Difference between revisions of "OWASP New Zealand Day 2009"

Revision as of 21:24, 7 June 2009

OWASP New Zealand Day 2009
13th July - Auckland


in collaboration with:

Department of Computer Science
ICT and Department of Information Systems and Operations Management
 

Introduction

Welcome to OWASP New Zealand Day 2009, the first all-day security conference dedicated to web application security in New Zealand.

Conference Venue

The University of Auckland Business School
Owen G Glenn Building
Room: OGGB 260-073 (OGGB4)
Address: 12 Grafton Road
Auckland
New Zealand

Registration

You are invited to attend the OWASP Day conference at no charge (free as in beer). However, to ensure an orderly, well-run event, we require that all attendees register before the registration close-off date (20th June 2009). At this time there is no plan to allow "on the day" registration, so register now to reserve your place.

To register for the conference, please click the registration button below:

[Register now]

Topics

The OWASP Days have always offered a forum for discussion and exchange of ideas among researchers and practitioners, who present their experiences and discuss issues related to web application security from a high-level to a technical point of view.

Conference topics include, but are not limited to:

  • OWASP Project Presentation (i.e. tool updates, project status, etc.)
  • Threat modelling of web applications
  • Privacy Concerns with Applications and Data Storage
  • Vulnerability analysis of web applications (code review, pentest, static analysis, scanning)
  • Baseline or Metrics for Application Security
  • Countermeasures for web application vulnerabilities
  • Web application security
  • Platform or language (e.g. Java, .NET) security features that help secure web applications
  • Secure application development
  • How to use databases securely in web applications
  • Security of Service Oriented Architectures
  • Access control in web applications
  • Web services security
  • Browser security

Conference structure and schedule

OWASP New Zealand Day 2009 will be an all-day conference. The conference aims to provide a workshop-like atmosphere in which contributions can be presented, with time allowed afterwards for constructive discussion of their results and processes.

It will be structured as two parallel streams. The programme includes two coffee breaks (one in the morning and one in the afternoon) and lunch, which may be offered by the sponsors.

The detailed agenda of the conference will be available on the web site before the event.

Agenda

Two parallel streams; slots marked "tba" are still to be announced.

Time    Stream 1                Stream 2
08:30   Registration
09:00   Welcome/Introduction
09:15   tba                     tba
10:00   tba                     tba
10:45   Coffee Break
11:15   tba                     tba
12:00   Lunch Break
13:00   tba                     tba
13:45   tba                     tba
14:30   tba                     tba
15:15   Snack Break
15:45   tba                     tba
16:30   tba                     tba
17:15   tba                     tba
18:00   Conclusion

Speakers

Dean Carter - Security-Assessment.com - "Where Worlds Collide" - PCI-DSS for OWASP practitioners

The Payment Card Industry Data Security Standard (PCI DSS) has become a compliance requirement for many organisations. Due to its breadth, the PCI-DSS poses many and varied challenges to an organisation. Achieving and maintaining compliance is not simply a technical issue – it relies heavily on people, policy and processes. This session aims to look at OWASP initiatives that can be related directly to the PCI-DSS.

The session will start with a very brief, high-level overview of the PCI-DSS and then look closely at how various OWASP initiatives can be leveraged in organisational compliance programs.

Dean Carter

Paul Craig – Security-Assessment.com - “Insecurity and the Internet”

For the last 5 years I have spent 10 hours a day successfully breaking the internet. Networks, applications, services, it’s all insecure, hackable and often completely vulnerable. Through my work at Security-Assessment.com I have pointed out critical security flaws in the majority of New Zealand organizations. Hacking a multi-billion dollar New Zealand organization is actually not that hard. This fact really troubles me, and I find myself asking the question: “Why is the internet insecure?” It is after all 2009, not 1999. Today I hope to answer that question and find out why the internet is, and will likely always remain, insecure.

Paul Craig

Paul Craig is a principal security consultant at Security-Assessment.com in Auckland New Zealand, where he leads the penetration testing team. Paul is an active security researcher, published author, and a devoted hacker. Paul specializes in application penetration testing, and regularly speaks at security conferences around the globe.


Brett Moore – Insomnia Security - “Vulnerabilities In Action”

Common application vulnerabilities have been known for years now, and developers have been told about the threats and how to prevent these flaws. Even so, web applications are still being developed that are vulnerable to some of the oldest and most well-known security flaws. The aim of this presentation is to show attendees how vulnerabilities are discovered and exploited in real-world situations, and the devastating effect that a flaw can have on the security of an application. The presentation will demonstrate multiple different application vulnerabilities across various development languages and operating systems. All of the commonly seen vulnerabilities will be demonstrated, aligned with the OWASP Top 10 rating system. Attendees will be able to learn about the real dangers that application vulnerabilities pose by seeing them exploited as they would be in a real compromise. The demonstration will be done against a ‘virtual’ network of vulnerable systems containing both server- and application-level flaws, giving a real-world insight into an application compromise.

Brett Moore

Having conducted vulnerability assessments, network reviews, and penetration tests for the majority of the large companies in New Zealand, Insomnia founder Brett Moore brings with him over six years' experience in information security. During this time, Brett has also worked with companies such as SUN Microsystems, Skype Limited and Microsoft Corporation by reporting and helping to fix security vulnerabilities in their products. Brett has released numerous whitepapers and technical postings related to security issues and has spoken at security conferences both locally and overseas, including BlackHat, Defcon, Syscan, Kiwicon, Ruxcon, and the invitation-only Microsoft internal security conference called BlueHat.

Roberto Suggi Liverani / Nick Freeman – Security-Assessment.com - “Exploiting Firefox Extensions”

Firefox extensions are popular, well-established and used by millions of people around the world. Some of these extensions are recommended by the Mozilla community, and are implicitly trusted by the masses.

Little is known about Firefox extensions from a security perspective and our research intends to fill this gap. The talk is divided into two parts: theory and practice. First, we will explore the security model of Firefox extensions and present a security testing methodology. Next, we will illustrate how we applied the theory and discovered severe vulnerabilities in the most popular and recommended Firefox extensions. Examples of exploits will also be demonstrated.

After this talk, attendees will have gained a better understanding of the security implications, threats and risks of using and deploying Firefox extensions. Security professionals and auditors will be able to use our material as a security testing framework when auditing Firefox extensions.

Roberto Suggi Liverani

Roberto Suggi Liverani is a senior security consultant for Security-Assessment.com. He is the founder and leader of the OWASP (Open Web Application Security Project) in New Zealand. Roberto has worked with companies such as Google, Oracle and Opera by reporting and helping to fix security vulnerabilities in their products. Roberto is the co-author of the most recent OWASP Testing Guide and has spoken at various security conferences around the globe.

Nick Freeman

Nick Freeman is a security consultant at Security-Assessment.com, based in Auckland, New Zealand. After a couple of years of building systems for companies he has turned to breaking them instead, and spends his spare time searching for shells and the ultimate combination of whisky and bacon.

Nick von Dadelszen – Lateral Security - “Testing Web Services”

Web services are now a major component of many organisations' online presence. This could be in the form of AJAX-type consumer websites where more processing is being passed to the browser, or in corporate/government B2B information-sharing environments. This talk will focus on how to properly test web services, what to look for, and some of the tips and tricks picked up through my testing of these types of systems.

Nick von Dadelszen

Nick von Dadelszen has managed successful security teams for two previous employers and is now a co-founder and director of Lateral Security, responsible for technical delivery of projects. Nick has been performing penetration testing in New Zealand for the last 10 years and in that time he has worked with the majority of New Zealand's largest organisations including government, financial and telecommunications sectors.



Please note that the CFP is still open. Other slots are available for presenting.

Call For Sponsorships (OPEN)

The aim of the OWASP New Zealand community is to keep access to the conference free, in order to allow wide participation and empower the community itself. Accordingly, the OWASP New Zealand community encourages industry, research institutions and individuals to sponsor its activities and events. Two types of sponsorship are available:

  • Silver sponsorship: 1500 NZD

- Publication of the sponsor logo on the event web site (top of this page)

  • Gold Sponsorship: 3500 NZD

- Publication of the sponsor logo on the event site, in the agenda, on the flyers and brochure, and in all official communications with attendees at the conference.
- The opportunity to distribute company brochures, CDs or other materials to participants during the event.
- Dedicated sponsor space at the conference (sponsor booth) to show products/services to attendees during coffee breaks, lunch and snack breaks.


Those who are interested in sponsoring OWASP New Zealand 2009 Conference can contact the OWASP New Zealand Board.
Sponsors can also make use of the following PayPal button to make payments. Donations are also more than welcome from the NZ community.

[PayPal button: OWASP New Zealand Day 2009]

Call for Papers (OPEN) and review process

OWASP solicits contributions on the above topics, or on general matters of interest to the community. Those who are interested in participating as speakers at the conference can submit an abstract of the talk to the OWASP New Zealand Board.
The email subject must be “OWASP New Zealand 2009: CFP” and the email body must contain the following information/sections:

  • Name and Surname
  • Affiliation
  • Address
  • Telephone number
  • Email address
  • List of the author’s previous papers/articles/speeches on the same topics
  • Title of the contribution
  • Type of contribution: Technical or Informative
  • Abstract (max one A4 style page)
  • Why the contribution is relevant for OWASP New Zealand 2009

Submissions will be reviewed by the OWASP New Zealand Board, and the 12-14 most interesting ones will be selected and invited for presentation.

Conference dates

  • CFP close: 15th June 2009
  • Contributions submission deadline: 25th June 2009
  • Registration deadline: 20th June 2009
  • Conference Agenda due: 20th June 2009
  • Conference date: 13th July 2009

Conference Committee

OWASP New Zealand Day 2009 Organising Committee:

  • Roberto Suggi Liverani – OWASP New Zealand Leader
  • Rob Munro – OWASP New Zealand Evangelist
  • Alexandre Medarov – ICT Risk Manager - University of Auckland
  • Lech Janczewski - Associate Professor - University of Auckland

Conference Sponsors

Gold Sponsors:

Security-Assessment.com (www.security-assessment.com)

Silver Sponsors:

Lateral Security (www.lateralsecurity.com)