2011-02-14T21:49:46Z

Rsl81: /* Upcoming Event */

== Welcome to the OWASP New Zealand Local Chapter ==

Welcome to the OWASP New Zealand chapter site.

== Participation ==

Get involved! All OWASP chapter meetings are free and open to anyone interested in application security and New Zealand is no different. We encourage members to give presentations on any OWASP related topic and to share their knowledge with the rest of the OWASP NZ chapter. Please also subscribe to the [https://lists.owasp.org/mailman/listinfo/owasp-newzealand OWASP NZ Mailing-list] to receive future event announcements or access previous [https://lists.owasp.org/pipermail/owasp-newzealand/ posts].

== Upcoming Event ==

; 2nd March 2011
: '''Co-Sponsor:''' [http://security-assessment.com Security-Assessment.com]
: '''Locations:''' Wellington, Auckland
: '''Presentation:''' Crazy Insecure Web Apps Google Didn't Tell You About.
: '''Presented By:''' Adrain Hayes, Security Consultant (Security-Assessment.com)

== Past Events ==

== '''2010''' ==



; 15th July 2010
[https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2010 http://www.owasp.org/images/a/a7/Owasp_nz_day_2010.jpg]
: '''Co-Sponsor:''' [http://www.security-assessment.com Security-Assessment.com], [http://www.lateralsecurity.com Lateral Security], [http://www.auckland.ac.nz/ The University of Auckland]
: '''Location:''' Auckland
: '''Presentations:''' [http://www.owasp.org/index.php/OWASP_New_Zealand_Day_2010#tab=Presentations Download]
: '''Event site:''' [[OWASP_New_Zealand_Day_2010|OWASP New Zealand Day 2010]]

; 4th March 2010
: '''Co-Sponsor:''' [http://security-assessment.com Security-Assessment.com]
: '''Locations:''' Wellington, Auckland
: '''Presentation:''' MS-SQL Injections.
: '''Presented By:''' Scott Bell, Security Consultant (Security-Assessment.com)

== '''2009''' ==



; 10th November 2009
: '''Co-Sponsor:''' [http://security-assessment.com Security-Assessment.com]
: '''Locations:''' Wellington, Auckland
: '''Presentation:''' Testing AMF/Flex.
: '''Presented By:''' Nick Freeman, Security Consultant (Security-Assessment.com)
: '''Presentation:''' "Shared Ownership", from a web security perspective.
: '''Presented By:''' Quintin Russ, Technical Director (Site Host)

; 13th July 2009
[https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2009 https://www.owasp.org/images/8/85/Owasp_nz_logo.jpg]
: '''Co-Sponsor:''' [http://www.security-assessment.com Security-Assessment.com], [http://www.lateralsecurity.com Lateral Security], [http://www.auckland.ac.nz/ The University of Auckland]
: '''Location:''' Auckland
: '''Presentations:''' [http://www.owasp.org/index.php/OWASP_New_Zealand_Day_2009#tab=Presentations Download]
: '''Event site:''' [[OWASP_New_Zealand_Day_2009|OWASP New Zealand Day 2009]]

; 19th March 2009
: '''Co-Sponsor:''' [http://www.vodafone.co.nz Vodafone New Zealand] and [http://security-assessment.com Security-Assessment.com]
: '''Locations:''' Wellington, Auckland
: '''Presentation:''' "[http://www.owasp.org/index.php/Image:ActiveXploitation_In_2009.pptx ActiveXploitation in 2009]"
: '''Presented By:''' Paul Craig, Principal Security Consultant (Security-Assessment.com)
: '''Presentation:''' "[http://www.owasp.org/index.php/Image:OWASP_Mar09_Reversing_JavaScript.zip Reversing JavaScript]"
: '''Presented By:''' Roberto Suggi Liverani, Senior Security Consultant (Security-Assessment.com)
<hr>

== '''2008''' ==


; 5th November 2008
: '''Co-Sponsor:''' [http://www.vodafone.co.nz Vodafone New Zealand] and [http://security-assessment.com Security-Assessment.com]
: '''Locations:''' Wellington, Auckland
: '''Presentation:''' "[https://www.owasp.org/index.php/Image:Common_Application_Flaws.ppt Common Application Flaws]"
: '''Presented By:''' Brett Moore, Network Intrusion Specialist (Insomnia Security)
: '''Presentation:''' "In your Browser, Jackin your Clicks"
: '''Presented By:''' Beau Butler, Security Consultant (Security-Assessment.com)
: '''Presentation:''' "Opera Stored Cross Site Scripting"
: '''Presented By:''' Roberto Suggi Liverani, Security Consultant (Security-Assessment.com)

; 3rd September 2008
: '''Co-Sponsor:''' [http://www.microsoft.com/en/nz/default.aspx Microsoft] and [http://security-assessment.com Security-Assessment.com]
: '''Locations:''' Wellington, Auckland
: '''Presentation:''' "[https://www.owasp.org/index.php/Image:Browser_security.ppt Browser Security]"
: '''Presented By:''' Roberto Suggi Liverani, Security Consultant (Security-Assessment.com)
: '''Presentation:''' "[https://www.owasp.org/index.php/Image:Time_Based_SQL_Injections.ppt Time based blind SQL Injections]"
: '''Presented By:''' Muhaimin Dzulfakar, Security Consultant (Security-Assessment.com)

; 25th June 2008
: '''Co-Sponsor:''' [http://security-assessment.com Security-Assessment.com]
: '''Locations:''' Wellington, Auckland
: '''Presentation:''' "Fuzz the Web"
: '''Presented By:''' Dean Jerkovich, Security Analyst (ASB)
: '''Presentation:''' "Hacking The World With Flash Part #2: The Results"
: '''Presented By:''' Paul Crag, Principal Security Consultant (Security-Assessment.com)

; 29th April 2008
: '''Co-Sponsor:''' [http://security-assessment.com Security-Assessment.com]
: '''Locations:''' Wellington, Auckland
: '''Presentation:''' "[https://www.owasp.org/index.php/Image:Hacking_The_World_With_Flash.ppt Hacking The World With Flash]"
: '''Presented By:''' Paul Craig, Principal Security Consultant (Security-Assessment.com)
: '''Presentation:''' "[https://www.owasp.org/index.php/Image:Web_spam_techniques.ppt Web Spam Techniques] - also available in [http://malerisch.net/docs/web_spam_techniques/web_spam_techniques.html HTML] format"
: '''Presented By:''' Roberto Suggi Liverani, Security Consultant (Security-Assessment.com)

; 21st February 2008
: '''Co-Sponsor:''' [http://www.vedaadvantage.com/home/home_default.aspx Veda Advantage]
: '''Locations:''' Auckland
: '''Presentation:''' "[http://www.owasp.org/index.php/Image:Xpath_Injection.ppt Xpath Injection - An Overview]"
: '''Presented By:''' Roberto Suggi Liverani, Security Consultant (Security-assessment.com)

<hr>

== '''2007''' ==


; 5th December 2007
: '''Co-Sponsor:''' [http://www.vedaadvantage.com/home/home_default.aspx Veda Advantage]
: '''Locations:''' Auckland
: '''Presentation:''' "[http://malerisch.net/docs/ajax_security/Ajax_security.ppt Ajax Security]"
: '''Presented By:''' Roberto Suggi Liverani, Security Consultant (Security-assessment.com)
: '''Presentation:''' "On the job browser exploitation"
: '''Presented By:''' Mark Piper, Senior Security Consultant (Security-assessment.com)

; 22nd May 2007
: '''Co-Sponsor:''' [http://www.vedaadvantage.com/home/home_default.aspx Veda Advantage]
: '''Press Release:''' [http://www.vedaadvantage.com/vantage/news_in_brief_and_events/host_nz_owasp_meeting.aspx VedaAdvantage.com]
: '''Locations:''' Auckland
: '''Presentation:''' "OWASP in New Zealand"
: '''Presented By:''' Roberto Suggi Liverani / Antonio Spera

; April 2007
: '''Co-Sponsor:''' [http://www.vedaadvantage.com/home/home_default.aspx Veda Advantage]
: '''Locations:''' Auckland

; January 2007
: '''Co-Sponsor:''' [http://www.vedaadvantage.com/home/home_default.aspx Veda Advantage]
: '''Locations:''' Auckland

== Activities ==

OWASP New Zealand members actively participate in various OWASP activities. The following are some recent activities undertaken by OWASP NZ members:

* Roberto Suggi Liverani will be speaking at OWASP AppSec Asia 2009 conference
* Roberto Suggi Liverani and Nick Freeman will be speaking at Defcon 17
* OWASP NZ Day 2009 - [http://www.owasp.org/index.php/OWASP_New_Zealand_Day_2009#tab=Presentations Presentations online]
* Roberto Suggi Liverani and Nick Freeman will be speaking at EUSecWest 09
* Brett Moore will be speaking at [http://www.owasp.org/index.php/OWASP_AU_Conference_2009 OWASP AU Conference] about "Vulnerabilities In Action".
* Roberto Suggi Liverani contributed to the [http://www.owasp.org/index.php/OWASP_Testing_Project OWASP Testing Guide v3].
* Mark Piper took his "On the job browser exploitation" talk to the [http://www.owasp.org/index.php/OWASP_Australia_AppSec_2008_Conference OWASP_Australia_AppSec_2008_Conference].
* Rob Munro has been appointed as OWASP Evangelist
* OWASP NZ has audio/video conference capability between Auckland and Wellington

== OWASP NZ Members ==

We are always looking for additional board members to evangelise the OWASP mission help with meetings, projects and initiatives as we all know it takes time/effort to run a chapter. Please contact us if you are interested to join the NZ OWASP board member or for any queries related to OWASP NZ.

<ul>
*<b>NZ Board Member (Leader)</b> [mailto:robertosl(at)owasp.org Roberto Suggi Liverani] 021 928 780
*<b>NZ Board Member (Evangelist)</b> [mailto:rob(at)robmunro.com Rob Munro] 021 677 785
</ul>

<u>The chapter mailing address is:</u><br>
NZ OWASP <br>
17 Woodberry Drive<br>
Dannemora, Auckland 2016 <br>
<br>

== Chapter Sponsors ==

<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td><center>[http://www.security-assessment.com https://www.owasp.org/images/a/a4/Security-assessment_com.jpeg]</center></td>
<td> </td>
<td> </td>
<td> </td>
</tr>
<tr>
<td><center>[http://www.security-assessment.com www.security-assessment.com]</center></td>
<td> </td>
<td> </td>
<td> </td>
</tr>
</table>

File:Tales-of-the-crypto.pdf

2010-07-22T12:49:35Z

Rsl81: uploaded a new version of "File:Tales-of-the-crypto.pdf"

OWASP New Zealand Day 2010

2010-07-22T01:47:51Z

Rsl81:

__NOTOC__
====Introduction====

<center>'''OWASP New Zealand Day 2010<br>15th July - Auckland'''

[https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2010 http://www.owasp.org/images/a/a7/Owasp_nz_day_2010.jpg]<br><br>
</center>
----

= Introduction =

Following the success of the [http://www.owasp.org/index.php/OWASP_New_Zealand_Day_2009 OWASP New Zealand 2009] security conference which attracted more than 150 attendees, the [http://www.owasp.org/index.php/New_Zealand OWASP New Zealand Chapter] decided to organise the <b>OWASP New Zealand Day 2010</b>. The event was held on the <b>15th July 2010</b> in <b>Auckland</b> and was a great conference day. The event gathered an audience of 160 delegates including security professionals, developers, managers and students.<br>
For those people who missed the event or are interested in the conference material, some of the [http://www.owasp.org/index.php/OWASP_New_Zealand_Day_2010#tab=Presentations presentations] have been published and can be downloaded from the presentations page.<br>
For any comments, feedback or observations, please don't hesitate to contact [mailto:robertosl@owasp.org us].<br>
Again, big thanks to the sponsors <b>Security-Assessment.com</b> and <b>Lateral Security</b>, the speakers and the conference committee for their contributions and support to the organisation of the event.

==Blog/Coverage==

Some blog coverage from Kirk Jackson:
[http://pageofwords.com/blog/CategoryView,category,OWASP.aspx http://pageofwords.com/blog/CategoryView,category,OWASP.aspx]

====Presentations====

<center>
<table width="80%" class="t">
<tr>
<td width="7%" class="tcell3" valign="top"><div align="right">08:30</div></td>
<td bgcolor="#8595C2" class="tcell3"> <div align="left">Registration
</div></td>
</tr>
<tr>

<td class="tcell2" valign="top"><div align="right">09:00</div></td>
<td bgcolor="#eeeeee" class="tcell"><div align="center"><b>Welcome to OWASP New Zealand Day 2010</b><br />
<em>Roberto Suggi Liverani / Lech Janczewski - Security-Assessment.com / The University of Auckland</em></div></td>
</tr>
<tr>
<td class="tcell2" valign="top"><div align="right">09:15</div></td>
<td bgcolor="#b9c2dc" class="tcell"><div align="center"><b>[http://www.owasp.org/images/b/b5/2010_OWASP_NZ.pptx Don't Try This At Home]</b> - pptx<br/>
<em>Brett Moore - Insomnia Security</em></div></td>
</tr>

<tr>
<td class="tcell2" valign="top"><div align="right">9:50</div></td>
<td bgcolor="#EEEEEE" class="tcell"><div align="center"><b>[http://www.owasp.org/images/0/04/Roberto_Suggi_Liverani_OWASPNZDAY2010-Defending_against_application_DoS.pdf Defending Against Application Level DoS Attacks]</b> - pdf<br/>
<em>Roberto Suggi Liverani - Security-Assessment.com</em></div></td>
</tr>
<tr>
<td class="tcell2" valign="top"><div align="right">10:40</div></td>
<td bgcolor="#D98B66" class="tcell"><div align="left">Coffee Break<br />
<br />
</div></td>
</tr>
<tr>
<td class="tcell2" valign="top"><div align="right">11:10</div></td>
<td bgcolor="#B9C2DC" class="tcell"><div align="center"><b>"Oh F#!K": What To Do When You Get Pwned</b><br/>
<em>Paul Craig – Security-Assessment.com</em></div></td>
</tr>
<tr>
<td class="tcell3" valign="top"><div align="right">12:00</div></td>
<td bgcolor="#D98B66" class="tcell3"><div align="left">Lunch Break<br />
<br />
<br />
</div></td>
</tr>
<tr>
<td class="tcell2" valign="top"><div align="right">13:30</div></td>
<td bgcolor="#EEEEEE" class="tcell"><div align="center"><b>Low Scuttling Chilli Crab:Network Recon 2010AD **</b><br />
<em>Metlstorm</em></div></td>
</tr>
<tr>
<td class="tcell2" valign="top"><div align="right">14:15</div></td>
<td bgcolor="#B9C2DC" class="tcell"><div align="center"><b>[http://www.owasp.org/images/c/cc/Tales-of-the-crypto.pdf Tales from the Crypt0]</b> - pdf<br/>
<em>Graeme Neilson / Kirk Jackson - Aura Software Security / Xero</em></div></td>
</tr>
<tr>
<td class="tcell2" valign="top"><div align="right">15:00</div></td>
<td bgcolor="#D98B66" class="tcell">Snackie Break<br />
<br /></td>
</tr>
<tr>
<td class="tcell2" valign="top"><div align="right">15:30</div></td>
<td bgcolor="#EEEEEE" class="tcell"><div align="center"><b>[http://www.owasp.org/images/4/49/Hosting-and-web-apps.pdf Hosting and Web Apps - The Obscurity of Security]</b> - pdf<br/>
<em>Quintin Russ / Mike Jager - SiteHost / Web Drive</em></div></td>
</tr>

<tr>
<td class="tcell2" valign="top"><div align="right">16:15</div></td>
<td bgcolor="#B9C2DC" class="tcell"><div align="center"><b>The Ramblings of an ex-QSA</b><br />
<em>Dean Carter</em></div></td>
</tr>
<tr>
<td class="tcell2" valign="top"><div align="right">17:00</div></td>
<td bgcolor="#B5B5B5" class="tcell"><div align="left">Panel Discussion/Conclusion<br />
<br />
</div></td>
</tr>

</table>
</center>
<b>**</b> <i>replaced Scott Bell's "Web Application Vulnerabilities: How far does the rabbit hole go?" talk.</i>

====Speakers====

==Low Scuttling Chilli Crab:NETWORK RECON 2010AD **==

Network reconnaissance is an art as old as hacking, but the days of dumpster diving and fingering your away around the 'net are long in our past. In the world of Google, Wolfram|Alpha and Shodan, target acquisition is king: there's a new exploit every day, who's going down after you've finished your first cup of coffee tomorrow?

In this presentation, Metlstorm examines the practicality, implementation and effect of datamining country-scale network targeting databases. Building on the experience of spending the previous year mapping the New Zealand internet for his Kiwicon 2009 talk "Do Your Fruit Hang Low", Metlstorm deploys the Low Hanging Kiwifruit toolchain against its newest target: Singapore.

So, Singapore, are your networks open? How many open DSL routers are there in Singapore? Which ISP has their blade switches open for you to telnet to? Just how useful is it to full text search every SSL certificate name, 302 Redirect target and DNS entry?

<b>Metlstorm</b>

Metlstorm is an independent unix hacker from New Zealand, where he milks both sheep and hobbits. In the brief gaps in this bucolic schedule, he finds time to organise Kiwicon - the NZ hacker con, co-host the award-winning Risky.biz weekly infosec podcast and hold down a day job as a whitehat security consultant. In true sellout style, Metl has worked the floor at Blackhat, Defcon, Kiwicon & Ruxcon, achieving minor notoriety at the latter for being the only speaker ever punched out by a member of the audience at the end of his talk. Metlstorm loves bugs that are features, carrier networks and "enterprise" unix software, because we all know that "enterprise" means "the 80s called, they want their long environment variables back".

- <i>replaced Scott Bell's "Web Application Vulnerabilities: How far does the rabbit hole go?" talk</i>.

==Dean Carter - The Ramblings of an ex-QSA==

As a QSA there were a bunch of things Dean was forbidden from discussing.

As an ex QSA some of these matters will remain firmly sequestered inside his kimono - but others things, more general things, can now be shared.

Dean has 30 minutes worth of handy tips, hints, lessons and some brickbats relating to PCI and secure system development that he can now share with the community.

<b>Dean Carter</b>

Dean still remembers the day he first heard about the PCI DSS - he then spent several years trying to convince everyone that the PCI DSS was the bestest thing since the Beatles… not many people listened… they had projects to finish and settings to tweak…

Then Dean joined Security-Assessment.com and became a QSA (PCI power-up!)… people listened! Organisations even paid to listen! A few organisations went so far as to demonstrate their security posture to Dean The QSA. In return he signed their Reports on Compliance. Most made great progress towards compliance… while some simply went in political circles and denied the need to make any effort.

Two years on Dean, the ex-QSA, now works for financial institution where, in between other tasks, he regularly sticks his nose into PCI matters and still firmly believes that the PCI DSS is a positive thing.

==Paul Craig – Security-Assessment.com - "Oh F#!K" : What To Do When You Get Pwned==

If your company’s website were hacked tomorrow, would you know what to do?
Forensics is not what you see on CSI, and most people have no idea what they should do in the event of a compromise. What is an appropriate incident response for a company, what do you say to your CEO, when do you involve law enforcement? Do you attempt to solve the forensic case yourself; keeping in mind any action you take may directly affect the evidence, or compromise legal judicial requirements.
This presentation will demonstrate the forensic process for a compromised website, and what an organization should do when they find out they have been compromised. I will use case studies from previous incidents and demonstrate what you should and shouldn’t do when you get pwned.

<b>Paul Craig</b>

My name is Paul Craig, I work as the lead forensic incident responder at Security-Assessment.com and I work with many New Zealand companies who have been compromised. From small websites to large corporations and government agencies, our nation is regularly being defaced and defrauded. IT Forensics is here to pick up the pieces, and it’s my job to spend long nights trying to provide answers to businesses regarding what really happened.

==Brett Moore - Insomnia Security - "Don't Try This At Home"==

During source code and application reviews a number of common issues are
often seen. Developers making the same mistakes time and time again. There
are also those 'unique' issues that only come up once in a while, when
people handroll their own methods to solve a particular problem.

Over the course of this talk, the speaker will explain and describe a number
of issues that he has seen over the last 24 months in locally developed
code. This is an opportunity to see what local developers are doing wrong,
and why you shouldn't try this at home.

<b>Brett Moore</b>

Having conducted vulnerability assessments, network reviews, and penetration tests for the majority of the large companies in New Zealand, Insomnia founder Brett Moore brings with him over eight years experience in information security. During this time, Brett has also worked with companies such as SUN Microsystems, Skype Limited and Microsoft Corporation by reporting and helping to fix security vulnerabilities in their products. Brett has released numerous whitepapers and technical postings related to security issues and has spoken at security conferences both locally and overseas, including BlackHat, Defcon, Syscan, Kiwicon, Ruxcon, and the invitation only Microsoft internal security conference called BlueHat.

==Graeme Neilson / Kirk Jackson - Aura Software Security / Xero - Tales from the Crypt0==

Does the thought of SSL, HTTPS and S/MIME make you squeamish?
Does PKI make you want to scream?
Does encrypting data at rest make you want to bury yourself alive?

Cryptography is an important part of most web applications these days,
and developers and admins need to understand how, why and when to
employ the best and appropriate techniques to secure their servers,
applications, data and the livelihoods of their users.

Join Graeme Neilson (Aura Software Security) and Kirk Jackson (Xero)
for a series of scary stories in "Tales from the Crypt0".

<b>Graeme Neilson</b>

Graeme Neilson is lead security researcher at Aura Software Security,
a security consultancy based in Wellington with clients across the globe.

<b>Kirk Jackson</b>

Kirk Jackson is a developer at Xero, makers of the world's easiest
accounting system.

==Quintin Russ / Mike Jager - SiteHost / Web Drive - Hosting and Web Apps - The Obscurity of Security==

The security of web applications has traditionally been considered to be
the problem of the company whose servers they were hosted upon. However,
while you can outsource the hosting of web apps, you cannot outsource
the responsibility of ensuring that those apps are secure. Mike and
Quintin set aside their corporate rivalry to demonstrate the gap between
the way things are and the way things should be.

<b>Quintin Russ</b>

Quintin has carved out his own niche in the .nz hosting industry, having
spent a large proportion of the last few years becoming an expert in
both building and defending systems. He now runs enough infrastructure
to ensure he never, ever gets a good night's sleep, and sometimes
doesn't even get to snooze through Sunday mornings. Quintin has a keen
interest in security, especially as it relates to web hosting. This has
ranged from the vicissitudes of shared hosting to code reviews of
popular blogging applications. He has previously presented at ISIG and
Kiwicon 2009.

<b>Mike Jager</b>

Since his arrival at Web Drive in 2004, Mike has been sticking his
fingers into the wall sockets of web hosting. Currently, he herds
packets, mutters at clouds, and sneaks up on web applications, tricking
them into scaling horizontally when they least expect it. Mike holds a
BE in Computer Systems Engineering from the University of Auckland, and
has been spotted presenting recently at NZNOG, APRICOT and the
occasional ISIG meeting.

==Roberto Suggi Liverani - Security-Assessment.com - Defending Against Application Level DoS Attacks==

Secure code practices, system hardening, due diligence and due care principles are paramount in mitigating application level DoS attacks.
These attacks often result in significant damage against unprepared and vulnerable organisations.

The intent of this talk is to help organisations in strengthening their security posture against such attacks. The talk will explore most common application level DoS attacks and will provide recommendations for protecting applications, detecting attacks and how to react under stressful conditions.

<b>Roberto Suggi Liverani</b>

Roberto Suggi Liverani is a senior security consultant for Security-Assessment.com. He is the founder and
leader of the OWASP (Open Web Application Security Project) in New Zealand. Roberto has worked with
companies such as Google, Adobe and Opera by reporting and helping to fix security vulnerabilities in their
products. Roberto is the co-author of the most recent OWASP Testing Guide and has spoken at various
security conferences around the globe.

<br><br>
<b>Please note that CFP is now closed.</b>

====Call For Sponsorships (CLOSED)====

The aims of OWASP - New Zealand community is to guarantee access to the conference for free in order to allow for wide participation and empower the community itself. As so the OWASP - New Zealand community encourages Industries, Research Institutions and Individuals to sponsor their activities and events.

Three types of sponsorships are available:
<br><br>
* <b>Support Sponsorships</b>: n/a - company covers expenses for international speaker / media company that provides article/coverage on the event

- Publication of the sponsor logo on the event web site.
<br><br>
* <b>Silver sponsorship</b>: 1500 NZD

- The publication of the sponsor logo in the event site, in the agenda, on the flyers, brochure and in all the official communications with the attendees at the conference.<br>
<br>
* <b>Gold Sponsorship</b>: 3500 NZD

- Publication of the sponsor logo on the event web site;<br>
- Publication of the sponsor logo on the OWASP New Zealand Chapter page;<br>
- The publication of the sponsor logo in the event site, in the agenda, on the flyers, brochure and in all the official communications with the attendees at the conference;<br>
- The possibility to distribute the company brochures, CDs or other materials to the participants during the event;<br>
- Sponsor dedicated space at the conference (sponsor booth) to show products/services to the attendees during coffee breaks, lunch and snack breaks.<br>
<br>
Those who are interested in sponsoring OWASP New Zealand 2010 Conference can contact the [mailto:robertosl@owasp.org OWASP New Zealand Board].<br>
Sponsors can also make us of the following PayPal button to make payments. Donations are also more than welcome from the NZ community.

<table width="100%" border="2" cellspacing="0" cellpadding="0">
<tr>
<td bordercolor="#FF6600" bgcolor="#FFFFFF" valign="top"><div align="center"><paypal>OWASP New Zealand Day 2010</paypal></div></td>
</tr>
</table>

====Call for Paper (CLOSED) and review process====

OWASP solicit contributions on the above topics, or general matters of interest to the community. Those who are interested in participating as speakers to the conference can submit an abstract of the speech to the [mailto:robertosl@owasp.org OWASP New Zealand Board].<br>
The email subject must be “OWASP New Zealand 2010: CFP” and the email body must contains the following information/sections:

* Name and Surname
* Affiliation
* Address
* Telephone number
* Email address
* List of the author’s previous papers/articles/speeches on the same topics
* Title of the contribution
* Type of contribution: Technical or Informative
* Abstract (max one A4 style page)
* Why the contribution is relevant for OWASP New Zealand 2010
* If you are not from New Zealand, will your company support your expenses - Yes/No

The submission will be reviewed by the OWASP New Zealand Board and the most interesting ones will be selected and invited for presentation.

Due to limited budget available, expenses for international speakers cannot be covered.
If your company is willing to cover travel and accomodation costs, the company will become "Support Sponsor" of the event.

====Conference====

==Conference Venue==

The University of Auckland Business School<br>
Owen G Glenn Building<br>
Room: OGGB 260-073 (OGGB4)<br>
Address: 12 Grafton Road<br>
Auckland<br>
New Zealand<br>
[http://maps.google.com/maps?oe=UTF-8&ie=UTF8&q=auckland+business+school&fb=1&split=1&cid=0,0,12303692579639430581&ei=6WeqSZr_OZLFkAWR--zbDQ&ll=-36.852308,174.770916&spn=0.01056,0.020621&z=16&iwloc=A Map]<br>
<center>[[Image:Auckland_business_school_small2.jpg]] [[Image:Room_hall.jpg]]</center>

==Topics==

The OWASP Days have always offered a forum for discussion and exchange of ideas among researchers and practitioners who present their experiences and discuss issues related to Web Application Security from a higher level to a technical point of view.

Conference topics include, but are not limited to:

* OWASP Project presentation (i.e Tool Updates/Project Status etc);
* Threat modelling of web applications;
* Privacy concerns with applications and data storage;
* Vulnerability analysis of web applications (code review, pentest, static analysis, scanning);
* Baseline or metrics for web application security;
* Countermeasures for web application vulnerabilities;
* Web application security;
* Platform or language (e.g. Java, .NET) security features that help secure web applications;
* Secure application development;
* How to use databases securely in web applications;
* Security of Service Oriented Architectures;
* Access control in web applications;
* Web services security;
* Browser security;
* PCI.

===Conference structure and schedule===

OWASP New Zealand Day 2010 will be all day Conference. The conference aims to provide a workshop-like atmosphere in which contributions can be presented and then time is allowed for constructive discussion of their results and processes. It will be structured in a single stream. During the conference two coffee breaks (one in the morning and one in the afternoon) and the lunch are in program. These might be offered by the sponsors. The detailed agenda of the conference will be available on the web site before the event.

====Conference dates====

* CFP close: 30th June 2010
* Contributions submission deadline: 10th July 2010
* Registration deadline: 30th June 2010
* Conference Agenda due: 2nd July 2010
* Conference date: 15th July 2010

====Conference Committee====

'''OWASP New Zealand Day 2010 Organising Committee:'''

* Roberto Suggi Liverani – OWASP New Zealand Leader
* Rob Munro – OWASP New Zealand Evangelist
* Lech Janczewski - Associate Professor - University of Auckland

<headertabs/>

==Conference Sponsors==
<table width="100%" border="0" cellspacing="1" cellpadding="1">
<tr>
<td valign="bottom" width="50%"><center>[http://www.auckland.ac.nz/ https://www.owasp.org/images/8/82/University_of_Auckland_crest_small.png]</center></td>
<td valign="bottom" width="50%"><center>[http://www.security.org.nz/NZISF_NZISForumContent.php https://www.owasp.org/images/5/5a/Nz_information_security_forum.png]</center></td>
</tr>
<tr>
<td valign="top" width="50%"><center>ICT and Department of Information Systems and Operations Management</center></td>
<td valign="top" width="50%"> </td>
</tr>
</table>

'''Gold Sponsors:'''
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td><center>[http://www.security-assessment.com https://www.owasp.org/images/a/a4/Security-assessment_com.jpeg]</center></td>
<td> </td>
<td> </td>
<td> </td>
</tr>
<tr>
<td><center>[http://www.security-assessment.com www.security-assessment.com]</center></td>
<td> </td>
<td> </td>
<td> </td>
</tr>
</table>

'''Silver Sponsors:'''
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td><center>[http://www.lateralsecurity.com/ https://www.owasp.org/images/f/f4/Lateral_security.jpeg]</center></td>
<td> </td>
<td> </td>
<td> </td>
</tr>
<tr>
<td><center>[http://www.lateralsecurity.com/ www.lateralsecurity.com]</center></td>
<td> </td>
<td> </td>
<td> </td>
</tr>
</table>

'''Support Sponsors:'''
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td><center>[http://www.techday.co.nz/netguide/ http://www.owasp.org/images/1/1d/Netguide-logo.png]</center></td>
<td> </td>
<td> </td>
<td> </td>
</tr>
<tr>
<td><center>[http://www.techday.co.nz/netguide/ www.techday.co.nz/netguide]</center></td>
<td> </td>
<td> </td>
<td> </td>
</tr>

</table>

[[Category:OWASP AppSec Conference]]

OWASP New Zealand Day 2010

2010-07-22T01:46:29Z

Rsl81:

__NOTOC__
====Introduction====

<center>'''OWASP New Zealand Day 2010<br>15th July - Auckland'''

[https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2010 http://www.owasp.org/images/a/a7/Owasp_nz_day_2010.jpg]<br><br>
</center>
----

= Introduction =

Following the success of the [http://www.owasp.org/index.php/OWASP_New_Zealand_Day_2009 OWASP New Zealand 2009] security conference which attracted more than 150 attendees, the [http://www.owasp.org/index.php/New_Zealand OWASP New Zealand Chapter] decided to organise the <b>OWASP New Zealand Day 2010</b>. The event was held on the <b>15th July 2010</b> in <b>Auckland</b> and was a great conference day. The event gathered an audience of 160 delegates including security professionals, developers, managers and students.<br>
For those people who missed the event or are interested in the conference material, some of the [http://www.owasp.org/index.php/OWASP_New_Zealand_Day_2010#tab=Presentations presentations] have been published and can be downloaded from the presentations page.<br>
For any comments, feedback or observations, please don't hesitate to contact [mailto:robertosl@owasp.org us].<br>
Again, big thanks to the sponsors <b>Security-Assessment.com</b> and <b>Lateral Security</b>, the speakers and the conference committee for their contributions and support to the organisation of the event.

==Blog/Coverage==

Some blog coverage from Kirk Jackson:
[http://pageofwords.com/blog/CategoryView,category,OWASP.aspx http://pageofwords.com/blog/CategoryView,category,OWASP.aspx]

====Presentations====

<center>
<table width="80%" class="t">
<tr>
<td width="7%" class="tcell3" valign="top"><div align="right">08:30</div></td>
<td bgcolor="#8595C2" class="tcell3"> <div align="left">Registration
</div></td>
</tr>
<tr>

<td class="tcell2" valign="top"><div align="right">09:00</div></td>
<td bgcolor="#eeeeee" class="tcell"><div align="center"><b>Welcome to OWASP New Zealand Day 2010</b><br />
<em>Roberto Suggi Liverani / Lech Janczewski - Security-Assessment.com / The University of Auckland</em></div></td>
</tr>
<tr>
<td class="tcell2" valign="top"><div align="right">09:15</div></td>
<td bgcolor="#b9c2dc" class="tcell"><div align="center"><b>[http://www.owasp.org/images/b/b5/2010_OWASP_NZ.pptx Don't Try This At Home]</b> - PowerPoint<br/>
<em>Brett Moore - Insomnia Security</em></div></td>
</tr>

<tr>
<td class="tcell2" valign="top"><div align="right">9:50</div></td>
<td bgcolor="#EEEEEE" class="tcell"><div align="center"><b>[http://www.owasp.org/images/0/04/Roberto_Suggi_Liverani_OWASPNZDAY2010-Defending_against_application_DoS.pdf Defending Against Application Level DoS Attacks]</b> - pdf<br/>
<em>Roberto Suggi Liverani - Security-Assessment.com</em></div></td>
</tr>
<tr>
<td class="tcell2" valign="top"><div align="right">10:40</div></td>
<td bgcolor="#D98B66" class="tcell"><div align="left">Coffee Break<br />
<br />
</div></td>
</tr>
<tr>
<td class="tcell2" valign="top"><div align="right">11:10</div></td>
<td bgcolor="#B9C2DC" class="tcell"><div align="center"><b>"Oh F#!K": What To Do When You Get Pwned</b><br/>
<em>Paul Craig – Security-Assessment.com</em></div></td>
</tr>
<tr>
<td class="tcell3" valign="top"><div align="right">12:00</div></td>
<td bgcolor="#D98B66" class="tcell3"><div align="left">Lunch Break<br />
<br />
<br />
</div></td>
</tr>
<tr>
<td class="tcell2" valign="top"><div align="right">13:30</div></td>
<td bgcolor="#EEEEEE" class="tcell"><div align="center"><b>Low Scuttling Chilli Crab:Network Recon 2010AD **</b><br />
<em>Metlstorm</em></div></td>
</tr>
<tr>
<td class="tcell2" valign="top"><div align="right">14:15</div></td>
<td bgcolor="#B9C2DC" class="tcell"><div align="center"><b>[http://www.owasp.org/images/c/cc/Tales-of-the-crypto.pdf Tales from the Crypt0]</b> - pdf<br/>
<em>Graeme Neilson / Kirk Jackson - Aura Software Security / Xero</em></div></td>
</tr>
<tr>
<td class="tcell2" valign="top"><div align="right">15:00</div></td>
<td bgcolor="#D98B66" class="tcell">Snackie Break<br />
<br /></td>
</tr>
<tr>
<td class="tcell2" valign="top"><div align="right">15:30</div></td>
<td bgcolor="#EEEEEE" class="tcell"><div align="center"><b>[http://www.owasp.org/images/4/49/Hosting-and-web-apps.pdf Hosting and Web Apps - The Obscurity of Security]</b> - pdf<br/>
<em>Quintin Russ / Mike Jager - SiteHost / Web Drive</em></div></td>
</tr>

<tr>
<td class="tcell2" valign="top"><div align="right">16:15</div></td>
<td bgcolor="#B9C2DC" class="tcell"><div align="center"><b>The Ramblings of an ex-QSA</b><br />
<em>Dean Carter</em></div></td>
</tr>
<tr>
<td class="tcell2" valign="top"><div align="right">17:00</div></td>
<td bgcolor="#B5B5B5" class="tcell"><div align="left">Panel Discussion/Conclusion<br />
<br />
</div></td>
</tr>

</table>
</center>
<b>**</b> <i>replaced Scott Bell's "Web Application Vulnerabilities: How far does the rabbit hole go?" talk.</i>

====Speakers====

==Low Scuttling Chilli Crab:NETWORK RECON 2010AD **==

Network reconnaissance is an art as old as hacking, but the days of dumpster diving and fingering your away around the 'net are long in our past. In the world of Google, Wolfram|Alpha and Shodan, target acquisition is king: there's a new exploit every day, who's going down after you've finished your first cup of coffee tomorrow?

In this presentation, Metlstorm examines the practicality, implementation and effect of datamining country-scale network targeting databases. Building on the experience of spending the previous year mapping the New Zealand internet for his Kiwicon 2009 talk "Do Your Fruit Hang Low", Metlstorm deploys the Low Hanging Kiwifruit toolchain against its newest target: Singapore.

So, Singapore, are your networks open? How many open DSL routers are there in Singapore? Which ISP has their blade switches open for you to telnet to? Just how useful is it to full text search every SSL certificate name, 302 Redirect target and DNS entry?

<b>Metlstorm</b>

Metlstorm is an independent unix hacker from New Zealand, where he milks both sheep and hobbits. In the brief gaps in this bucolic schedule, he finds time to organise Kiwicon - the NZ hacker con, co-host the award-winning Risky.biz weekly infosec podcast and hold down a day job as a whitehat security consultant. In true sellout style, Metl has worked the floor at Blackhat, Defcon, Kiwicon & Ruxcon, achieving minor notoriety at the latter for being the only speaker ever punched out by a member of the audience at the end of his talk. Metlstorm loves bugs that are features, carrier networks and "enterprise" unix software, because we all know that "enterprise" means "the 80s called, they want their long environment variables back".

- <i>replaced Scott Bell's "Web Application Vulnerabilities: How far does the rabbit hole go?" talk</i>.

==Dean Carter - The Ramblings of an ex-QSA==

As a QSA there were a bunch of things Dean was forbidden from discussing.

As an ex QSA some of these matters will remain firmly sequestered inside his kimono - but others things, more general things, can now be shared.

Dean has 30 minutes worth of handy tips, hints, lessons and some brickbats relating to PCI and secure system development that he can now share with the community.

<b>Dean Carter</b>

Dean still remembers the day he first heard about the PCI DSS - he then spent several years trying to convince everyone that the PCI DSS was the bestest thing since the Beatles… not many people listened… they had projects to finish and settings to tweak…

Then Dean joined Security-Assessment.com and became a QSA (PCI power-up!)… people listened! Organisations even paid to listen! A few organisations went so far as to demonstrate their security posture to Dean The QSA. In return he signed their Reports on Compliance. Most made great progress towards compliance… while some simply went in political circles and denied the need to make any effort.

Two years on Dean, the ex-QSA, now works for financial institution where, in between other tasks, he regularly sticks his nose into PCI matters and still firmly believes that the PCI DSS is a positive thing.

==Paul Craig – Security-Assessment.com - "Oh F#!K" : What To Do When You Get Pwned==

If your company’s website were hacked tomorrow, would you know what to do?
Forensics is not what you see on CSI, and most people have no idea what they should do in the event of a compromise. What is an appropriate incident response for a company, what do you say to your CEO, when do you involve law enforcement? Do you attempt to solve the forensic case yourself; keeping in mind any action you take may directly affect the evidence, or compromise legal judicial requirements.
This presentation will demonstrate the forensic process for a compromised website, and what an organization should do when they find out they have been compromised. I will use case studies from previous incidents and demonstrate what you should and shouldn’t do when you get pwned.

<b>Paul Craig</b>

My name is Paul Craig, I work as the lead forensic incident responder at Security-Assessment.com and I work with many New Zealand companies who have been compromised. From small websites to large corporations and government agencies, our nation is regularly being defaced and defrauded. IT Forensics is here to pick up the pieces, and it’s my job to spend long nights trying to provide answers to businesses regarding what really happened.

==Brett Moore - Insomnia Security - "Don't Try This At Home"==

During source code and application reviews a number of common issues are
often seen. Developers making the same mistakes time and time again. There
are also those 'unique' issues that only come up once in a while, when
people handroll their own methods to solve a particular problem.

Over the course of this talk, the speaker will explain and describe a number
of issues that he has seen over the last 24 months in locally developed
code. This is an opportunity to see what local developers are doing wrong,
and why you shouldn't try this at home.

<b>Brett Moore</b>

Having conducted vulnerability assessments, network reviews, and penetration tests for the majority of the large companies in New Zealand, Insomnia founder Brett Moore brings with him over eight years experience in information security. During this time, Brett has also worked with companies such as SUN Microsystems, Skype Limited and Microsoft Corporation by reporting and helping to fix security vulnerabilities in their products. Brett has released numerous whitepapers and technical postings related to security issues and has spoken at security conferences both locally and overseas, including BlackHat, Defcon, Syscan, Kiwicon, Ruxcon, and the invitation only Microsoft internal security conference called BlueHat.

==Graeme Neilson / Kirk Jackson - Aura Software Security / Xero - Tales from the Crypt0==

Does the thought of SSL, HTTPS and S/MIME make you squeamish?
Does PKI make you want to scream?
Does encrypting data at rest make you want to bury yourself alive?

Cryptography is an important part of most web applications these days,
and developers and admins need to understand how, why and when to
employ the best and appropriate techniques to secure their servers,
applications, data and the livelihoods of their users.

Join Graeme Neilson (Aura Software Security) and Kirk Jackson (Xero)
for a series of scary stories in "Tales from the Crypt0".

<b>Graeme Neilson</b>

Graeme Neilson is lead security researcher at Aura Software Security,
a security consultancy based in Wellington with clients across the globe.

<b>Kirk Jackson</b>

Kirk Jackson is a developer at Xero, makers of the world's easiest
accounting system.

==Quintin Russ / Mike Jager - SiteHost / Web Drive - Hosting and Web Apps - The Obscurity of Security==

The security of web applications has traditionally been considered to be
the problem of the company whose servers they were hosted upon. However,
while you can outsource the hosting of web apps, you cannot outsource
the responsibility of ensuring that those apps are secure. Mike and
Quintin set aside their corporate rivalry to demonstrate the gap between
the way things are and the way things should be.

<b>Quintin Russ</b>

Quintin has carved out his own niche in the .nz hosting industry, having
spent a large proportion of the last few years becoming an expert in
both building and defending systems. He now runs enough infrastructure
to ensure he never, ever gets a good night's sleep, and sometimes
doesn't even get to snooze through Sunday mornings. Quintin has a keen
interest in security, especially as it relates to web hosting. This has
ranged from the vicissitudes of shared hosting to code reviews of
popular blogging applications. He has previously presented at ISIG and
Kiwicon 2009.

<b>Mike Jager</b>

Since his arrival at Web Drive in 2004, Mike has been sticking his
fingers into the wall sockets of web hosting. Currently, he herds
packets, mutters at clouds, and sneaks up on web applications, tricking
them into scaling horizontally when they least expect it. Mike holds a
BE in Computer Systems Engineering from the University of Auckland, and
has been spotted presenting recently at NZNOG, APRICOT and the
occasional ISIG meeting.

==Roberto Suggi Liverani - Security-Assessment.com - Defending Against Application Level DoS Attacks==

Secure code practices, system hardening, due diligence and due care principles are paramount in mitigating application level DoS attacks.
These attacks often result in significant damage against unprepared and vulnerable organisations.

The intent of this talk is to help organisations in strengthening their security posture against such attacks. The talk will explore most common application level DoS attacks and will provide recommendations for protecting applications, detecting attacks and how to react under stressful conditions.

<b>Roberto Suggi Liverani</b>

Roberto Suggi Liverani is a senior security consultant for Security-Assessment.com. He is the founder and
leader of the OWASP (Open Web Application Security Project) in New Zealand. Roberto has worked with
companies such as Google, Adobe and Opera by reporting and helping to fix security vulnerabilities in their
products. Roberto is the co-author of the most recent OWASP Testing Guide and has spoken at various
security conferences around the globe.

<br><br>
<b>Please note that CFP is now closed.</b>

====Call For Sponsorships (CLOSED)====

The aims of OWASP - New Zealand community is to guarantee access to the conference for free in order to allow for wide participation and empower the community itself. As so the OWASP - New Zealand community encourages Industries, Research Institutions and Individuals to sponsor their activities and events.

Three types of sponsorships are available:
<br><br>
* <b>Support Sponsorships</b>: n/a - company covers expenses for international speaker / media company that provides article/coverage on the event

- Publication of the sponsor logo on the event web site.
<br><br>
* <b>Silver sponsorship</b>: 1500 NZD

- The publication of the sponsor logo in the event site, in the agenda, on the flyers, brochure and in all the official communications with the attendees at the conference.<br>
<br>
* <b>Gold Sponsorship</b>: 3500 NZD

- Publication of the sponsor logo on the event web site;<br>
- Publication of the sponsor logo on the OWASP New Zealand Chapter page;<br>
- The publication of the sponsor logo in the event site, in the agenda, on the flyers, brochure and in all the official communications with the attendees at the conference;<br>
- The possibility to distribute the company brochures, CDs or other materials to the participants during the event;<br>
- Sponsor dedicated space at the conference (sponsor booth) to show products/services to the attendees during coffee breaks, lunch and snack breaks.<br>
<br>
Those who are interested in sponsoring OWASP New Zealand 2010 Conference can contact the [mailto:robertosl@owasp.org OWASP New Zealand Board].<br>
Sponsors can also make us of the following PayPal button to make payments. Donations are also more than welcome from the NZ community.

<table width="100%" border="2" cellspacing="0" cellpadding="0">
<tr>
<td bordercolor="#FF6600" bgcolor="#FFFFFF" valign="top"><div align="center"><paypal>OWASP New Zealand Day 2010</paypal></div></td>
</tr>
</table>

====Call for Paper (CLOSED) and review process====

OWASP solicit contributions on the above topics, or general matters of interest to the community. Those who are interested in participating as speakers to the conference can submit an abstract of the speech to the [mailto:robertosl@owasp.org OWASP New Zealand Board].<br>
The email subject must be “OWASP New Zealand 2010: CFP” and the email body must contains the following information/sections:

* Name and Surname
* Affiliation
* Address
* Telephone number
* Email address
* List of the author’s previous papers/articles/speeches on the same topics
* Title of the contribution
* Type of contribution: Technical or Informative
* Abstract (max one A4 style page)
* Why the contribution is relevant for OWASP New Zealand 2010
* If you are not from New Zealand, will your company support your expenses - Yes/No

The submission will be reviewed by the OWASP New Zealand Board and the most interesting ones will be selected and invited for presentation.

Due to limited budget available, expenses for international speakers cannot be covered.
If your company is willing to cover travel and accomodation costs, the company will become "Support Sponsor" of the event.

====Conference====

==Conference Venue==

The University of Auckland Business School<br>
Owen G Glenn Building<br>
Room: OGGB 260-073 (OGGB4)<br>
Address: 12 Grafton Road<br>
Auckland<br>
New Zealand<br>
[http://maps.google.com/maps?oe=UTF-8&ie=UTF8&q=auckland+business+school&fb=1&split=1&cid=0,0,12303692579639430581&ei=6WeqSZr_OZLFkAWR--zbDQ&ll=-36.852308,174.770916&spn=0.01056,0.020621&z=16&iwloc=A Map]<br>
<center>[[Image:Auckland_business_school_small2.jpg]] [[Image:Room_hall.jpg]]</center>

==Topics==

The OWASP Days have always offered a forum for discussion and exchange of ideas among researchers and practitioners who present their experiences and discuss issues related to Web Application Security from a higher level to a technical point of view.

Conference topics include, but are not limited to:

* OWASP Project presentation (i.e Tool Updates/Project Status etc);
* Threat modelling of web applications;
* Privacy concerns with applications and data storage;
* Vulnerability analysis of web applications (code review, pentest, static analysis, scanning);
* Baseline or metrics for web application security;
* Countermeasures for web application vulnerabilities;
* Web application security;
* Platform or language (e.g. Java, .NET) security features that help secure web applications;
* Secure application development;
* How to use databases securely in web applications;
* Security of Service Oriented Architectures;
* Access control in web applications;
* Web services security;
* Browser security;
* PCI.

===Conference structure and schedule===

OWASP New Zealand Day 2010 will be all day Conference. The conference aims to provide a workshop-like atmosphere in which contributions can be presented and then time is allowed for constructive discussion of their results and processes. It will be structured in a single stream. During the conference two coffee breaks (one in the morning and one in the afternoon) and the lunch are in program. These might be offered by the sponsors. The detailed agenda of the conference will be available on the web site before the event.

====Conference dates====

* CFP close: 30th June 2010
* Contributions submission deadline: 10th July 2010
* Registration deadline: 30th June 2010
* Conference Agenda due: 2nd July 2010
* Conference date: 15th July 2010

====Conference Committee====

'''OWASP New Zealand Day 2010 Organising Committee:'''

* Roberto Suggi Liverani – OWASP New Zealand Leader
* Rob Munro – OWASP New Zealand Evangelist
* Lech Janczewski - Associate Professor - University of Auckland

<headertabs/>

==Conference Sponsors==
<table width="100%" border="0" cellspacing="1" cellpadding="1">
<tr>
<td valign="bottom" width="50%"><center>[http://www.auckland.ac.nz/ https://www.owasp.org/images/8/82/University_of_Auckland_crest_small.png]</center></td>
<td valign="bottom" width="50%"><center>[http://www.security.org.nz/NZISF_NZISForumContent.php https://www.owasp.org/images/5/5a/Nz_information_security_forum.png]</center></td>
</tr>
<tr>
<td valign="top" width="50%"><center>ICT and Department of Information Systems and Operations Management</center></td>
<td valign="top" width="50%"> </td>
</tr>
</table>

'''Gold Sponsors:'''
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td><center>[http://www.security-assessment.com https://www.owasp.org/images/a/a4/Security-assessment_com.jpeg]</center></td>
<td> </td>
<td> </td>
<td> </td>
</tr>
<tr>
<td><center>[http://www.security-assessment.com www.security-assessment.com]</center></td>
<td> </td>
<td> </td>
<td> </td>
</tr>
</table>

'''Silver Sponsors:'''
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td><center>[http://www.lateralsecurity.com/ https://www.owasp.org/images/f/f4/Lateral_security.jpeg]</center></td>
<td> </td>
<td> </td>
<td> </td>
</tr>
<tr>
<td><center>[http://www.lateralsecurity.com/ www.lateralsecurity.com]</center></td>
<td> </td>
<td> </td>
<td> </td>
</tr>
</table>

'''Support Sponsors:'''
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td><center>[http://www.techday.co.nz/netguide/ http://www.owasp.org/images/1/1d/Netguide-logo.png]</center></td>
<td> </td>
<td> </td>
<td> </td>
</tr>
<tr>
<td><center>[http://www.techday.co.nz/netguide/ www.techday.co.nz/netguide]</center></td>
<td> </td>
<td> </td>
<td> </td>
</tr>

</table>

[[Category:OWASP AppSec Conference]]

File:2010 OWASP NZ.pptx

2010-07-22T01:43:43Z

Rsl81:

OWASP New Zealand Day 2010

2010-07-19T22:53:48Z

Rsl81: /* Introduction */

__NOTOC__
====Introduction====

<center>'''OWASP New Zealand Day 2010<br>15th July - Auckland'''

[https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2010 http://www.owasp.org/images/a/a7/Owasp_nz_day_2010.jpg]<br><br>
</center>
----

= Introduction =

Following the success of the [http://www.owasp.org/index.php/OWASP_New_Zealand_Day_2009 OWASP New Zealand 2009] security conference which attracted more than 150 attendees, the [http://www.owasp.org/index.php/New_Zealand OWASP New Zealand Chapter] decided to organise the <b>OWASP New Zealand Day 2010</b>. The event was held on the <b>15th July 2010</b> in <b>Auckland</b> and was a great conference day. The event gathered an audience of 160 delegates including security professionals, developers, managers and students.<br>
For those people who missed the event or are interested in the conference material, some of the [http://www.owasp.org/index.php/OWASP_New_Zealand_Day_2010#tab=Presentations presentations] have been published and can be downloaded from the presentations page.<br>
For any comments, feedback or observations, please don't hesitate to contact [mailto:robertosl@owasp.org us].<br>
Again, big thanks to the sponsors <b>Security-Assessment.com</b> and <b>Lateral Security</b>, the speakers and the conference committee for their contributions and support to the organisation of the event.

==Blog/Coverage==

Some blog coverage from Kirk Jackson:
[http://pageofwords.com/blog/CategoryView,category,OWASP.aspx http://pageofwords.com/blog/CategoryView,category,OWASP.aspx]

====Presentations====

<center>
<table width="80%" class="t">
<tr>
<td width="7%" class="tcell3" valign="top"><div align="right">08:30</div></td>
<td bgcolor="#8595C2" class="tcell3"> <div align="left">Registration
</div></td>
</tr>
<tr>

<td class="tcell2" valign="top"><div align="right">09:00</div></td>
<td bgcolor="#eeeeee" class="tcell"><div align="center"><b>Welcome to OWASP New Zealand Day 2010</b><br />
<em>Roberto Suggi Liverani / Lech Janczewski - Security-Assessment.com / The University of Auckland</em></div></td>
</tr>
<tr>
<td class="tcell2" valign="top"><div align="right">09:15</div></td>
<td bgcolor="#b9c2dc" class="tcell"><div align="center"><b>Don't Try This At Home</b><br/>
<em>Brett Moore - Insomnia Security</em></div></td>
</tr>

<tr>
<td class="tcell2" valign="top"><div align="right">9:50</div></td>
<td bgcolor="#EEEEEE" class="tcell"><div align="center"><b>[http://www.owasp.org/images/0/04/Roberto_Suggi_Liverani_OWASPNZDAY2010-Defending_against_application_DoS.pdf Defending Against Application Level DoS Attacks]</b> - pdf<br/>
<em>Roberto Suggi Liverani - Security-Assessment.com</em></div></td>
</tr>
<tr>
<td class="tcell2" valign="top"><div align="right">10:40</div></td>
<td bgcolor="#D98B66" class="tcell"><div align="left">Coffee Break<br />
<br />
</div></td>
</tr>
<tr>
<td class="tcell2" valign="top"><div align="right">11:10</div></td>
<td bgcolor="#B9C2DC" class="tcell"><div align="center"><b>"Oh F#!K": What To Do When You Get Pwned</b><br/>
<em>Paul Craig – Security-Assessment.com</em></div></td>
</tr>
<tr>
<td class="tcell3" valign="top"><div align="right">12:00</div></td>
<td bgcolor="#D98B66" class="tcell3"><div align="left">Lunch Break<br />
<br />
<br />
</div></td>
</tr>
<tr>
<td class="tcell2" valign="top"><div align="right">13:30</div></td>
<td bgcolor="#EEEEEE" class="tcell"><div align="center"><b>Low Scuttling Chilli Crab:Network Recon 2010AD **</b><br />
<em>Metlstorm</em></div></td>
</tr>
<tr>
<td class="tcell2" valign="top"><div align="right">14:15</div></td>
<td bgcolor="#B9C2DC" class="tcell"><div align="center"><b>[http://www.owasp.org/images/c/cc/Tales-of-the-crypto.pdf Tales from the Crypt0]</b> - pdf<br/>
<em>Graeme Neilson / Kirk Jackson - Aura Software Security / Xero</em></div></td>
</tr>
<tr>
<td class="tcell2" valign="top"><div align="right">15:00</div></td>
<td bgcolor="#D98B66" class="tcell">Snackie Break<br />
<br /></td>
</tr>
<tr>
<td class="tcell2" valign="top"><div align="right">15:30</div></td>
<td bgcolor="#EEEEEE" class="tcell"><div align="center"><b>[http://www.owasp.org/images/4/49/Hosting-and-web-apps.pdf Hosting and Web Apps - The Obscurity of Security]</b> - pdf<br/>
<em>Quintin Russ / Mike Jager - SiteHost / Web Drive</em></div></td>
</tr>

<tr>
<td class="tcell2" valign="top"><div align="right">16:15</div></td>
<td bgcolor="#B9C2DC" class="tcell"><div align="center"><b>The Ramblings of an ex-QSA</b><br />
<em>Dean Carter</em></div></td>
</tr>
<tr>
<td class="tcell2" valign="top"><div align="right">17:00</div></td>
<td bgcolor="#B5B5B5" class="tcell"><div align="left">Panel Discussion/Conclusion<br />
<br />
</div></td>
</tr>

</table>
</center>
<b>**</b> <i>replaced Scott Bell's "Web Application Vulnerabilities: How far does the rabbit hole go?" talk.</i>

====Speakers====

==Low Scuttling Chilli Crab:NETWORK RECON 2010AD **==

Network reconnaissance is an art as old as hacking, but the days of dumpster diving and fingering your away around the 'net are long in our past. In the world of Google, Wolfram|Alpha and Shodan, target acquisition is king: there's a new exploit every day, who's going down after you've finished your first cup of coffee tomorrow?

In this presentation, Metlstorm examines the practicality, implementation and effect of datamining country-scale network targeting databases. Building on the experience of spending the previous year mapping the New Zealand internet for his Kiwicon 2009 talk "Do Your Fruit Hang Low", Metlstorm deploys the Low Hanging Kiwifruit toolchain against its newest target: Singapore.

So, Singapore, are your networks open? How many open DSL routers are there in Singapore? Which ISP has their blade switches open for you to telnet to? Just how useful is it to full text search every SSL certificate name, 302 Redirect target and DNS entry?

<b>Metlstorm</b>

Metlstorm is an independent unix hacker from New Zealand, where he milks both sheep and hobbits. In the brief gaps in this bucolic schedule, he finds time to organise Kiwicon - the NZ hacker con, co-host the award-winning Risky.biz weekly infosec podcast and hold down a day job as a whitehat security consultant. In true sellout style, Metl has worked the floor at Blackhat, Defcon, Kiwicon & Ruxcon, achieving minor notoriety at the latter for being the only speaker ever punched out by a member of the audience at the end of his talk. Metlstorm loves bugs that are features, carrier networks and "enterprise" unix software, because we all know that "enterprise" means "the 80s called, they want their long environment variables back".

- <i>replaced Scott Bell's "Web Application Vulnerabilities: How far does the rabbit hole go?" talk</i>.

==Dean Carter - The Ramblings of an ex-QSA==

As a QSA there were a bunch of things Dean was forbidden from discussing.

As an ex QSA some of these matters will remain firmly sequestered inside his kimono - but others things, more general things, can now be shared.

Dean has 30 minutes worth of handy tips, hints, lessons and some brickbats relating to PCI and secure system development that he can now share with the community.

<b>Dean Carter</b>

Dean still remembers the day he first heard about the PCI DSS - he then spent several years trying to convince everyone that the PCI DSS was the bestest thing since the Beatles… not many people listened… they had projects to finish and settings to tweak…

Then Dean joined Security-Assessment.com and became a QSA (PCI power-up!)… people listened! Organisations even paid to listen! A few organisations went so far as to demonstrate their security posture to Dean The QSA. In return he signed their Reports on Compliance. Most made great progress towards compliance… while some simply went in political circles and denied the need to make any effort.

Two years on Dean, the ex-QSA, now works for financial institution where, in between other tasks, he regularly sticks his nose into PCI matters and still firmly believes that the PCI DSS is a positive thing.

==Paul Craig – Security-Assessment.com - "Oh F#!K" : What To Do When You Get Pwned==

If your company’s website were hacked tomorrow, would you know what to do?
Forensics is not what you see on CSI, and most people have no idea what they should do in the event of a compromise. What is an appropriate incident response for a company, what do you say to your CEO, when do you involve law enforcement? Do you attempt to solve the forensic case yourself; keeping in mind any action you take may directly affect the evidence, or compromise legal judicial requirements.
This presentation will demonstrate the forensic process for a compromised website, and what an organization should do when they find out they have been compromised. I will use case studies from previous incidents and demonstrate what you should and shouldn’t do when you get pwned.

<b>Paul Craig</b>

My name is Paul Craig, I work as the lead forensic incident responder at Security-Assessment.com and I work with many New Zealand companies who have been compromised. From small websites to large corporations and government agencies, our nation is regularly being defaced and defrauded. IT Forensics is here to pick up the pieces, and it’s my job to spend long nights trying to provide answers to businesses regarding what really happened.

==Brett Moore - Insomnia Security - "Don't Try This At Home"==

During source code and application reviews a number of common issues are
often seen. Developers making the same mistakes time and time again. There
are also those 'unique' issues that only come up once in a while, when
people handroll their own methods to solve a particular problem.

Over the course of this talk, the speaker will explain and describe a number
of issues that he has seen over the last 24 months in locally developed
code. This is an opportunity to see what local developers are doing wrong,
and why you shouldn't try this at home.

<b>Brett Moore</b>

Having conducted vulnerability assessments, network reviews, and penetration tests for the majority of the large companies in New Zealand, Insomnia founder Brett Moore brings with him over eight years experience in information security. During this time, Brett has also worked with companies such as SUN Microsystems, Skype Limited and Microsoft Corporation by reporting and helping to fix security vulnerabilities in their products. Brett has released numerous whitepapers and technical postings related to security issues and has spoken at security conferences both locally and overseas, including BlackHat, Defcon, Syscan, Kiwicon, Ruxcon, and the invitation only Microsoft internal security conference called BlueHat.

==Graeme Neilson / Kirk Jackson - Aura Software Security / Xero - Tales from the Crypt0==

Does the thought of SSL, HTTPS and S/MIME make you squeamish?
Does PKI make you want to scream?
Does encrypting data at rest make you want to bury yourself alive?

Cryptography is an important part of most web applications these days,
and developers and admins need to understand how, why and when to
employ the best and appropriate techniques to secure their servers,
applications, data and the livelihoods of their users.

Join Graeme Neilson (Aura Software Security) and Kirk Jackson (Xero)
for a series of scary stories in "Tales from the Crypt0".

<b>Graeme Neilson</b>

Graeme Neilson is lead security researcher at Aura Software Security,
a security consultancy based in Wellington with clients across the globe.

<b>Kirk Jackson</b>

Kirk Jackson is a developer at Xero, makers of the world's easiest
accounting system.

==Quintin Russ / Mike Jager - SiteHost / Web Drive - Hosting and Web Apps - The Obscurity of Security==

The security of web applications has traditionally been considered to be
the problem of the company whose servers they were hosted upon. However,
while you can outsource the hosting of web apps, you cannot outsource
the responsibility of ensuring that those apps are secure. Mike and
Quintin set aside their corporate rivalry to demonstrate the gap between
the way things are and the way things should be.

<b>Quintin Russ</b>

Quintin has carved out his own niche in the .nz hosting industry, having
spent a large proportion of the last few years becoming an expert in
both building and defending systems. He now runs enough infrastructure
to ensure he never, ever gets a good night's sleep, and sometimes
doesn't even get to snooze through Sunday mornings. Quintin has a keen
interest in security, especially as it relates to web hosting. This has
ranged from the vicissitudes of shared hosting to code reviews of
popular blogging applications. He has previously presented at ISIG and
Kiwicon 2009.

<b>Mike Jager</b>

Since his arrival at Web Drive in 2004, Mike has been sticking his
fingers into the wall sockets of web hosting. Currently, he herds
packets, mutters at clouds, and sneaks up on web applications, tricking
them into scaling horizontally when they least expect it. Mike holds a
BE in Computer Systems Engineering from the University of Auckland, and
has been spotted presenting recently at NZNOG, APRICOT and the
occasional ISIG meeting.

==Roberto Suggi Liverani - Security-Assessment.com - Defending Against Application Level DoS Attacks==

Secure code practices, system hardening, due diligence and due care principles are paramount in mitigating application level DoS attacks.
These attacks often result in significant damage against unprepared and vulnerable organisations.

The intent of this talk is to help organisations in strengthening their security posture against such attacks. The talk will explore most common application level DoS attacks and will provide recommendations for protecting applications, detecting attacks and how to react under stressful conditions.

<b>Roberto Suggi Liverani</b>

Roberto Suggi Liverani is a senior security consultant for Security-Assessment.com. He is the founder and
leader of the OWASP (Open Web Application Security Project) in New Zealand. Roberto has worked with
companies such as Google, Adobe and Opera by reporting and helping to fix security vulnerabilities in their
products. Roberto is the co-author of the most recent OWASP Testing Guide and has spoken at various
security conferences around the globe.

<br><br>
<b>Please note that CFP is now closed.</b>

====Call For Sponsorships (CLOSED)====

The aims of OWASP - New Zealand community is to guarantee access to the conference for free in order to allow for wide participation and empower the community itself. As so the OWASP - New Zealand community encourages Industries, Research Institutions and Individuals to sponsor their activities and events.

Three types of sponsorships are available:
<br><br>
* <b>Support Sponsorships</b>: n/a - company covers expenses for international speaker / media company that provides article/coverage on the event

- Publication of the sponsor logo on the event web site.
<br><br>
* <b>Silver sponsorship</b>: 1500 NZD

- The publication of the sponsor logo in the event site, in the agenda, on the flyers, brochure and in all the official communications with the attendees at the conference.<br>
<br>
* <b>Gold Sponsorship</b>: 3500 NZD

- Publication of the sponsor logo on the event web site;<br>
- Publication of the sponsor logo on the OWASP New Zealand Chapter page;<br>
- The publication of the sponsor logo in the event site, in the agenda, on the flyers, brochure and in all the official communications with the attendees at the conference;<br>
- The possibility to distribute the company brochures, CDs or other materials to the participants during the event;<br>
- Sponsor dedicated space at the conference (sponsor booth) to show products/services to the attendees during coffee breaks, lunch and snack breaks.<br>
<br>
Those who are interested in sponsoring OWASP New Zealand 2010 Conference can contact the [mailto:robertosl@owasp.org OWASP New Zealand Board].<br>
Sponsors can also make us of the following PayPal button to make payments. Donations are also more than welcome from the NZ community.

<table width="100%" border="2" cellspacing="0" cellpadding="0">
<tr>
<td bordercolor="#FF6600" bgcolor="#FFFFFF" valign="top"><div align="center"><paypal>OWASP New Zealand Day 2010</paypal></div></td>
</tr>
</table>

====Call for Paper (CLOSED) and review process====

OWASP solicit contributions on the above topics, or general matters of interest to the community. Those who are interested in participating as speakers to the conference can submit an abstract of the speech to the [mailto:robertosl@owasp.org OWASP New Zealand Board].<br>
The email subject must be “OWASP New Zealand 2010: CFP” and the email body must contains the following information/sections:

* Name and Surname
* Affiliation
* Address
* Telephone number
* Email address
* List of the author’s previous papers/articles/speeches on the same topics
* Title of the contribution
* Type of contribution: Technical or Informative
* Abstract (max one A4 style page)
* Why the contribution is relevant for OWASP New Zealand 2010
* If you are not from New Zealand, will your company support your expenses - Yes/No

The submission will be reviewed by the OWASP New Zealand Board and the most interesting ones will be selected and invited for presentation.

Due to limited budget available, expenses for international speakers cannot be covered.
If your company is willing to cover travel and accomodation costs, the company will become "Support Sponsor" of the event.

====Conference====

==Conference Venue==

The University of Auckland Business School<br>
Owen G Glenn Building<br>
Room: OGGB 260-073 (OGGB4)<br>
Address: 12 Grafton Road<br>
Auckland<br>
New Zealand<br>
[http://maps.google.com/maps?oe=UTF-8&ie=UTF8&q=auckland+business+school&fb=1&split=1&cid=0,0,12303692579639430581&ei=6WeqSZr_OZLFkAWR--zbDQ&ll=-36.852308,174.770916&spn=0.01056,0.020621&z=16&iwloc=A Map]<br>
<center>[[Image:Auckland_business_school_small2.jpg]] [[Image:Room_hall.jpg]]</center>

==Topics==

The OWASP Days have always offered a forum for discussion and exchange of ideas among researchers and practitioners who present their experiences and discuss issues related to Web Application Security from a higher level to a technical point of view.

Conference topics include, but are not limited to:

* OWASP Project presentation (i.e Tool Updates/Project Status etc);
* Threat modelling of web applications;
* Privacy concerns with applications and data storage;
* Vulnerability analysis of web applications (code review, pentest, static analysis, scanning);
* Baseline or metrics for web application security;
* Countermeasures for web application vulnerabilities;
* Web application security;
* Platform or language (e.g. Java, .NET) security features that help secure web applications;
* Secure application development;
* How to use databases securely in web applications;
* Security of Service Oriented Architectures;
* Access control in web applications;
* Web services security;
* Browser security;
* PCI.

===Conference structure and schedule===

OWASP New Zealand Day 2010 will be all day Conference. The conference aims to provide a workshop-like atmosphere in which contributions can be presented and then time is allowed for constructive discussion of their results and processes. It will be structured in a single stream. During the conference two coffee breaks (one in the morning and one in the afternoon) and the lunch are in program. These might be offered by the sponsors. The detailed agenda of the conference will be available on the web site before the event.

====Conference dates====

* CFP close: 30th June 2010
* Contributions submission deadline: 10th July 2010
* Registration deadline: 30th June 2010
* Conference Agenda due: 2nd July 2010
* Conference date: 15th July 2010

====Conference Committee====

'''OWASP New Zealand Day 2010 Organising Committee:'''

* Roberto Suggi Liverani – OWASP New Zealand Leader
* Rob Munro – OWASP New Zealand Evangelist
* Lech Janczewski - Associate Professor - University of Auckland

<headertabs/>

==Conference Sponsors==
<table width="100%" border="0" cellspacing="1" cellpadding="1">
<tr>
<td valign="bottom" width="50%"><center>[http://www.auckland.ac.nz/ https://www.owasp.org/images/8/82/University_of_Auckland_crest_small.png]</center></td>
<td valign="bottom" width="50%"><center>[http://www.security.org.nz/NZISF_NZISForumContent.php https://www.owasp.org/images/5/5a/Nz_information_security_forum.png]</center></td>
</tr>
<tr>
<td valign="top" width="50%"><center>ICT and Department of Information Systems and Operations Management</center></td>
<td valign="top" width="50%"> </td>
</tr>
</table>

'''Gold Sponsors:'''
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td><center>[http://www.security-assessment.com https://www.owasp.org/images/a/a4/Security-assessment_com.jpeg]</center></td>
<td> </td>
<td> </td>
<td> </td>
</tr>
<tr>
<td><center>[http://www.security-assessment.com www.security-assessment.com]</center></td>
<td> </td>
<td> </td>
<td> </td>
</tr>
</table>

'''Silver Sponsors:'''
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td><center>[http://www.lateralsecurity.com/ https://www.owasp.org/images/f/f4/Lateral_security.jpeg]</center></td>
<td> </td>
<td> </td>
<td> </td>
</tr>
<tr>
<td><center>[http://www.lateralsecurity.com/ www.lateralsecurity.com]</center></td>
<td> </td>
<td> </td>
<td> </td>
</tr>
</table>

'''Support Sponsors:'''
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td><center>[http://www.techday.co.nz/netguide/ http://www.owasp.org/images/1/1d/Netguide-logo.png]</center></td>
<td> </td>
<td> </td>
<td> </td>
</tr>
<tr>
<td><center>[http://www.techday.co.nz/netguide/ www.techday.co.nz/netguide]</center></td>
<td> </td>
<td> </td>
<td> </td>
</tr>

</table>

[[Category:OWASP AppSec Conference]]

OWASP New Zealand Day 2010

2010-07-19T22:52:15Z

Rsl81: /* Introduction */

__NOTOC__
====Introduction====

<center>'''OWASP New Zealand Day 2010<br>15th July - Auckland'''

[https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2010 http://www.owasp.org/images/a/a7/Owasp_nz_day_2010.jpg]<br><br>
</center>
----

= Introduction =

Following the success of the [http://www.owasp.org/index.php/OWASP_New_Zealand_Day_2009 OWASP New Zealand 2009] security conference which attracted more than 150 attendees, the [http://www.owasp.org/index.php/New_Zealand OWASP New Zealand Chapter] decided to organise the <b>OWASP New Zealand Day 2010</b>. The event was held on the <b>15th July 2010</b> in <b>Auckland</b> and was a great conference day. The event gathered an audience of 160 delegates including security professionals, developers, managers and students.<br>
For those people who missed the event or are interested in the conference material, some of the [http://www.owasp.org/index.php/OWASP_New_Zealand_Day_2010#tab=Presentations presentations] have been published and can be downloaded from the presentations page.<br>
For any comments, feedback or observations, please don't hesitate to contact [mailto:robertosl@owasp.org us].<br>
Again, big thanks to the sponsors Security-Assessment.com and Lateral Security, the speakers and the conference committee for their contributions and support to the organisation of the event.

==Blog/Coverage==

Some blog coverage from Kirk Jackson:
[http://pageofwords.com/blog/CategoryView,category,OWASP.aspx http://pageofwords.com/blog/CategoryView,category,OWASP.aspx]

====Presentations====

<center>
<table width="80%" class="t">
<tr>
<td width="7%" class="tcell3" valign="top"><div align="right">08:30</div></td>
<td bgcolor="#8595C2" class="tcell3"> <div align="left">Registration
</div></td>
</tr>
<tr>

<td class="tcell2" valign="top"><div align="right">09:00</div></td>
<td bgcolor="#eeeeee" class="tcell"><div align="center"><b>Welcome to OWASP New Zealand Day 2010</b><br />
<em>Roberto Suggi Liverani / Lech Janczewski - Security-Assessment.com / The University of Auckland</em></div></td>
</tr>
<tr>
<td class="tcell2" valign="top"><div align="right">09:15</div></td>
<td bgcolor="#b9c2dc" class="tcell"><div align="center"><b>Don't Try This At Home</b><br/>
<em>Brett Moore - Insomnia Security</em></div></td>
</tr>

<tr>
<td class="tcell2" valign="top"><div align="right">9:50</div></td>
<td bgcolor="#EEEEEE" class="tcell"><div align="center"><b>[http://www.owasp.org/images/0/04/Roberto_Suggi_Liverani_OWASPNZDAY2010-Defending_against_application_DoS.pdf Defending Against Application Level DoS Attacks]</b> - pdf<br/>
<em>Roberto Suggi Liverani - Security-Assessment.com</em></div></td>
</tr>
<tr>
<td class="tcell2" valign="top"><div align="right">10:40</div></td>
<td bgcolor="#D98B66" class="tcell"><div align="left">Coffee Break<br />
<br />
</div></td>
</tr>
<tr>
<td class="tcell2" valign="top"><div align="right">11:10</div></td>
<td bgcolor="#B9C2DC" class="tcell"><div align="center"><b>"Oh F#!K": What To Do When You Get Pwned</b><br/>
<em>Paul Craig – Security-Assessment.com</em></div></td>
</tr>
<tr>
<td class="tcell3" valign="top"><div align="right">12:00</div></td>
<td bgcolor="#D98B66" class="tcell3"><div align="left">Lunch Break<br />
<br />
<br />
</div></td>
</tr>
<tr>
<td class="tcell2" valign="top"><div align="right">13:30</div></td>
<td bgcolor="#EEEEEE" class="tcell"><div align="center"><b>Low Scuttling Chilli Crab:Network Recon 2010AD **</b><br />
<em>Metlstorm</em></div></td>
</tr>
<tr>
<td class="tcell2" valign="top"><div align="right">14:15</div></td>
<td bgcolor="#B9C2DC" class="tcell"><div align="center"><b>[http://www.owasp.org/images/c/cc/Tales-of-the-crypto.pdf Tales from the Crypt0]</b> - pdf<br/>
<em>Graeme Neilson / Kirk Jackson - Aura Software Security / Xero</em></div></td>
</tr>
<tr>
<td class="tcell2" valign="top"><div align="right">15:00</div></td>
<td bgcolor="#D98B66" class="tcell">Snackie Break<br />
<br /></td>
</tr>
<tr>
<td class="tcell2" valign="top"><div align="right">15:30</div></td>
<td bgcolor="#EEEEEE" class="tcell"><div align="center"><b>[http://www.owasp.org/images/4/49/Hosting-and-web-apps.pdf Hosting and Web Apps - The Obscurity of Security]</b> - pdf<br/>
<em>Quintin Russ / Mike Jager - SiteHost / Web Drive</em></div></td>
</tr>

<tr>
<td class="tcell2" valign="top"><div align="right">16:15</div></td>
<td bgcolor="#B9C2DC" class="tcell"><div align="center"><b>The Ramblings of an ex-QSA</b><br />
<em>Dean Carter</em></div></td>
</tr>
<tr>
<td class="tcell2" valign="top"><div align="right">17:00</div></td>
<td bgcolor="#B5B5B5" class="tcell"><div align="left">Panel Discussion/Conclusion<br />
<br />
</div></td>
</tr>

</table>
</center>
<b>**</b> <i>replaced Scott Bell's "Web Application Vulnerabilities: How far does the rabbit hole go?" talk.</i>

====Speakers====

==Low Scuttling Chilli Crab:NETWORK RECON 2010AD **==

Network reconnaissance is an art as old as hacking, but the days of dumpster diving and fingering your away around the 'net are long in our past. In the world of Google, Wolfram|Alpha and Shodan, target acquisition is king: there's a new exploit every day, who's going down after you've finished your first cup of coffee tomorrow?

In this presentation, Metlstorm examines the practicality, implementation and effect of datamining country-scale network targeting databases. Building on the experience of spending the previous year mapping the New Zealand internet for his Kiwicon 2009 talk "Do Your Fruit Hang Low", Metlstorm deploys the Low Hanging Kiwifruit toolchain against its newest target: Singapore.

So, Singapore, are your networks open? How many open DSL routers are there in Singapore? Which ISP has their blade switches open for you to telnet to? Just how useful is it to full text search every SSL certificate name, 302 Redirect target and DNS entry?

<b>Metlstorm</b>

Metlstorm is an independent unix hacker from New Zealand, where he milks both sheep and hobbits. In the brief gaps in this bucolic schedule, he finds time to organise Kiwicon - the NZ hacker con, co-host the award-winning Risky.biz weekly infosec podcast and hold down a day job as a whitehat security consultant. In true sellout style, Metl has worked the floor at Blackhat, Defcon, Kiwicon & Ruxcon, achieving minor notoriety at the latter for being the only speaker ever punched out by a member of the audience at the end of his talk. Metlstorm loves bugs that are features, carrier networks and "enterprise" unix software, because we all know that "enterprise" means "the 80s called, they want their long environment variables back".

- <i>replaced Scott Bell's "Web Application Vulnerabilities: How far does the rabbit hole go?" talk</i>.

==Dean Carter - The Ramblings of an ex-QSA==

As a QSA there were a bunch of things Dean was forbidden from discussing.

As an ex QSA some of these matters will remain firmly sequestered inside his kimono - but others things, more general things, can now be shared.

Dean has 30 minutes worth of handy tips, hints, lessons and some brickbats relating to PCI and secure system development that he can now share with the community.

<b>Dean Carter</b>

Dean still remembers the day he first heard about the PCI DSS - he then spent several years trying to convince everyone that the PCI DSS was the bestest thing since the Beatles… not many people listened… they had projects to finish and settings to tweak…

Then Dean joined Security-Assessment.com and became a QSA (PCI power-up!)… people listened! Organisations even paid to listen! A few organisations went so far as to demonstrate their security posture to Dean The QSA. In return he signed their Reports on Compliance. Most made great progress towards compliance… while some simply went in political circles and denied the need to make any effort.

Two years on Dean, the ex-QSA, now works for financial institution where, in between other tasks, he regularly sticks his nose into PCI matters and still firmly believes that the PCI DSS is a positive thing.

==Paul Craig – Security-Assessment.com - "Oh F#!K" : What To Do When You Get Pwned==

If your company’s website were hacked tomorrow, would you know what to do?
Forensics is not what you see on CSI, and most people have no idea what they should do in the event of a compromise. What is an appropriate incident response for a company, what do you say to your CEO, when do you involve law enforcement? Do you attempt to solve the forensic case yourself; keeping in mind any action you take may directly affect the evidence, or compromise legal judicial requirements.
This presentation will demonstrate the forensic process for a compromised website, and what an organization should do when they find out they have been compromised. I will use case studies from previous incidents and demonstrate what you should and shouldn’t do when you get pwned.

<b>Paul Craig</b>

My name is Paul Craig, I work as the lead forensic incident responder at Security-Assessment.com and I work with many New Zealand companies who have been compromised. From small websites to large corporations and government agencies, our nation is regularly being defaced and defrauded. IT Forensics is here to pick up the pieces, and it’s my job to spend long nights trying to provide answers to businesses regarding what really happened.

==Brett Moore - Insomnia Security - "Don't Try This At Home"==

During source code and application reviews a number of common issues are
often seen. Developers making the same mistakes time and time again. There
are also those 'unique' issues that only come up once in a while, when
people handroll their own methods to solve a particular problem.

Over the course of this talk, the speaker will explain and describe a number
of issues that he has seen over the last 24 months in locally developed
code. This is an opportunity to see what local developers are doing wrong,
and why you shouldn't try this at home.

<b>Brett Moore</b>

Having conducted vulnerability assessments, network reviews, and penetration tests for the majority of the large companies in New Zealand, Insomnia founder Brett Moore brings with him over eight years experience in information security. During this time, Brett has also worked with companies such as SUN Microsystems, Skype Limited and Microsoft Corporation by reporting and helping to fix security vulnerabilities in their products. Brett has released numerous whitepapers and technical postings related to security issues and has spoken at security conferences both locally and overseas, including BlackHat, Defcon, Syscan, Kiwicon, Ruxcon, and the invitation only Microsoft internal security conference called BlueHat.

==Graeme Neilson / Kirk Jackson - Aura Software Security / Xero - Tales from the Crypt0==

Does the thought of SSL, HTTPS and S/MIME make you squeamish?
Does PKI make you want to scream?
Does encrypting data at rest make you want to bury yourself alive?

Cryptography is an important part of most web applications these days,
and developers and admins need to understand how, why and when to
employ the best and appropriate techniques to secure their servers,
applications, data and the livelihoods of their users.

Join Graeme Neilson (Aura Software Security) and Kirk Jackson (Xero)
for a series of scary stories in "Tales from the Crypt0".

<b>Graeme Neilson</b>

Graeme Neilson is lead security researcher at Aura Software Security,
a security consultancy based in Wellington with clients across the globe.

<b>Kirk Jackson</b>

Kirk Jackson is a developer at Xero, makers of the world's easiest
accounting system.

==Quintin Russ / Mike Jager - SiteHost / Web Drive - Hosting and Web Apps - The Obscurity of Security==

The security of web applications has traditionally been considered to be
the problem of the company whose servers they were hosted upon. However,
while you can outsource the hosting of web apps, you cannot outsource
the responsibility of ensuring that those apps are secure. Mike and
Quintin set aside their corporate rivalry to demonstrate the gap between
the way things are and the way things should be.

<b>Quintin Russ</b>

Quintin has carved out his own niche in the .nz hosting industry, having
spent a large proportion of the last few years becoming an expert in
both building and defending systems. He now runs enough infrastructure
to ensure he never, ever gets a good night's sleep, and sometimes
doesn't even get to snooze through Sunday mornings. Quintin has a keen
interest in security, especially as it relates to web hosting. This has
ranged from the vicissitudes of shared hosting to code reviews of
popular blogging applications. He has previously presented at ISIG and
Kiwicon 2009.

<b>Mike Jager</b>

Since his arrival at Web Drive in 2004, Mike has been sticking his
fingers into the wall sockets of web hosting. Currently, he herds
packets, mutters at clouds, and sneaks up on web applications, tricking
them into scaling horizontally when they least expect it. Mike holds a
BE in Computer Systems Engineering from the University of Auckland, and
has been spotted presenting recently at NZNOG, APRICOT and the
occasional ISIG meeting.

==Roberto Suggi Liverani - Security-Assessment.com - Defending Against Application Level DoS Attacks==

Secure code practices, system hardening, due diligence and due care principles are paramount in mitigating application level DoS attacks.
These attacks often result in significant damage against unprepared and vulnerable organisations.

The intent of this talk is to help organisations in strengthening their security posture against such attacks. The talk will explore most common application level DoS attacks and will provide recommendations for protecting applications, detecting attacks and how to react under stressful conditions.

<b>Roberto Suggi Liverani</b>

Roberto Suggi Liverani is a senior security consultant for Security-Assessment.com. He is the founder and
leader of the OWASP (Open Web Application Security Project) in New Zealand. Roberto has worked with
companies such as Google, Adobe and Opera by reporting and helping to fix security vulnerabilities in their
products. Roberto is the co-author of the most recent OWASP Testing Guide and has spoken at various
security conferences around the globe.

<br><br>
<b>Please note that CFP is now closed.</b>

====Call For Sponsorships (CLOSED)====

The aims of OWASP - New Zealand community is to guarantee access to the conference for free in order to allow for wide participation and empower the community itself. As so the OWASP - New Zealand community encourages Industries, Research Institutions and Individuals to sponsor their activities and events.

Three types of sponsorships are available:
<br><br>
* <b>Support Sponsorships</b>: n/a - company covers expenses for international speaker / media company that provides article/coverage on the event

- Publication of the sponsor logo on the event web site.
<br><br>
* <b>Silver sponsorship</b>: 1500 NZD

- The publication of the sponsor logo in the event site, in the agenda, on the flyers, brochure and in all the official communications with the attendees at the conference.<br>
<br>
* <b>Gold Sponsorship</b>: 3500 NZD

- Publication of the sponsor logo on the event web site;<br>
- Publication of the sponsor logo on the OWASP New Zealand Chapter page;<br>
- The publication of the sponsor logo in the event site, in the agenda, on the flyers, brochure and in all the official communications with the attendees at the conference;<br>
- The possibility to distribute the company brochures, CDs or other materials to the participants during the event;<br>
- Sponsor dedicated space at the conference (sponsor booth) to show products/services to the attendees during coffee breaks, lunch and snack breaks.<br>
<br>
Those who are interested in sponsoring OWASP New Zealand 2010 Conference can contact the [mailto:robertosl@owasp.org OWASP New Zealand Board].<br>
Sponsors can also make us of the following PayPal button to make payments. Donations are also more than welcome from the NZ community.

<table width="100%" border="2" cellspacing="0" cellpadding="0">
<tr>
<td bordercolor="#FF6600" bgcolor="#FFFFFF" valign="top"><div align="center"><paypal>OWASP New Zealand Day 2010</paypal></div></td>
</tr>
</table>

====Call for Paper (CLOSED) and review process====

OWASP solicit contributions on the above topics, or general matters of interest to the community. Those who are interested in participating as speakers to the conference can submit an abstract of the speech to the [mailto:robertosl@owasp.org OWASP New Zealand Board].<br>
The email subject must be “OWASP New Zealand 2010: CFP” and the email body must contains the following information/sections:

* Name and Surname
* Affiliation
* Address
* Telephone number
* Email address
* List of the author’s previous papers/articles/speeches on the same topics
* Title of the contribution
* Type of contribution: Technical or Informative
* Abstract (max one A4 style page)
* Why the contribution is relevant for OWASP New Zealand 2010
* If you are not from New Zealand, will your company support your expenses - Yes/No

The submission will be reviewed by the OWASP New Zealand Board and the most interesting ones will be selected and invited for presentation.

Due to limited budget available, expenses for international speakers cannot be covered.
If your company is willing to cover travel and accomodation costs, the company will become "Support Sponsor" of the event.

====Conference====

==Conference Venue==

The University of Auckland Business School<br>
Owen G Glenn Building<br>
Room: OGGB 260-073 (OGGB4)<br>
Address: 12 Grafton Road<br>
Auckland<br>
New Zealand<br>
[http://maps.google.com/maps?oe=UTF-8&ie=UTF8&q=auckland+business+school&fb=1&split=1&cid=0,0,12303692579639430581&ei=6WeqSZr_OZLFkAWR--zbDQ&ll=-36.852308,174.770916&spn=0.01056,0.020621&z=16&iwloc=A Map]<br>
<center>[[Image:Auckland_business_school_small2.jpg]] [[Image:Room_hall.jpg]]</center>

==Topics==

The OWASP Days have always offered a forum for discussion and exchange of ideas among researchers and practitioners who present their experiences and discuss issues related to Web Application Security from a higher level to a technical point of view.

Conference topics include, but are not limited to:

* OWASP Project presentation (i.e Tool Updates/Project Status etc);
* Threat modelling of web applications;
* Privacy concerns with applications and data storage;
* Vulnerability analysis of web applications (code review, pentest, static analysis, scanning);
* Baseline or metrics for web application security;
* Countermeasures for web application vulnerabilities;
* Web application security;
* Platform or language (e.g. Java, .NET) security features that help secure web applications;
* Secure application development;
* How to use databases securely in web applications;
* Security of Service Oriented Architectures;
* Access control in web applications;
* Web services security;
* Browser security;
* PCI.

===Conference structure and schedule===

OWASP New Zealand Day 2010 will be all day Conference. The conference aims to provide a workshop-like atmosphere in which contributions can be presented and then time is allowed for constructive discussion of their results and processes. It will be structured in a single stream. During the conference two coffee breaks (one in the morning and one in the afternoon) and the lunch are in program. These might be offered by the sponsors. The detailed agenda of the conference will be available on the web site before the event.

====Conference dates====

* CFP close: 30th June 2010
* Contributions submission deadline: 10th July 2010
* Registration deadline: 30th June 2010
* Conference Agenda due: 2nd July 2010
* Conference date: 15th July 2010

====Conference Committee====

'''OWASP New Zealand Day 2010 Organising Committee:'''

* Roberto Suggi Liverani – OWASP New Zealand Leader
* Rob Munro – OWASP New Zealand Evangelist
* Lech Janczewski - Associate Professor - University of Auckland

<headertabs/>

==Conference Sponsors==
<table width="100%" border="0" cellspacing="1" cellpadding="1">
<tr>
<td valign="bottom" width="50%"><center>[http://www.auckland.ac.nz/ https://www.owasp.org/images/8/82/University_of_Auckland_crest_small.png]</center></td>
<td valign="bottom" width="50%"><center>[http://www.security.org.nz/NZISF_NZISForumContent.php https://www.owasp.org/images/5/5a/Nz_information_security_forum.png]</center></td>
</tr>
<tr>
<td valign="top" width="50%"><center>ICT and Department of Information Systems and Operations Management</center></td>
<td valign="top" width="50%"> </td>
</tr>
</table>

'''Gold Sponsors:'''
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td><center>[http://www.security-assessment.com https://www.owasp.org/images/a/a4/Security-assessment_com.jpeg]</center></td>
<td> </td>
<td> </td>
<td> </td>
</tr>
<tr>
<td><center>[http://www.security-assessment.com www.security-assessment.com]</center></td>
<td> </td>
<td> </td>
<td> </td>
</tr>
</table>

'''Silver Sponsors:'''
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td><center>[http://www.lateralsecurity.com/ https://www.owasp.org/images/f/f4/Lateral_security.jpeg]</center></td>
<td> </td>
<td> </td>
<td> </td>
</tr>
<tr>
<td><center>[http://www.lateralsecurity.com/ www.lateralsecurity.com]</center></td>
<td> </td>
<td> </td>
<td> </td>
</tr>
</table>

'''Support Sponsors:'''
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td><center>[http://www.techday.co.nz/netguide/ http://www.owasp.org/images/1/1d/Netguide-logo.png]</center></td>
<td> </td>
<td> </td>
<td> </td>
</tr>
<tr>
<td><center>[http://www.techday.co.nz/netguide/ www.techday.co.nz/netguide]</center></td>
<td> </td>
<td> </td>
<td> </td>
</tr>

</table>

[[Category:OWASP AppSec Conference]]

OWASP New Zealand Day 2010

2010-07-19T22:51:18Z

Rsl81:

__NOTOC__
====Introduction====

<center>'''OWASP New Zealand Day 2010<br>15th July - Auckland'''

[https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2010 http://www.owasp.org/images/a/a7/Owasp_nz_day_2010.jpg]<br><br>
</center>
----

= Introduction =

Following the success of the [http://www.owasp.org/index.php/OWASP_New_Zealand_Day_2009 OWASP New Zealand 2009] security conference which attracted more than 150 attendees, the [http://www.owasp.org/index.php/New_Zealand OWASP New Zealand Chapter] decided to organise the <b>OWASP New Zealand Day 2010</b>. The event was held on the <b>15th July 2010</b> in <b>Auckland</b> and was a great conference day. The event gathered an audience of 160 delegates including security professionals, developers, managers and students.<br>
For those people who missed the event or are interested in the conference material, the [http://www.owasp.org/index.php/OWASP_New_Zealand_Day_2010#tab=Presentations presentations] have been published and can be downloaded from the presentations page.<br>
For any comments, feedback or observations, please don't hesitate to contact [mailto:robertosl@owasp.org us].<br>
Again, big thanks to the sponsors Security-Assessment.com and Lateral Security, the speakers and the conference committee for their contributions and support to the organisation of the event.

==Blog/Coverage==

Some blog coverage from Kirk Jackson:
[http://pageofwords.com/blog/CategoryView,category,OWASP.aspx http://pageofwords.com/blog/CategoryView,category,OWASP.aspx]

====Presentations====

<center>
<table width="80%" class="t">
<tr>
<td width="7%" class="tcell3" valign="top"><div align="right">08:30</div></td>
<td bgcolor="#8595C2" class="tcell3"> <div align="left">Registration
</div></td>
</tr>
<tr>

<td class="tcell2" valign="top"><div align="right">09:00</div></td>
<td bgcolor="#eeeeee" class="tcell"><div align="center"><b>Welcome to OWASP New Zealand Day 2010</b><br />
<em>Roberto Suggi Liverani / Lech Janczewski - Security-Assessment.com / The University of Auckland</em></div></td>
</tr>
<tr>
<td class="tcell2" valign="top"><div align="right">09:15</div></td>
<td bgcolor="#b9c2dc" class="tcell"><div align="center"><b>Don't Try This At Home</b><br/>
<em>Brett Moore - Insomnia Security</em></div></td>
</tr>

<tr>
<td class="tcell2" valign="top"><div align="right">9:50</div></td>
<td bgcolor="#EEEEEE" class="tcell"><div align="center"><b>[http://www.owasp.org/images/0/04/Roberto_Suggi_Liverani_OWASPNZDAY2010-Defending_against_application_DoS.pdf Defending Against Application Level DoS Attacks]</b> - pdf<br/>
<em>Roberto Suggi Liverani - Security-Assessment.com</em></div></td>
</tr>
<tr>
<td class="tcell2" valign="top"><div align="right">10:40</div></td>
<td bgcolor="#D98B66" class="tcell"><div align="left">Coffee Break<br />
<br />
</div></td>
</tr>
<tr>
<td class="tcell2" valign="top"><div align="right">11:10</div></td>
<td bgcolor="#B9C2DC" class="tcell"><div align="center"><b>"Oh F#!K": What To Do When You Get Pwned</b><br/>
<em>Paul Craig – Security-Assessment.com</em></div></td>
</tr>
<tr>
<td class="tcell3" valign="top"><div align="right">12:00</div></td>
<td bgcolor="#D98B66" class="tcell3"><div align="left">Lunch Break<br />
<br />
<br />
</div></td>
</tr>
<tr>
<td class="tcell2" valign="top"><div align="right">13:30</div></td>
<td bgcolor="#EEEEEE" class="tcell"><div align="center"><b>Low Scuttling Chilli Crab:Network Recon 2010AD **</b><br />
<em>Metlstorm</em></div></td>
</tr>
<tr>
<td class="tcell2" valign="top"><div align="right">14:15</div></td>
<td bgcolor="#B9C2DC" class="tcell"><div align="center"><b>[http://www.owasp.org/images/c/cc/Tales-of-the-crypto.pdf Tales from the Crypt0]</b> - pdf<br/>
<em>Graeme Neilson / Kirk Jackson - Aura Software Security / Xero</em></div></td>
</tr>
<tr>
<td class="tcell2" valign="top"><div align="right">15:00</div></td>
<td bgcolor="#D98B66" class="tcell">Snackie Break<br />
<br /></td>
</tr>
<tr>
<td class="tcell2" valign="top"><div align="right">15:30</div></td>
<td bgcolor="#EEEEEE" class="tcell"><div align="center"><b>[http://www.owasp.org/images/4/49/Hosting-and-web-apps.pdf Hosting and Web Apps - The Obscurity of Security]</b> - pdf<br/>
<em>Quintin Russ / Mike Jager - SiteHost / Web Drive</em></div></td>
</tr>

<tr>
<td class="tcell2" valign="top"><div align="right">16:15</div></td>
<td bgcolor="#B9C2DC" class="tcell"><div align="center"><b>The Ramblings of an ex-QSA</b><br />
<em>Dean Carter</em></div></td>
</tr>
<tr>
<td class="tcell2" valign="top"><div align="right">17:00</div></td>
<td bgcolor="#B5B5B5" class="tcell"><div align="left">Panel Discussion/Conclusion<br />
<br />
</div></td>
</tr>

</table>
</center>
<b>**</b> <i>replaced Scott Bell's "Web Application Vulnerabilities: How far does the rabbit hole go?" talk.</i>

====Speakers====

==Low Scuttling Chilli Crab:NETWORK RECON 2010AD **==

Network reconnaissance is an art as old as hacking, but the days of dumpster diving and fingering your away around the 'net are long in our past. In the world of Google, Wolfram|Alpha and Shodan, target acquisition is king: there's a new exploit every day, who's going down after you've finished your first cup of coffee tomorrow?

In this presentation, Metlstorm examines the practicality, implementation and effect of datamining country-scale network targeting databases. Building on the experience of spending the previous year mapping the New Zealand internet for his Kiwicon 2009 talk "Do Your Fruit Hang Low", Metlstorm deploys the Low Hanging Kiwifruit toolchain against its newest target: Singapore.

So, Singapore, are your networks open? How many open DSL routers are there in Singapore? Which ISP has their blade switches open for you to telnet to? Just how useful is it to full text search every SSL certificate name, 302 Redirect target and DNS entry?

<b>Metlstorm</b>

Metlstorm is an independent unix hacker from New Zealand, where he milks both sheep and hobbits. In the brief gaps in this bucolic schedule, he finds time to organise Kiwicon - the NZ hacker con, co-host the award-winning Risky.biz weekly infosec podcast and hold down a day job as a whitehat security consultant. In true sellout style, Metl has worked the floor at Blackhat, Defcon, Kiwicon & Ruxcon, achieving minor notoriety at the latter for being the only speaker ever punched out by a member of the audience at the end of his talk. Metlstorm loves bugs that are features, carrier networks and "enterprise" unix software, because we all know that "enterprise" means "the 80s called, they want their long environment variables back".

- <i>replaced Scott Bell's "Web Application Vulnerabilities: How far does the rabbit hole go?" talk</i>.

==Dean Carter - The Ramblings of an ex-QSA==

As a QSA there were a bunch of things Dean was forbidden from discussing.

As an ex QSA some of these matters will remain firmly sequestered inside his kimono - but others things, more general things, can now be shared.

Dean has 30 minutes worth of handy tips, hints, lessons and some brickbats relating to PCI and secure system development that he can now share with the community.

<b>Dean Carter</b>

Dean still remembers the day he first heard about the PCI DSS - he then spent several years trying to convince everyone that the PCI DSS was the bestest thing since the Beatles… not many people listened… they had projects to finish and settings to tweak…

Then Dean joined Security-Assessment.com and became a QSA (PCI power-up!)… people listened! Organisations even paid to listen! A few organisations went so far as to demonstrate their security posture to Dean The QSA. In return he signed their Reports on Compliance. Most made great progress towards compliance… while some simply went in political circles and denied the need to make any effort.

Two years on Dean, the ex-QSA, now works for financial institution where, in between other tasks, he regularly sticks his nose into PCI matters and still firmly believes that the PCI DSS is a positive thing.

==Paul Craig – Security-Assessment.com - "Oh F#!K" : What To Do When You Get Pwned==

If your company’s website were hacked tomorrow, would you know what to do?
Forensics is not what you see on CSI, and most people have no idea what they should do in the event of a compromise. What is an appropriate incident response for a company, what do you say to your CEO, when do you involve law enforcement? Do you attempt to solve the forensic case yourself; keeping in mind any action you take may directly affect the evidence, or compromise legal judicial requirements.
This presentation will demonstrate the forensic process for a compromised website, and what an organization should do when they find out they have been compromised. I will use case studies from previous incidents and demonstrate what you should and shouldn’t do when you get pwned.

<b>Paul Craig</b>

My name is Paul Craig, I work as the lead forensic incident responder at Security-Assessment.com and I work with many New Zealand companies who have been compromised. From small websites to large corporations and government agencies, our nation is regularly being defaced and defrauded. IT Forensics is here to pick up the pieces, and it’s my job to spend long nights trying to provide answers to businesses regarding what really happened.

==Brett Moore - Insomnia Security - "Don't Try This At Home"==

During source code and application reviews a number of common issues are
often seen. Developers making the same mistakes time and time again. There
are also those 'unique' issues that only come up once in a while, when
people handroll their own methods to solve a particular problem.

Over the course of this talk, the speaker will explain and describe a number
of issues that he has seen over the last 24 months in locally developed
code. This is an opportunity to see what local developers are doing wrong,
and why you shouldn't try this at home.

<b>Brett Moore</b>

Having conducted vulnerability assessments, network reviews, and penetration tests for the majority of the large companies in New Zealand, Insomnia founder Brett Moore brings with him over eight years experience in information security. During this time, Brett has also worked with companies such as SUN Microsystems, Skype Limited and Microsoft Corporation by reporting and helping to fix security vulnerabilities in their products. Brett has released numerous whitepapers and technical postings related to security issues and has spoken at security conferences both locally and overseas, including BlackHat, Defcon, Syscan, Kiwicon, Ruxcon, and the invitation only Microsoft internal security conference called BlueHat.

==Graeme Neilson / Kirk Jackson - Aura Software Security / Xero - Tales from the Crypt0==

Does the thought of SSL, HTTPS and S/MIME make you squeamish?
Does PKI make you want to scream?
Does encrypting data at rest make you want to bury yourself alive?

Cryptography is an important part of most web applications these days,
and developers and admins need to understand how, why and when to
employ the best and appropriate techniques to secure their servers,
applications, data and the livelihoods of their users.

Join Graeme Neilson (Aura Software Security) and Kirk Jackson (Xero)
for a series of scary stories in "Tales from the Crypt0".

<b>Graeme Neilson</b>

Graeme Neilson is lead security researcher at Aura Software Security,
a security consultancy based in Wellington with clients across the globe.

<b>Kirk Jackson</b>

Kirk Jackson is a developer at Xero, makers of the world's easiest
accounting system.

==Quintin Russ / Mike Jager - SiteHost / Web Drive - Hosting and Web Apps - The Obscurity of Security==

The security of web applications has traditionally been considered to be
the problem of the company whose servers they were hosted upon. However,
while you can outsource the hosting of web apps, you cannot outsource
the responsibility of ensuring that those apps are secure. Mike and
Quintin set aside their corporate rivalry to demonstrate the gap between
the way things are and the way things should be.

<b>Quintin Russ</b>

Quintin has carved out his own niche in the .nz hosting industry, having
spent a large proportion of the last few years becoming an expert in
both building and defending systems. He now runs enough infrastructure
to ensure he never, ever gets a good night's sleep, and sometimes
doesn't even get to snooze through Sunday mornings. Quintin has a keen
interest in security, especially as it relates to web hosting. This has
ranged from the vicissitudes of shared hosting to code reviews of
popular blogging applications. He has previously presented at ISIG and
Kiwicon 2009.

<b>Mike Jager</b>

Since his arrival at Web Drive in 2004, Mike has been sticking his
fingers into the wall sockets of web hosting. Currently, he herds
packets, mutters at clouds, and sneaks up on web applications, tricking
them into scaling horizontally when they least expect it. Mike holds a
BE in Computer Systems Engineering from the University of Auckland, and
has been spotted presenting recently at NZNOG, APRICOT and the
occasional ISIG meeting.

==Roberto Suggi Liverani - Security-Assessment.com - Defending Against Application Level DoS Attacks==

Secure code practices, system hardening, due diligence and due care principles are paramount in mitigating application level DoS attacks.
These attacks often result in significant damage against unprepared and vulnerable organisations.

The intent of this talk is to help organisations in strengthening their security posture against such attacks. The talk will explore most common application level DoS attacks and will provide recommendations for protecting applications, detecting attacks and how to react under stressful conditions.

<b>Roberto Suggi Liverani</b>

Roberto Suggi Liverani is a senior security consultant for Security-Assessment.com. He is the founder and
leader of the OWASP (Open Web Application Security Project) in New Zealand. Roberto has worked with
companies such as Google, Adobe and Opera by reporting and helping to fix security vulnerabilities in their
products. Roberto is the co-author of the most recent OWASP Testing Guide and has spoken at various
security conferences around the globe.

<br><br>
<b>Please note that CFP is now closed.</b>

====Call For Sponsorships (CLOSED)====

The aims of OWASP - New Zealand community is to guarantee access to the conference for free in order to allow for wide participation and empower the community itself. As so the OWASP - New Zealand community encourages Industries, Research Institutions and Individuals to sponsor their activities and events.

Three types of sponsorships are available:
<br><br>
* <b>Support Sponsorships</b>: n/a - company covers expenses for international speaker / media company that provides article/coverage on the event

- Publication of the sponsor logo on the event web site.
<br><br>
* <b>Silver sponsorship</b>: 1500 NZD

- The publication of the sponsor logo in the event site, in the agenda, on the flyers, brochure and in all the official communications with the attendees at the conference.<br>
<br>
* <b>Gold Sponsorship</b>: 3500 NZD

- Publication of the sponsor logo on the event web site;<br>
- Publication of the sponsor logo on the OWASP New Zealand Chapter page;<br>
- The publication of the sponsor logo in the event site, in the agenda, on the flyers, brochure and in all the official communications with the attendees at the conference;<br>
- The possibility to distribute the company brochures, CDs or other materials to the participants during the event;<br>
- Sponsor dedicated space at the conference (sponsor booth) to show products/services to the attendees during coffee breaks, lunch and snack breaks.<br>
<br>
Those who are interested in sponsoring OWASP New Zealand 2010 Conference can contact the [mailto:robertosl@owasp.org OWASP New Zealand Board].<br>
Sponsors can also make us of the following PayPal button to make payments. Donations are also more than welcome from the NZ community.

<table width="100%" border="2" cellspacing="0" cellpadding="0">
<tr>
<td bordercolor="#FF6600" bgcolor="#FFFFFF" valign="top"><div align="center"><paypal>OWASP New Zealand Day 2010</paypal></div></td>
</tr>
</table>

====Call for Paper (CLOSED) and review process====

OWASP solicit contributions on the above topics, or general matters of interest to the community. Those who are interested in participating as speakers to the conference can submit an abstract of the speech to the [mailto:robertosl@owasp.org OWASP New Zealand Board].<br>
The email subject must be “OWASP New Zealand 2010: CFP” and the email body must contains the following information/sections:

* Name and Surname
* Affiliation
* Address
* Telephone number
* Email address
* List of the author’s previous papers/articles/speeches on the same topics
* Title of the contribution
* Type of contribution: Technical or Informative
* Abstract (max one A4 style page)
* Why the contribution is relevant for OWASP New Zealand 2010
* If you are not from New Zealand, will your company support your expenses - Yes/No

The submission will be reviewed by the OWASP New Zealand Board and the most interesting ones will be selected and invited for presentation.

Due to limited budget available, expenses for international speakers cannot be covered.
If your company is willing to cover travel and accomodation costs, the company will become "Support Sponsor" of the event.

====Conference====

==Conference Venue==

The University of Auckland Business School<br>
Owen G Glenn Building<br>
Room: OGGB 260-073 (OGGB4)<br>
Address: 12 Grafton Road<br>
Auckland<br>
New Zealand<br>
[http://maps.google.com/maps?oe=UTF-8&ie=UTF8&q=auckland+business+school&fb=1&split=1&cid=0,0,12303692579639430581&ei=6WeqSZr_OZLFkAWR--zbDQ&ll=-36.852308,174.770916&spn=0.01056,0.020621&z=16&iwloc=A Map]<br>
<center>[[Image:Auckland_business_school_small2.jpg]] [[Image:Room_hall.jpg]]</center>

==Topics==

The OWASP Days have always offered a forum for discussion and exchange of ideas among researchers and practitioners who present their experiences and discuss issues related to Web Application Security from a higher level to a technical point of view.

Conference topics include, but are not limited to:

* OWASP Project presentation (i.e Tool Updates/Project Status etc);
* Threat modelling of web applications;
* Privacy concerns with applications and data storage;
* Vulnerability analysis of web applications (code review, pentest, static analysis, scanning);
* Baseline or metrics for web application security;
* Countermeasures for web application vulnerabilities;
* Web application security;
* Platform or language (e.g. Java, .NET) security features that help secure web applications;
* Secure application development;
* How to use databases securely in web applications;
* Security of Service Oriented Architectures;
* Access control in web applications;
* Web services security;
* Browser security;
* PCI.

===Conference structure and schedule===

OWASP New Zealand Day 2010 will be all day Conference. The conference aims to provide a workshop-like atmosphere in which contributions can be presented and then time is allowed for constructive discussion of their results and processes. It will be structured in a single stream. During the conference two coffee breaks (one in the morning and one in the afternoon) and the lunch are in program. These might be offered by the sponsors. The detailed agenda of the conference will be available on the web site before the event.

====Conference dates====

* CFP close: 30th June 2010
* Contributions submission deadline: 10th July 2010
* Registration deadline: 30th June 2010
* Conference Agenda due: 2nd July 2010
* Conference date: 15th July 2010

====Conference Committee====

'''OWASP New Zealand Day 2010 Organising Committee:'''

* Roberto Suggi Liverani – OWASP New Zealand Leader
* Rob Munro – OWASP New Zealand Evangelist
* Lech Janczewski - Associate Professor - University of Auckland

<headertabs/>

==Conference Sponsors==
<table width="100%" border="0" cellspacing="1" cellpadding="1">
<tr>
<td valign="bottom" width="50%"><center>[http://www.auckland.ac.nz/ https://www.owasp.org/images/8/82/University_of_Auckland_crest_small.png]</center></td>
<td valign="bottom" width="50%"><center>[http://www.security.org.nz/NZISF_NZISForumContent.php https://www.owasp.org/images/5/5a/Nz_information_security_forum.png]</center></td>
</tr>
<tr>
<td valign="top" width="50%"><center>ICT and Department of Information Systems and Operations Management</center></td>
<td valign="top" width="50%"> </td>
</tr>
</table>

'''Gold Sponsors:'''
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td><center>[http://www.security-assessment.com https://www.owasp.org/images/a/a4/Security-assessment_com.jpeg]</center></td>
<td> </td>
<td> </td>
<td> </td>
</tr>
<tr>
<td><center>[http://www.security-assessment.com www.security-assessment.com]</center></td>
<td> </td>
<td> </td>
<td> </td>
</tr>
</table>

'''Silver Sponsors:'''
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td><center>[http://www.lateralsecurity.com/ https://www.owasp.org/images/f/f4/Lateral_security.jpeg]</center></td>
<td> </td>
<td> </td>
<td> </td>
</tr>
<tr>
<td><center>[http://www.lateralsecurity.com/ www.lateralsecurity.com]</center></td>
<td> </td>
<td> </td>
<td> </td>
</tr>
</table>

'''Support Sponsors:'''
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td><center>[http://www.techday.co.nz/netguide/ http://www.owasp.org/images/1/1d/Netguide-logo.png]</center></td>
<td> </td>
<td> </td>
<td> </td>
</tr>
<tr>
<td><center>[http://www.techday.co.nz/netguide/ www.techday.co.nz/netguide]</center></td>
<td> </td>
<td> </td>
<td> </td>
</tr>

</table>

[[Category:OWASP AppSec Conference]]

2010-05-20T04:30:19Z

Rsl81: uploaded a new version of "File:Netguide-logo.png"