Difference between revisions of "OWASP New Zealand Day 2017"

Training

As well as the main conference on Thursday, we are pleased to be able to provide training on Wednesday at the same venue. All details including registration are as follows:

LittleHackMe - Morning Date: Wed 19 April 2017
Time: 9:00am - 12:00pm or part thereof
Training Registration Page

LittleHackMe Date: Wed 19 April 2017
Time: 1:00pm - 5:00pm or part thereof
Training Registration Page SOLD OUT

Advanced Web Hacking and Secure Coding Date: Wed 19 April 2017
Time: 9:00am - 5:00pm or part thereof
Training Registration Page SOLD OUT

(Additional training sessions are being provided privately by Vikram)

Security Testing for Software Testers Date: Wed 19 April 2017
Time: 9:00am - 5:00pm or part thereof
Training Registration Page SOLD OUT

Spaces going fast, so get in quick

Call For Presentations

Thank you to all those who have submitted talks. The call for presentations has now closed.

OWASP New Zealand Day conferences attract a high quality of speakers from a variety of security disciplines including architects, web developers and engineers, system administrators, penetration testers, policy specialists and more.

We would like a variety of technical levels in the presentations submitted, corresponding to the three sections of the conference:

• Introductions to various Web Application Security topics, and the OWASP projects
• Technical topics
• Policy, Compliance and Risk Management

The introductory talks should appeal to an intermediate to experienced web developer, without a solid grounding in web application security or knowledge of the OWASP projects. These talks should be engaging, encourage developers to learn more about web application security, and give them techniques that they can immediately return to work and apply to their jobs.

Technical topics are running all day and should appeal to two audiences - experienced web application security testers or researchers, and web developers who have a “OWASP Top Ten” level of understanding of web attacks and defenses. You could present a lightning, short or long talk on something you have researched, developed yourself, or learnt in your travels. Ideally the topics will have technical depth or novelty so that the majority of attendees learn something new.

We would also like to invite talks that will appeal to those interested in the various non-technical topics that are important in our industry. These talks could focus on the development of policies, dealing with compliance obligations, managing risks within an enterprise, or other issues that could appeal to those in management roles.

We encourage presentations to have a strong component on fixing and prevention of security issues. We are looking for presentations on a wide variety of security topics, including but not limited to:

• Web application security
• Mobile security
• Secure development
• Vulnerability analysis
• Threat modelling
• Application exploitation
• Exploitation techniques
• Threat and vulnerability countermeasures
• Platform or language security (JavaScript, NodeJS, .NET, Java, RoR, etc)
• Penetration Testing
• Browser and client security
• Application and solution architecture security
• PCI DSS
• Risk management
• Security concepts for C*Os, project managers and other non-technical attendees
• Privacy controls

The submission will be reviewed by the OWASP New Zealand Day conference committee and the highest voted talks will be selected and invited for presentation.

PLEASE NOTE:

• Due to limited budget available, expenses for international speakers cannot be covered.
• If your company is willing to cover travel and accommodation costs, the company will become "Support Sponsor" of the event.

Thank you to all those who have submitted talks. The call for presentations has now closed.

Please submit your presentation here.

Submissions deadline: 18th March 2017

Applicants will be notified in the following week after the deadline, whether they were successful or not.

Call For Sponsorships

Thank you to all our sponsors. Sponsorship has now been fully subscribed, we are no longer accepting new sponsors.

OWASP New Zealand Day 2017 will be held in Auckland on the 20th of April, 2017 and is a security conference entirely dedicated to application security. The conference is once again being hosted by the University of Auckland with their support and assistance. OWASP New Zealand Day 2017 is a free event, but requires sponsor support to help be an instructive and quality event for the New Zealand community. OWASP is strictly not for profit. The sponsorship money will be used to help make OWASP New Zealand Day 2017 a free, compelling, and valuable experience for all attendees.

The sponsorship funds collected are to be used for things such as:

• Name tags - we feel that getting to know people within the New Zealand community is important, and name tags make that possible.
• Promotion - up to now our events are propagating by word of mouth. We would like to get to a wider audience by advertising our events.
• Printed Materials - printed materials will include brochures, tags and lanyards.

Facts

Last year, the event was supported by nine sponsors and attracted more than 500 participants. Plenty of constructive (and positive!) feedback from the audience was received and we are using this to make the conference more appealing to more people. For more information on the last New Zealand Day event, please visit: https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2016

The OWASP New Zealand community is strong, there are more than 490 people currently subscribed to the mailing-list. OWASP New Zealand Day is expected to attract between 500 and 600 attendees this year.

OWASP regular attendees are IT project managers, IT security managers, IT security consultants, web application architects and developers, QA managers, QA testers and system administrators.

Sponsorships

There are three different levels of sponsorships for the OWASP Day event:

Support Sponsorship: (Covering international speaker travel expenses, media coverage/article/promotion of the event)

Includes:

• Publication of the sponsor logo on the event web site - https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2017

Silver Sponsorship: 750 NZD

Includes:

• Publication of the sponsor logo on the event web site - https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2017
• The publication of the sponsor logo in the event site, in the agenda, on the handouts and in all the official communications with the attendees at the conference.
• The possibility to distribute the company brochures, CDs or other materials to the participants during the event.

Gold Sponsorship: 1500 NZD

Includes:

• The possibility to have a promotional banner or sign side stage in the main auditorium (to be provided by the sponsor, size subject to approval by the OWASP NZ Day Committee).
• The publication of the sponsor logo in the event site, in the agenda, on the handouts and in all the official communications with the attendees at the conference.
• The possibility to distribute the company brochures, CDs or other materials to the participants during the event.
• Publication of the sponsor logo on the OWASP New Zealand Chapter page - Sponsor logo on the OWASP NZ site prior and during the OWASP Day event - https://www.owasp.org/index.php/New_Zealand
• Publication of the sponsor logo on the event web site - https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2017

Those who are interested in sponsoring OWASP New Zealand 2017 Conference can contact the OWASP New Zealand Board.

Thank you to all our sponsors. Sponsorship has now been fully subscribed, we are no longer accepting new sponsors.

Presentations

Speakers List

Kevin Alcock - Katipo Information Security - OWASP Top 10 Review & Preview

Abstract

This is OWASP Day, let’s recap the top 10 from 2013 for those in the room that might not know or need a refresher. But hey it’s 2017 where are we at now? Let’s look at analyse the data collected from the 2016 data call.

Speaker Bio

Kevin helps run the Christchurch branch of ISIG. He has been programming for a living since 1986 (yes, longer than most of you have been alive) after studying at what is now known as Ara Institute of Canterbury. In those 30 plus years he spent of lot of his time in Enterprise, Financial systems with mobile/internet applications. 2016 he became a Offensive Security Certified Professional (OSCP). He is the founder and principal consultant at Katipo Information Security.

Kate Pearce - Cisco - Gaslighting with Honeypits and Mirages: Destroying discovery to deplete attackers

Abstract

Abstract (Small): When an attacker is after you they need a way in, and to prioritize efforts. Defensive gaslighting makes them chase ghost systems, and attack phantom vulnerabilities - keeping you secure. As we discussed last time, we may release tools, and we may discuss some theory, but are you sure that really happened?

Speaker Bio

Catherine (Kate) Pearce is a Senior Security Consultant for Cisco, who is based in Wellington, New Zealand. Formerly a Security Consultant for Neohapsis in the USA, she has engaged with a widespread and varied range of clients to assist them in understanding their current security state, adding resilience into their systems and processes, and managing their ongoing security risk. Day-to-day she undertakes a mix of advising clients around their security, client-focused security assessments (such as penetration tests), and security research. She has spoken at her work at many security conferences, including Black Hat USA, Source Boston, Nolacon, Kiwicon, ACSC, Bsides Canberra and many others. While she has recently presented on Network Security, her true loves are application security enablement, complex systems security, and cross-discipline security analogues.

Felix Shi - Xero - Developer's guide to preventing XSS

Abstract

Beginner friendly talk on XSS, targeted towards webapp devs and QA engineers. With an emphasis on methods of prevention during the SDLC. I will demonstrate the methods of prevention/mitigation(content encoding, input validation, CSP) with modern frontend frameworks in mind.

Speaker Bio

Felix works in the product security space at an online accounting software company named Xero. He joined in 2014 and his day job involves securing and breaking internally developed products. Before Xero he spent his previous years as a developer, and has been dabbling in the information security scene in Wellington.

Tom Eastman - The dangerous, exquisite art of safely handling user-uploaded files

Abstract

“Come On, What Harm Can a User Profile photo Do?”.

I’ll show you every scary thing I know about that can be done with a file upload, and how to protect yourself from – hopefully – most of them.

Speaker Bio

Tom Eastman writes words that control computers to tell other computers to build FAKE computers that run on DIFFERENT computers.

Nick Malcolm - SafeStack - How to spot and stop a wolf in sheep's clothing (a.k.a Account Takeover)

Abstract

Almost two thirds of confirmed breaches involve using weak or stolen passwords - it’s not a new threat, but it works. By the end of this talk you will understand the Account Takeover threat, and walk away with some techniques & tools for detection and response within your own web applications.

Speaker Bio

Nick Malcolm is a Security Consultant at SafeStack, which means he gets to help people develop more secure software! He works with awesome people, in Auckland, New Zealand. He was formerly CTO at ThisData, a security product which protected millions of websites from account takeover attacks.

He’s also an active member in the Ruby community, regularly speaking about coding and security. He is a member of OWASP NZ, ISIG (Info Sec Interest Group), CSA (Cloud Security Alliance), and Internet NZ.

When he’s not coding he’s probably watching some scifi, spending time with his wife and kid, patting his cat, or strummin’ on his guitar.

Matt Cotterell - Fairfax Media - Building the ultimate login and signup

Abstract

Web Applications have lots of quirks and limitations that set them apart from other kinds of applications. In this talk, we explore public facing login and registration flows and some of those quirks that can catch devs out which can open your application (or users!) to security or privacy risks.

Speaker Bio

Matt Cotterell is a Security Engineer and a .NET Developer with 5+ years professional experience in software engineering for various diverse industries, including healthcare, cinema management and journalism. He is more of a maker than a breaker and spends his time exploring various software frameworks and public cloud providers (particularly .NET and Azure) along with writing software and presentations that enable developers to secure these systems.

He is currently working for Fairfax Media (stuff.co.nz) helping the DevOps teams improve the general security posture of their software and systems architecture, and developing awareness training for the in-house development teams. In his spare time, he can be found watching bad movies, gleefully overusing the word “cyber”, and feeling awkward writing biographies in a third-person perspective.

Daniel Compton - Security on a shoestring - running a security critical service as a volunteer

Abstract

Clojars is a JAR hosting service for the Clojure community. It’s a security critical piece of infrastructure for many organisations. This talk discusses my joining Clojars, how we improved our security, and how you can do the same, especially if you’re at a non-profit or a volunteer.

Speaker Bio

Daniel Compton is an independent software consultant, living in The Regions (Morrinsville). He works mainly with Clojure and ClojureScript, and is a volunteer admin for Clojars, the Clojure community JAR host. He also runs Deps, a private JAR hosting service. He enjoys contributing to open source projects and spending time with his young family.

Adam Bell - Lateral Security - XML: Still Considered Dangerous

Abstract

XML, the JSON of 2005. This talk will discuss an existing class of attacks against XML parsers, with some new twists for evading existing attack mitigations.

Speaker Bio

Adam ‘feabell’ Bell lives in Auckland with his wife and daughter. By day he is a security consultant for Lateral Security, by night he tries to remember what sleep is.

Trev H - RedShield - Confession of a lactose intolerant vulnerability hunter

Abstract

Eating cheese is delicious but if your body can’t process lactose (like mine) you are in for trouble. On those late, dairy induced nights where sleep just won’t happen, I’ll spend time developing an idea for an automated mass scan tool - “fon-didly-do”. This tool could collate vulnerability data collected from open Github projects and run analytics on them. This tool could be useful in identifying vulnerability trends for certain project types and platforms. I could write this tool using a combination of Postgres, Elixir and any number of free static code analysis tools.

This looks like a lot of work, but as luck would I have it … I have a fridge full of beer, some crusty bread and a wheel of gorgonzola, lets get to work!

There will be a release of fon-didly-do, a demo and some live cheese during this talk.

Speaker Bio

Trev is a RedShield Developer and Security Researcher who should not eat cheese! His daily job is to help secure web applications used by hundreds of thousands of people across the globe. He enjoys cooking, blues guitar and being a professional developer.

Jen Zajac - Catalyst - Sensible defaults for client-side security

Abstract

When starting a new web project, what foundations should you lay to ensure your JavaScript, HTML and CSS is going to be secure? Thinking about CSP, session token storage, how much you can trust a given input early can save a lot of rework later!

Speaker Bio

Jen is the lead front-end developer at Catalyst, a development company with a strong focus on Open Source. Based in Wellington, New Zealand, Jen is originally from the UK but ended up in NZ working for a conservation charity and ended up sticking around. With 10 years of experience in the tech industry, Jen is the co-director of Kiwi PyCon 2014 and the director of nz.js(con); 2017.

Matthew Daley - Aura Information Security - Huzzer, the tree-based generational mutating HTTP fuzzer

Abstract

Webapp fuzzing is well-covered by tools such as Zed Attack Proxy or Burp Suite, but what about the underlying webservers? Huzzer is a tree-based, generational mutating fuzzer for HTTP that targets webservers. I’ll talk about its development and some vulnerabilities found in real world webservers.

Speaker Bio

Senior Security Consultant at Aura Information Security and general weirdo in real life. Finds vulnerabilities in hypervisors, servers, webapps, and front doors.

Shahn Harris - Equifax - Changing Perspectives

Abstract

I will share 10 techniques on how you change companies perspectives on what information security is, and how it should be handled. These tips do not involve executive buy in, metrics, risk assessments, budget and without anyone knowing what you are actually doing.

Speaker Bio

Shahn Harris has spent many years working inside businesses of carious sizes in many different capacities. This has resulted in him changing from average tech guy to a beautiful butterfly of business engagement, stakeholder management, strategic product alignment, future states, and whatever other business jargon you can think of. He has worked across a number of leading New Zealand institutes, organisation’s and, brands spanning multiple industries as an internal resource or as a consultant.

Adrian Hayes - Root Cause is the Best Cause

Abstract

This talk will explore web app security flaws at the source code level at find the patterns and anti-patterns that lead to vulnerabilities. If you’re a developer you’ll learn how to write more secure code, and if you’re a pentester you’ll learn some root causes and where to focus your efforts.

Speaker Bio

Adrian Hayes has twelve years experience in the IT industry specialising in both software development and IT security. He has consulted on security for some of the largest organisations in the financial, government, telecommunications, and education sectors across New Zealand and internationally. Adrian has been known to speak at various security events including Kiwicon, OWASP NZ Day, ISACA education days, and OWASP Asia AppSec. He has published security research in the IEEE Security and Privacy magazine, and has been invited to speak on wider IT issues on Radio NZ.

Grace Nolan and Catherine McIlvride - Enable Ltd and Assurity - 30 Days (ish) of Security

Abstract

What is it like to learn security as complete beginner? What is is like to teach a complete beginner? Where would you start? This talk is about what it’s like learning security as a complete beginner.

Speaker Bio

Grace has been pressing buttons on computers her whole life. The right buttons and the wrong buttons. Now she presses buttons for a living. She’s currently a systems developer for Enable Ltd, a fibre broadband company in Christchurch, which sounds terrifyingly adult on paper. She cares about Computer Science in schools and Women in Tech stuff. She’s an enthusiastic choral singer, tea fanatic, and paints watercolours when she’s not devouring the latest in tech news.

Catherine is a Software Tester from Assurity. Her role is to gently bring developers back down to earth by methodically exposing their bugs. She laughs kindly at their dismay. She is a woman to be celebrated and feared. Wanting to discover new challenges, Cat is learning about security in the hopes of finding even better, juicier bugs.

Claudio Contin - Aura Information Security - From JSONP to XSS persistence

Abstract

An unescaped JSONP endpoint, combined to a XSS vulnerability, can lead to a persisted XSS, through service workers onFetch event.

Speaker Bio

I’ve been a backed web developer and system admin for many years, with good knowledge of JavaScript as well, and have explored a variety of open source technologies and programming languages. Since 2016 I’m working full time as a security consultant for Aura Information Security, mainly performing penetration tests for web and mobile applications.

Lukas Weichselbaum & Michele Spagnuolo - Google Switzerland - So we broke all CSPs... You won't guess what happened next!

Abstract

Last year we proved that the whitelist-based approach of Content Security Policy (CSP) is flawed and proposed an alternative based on 'strict-dynamic' in combination with nonces or hashes.

In our academic paper (CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy, ACM CCS, 2016), we demonstrated, using automatic checks, that 94.72% of all real-world policies can be trivially bypassed by an attacker with an XSS bug, and 75.81% are bypassable due to whitelists.

Thanks to the new 'strict-dynamic' approach, we were finally able to deploy an effective policy to many important Google products, such as GMail, Photos, and others. In this presentation we would like to share our experience, show examples, best practices and common pitfalls.

Finally, we share how we are addressing the recent bypasses of nonce-based policies, such as nonce exfiltration/reuse techniques and dangling markup attacks.

Speaker Bio

Lukas Weichselbaum is an Information Security Researcher at Google focusing on security enhancements and mitigations for web applications. He co-authored the specification for ‘strict-dynamic’ in CSP3 and launched CSP-Evaluator (csp-evaluator.withgoogle.com), a tool for developers and security experts to check if a Content Security Policy serves as a strong mitigation against cross-site scripting attacks. Lukas previously worked on dynamic analysis of Android malware. He also founded Andrubis – one of the very first large scale malware analysis platforms for Android applications.

Michele Spagnuolo is an Information Security Engineer at Google focusing on security enhancements and mitigations for web applications. He co-authored the specification for ‘strict-dynamic’ in CSP3, serving as a strong mitigation against cross-site scripting attacks. Other works include Rosetta Flash (rosettaflash.com) and BitIodine (bitiodine.net).

Peter Chestna - Veracode - AppSec in a DevOps World

Abstract

Dev teams were already struggling with adding security to their Agile processes. DevOps teams are pushing to release continuously, meaning integrating security will become even more of a challenge. How can teams deliver secure code while maintaining the speed required in a DevOps world?

Speaker Bio

As Director of Developer Engagement at Veracode, Pete provides customers with practical advice on how to successfully roll out developer-centric application security programs. Relying on more than 10 years of direct AppSec experience as both a developer and development leader, Pete provides information on best practices amassed from working with Veracode’s 1,000+ customers.

Pete joined Veracode in 2006 as a software developer and was instrumental in delivering the first version of Veracode’s service to customers. Later, as Director of Platform Engineering, Pete built and managed the Agile teams responsible for delivering Veracode’s SaaS platform. He also built the first DevOps team to deliver microservices. He is a certified product owner and scrum master. Pete also spearheaded Veracode’s initiative to automate the use of Veracode products into the company’s development processes called project Purina. Using this experience, he has spoken with hundreds of Veracode customers to help them set up similar programs.

Pete has more than 25 years’ experience developing software and has been granted 3 patents. He has been developing web applications since 1996, including one of the first applications to be delivered through a web interface. In his spare time he enjoys listening to Rush, drinking whiskey and programming on the Arduino platform.

Ruth McDavitt - Summer of Tech - Hacking the Talent Pipeline

Abstract

How can we join together to creatively overcome the limitations of our current education & recruitment systems to achieve a better talent pipeline? It’s recognised as a massive barrier, so what can we do about it today, to grow the talent pool right now, and for the future?

Speaker Bio

Ruth works on the human side of the technology industry, leading the Summer of Tech programme that is addressing the shortage of NZ technology skills through connecting experienced industry mentors with students. She is an active mentor to young entrepreneurs in a variety of programmes, including incubators, accelerators, universities, within community groups and at high schools.

Sam Macleod - SafeStack - Trust me, I'm a cloud

Abstract

As the cloud continues to take over every part of our lives, chances are that most of our systems and applications look quite different today than they used to. I will be talking about some of the Business Continuity pitfalls that are common in cloud environments, and how we can weather the storm.

Speaker Bio

Sam comes from an operations background, with experience in infrastructure design, incident response, and policy writing and implementation. 
Working with financial applications, he has extensive experience in creating and working with high security environments.

Charlie Gavey - Snapper Services - Conscious Incompetence: Started from the bottom, now we're here

Abstract

Feeling like your organisation isn’t getting anywhere with security? The realisation that you don’t know anything is actually a critical part of the process. Described as the “conscious competence model”, this talk discusses how being conscious of your own incompetence is an important first step.

Speaker Bio

As a Scrum Master and Product Owner at Snapper Services, I’m all about empowering agile teams, with an interest in how agile teams mature and scale. I’m enthusiastic about fostering the next generation of tech talent; working with PC4G, RailsGirls, Cultivate Mentoring, and Summer of Tech. Will tramp for scroggin.

Alex Hogue - Atlassian - Graphing when your Facebook friends are awake

Abstract

We’re going to talk about finding this weird bug/feature, reverse-engineering what it does, actually looking at the graphs of real-life humans, using it in a social engineering context, how to prevent it, and tips for applying to work at the NSA.

Speaker Bio

Alex is a kid with a laptop and a pocketful of memes. Critics have described him as “aggressively wonky”. As far as he can tell from carefully examining the smoking crater that is his life, he’s working in Incident Response at Atlassian, which is a little bit like being an adult but with more ice cream. He does magic tricks and makes dumb one-use novelty websites as a substitude for getting out more.

Erica Anderson - The Magical World of Cloud Security

Abstract

Before you can get to a web app, your request usually goes through a few different levels of security infrastructure. This talk will focus on common tools and technology used at the host and platform level, why they are used, and which ones are full of fairy dust.

Speaker Bio

Her twitter bio says “info sec, cat, and ketchup enthusiast”. This story checks out.

Diversity and Financial Aid fund

[We have unashamedly followed the model adopted by the nz.js(con) team with their fund. Many thanks to Jen and the team!]

Due to the support of our lovely sponsors, we have some additional funding available to help people from around New Zealand attend the OWASP NZ Day that would find it hard to otherwise attend. In particular, we welcome applications from women, people of colour, LGBTIQ and all others. You all deserve to be able to learn more about security, and we’ll do our darndest to help make that happen!

Our funds are limited, and we’ll be reviewing applications every two weeks. Submit your applications soon, so we can approve them early and you’ll be in several review cycles!

Process:

• Fill out our application form
• We will review and approve applications each two weeks. The next review date is 12 April 2017.
• We will contact all applicants and let them know the result of the review.
• Successful applicants will be contacted to help sort things out.

We use the following criteria to help us decide who gets approved:

• We are biased towards (but not exclusively for) diverse applicants.
• We do attempt to maximise cost efficiency and will aim to get as many people to OWASP with our limited funds.

Each successful recipient can choose whether to be kept anonymous (in which case only the OWASP NZ committee will know the details of your funding), or to be put in touch with the supporting company whose sponsorship is going towards your attendance. We think some of our sponsors may enjoy the opportunity to chat with you on the day talk about your experiences and plans for the future, but that’s totally optional and up to you.

If you have any questions, feel free to drop us an email: denis.andzakovic@owasp.org | kirk.jackson@owasp.org | kim.carter@owasp.org

Code of Conduct

We want to make the OWASP NZ Day a welcoming environment for all attendees. To that end, we would like to remind you of OWASP's anti-harassment policy: [1].

Speakers, trainers and sponsors have all been reminded of these policies, and are expected to abide by them like all attendees.

If you have any concerns during the day, please seek out Kirk, Denis or Kim. We will make ourselves visible at the start of the day so you know what we look like.