Latest revision as of 01:47, 22 July 2010

Introduction

Introduction

Following the success of the OWASP New Zealand 2009 security conference which attracted more than 150 attendees, the OWASP New Zealand Chapter decided to organise the OWASP New Zealand Day 2010. The event was held on the 15th July 2010 in Auckland and was a great conference day. The event gathered an audience of 160 delegates including security professionals, developers, managers and students.
For those people who missed the event or are interested in the conference material, some of the presentations have been published and can be downloaded from the presentations page.
For any comments, feedback or observations, please don't hesitate to contact us.
Again, big thanks to the sponsors Security-Assessment.com and Lateral Security, the speakers and the conference committee for their contributions and support to the organisation of the event.

Blog/Coverage

Some blog coverage from Kirk Jackson: http://pageofwords.com/blog/CategoryView,category,OWASP.aspx

Presentations

** replaced Scott Bell's "Web Application Vulnerabilities: How far does the rabbit hole go?" talk.

Speakers

Low Scuttling Chilli Crab:NETWORK RECON 2010AD **

Network reconnaissance is an art as old as hacking, but the days of dumpster diving and fingering your away around the 'net are long in our past. In the world of Google, Wolfram|Alpha and Shodan, target acquisition is king: there's a new exploit every day, who's going down after you've finished your first cup of coffee tomorrow?

In this presentation, Metlstorm examines the practicality, implementation and effect of datamining country-scale network targeting databases. Building on the experience of spending the previous year mapping the New Zealand internet for his Kiwicon 2009 talk "Do Your Fruit Hang Low", Metlstorm deploys the Low Hanging Kiwifruit toolchain against its newest target: Singapore.

So, Singapore, are your networks open? How many open DSL routers are there in Singapore? Which ISP has their blade switches open for you to telnet to? Just how useful is it to full text search every SSL certificate name, 302 Redirect target and DNS entry?

Metlstorm

Metlstorm is an independent unix hacker from New Zealand, where he milks both sheep and hobbits. In the brief gaps in this bucolic schedule, he finds time to organise Kiwicon - the NZ hacker con, co-host the award-winning Risky.biz weekly infosec podcast and hold down a day job as a whitehat security consultant. In true sellout style, Metl has worked the floor at Blackhat, Defcon, Kiwicon & Ruxcon, achieving minor notoriety at the latter for being the only speaker ever punched out by a member of the audience at the end of his talk. Metlstorm loves bugs that are features, carrier networks and "enterprise" unix software, because we all know that "enterprise" means "the 80s called, they want their long environment variables back".

- replaced Scott Bell's "Web Application Vulnerabilities: How far does the rabbit hole go?" talk.

Dean Carter - The Ramblings of an ex-QSA

As a QSA there were a bunch of things Dean was forbidden from discussing.

As an ex QSA some of these matters will remain firmly sequestered inside his kimono - but others things, more general things, can now be shared.

Dean has 30 minutes worth of handy tips, hints, lessons and some brickbats relating to PCI and secure system development that he can now share with the community.

Dean Carter

Dean still remembers the day he first heard about the PCI DSS - he then spent several years trying to convince everyone that the PCI DSS was the bestest thing since the Beatles… not many people listened… they had projects to finish and settings to tweak…

Then Dean joined Security-Assessment.com and became a QSA (PCI power-up!)… people listened! Organisations even paid to listen! A few organisations went so far as to demonstrate their security posture to Dean The QSA. In return he signed their Reports on Compliance. Most made great progress towards compliance… while some simply went in political circles and denied the need to make any effort.

Two years on Dean, the ex-QSA, now works for financial institution where, in between other tasks, he regularly sticks his nose into PCI matters and still firmly believes that the PCI DSS is a positive thing.

Paul Craig – Security-Assessment.com - "Oh F#!K" : What To Do When You Get Pwned

If your company’s website were hacked tomorrow, would you know what to do? Forensics is not what you see on CSI, and most people have no idea what they should do in the event of a compromise. What is an appropriate incident response for a company, what do you say to your CEO, when do you involve law enforcement? Do you attempt to solve the forensic case yourself; keeping in mind any action you take may directly affect the evidence, or compromise legal judicial requirements. This presentation will demonstrate the forensic process for a compromised website, and what an organization should do when they find out they have been compromised. I will use case studies from previous incidents and demonstrate what you should and shouldn’t do when you get pwned.

Paul Craig

My name is Paul Craig, I work as the lead forensic incident responder at Security-Assessment.com and I work with many New Zealand companies who have been compromised. From small websites to large corporations and government agencies, our nation is regularly being defaced and defrauded. IT Forensics is here to pick up the pieces, and it’s my job to spend long nights trying to provide answers to businesses regarding what really happened.

Brett Moore - Insomnia Security - "Don't Try This At Home"

During source code and application reviews a number of common issues are often seen. Developers making the same mistakes time and time again. There are also those 'unique' issues that only come up once in a while, when people handroll their own methods to solve a particular problem.

Over the course of this talk, the speaker will explain and describe a number of issues that he has seen over the last 24 months in locally developed code. This is an opportunity to see what local developers are doing wrong, and why you shouldn't try this at home.

Brett Moore

Having conducted vulnerability assessments, network reviews, and penetration tests for the majority of the large companies in New Zealand, Insomnia founder Brett Moore brings with him over eight years experience in information security. During this time, Brett has also worked with companies such as SUN Microsystems, Skype Limited and Microsoft Corporation by reporting and helping to fix security vulnerabilities in their products. Brett has released numerous whitepapers and technical postings related to security issues and has spoken at security conferences both locally and overseas, including BlackHat, Defcon, Syscan, Kiwicon, Ruxcon, and the invitation only Microsoft internal security conference called BlueHat.

Graeme Neilson / Kirk Jackson - Aura Software Security / Xero - Tales from the Crypt0

Does the thought of SSL, HTTPS and S/MIME make you squeamish? Does PKI make you want to scream? Does encrypting data at rest make you want to bury yourself alive?

Cryptography is an important part of most web applications these days, and developers and admins need to understand how, why and when to employ the best and appropriate techniques to secure their servers, applications, data and the livelihoods of their users.

Join Graeme Neilson (Aura Software Security) and Kirk Jackson (Xero) for a series of scary stories in "Tales from the Crypt0".

Graeme Neilson

Graeme Neilson is lead security researcher at Aura Software Security, a security consultancy based in Wellington with clients across the globe.

Kirk Jackson

Kirk Jackson is a developer at Xero, makers of the world's easiest accounting system.

Quintin Russ / Mike Jager - SiteHost / Web Drive - Hosting and Web Apps - The Obscurity of Security

The security of web applications has traditionally been considered to be the problem of the company whose servers they were hosted upon. However, while you can outsource the hosting of web apps, you cannot outsource the responsibility of ensuring that those apps are secure. Mike and Quintin set aside their corporate rivalry to demonstrate the gap between the way things are and the way things should be.

Quintin Russ

Quintin has carved out his own niche in the .nz hosting industry, having spent a large proportion of the last few years becoming an expert in both building and defending systems. He now runs enough infrastructure to ensure he never, ever gets a good night's sleep, and sometimes doesn't even get to snooze through Sunday mornings. Quintin has a keen interest in security, especially as it relates to web hosting. This has ranged from the vicissitudes of shared hosting to code reviews of popular blogging applications. He has previously presented at ISIG and Kiwicon 2009.

Mike Jager

Since his arrival at Web Drive in 2004, Mike has been sticking his fingers into the wall sockets of web hosting. Currently, he herds packets, mutters at clouds, and sneaks up on web applications, tricking them into scaling horizontally when they least expect it. Mike holds a BE in Computer Systems Engineering from the University of Auckland, and has been spotted presenting recently at NZNOG, APRICOT and the occasional ISIG meeting.

Roberto Suggi Liverani - Security-Assessment.com - Defending Against Application Level DoS Attacks

Secure code practices, system hardening, due diligence and due care principles are paramount in mitigating application level DoS attacks. These attacks often result in significant damage against unprepared and vulnerable organisations.

The intent of this talk is to help organisations in strengthening their security posture against such attacks. The talk will explore most common application level DoS attacks and will provide recommendations for protecting applications, detecting attacks and how to react under stressful conditions.

Roberto Suggi Liverani

Roberto Suggi Liverani is a senior security consultant for Security-Assessment.com. He is the founder and leader of the OWASP (Open Web Application Security Project) in New Zealand. Roberto has worked with companies such as Google, Adobe and Opera by reporting and helping to fix security vulnerabilities in their products. Roberto is the co-author of the most recent OWASP Testing Guide and has spoken at various security conferences around the globe.

Please note that CFP is now closed.

Call For Sponsorships (CLOSED)

The aims of OWASP - New Zealand community is to guarantee access to the conference for free in order to allow for wide participation and empower the community itself. As so the OWASP - New Zealand community encourages Industries, Research Institutions and Individuals to sponsor their activities and events.

Three types of sponsorships are available:

• Support Sponsorships: n/a - company covers expenses for international speaker / media company that provides article/coverage on the event

- Publication of the sponsor logo on the event web site.

• Silver sponsorship: 1500 NZD

- The publication of the sponsor logo in the event site, in the agenda, on the flyers, brochure and in all the official communications with the attendees at the conference.

• Gold Sponsorship: 3500 NZD

- Publication of the sponsor logo on the event web site;
- Publication of the sponsor logo on the OWASP New Zealand Chapter page;
- The publication of the sponsor logo in the event site, in the agenda, on the flyers, brochure and in all the official communications with the attendees at the conference;
- The possibility to distribute the company brochures, CDs or other materials to the participants during the event;
- Sponsor dedicated space at the conference (sponsor booth) to show products/services to the attendees during coffee breaks, lunch and snack breaks.

Those who are interested in sponsoring OWASP New Zealand 2010 Conference can contact the OWASP New Zealand Board.
Sponsors can also make us of the following PayPal button to make payments. Donations are also more than welcome from the NZ community.

Call for Paper (CLOSED) and review process

OWASP solicit contributions on the above topics, or general matters of interest to the community. Those who are interested in participating as speakers to the conference can submit an abstract of the speech to the OWASP New Zealand Board.
The email subject must be “OWASP New Zealand 2010: CFP” and the email body must contains the following information/sections:

• Name and Surname
• Affiliation
• Address
• Telephone number
• Email address
• List of the author’s previous papers/articles/speeches on the same topics
• Title of the contribution
• Type of contribution: Technical or Informative
• Abstract (max one A4 style page)
• Why the contribution is relevant for OWASP New Zealand 2010
• If you are not from New Zealand, will your company support your expenses - Yes/No

The submission will be reviewed by the OWASP New Zealand Board and the most interesting ones will be selected and invited for presentation.

Due to limited budget available, expenses for international speakers cannot be covered. If your company is willing to cover travel and accomodation costs, the company will become "Support Sponsor" of the event.

Conference

Conference Venue

The University of Auckland Business School
Owen G Glenn Building
Room: OGGB 260-073 (OGGB4)
Address: 12 Grafton Road
Auckland
New Zealand
Map

Topics

The OWASP Days have always offered a forum for discussion and exchange of ideas among researchers and practitioners who present their experiences and discuss issues related to Web Application Security from a higher level to a technical point of view.

Conference topics include, but are not limited to:

• OWASP Project presentation (i.e Tool Updates/Project Status etc);
• Threat modelling of web applications;
• Privacy concerns with applications and data storage;
• Vulnerability analysis of web applications (code review, pentest, static analysis, scanning);
• Baseline or metrics for web application security;
• Countermeasures for web application vulnerabilities;
• Web application security;
• Platform or language (e.g. Java, .NET) security features that help secure web applications;
• Secure application development;
• How to use databases securely in web applications;
• Security of Service Oriented Architectures;
• Access control in web applications;
• Web services security;
• Browser security;
• PCI.

Conference structure and schedule

OWASP New Zealand Day 2010 will be all day Conference. The conference aims to provide a workshop-like atmosphere in which contributions can be presented and then time is allowed for constructive discussion of their results and processes. It will be structured in a single stream. During the conference two coffee breaks (one in the morning and one in the afternoon) and the lunch are in program. These might be offered by the sponsors. The detailed agenda of the conference will be available on the web site before the event.

Conference dates

• CFP close: 30th June 2010
• Contributions submission deadline: 10th July 2010
• Registration deadline: 30th June 2010
• Conference Agenda due: 2nd July 2010
• Conference date: 15th July 2010

Conference Committee

OWASP New Zealand Day 2010 Organising Committee:

• Roberto Suggi Liverani – OWASP New Zealand Leader
• Rob Munro – OWASP New Zealand Evangelist
• Lech Janczewski - Associate Professor - University of Auckland

Conference Sponsors

ICT and Department of Information Systems and Operations Management

Gold Sponsors:

www.security-assessment.com

Silver Sponsors:

www.lateralsecurity.com

Support Sponsors:

www.techday.co.nz/netguide