8th December 2017

Applicants will be notified in the following week after the deadline, whether they were successful or not.


= Call For Sponsorships =
==Call For Sponsorships==

OWASP New Zealand Day 2018 will be held in Auckland on the 5th of February, 2018 and is a security conference entirely dedicated to application security.
The conference is once again being hosted by the University of Auckland with their support and assistance.
OWASP New Zealand Day 2018 is a free event, but requires sponsor support to help be an instructive and quality event for the New Zealand community.
OWASP is strictly not for profit. The sponsorship money will be used to help make OWASP New Zealand Day 2018 a free, compelling, and valuable experience for all attendees.

The sponsorship funds collected are to be used for things such as:

* Name tags - we feel that getting to know people within the New Zealand community is important, and name tags make that possible.
* Promotion - up to now our events are propagating by word of mouth. We would like to get to a wider audience by advertising our events.
* Printed Materials - printed materials will include brochures, tags and lanyards.

== Facts ==

Last year, the event was supported by nine sponsors and attracted more than 900 registrations. Plenty of constructive (and positive!) feedback from the audience was received and we are using this to make the conference more appealing to more people. For more information on the last New Zealand Day event, please visit: https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2017

The OWASP New Zealand community is strong, there are more than 500 people currently subscribed to the mailing-list. OWASP New Zealand Day is expected to attract between 800 and 1000 attendees this year.

OWASP regular attendees are IT project managers, IT security managers, IT security consultants, web application architects and developers, QA managers, QA testers and system administrators.

== Sponsorships ==

There are three different levels of sponsorships for the OWASP New Zealand Day event:

Support Sponsorship: (Covering international speaker travel expenses, media coverage/article/promotion of the event)

Includes:

* Publication of the sponsor logo on the event web site - https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2018

Silver Sponsorship: 1500 NZD

Includes:

* Publication of the sponsor logo on the event web site - https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2018
* The publication of the sponsor logo in the event site, in the agenda, on the handouts and in all the official communications with the attendees at the conference.
* The possibility to distribute the company brochures, CDs or other materials to the participants during the event.

Gold Sponsorship: 2750 NZD

Includes:

* The possibility to have a promotional banner or sign side stage in the main auditorium (to be provided by the sponsor, size subject to approval by the OWASP NZ Day Committee).
* The publication of the sponsor logo in the event site, in the agenda, on the handouts and in all the official communications with the attendees at the conference.
* The possibility to distribute the company brochures, CDs or other materials to the participants during the event.
* Publication of the sponsor logo on the OWASP New Zealand Chapter page - Sponsor logo on the OWASP NZ site prior and during the OWASP Day event - https://www.owasp.org/index.php/New_Zealand
* Publication of the sponsor logo on the event web site - https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2018

Those who are interested in sponsoring OWASP New Zealand 2018 Conference can contact the [mailto:kim.carter@owasp.org,kirk.jackson@owasp.org,denis.andzakovic@owasp.org OWASP New Zealand Board]. 

= Presentation Schedule =
==Presentations==

<center>
5th February 2018
<table width="100%">
<tr>
<td width="5%" valign="top" align="right">08:30</td>
<td colspan="3" style="background-color: #8595C2; text-align: center">Registration Opens</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">09:30</td>
<td colspan="3" style="background-color: #B9C2DC; text-align: center">
Welcome to OWASP New Zealand Day 2018 
Kirk Jackson, [https://binarymist.io Kim Carter], Denis Andzakovic, Nick Malcolm, Sam Macleod (OWASP Leaders), and Lech Janczewski (Associate Professor)

</tr>
<tr>
<td width="7%" valign="top" align="right">09:45</td>
<td style="background-color: #EEE; text-align: center">
Fear Itself 
Laura Bell - SafeStack
</td>
<td width="7%" valign="top" align="right">09:45</td>
<td style="background-color: #EEE; text-align: center">
Offensive Defence 
Chris Berry - Aura Information Security
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">10:20</td>
<td style="background-color: #B9C2DC; text-align: center">
Pizza Roulette 
Catherine McIlvride and Fiona Sasse
</td>
<td width="7%" valign="top" align="right">10:20</td>
<td style="background-color: #B9C2DC; text-align: center">
Auth* Infrastructure for Everyone 
Ryan Kurte and Kirk Holloway
</td>

</tr>
<tr>
<td width="7%" valign="top" align="right">10:55</td>
<td style="background-color: #EEE; text-align: center">
Guarding the Pot of Gold while the Rainbow gets bigger 
Sarah Bennett and Patricia Ramsden - Xero
</td>
<td width="7%" valign="top" align="right">10:55</td>
<td style="background-color: #EEE; text-align: center">
Bermudez - a honeypit designed to waste hacker's time 
Ian Welch and Kaishuo Yang
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">11:30</td>
<td style="background-color: #B9C2DC; text-align: center">
Enough theory, how are websites getting hacked in real life? 
Declan Ingram - CERT
</td>
<td width="7%" valign="top" align="right">11:30</td>
<td style="background-color: #B9C2DC; text-align: center">
Rails Derailed 
Tim Goddard
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">12:05</td>
<td style="background-color: #EEE; text-align: center">
Secure APIs: Road to Business Growth 
Anupama Natarajan - Unisys New Zealand
</td>
<td width="7%" valign="top" align="right">12:05</td>
<td style="background-color: #EEE; text-align: center">
Timing-Based Attacks in Web Applications 
Yappare
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">12:35</td>
<td colspan="3" style="background-color: #D98B66; text-align: center">
Break for Lunch 
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">14:00</td>
<td style="background-color: #EEE; text-align: center">
Developer's guide to Deserialization Attacks 
Felix Shi
</td>
<td width="7%" valign="top" align="right">14:00</td>
<td style="background-color: #EEE; text-align: center">
IoT - How to fight the tyre fire 
Tom Isaacson
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">14:45</td>
<td style="background-color: #B9C2DC; text-align: center">
Finding the path to #DevSecOps nirvana 
Olly - Xero
</td>
<td width="7%" valign="top" align="right">14:45</td>
<td style="background-color: #B9C2DC; text-align: center">
Thinking like an Attacker (Hacking your own organisation) 
Nick Le Mouton - drugs.com
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">15:00</td>
<td style="background-color: #EEE; text-align: center">
When Shoestrings Snap 
Rory Shillington - VoltsAndBits
</td>
<td width="7%" valign="top" align="right">15:00</td>
<td style="background-color: #EEE; text-align: center">
Evil Pickles: DoS Attacks Based on Object-Graph Engineering 
Jens Dietrich - Massey University
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">15:30</td>
<td colspan="3" style="background-color: #D98B66; text-align: center">
Break for Afternoon Tea 
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">16:00</td>
<td style="background-color: #EEE; text-align: center">
Enough with XSS, let's talk about something else? 
Karan Sharma
</td>
<td width="7%" valign="top" align="right">16:00</td>
<td style="background-color: #EEE; text-align: center">
Secure development in Go 
Dion Bramley
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">16:35</td>
<td style="background-color: #B9C2DC; text-align: center">
Riding someone else’s wave with CSRF 
Sam Shute - Quantum Security
</td>
<td width="7%" valign="top" align="right">16:35</td>
<td style="background-color: #B9C2DC; text-align: center">
Secure Your Programming Future! 
David Pearce
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">17:10</td>
<td style="background-color: #EEE; text-align: center">
Operation Luigi: How I hacked my friend without her noticing 
Alex Hogue - Atlassian
</td>
<td width="7%" valign="top" align="right">17:10</td>
<td style="background-color: #EEE; text-align: center">
Handling Of A PCI Incident - PANs In The Database 
David Waters - Pushpay
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">17:50</td>
<td colspan="3" style="background-color: #B9C2DC; text-align: center">
Wrap Up 
Time to go out and socialise, for those interested
</td>
</tr>
</table>
</center>

= Speakers List =
==Speakers List==

===Laura Bell - SafeStack - Fear Itself===
----
Abstract

Abstract: The world is a scary place right now. While the risk posed by security threats is high, there are many organisations and people for whom this is the least of their concerns.

In a time of unsettled economies & governments, where there are more breaches each week than we would have once seen in a year... how can we change the way we enable and inspire security change to stop trying to scare the terrified and start trying to help.

Speaker Bio

With almost a decade of experience in software development and information security, Laura Bell specializes in bringing security survival skills, practices, and culture into fast paced organisations of every shape and size.

An experienced conference speaker, trainer, and regular panel member, Laura has spoken at a range of events such as BlackHat USA, Velocity, OSCON, Kiwicon, Linux Conf AU, and Microsoft TechEd on the subjects of privacy, covert communications, agile security, and security mindset.

As the co-author of "Agile Application Security" published by O'Reilly media, Laura is internationally recognised as a leader in her field.

She is the founder and CEO of SafeStack, leading its operations from Auckland, New Zealand.

===Chris Berry - Aura Information Security - Offensive Defence===
----
Abstract

Frustrated by the ability to take over corporate networks by exploiting the same petty misconfigurations for the past several years, I want to expose blue teamer’s and dev’s to the current internal pen test strategies, which have proven consistently effective in going from no auth to domain admin.

Speaker Bio

Chris is a Security Consultant at Aura Information Security with experience across a broad variety of domains and industries. He is owned by a cat.

===Catherine McIlvride and Fiona Sasse - Pizza Roulette===
----
Abstract

Catherine and Fiona are security newbies in the world of bleepbloops. As their hunger for more knowledge on Security Testing grows, they attempt to chomp into the cyber realm of ordering pizza. Pull up a chair, grab a slice* and prepare yourself for a feast! *Disclaimer: Pizza will not be included.

Speaker Bio

Catherine and Fiona are software testers who have been united by their passion for pizza and their curiosity for wearing black and whites hats. They hammer and chisel their way through interfaces, databases, and all other places to identify cracks and gaps. Now they face their next adventure roaming unfamiliar territory in the security space.

===Ryan Kurte and Kirk Holloway - Auth* Infrastructure for Everyone===
----
Abstract

Auth(entication|orisation) is tough. We’re going to talk about how it’s usually done, the developer and user experience of auth*, and some things that often go wrong. Then we’re going pitch an idea that might, hopefully, maybe, help us all build safe exciting things.

Speaker Bio

Ryan is an aspiring hardware whisperer and academic with an incurable side project problem.

Kirk builds tiny bits of content that go in bigger bits of content for your local internet box. Combined they form 5/8ths of a full stack developer.

===Sarah Bennett and Patricia Ramsden - Xero - Guarding the Pot of Gold while the Rainbow gets bigger===
----
Abstract

We've all heard that as an industry we're severely outnumbered (defenders vs attackers). Many of us become a potential targets due to the type of market our company is in. The closer to money handling you are, the more attention you get therefore the more that ratio of defenders to attackers gets worse.
We've seen our adversaries change over time as we've grown. We'll discuss how our hitting one million paid subscribers affected us in terms of security, and how the motives of attackers seem to change with the seasons.

Speaker Bio

TBD

===Ian Welch and Kaishuo Yang - Bermudez: a honeypit designed to waste hacker's time===
----
Abstract

Small enterprises don’t have the human resources to deal with web attacks 24/7 although attacks can occur anytime. We describe a honeypit designed to entrap and slow attackers down giving time for a sysadmin to detect and respond to an attack.

Speaker Bio

Ian works for Victoria University of Wellington (VUW) doing computer security teaching and research mostly related to honeypots (CaptureHPC) and more recently software-defined networks (Gasket and Baffle).

Kai is a research assistant at Victoria University of Wellington (VUW). He developed Bermudez as part of his final year project last year and is working over summer on a security policy language for software-defined networks called Baffle.

===Declan Ingram - CERT - Enough theory, how are websites getting hacked in real life?===
----
Abstract

Since opening in April 2017, CERT NZ has dealt with hundreds of hacked websites. In this talk I propose to step through a few case studies of what went wrong, and how to stop it from happening to your websites. This talk will be done specifically for OWASP day and won’t be used for other audiences.

Speaker Bio

Declan Ingram is the Manager of Operations for CERT NZ and leads the technical side of CERT NZ – including the Incident Response Team. He has worked for over 17 years in information security, with broad experience in both incident response and security testing.

===Tim Goddard - Rails Derailed===
----
Abstract

Modern web application frameworks provide a lot of protections by default, but no protection is absolute. We explore common, severe security issues in Ruby on Rails applications, why they still occur despite its attempts to protect us.

Speaker Bio

Tim (pruby) moved two years ago from being a useful human being and building web applications, to the more haphazard world of tearing them apart. He applies his development background and knowledge to review applications from the ground-up, using the code to inform an efficient approach to security testing.

===Anupama Natarajan - Unisys New Zealand - Secure APIs: Road to Business Growth===
----
Abstract

Security must never be an afterthought. API Security is key for all modern digital businesses and secure APIs provide more confidence to the consumers. Come and learn the art of detecting underprotected APIs and how to secure them.

Speaker Bio

I am a Software Professional with over 15 years experience in designing and developing Web, Data Warehouse, Business Intelligence and Mobile solutions. I am a Microsoft Certified Trainer (MCT) and really passionate in sharing knowledge. I love solving complex business problems for my clients with innovative solutions using Microsoft Technologies and use that experience in my trainings and presentations. I share tried and tested examples which people can start use in their organisations immediately.

===Yappare - Timing Based Attacks in Web Applications===
----
Abstract

Timing-based attacks are deadly but often overlooked. Pentesters often miss such attacks when testing web applications.

By the end of the talk, the audience will learn ways to identify timing-based webapp vulnerabilities through careful manual and automated analysis of response generation times.

Speaker Bio

I was a Chemical Engineering graduate but have interest in application security. 7+ years in penetration testing industry and 5 years in bug bounty scene and currently at top leaderboard of Bugcrowd. Involving in these two areas of ‘hacking’ environment, expose me with various ways of identifying web vulnerabilities.

===Felix Shi - Developer's guide to Deserialization Attacks===
----
Abstract

A beginner friendly talk on deserialization attacks, targeted towards webapp devs and QA engineers. Heavy emphasis on explaining the attack vectors, the technical/business impact, and how to test for it.

There will be demos in some popular languages/frameworks - namely Python, Java, and C#.

Speaker Bio

Felix works in the security space at an online accounting software company named Xero. He joined in 2014 and his day job involves securing and breaking internally developed products. Before Xero he spent his previous years as a developer, and has been dabbling in the information security scene in Wellington.

===Tom Isaacson - IoT: How to fight the tyre fire===
----
Abstract

Everyone knows that IoT is a tyre fire but what can we do to start putting it out? Take a quick tour through the new OWASP IoT Top 10 and some other (personal) examples of how not to do IoT.

Speaker Bio

I’ve been an embedded developer for 20 years. I haven’t bothered learning web development because I still think the internet is a passing fad, but I’ve been forced to think about security after we added networking to our products.

===Olly - Xero - Finding the path to #DevSecOps nirvana===
----
Abstract

A talk about my experiences automating security infrastructure in AWS at Xero. The end goal, things to consider in a security context, the 80/20 rule, convincing people and how to get started. Buzzwords include: DevOps, DevSecOps, AWS, Cloud, CI/CD, “.* as code”.

Speaker Bio

Oliver is a Graduate Security Engineer at Xero where he helps build and deploy security infrastructure into AWS focusing on automation and repeatability. He is a contributor to Security Monkey, Netflix’s open source AWS security auditing tool.

===Nick Le Mouton - drugs.com - Thinking like an Attacker (Hacking your own organisation)===
----
Abstract

Often as developers we think like defenders. We identify vulns (SQLi, XSS etc) and patch them. How often do we think, how far could an attacker get by using this vuln? What could they do?

It’s easier to get non security buy-in if you can provide a working exploit to show how serious a vuln is.

Speaker Bio

I started my career as a developer and for the last 20 years I’ve moved more and more into the security space. I’m currently the CTO for Drugs.com, but spend a lot of time reading through legacy code and identifying areas of concern/exploiting vulnerabilities.

===Rory Shillington - VoltsAndBits - When Shoestrings Snap===
----
Abstract

Have you ever fed a sheep to a wolf? Every day, charities, non-profit organisations and small businesses get devoured by online threats. Let’s take a look at what’s happening both at the keyboard and IRL/AFK.

Speaker Bio

Rory Shillington is an electrical engineer trying to save polar bears by day, and a jack of all admins by night.

When not designing, testing and breaking solar inverters, he helps a small handful of clients navigate the minefields of the internet while keeping their websites patched (arrr). He has a strong passion for computer security with a number of years of hands-on experience, and a tendency of venturing questionable distances to solve other people’s problems. He also maintains a number of hobby and community websites.

===Jens Dietrich - Massey University - Evil Pickles: DoS Attacks Based on Object-Graph Engineering===
----
Abstract

Evil pickles is a new type of degradation of service attack inspired by billion laughs. It exploits the object serialisation interface present in most modern languages (such as Java, C#, Ruby), and can be used to exhaust resources including CPU time, stack and heap memory of the systems attacked.

Speaker Bio

Jens is an Associate Professor at Massey University Turitea Palmerston North. Jens has a MSc in Mathematics and a PhD in Computer Science from the University of Leipzig. After graduating in 1996, he worked as a software consultant, participating in some of the first large-scale enterprise-level projects that used object-oriented programming (Smalltalk and later Java) and agile principles. Clients he worked for include Mercedes-Benz, Volkswagen and some of the largest German banks. He moved to Namibia in 1999, working for a development aid agency to establish a computing curriculum at the local university of applied science. He continued with freelance consulting work for European and US clients during this time, and started several open source projects. In 2003 he moved to New Zealand to take up a position at Massey. Jens’ research interest are in the areas of software modularisation, evolution and static analysis for bug and vulnerability detection. He currently leads a National Science Challenge project on program analysis, and his research on fast algorithms for static analysis of large Java programs has been supported by several rounds of funding by Oracle Incl (through Oracle Labs Brisbane). Jens is executive member of Software Innovation NZ (SI^NZ) and member of the ACM.

===Karan Sharma - Enough with XSS, let's talk about something else?===
----
Abstract

I think it is time to lift our game and think beyond classic vulns such as XSS, CSRF, Dir Traversal, SQLi and talk about recent web vulns which are becoming more and more common and being exploited in the wild these days like IDOR, XXE, SSRF, DOM Clobbering, RPO and Insecure Cryptographic Storage.

Speaker Bio

Working as a Security Consultant at one of the leading financial institute of NZ. Very passionate about web app security and have been doing it for over 6 years. Love building and breaking stuff especially web apps and IoT stuff. I spend my days testing web apps and network infrastructure for vulnerabilities and then help mitigate what I find.

Like to code in node.js on embedded devices and love building Web of Things oppose to Internet of Things (no pun intended).

===Dion Bramley - Secure development in Go===
----
Abstract

Google loves Go, and they claim it makes secure development much easier for people who aren’t teams of seasoned security experts. But what makes it so special? Why should you choose Go for your next secure API project? How to do secure Go. And why it can be a really terrible option for some projects

Speaker Bio

I have been working in software since 2012 using a wide range of languages. Currently I work at Spalk Ltd (yuck, sports) as a senior engineer building APIs and streaming services, and teaching interns. I studied a combination of computer science and computer engineering at UoA for 5 years. Sometimes I do free security and (engineering) design consulting for startups and charities. Hobbies include theatre, gaming, and helping people be awesome.

===Sam Shute - Quantum Security - Riding someone else’s wave with CSRF===
----
Abstract

Cross-site request forgery is one of the common vulnerabilities we are seeing in pen tests. It can be used to create or delete accounts, escalate privileges, and perform other actions. This talk will cover what it is, common issues and how to properly defend against it.

Speaker Bio

Sam is a security consultant with Quantum Security. While relatively new to the security industry he spent the last 7 years studying various security topics at the University of Waikato. Sam has been an organiser and challenge developer of the New Zealand Cyber Security Challenge for the last 3 years. His areas of interest include behavioral biometrics, the physical/digital security overlap and breaking IoT devices.

===David Pearce - Secure Your Programming Future!===
----
Abstract

Can programming languages help us write secure code? It’s an age-old question. New languages come and go, but don’t often seem that different. But wait! You haven’t seen anything like Whiley before. Forget about type checking. This is a whole new level. You might think the demo is faked. It’s not.

Speaker Bio

David graduated with a PhD from Imperial College London in 2005, and took up a lecturer position at Victoria University of Wellington, NZ. David’s PhD thesis was on efficient algorithms for pointer analysis of C, and his techniques have since been incorporated into GCC. His interests are in programming languages, compilers and static analysis. Since 2009, he has been developing the Whiley Programming Language which is designed specifically to simplify program verification. David has previously interned at Bell Labs, New Jersey, where he worked on compilers for FPGAs; and also at IBM Hursely, UK, where he worked with the AspectJ development team on profiling systems.

===Alex Hogue - Atlassian - Operation Luigi: How I hacked my friend without her noticing===
----
Abstract

My friend gave me permission to “hack all her stuff” and this is my story. It’s about what I tried, what worked, my many flubs, and how easy it is to compromise Non Paranoid People TM.

Speaker Bio

Alex is your conference speaker, your best friend, and your sweet mango boy. Alex fell off the back of a gently glowing ute 17 years ago, and now haunts the Earth in corporeal form. Critics have called him “aggressively wonky”. He does incident detection and response at Atlassian, which is kiiinda like being an adult. Catch him scratching out MEMBERS ONLY signs into MEMERS ONLY.

===David Waters - Pushpay - Handling Of A PCI Incident - PANs In The Database===
----
Abstract

Are you storing credit card numbers in your database when you’re not meant to? Would you know? We will be briefly cover PCI, and telling the story of the discovery of PANs in our pipeline. Then describe the full journey from discovery, to recovery to future prevention.

Speaker Bio

David is a Senior Software Engineer/Tech Lead and one of the leaders of the Secure Coding Guild at Pushpay, David previously worked for 3 years in the security industry including 1 year in the Security Team at Google in London and draws on 19 years experience as a systems and web developer, primarily working in .NET, Java and JavaScript.

= Diversity fund =
==Diversity and Financial Aid fund==

'''The Diversity and Financial Aid assistance fund has now closed. If you find yourself stuck and need assistance, please get in touch with kirk.jackson@owasp.org and we'll see what we can do.'''

[We have unashamedly followed the model adopted by the nz.js(con) team with their fund. Many thanks to Jen and the team!]

Due to the support of our lovely sponsors, we have some additional funding available to help people from around New Zealand attend the OWASP NZ Day that would find it hard to otherwise attend. In particular, we welcome applications from women, people of colour, LGBTIQ and all others. You all deserve to be able to learn more about security, and we’ll do our darndest to help make that happen!

Our funds are limited, and we’ll be reviewing applications every two weeks starting in December. Submit your applications soon, so we can approve them early and you’ll be in several review cycles!

Process:

* Fill out our [https://docs.google.com/forms/d/e/1FAIpQLSeTPgNCXb-3FIKetzBtTSwe1IXYckmADCK5sXPdiWRu8mdI6g/viewform application form]
* We will review and approve applications each two weeks. The next review date is in Dec 2017.
* We will contact all applicants and let them know the result of the review.
* Successful applicants will be contacted to help sort things out.

We use the following criteria to help us decide who gets approved:

* We are biased towards (but not exclusively for) diverse applicants.
* We do attempt to maximise cost efficiency and will aim to get as many people to OWASP with our limited funds.

Each successful recipient can choose whether to be kept anonymous (in which case only the OWASP NZ committee will know the details of your funding), or to be put in touch with the supporting company whose sponsorship is going towards your attendance. We think some of our sponsors may enjoy the opportunity to chat with you on the day talk about your experiences and plans for the future, but that’s totally optional and up to you.

If you have any questions, feel free to drop us an email: denis.andzakovic@owasp.org | kirk.jackson@owasp.org | kim.carter@owasp.org

= Code of Conduct =
==Code of Conduct==

We want to make the OWASP NZ Day a welcoming environment for all attendees. To that end, we would like to remind you of OWASP's anti-harassment policy: [https://www.owasp.org/index.php/Governance/Conference_Policies].

Speakers, trainers and sponsors have all been reminded of these policies, and are expected to abide by them like all attendees.

If you have any concerns during the day, please seek out Kirk, Denis or Kim. We will make ourselves visible at the start of the day so you know what we look like.

<headertabs></headertabs>

[[Category:OWASP AppSec Conference]]

Kirkj: /* Presentations */

__NOTOC__
<center>
[[File:OWASP_NZ_Day_2017_logo.jpg|https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2017]] 
'''19th and 20th April 2017 - Auckland'''
</center>
----

= Introduction =
==Introduction==
We are proud to announce the eighth OWASP New Zealand Day conference, to be held at the University of Auckland on Thursday April 20th, 2017. OWASP New Zealand Day is a one-day conference dedicated to application security, with an emphasis on secure architecture and development techniques to help Kiwi developers build more secure applications.

Who is it for?

* Web Developers: There will be a choice of two streams in the morning. First stream covering introductory talks to application security, second stream covering deeper technical topics. Afternoon sessions will cover various defensive topics, with a DevSecOps cluster of talks in stream two after afternoon tea break.
* Security Professionals and Enthusiasts: Technical sessions later in the day will showcase new and interesting attack and defence topics.

==Conference structure==

Date: Thurs 20 April 2017 
Time: 9:30am - 6:00pm 
Cost: Free 

The main conference is on Thursday 20th of April, and will have two streams in both the morning and the afternoon:



Registration for the main conference day is now open: [https://www.eventbrite.com/e/owasp-nz-day-conference-tickets-31872881647 Conference Registration Here]

==Training==

As well as the main conference on Thursday, we are pleased to be able to provide training on Wednesday at the same venue. All details including registration are as follows:

'''LittleHackMe - Morning'''
Date: Wed 19 April 2017 
Afternoon session: 9:00am - 12:00pm or part thereof 
[https://www.eventbrite.com/e/owasp-nz-day-training-littlehackme-v-morning-session-tickets-33233099094 Morning Training Registration Page]

'''LittleHackMe - Afternoon'''
Date: Wed 19 April 2017 
Afternoon session: 1:00pm - 5:00pm or part thereof 
[https://www.eventbrite.com/e/owasp-nz-day-training-littlehackme-v-tickets-32870738263 Afternoon Training Registration Page] '''SOLD OUT'''

'''Advanced Web Hacking and Secure Coding'''
Date: Wed 19 April 2017 
Time: 9:00am - 5:00pm or part thereof 
[https://www.eventbrite.com/e/owasp-nz-day-training-advanced-web-hacking-and-secure-coding-tickets-32871439360 Training Registration Page] '''SOLD OUT'''

([https://www.eventbrite.com/e/advanced-web-hacking-and-secure-coding-tickets-33518127622 Additional training sessions] are being provided privately by Vikram)

'''Security Testing for Software Testers'''
Date: Wed 19 April 2017 
Time: 9:00am - 5:00pm or part thereof 
[https://www.eventbrite.com/e/owasp-nz-day-training-security-testing-for-software-testers-tickets-32871328027 Training Registration Page] '''SOLD OUT'''

Spaces going fast, so get in quick

==General==

The eighth OWASP New Zealand Day will be happening thanks to the support provided by the University of Auckland, which will kindly offer the same location as last year for stream one, with the addition of another room near by for the stream two room. Entry to the event will, as in the past, be free.

For any comments, feedback or observations, please don't hesitate to contact [mailto:kim.carter@owasp.org?cc=kirk.jackson@owasp.org&cc=denis.andzakovic@owasp.org us]. 

==Registration==

'''Sold out!'''

'''Please add yourself to the [https://www.eventbrite.com/e/owasp-nz-day-conference-tickets-31872881647#tickets waitlist] if you'd like to be notified when tickets become available.'''



Registration for the main conference day is now open: [https://www.eventbrite.com/e/owasp-nz-day-conference-tickets-31872881647 Conference Registration Here]
Follow us on twitter [https://twitter.com/owaspnz @owaspnz]

There is no cost for the main conference day. Unfortunately due to increased conference running costs, lunch, morning and afternoon tea's will not be provided as it has been for the past OWASP NZ Days. We do ask that if at any point you realise you cannot make it please cancel your registration to make room for others as spaces are limited.





==Important dates==

* CFP submission deadline: 18th March 2017
* CFT submission deadline: 28th February 2017
* Conference Registration deadline: 15th April 2017
* Training Registration deadline: 15th April 2017
* Training Day date: 19th April 2017
* Conference Day date: 20th April 2017

For those of you booking flights, ensure you can be at the venue at 9:00am, the conference will end by 6:00pm however we will have post conference drinks at a local drinking establishment for those interested.

==Conference Venue==

<table width="100%">
<tr>
<td>
The University of Auckland School of Business 
Owen Glen Building 
Address: 12 Grafton Road 
 
Stream one room: Level 1 
Room: 115 (Fisher & Paykel Auditorium) 
 
Stream two room: Level 0 
Room: 092 
 
Auckland 
New Zealand 
[https://www.google.com/maps/place/Owen+G+Glenn+Building+12+Grafton+Road/@-36.8528203,174.770224,17z/data=!4m6!1m3!3m2!1s0x0000000000000000:0x0205ad91287ba364!2sUniversity+of+Auckland+Graduate+School+of+Enterprise!3m1!1s0x0000000000000000:0xc9d224e5921a6690 Map]
</td>
<td>
[[Image:073_AUBiz_10Apr08small.jpg]] [[Image:OWASPNZDayLectureTheatre.jpg]]
</td>
</tr>
</table>

==Conference Sponsors==
<table width="100%" border="0" cellspacing="1" cellpadding="1">
<tr>
<td valign="bottom" width="100%"><center>[[File:AuckUni800-110.png|http://www.auckland.ac.nz]]</center></td>
</tr>
</table>
----

'''Gold Sponsors:'''
<table width="100%" border="0" cellspacing="7" cellpadding="0">
<tr>
<td><center>[[File:SA_Logo_w_DD.gif|link=http://www.security-assessment.com]]</center></td>
<td> </td>
<td> </td>
<td><center>[[File:INSOMNIA.PNG|link=http://www.insomniasec.com]]</center></td>
<td> </td>
<td> </td>
<td><center>[[File:Aura_PBK_Colour.jpg|link=http://www.aurainfosec.com]]</center></td>
</tr>
<tr>
<td><center>[[File:Redshield.png|link=https://www.redshield.co]]</center></td>
<td> </td>
<td> </td>
<td><center>[[File:Zx.png|link=http://www.zxsecurity.co.nz]]</center></td>
<td> </td>
<td> </td>
<td><center>[[File:Quantumblack3.png|link=http://www.quantumsecurity.co.nz]]</center></td>
</tr>
</table>
----

'''Support Sponsor:'''
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td><center>[[File:BinaryMistLimited.png|center|150px|link=http://binarymist.io]]</center></td>
<td> </td>
<td> </td>
<td><center>[[File:Atlassian.png|center|183px|link=https://www.atlassian.com/]]</center></td>
</tr>
</table>

==Conference Committee==

* Denis Andzakovic - OWASP New Zealand Leader (Auckland)
* Kirk Jackson - OWASP New Zealand Leader (Wellington)
* Kim Carter - OWASP New Zealand Leader (Christchurch)
* Lech Janczewski - Associate Professor - University of Auckland School of Business

Please direct all enquiries to denis.andzakovic@owasp.org | kirk.jackson@owasp.org | kim.carter@owasp.org

= Training =

==Training==

As well as the main conference on Thursday, we are pleased to be able to provide training on Wednesday at the same venue. All details including registration are as follows:

'''LittleHackMe - Morning'''
Date: Wed 19 April 2017 
Time: 9:00am - 12:00pm or part thereof 
[https://www.eventbrite.com/e/owasp-nz-day-training-littlehackme-v-morning-session-tickets-33233099094 Training Registration Page]

'''LittleHackMe'''
Date: Wed 19 April 2017 
Time: 1:00pm - 5:00pm or part thereof 
[https://www.eventbrite.com/e/owasp-nz-day-training-littlehackme-v-tickets-32870738263 Training Registration Page] '''SOLD OUT'''

'''Advanced Web Hacking and Secure Coding'''
Date: Wed 19 April 2017 
Time: 9:00am - 5:00pm or part thereof 
[https://www.eventbrite.com/e/owasp-nz-day-training-advanced-web-hacking-and-secure-coding-tickets-32871439360 Training Registration Page] '''SOLD OUT'''

([https://www.eventbrite.com/e/advanced-web-hacking-and-secure-coding-tickets-33518127622 Additional training sessions] are being provided privately by Vikram)

'''Security Testing for Software Testers'''
Date: Wed 19 April 2017 
Time: 9:00am - 5:00pm or part thereof 
[https://www.eventbrite.com/e/owasp-nz-day-training-security-testing-for-software-testers-tickets-32871328027 Training Registration Page] '''SOLD OUT'''

Spaces going fast, so get in quick

= Call For Presentations =
==Call For Presentations==

'''Thank you to all those who have submitted talks. The call for presentations has now closed.'''

OWASP New Zealand Day conferences attract a high quality of speakers from a variety of security disciplines including
architects, web developers and engineers, system administrators, penetration testers, policy specialists and more.

We would like a variety of technical levels in the presentations submitted, corresponding to the three sections of the conference:

* Introductions to various Web Application Security topics, and the OWASP projects
* Technical topics
* Policy, Compliance and Risk Management

The introductory talks should appeal to an intermediate to experienced web developer, without a solid grounding in web application security or knowledge of the OWASP projects. These talks should be engaging, encourage developers to learn more about web application security, and give them techniques that they can immediately return to work and apply to their jobs.

Technical topics are running all day and should appeal to two audiences - experienced web application security testers or researchers, and web developers who have a “OWASP Top Ten” level of understanding of web attacks and defenses. You could present a lightning, short or long talk on something you have researched, developed yourself, or learnt in your travels. Ideally the topics will have technical depth or novelty so that the majority of attendees learn something new.

We would also like to invite talks that will appeal to those interested in the various non-technical topics that are important in our industry. These talks could focus on the development of policies, dealing with compliance obligations, managing risks within an enterprise, or other issues that could appeal to those in management roles.

We encourage presentations to have a strong component on fixing and prevention of security issues. We are looking for presentations on a wide variety of security topics, including but not limited to:

* Web application security
* Mobile security
* Secure development
* Vulnerability analysis
* Threat modelling
* Application exploitation
* Exploitation techniques
* Threat and vulnerability countermeasures
* Platform or language security (JavaScript, NodeJS, .NET, Java, RoR, etc)
* Penetration Testing
* Browser and client security
* Application and solution architecture security
* PCI DSS
* Risk management
* Security concepts for C*Os, project managers and other non-technical attendees
* Privacy controls



The submission will be reviewed by the OWASP New Zealand Day conference committee and the highest voted talks will be selected and invited for presentation.

PLEASE NOTE:

* Due to limited budget available, expenses for international speakers cannot be covered.
* If your company is willing to cover travel and accommodation costs, the company will become "Support Sponsor" of the event.

'''Thank you to all those who have submitted talks. The call for presentations has now closed.'''

Please submit your presentation [https://www.papercall.io/owaspnz2017 here].



Submissions deadline: 18th March 2017

Applicants will be notified in the following week after the deadline, whether they were successful or not.


= Call For Sponsorships =
==Call For Sponsorships==

'''Thank you to all our sponsors. Sponsorship has now been fully subscribed, we are no longer accepting new sponsors.'''

OWASP New Zealand Day 2017 will be held in Auckland on the 20th of April, 2017 and is a security conference entirely dedicated to application security.
The conference is once again being hosted by the University of Auckland with their support and assistance.
OWASP New Zealand Day 2017 is a free event, but requires sponsor support to help be an instructive and quality event for the New Zealand community.
OWASP is strictly not for profit. The sponsorship money will be used to help make OWASP New Zealand Day 2017 a free, compelling, and valuable experience for all attendees.

The sponsorship funds collected are to be used for things such as:

* Name tags - we feel that getting to know people within the New Zealand community is important, and name tags make that possible.
* Promotion - up to now our events are propagating by word of mouth. We would like to get to a wider audience by advertising our events.
* Printed Materials - printed materials will include brochures, tags and lanyards.

== Facts ==

Last year, the event was supported by nine sponsors and attracted more than 500 participants. Plenty of constructive (and positive!) feedback from the audience was received and we are using this to make the conference more appealing to more people. For more information on the last New Zealand Day event, please visit: https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2016

The OWASP New Zealand community is strong, there are more than 490 people currently subscribed to the mailing-list. OWASP New Zealand Day is expected to attract between 500 and 600 attendees this year.

OWASP regular attendees are IT project managers, IT security managers, IT security consultants, web application architects and developers, QA managers, QA testers and system administrators.

== Sponsorships ==

There are three different levels of sponsorships for the OWASP Day event:

Support Sponsorship: (Covering international speaker travel expenses, media coverage/article/promotion of the event)

Includes:

* Publication of the sponsor logo on the event web site - https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2017

Silver Sponsorship: 750 NZD

Includes:

* Publication of the sponsor logo on the event web site - https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2017
* The publication of the sponsor logo in the event site, in the agenda, on the handouts and in all the official communications with the attendees at the conference.
* The possibility to distribute the company brochures, CDs or other materials to the participants during the event.

Gold Sponsorship: 1500 NZD

Includes:

* The possibility to have a promotional banner or sign side stage in the main auditorium (to be provided by the sponsor, size subject to approval by the OWASP NZ Day Committee).
* The publication of the sponsor logo in the event site, in the agenda, on the handouts and in all the official communications with the attendees at the conference.
* The possibility to distribute the company brochures, CDs or other materials to the participants during the event.
* Publication of the sponsor logo on the OWASP New Zealand Chapter page - Sponsor logo on the OWASP NZ site prior and during the OWASP Day event - https://www.owasp.org/index.php/New_Zealand
* Publication of the sponsor logo on the event web site - https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2017

Those who are interested in sponsoring OWASP New Zealand 2017 Conference can contact the [mailto:kim.carter@owasp.org,kirk.jackson@owasp.org,denis.andzakovic@owasp.org OWASP New Zealand Board]. 

'''Thank you to all our sponsors. Sponsorship has now been fully subscribed, we are no longer accepting new sponsors.'''

= Presentation Schedule =
==Presentations==

<center>
20th April 2017
<table width="100%">
<tr>
<td width="5%" valign="top" align="right">08:30</td>
<td colspan="3" style="background-color: #8595C2; text-align: center">Registration Opens</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">09:30</td>
<td colspan="3" style="background-color: #B9C2DC; text-align: center">
Welcome to OWASP New Zealand Day 2017 
Lech Janczewski (Associate Professor), Kirk Jackson, Denis Andzakovic and [https://binarymist.io Kim Carter] (OWASP Leaders)

</tr>
<tr>
<td width="7%" valign="top" align="right">09:45</td>
<td style="background-color: #EEE; text-align: center">
OWASP Top 10 Review & Preview 
Kevin Alcock - Katipo Information Security 
[[Media:2017-04-20-OWASPNZ-KevinAlcock.pdf|Slides (PDF, 2.5mb)]]
</td>
<td width="7%" valign="top" align="right">09:45</td>
<td style="background-color: #EEE; text-align: center">
Gaslighting with Honeypits and Mirages 
Kate Pearce - Cisco
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">10:20</td>
<td style="background-color: #B9C2DC; text-align: center">
Developer's guide to preventing XSS 
Felix Shi - Xero
</td>
<td width="7%" valign="top" align="right">10:20</td>
<td style="background-color: #B9C2DC; text-align: center">
The Magical World of Cloud Security 
Erica Anderson 
[https://github.com/sputina/magical-world-cloud-security/blob/master/magical-world-of-cloud-security.pdf Slides (PDF 0.6mb)]
</td>

</tr>
<tr>
<td width="7%" valign="top" align="right">10:55</td>
<td style="background-color: #EEE; text-align: center">
The dangerous, exquisite art of safely handling user-uploaded files 
Tom Eastman
</td>
<td width="7%" valign="top" align="right">10:55</td>
<td style="background-color: #EEE; text-align: center">
How to spot and stop a wolf in sheep's clothing (a.k.a Account Takeover) 
Nick Malcolm - SafeStack 
[https://www.slideshare.net/NickMalcolm/how-to-spot-a-wolf-in-sheeps-clothing-aka-account-takeover Slides]
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">11:30</td>
<td style="background-color: #B9C2DC; text-align: center">
Building the ultimate login and signup 
Matt Cotterell - Fairfax Media 
[[Media:2017-04-20-PerfectLoginPage.pdf|Slides (PDF, 5mb)]]
</td>
<td width="7%" valign="top" align="right">11:30</td>
<td style="background-color: #B9C2DC; text-align: center">
Security on a shoestring - running a security critical service as a volunteer 
Daniel Compton
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">12:05</td>
<td style="background-color: #EEE; text-align: center">
XML: Still Considered Dangerous 
Adam Bell - Lateral Security
</td>
<td width="7%" valign="top" align="right">12:05</td>
<td style="background-color: #EEE; text-align: center">
Confession of a lactose intolerant vulnerability hunter 
Trev H - RedShield
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">12:35</td>
<td colspan="3" style="background-color: #D98B66; text-align: center">
Break for Lunch 
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">14:00</td>
<td style="background-color: #EEE; text-align: center">
Sensible defaults for client-side security 
Jen Zajac - Catalyst 
[https://github.com/jenofdoom/sensible-defaults-for-client-side-security/blob/master/sensible-defaults-for-client-side-security.pdf Slides (PDF 5mb)]
</td>
<td width="7%" valign="top" align="right">14:00</td>
<td style="background-color: #EEE; text-align: center">
Huzzer, the tree-based generational mutating HTTP fuzzer 
Matthew Daley - Aura Information Security 
[https://bugfuzz.com/talks/huzzer_owasp-nz-day-2017.pdf Slides (PDF 16mb)]
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">14:30</td>
<td style="background-color: #B9C2DC; text-align: center">
Changing Perspectives 
Shahn Harris - Equifax
</td>
<td width="7%" valign="top" align="right">14:30</td>
<td style="background-color: #B9C2DC; text-align: center">
Root Cause is the Best Cause 
Adrian Hayes
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">15:15</td>
<td style="background-color: #EEE; text-align: center">
30 Days (ish) of Security 
Grace Nolan and Catherine McIlvride 
[[Media:2017-04-20-30DaysOfSecurity.pdf|Slides (PDF, 3.1mb)]]
</td>
<td width="7%" valign="top" align="right">15:15</td>
<td style="background-color: #EEE; text-align: center">
From JSONP to XSS persistence 
Claudio Contin - Aura Information Security 
[[Media:2017-04-20-JSONPXSS.pdf| Slides (800kb)]]
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">15:30</td>
<td colspan="3" style="background-color: #D98B66; text-align: center">
Break for Afternoon Tea 
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">16:00</td>
<td style="background-color: #EEE; text-align: center">
So we broke all CSPs... You won't guess what happened next! 
Lukas Weichselbaum & Michele Spagnuolo - Google Switzerland 
[[Media:2017-04-20-OWASPNZ-SpagnuoloWeichselbaum.pdf|Slides (PDF, 1.8mb)]]
</td>
<td width="7%" valign="top" align="right">16:00</td>
<td style="background-color: #EEE; text-align: center">
AppSec in a DevOps World 
Peter Chestna - Veracode 
[[Media:2017-04-20-AppSecDevops.pdf| Slides (PDF, 4.5mb)]]
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">16:45</td>
<td style="background-color: #B9C2DC; text-align: center">
Hacking the Talent Pipeline 
Ruth McDavitt - Summer of Tech 
[[Media:2017-04-20-OWASPNZ-HackingTheTalentPipeline.pdf| Slides (PDF, 1mb)]]
</td>
<td width="7%" valign="top" align="right">16:30</td>
<td style="background-color: #B9C2DC; text-align: center">
Trust me, I'm a cloud 
Sam Macleod - SafeStack
</td>
</tr>
<tr>
<td width="7%" valign="top" align="right">17:00</td>
<td style="background-color: #EEE; text-align: center">
Conscious Incompetence: Started from the bottom, now we're here 
Charlie Gavey - Snapper Services
</td>
<td colspan="2"> </td>
</tr>
<tr>
<td width="7%" valign="top" align="right">17:15</td>
<td style="background-color: #B9C2DC; text-align: center">
Graphing when your Facebook friends are awake 
Alex Hogue - Atlassian 
[https://docs.google.com/presentation/d/1MPT9C2FyEz1HIFoW4fHJGvAYRNWgkFArbLYohwa9HhI/edit?usp=sharing Google Slides]
</td>
<td colspan="2"> </td>
</tr>
<tr>
<td width="7%" valign="top" align="right">17:45</td>
<td style="background-color: #EEE; text-align: center">
Wrap Up 
Time for the pub, for those interested
</td>
<td colspan="2"> </td>
</tr>
</table>
</center>

= Speakers List =
==Speakers List==

===Kevin Alcock - Katipo Information Security - OWASP Top 10 Review & Preview===
----
Abstract

This is OWASP Day, let’s recap the top 10 from 2013 for those in the room that might not know or need a refresher. But hey it’s 2017 where are we at now? Let’s look at analyse the data collected from the 2016 data call.

Speaker Bio

Kevin helps run the Christchurch branch of ISIG. He has been programming for a living since 1986 (yes, longer than most of you have been alive) after studying at what is now known as Ara Institute of Canterbury. In those 30 plus years he spent of lot of his time in Enterprise, Financial systems with mobile/internet applications. 2016 he became a Offensive Security Certified Professional (OSCP). He is the founder and principal consultant at Katipo Information Security.

===Kate Pearce - Cisco - Gaslighting with Honeypits and Mirages: Destroying discovery to deplete attackers===
----
Abstract

Abstract (Small): When an attacker is after you they need a way in, and to prioritize efforts. Defensive gaslighting makes them chase ghost systems, and attack phantom vulnerabilities - keeping you secure.
As we discussed last time, we may release tools, and we may discuss some theory, but are you sure that really happened?

Speaker Bio

Catherine (Kate) Pearce is a Senior Security Consultant for Cisco, who is based in Wellington, New Zealand. Formerly a Security Consultant for Neohapsis in the USA, she has engaged with a widespread and varied range of clients to assist them in understanding their current security state, adding resilience into their systems and processes, and managing their ongoing security risk. Day-to-day she undertakes a mix of advising clients around their security, client-focused security assessments (such as penetration tests), and security research. She has spoken at her work at many security conferences, including Black Hat USA, Source Boston, Nolacon, Kiwicon, ACSC, Bsides Canberra and many others. While she has recently presented on Network Security, her true loves are application security enablement, complex systems security, and cross-discipline security analogues.

===Felix Shi - Xero - Developer's guide to preventing XSS===
----
Abstract

An introductory talk on cross site scripting, targeted towards web-app developers and QA engineers. Common methods of identifying the issue, as well as prevention and mitigation will be shown in this demo-heavy presentation.

Speaker Bio

Felix works in the product security space at an online accounting software company named Xero. He joined in 2014 and his day job involves securing and breaking internally developed products. Before Xero he spent his previous years as a developer, and has been dabbling in the information security scene in Wellington.

===Tom Eastman - The dangerous, exquisite art of safely handling user-uploaded files===
----
Abstract

“Come On, What Harm Can a User Profile photo Do?”.

I’ll show you every scary thing I know about that can be done with a file upload, and how to protect yourself from – hopefully – most of them.

Speaker Bio

Tom Eastman writes words that control computers to tell other computers to build FAKE computers that run on DIFFERENT computers.

===Nick Malcolm - SafeStack - How to spot and stop a wolf in sheep's clothing (a.k.a Account Takeover)===
----
Abstract

Almost two thirds of confirmed breaches involve using weak or stolen passwords - it’s not a new threat, but it works. By the end of this talk you will understand the Account Takeover threat, and walk away with some techniques & tools for detection and response within your own web applications.

Speaker Bio

Nick Malcolm is a Security Consultant at SafeStack, which means he gets to help people develop more secure software! He works with awesome people, in Auckland, New Zealand. He was formerly CTO at ThisData, a security product which protected millions of websites from account takeover attacks.

He’s also an active member in the Ruby community, regularly speaking about coding and security. He is a member of OWASP NZ, ISIG (Info Sec Interest Group), CSA (Cloud Security Alliance), and Internet NZ.

When he’s not coding he’s probably watching some scifi, spending time with his wife and kid, patting his cat, or strummin’ on his guitar.

===Matt Cotterell - Fairfax Media - Building the ultimate login and signup===
----
Abstract

Web Applications have lots of quirks and limitations that set them apart from other kinds of applications. In this talk, we explore public facing login and registration flows and some of those quirks that can catch devs out which can open your application (or users!) to security or privacy risks.

Speaker Bio

Matt Cotterell is a Security Engineer and a .NET Developer with 5+ years professional experience in software engineering for various diverse industries, including healthcare, cinema management and journalism. He is more of a maker than a breaker and spends his time exploring various software frameworks and public cloud providers (particularly .NET and Azure) along with writing software and presentations that enable developers to secure these systems.

He is currently working for Fairfax Media (stuff.co.nz) helping the DevOps teams improve the general security posture of their software and systems architecture, and developing awareness training for the in-house development teams. In his spare time, he can be found watching bad movies, gleefully overusing the word “cyber”, and feeling awkward writing biographies in a third-person perspective.

===Daniel Compton - Security on a shoestring - running a security critical service as a volunteer===
----
Abstract

Clojars is a JAR hosting service for the Clojure community. It’s a security critical piece of infrastructure for many organisations. This talk discusses my joining Clojars, how we improved our security, and how you can do the same, especially if you’re at a non-profit or a volunteer.

Speaker Bio

Daniel Compton is an independent software consultant, living in The Regions (Morrinsville). He works mainly with Clojure and ClojureScript, and is a volunteer admin for Clojars, the Clojure community JAR host. He also runs Deps, a private JAR hosting service. He enjoys contributing to open source projects and spending time with his young family.

===Adam Bell - Lateral Security - XML: Still Considered Dangerous===
----
Abstract

XML, the JSON of 2005. This talk will discuss an existing class of attacks against XML parsers, with some new twists for evading existing attack mitigations.

Speaker Bio

Adam ‘feabell’ Bell lives in Auckland with his wife and daughter. By day he is a security consultant for Lateral Security, by night he tries to remember what sleep is.

===Trev H - RedShield - Confession of a lactose intolerant vulnerability hunter===
----
Abstract

Eating cheese is delicious but if your body can’t process lactose (like mine) you are in for trouble. On those late, dairy induced nights where sleep just won’t happen, I’ll spend time developing an idea for an automated mass scan tool - “fon-didly-do”. This tool could collate vulnerability data collected from open Github projects and run analytics on them. This tool could be useful in identifying vulnerability trends for certain project types and platforms. I could write this tool using a combination of Postgres, Elixir and any number of free static code analysis tools.

This looks like a lot of work, but as luck would I have it … I have a fridge full of beer, some crusty bread and a wheel of gorgonzola, lets get to work!

There will be a release of fon-didly-do, a demo and some live cheese during this talk.

Speaker Bio

Trev is a RedShield Developer and Security Researcher who should not eat cheese! His daily job is to help secure web applications used by hundreds of thousands of people across the globe. He enjoys cooking, blues guitar and being a professional developer.

===Jen Zajac - Catalyst - Sensible defaults for client-side security===
----
Abstract

When starting a new web project, what foundations should you lay to ensure your JavaScript, HTML and CSS is going to be secure? Thinking about CSP, session token storage, how much you can trust a given input early can save a lot of rework later!

Speaker Bio

Jen is the lead front-end developer at Catalyst, a development company with a strong focus on Open Source. Based in Wellington, New Zealand, Jen is originally from the UK but ended up in NZ working for a conservation charity and ended up sticking around. With 10 years of experience in the tech industry, Jen is the co-director of Kiwi PyCon 2014 and the director of nz.js(con); 2017.

===Matthew Daley - Aura Information Security - Huzzer, the tree-based generational mutating HTTP fuzzer===
----
Abstract

Webapp fuzzing is well-covered by tools such as Zed Attack Proxy or Burp Suite, but what about the underlying webservers? Huzzer is a tree-based, generational mutating fuzzer for HTTP that targets webservers. I’ll talk about its development and some vulnerabilities found in real world webservers.

Speaker Bio

Senior Security Consultant at Aura Information Security and general weirdo in real life. Finds vulnerabilities in hypervisors, servers, webapps, and front doors.

===Shahn Harris - Equifax - Changing Perspectives===
----
Abstract

I will share 10 techniques on how you change companies perspectives on what information security is, and how it should be handled. These tips do not involve executive buy in, metrics, risk assessments, budget and without anyone knowing what you are actually doing.

Speaker Bio

Shahn Harris has spent many years working inside businesses of carious sizes in many different capacities. This has resulted in him changing from average tech guy to a beautiful butterfly of business engagement, stakeholder management, strategic product alignment, future states, and whatever other business jargon you can think of. He has worked across a number of leading New Zealand institutes, organisation’s and, brands spanning multiple industries as an internal resource or as a consultant.

===Adrian Hayes - Root Cause is the Best Cause===
----
Abstract

This talk will explore web app security flaws at the source code level at find the patterns and anti-patterns that lead to vulnerabilities. If you’re a developer you’ll learn how to write more secure code, and if you’re a pentester you’ll learn some root causes and where to focus your efforts.

Speaker Bio

Adrian Hayes has twelve years experience in the IT industry specialising in both software development and IT security. He has consulted on security for some of the largest organisations in the financial, government, telecommunications, and education sectors across New Zealand and internationally. Adrian has been known to speak at various security events including Kiwicon, OWASP NZ Day, ISACA education days, and OWASP Asia AppSec. He has published security research in the IEEE Security and Privacy magazine, and has been invited to speak on wider IT issues on Radio NZ.

===Grace Nolan and Catherine McIlvride - Enable Ltd and Assurity - 30 Days (ish) of Security===
----
Abstract

What is it like to learn security as complete beginner? What is is like to teach a complete beginner? Where would you start? This talk is about what it’s like learning security as a complete beginner.

Speaker Bio

Grace has been pressing buttons on computers her whole life. The right buttons and the wrong buttons. Now she presses buttons for a living. She’s currently a systems developer for Enable Ltd, a fibre broadband company in Christchurch, which sounds terrifyingly adult on paper. She cares about Computer Science in schools and Women in Tech stuff. She’s an enthusiastic choral singer, tea fanatic, and paints watercolours when she’s not devouring the latest in tech news.

Catherine is a Software Tester from Assurity. Her role is to gently bring developers back down to earth by methodically exposing their bugs. She laughs kindly at their dismay. She is a woman to be celebrated and feared. Wanting to discover new challenges, Cat is learning about security in the hopes of finding even better, juicier bugs.

===Claudio Contin - Aura Information Security - From JSONP to XSS persistence===
----
Abstract

An unescaped JSONP endpoint, combined to a XSS vulnerability, can lead to a persisted XSS, through service workers onFetch event.

Speaker Bio

I’ve been a backed web developer and system admin for many years, with good knowledge of JavaScript as well, and have explored a variety of open source technologies and programming languages. Since 2016 I’m working full time as a security consultant for Aura Information Security, mainly performing penetration tests for web and mobile applications.

===Lukas Weichselbaum & Michele Spagnuolo - Google Switzerland - So we broke all CSPs... You won't guess what happened next!===
----
Abstract

Last year we proved that the whitelist-based approach of Content Security Policy (CSP) is flawed and proposed an alternative based on 'strict-dynamic' in combination with nonces or hashes.

In our academic paper (CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy, ACM CCS, 2016), we demonstrated, using automatic checks, that 94.72% of all real-world policies can be trivially bypassed by an attacker with an XSS bug, and 75.81% are bypassable due to whitelists.

Thanks to the new 'strict-dynamic' approach, we were finally able to deploy an effective policy to many important Google products, such as GMail, Photos, and others. In this presentation we would like to share our experience, show examples, best practices and common pitfalls.

Finally, we share how we are addressing the recent bypasses of nonce-based policies, such as nonce exfiltration/reuse techniques and dangling markup attacks.

Speaker Bio

Lukas Weichselbaum is an Information Security Researcher at Google focusing on security enhancements and mitigations for web applications. He co-authored the specification for ‘strict-dynamic’ in CSP3 and launched CSP-Evaluator (csp-evaluator.withgoogle.com), a tool for developers and security experts to check if a Content Security Policy serves as a strong mitigation against cross-site scripting attacks. Lukas previously worked on dynamic analysis of Android malware. He also founded Andrubis – one of the very first large scale malware analysis platforms for Android applications.

Michele Spagnuolo is an Information Security Engineer at Google focusing on security enhancements and mitigations for web applications. He co-authored the specification for ‘strict-dynamic’ in CSP3, serving as a strong mitigation against cross-site scripting attacks. Other works include Rosetta Flash (rosettaflash.com) and BitIodine (bitiodine.net).

===Peter Chestna - Veracode - AppSec in a DevOps World===
----
Abstract

Dev teams were already struggling with adding security to their Agile processes. DevOps teams are pushing to release continuously, meaning integrating security will become even more of a challenge. How can teams deliver secure code while maintaining the speed required in a DevOps world?

Speaker Bio

As Director of Developer Engagement at Veracode, Pete provides customers with practical advice on how to successfully roll out developer-centric application security programs. Relying on more than 10 years of direct AppSec experience as both a developer and development leader, Pete provides information on best practices amassed from working with Veracode’s 1,000+ customers.

Pete joined Veracode in 2006 as a software developer and was instrumental in delivering the first version of Veracode’s service to customers. Later, as Director of Platform Engineering, Pete built and managed the Agile teams responsible for delivering Veracode’s SaaS platform. He also built the first DevOps team to deliver microservices. He is a certified product owner and scrum master. Pete also spearheaded Veracode’s initiative to automate the use of Veracode products into the company’s development processes called project Purina. Using this experience, he has spoken with hundreds of Veracode customers to help them set up similar programs.

Pete has more than 25 years’ experience developing software and has been granted 3 patents. He has been developing web applications since 1996, including one of the first applications to be delivered through a web interface. In his spare time he enjoys listening to Rush, drinking whiskey and programming on the Arduino platform.

===Ruth McDavitt - Summer of Tech - Hacking the Talent Pipeline===
----
Abstract

How can we join together to creatively overcome the limitations of our current education & recruitment systems to achieve a better talent pipeline? It’s recognised as a massive barrier, so what can we do about it today, to grow the talent pool right now, and for the future?

Speaker Bio

Ruth works on the human side of the technology industry, leading the Summer of Tech programme that is addressing the shortage of NZ technology skills through connecting experienced industry mentors with students. She is an active mentor to young entrepreneurs in a variety of programmes, including incubators, accelerators, universities, within community groups and at high schools.

===Sam Macleod - SafeStack - Trust me, I'm a cloud===
----
Abstract

As the cloud continues to take over every part of our lives, chances are that most of our systems and applications look quite different today than they used to. I will be talking about some of the Business Continuity pitfalls that are common in cloud environments, and how we can weather the storm.

Speaker Bio

Sam comes from an operations background, with experience in infrastructure design, incident response, and policy writing and implementation.  Working with financial applications, he has extensive experience in creating and working with high security environments.

===Charlie Gavey - Snapper Services - Conscious Incompetence: Started from the bottom, now we're here===
----
Abstract

Feeling like your organisation isn’t getting anywhere with security? The realisation that you don’t know anything is actually a critical part of the process. Described as the “conscious competence model”, this talk discusses how being conscious of your own incompetence is an important first step.

Speaker Bio

As a Scrum Master and Product Owner at Snapper Services, I’m all about empowering agile teams, with an interest in how agile teams mature and scale. I’m enthusiastic about fostering the next generation of tech talent; working with PC4G, RailsGirls, Cultivate Mentoring, and Summer of Tech. Will tramp for scroggin.

===Alex Hogue - Atlassian - Graphing when your Facebook friends are awake===
----
Abstract

We’re going to talk about finding this weird bug/feature, reverse-engineering what it does, actually looking at the graphs of real-life humans, using it in a social engineering context, how to prevent it, and tips for applying to work at the NSA.

Speaker Bio

Alex is a kid with a laptop and a pocketful of memes. Critics have described him as “aggressively wonky”. As far as he can tell from carefully examining the smoking crater that is his life, he’s working in Incident Response at Atlassian, which is a little bit like being an adult but with more ice cream. He does magic tricks and makes dumb one-use novelty websites as a substitude for getting out more.

===Erica Anderson - The Magical World of Cloud Security===
----
Abstract

Before you can get to a web app, your request usually goes through a few different levels of security infrastructure. This talk will focus on common tools and technology used at the host and platform level, why they are used, and which ones are full of fairy dust.

Speaker Bio

Her twitter bio says “info sec, cat, and ketchup enthusiast”. This story checks out.

= Diversity fund =
==Diversity and Financial Aid fund==

[We have unashamedly followed the model adopted by the nz.js(con) team with their fund. Many thanks to Jen and the team!]

Due to the support of our lovely sponsors, we have some additional funding available to help people from around New Zealand attend the OWASP NZ Day that would find it hard to otherwise attend. In particular, we welcome applications from women, people of colour, LGBTIQ and all others. You all deserve to be able to learn more about security, and we’ll do our darndest to help make that happen!

Our funds are limited, and we’ll be reviewing applications every two weeks. Submit your applications soon, so we can approve them early and you’ll be in several review cycles!

Process:

* Fill out our [https://docs.google.com/forms/d/e/1FAIpQLSfgj4k8PzOiZpA5KunjhaEpHPQUP31mqwcESfDlEMP2odTZFg/viewform?usp=sf_link application form]
* We will review and approve applications each two weeks. The next review date is 12 April 2017.
* We will contact all applicants and let them know the result of the review.
* Successful applicants will be contacted to help sort things out.

We use the following criteria to help us decide who gets approved:

* We are biased towards (but not exclusively for) diverse applicants.
* We do attempt to maximise cost efficiency and will aim to get as many people to OWASP with our limited funds.

Each successful recipient can choose whether to be kept anonymous (in which case only the OWASP NZ committee will know the details of your funding), or to be put in touch with the supporting company whose sponsorship is going towards your attendance. We think some of our sponsors may enjoy the opportunity to chat with you on the day talk about your experiences and plans for the future, but that’s totally optional and up to you.

If you have any questions, feel free to drop us an email: denis.andzakovic@owasp.org | kirk.jackson@owasp.org | kim.carter@owasp.org

= Code of Conduct =
==Code of Conduct==

We want to make the OWASP NZ Day a welcoming environment for all attendees. To that end, we would like to remind you of OWASP's anti-harassment policy: [https://www.owasp.org/index.php/Governance/Conference_Policies].

Speakers, trainers and sponsors have all been reminded of these policies, and are expected to abide by them like all attendees.

If you have any concerns during the day, please seek out Kirk, Denis or Kim. We will make ourselves visible at the start of the day so you know what we look like.

<headertabs></headertabs>

[[Category:OWASP AppSec Conference]]

File:2017-04-20-JSONPXSS.pdf

2017-05-01T02:01:20Z

Kirkj: From JSONP to XSS persistence Presented at OWASP NZ Day 2017 by Claudio Contin - Aura Information Security

From JSONP to XSS persistence
Presented at OWASP NZ Day 2017 by Claudio Contin - Aura Information Security