Difference between revisions of "OWASP New Zealand Day 2012"

Training

Test-Driven Security

Abstract

The purpose of this training is to introduce and demonstrate some application of test-driven security. Based on a ruby application, we are going to see how developers and testers can quickly improve and ensure the security of an application by asking themselves some simple questions and by checking simple things in their test cases.

Trainer: Louis Nyffenegger - PentesterLab

Louis is a security consultant working in Melbourne for Securus Global. He focus on web application security and presented to Ruxcon, Owasp and Auscert. In his spare, he works on 2 side projects: pentesterlab (a training web site) and pntstr (an easy web to run the first round of an interview).

PentesterLab.com

Trainee Requiements

• Laptop
• Some virtualisation software able to run an ISO. I.e. VirtualBox or VMWare.
• A basic Ruby understanding

Time: 9am till 12pm, 30th August 2012

Cost: $250.00

Register here!

Teaching the Good-Guys Bad-Tricks - OWASP Top 10 in real-life

Abstract

"I'm taught and I forget, I do and I remember" is particularly true with web-security. At this session you will have web-security and insecurity clearly explained and we'll walk through clear examples. But not only will you learn the OWASP Top 10 but you will also hand-craft your own attacks. In our fully functional hack-lab websites you will have a variety of hack challenges from hacking into other users' accounts, stealing credit cards and killing websites! But wait, there's more! We'll also cover techniques you need to employ to defend these attacks.

Trainer: Andy Prow - Aura

Andy Prow is an IT Security Consultant, Trainer and software developer who founded Aura back in 2001. With 18 years in the IT industry Andy has developed code for IBM, Vodafone, Telecom and Microsoft. Andy presents around the world at conferences including Microsoft's TechEd.

AuraInfoSec.com

Trainee Requiements

• Laptop
• A working browser and the Burp Suite free edition installed.

Time: 9am till 5pm, 30th August 2012

Cost: $500.00

Register here!

Conference Schedule / Presentations

Speakers List

Adam Bell - in2securITy - How do I get into Security? I'm a webdev! (An introduction to in2securITy)

Abstract

A brief introduction to in2securITy, it's aims and goals. A particular focus on the availability of mentoring, peers and the secure development stream.

Speaker Bio

Adam Bell is a security consultant with two years experience in the security industry backed by a further seven years experience in other IT industries. In this time he has worked for both local and national governments in network defence roles as well as working in more generalised system administration, programming, and (the dreaded) service centre. He currently works for Lateral Security and is the Network Defence writer for in2security.

Andrew Kelly - Comply or Die Trying

Abstract

We all have to comply with something: Laws or bylaws - regulations or recommendations - industry standards or industry best-practice. This OWASP talk will focus on the 'real-world' application of security policy and compliance in IT and business. How policy and compliance can actually be very useful when it comes to securing your job, your company - and your company's future. Both from an IT - and a business/commercial prospective. And - along the way - some common myths, misconceptions and downright misunderstandings around policy and compliance may well be busted. Come and listen to a guy who actually thinks compliance and policy ... are fun!

Speaker Bio

Andrew brings 27 years IT experience to OWASP - 24 of them in IT Security - and 13 of those spent in the UK and Europe (okay ... Belgium). Now despite starting out as a mainframe uber-tech - Andrew's recognised today as being a 'pragmatic' subject-matter expert on corporate information security policy, compliance and governance. Andrew created his first BS 7799-compliant security policy - for a credit card provider - in Cardiff back in 1999. Since then he's done much the same for the a number of security consultancies (NZ and UK), Fonterra, Transpower and Telecom (NZ) - and BT, Deutsche Bank, Lloyds/TSB Bank and Legal & General Assurance (UK) - amongst many others.

Andy Prow and Sam Pickles - Aura and F5 - Web Application Firewalls - Going where no WAFs have gone before...

Abstract

So we all know that WAFs (web application firewalls) are not the silver bullet they're often sold as. Many of us in the pen-testing space completely discount their value as dumb signature based systems that are bypassed with a flurry of keystrokes and encoding. BUT WAFs are getting MUCH smarter, and you may be really interested to see what a really intelligent WAF can do today. Ever thought a WAF could stop attacks against business logic flaws and broken authorisation?

Speaker Bio

Andy Prow is an IT Security Consultant, Trainer and software developer who founded Aura back in 2001. With 18 years in the IT industry Andy has developed code for IBM, Vodafone, Telecom and Microsoft. Andy presents around the world at conferences including Microsoft's TechEd

Sam Pickles is a senior engineer and security specialist with F5 Networks. During over twelve years of security industry experience, Sam has designed and built IT security systems; and conducted network, application and hardware penetration testing in many countries. Sam studied Physics at the University of Otago, and Computer Science at the University of Oxford; and has presented at events including ISIG, First Tuesday, OWASP and AusCERT.

Brett Moore - Insomnia Security - Increasing The Value of Penetration Testing

Abstract

Penetration testing has become fairy accepted now as part of the requirements of any new project. Is it really part of a company's security practices, or is it just a tick in the box? This presentation will examine how effective this is for organisations and how it can best be used to increase the usefulness from this type of work.

• What is, and what isn't penetration testing
• How cost effective is this method as a security measure?
• How should it fit into the software development lifecycle of any application or network?
• what you should look for in a company doing this work
• what part of the work can you do yourselves

Speaker Bio

Having conducted vulnerability assessments, network reviews, and penetration tests for the majority of the large companies in New Zealand, Insomnia founder Brett Moore brings with him over ten years experience in information security. During this time, Brett has also worked with companies such as SUN Microsystems, Skype Limited and Microsoft Corporation by reporting and helping to fix security vulnerabilities in their products. Brett has released numerous whitepapers and technical postings related to security issues and has spoken at security conferences both locally and overseas, including BlackHat, Defcon, Syscan, Kiwicon, Ruxcon, and the invitation only Microsoft internal security conference called BlueHat.

Dean Carter and Shahn Harris - Lateral Security - An (Unofficial) OWASP Top 10 for Managers

Abstract

The OWASP Top 10 Web Application Security Risks has done a fantastic job at a technical level.

Dean and Shahn have decided to turn their attention to the layer above and create a Top 10 for Managers.

10 things to assist Managers in ensuring that their web application projects are delivered in a secure, measurable, repeatable manner.

Oh… and they don’t cost a lot….

Denis Andzakovic - Security-Assessment.com - The Dos and Don'ts of Web Application Frameworks

Abstract

"Don't roll your own" has been common advice over the past decade; however even when heeding these words, insecure practices and common mistakes lead to glaring security holes. This talk will cover some of the common errors made when implementing applcations based around web frameworks, where to look for vulnerabilities and how to avoid them.

Speaker Bio

Denis is a Security Consultant for Security-Assessment.com, a security consultancy based in Auckland, Wellington, and Singapore.

Francois Marier - Mozilla - Defeating Cross-Site Scripting with Content Security Policy

Abstract

Cross-site scripting vulnerabilities are very common in web applications. They have been in the OWASP top 10 for a while and are routinely used by attackers.

There are simple guidelines that one can follow to prevent XSS bugs and most of the web frameworks out there offer some level of protection but at the end of the day, it's easy to make a mistake.

Content Security Policy adds another layer to a website's defenses: browser-enforced restrictions against external resources or unauthorized scripting. An extra response header instructs browsers to enforce a policy set by the server administrator.

Speaker Bio

Francois is a software engineer on the Mozilla Identity team where he works on Persona, the new decentralized authentication system for the open web. A long time Debian developer, Francois has been involved in Open Source and web development for a while and has always had a strong interest in security.

Kirk Jackson and Mike Haworth - Xero and Aura - Going Down to the Wire

Abstract

You've built the flashiest web app your cow-orkers have ever seen. Your boss loves you, and nominates you for a promotion next financial year. You've leveraged the latest hip web framework, and have jaxed your ajax to the max.

But have you done everything you can to make your application secure? Are you perhaps, in fact, doing a little _too much_?

A common issue we've come across in the past few years is applications that share too much information over the wire, or trust too much of what they receive. In this talk we'll look at some common pitfalls and techniques to counter them in modern web applications.

Let's go down to the wire.

Speaker Bio

Kirk works at Xero as a Security Architect, co-hosts the Wellington .NET user group, and is a Microsoft Developer Security MVP. He has previous experience in building and penetration testing large web applications.

Mike has previously spoken at OWASP and Kiwicon. He is a contributor to the BeEF project and spends his days pentesting for Aura Information Security.

Laura Bell - Lateral Security and Britta Offergeld – Royal New Zealand Foundation of the Blind - Blindsided by Security - The Reality of Web Security for the Visually Impaired

Abstract

Digital self-defence is now seen as a valuable life skill. As web developers we try to design systems that can protect as well as provide for our clients. As security consultants, we develop guidelines and frameworks that people can use to decide if a web application is trustworthy and secure. Even the least technical home users are becoming more confident in spotting suspicious behaviour online. Unfortunately, for the visually impaired, it’s not that simple. In a world where visual clues are not enough and where additional technologies such as screen readers are business as usual – web security is a very different matter.

Lateral Security and The Royal New Zealand Foundation of the Blind will examine the guidance and security best practice commonly in use for web applications today and how effective they are for those with visual impairments. In a talk that mixes real world examples, demonstrations and discussion from both a usability and security perspective, we aim to not only outline the issues but also suggest some solutions.

Nick von Dadelszen - Lateral Security - Mobile NFC 101

Abstract

This talk is designed to provide a detailed understanding of NFC on mobile phones and security considerations associated with the technology.

The participants should leave the presentation with an understanding of the technology behind NFC on mobile phones and how it interacts. They should obtain an understanding of the security considerations for NFC on Mobile and how it differs from standard NFC implementations.

The agenda for the talk will be the following: - Introduce the audience to NFC - Discuss the current state of NFC on mobile phones - Analyse the technology involved and how this is used to develop NFC applications - Discuss the security considerations of NFC on mobile devices

Speaker Bio

Nick von Dadelszen is the technical director at Lateral Security. Nick has been performing professional pen testing for over 12 years and has managed several successful penetration testing teams. He has worked with the majority of large corporates and Government agencies in New Zealand and is a regular presenter at OWASP and kiwicon conferences.

Quintin Russ - SiteHost - Internet Junk

Abstract

Junk, we all have it. Some have more, a lot more ... Whether you have accepted your Trademe addiction or are still in denial we all have a problem. Just like Space we are filling up the Internet with junk. What happens to our websites when we are finished with them? How are they closed? Are they ever closed? This talk will look at what sort of junk is left behind and how this can be used to attack your organisation. We will cover the issues with real world examples and time allowing, discuss simple steps to help overcome your Trademe addiction should you have one.

Speaker Bio

Quintin has carved out his own niche in the .nz hosting industry, having spent a large proportion of the last few years becoming an expert in both building and defending systems. He now runs enough infrastructure to ensure he never, ever gets a good night's sleep, and sometimes doesn't even get to snooze through Sunday mornings. Quintin has a keen interest in security, especially as it relates to web hosting. This has ranged from the vicissitudes of shared hosting to code reviews of popular blogging applications. He has previously presented at ISIG, OWASP & Kiwicon.

Call For Sponsorships

As mentioned above, OWASP New Zealand Day 2012 will be held in Auckland on the 31st of August, 2012. OWASP New Zealand Day is a security conference entirely dedicated to web application security. The conference is once again being hosted by the University of Auckland with their support and assistance. OWASP New Zealand Day 2012 is a free event, but requires sponsor support to help be an instructive and quality event for the New Zealand community. OWASP is strictly non for profit. The sponsorship money will be used to help make OWASP New Zealand Day 2012 a free, compelling and valuable experience for the audience.

The sponsorship funds collected are to be used for things such as:

• Refreshments (coffee break/lunch) - we want to keep people refreshed during the day; while we certainly bring good and interesting speakers, we don't want people to go home when they become hungry.
• Name tags - we feel that getting to know people within the New Zealand community is important, and name tags make that possible.
• Promotion - up to now our events are propagating by word of mouth. We would like to get to a wider audience by advertising our events.
• Printed Materials - printed materials will include brochures, tags and lanyards.

Facts

Last year, the event was supported by 5 sponsors and attracted more than 200 participants. Plenty of constructive (and positive!) feedback from the audience was received and we are using this to make the conference more appealing to more people. For more information on last year's event, please visit: https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2011

The OWASP New Zealand community is strong and there are more than 220 people currently subscribed to the mailing-list. OWASP New Zealand Day is expected to attract between 200 and 250 attendees this year.

OWASP regular attendees are IT project managers, IT security managers, IT security consultants, web application architects and developers, QA managers, QA testers and system administrators.

Sponsorships

There are three different levels of sponsorships for the OWASP Day event:

• Support Sponsorship: (Covering international speaker travel expenses, media coverage/article/promotion of the event)

Includes:

- Publication of the sponsor logo on the event web site - https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2012

• Silver Sponsorship: 1500 NZD

Includes:

- Publication of the sponsor logo on the event web site - https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2012
- The publication of the sponsor logo in the event site, in the agenda, on the flyers, brochure and in all the official communications with the attendees at the conference.
- The possibility to distribute the company brochures, CDs or other materials to the participants during the event.

• Gold Sponsorship: 2750 or 3500 NZD (see below)

Includes:

- The publication of the sponsor logo in the event site, in the agenda, on the handouts and in all the official communications with the attendees at the conference.
- The possibility to distribute the company brochures, CDs or other materials to the participants during the event.
- Publication of the sponsor logo on the OWASP New Zealand Chapter page
- Sponsor logo on the OWASP NZ site prior and during the OWASP Day event - https://www.owasp.org/index.php/New_Zealand
- Publication of the sponsor logo on the event web site - https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2012
- Sponsor dedicated space at the conference (sponsor booth) to show products/services to the attendees during coffee breaks, lunch and snack breaks. If a booth is not required, the Gold Sponsorship fee is 2750 NZD instead of 3500 NZD.

Those who are interested in sponsoring OWASP New Zealand 2012 Conference can contact the OWASP New Zealand Board.

Conference Dates

Please find below important dates for the conference:

• CFP & CFT closes: 22nd July 2012 [CLOSED]
• Conference Agenda due: 30th July 2012
• Conference Registration deadline: 20th August 2012
• Training Registration deadline: 20th August 2012
• Training Day date: 30th August 2012
• Conference Day date: 31st August 2012

OWASP New Zealand Day 2012 Organising Committee

• Nick Freeman - OWASP New Zealand Leader (Auckland)
• Adrian Hayes - OWASP New Zealand Leader (Wellington)
• Lech Janczewski - Associate Professor - University of Auckland School of Business