Difference between revisions of "OWASP New Zealand Day 2018"

Latest revision as of 21:45, 23 January 2019

4th and 5th February 2018 - Auckland

Introduction

We are proud to announce the ninth OWASP New Zealand Day conference, to be held at the University of Auckland on Monday February 5th, 2018. OWASP New Zealand Day is a one-day conference dedicated to information security, with an emphasis on secure architecture and development techniques to help Kiwi developers build more secure applications.

Who is it for?

Web Developers: There will be a choice of two streams in the morning. First stream covering introductory talks to information security, second stream covering deeper technical topics. Afternoon sessions will cover offensive security in stream one, and continue with deeper technical topics in stream two
Security Professionals and Enthusiasts: Technical sessions later in the day will showcase new and interesting attack and defence topics

Conference structure

Date: Monday 5 February 2018
Time: 9:30am - 6:00pm
Cost: Free

The main conference is on Monday 5th of February, and will have two streams in both the morning and the afternoon:

Training

As well as the main conference on Monday, we are pleased to be able to provide training on Sunday at the same venue. All details including registration are as follows:

Building Security Into Your Development Teams Date: Sun 04 February 2018
Time: 9:00am - 5:30pm or part thereof
Training Registration Page

Spaces going fast, so get in quick

General

The ninth OWASP New Zealand Day will be happening thanks to the support provided by the University of Auckland, which will kindly offer the same location as last year for stream one, with the addition of another room near by for the stream two room. Entry to the event will, as in the past, be free.

For any comments, feedback or observations, please don't hesitate to contact us.

Registration

Registration for the main conference day is now open: Conference Registration Here, Follow us on twitter @owaspnz

There is no cost for the main conference day. Unfortunately due to increased conference running costs, lunch, morning and afternoon tea's will not be provided as it has been for the past OWASP NZ Days. We do ask that if at any point you realise you cannot make it please cancel your registration to make room for others as spaces are limited.

Important dates

CFP submission deadline: 8th December 2017
CFT submission deadline: 8th December 2017
Conference Registration deadline: 29th January 2018
Training Registration deadline: 29th January 2018
Training Day date: 4th February 2018
Conference Day date: 5th February 2018

For those of you booking flights, ensure you can be at the venue at 9:00am, the conference will end by 6:00pm however we will have post conference drinks at a local drinking establishment for those interested.

Places to eat & drink on the day

Coffee cart and selection of snacks next to the reception on the ground floor, this is the closest but will probably have long lines
Mojo Symonds - also on campus
Shakey Isles - coffee and food across the road on the corner of Symonds & Alfred St
The CBD - walk up and over Albert Park to get to the CBD with many great food options

Fort Street has burgers, kebabs, and KFC
High Street & Lorne Street have lots of little cafes and restaurants

Subway, Starbucks, & Pita Pit - walk up Symonds Street
Vulture’s Lane is a popular pub with the infosec crowd, there are more seats downstairs
The Bluestone Room - also a popular pub just across Queen St

Conference Venue

The University of Auckland School of Business
Owen Glen Building
Address: 12 Grafton Road

Stream one room: Level 1
Room: 115 (Fisher & Paykel Auditorium)

Stream two room: Level 0
Room: 098

Auckland
New Zealand
Map

Conference Sponsors

Gold Sponsors:

Silver Sponsors:

Support Sponsors:

Conference Committee

Kirk Jackson - OWASP New Zealand Leader (Wellington)
Kim Carter - OWASP New Zealand Leader (Christchurch)
Nick Malcolm - OWASP New Zealand Leader (Auckland)
Lech Janczewski - Associate Professor - University of Auckland School of Business

Please direct all enquiries to nick.malcolm@owasp.org | kirk.jackson@owasp.org | kim.carter@owasp.org

OWASP NZ on Twitter (https://twitter.com/owaspnz)

Call For Presentations

Thank you to all those who have submitted talks. The call for presentations has now closed.

OWASP New Zealand Day conferences attract a high quality of speakers from a variety of security disciplines including architects, web developers and engineers, system administrators, penetration testers, policy specialists and more.

We would like a variety of technical levels in the presentations submitted, corresponding to the three sections of the conference:

Introductions to various Information Security topics, and the OWASP projects
Technical topics
Policy, Compliance and Risk Management

The introductory talks should appeal to an intermediate to experienced software developer, without a solid grounding in application security or knowledge of the OWASP projects. These talks should be engaging, encourage developers to learn more about information security, and give them techniques that they can immediately return to work and apply to their jobs.

Technical topics are running all day and should appeal to two audiences - experienced software security testers or researchers, and software developers who have a “OWASP Top Ten” level of understanding of web attacks and defences. You could present a lightning, short or long talk on something you have researched, developed yourself, or learnt in your travels. Ideally the topics will have technical depth or novelty so that the majority of attendees learn something new.

We would also like to invite talks that will appeal to those interested in the various non-technical topics that are important in our industry. These talks could focus on the development of policies, dealing with compliance obligations, managing risks within an enterprise, or other issues that could appeal to those in management roles.

We encourage presentations to have a strong component on fixing and prevention of security issues. We are looking for presentations on a wide variety of security topics, including but not limited to:

Web application security
Mobile security
Cloud security
Secure development
Vulnerability analysis
Threat modelling
Application exploitation
Exploitation techniques
Threat and vulnerability countermeasures
Platform or language security (JavaScript, NodeJS, .NET, Java, RoR, Python, etc)
Penetration Testing
Browser and client security
Application and solution architecture security
PCI DSS
Risk management
Security concepts for C*Os, project managers and other non-technical attendees
Privacy controls

The submission will be reviewed by the OWASP New Zealand Day conference committee and the highest voted talks will be selected and invited for presentation.

PLEASE NOTE:

Due to limited budget available, expenses for international speakers cannot be covered.
If your company is willing to cover travel and accommodation costs, the company will become "Support Sponsor" of the event.

Thank you to all those who have submitted talks. The call for presentations has now closed.

Please submit your presentation here.

Submissions deadline: 8th December 2017

Applicants will be notified in the following week after the deadline, whether they were successful or not.

Call For Sponsorships

OWASP New Zealand Day 2018 will be held in Auckland on the 5th of February, 2018 and is a security conference entirely dedicated to application security. The conference is once again being hosted by the University of Auckland with their support and assistance. OWASP New Zealand Day 2018 is a free event, but requires sponsor support to help be an instructive and quality event for the New Zealand community. OWASP is strictly not for profit. The sponsorship money will be used to help make OWASP New Zealand Day 2018 a free, compelling, and valuable experience for all attendees.

The sponsorship funds collected are to be used for things such as:

Name tags - we feel that getting to know people within the New Zealand community is important, and name tags make that possible.
Promotion - up to now our events are propagating by word of mouth. We would like to get to a wider audience by advertising our events.
Printed Materials - printed materials will include brochures, tags and lanyards.

Facts

Last year, the event was supported by nine sponsors and attracted more than 900 registrations. Plenty of constructive (and positive!) feedback from the audience was received and we are using this to make the conference more appealing to more people. For more information on the last New Zealand Day event, please visit: https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2017

The OWASP New Zealand community is strong, there are more than 500 people currently subscribed to the mailing-list. OWASP New Zealand Day is expected to attract between 800 and 1000 attendees this year.

OWASP regular attendees are IT project managers, IT security managers, IT security consultants, web application architects and developers, QA managers, QA testers and system administrators.

Sponsorships

There are three different levels of sponsorships for the OWASP New Zealand Day event:

Support Sponsorship: (Covering international speaker travel expenses, media coverage/article/promotion of the event)

Includes:

Publication of the sponsor logo on the event web site - https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2018

Silver Sponsorship: 1500 NZD

Includes:

Publication of the sponsor logo on the event web site - https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2018
The publication of the sponsor logo in the event site, in the agenda, on the handouts and in all the official communications with the attendees at the conference.
The possibility to distribute the company brochures, CDs or other materials to the participants during the event.

Gold Sponsorship: 2750 NZD

Includes:

The possibility to have a promotional banner or sign side stage in the main auditorium (to be provided by the sponsor, size subject to approval by the OWASP NZ Day Committee).
The publication of the sponsor logo in the event site, in the agenda, on the handouts and in all the official communications with the attendees at the conference.
The possibility to distribute the company brochures, CDs or other materials to the participants during the event.
Publication of the sponsor logo on the OWASP New Zealand Chapter page - Sponsor logo on the OWASP NZ site prior and during the OWASP Day event - https://www.owasp.org/index.php/New_Zealand
Publication of the sponsor logo on the event web site - https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2018

Those who are interested in sponsoring OWASP New Zealand 2018 Conference can contact the OWASP New Zealand Board.

Presentations

5th February 2018

08:30	Registration Opens
09:30	Welcome to OWASP New Zealand Day 2018 Kirk Jackson, Kim Carter, Nick Malcolm (OWASP Leaders), and Lech Janczewski (Associate Professor)
	Upstairs room	09:45	Downstairs room
	Fear Itself Laura Bell - SafeStack	09:45	Offensive Defence Chris Berry - Aura Information Security Slides: (PDF, 3.4mb) Video
10:20	Pizza Roulette Catherine McIlvride and Fiona Sasse Slides: (PDF, 3.4mb) Video	10:20	*Auth Infrastructure for Everyone** Ryan Kurte and Kirk Holloway Slides
10:55	Guarding the Pot of Gold while the Rainbow gets bigger Sarah Bennett and Patricia Ramsden - Xero Video	10:55	Bermudez - a honeypit designed to waste hacker's time Ian Welch and Kaishuo Yang Video
11:30	Enough theory, how are websites getting hacked in real life? Declan Ingram - CERT Video	11:30	Rails Derailed Tim Goddard Slides Video
12:05	Secure APIs: Road to Business Growth Anupama Natarajan - Unisys New Zealand Slides: (PDF, 719kb) Video	12:05	Timing-Based Attacks in Web Applications Yappare Slides: (PDF, 7.7mb)
12:35	Break for Lunch
14:00	Developer's guide to Deserialization Attacks Felix Shi	14:00	IoT - How to fight the tyre fire Tom Isaacson Slides (speakerdeck)
14:45	Finding the path to #DevSecOps nirvana Olly - Xero	14:45	Thinking like an Attacker (Hacking your own organisation) Nick Le Mouton - drugs.com Slides (speakerdeck) Video
15:00	When Shoestrings Snap Rory Shillington - VoltsAndBits Slides: (PDF, 7.3mb) Video	15:00	Evil Pickles: DoS Attacks Based on Object-Graph Engineering Jens Dietrich - Massey University Slides (google) Video
15:30	Break for Afternoon Tea
16:00	Enough with XSS, let's talk about something else? Karan Sharma Slides: (PPTX, 4mb) Video	16:00	Secure development in Go Dion Bramley Slides (github) Video
16:35	Riding someone else’s wave with CSRF Sam Shute - Quantum Security Slides: (PPTX, 234kb)	16:35	Secure Your Programming Future! David Pearce Slides: (PDF, 1.8mb)
17:10	Operation Luigi: How I hacked my friend without her noticing Alex Hogue - Atlassian	17:10	Handling Of A PCI Incident - PANs In The Database David Waters - Pushpay
17:50	Wrap Up Time to go out and socialise, for those interested

Speakers List

Laura Bell - SafeStack - Fear Itself

Abstract

Abstract: The world is a scary place right now. While the risk posed by security threats is high, there are many organisations and people for whom this is the least of their concerns.

In a time of unsettled economies & governments, where there are more breaches each week than we would have once seen in a year... how can we change the way we enable and inspire security change to stop trying to scare the terrified and start trying to help.

Speaker Bio

With almost a decade of experience in software development and information security, Laura Bell specializes in bringing security survival skills, practices, and culture into fast paced organisations of every shape and size.

An experienced conference speaker, trainer, and regular panel member, Laura has spoken at a range of events such as BlackHat USA, Velocity, OSCON, Kiwicon, Linux Conf AU, and Microsoft TechEd on the subjects of privacy, covert communications, agile security, and security mindset.

As the co-author of "Agile Application Security" published by O'Reilly media, Laura is internationally recognised as a leader in her field.

She is the founder and CEO of SafeStack, leading its operations from Auckland, New Zealand.

Chris Berry - Aura Information Security - Offensive Defence

Abstract

Frustrated by the ability to take over corporate networks by exploiting the same petty misconfigurations for the past several years, I want to expose blue teamer’s and dev’s to the current internal pen test strategies, which have proven consistently effective in going from no auth to domain admin.

Speaker Bio

Chris is a Security Consultant at Aura Information Security with experience across a broad variety of domains and industries. He is owned by a cat.

Catherine McIlvride and Fiona Sasse - Pizza Roulette

Abstract

Catherine and Fiona are security newbies in the world of bleepbloops. As their hunger for more knowledge on Security Testing grows, they attempt to chomp into the cyber realm of ordering pizza. Pull up a chair, grab a slice* and prepare yourself for a feast! *Disclaimer: Pizza will not be included.

Speaker Bio

Catherine and Fiona are software testers who have been united by their passion for pizza and their curiosity for wearing black and whites hats. They hammer and chisel their way through interfaces, databases, and all other places to identify cracks and gaps. Now they face their next adventure roaming unfamiliar territory in the security space.

Ryan Kurte and Kirk Holloway - Auth* Infrastructure for Everyone

Abstract

Auth(entication|orisation) is tough. We’re going to talk about how it’s usually done, the developer and user experience of auth*, and some things that often go wrong. Then we’re going pitch an idea that might, hopefully, maybe, help us all build safe exciting things.

Speaker Bio

Ryan is an aspiring hardware whisperer and academic with an incurable side project problem.

Kirk builds tiny bits of content that go in bigger bits of content for your local internet box. Combined they form 5/8ths of a full stack developer.

Sarah Bennett and Patricia Ramsden - Xero - Guarding the Pot of Gold while the Rainbow gets bigger

Abstract

We've all heard that as an industry we're severely outnumbered (defenders vs attackers). Many of us become a potential targets due to the type of market our company is in. The closer to money handling you are, the more attention you get therefore the more that ratio of defenders to attackers gets worse. We've seen our adversaries change over time as we've grown. We'll discuss how our hitting one million paid subscribers affected us in terms of security, and how the motives of attackers seem to change with the seasons.

Speaker Bio

TBD

Ian Welch and Kaishuo Yang - Bermudez: a honeypit designed to waste hacker's time

Abstract

Small enterprises don’t have the human resources to deal with web attacks 24/7 although attacks can occur anytime. We describe a honeypit designed to entrap and slow attackers down giving time for a sysadmin to detect and respond to an attack.

Speaker Bio

Ian works for Victoria University of Wellington (VUW) doing computer security teaching and research mostly related to honeypots (CaptureHPC) and more recently software-defined networks (Gasket and Baffle).

Kai is a research assistant at Victoria University of Wellington (VUW). He developed Bermudez as part of his final year project last year and is working over summer on a security policy language for software-defined networks called Baffle.

Declan Ingram - CERT - Enough theory, how are websites getting hacked in real life?

Abstract

Since opening in April 2017, CERT NZ has dealt with hundreds of hacked websites. In this talk I propose to step through a few case studies of what went wrong, and how to stop it from happening to your websites. This talk will be done specifically for OWASP day and won’t be used for other audiences.

Speaker Bio

Declan Ingram is the Manager of Operations for CERT NZ and leads the technical side of CERT NZ – including the Incident Response Team. He has worked for over 17 years in information security, with broad experience in both incident response and security testing.

Tim Goddard - Rails Derailed

Abstract

Modern web application frameworks provide a lot of protections by default, but no protection is absolute. We explore common, severe security issues in Ruby on Rails applications, why they still occur despite its attempts to protect us.

Speaker Bio

Tim (pruby) moved two years ago from being a useful human being and building web applications, to the more haphazard world of tearing them apart. He applies his development background and knowledge to review applications from the ground-up, using the code to inform an efficient approach to security testing.

Anupama Natarajan - Unisys New Zealand - Secure APIs: Road to Business Growth

Abstract

Security must never be an afterthought. API Security is key for all modern digital businesses and secure APIs provide more confidence to the consumers. Come and learn the art of detecting underprotected APIs and how to secure them.

Speaker Bio

I am a Software Professional with over 15 years experience in designing and developing Web, Data Warehouse, Business Intelligence and Mobile solutions. I am a Microsoft Certified Trainer (MCT) and really passionate in sharing knowledge. I love solving complex business problems for my clients with innovative solutions using Microsoft Technologies and use that experience in my trainings and presentations. I share tried and tested examples which people can start use in their organisations immediately.

Yappare - Timing Based Attacks in Web Applications

Abstract

Timing-based attacks are deadly but often overlooked. Pentesters often miss such attacks when testing web applications.

By the end of the talk, the audience will learn ways to identify timing-based webapp vulnerabilities through careful manual and automated analysis of response generation times.

Speaker Bio

I was a Chemical Engineering graduate but have interest in application security. 7+ years in penetration testing industry and 5 years in bug bounty scene and currently at top leaderboard of Bugcrowd. Involving in these two areas of ‘hacking’ environment, expose me with various ways of identifying web vulnerabilities.

Felix Shi - Developer's guide to Deserialization Attacks

Abstract

A beginner friendly talk on deserialization attacks, targeted towards webapp devs and QA engineers. Heavy emphasis on explaining the attack vectors, the technical/business impact, and how to test for it.

There will be demos in some popular languages/frameworks - namely Python, Java, and C#.

Speaker Bio

Felix works in the security space at an online accounting software company named Xero. He joined in 2014 and his day job involves securing and breaking internally developed products. Before Xero he spent his previous years as a developer, and has been dabbling in the information security scene in Wellington.

Tom Isaacson - IoT: How to fight the tyre fire

Abstract

Everyone knows that IoT is a tyre fire but what can we do to start putting it out? Take a quick tour through the new OWASP IoT Top 10 and some other (personal) examples of how not to do IoT.

Speaker Bio

I’ve been an embedded developer for 20 years. I haven’t bothered learning web development because I still think the internet is a passing fad, but I’ve been forced to think about security after we added networking to our products.

Olly - Xero - Finding the path to #DevSecOps nirvana

Abstract

A talk about my experiences automating security infrastructure in AWS at Xero. The end goal, things to consider in a security context, the 80/20 rule, convincing people and how to get started. Buzzwords include: DevOps, DevSecOps, AWS, Cloud, CI/CD, “.* as code”.

Speaker Bio

Oliver is a Graduate Security Engineer at Xero where he helps build and deploy security infrastructure into AWS focusing on automation and repeatability. He is a contributor to Security Monkey, Netflix’s open source AWS security auditing tool.

Nick Le Mouton - drugs.com - Thinking like an Attacker (Hacking your own organisation)

Abstract

Often as developers we think like defenders. We identify vulns (SQLi, XSS etc) and patch them. How often do we think, how far could an attacker get by using this vuln? What could they do?

It’s easier to get non security buy-in if you can provide a working exploit to show how serious a vuln is.

Speaker Bio

I started my career as a developer and for the last 20 years I’ve moved more and more into the security space. I’m currently the CTO for Drugs.com, but spend a lot of time reading through legacy code and identifying areas of concern/exploiting vulnerabilities.

Rory Shillington - VoltsAndBits - When Shoestrings Snap

Abstract

Have you ever fed a sheep to a wolf? Every day, charities, non-profit organisations and small businesses get devoured by online threats. Let’s take a look at what’s happening both at the keyboard and IRL/AFK.

Speaker Bio

Rory Shillington is an electrical engineer trying to save polar bears by day, and a jack of all admins by night.

When not designing, testing and breaking solar inverters, he helps a small handful of clients navigate the minefields of the internet while keeping their websites patched (arrr). He has a strong passion for computer security with a number of years of hands-on experience, and a tendency of venturing questionable distances to solve other people’s problems. He also maintains a number of hobby and community websites.

Jens Dietrich - Massey University - Evil Pickles: DoS Attacks Based on Object-Graph Engineering

Abstract

Evil pickles is a new type of degradation of service attack inspired by billion laughs. It exploits the object serialisation interface present in most modern languages (such as Java, C#, Ruby), and can be used to exhaust resources including CPU time, stack and heap memory of the systems attacked.

Speaker Bio

Jens is an Associate Professor at Massey University Turitea Palmerston North. Jens has a MSc in Mathematics and a PhD in Computer Science from the University of Leipzig. After graduating in 1996, he worked as a software consultant, participating in some of the first large-scale enterprise-level projects that used object-oriented programming (Smalltalk and later Java) and agile principles. Clients he worked for include Mercedes-Benz, Volkswagen and some of the largest German banks. He moved to Namibia in 1999, working for a development aid agency to establish a computing curriculum at the local university of applied science. He continued with freelance consulting work for European and US clients during this time, and started several open source projects. In 2003 he moved to New Zealand to take up a position at Massey. Jens’ research interest are in the areas of software modularisation, evolution and static analysis for bug and vulnerability detection. He currently leads a National Science Challenge project on program analysis, and his research on fast algorithms for static analysis of large Java programs has been supported by several rounds of funding by Oracle Incl (through Oracle Labs Brisbane). Jens is executive member of Software Innovation NZ (SI^NZ) and member of the ACM.

Karan Sharma - Enough with XSS, let's talk about something else?

Abstract

I think it is time to lift our game and think beyond classic vulns such as XSS, CSRF, Dir Traversal, SQLi and talk about recent web vulns which are becoming more and more common and being exploited in the wild these days like IDOR, XXE, SSRF, DOM Clobbering, RPO and Insecure Cryptographic Storage.

Speaker Bio

Working as a Security Consultant at one of the leading financial institute of NZ. Very passionate about web app security and have been doing it for over 6 years. Love building and breaking stuff especially web apps and IoT stuff. I spend my days testing web apps and network infrastructure for vulnerabilities and then help mitigate what I find.

Like to code in node.js on embedded devices and love building Web of Things oppose to Internet of Things (no pun intended).

Dion Bramley - Secure development in Go

Abstract

Google loves Go, and they claim it makes secure development much easier for people who aren’t teams of seasoned security experts. But what makes it so special? Why should you choose Go for your next secure API project? How to do secure Go. And why it can be a really terrible option for some projects

Speaker Bio

I have been working in software since 2012 using a wide range of languages. Currently I work at Spalk Ltd (yuck, sports) as a senior engineer building APIs and streaming services, and teaching interns. I studied a combination of computer science and computer engineering at UoA for 5 years. Sometimes I do free security and (engineering) design consulting for startups and charities. Hobbies include theatre, gaming, and helping people be awesome.

Sam Shute - Quantum Security - Riding someone else’s wave with CSRF

Abstract

Cross-site request forgery is one of the common vulnerabilities we are seeing in pen tests. It can be used to create or delete accounts, escalate privileges, and perform other actions. This talk will cover what it is, common issues and how to properly defend against it.

Speaker Bio

Sam is a security consultant with Quantum Security. While relatively new to the security industry he spent the last 7 years studying various security topics at the University of Waikato. Sam has been an organiser and challenge developer of the New Zealand Cyber Security Challenge for the last 3 years. His areas of interest include behavioral biometrics, the physical/digital security overlap and breaking IoT devices.

David Pearce - Secure Your Programming Future!

Abstract

Can programming languages help us write secure code? It’s an age-old question. New languages come and go, but don’t often seem that different. But wait! You haven’t seen anything like Whiley before. Forget about type checking. This is a whole new level. You might think the demo is faked. It’s not.

Speaker Bio

David graduated with a PhD from Imperial College London in 2005, and took up a lecturer position at Victoria University of Wellington, NZ. David’s PhD thesis was on efficient algorithms for pointer analysis of C, and his techniques have since been incorporated into GCC. His interests are in programming languages, compilers and static analysis. Since 2009, he has been developing the Whiley Programming Language which is designed specifically to simplify program verification. David has previously interned at Bell Labs, New Jersey, where he worked on compilers for FPGAs; and also at IBM Hursely, UK, where he worked with the AspectJ development team on profiling systems.

Alex Hogue - Atlassian - Operation Luigi: How I hacked my friend without her noticing

Abstract

My friend gave me permission to “hack all her stuff” and this is my story. It’s about what I tried, what worked, my many flubs, and how easy it is to compromise Non Paranoid People TM.

Speaker Bio

Alex is your conference speaker, your best friend, and your sweet mango boy. Alex fell off the back of a gently glowing ute 17 years ago, and now haunts the Earth in corporeal form. Critics have called him “aggressively wonky”. He does incident detection and response at Atlassian, which is kiiinda like being an adult. Catch him scratching out MEMBERS ONLY signs into MEMERS ONLY.

David Waters - Pushpay - Handling Of A PCI Incident - PANs In The Database

Abstract

Are you storing credit card numbers in your database when you’re not meant to? Would you know? We will be briefly cover PCI, and telling the story of the discovery of PANs in our pipeline. Then describe the full journey from discovery, to recovery to future prevention.

Speaker Bio

David is a Senior Software Engineer/Tech Lead and one of the leaders of the Secure Coding Guild at Pushpay, David previously worked for 3 years in the security industry including 1 year in the Security Team at Google in London and draws on 19 years experience as a systems and web developer, primarily working in .NET, Java and JavaScript.

Diversity and Financial Aid fund

The Diversity and Financial Aid assistance fund has now closed. If you find yourself stuck and need assistance, please get in touch with kirk.jackson@owasp.org and we'll see what we can do.

[We have unashamedly followed the model adopted by the nz.js(con) team with their fund. Many thanks to Jen and the team!]

Due to the support of our lovely sponsors, we have some additional funding available to help people from around New Zealand attend the OWASP NZ Day that would find it hard to otherwise attend. In particular, we welcome applications from women, people of colour, LGBTIQ and all others. You all deserve to be able to learn more about security, and we’ll do our darndest to help make that happen!

Our funds are limited, and we’ll be reviewing applications every two weeks starting in December. Submit your applications soon, so we can approve them early and you’ll be in several review cycles!

Process:

Fill out our application form
We will review and approve applications each two weeks. The next review date is in Dec 2017.
We will contact all applicants and let them know the result of the review.
Successful applicants will be contacted to help sort things out.

We use the following criteria to help us decide who gets approved:

We are biased towards (but not exclusively for) diverse applicants.
We do attempt to maximise cost efficiency and will aim to get as many people to OWASP with our limited funds.

Each successful recipient can choose whether to be kept anonymous (in which case only the OWASP NZ committee will know the details of your funding), or to be put in touch with the supporting company whose sponsorship is going towards your attendance. We think some of our sponsors may enjoy the opportunity to chat with you on the day talk about your experiences and plans for the future, but that’s totally optional and up to you.

If you have any questions, feel free to drop us an email: nick.malcolm@owasp.org | kirk.jackson@owasp.org | kim.carter@owasp.org

@@ Line 417: / Line 417: @@
 		<td style="background-color: #EEE; text-align: center">
 			<b>Offensive Defence</b><br />
-			<i>Chris Berry - Aura Information Security</i>
+			<i>Chris Berry - Aura Information Security</i><br/>
+[[Media:2018-02-05-ChrisBerry.pdf|Slides: (PDF, 3.4mb)]]
+[https://www.youtube.com/edit?o=U&video_id=-z4ID7Rh84E Video]
 		</td>
 	</tr>
@@ Line 426: / Line 428: @@
 			<i>Catherine McIlvride and Fiona Sasse</i><br />
 [[Media:2018-02-05-CatherineMcIlvrideFionaSasse.pdf|Slides: (PDF, 3.4mb)]]
+[https://www.youtube.com/watch?v=FUY-PgZqI3A Video]
 		</td>
 		<td width="7%" valign="top" align="right">10:20</td>
@@ Line 439: / Line 442: @@
 		<td style="background-color: #EEE; text-align: center">
 			<b>Guarding the Pot of Gold while the Rainbow gets bigger</b><br />
-			<i>Sarah Bennett and Patricia Ramsden - Xero</i>
+			<i>Sarah Bennett and Patricia Ramsden - Xero</i><br />
+[https://www.youtube.com/watch?v=kh5q-79Boe8 Video]
 		</td>
 		<td width="7%" valign="top" align="right">10:55</td>
 		<td style="background-color: #EEE; text-align: center">
 			<b>Bermudez - a honeypit designed to waste hacker's time</b><br />
-			<i>Ian Welch and Kaishuo Yang</i>
+			<i>Ian Welch and Kaishuo Yang</i><br />
+[https://www.youtube.com/watch?v=t5XBf4LApoo Video]
 		</td>
 	</tr>
@@ Line 451: / Line 456: @@
 		<td style="background-color: #B9C2DC; text-align: center">
 			<b>Enough theory, how are websites getting hacked in real life?</b><br />
-			<i>Declan Ingram - CERT</i>
+			<i>Declan Ingram - CERT</i><br/>
+[https://www.youtube.com/watch?v=WhYh-eUqxIA&t=137s Video]
 		</td>
 		<td width="7%" valign="top" align="right">11:30</td>
@@ Line 458: / Line 464: @@
 			<i>Tim Goddard</i><br />
 [https://insomniasec.com/releases Slides]
+[https://www.youtube.com/watch?v=fGlS6w2naN0 Video]
 		</td>
 	</tr>
@@ Line 466: / Line 473: @@
 			<i>Anupama Natarajan - Unisys New Zealand</i><br />
 [[Media:2018-02-05-AnupamaNatarajan.pdf|Slides: (PDF, 719kb)]]
+[https://www.youtube.com/watch?v=WIz6pS9L5l0 Video]
 		</td>
 		<td width="7%" valign="top" align="right">12:05</td>
@@ Line 504: / Line 512: @@
 			<i>Nick Le Mouton - drugs.com</i><br />
 [https://speakerdeck.com/noodlesnz/thinking-like-an-attacker Slides (speakerdeck)]
+[https://www.youtube.com/watch?v=fGlS6w2naN0 Video]
 		</td>
 	</tr>
@@ Line 512: / Line 521: @@
 			<i>Rory Shillington - VoltsAndBits</i><br />
 [[Media:2018-02-05-RoryShillington.pdf|Slides: (PDF, 7.3mb)]]
+[https://www.youtube.com/watch?v=ElbY05nfZ2M Video]
 		</td>
 		<td width="7%" valign="top" align="right">15:00</td>
@@ Line 518: / Line 528: @@
 			<i>Jens Dietrich - Massey University</i><br />
 [https://docs.google.com/presentation/d/1WSDq_k6z4rZeuZlvdYfNyS1IwJhVLH-gxUROi98qkL8/edit#slide=id.p Slides (google)]
+[https://www.youtube.com/watch?v=1q2rZyR17jU Video]
 		</td>
 	</tr>
@@ Line 530: / Line 541: @@
 		<td style="background-color: #EEE; text-align: center">
 			<b>Enough with XSS, let's talk about something else?</b><br />
-			<i>Karan Sharma</i>
+			<i>Karan Sharma</i><br />
+[[Media:2018-02-05-KaranSharma.pptx|Slides: (PPTX, 4mb)]]
+[https://www.youtube.com/watch?v=KbVWJcf2CRQ Video]
 		</td>
 		<td width="7%" valign="top" align="right">16:00</td>
@@ Line 537: / Line 550: @@
 			<i>Dion Bramley</i><br />
 [https://github.com/dionb/GoSecureDev Slides (github)]
+[https://www.youtube.com/watch?v=4O2OShd-Su8 Video]
 		</td>
 	</tr>
@@ Line 872: / Line 886: @@
 ==Code of Conduct==
-We want to make the OWASP NZ Day a welcoming environment for all attendees. To that end, we would like to remind you of OWASP's anti-harassment policy: [https://www.owasp.org/index.php/Governance/Conference_Policies].
+We want to make the OWASP NZ Day a welcoming environment for all attendees. To that end, we would like to remind you of OWASP's anti-harassment policy: [https://www.owasp.org/index.php/Governance/Conference_Policies], including the '''Anti-Harassment Policy''', '''Privacy Policy''', and '''OWASP Code of Conduct'''.
 Speakers, trainers and sponsors have all been reminded of these policies, and are expected to abide by them like all attendees.

Difference between revisions of "OWASP New Zealand Day 2018"

Latest revision as of 21:45, 23 January 2019

Introduction

Conference structure

Training

General

Registration

Important dates

Places to eat & drink on the day

Conference Venue

Conference Sponsors

Conference Committee

Navigation menu

Search