OWASP New Zealand Day 2013

Presentations

Speakers List

Tom Eastman - Catalyst IT - Serialization Formats Aren't Toys

Abstract

Do you have an API? Do you accept input from users? Do you accept it in XML? What about YAML? Or maybe JSON? How safe are you? How sure are you? It's not in the OWASP Top 10, but you don't have to look far to hear stories of security vulnerabilities involving deserialization user inputs. Why do they keep happening?

In this talk I'll go over what the threat is, how you might be making yourself vulnerable and how to mitigate the problem. I'll cover the features (not bugs, features) of formats like XML, YAML, and JSON that make them surprisingly dangerous, and how to protect your code from them.

Because here's the thing: If you are using, say, a compliant, properly implemented XML parser to parse your XML, you are NOT safe. Possibly quite the opposite.

Speaker Bio

Tom is a senior Python developer and technical lead for Catalyst IT, New Zealand's largest company specialising in open source. Prior to that he worked as a developer and system administrator for the University of Otago Faculty of Medicine and as a Computer Science tutor for same.

Paul Haas - Security-Assessment.com - Improving XPath Injection with Binary Search Optimisations

Abstract

XPath injection is technique similar to SQL injection for attacking XML processors, however many people are unaware of the technique and exploitation vectors. This talk aims to expand awareness of both the risks and remediation path in addition to the introduction of a new technique to significantly improve reconstruction speed of the backend XML document. A brief primer to XPath injection will also be covered within the talk.

Speaker Bio

Paul Haas hails from California where the waves are better but the quakes are not. With over nine years of experience in professional hacking, he is currently working with Security-Assessment.com in Wellington to bring the good word of web hacks to Kiwis everywhere. His sole hobby is driving people into Mario Kart's abyss.

Nick von Dadelszen - Lateral Security - Security Vulnerability Disclosure

Abstract

Disclosing security vulnerabilities can be a dangerous business. While there are systems in place for handling disclosures to most major software companies, the process for disclosing vulnerabilities to local organisations is a lot less discussed.

As the discloser, there is always the chance that you are accused of hacking and get a visit from the police merely for identifying an issue. As an organisation, you can find yourself on the front page of the news when someone goes public with an issue.

This talk outlines the dilemmas faced when stumbling across that SQL injection in the local shopping site and proposes mechanisms to safely get the right people told about it. It also discusses how organisations can make it more likely that security vulnerabilities are reported to them directly, rather than through the press.

Speaker Bio

Nick von Dadelszen is the technical director at Lateral Security. Nick has been performing professional penetration testing for over 12 years and has managed several successful penetration testing teams. He has worked with the majority of large corporates and Government agencies in New Zealand and is a regular presenter at OWASP and Kiwicon conferences.

Mark Piper - Insomnia Security - OWASP Top 10 Mobile Risks - An Introduction By Case Study

Abstract

As mobile application usage explodes, so does the associated application security issues. The OWASP Mobile Security Project includes an initiative to categorise and rate these issues into a top 10 format. This list is known as the Top 10 Mobile Risks.

During the session, we will introduce the current (RC1) Top 10 supported with several real world case studies of issues. We will cover how the issues were identified, how they may be exploited by attackers and what mitigation's could be implemented to resolve the issues in the future. While the issues will be largely platform agnostic, the examples will cover both iOS and Android environments.

Speaker Bio

Mark is a Principal Security Consultant with the Insomnia Security team. Mark spends his days auditing software, running penetration testing and red team engagements while working with global customers on developing new testing services.

Kirk Jackson and Andy Prow - Xero and Aura Security - Bad Smells That Lead to Bad Security

Abstract

Your job as a defender is to reduce the attack surface of your web application and protect your infrastructure and data from being breached. However we can't be involved in every decision that goes on in our organisation, and we don't always think the same as an attacker does. This talk will introduce you to some common "bad smells" that might indicate security issues lurking under the surface of your code, and help you develop your spidey sense so that you know when to raise the alarm.

Speaker Bio

Kirk is the Security Officer at Xero, and is interested in writing and defending secure web applications.

Andy Prow is an IT Security Consultant, Trainer and software developer who founded Aura back in 2001. With 19 years in the IT industry Andy has developed code for IBM, Vodafone, Telecom and Microsoft. Andy presents around the world at conferences including Microsoft's TechEd.

Kim Carter - BinaryMist - What's Our Software Doing With All That User Input

Abstract

What are we doing with all the characters that get shoved into our applications? Have we considered every potential execution context? It's often interesting and surprising to see what sort of concoction of characters can be executed in different places... and linking multiple attack vectors together which the builders haven't thought about. What are we trusting? Why are we trusting it? What, where and how should we be sanitising?

We have a vast collection of libraries, techniques, cheat sheets, tutorials, guides and tools at our disposal. I often find myself thinking... how can we commoditise the sanitisation of user input and I keep coming up with the same answer. It's not easy. Every application has a completely different set of concerns.

In order for our software to be shielded from an attack, the builders must think like attackers.

In this talk I'll attempt to:

• Increase our knowledge and awareness
• Discuss practical techniques and approaches that increase our defences
• Break some software

Speaker Bio

Kim Carter is a Software Engineer, Architect, Entrepreneur and the founder of BinaryMist. He is passionate about and enjoys many things. Some of which include:

• Designing and creating robust software and networks.
• Breaking his and others software and networks, then fixing it/them.
• Teaching, training, mentoring, motivating, listening to and being around smart people.
• Increasing quality awareness and helping people and organisations implement higher quality in a cost effective manner.
• Improving operational efficiencies.

Hugh Davenport - Aura RedEye Security - Bug Chaining (aka, why XSS can be worse than you think)

Abstract

Security bugs can range in damage from small stuff, all the way to big stuff. Some people only focus on the large stuff, and the smaller stuff can go unnoticed. This talk will give a real world example of a project that had a small bug, that allowed a larger bug to happen, which allowed a larger bug, which allowed for unwanted shell access.

Speaker Bio

Hugh works at Aura RedEye Security on their managed vulnerability scanning service. In his spare time, he is the security point of contact on the Mahara open source tool and contributes to many other open source projects.

Hinne Hettema - University of Auckland - Evolution of Threats and the Skills in our Security Team

Abstract

The threat landscape for security threats is constantly evolving, with new threats being stealthier, more diverse, and increasingly aimed at bypassing the protection offered by antivirus and network intrusion detection systems. Adversaries are now often part of a semi-organised underground economy geared towards the acquisition and sale of digital assets such as usernames, passwords, confidential business information, financial data and designs. There are specific value chains in this economy, which make the acquisition, sale and utilisation of such assets a relatively easy process.

This talk focuses on the skills needed in a security team to deal with this next level of threat, and on the sort of teams that we need in enterprise security to address the modern threats that we face.

Speaker Bio

Hinne Hettema is the team leader of the IT security team at The University of Auckland, an honorary research fellow in the Department of Philosophy at The University of Auckland, and lectures in cyber security at Unitec. He has 10 years experience in security consulting and has a PhD in Philosophy (2012) and theoretical chemistry (1993).

Francois Marier - Mozilla - Securing the Web Without Site-Specific Passwords

Abstract

Has anyone else noticed that the OWASP Top 10 is not changing very much? Especially in the realm of authentication-related problems. I don't claim to have the one true solution for this, but one thing is certain: if we change how things are done on the web and relieve developers from having to store passwords, we can make things better.

We need to let web developers outsource their authentication needs to people who can do it well. Does that mean we should force all of our users to join Facebook? Well not really. That might work for some sites, but outsourcing all of our logins to a single for-profit company isn't a solution that works for the whole web.

The open web needs a better solution. One that enable users to choose their identity provider and shop for the most secure one if that's what they're into. This is the promise behind Persona and the BrowserID protocol. Choose your email provider carefully and let's get rid of all of these site-specific passwords that are just sitting there waiting to be leaked and cracked.

Speaker Bio

Francois is a software engineer and security champion on the Mozilla Identity team where he works on decentralising authentication on the web. A long time Debian developer, Francois has been involved in Open Source and web development for a while and has always had a strong interest in security.

Andrew Kelly - Nothing to See Here!

Abstract

This is how it starts: "Seeking an exciting new challenge? Want to be responsible for building and shaping an embryonic information security function? Then you so won't want to miss this golden opportunity!" Andrew will talk about the setting up of an information security function in an organisation from scratch ('Greenfield') - as opposed to trying to bed yourself down into an already-existing organisation ('Brownfield'). He'll talk about the pros and the cons, and the many ups and downs. And hopefully he'll answer some questions like: Is there, if fact, any such thing as a greenfield security opportunity left in the wild? And ... if such mythical beasties do exist ... are they worth signing on for? Andrew will discuss the pitfalls and pratfalls of the journey from initial engagement, through (maybe) acceptance, until (perhaps) security sign-off and (hopefully) go-live. He'll also discuss both the Pit Bulls and prats you're likely to meet along the way. So ... if you want to hear a guy speak who reckons he's forgotten more than he ever thought he knew? Then this is so the talk for you!

Speaker Bio

Andrew is a whole year older than he was when he presented at last year's OWASP Day: So this time around he's bringing a quarter century's worth of IT security experience to OWASP! Now 25 years ago, he was this mainframe security uber-tech - but today Andrew's recognised as being a 'pragmatic' subject-matter expert on corporate-level information security policy, compliance, frameworks and governance. His first greenfield security 'opportunity' came in November 1989 at the Sun Life Assurance Company of Canada, in the UK. And during those intervening 24 years, he's had similar experiences at various other companies including the likes of Lloyds/TSB Bank, Fonterra, BT Syntegra, Telecom/Gen-i and, lately, Health Benefits Ltd. - amongst many others.

Training Events

We are happy to announce that training will run on Wednesday September 11th 2013, the day before the OWASP Day conference. Both courses will be running from 9:00 AM sharp to 5:00PM.The training venues will be auditoriums kindly provided by the University of Auckland, in the same building as the OWASP Day conference itself. Classes will contain up to 20 students, and each seat has power for laptop usage. Both courses will be run by Aura Information Security, and there is both a basic and advanced course available. Feedback from previous training has been very positive - so get in quick! Details are as follows:

Basic Web Application Security

These days websites are under constant attack and it's incredibly easy for a developer or administrator to make seemingly minor mistakes that introduce security vulnerabilities.

You can't fight a war that you don't know you're waging. You can't defend your websites against attack unless you know the tricks the attackers are using to infiltrate. By the end of this workshop you'll have a good understanding of the OWASP Top 10 including:

• Cross-Site Scripting (XSS)
• Cross-Site Request Forgery (CSRF)
• SQL Injection
• Man-In-the-Middle attacks
• Layering your defenses (defense-in-depth) that can help protect you from exploit chaining.

More importantly, however, you'll also learn how to minimise the risk from these and other attacks, with practical tips that you can apply straight away to help you design, build and manage more secure websites. This workshop is essential for:

• All developers and designers working on web applications but without formal training in security
• Anyone working in the website / web application space
• IT Professionals interested in security issues

This is a hands on workshop where attendees must bring their own laptops. It is required that users are local admins or root on their own machines.

Advanced Web Application Security

This advanced web security course is for senior or experienced developers who are looking for a deeper understanding of web security, beyond the OWASP Top 10. By the end of this workshop you'll have a good understanding of:

Advanced Attacks

We will run through more complex attacks against web-apps using layered attacks requiring a multi-step defense including

• Malicious file uploads and web shells
• XXS shells
• Padding oracle attacks
• XXE injection attacks
• Serialisation and file include attacks
• Timing attacks
• Cryptography

Where, when and how to use it effectively and securely.

Advanced Design and Defense

• How to secure systems against malicious users and admins.
• How to secure data at rest such as credit cards, banking data or other high value data.
• Tools

We will also introduce some of the tools and techniques you should use to test the security of your own systems This is a hands on workshop where attendees must bring their own laptops. It is required that users are local admins or root on their own machines.

For further information, please contact us at the follow email addresses:

• nick.freeman@owasp.org
• adrian.hayes@owasp.org